1. 2 rafal lukawiecki strategic consultant project botticelli ltd session code: arc303

Upload: dinah-hilary-clark, posted 23-Dec-2015


Architecture and Application of Microsoft .NET Framework 3.5 Cryptography for Data Protection

Rafal Lukawiecki
Strategic Consultant
Project Botticelli Ltd
Session Code: ARC303


Objectives And Agenda

Outline data protection requirements
Explain the status of today’s cryptography
Introduce the cryptography APIs for Windows 7 and Windows Server 2008 R2

The information herein is for informational purposes only and represents the opinions and views of Project Botticelli and/or Rafal Lukawiecki. The material presented is not certain and may vary based on several factors. Microsoft makes no warranties, express, implied or statutory, as to the information in this presentation.

© 2009 Project Botticelli Ltd & Microsoft Corp. Some slides contain quotations from copyrighted materials by other authors, as individually attributed. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Project Botticelli Ltd as of the date of this presentation. Because Project Botticelli & Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft and Project Botticelli cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT AND/OR PROJECT BOTTICELLI MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. E&OE.


Agenda

Data Protection Goals
State of Today’s Cryptography
Cryptography in Windows 7, Vista, and Windows Server 2008 and R2
Demo: simple but fully working CNG code using .NET Framework 3.5
Hidden Section {Crypto Primer}


Why Do We Need This Session?

Crypto is still cryptic, with lots of new stuff
You need Data Protection badly
For every good crypto choice, apps make several bad ones
Good crypto starts in the architecture


Data Protection Goals


Defense in Depth

Policies, Procedures, & Awareness: user education against social engineering
Physical Security: guards, locks, tracking devices, HSM, TPM
Perimeter: firewalls, VPN quarantine
Internal Network: compartments, IPSec, IDS
Host: OS hardening, updates, BitLocker, strong authentication, secure startup
Application: application hardening
Data: cryptography


Data Protection is Important

DP is at the heart of all defence
It has to work when everything else has failed
DP is typically the only defence when physical security has been broken

You need Data Protection in your application’s architecture!


Essence of Data Protection

Protect secrets, customer data, private information... by encrypting it with keys (EASY)

Then, protect the keys (REALLY VERY HARD):
Human memory (passwords + DPAPI)
Devices (smartcards, TPMs)
Paper (and a good safe)
Obfuscation (temporary protection)


Easiest Crypto, Please?

Just use DPAPI
System.Security.Cryptography
ProtectedData.Protect
ProtectedMemory.Protect

Takes care of looking after keys

Or, if you are brave enough – stay with us!
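A worked round trip through the two DPAPI entry points named on this slide, as an added example that is not part of the deck or of the speaker's demo download. It assumes .NET Framework 2.0 or later on Windows with a reference to System.Security.dll; the entropy string and the sample secret are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData, ProtectedMemory (System.Security.dll)
using System.Text;

public static class DpapiDemo
{
    // Optional entropy is a per-application secret mixed into DPAPI's key derivation.
    // Without it, any code running as the same Windows user can Unprotect the blob.
    // The value here is a constructed placeholder; a real app keeps it out of source.
    private static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // CurrentUser scope: the blob only unprotects under this user's profile.
    // LocalMachine scope would let any account on the machine unprotect it.
    public static byte[] Protect(byte[] plaintext)
    {
        return ProtectedData.Protect(plaintext, AppEntropy, DataProtectionScope.CurrentUser);
    }

    public static byte[] Unprotect(byte[] blob)
    {
        return ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
    }

    // ProtectedMemory works in place and requires a buffer whose length is a multiple of 16 bytes.
    public static byte[] PadToBlock(byte[] data)
    {
        int padded = (data.Length + 15) / 16 * 16;
        byte[] buffer = new byte[padded];
        Array.Copy(data, buffer, data.Length);
        return buffer;
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-password");

        // Persistent protection, e.g. before writing a credential to a config file.
        byte[] blob = Protect(secret);
        byte[] recovered = Unprotect(blob);
        Console.WriteLine("round trip ok: " +
            (Encoding.UTF8.GetString(recovered) == "constructed-sample-password"));

        // Wrong entropy (or a different user) fails with CryptographicException, not with garbage output.
        try
        {
            ProtectedData.Unprotect(blob, Encoding.UTF8.GetBytes("wrong-entropy"), DataProtectionScope.CurrentUser);
            Console.WriteLine("unexpected: unprotect succeeded");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("unprotect with wrong entropy rejected");
        }

        // Transient protection of a buffer that stays inside this process's memory.
        byte[] inMemory = PadToBlock(secret);
        ProtectedMemory.Protect(inMemory, MemoryProtectionScope.SameProcess);
        // ... the buffer is scrambled while it waits; unprotect only at the moment of use ...
        ProtectedMemory.Unprotect(inMemory, MemoryProtectionScope.SameProcess);
        Console.WriteLine("memory round trip ok: " +
            (Encoding.UTF8.GetString(inMemory, 0, secret.Length) == "constructed-sample-password"));
        Array.Clear(inMemory, 0, inMemory.Length);   // wipe the plaintext when done
    }
}
```

Protect ties the blob to the current user's DPAPI master key, so the secret you are really relying on is that user's logon credential (the "human memory" case from the previous slide). The optional entropy stops other code running as the same user from calling Unprotect unless it also knows that value, which is why the entropy itself needs a home outside the protected file.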


Advanced DP in .NET Frameworks

System.Security.Cryptography: Rijndael, RSA, and DSA managed providers and CryptoStream
Full crypto, not FIPS-certified: .NET Fx 2.0, 3.0, 3.5
CNG wrappers for full, FIPS-certified cryptography: .NET Fx 3.5, and the same in 4.0

System.Security.Cryptography.Xml: W3C XML Encryption and XML Signature standards

System.Security.Cryptography.Pkcs: PKCS#7 and Cryptographic Message Syntax (CMS) standards


Cryptography of Past, Present and its Problems


XP Recommendation

If you cannot use Windows 7, Windows Server 2008, R2, or even Vista…
At present (Nov 2009), consider:
Rijndael or AES-128 (or AES-192, or AES-256)
RSA 4096 (arguably 3072 or longer)
“SHA-2” (i.e. SHA-256, or SHA-512)
DSA (or SHA-2/RSA signatures)


DES, IDEA, RC2, RC5, Twofish
Not Recommended

These are all symmetric non-recommendations

DES (Data Encryption Standard)
DO NOT USE DES!
Triple DES (3DES) is more secure, but better options exist

IDEA (International Data Encryption Standard)
128-bit keys, but the design is weak by today’s standards

RC2 & RC5 (by R. Rivest)
RC2 is older and RC5 newer (1994); similar to DES and IDEA

Blowfish, Twofish: good, but not a standard


Rijndael & AES
Recommended

Present standard
Winner of the AES (Advanced Encryption Standard) competition
NIST (US National Institute of Standards and Technology), 1997-2000
Comes from Europe (Belgium), by Joan Daemen and Vincent Rijmen
Recommended by NSA CNSSP-15 policy
Symmetric block cipher (128, 192 or 256-bit blocks) with variable keys (128, 192 or 256 bits, too)

AES is a specific way of using Rijndael

.NET Fx 3.0 RijndaelManaged is a full Rijndael

.NET Fx 3.5 AesManaged is a standards-compliant version of Rijndael


CAST and GOST
Not used widely anymore – avoid

CAST
Canadians Carlisle Adams & Stafford Tavares
64-bit key and 64 bits of data: not enough

GOST
Soviet Union’s “version” of DES but with a clearer design and many more repetitions of the process
256-bit key but really 610 bits of secret, so pretty much “tank quality”
Backdoor? Who knows…


Rely on Cryptosystems

Never use just an algorithm
Always use an entire cryptosystem
E.g.: AES used in a simple “loop” to encrypt a stream of data destroys security
Use a block chaining mode

CNG supports CBC, CFB, and as of Vista SP1/WS08 also CCM, and GCM

Easiest way: .NET Fx CryptoStream applies your chosen symmetric algorithm correctly
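An added example, not from the deck, of what "AES in a simple loop" costs: the same plaintext is run through AesCryptoServiceProvider in ECB mode (every block encrypted independently, which is exactly what a hand-rolled loop over 16-byte chunks amounts to) and then in the class's default CBC mode, and the ciphertext blocks are compared. It assumes .NET Framework 3.5 with System.Core.dll; the key, IV and the repeated record are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ChainingModeDemo
{
    // Encrypts plaintext with AES under the given mode and returns the raw ciphertext.
    public static byte[] Encrypt(byte[] key, byte[] iv, CipherMode mode, byte[] plaintext)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.IV = iv;                       // ignored by ECB, required by CBC
            aes.Mode = mode;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform encryptor = aes.CreateEncryptor())
            using (MemoryStream output = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(output, encryptor, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();      // emits the final padded block
                }
                return output.ToArray();       // ToArray still works after the stream is closed
            }
        }
    }

    // Number of 16-byte ciphertext blocks that are byte-for-byte equal to an earlier block.
    // Anything above zero means the ciphertext reveals structure of the plaintext.
    public static int CountRepeatedBlocks(byte[] ciphertext)
    {
        HashSet<string> seen = new HashSet<string>();
        int repeats = 0;
        for (int offset = 0; offset + 16 <= ciphertext.Length; offset += 16)
        {
            string block = Convert.ToBase64String(ciphertext, offset, 16);
            if (!seen.Add(block)) repeats++;
        }
        return repeats;
    }

    public static void Main()
    {
        // Constructed plaintext: the same 16-byte record repeated four times (64 bytes).
        byte[] record = Encoding.ASCII.GetBytes("ACCOUNT=00000042");
        byte[] plaintext = new byte[record.Length * 4];
        for (int i = 0; i < 4; i++)
            Array.Copy(record, 0, plaintext, i * record.Length, record.Length);

        // Key and IV from the OS cryptographic RNG, never from System.Random.
        byte[] key = new byte[32];
        byte[] iv = new byte[16];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }

        byte[] ecb = Encrypt(key, iv, CipherMode.ECB, plaintext);
        byte[] cbc = Encrypt(key, iv, CipherMode.CBC, plaintext);

        // ECB: four identical plaintext blocks give four identical ciphertext blocks (3 repeats).
        // CBC: every block is chained to its predecessor, so none repeat (0 repeats).
        Console.WriteLine("ECB repeated blocks: " + CountRepeatedBlocks(ecb));
        Console.WriteLine("CBC repeated blocks: " + CountRepeatedBlocks(cbc));
    }
}
```

The CryptoStream does not choose the mode for you; it only feeds the transform correctly. AesCryptoServiceProvider defaults to CBC, so the protection is lost only when code sets CipherMode.ECB or bypasses the transform with its own block loop, and a fresh random IV per message is what keeps two CBC encryptions of the same data from matching.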


Dangerous Implementations

Cryptographic applications from not-well-known sources
I “just downloaded this library”

Insist on using built-in systems where possible:
Microsoft OS: CNG, CAPI, CAPICOM etc.
Smartcards: certified CSPs/KSPs
Elsewhere: FIPS 140-2 compliant implementations

See csrc.nist.gov/cryptval


RC4
Generally Not Recommended

Symmetric
Fast, streaming encryption
R. Rivest in 1994
Originally secret, but “published” on sci.crypt

Related to the “one-time pad”, theoretically the most secure
But! It relies on a really good random number generator

And that is a problem

Nowadays: use AES with a chaining mode


XP/2003 Era of Crypto APIs
Still used and supported

Microsoft CryptoAPI (CAPI) 2.0 was the interface to all CSPs
Cryptographic Service Providers: built-in or smartcard-based
.NET Framework 1.1, 2.0 and 3.0 wrap most of the functionality of CAPI in the namespace System.Security.Cryptography
Or you could use the CAPICOM library


Contemporary Cryptography


The Golden Standard

US NSA and NIST recommended “Suite-B” protocols
Microsoft supports Suite-B only in Windows 7, Windows Server 2008 and R2, and Vista

Internally Windows does not use weaker algorithms than Suite-B

But, of course, you can if you wish – please don’t except for backwards compatibility


Suite B
www.nsa.gov/ia/industry/crypto_suite_b.cfm

Mandatory set of cryptographic algorithms for non-classified and classified (SECRET and TOP-SECRET) USG needs since 2008
Except a small area of special-security needs (e.g. nuclear security), guided by Suite A (whose definition is, naturally, classified)
Widely used world-wide, as of 2009


Mathematical Designs

Many cryptographic algorithms (e.g. DSA) rely on a class of mathematical designs related to the concept of discrete logarithms
These can be implemented over any finite abelian group

Normally, this means using integers modulo a prime number

Alternatively, elliptic curve groups could be used


Elliptic Curve Cryptography
ECC

More efficient design, fewer bits of key
Harder to break
Significantly faster algorithms
Used to enhance existing algorithms, such as DH or DSA


Suite-B Algorithms

Encryption: AES
Digital Signature: EC-DSA
Key Exchange: EC-DH or EC-MQV
Hashing: SHA-2


Suite-B Encryption

AES
FIPS 197 (with key sizes of 128 and 256 bits)
Rijndael with 128-bit data blocks only
Keys of 192 bits not used

Most 256 bit implementations much slower than 128

Anything of 84 bits or more in this class considered “good enough” commercially (Nov 2009)


Suite-B Digital Signatures

Elliptic Curve Digital Signature Algorithm (EC-DSA)

FIPS 186-2 (using the curves with 256 and 384-bit prime moduli)

Microsoft also supports 521-bit keys

Classical DSA applied over the algebra of finite fields of elliptic curves


Suite-B Key Exchange
The Best Bit of Suite-B

Elliptic Curve Diffie-Hellman (or Elliptic Curve MQV)
Curves with 256 and 384-bit prime moduli
Microsoft also supports 521 bits

Susceptible to man-in-the-middle attack
So requires authentication

Using digital signatures, certificates, or pre-shared secrets
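An added example, not from the deck, of the authentication step this slide calls for, using the .NET 3.5 CNG wrappers from the signature and key-exchange slides: the ephemeral ECDH public blob is signed with a long-lived ECDsaCng key before it is sent, and the receiver verifies it with nothing but the signer's exported public key. It assumes .NET Framework 3.5 on Vista or later; the curve sizes are the Suite-B P-256 defaults and every key is generated in place (a real signing key would live in a certificate-backed KSP).

```csharp
using System;
using System.Security.Cryptography;

public static class SignedKeyExchangeDemo
{
    // Signs an opaque blob with a long-lived ECDSA key (P-256 curve, SHA-256 digest).
    public static byte[] SignBlob(ECDsaCng signingKey, byte[] blob)
    {
        signingKey.HashAlgorithm = CngAlgorithm.Sha256;
        return signingKey.SignData(blob);
    }

    // Verifies blob/signature using only the signer's exported public key blob.
    public static bool VerifyBlob(byte[] signerPublicBlob, byte[] blob, byte[] signature)
    {
        using (CngKey publicKey = CngKey.Import(signerPublicBlob, CngKeyBlobFormat.EccPublicBlob))
        using (ECDsaCng verifier = new ECDsaCng(publicKey))
        {
            verifier.HashAlgorithm = CngAlgorithm.Sha256;
            return verifier.VerifyData(blob, signature);
        }
    }

    public static void Main()
    {
        // Alice's identity key (in practice certificate-backed, in a smartcard or TPM KSP)
        // and a fresh ephemeral ECDH key for this one session.
        using (ECDsaCng aliceSigningKey = new ECDsaCng(256))
        using (ECDiffieHellmanCng aliceEphemeral = new ECDiffieHellmanCng(256))
        {
            // What Alice sends: her ECDH public blob plus a signature over it.
            byte[] ecdhPublic = aliceEphemeral.PublicKey.ToByteArray();
            byte[] signature = SignBlob(aliceSigningKey, ecdhPublic);

            // What Bob already trusts: Alice's public signing key (from a certificate
            // or an earlier out-of-band exchange), here exported directly.
            byte[] alicePublicSigningBlob = aliceSigningKey.Key.Export(CngKeyBlobFormat.EccPublicBlob);

            Console.WriteLine("genuine ECDH blob verifies: "
                + VerifyBlob(alicePublicSigningBlob, ecdhPublic, signature));        // True

            // A blob that did not come from Alice (here simply a different ephemeral key)
            // fails verification, so Bob never derives a shared secret from it.
            using (ECDiffieHellmanCng other = new ECDiffieHellmanCng(256))
            {
                byte[] foreignBlob = other.PublicKey.ToByteArray();
                Console.WriteLine("substituted ECDH blob verifies: "
                    + VerifyBlob(alicePublicSigningBlob, foreignBlob, signature));   // False
            }
        }
    }
}
```

The check has to run before DeriveKeyMaterial is ever called on the received blob; deriving first and verifying later leaves a window in which an unauthenticated key has already been used. The same pattern covers the "certificates" option on the slide, with the public signing blob replaced by the key from an X509Certificate2 that chains to a trusted root.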


Diffie-Hellman Conceptually
This is non-EC, normal DH

1. Alice and Bob openly agree on a (large) prime number p and a base integer g: p = 83, g = 8

2. Alice chooses a private secret integer a = 9, and then sends Bob the public value (g^a) mod p: (8^9) mod 83 = 5

3. Bob chooses a private secret integer b = 21, and then sends Alice the public value (g^b) mod p: (8^21) mod 83 = 18

4. Alice computes (((g^b) mod p)^a) mod p: (18^9) mod 83 = 24

5. Bob computes (((g^a) mod p)^b) mod p: (5^21) mod 83 = 24

24 is the shared secret – never sent over the network!
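The five steps above carried through in code, as an added example that is not part of the deck. It uses System.Numerics.BigInteger.ModPow, which exists from .NET Framework 4.0 onward, so that is an assumption beyond the 3.5 APIs the session covers. The numbers are the slide's own (p = 83, g = 8, a = 9, b = 21); the trial discrete-logarithm function is added to show why these sizes are for illustration only.

```csharp
using System;
using System.Numerics;   // BigInteger.ModPow: System.Numerics.dll, .NET Framework 4.0 or later

public static class TextbookDiffieHellman
{
    // Public value that goes over the network: g^secret mod p.
    public static BigInteger PublicValue(BigInteger g, BigInteger secret, BigInteger p)
    {
        return BigInteger.ModPow(g, secret, p);
    }

    // Shared secret from the peer's public value and your own secret: (g^other)^secret mod p.
    public static BigInteger SharedSecret(BigInteger peerPublic, BigInteger secret, BigInteger p)
    {
        return BigInteger.ModPow(peerPublic, secret, p);
    }

    // Smallest x with g^x mod p == target, found by trying every exponent in turn.
    // Feasible only because p is tiny; with a prime of thousands of bits this loop
    // is the hard problem the scheme rests on.
    public static int DiscreteLogByTrial(BigInteger g, BigInteger target, BigInteger p)
    {
        BigInteger value = 1;
        for (int x = 0; x < p; x++)
        {
            if (value == target) return x;
            value = value * g % p;
        }
        return -1;
    }

    public static void Main()
    {
        BigInteger p = 83, g = 8;   // step 1: agreed in the open
        BigInteger a = 9;           // step 2: Alice's private secret
        BigInteger b = 21;          // step 3: Bob's private secret

        BigInteger A = PublicValue(g, a, p);   // 8^9  mod 83 = 5,  sent to Bob
        BigInteger B = PublicValue(g, b, p);   // 8^21 mod 83 = 18, sent to Alice

        BigInteger aliceShared = SharedSecret(B, a, p);   // step 4: 18^9  mod 83 = 24
        BigInteger bobShared = SharedSecret(A, b, p);     // step 5: 5^21  mod 83 = 24

        Console.WriteLine("A=" + A + " B=" + B + " alice=" + aliceShared + " bob=" + bobShared);
        Console.WriteLine("both sides agree: " + (aliceShared == bobShared));

        // An observer who saw only p, g and A recovers a = 9 here after a handful of multiplications.
        Console.WriteLine("a recovered by trial: " + DiscreteLogByTrial(g, A, p));
    }
}
```

Nothing secret crosses the wire, but nothing authenticates it either: the values A and B are accepted from whoever sends them, which is the man-in-the-middle gap the key-exchange slide describes and the reason the EC-DH step in CNG is paired with signatures or certificates.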


Suite-B Hashing

Secure Hash Algorithm “2”
FIPS 180-2 (using SHA-256 and SHA-384)

MD5 and SHA-0 have been broken, and SHA-1 has been theoretically and allegedly practically broken
SHA-2 should suffice for a few years, but ultimately it must be replaced

SHA-2 allows: 224, 256, 384, and 512 bit lengths


APIs for Suite-B Today?

That’s what we have been waiting for


Cryptography APIs for Suite-B


Cryptographic Next Generation API
CNG

CAPI 1.0 has been deprecated
May be dropped in a future Windows

CNG
Open cryptographic API for Windows 7, Server 2008 and R2, and Vista
Plug in kernel- or user-mode algorithms
Enables policy-based enterprise crypto configuration


Main CNG Features
1. Cryptography agnostic
2. Kernel-mode for performance and security (better performance than CAPI 1.0)
3. Aim for FIPS-140 Certification
   140-2 and Common Criteria (CC) on selected platforms
   140-1 everywhere
   Aim for CC compliance for long-term key storage and audit
4. Suite-B of course, but also supports all existing algorithms available through CryptoAPI 1.0
5. Key Isolation and Storage using TPMs
6. Developer-friendly model for plug-ins


Other APIs

In addition to CNG:
.NET Framework System.Security.Cryptography
3.0 does not manage CNG
3.5 and 4.0 manage CNG

TBS: TPM Base Services
For interaction with Trusted Platform Modules

Certificate Enrolment API


CNG: Cryptographic Primitives Architecture


So, Who Encrypts?
Reason for the Two APIs

“B-API” if you want the OS to do all the encryption
Microsoft implementation or one you have added
Realistically: use for symmetric encryption

“N-API” if you have a smartcard, HSM (hardware security module), a TPM, or a suitable CSP
All computations performed by the device
Realistically: use for key exchange only
Generally, the OS has little or nothing to do


Using CNG – Encryption Steps
Follow this process:
1. Open a CNG Algorithm Provider: BCryptOpenAlgorithmProvider
2. Generate or import keys
3. Calculate the size of encrypted data: call BCryptEncrypt with NULL for the pbInput parameter
4. Encrypt data by calling BCryptEncrypt again; repeat this step as needed using chaining (not a loop)
5. Output the result
6. Close the provider, unless caching, and clean up: BCryptCloseAlgorithmProvider


Randomness

Use BCryptGenRandom
The default generator is at least FIPS 186-2 compliant
Uses entropy gathered over time
You can add your own entropy

You can also specify a different generator for all calls

Needless to say, do not use Rnd() etc. from your favourite language


CNG and .NET Fx 3.5 and 4.0
New algorithms:
AesCryptoServiceProvider, ECDiffieHellmanCng, ECDsaCng, SHA1Cng, SHA256Cng, SHA384Cng, SHA512Cng

Avoid “old” (.NET 3.0 and earlier) providers
No FIPS certification
Harder to use

CngKey wraps “NCrypt” and some functionality of “BCrypt”

Use CngUIPolicy to enforce user actions on private keys


Using .NET Fx 3.5 and CNG

1. Sender and recipient use CngKey to access or generate their private/public key pairs; CngKey will use your security device if present

2. Parties exchange their public keys (serialising and/or wrapping them)

3. Sender and recipient use ECDiffieHellmanCng to generate a shared secret key by deriving it from their own and the other party’s keys

4. Use AesCryptoServiceProvider and the CryptoStream to encrypt data


Use of ECDiffieHellmanCng

using System.Security.Cryptography;

// First, point CngKey to your security device or a CSP
ECDiffieHellmanCng sender = new ECDiffieHellmanCng();
sender.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
sender.HashAlgorithm = CngAlgorithm.Sha256;

ECDiffieHellmanCng recipient = new ECDiffieHellmanCng();
recipient.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
recipient.HashAlgorithm = CngAlgorithm.Sha256;

// Exchange the x.PublicKey by serialising and sending them
// (PublicKey.ToByteArray() on one side, ECDiffieHellmanCngPublicKey.FromByteArray on the other)
byte[] recipientKey = recipient.DeriveKeyMaterial(sender.PublicKey);
byte[] senderKey = sender.DeriveKeyMaterial(recipient.PublicKey);
// Both arrays now hold the same 32-byte secret (the SHA-256 output length)


Conceptual Use of AES with CNG

using System.IO;
using System.Security.Cryptography;

// Remember an IV (in plaintext) – can be random
AesCryptoServiceProvider myAES = new AesCryptoServiceProvider();
myAES.Key = senderKey;   // the 32-byte secret derived with ECDiffieHellmanCng on the previous slide
myAES.GenerateIV();      // random IV; store or send it alongside the ciphertext

FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);

ICryptoTransform aesencrypt = myAES.CreateEncryptor();
CryptoStream myCryptoStream = new CryptoStream(fsEncrypted, aesencrypt, CryptoStreamMode.Write);

// Now just write to myCryptoStream like a normal file stream – the output will be encrypted
// (call myCryptoStream.FlushFinalBlock() or Close() at the end so the last padded block is written)
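The four steps of the "Using .NET Fx 3.5 and CNG" slide joined into one complete round trip, as an added example and not the speaker's demo code: public keys are serialised with ToByteArray and rebuilt with ECDiffieHellmanCngPublicKey.FromByteArray, the derived 32 bytes become an AES-256 key, and the IV is prepended to the ciphertext so the decrypting side can recover it. It assumes .NET Framework 3.5 on Vista or later; the message text is constructed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class CngEnvelopeDemo
{
    // Step 1: each party creates a P-256 ECDH key pair with a SHA-256 key derivation function,
    // so DeriveKeyMaterial yields 32 bytes: exactly one AES-256 key.
    public static ECDiffieHellmanCng NewParty()
    {
        ECDiffieHellmanCng party = new ECDiffieHellmanCng(256);
        party.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash;
        party.HashAlgorithm = CngAlgorithm.Sha256;
        return party;
    }

    // Step 3: rebuild the peer's public key from the serialised blob received in step 2
    // and derive the shared key material from it and our own private key.
    public static byte[] DeriveAesKey(ECDiffieHellmanCng me, byte[] peerPublicBlob)
    {
        using (ECDiffieHellmanPublicKey peer =
            ECDiffieHellmanCngPublicKey.FromByteArray(peerPublicBlob, CngKeyBlobFormat.EccPublicBlob))
        {
            return me.DeriveKeyMaterial(peer);
        }
    }

    // Step 4: AES-CBC with PKCS7 padding (AesCryptoServiceProvider defaults) through a CryptoStream.
    // Output layout: IV (16 bytes) || ciphertext. The IV is not secret but must be fresh per message.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (MemoryStream output = new MemoryStream())
            {
                output.Write(aes.IV, 0, aes.IV.Length);
                using (ICryptoTransform encryptor = aes.CreateEncryptor())
                using (CryptoStream cs = new CryptoStream(output, encryptor, CryptoStreamMode.Write))
                {
                    cs.Write(plaintext, 0, plaintext.Length);
                    cs.FlushFinalBlock();   // writes the final padded block
                }
                return output.ToArray();    // ToArray still works after the stream is closed
            }
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] message)
    {
        using (AesCryptoServiceProvider aes = new AesCryptoServiceProvider())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Array.Copy(message, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
            using (MemoryStream input = new MemoryStream(message, iv.Length, message.Length - iv.Length))
            using (CryptoStream cs = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            using (MemoryStream output = new MemoryStream())
            {
                byte[] buffer = new byte[4096];
                int read;
                while ((read = cs.Read(buffer, 0, buffer.Length)) > 0)
                    output.Write(buffer, 0, read);
                return output.ToArray();
            }
        }
    }

    public static void Main()
    {
        using (ECDiffieHellmanCng sender = NewParty())
        using (ECDiffieHellmanCng recipient = NewParty())
        {
            // Step 2: the only things that cross the network are the two public blobs.
            byte[] senderPublic = sender.PublicKey.ToByteArray();
            byte[] recipientPublic = recipient.PublicKey.ToByteArray();

            byte[] senderKey = DeriveAesKey(sender, recipientPublic);
            byte[] recipientKey = DeriveAesKey(recipient, senderPublic);

            byte[] message = Encrypt(senderKey, Encoding.UTF8.GetBytes("constructed sample message"));
            string recovered = Encoding.UTF8.GetString(Decrypt(recipientKey, message));
            Console.WriteLine(recovered);   // constructed sample message
        }
    }
}
```

CBC with PKCS7 padding gives confidentiality only: a message altered in transit is not detected by the decryptor and may silently decrypt to garbage. The managed 3.5 wrappers do not expose the CCM or GCM modes that the CNG slide lists, so where integrity matters append an HMAC (for instance HMACSHA256 over IV || ciphertext under a separately derived key) and verify it before decrypting.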


CNG in Action (demo)


References
Get a bigger CNG sample from: http://msdn.microsoft.com/en-us/library/cc488018.aspx
My demo (and this PPT) at: http://projectbotticelli.com/downloads/public/
Read sci.crypt (incl. archives), subscribe to Cryptogram
For more detail, read:
Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7
Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3
Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5, see http://www.esecurity.ch/Books/cryptography.html
Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9
Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)
PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3
Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html
Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)


Summary

Today’s cryptography has just accelerated its evolution
Windows Vista and Windows Server 2008 are at the front of innovation in this field
Unleash the awesome power of Suite-B with CNG by using .NET Framework 3.5!


Resources

www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources


Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!


Please join us for the Community Drinks this evening
In Halls 3 & 4, from 18:15 – 19:30
