Module 9: Encrypting, Hashing, and Signing. Data

Chia sẻ: Mai Phuong | Ngày: | Loại File: PDF | Số trang:78

0
72
lượt xem
18
download

Module 9: Encrypting, Hashing, and Signing. Data

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

This module explains to students how to strengthen the security of their Web applications by incorporating the programmatic use of cryptography. Depending on the programming platform, students will use one of several cryptographic libraries to add encryption, hashing, and digital signing functionality to their Web application. After completing this module, students will be able to use the CAPICOM cryptographic library and the System.Security.Cryptography namespace to encrypt, hash, and sign data....

Chủ đề:
Lưu

Nội dung Text: Module 9: Encrypting, Hashing, and Signing. Data

  1. Module 9: Encrypting, Hashing, and Signing Data Contents Overview 1 Lesson: Encryption and Digital Signing Libraries 2 Lesson: Using CAPICOM 9 Lesson: Using the System.Security.Cryptography Namespace to Hash Data 21 Lab 9: Hashing Data 26 Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data 42 Review 62
  2. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property..  2002 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
  3. Module 9: Encrypting, Hashing, and Signing Data iii Instructor Notes Presentation: This module explains to students how to strengthen the security of their Web 75 minutes applications by incorporating the programmatic use of cryptography. Depending on the programming platform, students will use one of several Lab: cryptographic libraries to add encryption, hashing, and digital signing 60 minutes functionality to their Web application. After completing this module, students will be able to use the CAPICOM cryptographic library and the System.Security.Cryptography namespace to encrypt, hash, and sign data. After completing this module, students will be able to: ! Choose the most appropriate cryptographic library for a given programming platform. ! Use CAPICOM to encrypt, decrypt, hash, and sign data in an Active Server Pages (ASP) Web application. ! Use the System.Security.Cryptography namespace to hash data in a Microsoft® ASP.NET Web application. ! Use the System.Security.Cryptography namespace to encrypt and decrypt data by using both symmetric and asymmetric encryption, and sign data in an ASP.NET Web application. Required materials To teach this module, you need the following materials: ! Microsoft PowerPoint® file 2300A_09.ppt ! Hypertext Markup Language (HTML) code file 2300A_09_code.htm Preparation tasks To prepare for this module: ! Read all of the materials for this module. ! Complete the practices and lab. ! Read Chapter 21, “Encrypting Data over the Network,” in ASP.NET Unleashed by Stephen Walther (2002, Sams Publishing). ! Read Chapter 7, ”Storing Secrets,” in Writing Secure Code by Michael Howard and David LeBlanc (2002, Microsoft Press®). ! Read the Microsoft MSDN® Magazine article, “Protect Private Data with the Cryptography Namespaces of the .NET Framework,” which is available at http://msdn.microsoft.com/msdnmag/issues/02/06/crypto/crypto.asp. ! Read the MSDN article, “The Cryptography API, or How to Keep a Secret,” which is available at http://msdn.microsoft.com/library/en-us/dncapi/ html/msdn_cryptapi.asp. ! Read the MSDN article, “Introducing CAPICOM,” which is available at http://msdn.microsoft.com/library/en-us/dnsecure/html/intcapicom.asp. ! Read the TechNet article, “Authentication and Encryption,” which is available at http://www.microsoft.com/technet/security/network/authen.asp.
  4. iv Module 9: Encrypting, Hashing, and Signing Data ! Read the TechNet article, “Data integrity with hash functions,” which is available at http://www.microsoft.com/technet/prodtechnol/winxppro/ proddocs/sag_IPSec_Und6.asp. ! Read about hashing and encryption algorithms at the SSH Communications Security Web site at http://www.ssh.fi/tech/crypto/algorithms.html. Classroom setup The information in this section provides setup instructions that are required to prepare the instructor computer or classroom configuration for the lab. ! Prepare for the lab by updating the TailspinToys database (Glasgow computer only) On the Glasgow computer, run a Structured Query Language (SQL) script to change the data type of the Password field in the Users table to be binary: 1. On the Start menu, click Programs, click Microsoft SQL Server, and then click Query Analyzer. 2. In the Connect to SQL Server dialog box, type (local) in the SQL Server box, click Start SQL Server if it is stopped, click Windows Authentication, and then click OK. 3. On File menu, click Open. 4. In the Open Query File dialog box, in the File name box, type C:\Program Files\Msdntrain\2300\Labfiles\Lab09\database \update2300DB.sql and then click Open. 5. On the Query menu, click Execute. 6. Close SQL Query Analyzer.
