1. TEŽAVNOST: 200 New Cryptography Rafal Lukawiecki Strategic Consultant rafal@projectbotticelli.co.uk Project Botticelli Ltd This presentation is based on work from MSDN.

2. TEŽAVNOST: 2002 Objectives Explain the status and some of the problems of today’s cryptography Discuss solutions for the problems Introduce the new APIs for using newer forms of cryptography

3. TEŽAVNOST: 2003 Agenda Cryptography of Present Cryptography of Tomorrow Cryptography in Windows Vista and Longhorn

4. TEŽAVNOST: 2004 Cryptography Primer

5. TEŽAVNOST: 2005 Symmetric Key Cryptography Encryption “The quick brown fox jumps over the lazy dog” “AxCv;5bmEseTfid3) fGsmWe#4^,sdgfMwi r3:dkJeTsY8R\s@!q3 %” “The quick brown fox jumps over the lazy dog” Decryption Plain-text input Plain-text output Cipher-text Same key (shared secret)

6. TEŽAVNOST: 2006 Symmetric Pros and Cons Strength: –Simple and really very fast (order of 1000 to 10000 faster than asymmetric mechanisms) Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael) Weakness: –Must agree the key beforehand –Securely pass the key to the other party

7. TEŽAVNOST: 2007 Public Key Cryptography Knowledge of the encryption key doesn’t give you knowledge of the decryption key Receiver of information generates a pair of keys –Publish the public key in a directory Then anyone can send him messages that only she can read

8. TEŽAVNOST: 2008 Public Key Encryption Encryption “The quick brown fox jumps over the lazy dog” “Py75c%bn&*)9|fDe^ bDFaq#xzjFr@g5=&n mdFg$5knvMd’rkveg Ms” “The quick brown fox jumps over the lazy dog” Decryption Clear-text Input Clear-text Output Cipher-text Different keys Recipient’s public key Recipient’s private key private public

9. TEŽAVNOST: 2009 Public Key Pros and Cons Strength –Solves problem of passing the key –Allows establishment of trust context between parties Weakness: –Extremely slow –Susceptible to “known ciphertext” attack –Problem of trusting public key (see later on PKI)

10. TEŽAVNOST: 20010 Hybrid Encryption (Real World) As above, repeated for other recipients or recovery agents Digital Envelope Other recipient’s or agent’s public key (in certificate) in recovery policy €25m hidden at 221b Baker St. Access code is… Symmetric key encrypted asymmetrically (e.g., RSA) Digital Envelope User’s public key (in certificate) RNG Randomly- Generated symmetric “session” key Symmetric encryption (e.g. AES) *#$fjda^ju539!3t t389E *&\@ 5e%32\^kd

11. TEŽAVNOST: 20011*#$fjda^ju539!3t t389E *&\@ 5e%32\^kd €25m hidden at 221b Baker St. Access code is… €25m hidden at 221b Baker St. Access code is… Symmetric decryption (e.g. AES) Digital Envelope Asymmetric decryption of “session” key (e.g. RSA) Symmetric “session” key Session key must be decrypted using the recipient’s private key Digital envelope contains “session” key encrypted using recipient’s public key Recipient’s private key Hybrid Decryption

12. TEŽAVNOST: 20012 Cryptography of Present

13. TEŽAVNOST: 20013 Today’s Recommendation At present (June 2006), consider using the following cryptographic mechanisms available in Windows in preference to others: –AES-128 (or AES-192, or AES-256) –RSA 2048 (or longer) –“SHA-2” (i.e. SHA-256, or SHA-512) –DSA (or SHA-2/RSA signatures)

