New Cryptography

Presentation Transcript


  1. Rafal Lukawiecki, Strategic Consultant, rafal@projectbotticelli.co.uk, Project Botticelli Ltd – New Cryptography. This presentation is based on work from MSDN.

  2. Objectives • Explain the status and some of the problems of today’s cryptography • Discuss solutions for the problems • Introduce the new APIs for using newer forms of cryptography

  3. Agenda • Cryptography of Present • Cryptography of Tomorrow • Cryptography in Windows Vista and Longhorn

  4. Cryptography of Present

  5. Today’s Recommendation • At present (June 2006), consider using the following cryptographic mechanisms available in Windows in preference to others: • AES-128 (or AES-192, or AES-256) • RSA 2048 (or longer) • “SHA-2” (i.e. SHA-256, or SHA-512) • DSA (or SHA-2/RSA signatures)

  6. DES, IDEA, RC2, RC5, Twofish – Not Recommended • Symmetric • DES (Data Encryption Standard) is popular • DO NOT USE DES! • Keys very short: 56 bits • Brute-force attack took 3.5 hours on a machine costing US$1m in 1993. Today it is done in real time • Triple DES (3DES) is more secure, but better options exist • IDEA (International Data Encryption Standard) • Deceptively similar to DES, and “not” from NSA • 128-bit keys, OK but we have better ones • RC2 & RC5 (by R. Rivest) • RC2 is older and RC5 newer (1994) – similar to DES and IDEA • Blowfish, Twofish – OK, but not a standard • B. Schneier’s replacement for DES, followed by Twofish, one of the NIST competition finalists

  7. Rijndael (AES) – Recommended • Current US standard • Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and Technology in the US) in 1997-2000 • Comes from Europe (Belgium), by Joan Daemen and Vincent Rijmen. “X-files” stories less likely (unlike DES). • Symmetric block cipher (128, 192 or 256 bits) with variable keys (128, 192 or 256 bits, too) • Fast, with a lot of good properties, such as good immunity from timing and power (electric) analysis • Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but really different

  8. CAST and GOST – Not used widely anymore – avoid • CAST • Canadians Carlisle Adams & Stafford Tavares • 64-bit key and 64 bits of data • Choose your S-boxes • Seems resistant to differential & linear cryptanalysis, and the only way to break it is brute force (but the key is a bit short!) • GOST • Soviet Union’s “version” of DES but with a clearer design and many more repetitions of the process • 256-bit key but really 610 bits of secret, so pretty much “tank quality” • Backdoor? Who knows…

  9. Rely on Cryptosystems • Indeed: never use just an algorithm, but an entire cryptosystem • For example: • If you use DES etc. in a simple “loop” to encrypt a stream of data you literally lose all security • Instead: use a technique designed for adapting an algorithm to streams of data, such as CBC (Cipher Block Chaining) • Microsoft never implements just an algorithm – always a complete cryptosystem, e.g. RSA-OAEP etc. • Do this simply by using built-in cryptographic systems, such as the various Microsoft CSPs etc.

  10. Dangerous Implementations • Cryptographic applications from little-known sources • “Just downloaded” libraries used by your in-house developers • Insist on using built-in systems where possible: • Microsoft OS: CAPI, CAPICOM, MS CSPs etc. • Smartcards: certified CSPs • Elsewhere: FIPS 140-2 compliant implementations • See csrc.nist.gov/cryptval

  11. RC4 – Generally Not Recommended • Symmetric • Fast, streaming encryption • R. Rivest in 1994 • Originally secret, but “published” on sci.crypt • Related to the “one-time pad”, theoretically the most secure • But! • It relies on a really good random number generator • And that is the problem • Nowadays, we tend to use block ciphers in modes of operation that work for streams

  12. RSA, DSA, ElGamal • Asymmetric • Slow and computationally expensive – need a computer • Security increasingly being questioned • RSA • Rivest, Shamir, Adleman – 1978 • Popular and well researched • Strength lies in today’s inability to factorise large numbers into primes efficiently • Some worries about the key generation process in some implementations • DSA (Digital Signature Algorithm) • Mainly for digital signing, not for encryption, used in the US • Variant of the Schnorr and ElGamal signature algorithms • ElGamal • Relies on the complexity of discrete logarithms

  13. MD5, SHA • Hash functions – part of the digital signature • Goals: • Not reversible: can’t obtain the message from its hash • Hash much shorter than the original message • Two messages won’t have the same hash • MD5 (R. Rivest) • 512-bit blocks hashed into 128 bits • Mathematical model still unknown • Recently (July 2004) broken, do not use on its own • SHA (Secure Hash Algorithm) • US standard based on MD5 • SHA-0 broken (July 2004), SHA-1 probably too weak (partly broken, full break alleged by Chinese researchers recently), use SHA-256 at least

  14. Diffie-Hellman, “SSL”, Certs • Methods for key exchange and transport • DH (1976) always generates a new “key-pair” for each asymmetric session • Certificates are the most common way to exchange public keys • Foundation of Public Key Infrastructure (PKI) • SSL uses a protocol to exchange keys safely, but also requires PKI

  15. APIs of Today • Microsoft CryptoAPI (CAPI) 2.0 is the interface to all CSPs • Cryptographic Service Providers • Built-in or smartcard-based • .NET Framework 1.1 and 2.0 wrap most of the functionality of CAPI in classes: • System.Security.Cryptography and its sub-namespaces: • .Pkcs • .X509Certificates • .Xml • Or you can use the CAPICOM library

  16. Cryptography of Tomorrow

  17. Quantum Cryptography? • Method for generating and passing a secret key or a random stream • Not for passing the actual data, but that’s irrelevant • Polarisation of light (photons) can be detected only in a way that destroys the “direction” (basis) • So if someone other than you observes it, you receive nothing useful and you know you were bugged • Perfectly doable over a dedicated fibre-optic link of up to 120 km • Seems pretty perfect, if a bit tedious and slow • Practical implementations still use AES/DES etc. for the actual encryption • Magiq QPN: http://www.magiqtech.com/press/qpn.pdf • Don’t confuse it with quantum computing, which won’t be with us for at least another 50 years or so, or maybe longer…

  18. More Practical Solution • US NSA and NIST recommendation as of Feb 2005 is to implement “Suite-B” protocols • This is very rarely done in today’s software • Good news: Microsoft supports Suite-B in Windows Vista (and Longhorn Server) • For all internal implementations Microsoft will not use weaker algorithms than Suite-B • But, of course, they will support your choice to do so if you wish

  19. Vista Supports NSA Suite B (www.nsa.gov/ia/industry/crypto_suite_b.cfm) • Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs • Except a small area of special-security needs (e.g. nuclear security) – guided by Suite A (definition is classified) • Announced by NSA at the RSA conference in Feb 2005

  20. Mathematical Designs • Many cryptographic algorithms (e.g. DSA) rely on a class of mathematical designs related to the concept of discrete logarithms • These can be implemented in any finite abelian group • Normally, this means using the integers modulo a prime number • Alternatively, elliptic curve groups could be used • This leads to ECC

  21. Elliptic Curve Cryptography (ECC) • More efficient design, using fewer bits of key for the same strength • Breaking these designs seems even harder than traditional ones • Leads to faster algorithms with fewer problems • Primarily used to enhance algorithms of existing design, such as DSA

  22. Suite-B Algorithms • Encryption: AES • Digital Signature: EC-DSA • Key Exchange: EC-DH or EC-MQV • Hashing: SHA-2

  23. Suite-B Encryption • AES • FIPS 197 (with key sizes of 128 and 256 bits) • This is a specific implementation of the Rijndael algorithm allowing the use of 128-bit data blocks only • Keys of 192 bits are not used (although FIPS specifies them) • Please note that most 256-bit implementations are much slower than 128-bit ones • In general, anything of 81 bits or more in this class of cryptography is considered “good enough” for typical commercial applications

  24. Suite-B Digital Signatures • Elliptic Curve Digital Signature Algorithm (EC-DSA) • FIPS 186-2 (using the curves with 256 and 384-bit prime moduli) • Microsoft also supports 521-bit keys • This is a classical DSA algorithm applied over the algebra of finite fields of elliptic curves

  25. Suite-B Key Exchange (1 of 2) • Elliptic Curve Diffie-Hellman or Elliptic Curve MQV • Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli) • Microsoft will also support 521-bit keys • Recall: DH allows two parties to generate and communicate a secret key to each other (removing the need for key transport) • It is susceptible to man-in-the-middle attacks, so it requires authentication in most applications • Usually done (not very efficiently) with digital signatures
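A worked example of the two kinds of group the deck contrasts (slides 14, 20 and 25), added here and not part of the presentation or of any Microsoft library: the same Diffie-Hellman exchange carried out first in the integers modulo a prime and then on an elliptic curve, with both parties' messages shown and the two shared secrets checked to agree. The parameters are constructed toy values (safe prime p = 23 with a generator of the order-11 subgroup; the curve y² = x³ + 2x + 2 over F₁₇ with generator (5, 1) of order 19) and are far too small for any real use; Suite B uses the NIST P-256 and P-384 curves. Each side checks that the peer's public value lies in the intended subgroup before using it; that check does not authenticate the peer, which, as the slide says, still needs signatures or MQV.

```python
import secrets

# --- Diffie-Hellman in the multiplicative group of integers modulo a prime p ---
# g generates a subgroup of prime order q; private exponents are drawn from [1, q-1].

def dh_keypair(p, g, q, priv=None):
    if priv is None:
        priv = secrets.randbelow(q - 1) + 1
    return priv, pow(g, priv, p)          # (private exponent, public value g^priv mod p)


def dh_shared(p, q, their_pub, my_priv):
    # Reject degenerate values (0, 1, p-1) and anything outside the order-q subgroup.
    if not 1 < their_pub < p - 1 or pow(their_pub, q, p) != 1:
        raise ValueError("invalid DH public value")
    return pow(their_pub, my_priv, p)


# --- The same exchange in an elliptic-curve group y^2 = x^3 + a*x + b over F_p ---

O = None  # the point at infinity (group identity)


def ec_add(curve, P, Q):
    # Group law in affine coordinates (short Weierstrass form).
    p, a, _ = curve
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                        # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(curve, k, P):
    # Scalar multiplication k*P by double-and-add: the EC analogue of g^k mod p.
    R = O
    while k:
        if k & 1:
            R = ec_add(curve, R, P)
        P = ec_add(curve, P, P)
        k >>= 1
    return R


def on_curve(curve, P):
    p, a, b = curve
    if P is O:
        return True
    x, y = P
    return (y * y - x * x * x - a * x - b) % p == 0


def ecdh_keypair(curve, G, n, priv=None):
    if priv is None:
        priv = secrets.randbelow(n - 1) + 1
    return priv, ec_mul(curve, priv, G)   # (private scalar, public point priv*G)


def ecdh_shared(curve, n, their_pub, my_priv):
    # The peer's point must be on the curve and in the order-n subgroup generated by G.
    if their_pub is O or not on_curve(curve, their_pub) or ec_mul(curve, n, their_pub) is not O:
        raise ValueError("invalid EC public point")
    return ec_mul(curve, my_priv, their_pub)


# Constructed toy parameters for illustration only; real deployments use large primes and named curves.
TOY_DH_P, TOY_DH_G, TOY_DH_Q = 23, 4, 11   # 23 = 2*11 + 1, and 4 has order 11 mod 23
TOY_CURVE = (17, 2, 2)                     # y^2 = x^3 + 2x + 2 over F_17
TOY_G, TOY_N = (5, 1), 19                  # generator point and its (prime) order

if __name__ == "__main__":
    a, A = dh_keypair(TOY_DH_P, TOY_DH_G, TOY_DH_Q)      # Alice -> Bob: A
    b, B = dh_keypair(TOY_DH_P, TOY_DH_G, TOY_DH_Q)      # Bob -> Alice: B
    assert dh_shared(TOY_DH_P, TOY_DH_Q, B, a) == dh_shared(TOY_DH_P, TOY_DH_Q, A, b)
    print("DH:    A =", A, " B =", B, " shared =", dh_shared(TOY_DH_P, TOY_DH_Q, B, a))

    a, A = ecdh_keypair(TOY_CURVE, TOY_G, TOY_N)         # Alice -> Bob: point A
    b, B = ecdh_keypair(TOY_CURVE, TOY_G, TOY_N)         # Bob -> Alice: point B
    assert ecdh_shared(TOY_CURVE, TOY_N, B, a) == ecdh_shared(TOY_CURVE, TOY_N, A, b)
    print("EC-DH: A =", A, " B =", B, " shared =", ecdh_shared(TOY_CURVE, TOY_N, B, a))
```

The two halves have the same shape: a private scalar, a public element obtained by "exponentiating" the generator, and a shared element obtained by applying one's own scalar to the peer's public element. Only the group operation changes, which is exactly why the slides describe ECC as enhancing existing designs such as DH and DSA rather than replacing them.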

  26. Suite-B Key Exchange (2 of 2) • EC-MQV: Menezes, Qu, and Vanstone protocol • Authenticated key exchange • Design similar to DH • Uses the discrete logarithm concept • Also requires a pre-existing, verified and trusted long-term public/private keypair • Which is only used for trust establishment, not for actual encryption or signing • This gives it an important forward-secrecy property • Suite-B uses the EC implementation of MQV

  27. Suite-B Hashing • Secure Hash Algorithm • FIPS 180-2 (using SHA-256 and SHA-384) • As MD5 and SHA-0 have been broken and SHA-1 has been allegedly broken, we do not have much choice • Almost no alternatives exist • SHA-2 should suffice for a few years, but ultimately it must be replaced • SHA-2 allows: 224, 256, 384, and 512-bit lengths

  28. APIs for Suite-B Today? • There are no widely used or supported libraries or APIs for Suite-B on most operating systems of today • However…

  29. Cryptography in Windows Vista and Longhorn – NB: All Information Subject to Last-Minute Changes

  30. Trusted Platform Module – TPM Chip Version 1.2 • Hardware present in the computer, e.g. a chip on the motherboard • Securely stores credentials, such as the private key of a machine certificate, and is crypto-enabled • Effectively, the essence of a smart smartcard • TPM can be used to request digital signing of code and files and for mutual authentication of devices • See www.trustedcomputinggroup.org

  31. BitLocker™ – Windows Vista Full Volume Encryption • BitLocker strongly encrypts and signs the entire hard drive using Suite-B • TPM chip (see the previous slide) provides key management • Can use additional protection factors such as a USB dongle, PIN or password • Any unauthorised off-line modification to your data or OS is discovered and no access is granted • Prevents attacks which use utilities that access the hard drive while Windows is not running, and enforces the Windows boot process • Protection against data loss when a machine (laptop) has been stolen • Essential part of Secure Startup • Plan your data recovery strategy carefully – three scenarios supported (escrow, recovery agent, backup)

  32. New Cryptography: CNG • CAPI 1.0 is deprecated • May be dropped altogether in future Windows releases • CNG: Cryptography Next Generation • Open cryptographic API for Windows Vista/Longhorn • Ability to plug in kernel or user mode implementations for: • Proprietary cryptographic algorithms • Replacements for standard cryptographic algorithms • Key Storage Providers (KSP) • Enables cryptography configuration at enterprise and machine levels

  33. Regulatory Compliance • Windows Vista CNG cryptography will comply with: • Common Criteria (CC) • csrc.nist.gov/cc • Currently in version 3 • FIPS requirements for strong isolation and auditing • US NSA (National Security Agency) CSS (Central Security Service) Suite B

  34. Main CNG Features • Cryptography agnostic • Kernel-mode for performance and security (better performance than CAPI 1.0) • FIPS-140 Certification • 140-2 and Common Criteria (CC) on selected platforms • 140-1 everywhere • CC compliance for long-term key storage and audit • Suite-B of course, but also supports all existing algorithms available through CryptoAPI 1.0 • Key Isolation and Storage using TPMs • Developer-friendly model for plug-ins

  35. CNG Design • Three APIs within CNG: • Cryptography Primitives • The “main” API: all algorithms are here • Key Storage and Retrieval • Allows interaction with the new Key Storage Providers concept • Supports existing devices (smartcards) and future types of tokens • Interface for all secure key creation, including the EC-DH and EC-MQV* methods • Interface for import and export of keys using PKCS #7 and #8 • Cryptography Configuration • For use and installation of additional cryptographic providers Read: msdn.microsoft.com/library/default.asp?url=/library/en-us/seccng/security/about_cng.asp?frame=true

  36. Other APIs • In addition to CNG: • .NET Framework 2.0 • Microsoft will extend the .NET Fx library to cover CNG (not available at present) • TBS: TPM Base Services • For interaction with Trusted Platform Modules • Certificate Enrollment API

  37. CNG: Cryptography Primitives Architecture

  38. Using CNG – Two Models • Depending on your needs, you use CNG with: • Algorithms and keys provided by a Key Storage Provider (such as smartcards) • All function names begin with “N”, such as NCryptOpenStorageProvider • Algorithms and keys generated by the operating system’s software providers • All function names begin with “B”, such as BCryptOpenAlgorithmProvider • I only explain “B” in the next slides, but “N” is very similar

  39. Using CNG – Concepts • Designed as a Win32 library (works in .NET) • You don’t need to be aware of any specific providers on your system (unlike in CryptoAPI) • Instead, you request an algorithm, and the system offers you the best available default • Of course, you can always choose a specific provider if you prefer, by enumerating them first • BCryptEnumRegisteredProviders • You can check the properties of a provider before you use it • BCryptQueryProviderRegistration • You can register a specific provider • BCryptRegisterProvider • This solves the problem of updates, when better implementations are found in the future

  40. Using CNG – Encryption Steps • Generally, follow this process: • Open a CNG Algorithm Provider • BCryptOpenAlgorithmProvider • Generate or import keys • Calculate the size of the encrypted data • Call BCryptEncrypt with NULL for the pbInput parameter • Encrypt data by calling BCryptEncrypt again • Repeat this step as needed for all data, remembering to use the correct form of operating mode (chaining) • Output or persist the result • Close the provider, unless you want to cache it for later use • BCryptCloseAlgorithmProvider

  41. Randomness • Use BCryptGenRandom • You can use a specific algorithm, otherwise the default is used, which is FIPS 186-2 compliant • It uses entropy gathered by the provider over time • You can add your own entropy as a parameter

  42. Summary • Today’s cryptography has just accelerated its evolution • Windows Vista and Longhorn Server will be at the forefront of innovation in this field • You can benefit from the increased security by using BitLocker or APIs such as CNG • It is an exciting time to be using cryptography!

  43. References • Visit msdn.microsoft.com/security and www.microsoft.com/technet/security • Read sci.crypt (incl. archives) • For more detail, read: • Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7 • Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3 • Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html) • Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9 • Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF) • PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3 • Foundations of Cryptography, O. Goldreich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html • Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes a CD of code samples)