Next Generation of Cryptography for Microsoft Windows Vista

• Download Executable (Managed CAPI)- 195.5 KB
• Download RSA Demo Source (Managed CAPI)- 576.4 KB
• Download Enumerate CNG Providers (Unmanaged CNG)- 58.1 KB
• Download Encrypt AES (Unmanaged CNG)- 12.6 KB

Introduction

The Cryptography API: Next Generation(CNG) is a new and agile framework in Windows Vista�, which implements an extensible provider model that allows you to load a provider by specifying the required cryptographic algorithm rather than having to hardcode a specific provider.

The advantage is that an algorithm provider can be replaced or upgraded and you will not have to change your code in any way to use the new provider. Also, if some algorithm is determined to be unsafe in the future, a more secure version of that algorithm can be installed with no effect to your code. To facilitate this, you load a CNG provider by identifying the cryptographic algorithm that you require, not the specific provider. Most of the CNG APIs require a provider or an object created by a provider.

In this article, I try to describe the new security feature Cryptography API: Next Generation(CNG) and compare it with an RSA and AES samples, both managed and unmanaged, using "Crypto API" (CAPI before Vista) and how it can be implemented using CNG in Windows Vista. Managed version of CNG is yet to come, if you feel like you want more, wait for the next release of Visual Studio "Orcas".

Background

About RSA

RSA is the established standard for public key encryption. The name RSA is derived from the names of the inventors of this algorithm, which are: Ron Rivest, Adi Shamir and Leonard Adleman. The principle and security of RSA is based on the fact that with today's knowledge, it is not possible to find the prime factors of a big number (n=pq, where p and q are prime numbers) in suitable time.

Short details

• Public Key: n=pq (p and q are big prime numbers)
• e relative prime to (p-1)(q-1)
• Private Key: d e-1 mod ((p-1)(q-1))
• Encryption: c = me mod n
• Decryption: m = cd mod n

About AES

Advanced Encryption Standard (AES), also known as Rijndael, is a symmetric 128-bit block cipher adopted as an encryption standard by the US government.

Short details

• AES operates on a 4�4 array of bytes.
• For encryption, each round of AES (except the last round) consists of four stages: AddRoundKey, Subbytes, Shift rows and Mix columns.
• At each stage, the bytes are manipulated and processed for the next level.

Crytography API: Next Generation(CNG)

CNG provides a set of APIs that are used for performing basic cryptographic operations, such as creating hashes, encrypting, and decrypting data.

Each algorithm class in CNG is represented by a primitive router. Applications making use of the primitive APIs will link to the router binary (Bcrypt.dll in user mode, or Ksecdd.sys in kernel mode), and make calls to the various CNG primitive functions. All of the algorithm primitives are managed by various router components. These routers keep track of each algorithm implementation that has been installed on the system. The router will route each function call to the appropriate primitive provider module.

The following illustration shows the design and function of the CNG cryptographic primitives.

CNG provides primitives for the following classes of algorithms:

• Random Number Generator: This class is used to represent pluggable random number generation (RNG).
• Hashing: This class represents algorithms used for hashing, such as SHA1 and SHA2.
• Symmetric encryption: This class represents algorithms used for symmetric encryption. Some examples are AES, 3DES, and RC4.
• Asymmetric encryption: This class represents asymmetric (public key) algorithms that support encryption, like RSA.
• Signature: This class represents signature algorithms such as DSA and ECDSA. This class can also be used with RSA.
• Secret Agreement: This class represents secret agreement algorithms such as Diffie-Hellman (DH) and elliptical curve Diffie-Hellman (ECDH).

Using the code

Using a RSA CryptoService Provider (CAPI)

In CAPI, all cryptographic algorithms are predefined in wincrypt.h which makes it very difficult to extend cryptographic functionality to suit your application's need. Adding a custom symmetric algorithm is not easy. Secondly the CAPI requires Microsoft to sign the implementation, so that it can be a part of a security namespace.

Encrypt and Decrypt in a traditional way, with RSACryptoServiceProvider.