14. TEŽAVNOST: 20014 DES, IDEA, RC2, RC5, Twofish Not Recommended Symmetric DES (Data Encryption Standard) is popular –DO NOT USE DES! –Keys very short: 56 bits –Brute-force attack took 3.5 hours on a machine costing US$1m in 1993. Today it is done real-time –Triple DES (3DES) more secure, but better options exist IDEA (International Data Encryption Standard) –Deceptively similar to DES, and “not” from NSA –128 bit keys, OK but we have better ones RC2 & RC5 (by R. Rivest) –RC2 is older and RC5 newer (1994) - similar to DES and IDEA Blowfish, Twofish – OK, but not a standard –B. Schneier’s replacement for DES, followed by Twofish, one of the NIST competition finalists

15. TEŽAVNOST: 20015 Rijndael (AES) Recommended Current US standard –Winner of the AES (Advanced Encryption Standard) competition run by NIST (National Institute of Standards and Technology in US) in 1997-2000 –Comes from Europe (Belgium) by Joan Daemen and Vincent Rijmen. “X-files” stories less likely (unlike DES). Symmetric block-cipher (128, 192 or 256 bits) with variable keys (128, 192 or 256 bits, too) Fast and a lot of good properties, such as good immunity from timing and power (electric) analysis Construction, again, deceptively similar to DES (S-boxes, XORs etc.) but really different

16. TEŽAVNOST: 20016 CAST and GOST Not used widely anymore – avoid CAST –Canadians Carlisle Adams & Stafford Tavares –64 bit key and 64 bit of data –Chose your S-boxes –Seems resistant to differential & linear cryptanalysis and only way to break is brute force (but key is a bit short!) GOST –Soviet Union’s “version” of DES but with a clearer design and many more repetitions of the process –256 bit key but really 610 bits of secret, so pretty much “tank quality” –Backdoor? Who knows…

17. TEŽAVNOST: 20017 Rely on Cryptosystems Indeed: never use just an algorithm, but an entire cryptosystem For example: –If you use DES etc. in a simple “loop” to encrypt a stream of data you literally lose all security –Instead: use a technique designed for adapting an algorithm to a streams of data, such as CBC (Cipher Block Chaining) Microsoft never implement just an algorithm – always a complete cryptosystem, e.g. RSA-OAEP etc. Do it just by using built-in cryptographic systems, such as various Microsoft CSPs etc.

18. TEŽAVNOST: 20018 Dangerous Implementations Cryptographic applications from not-well- known sources “Just downloaded libraries” used by your in-house developers Insist on using built-in systems where possible: –Microsoft OS: CAPI, CAPICOM, MS CSP etc. –Smartcards: certified CSPs –Elsewhere: FIPS-140-2 compliant implementations See csrc.nist.gov/cryptval

19. TEŽAVNOST: 20019 RC4 Generally Not Recommended Symmetric –Fast, streaming encryption R. Rivest in 1994 –Originally secret, but “published” on sci.crypt Related to “one-time pad”, theoretically most secure But! It relies on a really good random number generator –And that is the problem Nowadays, we tend to use block ciphers in modes of operation that work for streams

20. TEŽAVNOST: 20020 RSA, DSA, ElGamal Asymmetric –Slow and computationally expensive – need a computer –Security increasingly being questioned Rivest, Shamir, Adleman – 1978 –Popular and well researched –Strength in today’s inefficiency to factorise into prime numbers –Some worries about key generation process in some implementations DSA (Digital Signature Algorithm) –Mainly for digital signing, not for encryption, used in US –Variant of Schnorr and ElGamal signature algorithm ElGamal –Relies on complexity of discrete logarithms

21. TEŽAVNOST: 20021 MD5, SHA Hash functions – part of the digital signature Goals: –Not reversible: can’t obtain the message from its hash –Hash much shorter than original message –Two messages won’t have the same hash MD5 (R. Rivest) –512 bits hashed into 128 –Mathematical model still unknown –Recently (July 2004) broken, do not use on its own SHA (Secure Hash Algorithm) –US standard based on MD5 –SHA-0 broken (July 2004), SHA-1 probably too weak (partly broken, full break alleged by Chinese recently), use SHA-256 at least

