Slide 2: Architecture and Application of Microsoft .NET Framework 3.5 Cryptography for Data Protection
Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd
Session Code: ARC303

Slide 3: Objectives And Agenda
- Outline data protection requirements
- Explain the status of today's cryptography
- Introduce the cryptography APIs for Windows 7 and Windows Server 2008 R2

Disclaimer: The information herein is for informational purposes only and represents the opinions and views of Project Botticelli and/or Rafal Lukawiecki. The material presented is not certain and may vary based on several factors. Microsoft makes no warranties, express, implied or statutory, as to the information in this presentation.
© 2009 Project Botticelli Ltd & Microsoft Corp. Some slides contain quotations from copyrighted materials by other authors, as individually attributed. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Project Botticelli Ltd as of the date of this presentation. Because Project Botticelli & Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft and Project Botticelli cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT AND/OR PROJECT BOTTICELLI MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. E&OE.

Slide 4: Agenda
- Data Protection Goals
- State of Today's Cryptography
- Cryptography in Windows 7, Vista, and Windows Server 2008 and R2
- Demo: simple but fully working CNG code using .NET Framework 3.5
- Hidden Section {Crypto Primer}

Slide 5: Why Do We Need This Session?
- Crypto is still cryptic, and there is a lot of new material
- You need Data Protection, badly
- For every good crypto choice, applications make several bad ones
- Good crypto starts in the architecture

Slide 6: Data Protection Goals

Slide 7: Defense in Depth (layers, outermost first, with the controls that belong to each)
- Policies, Procedures & Awareness: user education against social engineering
- Physical Security: guards, locks, tracking devices, HSM, TPM
- Perimeter: firewalls, VPN quarantine
- Internal Network: compartments, IPSec, IDS
- Host: OS hardening, updates, BitLocker, strong authentication, secure startup
- Application: application hardening
- Data: cryptography

Slide 8: Data Protection is Important
- DP is at the heart of all defence
- It has to work when everything else has failed
- DP is typically the only defence left once physical security has been broken
- You need Data Protection in your application's architecture!

Slide 9: Essence of Data Protection
- Protect secrets, customer data, private information... by encrypting it with keys (easy)
- Then, protect the keys (REALLY VERY HARD):
  - Human memory (passwords + DPAPI)
  - Devices (smartcards, TPMs)
  - Paper (and a good safe)
  - Obfuscation (temporary protection)

Slide 10: Easiest Crypto, Please?
- Just use DPAPI: System.Security.Cryptography
  - ProtectedData.Protect
  - ProtectedMemory.Protect
- Takes care of looking after keys
- Or, if you are brave enough, stay with us!

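The two DPAPI entry points the slide names, as an added example that is not part of the original deck: ProtectedData for blobs that persist (Windows derives the key from the user's logon credentials, so the application stores no key at all) and ProtectedMemory for buffers that must only be readable inside the running process. The entropy string and the sample secrets are constructed values; the code needs Windows and a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the original deck. DPAPI via System.Security.Cryptography:
// Windows derives and guards the key from the user's (or machine's) credentials, so the
// application never stores a key of its own. Windows only; reference System.Security.dll.
static class DpapiDemo
{
    // Optional entropy is an application-specific secret mixed into the key derivation;
    // without it, any process running as the same user can Unprotect the blob.
    // Constructed value for this example.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Persistent blob (e.g. for a config file); only this Windows user can open it.
    public static byte[] ProtectForCurrentUser(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            return ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);   // tidy up: don't leave plaintext around
        }
    }

    public static string UnprotectForCurrentUser(byte[] blob)
    {
        // Throws CryptographicException if opened by another user, with different
        // entropy, or if the blob has been tampered with (DPAPI blobs carry a MAC).
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // In-process buffer protection. ProtectedMemory requires the buffer length to be a
    // multiple of 16 bytes; anything else throws CryptographicException.
    public static byte[] PadTo16(byte[] data)
    {
        byte[] padded = new byte[(data.Length + 15) / 16 * 16];
        Array.Copy(data, padded, data.Length);
        return padded;
    }

    static void Main()
    {
        byte[] blob = ProtectForCurrentUser("db-password-example");   // constructed secret
        Console.WriteLine("DPAPI blob is " + blob.Length + " bytes (header + MAC + ciphertext)");
        Console.WriteLine("Round trip: " + UnprotectForCurrentUser(blob));

        byte[] token = PadTo16(Encoding.UTF8.GetBytes("session-token-example"));
        ProtectedMemory.Protect(token, MemoryProtectionScope.SameProcess);
        // token is now ciphertext in memory; Unprotect right before use, then clear.
        ProtectedMemory.Unprotect(token, MemoryProtectionScope.SameProcess);
        Array.Clear(token, 0, token.Length);
    }
}
```

DataProtectionScope.LocalMachine would let any process on the machine open the blob, which is why CurrentUser plus application entropy is the usual choice for stored credentials.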
Slide 11: Advanced DP in .NET Frameworks
- System.Security.Cryptography: Rijndael, RSA, and DSA managed providers and CryptoStream
  - Full crypto, not FIPS-certified: .NET Fx 2.0, 3.0, 3.5
  - CNG wrappers for full, FIPS-certified cryptography: .NET Fx 3.5, and the same in 4.0
- System.Security.Cryptography.Xml: W3C XML Encryption and XML Signature standards
- System.Security.Cryptography.Pkcs: PKCS#7 and Cryptographic Message Syntax (CMS) standards

Slide 12: Cryptography of Past, Present and its Problems

Slide 13: XP Recommendation
- If you cannot use Windows 7, Windows Server 2008, R2, or even Vista, then at present (Nov 2009) consider:
  - Rijndael or AES-128 (or AES-192, or AES-256)
  - RSA 4096 (arguably 3072 or longer)
  - "SHA-2" (i.e. SHA-256 or SHA-512)
  - DSA (or SHA-2/RSA signatures)

Slide 14: DES, IDEA, RC2, RC5, Twofish: Not Recommended
- These are all symmetric non-recommendations
- DES (Data Encryption Standard): DO NOT USE DES!
  - Triple DES (3DES) is more secure, but better options exist
- IDEA (International Data Encryption Standard): 128-bit keys, but its design is weak by today's standards
- RC2 & RC5 (by R. Rivest): RC2 is older and RC5 newer (1994); similar to DES and IDEA
- Blowfish, Twofish: good, but not a standard

Slide 15: Rijndael & AES: Recommended
- Present standard; winner of the AES (Advanced Encryption Standard) competition run by NIST (US National Institute of Standards and Technology), 1997-2000
- Comes from Europe (Belgium), by Joan Daemen and Vincent Rijmen
- Recommended by the NSA CNSSP-15 policy
- Symmetric block cipher (128, 192 or 256-bit blocks) with variable keys (128, 192 or 256 bits, too)
- AES is a specific way of using Rijndael
  - .NET Fx 3.0: RijndaelManaged is a full Rijndael
  - .NET Fx 3.5: AesManaged is a standards-compliant version of Rijndael

Slide 16: CAST and GOST: Not used widely anymore, avoid
- CAST: Canadians Carlisle Adams & Stafford Tavares; 64-bit key and 64 bits of data, not enough
- GOST: the Soviet Union's "version" of DES, but with a clearer design and many more repetitions of the process
  - 256-bit key, but really 610 bits of secret, so pretty much "tank quality"
  - Backdoor? Who knows...

Slide 17: Rely on Cryptosystems
- Never use just an algorithm; always use the entire cryptosystem
- E.g. AES used in a simple "loop" to encrypt a stream of data destroys security
  - Use a block chaining mode
  - CNG supports CBC, CFB, and, as of Vista SP1/WS08, also CCM and GCM
- Easiest way: .NET Fx CryptoStream applies your chosen symmetric algorithm correctly

Slide 18: Dangerous Implementations
- Cryptographic applications from not-well-known sources: "I just downloaded this library"
- Insist on using built-in systems where possible:
  - Microsoft OS: CNG, CAPI, CAPICOM etc.
  - Smartcards: certified CSPs/KSPs
  - Elsewhere: FIPS-140-2 compliant implementations; see csrc.nist.gov/cryptval

Slide 19: RC4: Generally Not Recommended
- Symmetric; fast, streaming encryption
- R. Rivest, in 1994
- Originally secret, but "published" on sci.crypt
- Related to the "one-time pad", theoretically the most secure
- But! It relies on a really good random number generator, and that is a problem
- Nowadays: use AES with a chaining mode

Slide 20: RSA, DSA, ElGamal: Asymmetric
- Relatively slow and computationally expensive; security sometimes being questioned
- RSA: Rivest, Shamir, Adleman, 1978
  - Popular and well researched
  - Strength lies in today's inefficiency at factorising into prime numbers
  - Some worries about the key generation process in some implementations
- DSA (Digital Signature Algorithm): mainly for digital signing, not for encryption; used in the US; a variant of the Schnorr and ElGamal signature algorithms
- ElGamal: relies on the complexity of discrete logarithms; generally considered one of the best asymmetric algorithms

Slide 21: MD5, SHA: Hash functions, often used in digital signatures
- Hash much shorter than the message and "unique" to it
- Not reversible: can't obtain the message from its hash
- Two messages won't have the same hash
- MD5 (R. Rivest): 512 bits hashed into 128; mathematical model still unknown; broken in July 2004, do not use on its own
- SHA (Secure Hash Algorithm): US standard based on MD5
  - MD5 and MD4 broken
  - SHA-0 broken (July 2004); SHA-1 probably too weak (partly broken, full break alleged); use SHA-256 at least

Slide 22: Diffie-Hellman, SSL, Certs: Methods for key exchange and transport
- DH (1976) generates a new symmetric key based on public/private key pairs
- It is both a mechanism for key exchange and, if you wish, encryption
- Certificates are still the most common way to exchange or validate public keys; foundation of Public Key Infrastructure (PKI)
- SSL uses a protocol to exchange keys safely, but requires PKI

Slide 23: XP/2003 Era of Crypto APIs: Still used and supported
- Microsoft CryptoAPI (CAPI) 2.0 was the interface to all CSPs (Cryptographic Service Providers), built-in or smartcard-based
- .NET Framework 1.1, 2.0 and 3.0 wrap most of the functionality of CAPI in the namespace System.Security.Cryptography
- Or you could use the CAPICOM library

Slide 24: Contemporary Cryptography

Slide 25: Quantum Cryptography?
- Method for generating and passing a secret key or a random stream: for keys, not data
- Polarisation of light (photons) can be detected only in a way that destroys the "direction" (basis)
- Works up to 120 km of a dedicated fibre-optic link
- Practical implementations still use AES etc. for the actual encryption
- MagiQ QPN: http://www.magiqtech.com/press/qpn.pdf
- Don't confuse it with quantum computing, which won't be with us for at least another 50 years or so, or maybe longer...
- Recently: an alternative was suggested using cheap resistors and regular cabling, the "Johnson noise" concept; too new to comment, but an exciting idea

Slide 26: The Golden Standard
- US NSA and NIST recommended "Suite-B" protocols
- Microsoft supports Suite-B only in Windows 7, Windows Server 2008 and R2, and Vista
- Internally, Windows does not use weaker algorithms than Suite-B
- But, of course, you can if you wish; please don't, except for backwards compatibility

Slide 27: Suite B (www.nsa.gov/ia/industry/crypto_suite_b.cfm)
- Mandatory set of cryptographic algorithms for non-classified and classified (SECRET and TOP-SECRET) USG needs since 2008
- Except a small area of special-security needs (e.g. nuclear security), guided by Suite A (whose definition is, naturally, classified)
- Widely used world-wide, as of 2009

Slide 28: Mathematical Designs
- Many cryptographic algorithms (e.g. DSA) rely on a class of mathematical designs related to the concept of discrete logarithms
- These can be implemented over the finite field of any abelian group
- Normally, this means using integers modulo a prime number
- Alternatively, elliptic curve groups could be used

Slide 29: Elliptic Curve Cryptography (ECC)
- More efficient design, fewer bits of key
- Harder to break
- Significantly faster algorithms
- Used to enhance existing algorithms, such as DH or DSA

Slide 30: Suite-B Algorithms
- Encryption: AES
- Digital Signature: EC-DSA
- Key Exchange: EC-DH or EC-MQV
- Hashing: SHA-2

Slide 31: Suite-B Encryption: AES
- FIPS 197 (with key sizes of 128 and 256 bits)
- Rijndael with 128-bit data blocks only
- Keys of 192 bits not used
- Most 256-bit implementations are much slower than 128
- Anything of 84 bits or more in this class is considered "good enough" commercially (Nov 2009)

Slide 32: Suite-B Digital Signatures
- Elliptic Curve Digital Signature Algorithm (EC-DSA)
- FIPS 186-2 (using the curves with 256 and 384-bit prime moduli); Microsoft also supports 521-bit keys
- Classical DSA applied over the algebra of finite fields of elliptic curves

Slide 33: Suite-B Key Exchange: The Best Bit of Suite-B
- Elliptic Curve Diffie-Hellman (or Elliptic Curve MQV)
- Curves with 256 and 384-bit prime moduli; Microsoft also supports 521 bits
- Susceptible to man-in-the-middle attack, so requires authentication: using digital signatures, certificates, or pre-shared secrets

Slide 34: Diffie-Hellman Conceptually (this is non-EC, normal DH)
- Alice and Bob openly agree on a (large) prime number p and a base integer g: p = 83, g = 8
- Alice chooses a private secret integer a = 9, and then sends Bob the public value (g^a) mod p = (8^9) mod 83 = 5
- Bob chooses a private secret integer b = 21, and then sends Alice the public value (g^b) mod p = (8^21) mod 83 = 18
- Alice computes (((g^b) mod p)^a) mod p = (18^9) mod 83 = 24
- Bob computes (((g^a) mod p)^b) mod p = (5^21) mod 83 = 24
- 24 is the shared secret, never sent over the network!

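The slide's exchange carried out in code, as an added example that is not from the original deck: the same toy parameters p = 83, g = 8, a = 9, b = 21, with a square-and-multiply ModPow so the intermediate powers never grow large. The Check method confirms that both sides arrive at the same secret; Main additionally verifies it against the slide's figure of 24.

```csharp
using System;

// Added example, not part of the original deck: the slide's Diffie-Hellman exchange
// with its toy parameters. Real deployments use primes of thousands of bits (or
// elliptic-curve groups, as in EC-DH); 83 is small enough to check by hand.
static class DiffieHellmanToy
{
    // Square-and-multiply modular exponentiation: (b^e) mod m without ever
    // forming the full power, so 8^21 never overflows a long.
    public static long ModPow(long b, long e, long m)
    {
        long result = 1;
        b %= m;
        while (e > 0)
        {
            if ((e & 1) == 1) result = (result * b) % m;
            b = (b * b) % m;
            e >>= 1;
        }
        return result;
    }

    // Runs the exchange and returns true when both parties derive the same secret.
    public static bool Check(long p, long g, long a, long b, out long shared)
    {
        long A = ModPow(g, a, p);            // Alice's public value, sent to Bob
        long B = ModPow(g, b, p);            // Bob's public value, sent to Alice
        long aliceSecret = ModPow(B, a, p);  // Alice: (B^a) mod p
        long bobSecret = ModPow(A, b, p);    // Bob:   (A^b) mod p
        shared = aliceSecret;
        return aliceSecret == bobSecret;
    }

    static void Main()
    {
        long p = 83, g = 8;   // public parameters, agreed openly
        long a = 9, b = 21;   // private secrets, never transmitted

        long shared;
        bool agree = Check(p, g, a, b, out shared);
        Console.WriteLine("Public values: A = " + ModPow(g, a, p) + ", B = " + ModPow(g, b, p));
        Console.WriteLine("Both sides agree: " + agree + ", shared secret = " + shared);
        // The slide's figures: A = 5, B = 18, shared secret = 24. Only A and B cross
        // the wire; recovering a or b from them is the discrete logarithm problem.
        if (!agree || shared != 24) throw new InvalidOperationException("unexpected result");
    }
}
```

Nothing here authenticates Alice to Bob, which is the point the Suite-B key exchange slide makes: an active attacker who can replace A and B with their own values completes a separate exchange with each side, so real protocols sign or certify the public values.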
Slide 35: Suite-B Key Exchange (MQV)
- EC-MQV: Menezes, Qu, and Vanstone protocol; authenticated key exchange
- Design similar to DH; uses the discrete logarithm concept
- Also requires a pre-existing, verified and trusted long-term public/private keypair, which is only used for trust establishment, not for actual encryption or signing
- This gives it an important forward-secrecy property
- Suite-B uses the EC implementation of MQV

Slide 36: Suite-B Hashing: Secure Hash Algorithm "2"
- FIPS 180-2 (using SHA-256 and SHA-384)
- MD5 and SHA-0 have been broken, and SHA-1 has been theoretically and allegedly practically broken
- SHA-2 should suffice for a few years, but ultimately it must be replaced
- SHA-2 allows 224, 256, 384, and 512-bit lengths

Slide 37: APIs for Suite-B Today? That's what we have been waiting for

Slide 38: Cryptography APIs for Suite-B

Slide 39: Cryptography Next Generation API (CNG)
- CAPI 1.0 has been deprecated and may be dropped in a future Windows
- CNG: open cryptographic API for Windows 7, Server 2008 and R2, and Vista
- Plug in kernel-mode or user-mode algorithms
- Enables policy-based enterprise crypto configuration

Slide 40: Main CNG Features
- Cryptography agnostic
- Kernel mode for performance and security (better performance than CAPI 1.0)
- Aim for FIPS-140 certification: 140-2 and Common Criteria (CC) on selected platforms; 140-1 everywhere
- Aim for CC compliance for long-term key storage and audit
- Suite-B, of course, but also supports all existing algorithms available through CryptoAPI 1.0
- Key isolation and storage using TPMs
- Developer-friendly model for plug-ins

Slide 41: CNG Design: Three APIs within CNG
- CNG Cryptographic Primitive Functions: the "main" API; all algorithms are here; their names begin with a "B"
- CNG Key Storage Functions: allows interaction with the new Key Storage Providers concept; supports existing devices (smartcards) and future types of tokens; this is also for encryption (see later); names begin with an "N"
- CNG Cryptographic Configuration Functions: for registering and managing additional cryptographic functions
- http://msdn2.microsoft.com/en-us/library/aa375276.aspx

Slide 42: Other APIs, in addition to CNG
- .NET Framework System.Security.Cryptography: 3.0 does not manage CNG; 3.5 and 4.0 manage CNG
- TBS: TPM Base Services, for interaction with Trusted Platform Modules
- Certificate Enrolment API

Slide 43: CNG: Cryptographic Primitives Architecture (diagram)

Slide 44: Using CNG: Two Models
- Your choice of who provides algorithms and keys:
  - A Key Storage Provider (such as smartcards): all function names begin with "N", such as NCryptOpenStorageProvider; this is the CNG Key Storage Functions API (Ncrypt.h, Ncrypt.lib and Ncrypt.dll)
  - The operating system's software providers: all function names begin with "B", such as BCryptOpenAlgorithmProvider; this is the CNG Cryptographic Primitive Functions API (Bcrypt.h, Bcrypt.lib and Bcrypt.dll)

Slide 45: So, Who Encrypts? Reason for the Two APIs
- "B-API" if you want the OS to do all the encryption (Microsoft's implementation or one you have added); realistically: use for symmetric encryption
- "N-API" if you have a smartcard, HSM (hardware security module), a TPM, or a suitable CSP; all computations are performed by the device; realistically: use for key exchange only; generally, the OS has little or nothing to do

Slide 46: Using CNG: Concepts
- Win32/COM library
- Request an algorithm/class, and the system offers the best
- You can always choose a specific provider: BCryptEnumRegisteredProviders
- You can check properties of a provider before use: BCryptQueryProviderRegistration
- You can register a specific provider: BCryptRegisterProvider
- This solves the huge problem of updates, when better implementations are found in the future

Slide 47: Using CNG: Encryption Steps
Follow this process:
1. Open a CNG Algorithm Provider: BCryptOpenAlgorithmProvider
2. Generate or import keys
3. Calculate the size of the encrypted data: call BCryptEncrypt with NULL for the pbInput parameter
4. Encrypt the data by calling BCryptEncrypt again; repeat this step as needed using chaining (not a loop)
5. Output the result
6. Close the provider, unless caching, and clean up: BCryptCloseAlgorithmProvider

Slide 48: Randomness
- Use BCryptGenRandom
- The default generator is at least FIPS-186-2 compliant
- Uses entropy gathered over time; you can add your own entropy
- You can also specify a different generator for all calls
- Needless to say, do not use Rnd() etc. from your favourite language

Slide 49: Tidy Up!
- After use, don't forget to:
  - Destroy any in-memory keys and handles using BCryptDestroyKey
  - Destroy plaintext (or encrypt in place); this is not straightforward if UI was involved

Slide 50: CNG and .NET Fx 3.5 and 4.0
- New algorithms: AesCryptoServiceProvider, ECDiffieHellmanCng, ECDSACng, SHA1Cng, SHA256Cng, SHA384Cng, SHA512Cng
- Avoid "old" (.NET 3.0 and earlier) providers: no FIPS certification, harder to use
- CngKey wraps "NCrypt" and some functionality of "BCrypt"
- Use CngUIPolicy to enforce user actions on private keys

Slide 51: Using .NET Fx 3.5 and CNG
- Sender and recipient use CngKey to access or generate their private/public key pairs; CngKey will use your security device if present
- Parties exchange their public key (serialising and/or wrapping it)
- Sender and recipient use ECDiffieHellmanCng to generate a shared secret key by deriving it from their own and the other party's keys
- Use AesCryptoServiceProvider and the CryptoStream to encrypt data

Slide 52: Use of ECDiffieHellmanCng

// First, point CngKey to your security device or a CSP
ECDiffieHellmanCng sender = new ECDiffieHellmanCng();
sender.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
sender.HashAlgorithm = CngAlgorithm.Sha256;
ECDiffieHellmanCng recipient = new ECDiffieHellmanCng();
recipient.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
recipient.HashAlgorithm = CngAlgorithm.Sha256;
// Exchange the x.PublicKey by serialising and sending them
byte[] recipientKey = recipient.DeriveKeyMaterial(sender.PublicKey);
byte[] senderKey = sender.DeriveKeyMaterial(recipient.PublicKey);
// recipientKey and senderKey now hold the same 256-bit (SHA-256 derived) key material

Slide 53: Conceptual Use of AES with CNG

// Remember an IV (in plaintext); it can be random
AesCryptoServiceProvider myAES = new AesCryptoServiceProvider();
myAES.Key = senderKey;   // the key material derived by ECDiffieHellmanCng on the previous slide
myAES.GenerateIV();      // keep myAES.IV with the output; the recipient needs it to decrypt
FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);
ICryptoTransform aesencrypt = myAES.CreateEncryptor();
CryptoStream myCryptoStream = new CryptoStream(fsEncrypted, aesencrypt, CryptoStreamMode.Write);
// Now just write to myCryptoStream like a normal file stream; the output will be encrypted.
// Call myCryptoStream.FlushFinalBlock() (or Close()) when done so the last padded block is written.

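The previous two slides as one working program, added here and not the deck's or Microsoft's own sample: ephemeral ECDiffieHellmanCng keys on both sides, the public key serialised with ToByteArray and re-imported with ECDiffieHellmanCngPublicKey.FromByteArray as it would be after crossing the network, the derived 256-bit key material fed to AesCryptoServiceProvider, and CryptoStream applying CBC with a fresh IV (the "chaining mode, not a loop" point from the Rely on Cryptosystems slide). It assumes .NET Framework 3.5 on Windows with CNG available; the sample plaintext is constructed. As the Suite-B key exchange slide notes, raw ECDH does not authenticate the peer; signing or certifying the exchanged public keys is left out here.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the deck's or Microsoft's own sample. Assumes .NET Framework 3.5
// on Windows with CNG available; keys are ephemeral software keys (no smartcard/KSP).
static class EcdhAesDemo
{
    // Each party: ephemeral EC key pair (P-256 by default) plus the KDF from the slide,
    // SHA-256 over the ECDH shared secret, giving 32 bytes of AES-256 key material.
    public static ECDiffieHellmanCng NewParty()
    {
        ECDiffieHellmanCng party = new ECDiffieHellmanCng();
        party.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
        party.HashAlgorithm = CngAlgorithm.Sha256;
        return party;
    }

    // What crosses the network: the public key as an ECC public blob.
    public static byte[] ExportPublic(ECDiffieHellmanCng party)
    {
        return party.PublicKey.ToByteArray();
    }

    public static byte[] DeriveSharedKey(ECDiffieHellmanCng me, byte[] peerPublicBlob)
    {
        ECDiffieHellmanPublicKey peer =
            ECDiffieHellmanCngPublicKey.FromByteArray(peerPublicBlob, CngKeyBlobFormat.EccPublicBlob);
        return me.DeriveKeyMaterial(peer);
    }

    // AES-256-CBC via CryptoStream: the chaining mode and PKCS#7 padding are applied
    // for us, so there is no hand-rolled block loop. Output = IV || ciphertext.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                        // fresh IV from the OS CSPRNG
            using (MemoryStream ms = new MemoryStream())
            {
                byte[] iv = aes.IV;
                ms.Write(iv, 0, iv.Length);          // IV is not secret, but must be unique per key
                using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();            // writes the final padded block
                }
                return ms.ToArray();
            }
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[aes.BlockSize / 8];
            Array.Copy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (MemoryStream ms = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (CryptoStream cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (MemoryStream output = new MemoryStream())
            {
                byte[] buf = new byte[4096];
                int n;
                while ((n = cs.Read(buf, 0, buf.Length)) > 0) output.Write(buf, 0, n);
                return output.ToArray();             // a wrong key or IV surfaces as a padding error here
            }
        }
    }

    static void Main()
    {
        using (ECDiffieHellmanCng sender = NewParty())
        using (ECDiffieHellmanCng recipient = NewParty())
        {
            // Both derive the same key from their own private key and the peer's public blob.
            byte[] senderKey = DeriveSharedKey(sender, ExportPublic(recipient));
            byte[] recipientKey = DeriveSharedKey(recipient, ExportPublic(sender));

            byte[] blob = Encrypt(senderKey, Encoding.UTF8.GetBytes("The quick brown fox jumps over the lazy dog")); // constructed input
            Console.WriteLine("Recipient reads: " + Encoding.UTF8.GetString(Decrypt(recipientKey, blob)));

            Array.Clear(senderKey, 0, senderKey.Length);        // tidy up: destroy key material
            Array.Clear(recipientKey, 0, recipientKey.Length);
        }
    }
}
```

CBC gives confidentiality only; a padding error on decrypt is the only signal that the blob was altered, so a production design would add a MAC (or use CCM/GCM, which the CNG slide lists) over IV and ciphertext before the recipient decrypts.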
Slide 54: CNG in Action (demo)

Slide 55: References
- Get a bigger CNG sample from: http://msdn.microsoft.com/en-us/library/cc488018.aspx
- My demo (and this PPT) at: http://projectbotticelli.com/downloads/public/
- Read sci.crypt (incl. archives), subscribe to Cryptogram
- For more detail, read:
  - Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
  - Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
  - Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5, see http://www.esecurity.ch/Books/cryptography.html
  - Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
  - Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
  - PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
  - Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
  - Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)

Slide 56: Summary
- Today's cryptography has just accelerated its evolution
- Windows Vista and Windows Server 2008 are at the front of innovation in this field
- Unleash the awesome power of Suite-B with CNG by using .NET Framework 3.5!

Slide 57: Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources

Slide 61: Cryptography Primer (Hidden Section for Your Reading Pleasure)

Slide 62: Symmetric Key Cryptography (diagram)
- Encryption: plain-text input "The quick brown fox jumps over the lazy dog" becomes cipher-text "AxCv;5bmEseTfid3)fGsmWe#4^,sdgfMwir3:dkJeTsY8R\s@!q3%"
- Decryption: the cipher-text becomes plain-text output "The quick brown fox jumps over the lazy dog"
- The same key (shared secret) is used for both

Slide 63: Symmetric Pros and Cons
- Strength: simple and really very fast (of the order of 1000 to 10000 times faster than asymmetric mechanisms); super-fast (and somewhat more secure) if done in hardware (DES, Rijndael)
- Weakness: must agree the key beforehand; securely pass the key to the other party

Slide 64: Public Key Cryptography
- Knowledge of the encryption key doesn't give you knowledge of the decryption key
- The receiver of information generates a pair of keys and publishes the public key in a directory
- Then anyone can send the receiver messages that only the receiver can read

Slide 65: Public Key Encryption (diagram)
- Encryption with the recipient's public key: clear-text input "The quick brown fox jumps over the lazy dog" becomes cipher-text "Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs"
- Decryption with the recipient's private key: the cipher-text becomes clear-text output "The quick brown fox jumps over the lazy dog"
- Different keys: public for encryption, private for decryption

Slide 66: Public Key Pros and Cons
- Strength: solves the problem of passing the key; allows establishment of a trust context between parties
- Weakness: extremely slow; susceptible to "known ciphertext" attack; problem of trusting the public key (see later on PKI)

Slide 67: Hybrid Encryption (Real World) (diagram)
- Plaintext: "€25m hidden at 221b Baker St. Access code is..."
- An RNG produces a randomly generated symmetric "session" key
- Symmetric encryption (e.g. AES) with the session key turns the plaintext into cipher-text "*#$fjda^j u539!3t t389E *&\@ 5e%32\^kd"
- The session key is encrypted asymmetrically (e.g. RSA) with the user's public key (in certificate), forming a Digital Envelope
- As above, repeated for other recipients or recovery agents: the session key is also encrypted with the other recipient's or agent's public key (in certificate, in recovery policy), forming another Digital Envelope

Slide 68: Hybrid Decryption (diagram)
- Cipher-text "*#$fjda^j u539!3t t389E *&\@ 5e%32\^kd" and the Digital Envelope arrive at the recipient
- The Digital Envelope contains the "session" key encrypted using the recipient's public key
- Asymmetric decryption of the "session" key (e.g. RSA): the session key must be decrypted using the recipient's private key
- Symmetric decryption (e.g. AES) with the recovered symmetric "session" key yields the plaintext "€25m hidden at 221b Baker St. Access code is..."

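The digital envelope from the two diagrams, as an added example that is not the deck's own code: one random AES session key encrypts the data, and that key is RSA-OAEP-encrypted separately for the user and for a recovery agent, so either private key can open the message. RSA key pairs are generated in-process for the demo; in the diagrams they would come from certificates. The plaintext is the slide's own. Like the diagrams, the envelope provides confidentiality only; to detect tampering the sender would additionally sign the message.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the deck's own code: the digital envelope from the two diagrams.
// RSA key pairs are generated in-process for the demo; in practice the public keys
// would come from the recipients' certificates.
static class DigitalEnvelopeDemo
{
    public sealed class Envelope
    {
        public byte[] IV;                   // sent in the clear; must be unique per session key
        public byte[] Ciphertext;           // AES-CBC of the message
        public byte[][] WrappedSessionKeys; // one RSA-encrypted copy of the session key per recipient
    }

    // Seal: one random session key for the data, wrapped once for each recipient
    // (e.g. the user and a recovery agent named in the recovery policy).
    public static Envelope Seal(byte[] plaintext, params RSACryptoServiceProvider[] recipients)
    {
        Envelope env = new Envelope();
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.KeySize = 256;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateKey();              // RNG-backed "session" key, used for this message only
            aes.GenerateIV();
            env.IV = aes.IV;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                env.Ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

            env.WrappedSessionKeys = new byte[recipients.Length][];
            for (int i = 0; i < recipients.Length; i++)
                // fOAEP = true selects OAEP padding; PKCS#1 v1.5 (false) is the older, weaker choice.
                env.WrappedSessionKeys[i] = recipients[i].Encrypt(aes.Key, true);
        }   // Dispose clears the session key held by the provider
        return env;
    }

    // Open: unwrap my copy of the session key with my private key, then decrypt the data.
    public static byte[] Open(Envelope env, int recipientIndex, RSACryptoServiceProvider privateKey)
    {
        byte[] sessionKey = privateKey.Decrypt(env.WrappedSessionKeys[recipientIndex], true);
        try
        {
            using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
            {
                aes.Key = sessionKey;
                aes.IV = env.IV;
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    return dec.TransformFinalBlock(env.Ciphertext, 0, env.Ciphertext.Length);
            }
        }
        finally
        {
            Array.Clear(sessionKey, 0, sessionKey.Length);   // tidy up
        }
    }

    static void Main()
    {
        using (RSACryptoServiceProvider user = new RSACryptoServiceProvider(2048))
        using (RSACryptoServiceProvider recoveryAgent = new RSACryptoServiceProvider(2048))
        {
            byte[] message = Encoding.UTF8.GetBytes("€25m hidden at 221b Baker St. Access code is...");
            Envelope env = Seal(message, user, recoveryAgent);

            // Either private key opens its own wrapped copy; the RSA step never touches the data itself.
            Console.WriteLine("User reads:  " + Encoding.UTF8.GetString(Open(env, 0, user)));
            Console.WriteLine("Agent reads: " + Encoding.UTF8.GetString(Open(env, 1, recoveryAgent)));
        }
    }
}
```

Wrapping only the 32-byte session key keeps the slow RSA operation to one small block per recipient, which is why the "extremely slow" weakness of public-key encryption from the previous slide does not matter for the bulk data.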