RSACryptoServiceProvider MyAsymmetricAlgorithm = new RSACryptoServiceProvider();
byte[] PlainTextBytes;
byte[] CipherTextBytes;

private void Encrypt()
{
    PlainTextBytes = System.Text.Encoding.UTF8.GetBytes(TextBoxOriginal.Text);
    CipherTextBytes = MyAsymmetricAlgorithm.Encrypt(PlainTextBytes, true);
    TextBoxEncrypted.Text = TextBoxEncrypted.Text +
    + Convert.ToBase64String(CipherTextBytes);
                ShowPublicPrivate();
    // rest of the code removed for brevity

}

private void Decrypt()
{
    PlainTextBytes = MyAsymmetricAlgorithm.Decrypt(CipherTextBytes, true);
    TextBoxOriginal.Text = System.Text.Encoding.UTF8.GetString
    (PlainTextBytes);
}

private void ShowPublicPrivate()
{
   RSAParameters MyParameters = new RSAParameters();
   MyParameters = MyAsymmetricAlgorithm.ExportParameters(true);
   TextBoxPrivateKey.Text = Convert.ToBase64String(MyParameters.D);
   TextBoxPublicKey.Text = Convert.ToBase64String(MyParameters.Modulus);
   // rest of the code removed for brevity

}

Using the CryptoService Provider with CNG

In CNG, all cryptographic constants are "strings" rather than numeric constants. And since you can use any string constant you want to define your algorithm, when your application attempts to use the algorithm, CNG will load the crypto-provider that registered the name. You can also plug in custom cipher-suits for SSL and TLS. The core function that adds a new add-in is BCryptAddContextFunctionProvider².

The typical steps involved in using the CNG API for cryptographic primitive operations are:

1. Open the Algorithm Provider
2. Get or Set Algorithm Properties
3. Create or Import a Key
4. Perform Cryptographic Operations
5. Close the Algorithm Provider

The code for "encrypting data", the string for RSA encryption is BCRYPT_RSA_ALGORITHM. The following shows a pseudocode for the algorithm.

Encrypt pseudocode

BCryptOpenAlgorithmProvider(&hAlg...)
BCryptGetProperty(hAlg,BCRYPT_BLOCK_LENGTH,&dwBlockSize...)
//allocate buffer , rounding up to next block size


BCryptGetProperty(hAlg,BCRYPT_OBJECT_LENGTH,&cbKeyObjectLen...)
//allocate buffer for key object


BCryptGenerateSymmetricKey(hAlg,&hKey...)
BCryptEncrypt(hKey,...)
//data is now encrypted


BCryptDestroyKey(hKey)
BCryptCloseAlgorithmProvider(hAlg,0)
//deallocate buffers

Portion of Encrypt code, key generation

I have added this example of CNG for AES, and not for RSA for simplicity and reference only.
BCRYPT_RSA_ALGORITHM can also be implemented in a similar fashion. A complete sample program for AES-CBC encryption using CNG comes with the CNG³ SDK.

Here BCRYPT_AES_ALGORITHM is the string variable which gives the handle to the actual algorithm. So later if this algorithm needs to be changed, all we will need to do is change the implementation of AES, keeping the existing code.

#include "stdafx.h"

using namespace std;
#pragma comment(lib, "bcrypt")

wchar_t *GetEncryptionAlg() 
{
    return BCRYPT_AES_ALGORITHM;
}

LPBYTE GetPwd() 
{
    static const BYTE key[] = {1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8,0};
    return (LPBYTE)key;
}

LPBYTE GetIV() 
{
    static const BYTE iv[] = {1,2,3,4,5,6,7,8,1,2,3,4,5,6,7,8};
    return (LPBYTE)iv;
}