22. TEŽAVNOST: 20022 Diffie-Hellman, “SSL”, Certs Methods for key exchange and transport DH (1976) always generates a new “key- pair” for each asymmetric session Certificates are the most common way to exchange public keys –Foundation of Public Key Infrastructure (PKI) SSL uses a protocol to exchange keys safely, but also requires PKI

23. TEŽAVNOST: 20023 APIs of Today Microsoft CryptoAPI (CAPI) 2.0 is the interface to all CSPs –Cryptographic Service Providers Built-in or smartcard-based.NET Framework 1.1 and 2.0 wraps most of the functionality of CAPI in classes: –System.Security.Cryptography and its subclasses:.Pkcs.X509Certificates.XML Or you can use the CAPICOM library

24. TEŽAVNOST: 20024 Cryptography of Tomorrow

25. TEŽAVNOST: 20025 Quantum Cryptography? Method for generating and passing a secret key or a random stream –Not for passing the actual data, but that’s irrelevant Polarisation of light (photons) can be detected only in a way that destroys the “direction” (basis) –So if someone other than you observes it, you receive nothing useful and you know you were bugged Perfectly doable over up-to-120km dedicated fibre-optic link –Seems pretty perfect, if a bit tedious and slow –Practical implementations still use AES/DES etc. for actual encryption Magiq QPN: http://www.magiqtech.com/press/qpn.pdfhttp://www.magiqtech.com/press/qpn.pdf Don’t confuse it with quantum computing, which won’t be with us for at least another 50 years or so, or maybe longer…

26. TEŽAVNOST: 20026 More Practical Solution US NSA and NIST recommendation as of Feb 2005 is to implement “Suite-B” protocols This is very rarely done in today’s software Good news: Microsoft supports Suite-B in Windows Vista (and Longhorn Server) –For all internal implementations Microsoft will not use weaker algorithms than Suite-B But, of course, they will support your choice to do so if you wish

27. TEŽAVNOST: 20027 Vista Supports NSA Suite B www.nsa.gov/ia/industry/crypto_suite_b.cfm Required cryptographic algorithms for all US non-classified and classified (SECRET and TOP-SECRET) needs –Except a small area of special-security needs (e.g. nuclear security) – guided by Suite A (definition is classified) –Announced by NSA at RSA conference in Feb 2005

28. TEŽAVNOST: 20028 Mathematical Designs Many cryptographic algorithms (e.g. DSA) rely on a class of mathematical designs related to the concept of discrete logarithms These can be implemented over the finite field of any abelian group –Normally, this means using integers modulo a prime number Alternatively, elliptic curve groups could be used –This leads to ECC

29. TEŽAVNOST: 20029 Elliptic Curve Cryptography ECC More efficient design, using fewer bits of key for the same strength Breaking these designs seems even harder than traditional ones Leads to faster algorithms with fewer problems Primarily used to enhance algorithms of existing design, such as DSA

30. TEŽAVNOST: 20030 Suite-B Algorithms Encryption: AES Digital Signature: EC-DSA Key Exchange: EC-DH or EC-MQV Hashing: SHA-2

31. TEŽAVNOST: 20031 Suite-B Encryption AES –FIPS 197 (with keys sizes of 128 and 256 bits) –This is a specific implementation of Rijndael algorithm allowing use of 128 bit data blocks only –Keys of 192 bits are not used (although FIPS specifies them) Please note that most 256 bit implementations are much slower than 128 bits In general, anything of 81 bits or more in this class of cryptography is considered “good enough” for typical commercial applications

32. TEŽAVNOST: 20032 Suite-B Digital Signatures Elliptic Curve Digital Signature Algorithm (EC-DSA) –FIPS 186-2 (using the curves with 256 and 384-bit prime moduli) Microsoft also supports 521-bit keys This is a classical DSA algorithm applied over the algebra of finite fields of elliptic curves

