New Algorithms in CNG


CNG offers a number of newer algorithms; most notably, and probably most importantly, it adds support for Suite B. Tables 7-1 and 7-2 list all the algorithms supported by the default CNG providers in Windows Vista.

Table 7-1: Cryptographic Algorithms in Windows Vista CNG

Algorithm                    #define                      Standard                         Allowed by SDL?  Suite B?
RC2                          BCRYPT_RC2_ALGORITHM         RFC 2268
RC4                          BCRYPT_RC4_ALGORITHM                                          Yes[*]
AES                          BCRYPT_AES_ALGORITHM         FIPS 197                         Yes              Yes
DES                          BCRYPT_DES_ALGORITHM         FIPS 46-3, FIPS 81
DESX                         BCRYPT_DESX_ALGORITHM
3DES                         BCRYPT_3DES_ALGORITHM        FIPS 46-3, FIPS 81, SP800-38A
3DES-112                     BCRYPT_3DES_112_ALGORITHM    FIPS 46-3, FIPS 81, SP800-38A
MD2                          BCRYPT_MD2_ALGORITHM         RFC 1319
MD4                          BCRYPT_MD4_ALGORITHM         RFC 1320
MD5                          BCRYPT_MD5_ALGORITHM         RFC 1321
SHA-1                        BCRYPT_SHA1_ALGORITHM        FIPS 180-2, FIPS 198
SHA-256                      BCRYPT_SHA256_ALGORITHM      FIPS 180-2, FIPS 198             Yes              Yes
SHA-384                      BCRYPT_SHA384_ALGORITHM      FIPS 180-2, FIPS 198             Yes              Yes
SHA-512                      BCRYPT_SHA512_ALGORITHM      FIPS 180-2, FIPS 198             Yes              Yes
RSA (encryption)             BCRYPT_RSA_ALGORITHM         PKCS#1 v1.5 and v2.0             Yes
RSA (signing)                BCRYPT_RSA_SIGN_ALGORITHM    PKCS#1 v1.5 and v2.0             Yes
Diffie-Hellman               BCRYPT_DH_ALGORITHM          PKCS#3
Digital Signature Algorithm  BCRYPT_DSA_ALGORITHM         FIPS 186-2

[*] RC4 is only allowed after full cryptographic review.

Table 7-2: Elliptic Curve Cryptographic Algorithms in Windows Vista CNG

Algorithm                                                        #define                      Standard
Elliptic Curve Digital Signature Algorithm with Prime-256 curve  BCRYPT_ECDSA_P256_ALGORITHM  FIPS 186-2, X9.62
Elliptic Curve Digital Signature Algorithm with Prime-384 curve  BCRYPT_ECDSA_P384_ALGORITHM  FIPS 186-2, X9.62
Elliptic Curve Digital Signature Algorithm with Prime-521 curve  BCRYPT_ECDSA_P521_ALGORITHM  FIPS 186-2, X9.62
Elliptic Curve Diffie-Hellman Algorithm with Prime-256 curve     BCRYPT_ECDH_P256_ALGORITHM   SP800-56A
Elliptic Curve Diffie-Hellman Algorithm with Prime-384 curve     BCRYPT_ECDH_P384_ALGORITHM   SP800-56A
Elliptic Curve Diffie-Hellman Algorithm with Prime-521 curve     BCRYPT_ECDH_P521_ALGORITHM   SP800-56A

Note: SHA-256, SHA-384, and SHA-512 are collectively referred to as SHA-2 and are available on Windows Vista (in CAPI and CNG) and Windows Server 2003 (in CAPI), and on all supported Windows platforms via the .NET Framework.

Note: All of the above are approved for use in the SDL, are Suite B compliant, and are new to CNG.

CNG also supports two kinds of random number generators (RNG), and both are allowed under SDL: BCRYPT_RNG_ALGORITHM and BCRYPT_RNG_FIPS186_DSA_ALGORITHM. Most applications should use the former, but if you are using DSA, then you should use the latter. Both RNGs conform to FIPS 186-2 and FIPS 140-2.
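As an added example (not from the book), the following Python lint turns Tables 7-1 and 7-2 and the RNG paragraph above into a code-review check: it scans C source for BCRYPT_*_ALGORITHM identifiers and reports whether each one is Suite B, allowed by the SDL, allowed only after review (RC4), or should be flagged because the tables list no SDL approval for it. The sample source lines are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Classification taken from Tables 7-1 and 7-2 and the RNG paragraph above.
SUITE_B = {
    "BCRYPT_AES_ALGORITHM", "BCRYPT_SHA256_ALGORITHM", "BCRYPT_SHA384_ALGORITHM",
    "BCRYPT_SHA512_ALGORITHM", "BCRYPT_ECDSA_P256_ALGORITHM",
    "BCRYPT_ECDSA_P384_ALGORITHM", "BCRYPT_ECDSA_P521_ALGORITHM",
    "BCRYPT_ECDH_P256_ALGORITHM", "BCRYPT_ECDH_P384_ALGORITHM",
    "BCRYPT_ECDH_P521_ALGORITHM",
}
# Allowed by the SDL but not part of Suite B (RSA rows and both RNGs).
SDL_ONLY = {
    "BCRYPT_RSA_ALGORITHM", "BCRYPT_RSA_SIGN_ALGORITHM",
    "BCRYPT_RNG_ALGORITHM", "BCRYPT_RNG_FIPS186_DSA_ALGORITHM",
}
# Marked "Yes[*]" in Table 7-1: allowed only after full cryptographic review.
REVIEW_REQUIRED = {"BCRYPT_RC4_ALGORITHM"}
IDENT = re.compile(r"\bBCRYPT_[A-Z0-9_]+_ALGORITHM\b")

def classify(ident: str) -> str:
    """Map a CNG algorithm identifier to its SDL/Suite B status. Anything not
    listed as allowed (blank SDL cell, or an identifier the tables omit) is flagged."""
    if ident in SUITE_B:
        return "suite-b"
    if ident in SDL_ONLY:
        return "sdl-allowed"
    if ident in REVIEW_REQUIRED:
        return "needs-review"
    return "flag"

def audit(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, identifier, verdict) for every identifier found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in IDENT.finditer(line):
            findings.append((lineno, match.group(0), classify(match.group(0))))
    return findings

# Constructed sample C source (not from the book) exercising each verdict.
SAMPLE_SOURCE = """\
status = BCryptOpenAlgorithmProvider(&hHash, BCRYPT_MD5_ALGORITHM, NULL, 0);
status = BCryptOpenAlgorithmProvider(&hAes, BCRYPT_AES_ALGORITHM, NULL, 0);
status = BCryptOpenAlgorithmProvider(&hRng, BCRYPT_RNG_ALGORITHM, NULL, 0);
status = BCryptOpenAlgorithmProvider(&hRc4, BCRYPT_RC4_ALGORITHM, NULL, 0);
"""

if __name__ == "__main__":
    for lineno, ident, verdict in audit(SAMPLE_SOURCE):
        print(f"line {lineno}: {ident} -> {verdict}")
```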



Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
Year: 2004
Pages: 122