int _tmain(int argc, _TCHAR* argv[]) 
{
    BCRYPT_ALG_HANDLE hAlg = NULL;
    if (BCryptOpenAlgorithmProvider(
        &hAlg,
        GetEncryptionAlg(),
        NULL,
        0) == STATUS_SUCCESS) 
        {
            BCRYPT_KEY_HANDLE hKey = NULL;
            DWORD cbKey = 0;
            DWORD cbData = 0;
            if (BCryptGetProperty(
                    hAlg,
                    BCRYPT_OBJECT_LENGTH,
                    reinterpret_cast(&cbKey),
                    sizeof cbKey,
                    &cbData,
                    0) == STATUS_SUCCESS) 
            {
                LPBYTE pbKey = new (nothrow)BYTE[cbKey];
                if (pbKey) 
                {
                        BCRYPT_KEY_HANDLE hKey = NULL;
                        LPCSTR szPwd = (LPCSTR)GetPwd();
                        if (BCryptGenerateSymmetricKey(
                                    hAlg,
                                    &hKey,
                                    pbKey,
                                    cbKey,
                                    (PUCHAR)szPwd,
                                    (ULONG)strlen(szPwd),
                                    0) == STATUS_SUCCESS) 
                        {
                                printf("!!!");
                        }
                }
            }
        }

    return 0;
}

Decrypting Data

Same as above, except for BCryptDecrypt

BCryptOpenAlgorithmProvider(&hAlg...)
BCryptGetProperty(hAlg,BCRYPT_BLOCK_LENGTH,&dwBlockSize...)
//allocate buffer , rounding up to next block size


BCryptGetProperty(hAlg,BCRYPT_OBJECT_LENGTH,&cbKeyObjectLen...)
//allocate buffer for key object


BCryptGenerateSymmetricKey(hAlg,&hKey...)
BCryptDecrypt(hKey,...)
//data is now encrypted


BCryptDestroyKey(hKey)
BCryptCloseAlgorithmProvider(hAlg,0)
// deallocate buffers

Hashing Data

BCryptOpenAlgorithmProvider(&hAlg...)
BCryptGetProperty(hAlg,BCRYPT_OBJECT_LENGTH,&cbHash...)
//allocate buffer for hash


BCryptCreateHash(hAlg,&hHash,...)
BCryptHashData(hHash,...)
// use the hash data

// your code here


BCryptDestroyHash(hHash)
BCryptCloseAlgorithmProvider(hAlg,0)
//deallocate buffers

With CNG, a cryptographer can create his own cryptographic provider, with all the needed interfaces and functionality for the provider and plug in the CNG framework. The core function which is required for this is BCryptAddContextFunctionProvider.

Here is the basic structure which will be required to add a test algorithm BCRYPT_MYTEST_ALGORITHM, for details please refer to the steps to install and register "CNG add-ins" in the CNG SDK³.

#define BCRYPT_MYTEST_ALGORITHM
status = BCryptAddContextFunctionProvider(
         CRYPT_LOCAL,
         NULL,  //default

         BCRYPT_CIPHER_INTERFACE,
         BCRYPT_MYTEST_ALGORITHM,
         L"MyTest Provider",
         CRYPT_PRIORITY_TOP);

A CNG also allows you to query for all supported algorithms using the function BCryptResolveProviders.

#include "stdafx.h"

#pragma comment(lib, "bcrypt")
#ifndef NT_SUCCESS
#   define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

int  __cdecl main(int argc, __in_ecount(argc) LPWSTR *wargv) 
{
    argc;
    wargv;

    BOOLEAN bFipsEnabled = FALSE;
    if (NT_SUCCESS(BCryptGetFipsAlgorithmMode(&bFipsEnabled)))
        printf("FIPS is %Senabled.\n",bFipsEnabled ? L"" : L"not ");

    PCRYPT_PROVIDER_REFS pProviders = NULL;
    DWORD dwBufSize = 0;
    const DWORD dwFlags = CRYPT_ALL_FUNCTIONS | CRYPT_ALL_PROVIDERS;

    for (DWORD i = BCRYPT_CIPHER_INTERFACE; i <= BCRYPT_RNG_INTERFACE; i++) 
    {
        NTSTATUS ret = BCryptResolveProviders(
                            NULL,
                            i,
                            NULL,
                            NULL,
                            CRYPT_UM,
                            dwFlags,
                            &dwBufSize,
                            &pProviders);
        if (NT_SUCCESS(ret) && pProviders) 
        {
            printf("dwInterface = %d\n", i);

            for (DWORD k=0; k < pProviders->cProviders; k++) 
            {
                PCRYPT_PROVIDER_REF pProv = pProviders->rgpProviders[k];

                printf("\tFunction = %S\n", pProv->pszFunction);
                printf("\tProvider = %S\n", pProv->pszProvider);

            // print property names

            for ( DWORD j = 0; j < pProv->cProperties; j++)
            printf("\tProperty %d = %S\n", j, 
            pProv->rgpProperties[j]->pszProperty);

                printf("\n");
            }

            BCryptFreeBuffer(pProviders);
            pProviders = NULL;
            dwBufSize = 0;
        }
    }

    return 0;
}

Managed library for CNG is coming with the next version of Visual Studio "Orcas" and is not available right now in Visual Studio 2005. You can download the unmanaged version of the CNG SDK³ to develop for Windows Vista.