33. TEŽAVNOST: 20033 Suite-B Key Exchange (1 of 2) Elliptic Curve Diffie-Hellman or Elliptic Curve MQV –Draft NIST Special Publication 800-56 (using the curves with 256 and 384-bit prime moduli) –Microsoft will also support 521-bit keys Recall: DH allows two parties to generate and communicate a secret key to each other (removing the need for key transport) It is susceptible to man-in-the-middle attacks, so it requires authentication in most applications –Usually done (not very efficiently) with digital signatures

34. TEŽAVNOST: 20034 Suite-B Key Exchange (2 of 2) EC-MQV: Menezes, Qu, and Vanstone protocol Authenticated key exchange Design similar to DH –Uses the discrete logarithm concept –Also requires a pre-existing, verified and trusted long-term public/private keypair Which is only used for trust establishment, not for actual encryption or signing This gives it an important forward-secrecy property Suite-B uses the EC implementation of MQV

35. TEŽAVNOST: 20035 Suite-B Hashing Secure Hash Algorithm –FIPS 180-2 (using SHA-256 and SHA-384) As MD5 and SHA-0 have been broken and SHA-1 has been allegedly broken we do not have much choice –Almost no alternatives exist SHA-2 should suffice for a few years, but ultimately it must be replaced –SHA-2 allows: 224, 256, 384, and 512 bit lengths

36. TEŽAVNOST: 20036 APIs for Suite-B Today? There are no widely used or supported libraries or APIs for Suite- B and most operating systems of today However…

37. TEŽAVNOST: 20037 Cryptography in Widows Vista and Longhorn NB: All Information Subject to Last- Minute Changes

38. TEŽAVNOST: 20038 Trusted Platform Module TPM Chip Version 1.2 Hardware present in the computer, e.g. a chip on the motherboard Securely stores credentials, such as a private key of a machine certificate and is crypto-enabled –Effectively, the essence of a smart smartcard TPM can be used to request digital signing of code and files and for mutual authentication of devices See www.trustedcomputinggroup.org

39. TEŽAVNOST: 20039 BitLocker™ Windows Vista Full Volume Encryption BitLocker strongly encrypts and signs the entire hard drive using Suite-B –TPM chip (see later) provides key management –Can use additional protection factors such as a USB dongle, PIN or password Any unauthorised off-line modification to your data or OS is discovered and no access is granted –Prevents attacks which use utilities that access the hard drive while Windows is not running and enforces Windows boot process Protection against data loss when machine (laptop) has been stolen Essential part of the Secure Startup –Plan data recovery strategy carefully – three scenarios supported (escrow, recovery agent, backup)

40. TEŽAVNOST: 20040 New Cryptography: CNG CAPI 1.0 is deprecated –May be dropped altogether in future Windows releases CNG: Cryptography Next Generation –Open cryptographic API for Windows Vista/Longhorn –Ability to plug in kernel or user mode implementations for: Proprietary cryptographic algorithms Replacements for standard cryptographic algorithms Key Storage Providers (KSP) –Enables cryptography configuration at enterprise and machine levels

41. TEŽAVNOST: 20041 Regulatory Compliance Windows Vista CNG cryptography will comply with: –Common Criteria (CC) csrc.nist.gov/cc Currently in version 3 –FIPS requirements for strong isolation and auditing –US NSA (National Security Agency) CSS (Central Security Service) Suite B

42. TEŽAVNOST: 20042 Main CNG Features Cryptography agnostic Kernel-mode for performance and security (better performance than CAPI 1.0) FIPS-140 Certification –140-2 and Common Criteria (CC) on selected platforms –140-1 everywhere CC compliance for long-term key storage and audit Suite-B of course, but also supports all existing algorithms available through CryptoAPI 1.0 Key Isolation and Storage using TPMs Developer-friendly model for plug-ins

