Crypto-Agility


Cryptographic algorithms are constantly under attack on two fronts. The first is the ceaseless increase in processor speed, which makes it ever more feasible to break an algorithm by brute force in a reasonable time; the second is ongoing cryptographic research, which continually finds weaknesses in algorithms. A good example of the latter is the weaknesses found in some major hash functions: MD4 and MD5 are now considered utterly insecure because of poor collision resistance, and SHA-1 is showing signs of serious weakness. In fact, Microsoft has banned the use of MD4, MD5, and SHA-1 in new code except for backward compatibility, where the algorithm is mandated by an industry standard, or in applications whose minimum supported Windows platform is older than Windows Vista.

More Info  

NIST has some excellent guidance about the use of SHA-1: “Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs), key derivation functions (KDFs), and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.” (NIST 2006).

Sometimes policy dictates the need for new algorithms; a good example is the U.S. federal "Suite B" requirements. If your application does not understand Suite B but your competitors' applications do, your lack of crypto-agility could mean lost sales.

The biggest mistake developers make is hardcoding the algorithm identifier in the code. If the algorithm turns out to be weak and must be replaced, the code has to be changed to use the new algorithm, the data structures and file formats that carry the algorithm's output have to be updated, and finally a product update has to be shipped to customers. In some cases this work breaks compatibility with older file formats. The following code snippet, which uses CryptoAPI (CAPI), is not crypto-agile because the algorithm identifier is embedded in the call:

    // CALG_DES is baked into the code: nothing outside this function can
    // change it, and nothing records which algorithm produced the key.
    if (CryptDeriveKey(hProv, CALG_DES, hHash, CRYPT_EXPORTABLE, &hKey)) {
        // Encrypt data
    }
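The CAPI call above bakes CALG_DES into the code. The following is an added example, not code from the book or from Windows, written in Python because its hmac and hashlib modules already take the algorithm as a string, the same design move CNG makes with its string identifiers. It shows the agile counterpart: the algorithm name is chosen from a policy table and stored alongside the tag it produced, the verifier dispatches on that stored name, and the platform is asked whether it actually provides the algorithm before the name is trusted. The policy table, the "alg$hexdigest" tag format and the sample key and payload are assumptions made for this example.

```python
"""Crypto-agile integrity tags: the algorithm name travels with the data.

Added example, not from the book. The policy table, the 'alg$hexdigest'
tag format and the sample key/payload are assumptions for illustration.
"""
import hashlib
import hmac


class AlgorithmPolicyError(ValueError):
    """Raised when an algorithm is unavailable or disallowed by policy."""


# Policy is data, not code. "approved" may be used to create new tags;
# "legacy_verify_only" may only be used to check tags that already exist;
# anything else (MD4, for instance) is refused outright.
DEFAULT_POLICY = {
    "approved": frozenset({"sha256", "sha384", "sha512"}),
    "legacy_verify_only": frozenset({"sha1", "md5"}),
}


def tag_hardcoded(key: bytes, data: bytes) -> str:
    """The non-agile pattern, the moral equivalent of CALG_DES above: the
    algorithm is fixed in code and nothing in the output records which one
    was used, so retiring it means a code change and a format change."""
    return hmac.new(key, data, "md5").hexdigest()


def policy_allows(alg: str, policy=DEFAULT_POLICY, *, creating: bool) -> bool:
    """Creating a tag requires an approved algorithm; verifying one also
    tolerates legacy algorithms. Any other name is refused."""
    if creating:
        return alg in policy["approved"]
    return alg in policy["approved"] or alg in policy["legacy_verify_only"]


def _check_available(alg: str) -> None:
    """Ask the platform what it actually provides (the role
    BCryptResolveProviders plays in CNG) before trusting a name."""
    if alg not in hashlib.algorithms_available:
        raise AlgorithmPolicyError(f"algorithm {alg!r} is not provided here")


def make_tag(key: bytes, data: bytes, alg: str, policy=DEFAULT_POLICY) -> str:
    """Produce 'alg$hexdigest'. The verifier dispatches on the name, so
    adopting a new algorithm is a policy edit, not a code change."""
    if not policy_allows(alg, policy, creating=True):
        raise AlgorithmPolicyError(f"{alg!r} is not approved for new tags")
    _check_available(alg)
    return f"{alg}${hmac.new(key, data, alg).hexdigest()}"


def verify_tag(key: bytes, data: bytes, tag: str, policy=DEFAULT_POLICY) -> bool:
    """Check a tag from make_tag. Unknown or banned names are refused before
    any computation, so whoever controls the tag cannot steer verification
    onto an algorithm the policy has retired."""
    alg, sep, hexdigest = tag.partition("$")
    if not sep:
        raise AlgorithmPolicyError("tag carries no algorithm identifier")
    if not policy_allows(alg, policy, creating=False):
        raise AlgorithmPolicyError(f"{alg!r} is not permitted by policy")
    _check_available(alg)
    expected = hmac.new(key, data, alg).hexdigest()
    return hmac.compare_digest(expected, hexdigest)


def needs_retag(tag: str, policy=DEFAULT_POLICY) -> bool:
    """Migration hook: a tag accepted only under the legacy rule should be
    re-issued with an approved algorithm the next time the data is written."""
    return tag.partition("$")[0] in policy["legacy_verify_only"]


if __name__ == "__main__":
    key, data = b"constructed-example-key", b"constructed payload"  # constructed sample input
    tag = make_tag(key, data, "sha256")
    print(tag, verify_tag(key, data, tag))
    # A tag issued under an older policy, when SHA-1 was still approved.
    old_policy = {"approved": frozenset({"sha1"}), "legacy_verify_only": frozenset()}
    old = make_tag(key, data, "sha1", policy=old_policy)
    print(verify_tag(key, data, old), needs_retag(old))
    # Retiring SHA-1 entirely is an edit to the table, not to any caller.
    strict = {"approved": DEFAULT_POLICY["approved"], "legacy_verify_only": frozenset()}
    try:
        verify_tag(key, data, old, policy=strict)
    except AlgorithmPolicyError as err:
        print("rejected:", err)
```

Retiring SHA-1 here is an edit to the policy table: no caller changes, and existing data still verifies until it is re-tagged, which is exactly the migration path that hardcoding CALG_DES forecloses.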

A good example of crypto-agility is SSL and TLS, which negotiate the cryptographic algorithms (the cipher suite) between server and client. If an algorithm is found to be weak, a single algorithm-policy setting on the server or client prevents it from being used, with no code change. We discuss these settings later in the chapter.

Note 

It could be argued that SSL and TLS don't have complete crypto-agility, because the pseudorandom function they use for key derivation is hardwired to MD5 and SHA-1 regardless of which cipher suite is negotiated. (TLS 1.2 later made the PRF hash part of the cipher suite negotiation.)

Crypto-Agility in CNG

There are three major areas of improvement in CNG that make agility easier. First, all cryptographic algorithm identifiers are strings rather than numeric constants. In CAPI, every algorithm is predefined as a numeric ALG_ID in wincrypt.h, which makes it very hard to extend cryptographic functionality to suit your application's needs; adding a custom symmetric encryption algorithm to CAPI, for example Serpent (Anderson 1999), is not easy. CNG changes this: you can use any string you want to name your algorithm, and when your application asks for that name, CNG loads the crypto-provider that registered it.

Crypto-agility in CNG extends beyond cryptographic primitives: you can also plug in custom cipher suites for SSL and TLS, custom envelopes for CMS, and custom certificate elements. The CNG SDK documents the steps for installing and registering a CNG add-in. The core function that registers a new add-in is BCryptAddContextFunctionProvider:

    #define BCRYPT_SERPENT_ALGORITHM L"SERPENT"

    NTSTATUS status = BCryptAddContextFunctionProvider(
        CRYPT_LOCAL,                // machine-local configuration table
        NULL,                       // default context
        BCRYPT_CIPHER_INTERFACE,    // this is a symmetric-cipher provider
        BCRYPT_SERPENT_ALGORITHM,   // the function (algorithm) name, a string
        L"Serpent Provider",        // the provider that implements it
        CRYPT_PRIORITY_TOP);        // try this provider before any other
    if (!NT_SUCCESS(status)) {
        // Registration failed; for example, the caller is not an administrator.
    }

The second area of improvement is that, unlike CAPI, CNG does not require Microsoft to sign the provider implementation, so a cryptographer can create a CNG provider. When implementing a CNG provider, you need implement only the interfaces your algorithm needs. For example, a Serpent provider need not implement signing or hashing functions, because Serpent is only a symmetric encryption algorithm.

Finally, an application can query CNG for the supported algorithms and providers, filtered by interface if needed. The following code dumps every registered primitive cryptographic provider, interface by interface:

    #include <windows.h>
    #include <bcrypt.h>
    #include <stdio.h>
    #pragma comment(lib, "bcrypt.lib")

    // NT_SUCCESS lives in ntdef.h; define it if your headers do not supply it.
    #ifndef NT_SUCCESS
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
    #endif

    PCRYPT_PROVIDER_REFS pProviders = NULL;
    DWORD dwBufSize = 0;
    const DWORD dwFlags = CRYPT_ALL_FUNCTIONS | CRYPT_ALL_PROVIDERS;

    // Walk the primitive interfaces: cipher, hash, asymmetric encryption,
    // secret agreement, signature, RNG.
    for (DWORD dwInterface = BCRYPT_CIPHER_INTERFACE;
         dwInterface <= BCRYPT_RNG_INTERFACE;
         dwInterface++) {
        NTSTATUS ret = BCryptResolveProviders(
            NULL,           // default context
            dwInterface,
            NULL,           // any function (algorithm)
            NULL,           // any provider
            CRYPT_UM,       // user-mode providers only
            dwFlags,
            &dwBufSize,
            &pProviders);   // buffer allocated by CNG; free with BCryptFreeBuffer
        if (NT_SUCCESS(ret) && pProviders) {
            printf("dwInterface = %lu\n", dwInterface);
            for (DWORD k = 0; k < pProviders->cProviders; k++) {
                PCRYPT_PROVIDER_REF pProv = pProviders->rgpProviders[k];
                printf("\tFunction = %S\n", pProv->pszFunction);
                printf("\tProvider = %S\n", pProv->pszProvider);
                // dump property names
                for (DWORD j = 0; j < pProv->cProperties; j++)
                    printf("\tProperty %lu = %S\n",
                           j,
                           pProv->rgpProperties[j]->pszProperty);
                printf("\n");
            }
            BCryptFreeBuffer(pProviders);
            pProviders = NULL;
        }
    }

Important  

Note that only administrators can install a CNG provider, because registration writes machine-wide configuration.



Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
Year: 2007