CNG also has access to all the CAPI keys used by Microsoft Cryptographic Service providers.

List of CNG Cryptographic Primitive Functions

Here is a the list of functions defined by the Cryptographic Next Generation (CNG) API that are used for performing cryptographic operations.

• BCryptCloseAlgorithmProvider
• BCryptCreateHash
• BCryptDecrypt
• BCryptDeriveKey
• BCryptDestroyHash
• BCryptDestroyKey
• BCryptDestroySecret
• BCryptDuplicateHash
• BCryptDuplicateKey
• BCryptEncrypt
• BCryptExportKey
• BCryptFinalizeKeyPair
• BCryptFinishHash
• BCryptFreeBuffer
• BCryptGenerateKeyPair
• BCryptGenerateSymmetricKey
• BCryptGenRandom
• BCryptGetProperty
• BCryptHashData
• BCryptImportKey
• BCryptImportKeyPair
• BCryptOpenAlgorithmProvider
• BCryptSecretAgreement
• BCryptSetProperty
• BCryptSignHash
• BCryptVerifySignature

Look for details on each of these functions in MSDN.

New Crypto Algorithms in Orcas

The January CTP of Orcas, has the first set of managed wrappers around the new CNG APIs in Windows Vista⁵, which will use the "Cng suffix" on the implementation classes.

Hash Algorithms

Algorithm	Class	OS Required
MD5	MD5Cng	Windows Vista
SHA-1	SHA1Cng	Windows Vista
SHA-256	SHA256CryptoServiceProvider SHA256Cng	Windows 2003 Windows Vista
SHA-384	SHA384CryptoServiceProvider SHA384Cng	Windows 2003 Windows Vista
SHA-512	SHA512CryptoServiceProvider SHA512Cng	Windows 2003 Windows Vista

For applications targeting Vista which must use CNG, this set of algorithms also provides CNG wrappers for all of our hashing algorithms.

Asymmetric Algorithms

Algorithm	Class	OS Required
Elliptic Curve DSA	ECDSACng	Windows Vista
Elliptic Curve Diffie-Hellman	ECDiffieHellmanCng	Windows Vista

Check Microsoft security⁵ blogs for the latest information on CNG.

Points of Interest

• Windows Vista supports the following four user modes cryptographic interfaces; CNG, Cryptographic API 1.0 (CAPI 1.0), Cryptographic API 2.0 (CAPI 2.0) and .NET Framework Cryptography
• CNG also includes kernel mode along with the user mode. In prior versions of Windows, technologies like CAPI were user mode only and kernel mode cryptography required totally different set of APIs. Now with the Next Generation Cryptography (CNG) there is a unified set of APIs for both
• CNG is highly flexible, enabling new algorithms to be added to Windows Vista for use in Secure Socket Layer/Transport Layer Security SSL/TLS and Internet Protocol Security IPSec
• CNG includes Elliptic Curve Cryptography, an emerging standard among cryptographic algorithms.
• Windows Vista includes a Base Smart Card Cryptographic Service Provider (Base CSP) in the platform. This will make smart cards more accessible, as vendors will no longer have to deal with writing complex CSPs. There will also be a smart card Key Storage Provider in the new CNG infrastructure.
• Only administrator can install a CNG Provider

References

1. Encryption and Cryptography
2. Writing Secure Code for Windows Vista
3. Download CNG SDK for use in C++
4. Orcas January CTP with Managed library for CNG
5. CNG Reference, MSDN Security blog
6. List Cryptographic algorithms available in your computer

History

• Apr 29, 2007: First Published
• May 02, 2007: CNG Enumerator & portion of AES encrypt

And thanks

For coming so far, I hope this article will help demystify some of the new security concepts in Windows Vista, and you will find it useful. Adios!