43. TEŽAVNOST: 20043 CNG Design Three APIs within CNG: –Cryptography Primitives The “main” API: all algorithms are here –Key Storage and Retrieval Allows interaction with the new Key Storage Providers concept –Supports existing devices (smartcards) and future types of tokens Interface for all secure key creation, including the EC-DH and EC-MQV* methods Interface for import and export of keys using PKCS #7 and #8 –Cryptography Configuration For use and installation of additional cryptographic providers Read: msdn.microsoft.com/library/default.asp?url=/library/en- us/seccng/security/about_cng.asp?frame=truemsdn.microsoft.com/library/default.asp?url=/library/en- us/seccng/security/about_cng.asp?frame=true

44. TEŽAVNOST: 20044 Other APIs In addition to CNG: –.NET Framework 2.0 Microsoft will extend the.NET Fx library to cover CNG (not available at present) –TBS: TPM Base Services For interaction with Trusted Platform Modules –Certificate Enrollment API

45. TEŽAVNOST: 20045 CNG: Cryptography Primitives Architecture

46. TEŽAVNOST: 20046 Using CNG – Two Models Depending on your needs, you use CNG with: –Algorithms and keys provided by a Key Storage provider (such as smartcards) All function names begin with “N”, such as NCryptOpenStorageProvider NCryptOpenStorageProvider –Algorithms and keys generated by the operating system’s software providers All function names begin with “B”, such as BCryptOpenAlgorithmProvider BCryptOpenAlgorithmProvider I only explain “B” in next slides, but “N” is very similar

47. TEŽAVNOST: 20047 Using CNG - Concepts Designed as a Win32 library (work in.NET) You don’t need to be aware of any specific providers on your system (unlike in CryptoAPI) Instead, you request an algorithm, and the system offer you the default best available –Of course, you can always chose a specific provider if you prefer, by enumerating them first BCryptEnumRegisteredProviders –You can check properties of a provider before you use it BCryptQueryProviderRegistration –You can register a specific provider BCryptRegisterProvider This solves the problem of updates, when better implementations are found in the future

48. TEŽAVNOST: 20048 Using CNG – Encryption Steps Generally, follow this process: –Open a CNG Algorithm Provider BCryptOpenAlgorithmProvider –Generate or import keys –Calculate the size of encrypted data Call BCryptEncrypt with NULL for pbInput paramterBCryptEncrypt –Encrypt data by calling BCryptEncrypt againBCryptEncrypt Repeat this step as needed for all data, remembering to use the correct form of operating mode (chaining) –Output or persist the result –Close the provider, unless you want to cache it for later use BCryptCloseAlgorithmProvider

49. TEŽAVNOST: 20049 Randomness Use BCryptGenRandom You can use a specific algorithm, otherwise the default is used, which is FIPS-186-2 compliant –It uses entropy gathered by the provider over the time –You can add your own entropy as a parameter

50. TEŽAVNOST: 20050 Summary Today’s cryptography has just accelerated its evolution Windows Vista and Longhorn Servers will be at the front of innovation in this field You can benefit from the increased security by using BitLocker or the APIs such as CNG It is an exciting time to be using cryptography!

51. TEŽAVNOST: 20051 References Visit msdn.microsoft.com/security and www.microsoft.com/technet/securitymsdn.microsoft.com/security www.microsoft.com/technet/security Read sci.crypt (incl. archives) For more detail, read: –Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07- 709987-7 –Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471- 22357-3 –Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1- 58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html) http://www.esecurity.ch/Books/cryptography.html –Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471- 11709-9 –Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0- 8493-8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF)www.cacr.math.uwaterloo.ca/hac –PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3 –Foundations of Cryptography, O. Goldereich, www.eccc.uni-trier.de/eccc-local/ECCC- Books/oded_book_readme.html www.eccc.uni-trier.de/eccc-local/ECCC- Books/oded_book_readme.html –Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)