Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security

Outline
- Hash algorithms
- Symmetric algorithms
- Asymmetric algorithms
- Current algorithms in use
- Cryptographic standards
- Operating system support

Security Services
- Confidentiality
- Data Integrity
  - accidental vs. deliberate modification
- Authentication
  - plus role-based authentication when more individuals share authentication information
- Authorization
- Non-repudiation
- key establishment and random number

Cryptographic Algorithms
- Hash algorithms
  - no keys
- Symmetric key algorithms
  - secret key
- Asymmetric key algorithms
  - public and private key

Cryptography

Hashing
[Diagram: Clear-text, hash, Hash]

- Data authentication and integrity
  - in conjunction with keys
  - HMAC – Hashed Message Authentication Code
- Compression of messages for digital signatures
- Deriving keys
- Generation of deterministic random numbers

Incorrect hash example
- Sum alphabet letter positions
  - HELLO = 52
- Can obtain arbitrary clear-text (collision) without brute-forcing
- Two similar clear-texts lead to similar output
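The letter-sum hash from this slide, written out as an added example (not part of the original deck): it builds a collision between two chosen texts by arithmetic alone and compares how far one changed letter moves the output against SHA-256. The sample messages and the helper names are constructed for illustration.

```python
import hashlib
import string


def letter_sum_hash(text: str) -> int:
    """The slide's weak hash: sum of alphabet positions (A=1 .. Z=26); other characters are ignored."""
    return sum(ord(c) - 64 for c in text.upper() if c in string.ascii_uppercase)


def trash_for(gap: int) -> str:
    """Letters whose positions sum to exactly `gap` (computed directly, no search)."""
    full, rest = divmod(gap, 26)
    return "Z" * full + (chr(64 + rest) if rest else "")


def collide(a: str, b: str) -> tuple[str, str]:
    """Return (a', b') with equal letter_sum_hash by padding the lower-scoring text."""
    ha, hb = letter_sum_hash(a), letter_sum_hash(b)
    if ha < hb:
        return a + " " + trash_for(hb - ha), b
    if hb < ha:
        return a, b + " " + trash_for(ha - hb)
    return a, b


def sha256_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between the SHA-256 digests of a and b."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    # Similar inputs give neighbouring outputs, and any anagram collides.
    print(letter_sum_hash("HELLO"), letter_sum_hash("HELLP"), letter_sum_hash("OLLEH"))
    # Two unrelated constructed messages forced to the same hash with appended letters.
    padded, other = collide("PAY KAMIL", "PAY ONDREJ")
    print(repr(padded), letter_sum_hash(padded), repr(other), letter_sum_hash(other))
    # A cryptographic hash flips roughly half of its 256 output bits instead.
    print(sha256_bit_distance("HELLO", "HELLP"))
```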

Hash collisions
- Pure arithmetic collisions
  - limited exploitability
- Post-signing collisions
- Chosen-prefix collisions

Post-signing collision

Name: Ondrej
Owes: 100 $
Hash: 14EEDA49C1B7
To: Kamil
Signature: 3911BA85

Name: Ondrej
Owes: $
Hash: 14EEDA49C1B7
To: Kamil
Signature: 3911BA85
Trash:

Chosen-prefix collision

CN:
Valid: 2010
Hash: 24ECDA49C1B7
Serial #: 325
Signature: 5919BA85
Public: 35B87AA11...

CN:
Valid: 2010
Hash: 24ECDA49C1B7
Serial #: 325
Signature: 5919BA85
Public: 4B3318C9D...

MD5 problems
- Pure arithmetic in 2^112 evaluations
- Post-signing collisions suspected
- Chosen-prefix collisions
  - Practically proved for certificates with predictable serial numbers
  - 2^50

SHA-1 problems
- General brute-force attack at 2^80
  - comparable to a complex password of about 12 characters
- Some collisions found at 2^63
  - pure arithmetic collisions, no exploitation proved

Cryptography

Symmetric key
- Data confidentiality
- Authentication and integrity
  - MAC – Message Authentication Code, single key to generate, the same to validate
- Key establishment
- Generation of deterministic random numbers

Password and key
[Diagram: Password, Key, Clear-text, Cipher, Hash, Cipher-text]

Encryption key
[Diagram: Clear-text, Key, Cipher, Cipher-text, Key]

Cryptography

Asymmetric keys
- Digital signatures
- Key establishment
- Generation of random numbers

Encryption and decryption keys
[Diagram: Clear-text, Encryption key, Cipher, Cipher-text, Decryption key]

Private and public key
[Diagram: Signing, Private key, Signature validation, Public key]

Private and public key
[Diagram: Decryption, Private key, Signature validation, Encryption, Public key]

Performance considerations
- Asymmetric algorithms use large keys
  - EC is about 10 times smaller
- Encryption/decryption time about 100x longer
  - symmetric is faster

Digital Signature (incorrect)
[Diagram: Document, Private key, Document]

Digital Signature
[Diagram: Private key, Document, Hash]

Storage Encryption (slow)
[Diagram: Public key, Document]

Storage Encryption
[Diagram: Public key (User A), Symmetric encryption key (random), Symmetric key, Document, Public key (User B), Symmetric key]

Transport encryption
[Diagram: Public key, Symmetric Key, Public key, Symmetric Key, Data, Client, Server]

Diffie-Hellman Key Exchange
- Asymmetric algorithm for key exchange
  - most commonly used for key exchange
- Automatically generates the same encryption key for symmetric encryption on both sides
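The exchange described on this slide, as an added example that is not part of the original deck: client and server send only public values, derive the same symmetric key, and reject degenerate peer values. The group (prime 2^127 - 1, base 3) and all function names are assumptions chosen for readability, not a deployable parameter set.

```python
import hashlib
import secrets

# Toy group (assumption, for readability only): Mersenne prime 2**127 - 1, base 3.
# Real deployments use standardized groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public); only the public value is ever sent."""
    private = secrets.randbelow(P - 3) + 2          # uniform in 2 .. P-2
    return private, pow(G, private, P)


def check_public(value: int) -> int:
    """Reject 0, 1, P-1 and out-of-range values: they force a predictable shared secret."""
    if not 2 <= value <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return value


def session_key(own_private: int, peer_public: int) -> bytes:
    """Derive a 256-bit symmetric key from the shared secret g^(ab) mod P."""
    shared = pow(check_public(peer_public), own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def exchange():
    """Run both sides; return what crossed the wire and each side's derived key."""
    client_priv, client_pub = keypair()
    server_priv, server_pub = keypair()
    wire = [("client->server", client_pub), ("server->client", server_pub)]
    client_key = session_key(client_priv, server_pub)
    server_key = session_key(server_priv, client_pub)
    return wire, client_key, server_key


if __name__ == "__main__":
    wire, k_client, k_server = exchange()
    for direction, value in wire:
        print(direction, hex(value))
    print("keys match:", k_client == k_server)
```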

Digital Signature and time stamping (incorrect)
[Diagram: Private key, Document, Hash, Timestamp]

Time authority (incorrect)
[Diagram: TA private key, Private key, Document, Hash, Timestamp]

Time authority (correct)
[Diagram: TA private key, Private key, Document, Hash, Timestamp, Hash]

Time authority (correct)
[Diagram: TA private key, Private key, Document, Hash, Timestamp, Hash, Public key]

Random Number Generators
- Deterministic RNG use cryptographic algorithms and keys to generate random bits
  - attack on randomly generated symmetric keys
  - DNS cache poisoning
- Nondeterministic RNG (true RNG) use physical source that is outside human control
  - smart cards, tokens
  - HSM – hardware security modules

Random Number Generators
- CryptGenRandom()
  - hashed
  - Vista+ AES (NIST )
  - DSS (FIPS 186-2)
- Entropy from
  - system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …

Random Number Generators
- new Random()
  - just a time seed
  - several instances created simultaneously may have the same seed
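The time-seed problem from this slide, as an added example that is not part of the original deck: Python's `random.Random` seeded with a clock tick stands in for the `new Random()` the slide names (an assumption), next to keys drawn from the operating system's cryptographic RNG. The tick values are constructed sample data.

```python
import math
import random
import secrets
from collections import Counter


def time_seeded_key(tick: int, nbytes: int = 16) -> bytes:
    """Key from a PRNG whose only seed is a clock tick (stand-in for a time-seeded generator)."""
    rng = random.Random(tick)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def csprng_key(nbytes: int = 16) -> bytes:
    """Key from the operating system's cryptographic RNG."""
    return secrets.token_bytes(nbytes)


def reused_keys(keys):
    """Audit helper: the set of keys that were issued more than once."""
    return {k for k, n in Counter(keys).items() if n > 1}


def seed_entropy_bits(window_seconds: float, ticks_per_second: int) -> float:
    """Upper bound on key entropy when the seed is some tick inside a known time window."""
    return math.log2(window_seconds * ticks_per_second)


# Constructed sample: four generator instances created "simultaneously";
# three of them read the same millisecond tick.
SAMPLE_TICKS = [86_400_123, 86_400_123, 86_400_123, 86_400_124]


def demo():
    """Return (number of reused weak keys, number of reused CSPRNG keys)."""
    weak = [time_seeded_key(t) for t in SAMPLE_TICKS]
    strong = [csprng_key() for _ in SAMPLE_TICKS]
    return len(reused_keys(weak)), len(reused_keys(strong))


if __name__ == "__main__":
    print("reused keys (time seed, CSPRNG):", demo())
    # A 128-bit key seeded from a millisecond tick within a known hour
    # carries at most this many bits of entropy.
    print("entropy bound in bits:", round(seed_entropy_bits(3600, 1000), 1))
```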

Cryptography

Symmetric algorithm history
- DES (1976, 56 bit)
- 3DES, TDEA (1998, 168/112 bit)
- RC4 (1987, 128 bit)
- AES-128, AES-192, AES-256 (2001)

Hash algorithm history
- MD4 (1990, 128 bit)
- MD5 (1991, 128 bit)
- SHA-1 (1995, 160 bit)
- SHA-224, SHA-256, SHA-384, SHA-512 (2001)

Asymmetric algorithm history
- RSA (1973)
- DSA (1991)
- ECDSA (2000)
- ECDH (2000)

Cryptography

US standards
- FIPS – Federal Information Processing Standards
  - provides standard algorithms
- NIST – National Institute for Standards and Technology
  - approves the algorithms for US government non-classified but sensitive use
  - latest NIST SP800-57, March 2007
- NSA – National Security Agency
  - Suite-B for Secure and Top Secure (2005)

Hash functions (SP800-57)
- SHA-1
  - hash size output is 160
- SHA-2
  - SHA-224, SHA-256, SHA-384, SHA-512
  - hash size output is 224, 256, 384, 512

Symmetric key (SP800-57)
- AES-128, AES-192, AES-256
  - encrypts data in 128-bit blocks
  - uses 128, 192, 256-bit keys
- Triple DEA (TDEA)
  - encrypts data in 64-bit blocks
  - uses three 56-bit keys

Digital Signatures (SP800-57)
- DSA (Digital Signature Algorithm)
  - key sizes of 1024, 2048 and 3072-bit
  - produces 320, 448, 512-bit signatures
- RSA (Rivest – Shamir – Adleman)
  - key sizes according to FIPS186-3
- ECDSA (Elliptic Curve DSA)
  - key sizes of at least 160-bit
  - produces 2x key length signatures
  - types of curves specified in FIPS186-3

Cryptoperiods (SP800-57)

| Key | Cryptoperiod |
|---|---|
| Private signature | 1 – 3 years |
| Symmetric authentication | <= 5 years |
| Private authentication | 1-2 years |
| Symmetric data encryption | <= 5 years |
| Public key transport key | 1-2 years |

Comparable Algorithm Strengths (SP800-57)

| Strength | Symmetric | RSA | ECDSA | SHA |
|---|---|---|---|---|
| 80 bit | 2TDEA | RSA 1024 | ECDSA 160 | SHA |
| bit | 3TDEA | RSA 2048 | ECDSA 224 | SHA |
| bit | AES-128 | RSA 3072 | ECDSA 256 | SHA |
| bit | AES-192 | RSA 7680 | ECDSA 384 | SHA |
| bit | AES-256 | RSA 15360 | ECDSA 512 | SHA-512 |

Security lifetimes (SP and Suite-B) LifetimeStrengthLevel bitUS Confidential bitUS Confidential 128 bitUS Secure 192 bitUS Top-Secure Beyond bitUS Confidential

Cryptography

FIPS Compliant Algorithms

Cryptographic Providers
- Cryptographic Service Provider – CSP
  - Windows
  - DLL loaded into client processes
  - can use only V1 and V2 templates
- Cryptography Next Generation – CNG
  - Windows Vista+
  - different API functions, isolated private keys
  - use only V3 templates
  - enables use of ECC
- CERTUTIL -CSPLIST

Cryptography support 52 SystemDES 3DES RC2 RC4 AES 128 AES 192 AES 256 MD2 MD5 HMAC SHA-1SHA-256 SHA-384 SHA-512 ECDSA ECDH Windows 2000yesnoyes no Windows XPyes no Windows 2003yes non-public update yes no Windows Vista/2008 yes Windows 7/2008 R2 yes

Cryptography support 53 SystemDES 3DES RC2 RC4 AES 128 AES 192 AES 256 MD2 MD5 HMAC SHA-1SHA-256 SHA-384 SHA-512 ECDSA ECDH Windows Mobile 6.5 yes no Windows Mobile 7 yes TMG 2010yes no SCCM 2007yesno SCOM 2007yes no

Encryption EFSBitLockerIPSecKerberosNTLMRDP DES LM password hash, NTLM 3DES RC AES Vista + DH RSA Seven ECC Seven +Vista +Seven +

Hashing 55 MD4MD5SHA-1SHA-2 NT password hash NT4 + Digest password hash IPSec Seven + NTLM NTLMv2 MS-CHAP MS-CHAPv2

SHA-2 Support
- CSPs can store and validate the SHA-2 certificates
  - Windows XP SP3
  - Windows Server 2003 – KB
  - Windows Mobile 7
- New SHA-2 certificates can be issued only by Windows CA
- Autoenrollment client can enroll for SHA-2 certificates only on Windows 2008/Vista+

CNG Not Supported
- EFS
  - Windows 2008/Vista-
  - user encryption certificates
- VPN/WiFi Client (EAPTLS, PEAP Client)
  - Windows 2008/7-
  - user or computer certificate authentication
- TMG 2010
  - server certificates on web listeners
- Outlook 2003
  - user certificates for signatures or encryption
- Kerberos
  - Windows 2008/Vista- DC certificates
- System Center Operations Manager 2007 R2
- System Center Configuration Manager 2007 R2

SAN and wildcards *
Columns: Application, Supports *, Supports SAN
- Internet Explorer 4.0 and older: no
- Internet Explorer 5.0 and newer: yes
- Internet Explorer 7.0: yes; yes, if SAN present (Subject is ignored)
- Windows Pocket PC 3.0 and 4.0: no
- Windows Mobile 5.0: no; yes
- Windows Mobile 6.0 and newer: yes
- Outlook 2003 and newer: yes
- RDP/TS proxy: yes; yes, if SAN present (Subject is ignored)
- ISA Server firewall certificate: yes
- ISA Server 2000 and 2004 published server certificate: no
- ISA Server 2006 published server certificate: yes; yes, only the first SAN name

OCSP and Delta CRL
Columns: System, Checks OCSP, Delta CRL
- Windows 2000 and older: no
- Windows XP and older: no; yes
- Windows Vista and newer: yes, preferred; yes
- Windows Pocket PC 4.0 and older: no
- Windows Mobile 5.0: no; yes
- Windows Mobile 6.0: no; yes
- Windows Mobile 6.1 and newer: yes, preferred; yes
- ISA Server 2006 and older: no; yes
- TMG 2010 and newer: yes, preferred; yes

CRL checks in Internet Explorer

| Version | CRL and OCSP checking |
|---|---|
| 4.0 and older | no checks |
| 5.0 and newer | can check CRL, disabled by default |
| 7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default |

Automatic Root Certificate Update
- Windows XP/2003
  - whole list periodically updated from Windows Update
- Windows Vista/2008+
  - individual CAs updated on demand from Windows Update
- Windows Mobile 6.5+
  - individual CAs updated on demand from Windows Update

Windows Mobile 2003/5.0 CAs

| Company | Certificate Name | Windows Mobile |
|---|---|---|
| Cybertrust | GlobalSign Root CA | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Root | 2003 and 5.0 |
| Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0 |
| Verisign | Thawte Premium Server CA | 2003 and 5.0 |
| Verisign | Thawte Server CA | 2003 and 5.0 |
| Verisign | Secure Server Certification Authority | 2003 and 5.0 |
| Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0 |
| Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0 |
| Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0 |
| Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0 |
| Godaddy | http:// | |

Windows Mobile 6.0 CAs

| Company | Certificate Name |
|---|---|
| Comodo | AAA Certificate Services |
| Comodo | AddTrust External CA Root |
| Cybertrust | Baltimore CyberTrust Root |
| Cybertrust | GlobalSign Root CA |
| Cybertrust | GTE CyberTrust Global Root |
| Verisign | Class 2 Public Primary Certification Authority |
| Verisign | Thawte Premium Server CA |
| Verisign | Thawte Server CA |
| Verisign | Secure Server Certification Authority |
| Verisign | Class 3 Public Primary Certification Authority |
| Entrust | Entrust.net Certification Authority (2048) |
| Entrust | Entrust.net Secure Server Certification Authority |
| Geotrust | Equifax Secure Certificate Authority |
| Geotrust | GeoTrust Global CA |
| Godaddy | Go Daddy Class 2 Certification Authority |
| Godaddy | http:// |
| Godaddy | Starfield Class 2 Certification Authority |

RSA 2048 browser support
Columns: Browser, First Version
- Internet Explorer: 5.01
- Mozilla Firefox: 1.0
- Opera: 6.1
- Apple Safari: 1.0
- Google Chrome
- AOL: 5
- Netscape Communicator: 4.51
- Red Hat Linux Konqueror
- Apple iPhone
- Windows Mobile: 2003
- Windows CE: 4.0
- RIM Blackberry: 4.3.0
- PalmOS: 5
- Sony Playstation Portable
- Sony Playstation3
- Nintendo Wii

Extended Validation browsers
Columns: Browser, First Version
- Internet Explorer: 7.0
- Opera: 9.5
- Firefox: 3
- Google Chrome: -
- Apple Safari: 3.2
- Apple iPhone: 3.0

S/MIME RSA 2048 client support
Columns: Browser, First Version
- Microsoft Outlook: 99
- Mozilla Thunderbird: 1.0
- Qualcomm Eudora: 6.2
- Lotus Notes: 6
- Netscape Communicator: 4.51
- Mulberry Mail
- Apple Mail
- Windows Mail
- The Bat

CA Hierarchy
[Diagram: IDTT Root CA, IDTT London CA, IDTT Paris CA, IDTT Roma CA, Leaf certificate]