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 25 of 44 (Total in Forum: 44) (Refresh) FirstPrevNext

Will this technology be available in Windows XP SP3? Wong Shao Voon 0:24 10 Dec '07   Hi Quartz, Please kindly update us if this technology gets into Windows XP SP3? Thanks! Sign In·View Thread·PermaLink Re: Will this technology be available in Windows XP SP3? Dr.Luiji 11:03 6 Feb '08   Wong Shao Voon wrote: Please kindly update us if this technology gets into Windows XP SP3? Hi Wong Shao Voon, as Quartz. write here[^] in a post, the CNG algorithms are supported only on the Windows Vista and Windows Server 2008 operating systems. At the moment under Windows Xp no one task is open concerning CNG. You can find more info here[^] or here[^] or you can try to ask it directly to the CNG Team. Hoping you found it useful. Best wishes. Dr.Luiji Trust and you'll be trusted. Sign In·View Thread·PermaLink Re: Will this technology be available in Windows XP SP3? Wong Shao Voon 15:58 10 Feb '08   Thank you, Dr Luiji! Sign In·View Thread·PermaLink project makpandian 0:28 14 Sep '07   i should want to do this project as my annual project. anybody complete this project.please help me........... i want to know how run and complile this project.. help me. thanks Sign In·View Thread·PermaLink 1.00/5 (1 vote) Applying Cryptography Using The CNG API In Windows Vista Quartz. 14:41 29 Jun '07   Very interesting article on CNG in MSDN Magazine (July 2007 ) MSDN Link[^] Omit Needless Words - Strunk, William, Jr. Vista? Photoshop Preview Handler Sign In·View Thread·PermaLink your project cann't compile without vista? tangliping1 0:46 4 Jun '07   I try to compile your project in windows 2003, I get the error string "Error 1 error C2065: 'cbLength' : undeclared identifier d:\program files\microsoft cng development kit\include\bcrypt.h 356 Error 2 error C4430: missing type specifier - int assumed. Note: C++ does not support default-int d:\program files\microsoft cng development kit\include\bcrypt.h 357 Error 3 error C2513: 'int' : no variable declared before '=' d:\program files\microsoft cng development kit\include\bcrypt.h 357 Error 4 error C2143: syntax error : missing ';' before '' d:\program files\microsoft cng development kit\include\bcrypt.h 357 " 111 Sign In·View Thread·PermaLink Re: your project cann't compile without vista? Quartz. 8:59 4 Jun '07   Thanks for the message CNG API's are "vista" specific API's please check here (MSDN link)[^] for more details Raj Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Congratulations Dr.Luiji 6:48 15 May '07   Article competition winner. Good job Quartz. Trust and you'll be trusted. Cryptography API: The Next Generation (CNG) - How to crypt documents with C++ programming, here. Sign In·View Thread·PermaLink 5.00/5 (1 vote) Re: Congratulations Quartz. 9:43 15 May '07   Thanks once again Dr.Luiji Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Re: Congratulations James Ashley 4:20 21 May '07   Congratulations, Quartz. Well done. Sign In·View Thread·PermaLink Re: Congratulations Quartz. 7:36 21 May '07   Thanks James. Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Simple example for reference Quartz. 0:47 10 May '07   Fellow Cpian Dr. Luiji, posted me a comment yesterday about this detail example, i found it, very easy to follow. It consists of all the essential facts to get you started with CNG Simple way to crypt a file with CNG - by Dr.Luiji[^] One of things which impressed me, was its simplicity, hope you guys find it useful too! Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink 5.00/5 (1 vote) I have questions for kernel mode. Ho Jung Lee 17:13 9 May '07   Hi. Thanks for your great article. ^_^b If you don't mind, would you give me a piece of advices? I made up a my own Cryptographic Service Provider(CSP, is block cipher) of library. And I was able to add my own CSP to CNG list, successfully encrypted and decrypted messages. But I known that it was user mode operations. My questions are here... If I wanna use my own CSP to use SSL(is kernel mode), how could I deal it? And do you have a experience for applying your own or third party CSP to kernel mode? I really wanna heard of your excellent idea. ^_^ And sorry for my poorly English.. T_T Best Regards.... Sign In·View Thread·PermaLink Re: I have questions for kernel mode. Quartz. 21:06 9 May '07   Hi! Ho Jung Lee I am glad you liked it ! Ho Jung Lee wrote: If I wanna use my own CSP to use SSL(is kernel mode), how could I deal it? As i have already said CNG includes user mode as well as kernel mode and a single set of API is used for both, CNG also enables users to plug in custom cipher-suites for SSL and TLS or customer envelops for CMS and custom certificate elements. One of the first things i would suggest you to check, if you have not already done it "The documentation outlining the steps to install and register a CNG add-in" in CNG SDK , assuming you have used BCryptAddContextFunctionProvider to add your CSP and Installed the CNG provider as an administrator. Second things is to look for policy settings for SSL/TLS in Windows Vista, mmc.exe -> Add/Remove Snap-in -> Group Policy Object Editor -> Local Computer Policy -> Computer Configuration ->Administrative templates -> Network -> SSL Configuration , See how you can change those settings and edit them. Again i am assuming this is a SSL provider plug-in This is a new technology and i haven't yet implemented a third party cipher-suit yet, you might be one of the pioneer implementing them, so I can hope this helps you look in the right direction, at the least. Do share your findings. Ho Jung Lee wrote: And sorry for my poorly English.. T_T Don't worry about it, The message and the intent is the substance not the grammar. Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Thank you for your quick and kind replying. ( ^_^ ( Ho Jung Lee 19:55 10 May '07   I already checked that my own CSP was installed and registered in CNG provider list, and successfully encrypted and decrypted some data like block cipher AES and so on. As far as I know, the policy settings for SSL/TLS you told me to look are SSL/TLS protocol list(it is CSP) used in "schannel.dll". I know that we cannot add a new protocol to this list, but we can only change order of these. And added-in my own cipher doesn't exist in there. I have experience in implementing CSP for smart-card in kernel mode. But it couldn't work through SSL/TLS. I think that implentation of CSP is possible with CSPDK, but generally changing or adding a new protocol is too hard or impossible.(It may be possible by "Message Hooking or Global Hooking".) Despite the Microsoft said that CNG supports both user and kernel mode, I think CNG may perfectly not support kernel mode in the present.(It is only my opinion... ^_^;; If you don't mind, I really hope that you tell me some detail information about "CNG in Kernel mode". If you have any idea, I hope you don't mind sharing yours. ^_^ I spent very much time to gathering information about this. T_T Thanks for reading my long wrting and glad to meet you. Power Sign In·View Thread·PermaLink Re: Thank you for your quick and kind replying. ( ^_^ ( Quartz. 8:50 14 May '07   Ho Jung Lee Nice to hear from you again Ho Jung Lee wrote: Despite the Microsoft said that CNG supports both user and kernel mode, I think CNG may perfectly not support kernel mode in the present I am quite sure that, this is not the case, but before jumping into any conclusion let me do some research with practical test on kernel mode, i do have some ideas to go forward, you also try to play around and hit and test, Fellow Cpian Dr. Luiji, posted me a comment yesterday about this detail example, check if you find something useful Simple way to crypt a file with CNG - by Dr.Luiji[^] I will get back to you soon. Raj Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Additionally, these are exported functions... [modified] Ho Jung Lee 22:01 10 May '07   These functions are exported from ncrypt.dll and ksecdd.sys by "dll hooking". I guess these have something to do with SSL, but it do not seem to be documented yet. It is predicted that these are SSL-side of CNG in my opinion. [Referenced functions] SslChangeNotify SslComputeClientAuthHash SslComputeEapKeyBlock SslComputeFinishedHash SslCreateEphemeralKey SslCreateHandshakeHash SslDecrementProviderReferenceCount SslDecryptPacket SslEncryptPacket SslEnumCipherSuites SslEnumProtocolProviders SslExportKey SslFreeBuffer SslFreeObject SslGenerateMasterKey SslGenerateSessionKeys SslGetKeyProperty SslGetProviderProperty SslHashHandshake SslImportKey SslImportMasterKey SslIncrementProviderReferenceCount SslLookupCipherSuiteInfo SslOpenPrivateKey SslOpenProvider SslSignHash SslEncryptPacket SslExportKey SslFreeObject SslImportKey SslLookupCipherSuiteInfo SslOpenProvider -- modified at 3:08 Friday 11th May, 2007 Power Sign In·View Thread·PermaLink Awesome again DeepWaters 8:42 8 May '07   All your articles are my favorite, I have learned a lot from them. I will look forward to your next Sign In·View Thread·PermaLink Re: Awesome again Quartz. 9:28 8 May '07   Thanks buddy , made my day, thats a double[^] Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Encrypt AES doesn't actually encrypt? James Ashley 6:22 3 May '07   Raj, Good job adding the CNG code. I was looking through your AES Encrypt project, though, and it doesn't appear to do any encrypting. It just creates a symmetric key. Additionally, it's not really good practice to use a cleartext password for your secret. You should hash the password and then pass the hash value to BCryptGenerateSymmetricKey. At a minimum, I think you also need to include bcrypt.h in your header file. I'm not sure this project will compile without it (but then again, I'm not a C++ programmer, so I'm only guessing). Sorry to dog you on details like this, but since you've done such an excellent job on presentation (you've definitely got that down), I think the code you produce ought to be up to the same standard. James Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: Encrypt AES doesn't actually encrypt? [Not meant for it] Quartz. 6:58 3 May '07   Hey James, Thanks again, i will look into it, as soon as possible. James Ashley wrote: Sorry to dog you on details like this, Thats, getting the better of me ;P, well if that's the only way to improve the quality of the article , its ok. Best ok i see, that portion of code is meant for reference and as an example to show the benefits of CNG over CAPI I have updated the article as per your suggestions, I have also added a small piece of information: A complete sample program for AES-CBC encryption using CNG comes with the CNG SDK. The SDK Link is in the reference, if anybody wants to dig into that. James Ashley wrote: Additionally, it's not really good practice to use a cleartext password for your secret. You should hash the password and then pass the hash value to BCryptGenerateSymmetricKey. , That is a bit beyond scope, i think, the code is only for reference as i said before and to show the new features in CNG. James Ashley wrote: At a minimum, I think you also need to include bcrypt.h in your header file. I'm not sure this project will compile without it (but then again, I'm not a C++ programmer, so I'm only guessing). Added , smile now I hope you will find the article more accurate now ! Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Re: Encrypt AES doesn't actually encrypt? [Not meant for it] James Ashley 10:04 4 May '07   >> ok i see, that portion of code is meant for reference and as an example to show the benefits of CNG over CAPI Okay. I can sort of see that, but how does the sample show the benefits of CNG over CAPI if the CNG sample does one thing, and the C# CAPI sample does something entirely different? It might also be more accurate to title your C++ project something else than "AES Encrypt" since it doesn't actually do any encryption, or even really use the AES algorithm to do anything. My suggestion, though, would be to go ahead and write a small MFC app that really does ecrypt some text, so that it matches your C# application. I don't think you need to go into too much detail to explain it, but at least then you will have some reference code, for anyone who wants it, that really shows both the old and the new way of doing the same operation. I think that you are right that it probably doesn't make any important difference if one sample is RSA and the other is AES, however, since in the RSA demo you are basically just using the RSA provider as if it were a symmetric key provider, anyways. Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: Encrypt AES doesn't actually encrypt? [Not meant for it] Quartz. 8:21 7 May '07   James Ashley wrote: how does the sample show the benefits of CNG over CAPI Here are some of them i have tried to comprehend again 1. All cryptographic constants are "strings" 2. you can plug in custom cipher-suits using BCryptAddContextFunctionProvider 3. CNG does not requires Microsoft to sign the implementation 4. if you see the steps and pseudocode , you will realize that the infra structure is much more agile and flexible 5. CNG also allows you to query for all supported algorithms using BCryptResolveProviders James Ashley wrote: title your C++ project something else than "AES Encrypt" thats correct, James Ashley wrote: go ahead and write a small MFC app that really does ecrypt some text since the article is in edited section now, it is more difficult to update it , but i will try to come up with something. thanks Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink Re: Encrypt AES doesn't actually encrypt? [Not meant for it] James Ashley 9:17 7 May '07   I'm a bit wary of your conclusion, Quartz. While you've definitely hit on the CNG highlights from the technet article from last year: http://www.microsoft.com/technet/technetmag/issues/2006/05/FirstLook/[^] Crypto NextGen (CNG) is the next version of the Crypto API (CAPI) that provides a much more flexible and agile cryptographic development platform in Windows. In this case, flexible and agile means that CNG can be pluggable to an unprecedented degree, allowing users to create custom cryptography algorithms and implementations that fit seamlessly into the overall CNG infrastructure. Microsoft is also introducing Elliptic Curve Cryptography, which is becoming the industry’s cryptographic algorithm of choice, to the Windows Vista CNG suite. your code samples don't illustrate this, but instead compare the CNG C/C++ API with the managed crypto library from .NET 2.0. The crypto API is alot more hairy to use than the C# implementations of the same code. There's an example of using the API to do a key exchange in my code sample, which is the equivalent of your RSA sample, and it's a dog to get right. Which is not to take away from your article. Your formatting skills are really excellent, and you have a nice eye for adding graphics to make a decent article look more impressive. I've leaned alot from watching how your decorate your articles with charts and tables to create an air of authority. I'm just a little disappointed with the code, which in places gives a false impression, especially the misnaming of your AES "Encrypt" project. You might also want to add a note to your RSA project stating that it isn't actually good practice to use RSA, a asymmetric algorithm, to encrypt a message; instead, it should be used to encrypt a key, which is passed to AES to encrypt a message. But again, lest my frankness about your code give you the wrong impression, I sincerely think this is a nice introduction to CNG. It's probably just in the nature of the beast that it is very difficult in a beginner's article to work up adequate code samples to illustrate what is essentially a complex subject, and in the end it may not matter much to readers, especially if they don't have Vista installed anyways (which I think is still the norm rather than the exception). Honestly, please keep up the good work. There aren't enough intro articles around here, and yours are especially eye-catching. Sign In·View Thread·PermaLink 3.00/5 (2 votes) Re: Encrypt AES doesn't actually encrypt? [Not meant for it] Quartz. 10:20 7 May '07   James , James Ashley wrote: you've definitely hit on the CNG highlights from the technet article from Well i saw the article[^], but i don't see any relation of the technet article with my article, that just defines CNG and that too in a "difficult to understand way" other then that it mentions smart cards which is not related at all. Quartz. wrote: 1. All cryptographic constants are "strings" 2. you can plug in custom cipher-suits using BCryptAddContextFunctionProvider 3. CNG does not requires Microsoft to sign the implementation 4. if you see the steps and pseudocode , you will realize that the infra structure is much more agile and flexible 5. CNG also allows you to query for all supported algorithms using BCryptResolveProviders The points i have jotted down in my comment is directly from this article , if you read the article from top-down you will come across each of these one by one WITH EXAMPLES. James Ashley wrote: compare the CNG C/C++ API with the managed crypto library from .NET 2.0. actually, i wanted not to include any code samples. My intent about this beginners article was tell, what is the next generation of cryptography with glimpse of code to give you an idea. The CNG itself is in its fluid state, it can be in-accurate IMO, to come up with your own implementation. Cryptography, if it will be implemented, should follow the patterns which are preached by microsoft (if you are developing for microsoft platform). James Ashley wrote: especially the misnaming of your AES "Encrypt" project. i will ask the code project editor to rename it to AES "Key generation" project. Its a beginner article,and i think a more curios user will definetly go for other advanced articles like yourself. James Ashley wrote: Your formatting skills are really excellent, and you have a nice eye for adding graphics to make a decent article look more impressive. I've leaned alot from watching how your decorate your articles with charts and tables to create an air of authority. apart from the fact that, these credits also goes to the Codeproject editors, i can say one more thing, i have a simple philosophy if your users don't experience quality in your work throughout, they may conclude there is lack of quality everywhere. Omit Needless Words - Strunk, William, Jr. Vista? Cryptography Next Generation (CNG) here Sign In·View Thread·PermaLink

Last Visit: 14:33 6 Jul '09     Last Update: 14:33 6 Jul '09 12 Next »