  5. Module 9: Encrypting, Hashing, and Signing Data v How to Teach This Module This section contains information that will help you to teach this module. Lesson: Encryption and Digital Signing Libraries Choosing a Although CAPICOM and the System.Security.Cryptography namespace Cryptography API provide ways to perform some of the same cryptographic tasks, there are features of each library that are mutually exclusive. For example, you can use CAPICOM to work with certificates in the different certificate stores, but you cannot use the System.Security.Cryptography namespace to do this. And you can implement asymmetric encryption by using the System.Security.Cryptography namespace, but not by using CAPICOM. Windows 2000 Briefly discuss each of the Windows® 2000 Cryptographic Service Providers Cryptographic Service (CSPs) and mention the algorithms that are supported by each CSP. Providers Cryptographic algorithms are discussed in more detail in the next topic. Choosing a You might mention that it is acceptable to employ a commonly used algorithm Cryptographic Algorithm that has a solid reputation. Remember that an attacker can be aware of the algorithm that is used to encrypt the data, but unless the key is also known, it will be virtually impossible to decrypt the data. Recommend to the students that they hire a security professional to ensure the correct usage of cryptography in their Web applications. Cryptography is a very complex subject and this module covers only the basics. Lesson: Using CAPICOM Hashing Data Of the hashing algorithms that are supported by CAPICOM, SHA1 is considered to be very good and it is the recommended algorithm. Instructor-Led Practice: After students have run the capicomHash.asp page, show the source code of the Hashing Data Using Web page. There are four check boxes that use the four different hash CAPICOM algorithms that are supported by CAPICOM. Point out how the length of the SHA1 hash value is longer than the other hash algorithms. Encrypting and Point out that you should use the Utilities.GetRandom method to create the Decrypting Data key.
  6. vi Module 9: Encrypting, Hashing, and Signing Data Instructor-Led Practice: After students have run the capicomEncrypt.htm and capicomDecrypt.asp Web Encrypting and pages, show the source code of the pages: Decrypting Data Using CAPICOM 1. In Microsoft Visual Studio® .NET, open the 2300Demos solution. 2. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the capicomEncrypt.htm file. The page has a text box that can be used for entering the data to be encrypted and a Submit button that sends the data to the capicomDecrypt.asp page. 3. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the capicomDecrypt.asp file: a. View the inline ASP code. The capicomDecrypt.asp page first reads the string to be encrypted from a form variable. The code then passes that string to the EncryptTheString function, which returns the encrypted value. The encrypted value is then passed to the DecryptTheString function, which returns the decrypted value. b. View the EncryptTheString function. The EncryptTheString function has two parameters, the string that is used to encrypt and an error flag. The EncryptTheString function uses the EncryptedData object to encrypt the first parameter and then returns the encrypted data to the calling ASP code. The key for encryption is derived from the GetRandom method of the Utilities object and is then stored in a Session variable; therefore, the key is valid only during the session. c. View the DecryptTheString function. The DecryptTheString function has two parameters, the encrypted string and an error flag. The DecryptTheString function uses the EncryptedData object to decrypt the first parameter by using the key that is stored in the Session variable. The function then returns the decrypted data to the calling ASP code.
  7. Module 9: Encrypting, Hashing, and Signing Data vii Signing Data When signing data, the process doing the signing (either the ASP process or the ASPNET process, depending on where the code runs in a Web application) must have access to the certificates. To obtain a certificate from a different store, like the local computer store, and to use that certificate to sign data, use the following code: Function SignTheStringWithMachineCertificate() Dim oSignedData Set oSignedData = CreateObject("CAPICOM.SignedData") oSignedData.Content = "Text to sign" 'open the local machine store Dim Store Set Store = CreateObject("CAPICOM.Store") Store.Open(1) 'this opens the local machine store 'get the first certificate in the store Dim Certificate Set Certificate = Store.Certificates(1) 'sign the data Dim strSignedData Dim Signer Set Signer = CreateObject("CAPICOM.Signer") Signer.Certificate = Certificate strSignedData = oSignedData.Sign(Signer) End Function Note Obtaining a certificate from a different store is beyond the scope of Course 2300, Developing Secure Web Applications. Instructor-Led Practice: After students have run the capicomSign.asp and capicomVerify.asp Web Signing Data Using pages, show the source code of the pages: CAPICOM 1. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the capicomSign.asp file. The page has a text box that can be used for entering the data to be signed. 2. View the HTML for the page. The Submit button calls the SignTheString function, which signs the data in the txtClear text box. The signed data is stored in a Hidden field and is then passed to the capicomVerify.asp page. 3. Open the capicomVerify.asp page and view the HTML. The ASP code retrieves the signed data and then calls the VerifyTheSignedString function.
  8. viii Module 9: Encrypting, Hashing, and Signing Data Lesson: Using the System.Security.Cryptography Namespace to Hash Data In this lesson, students will learn how to hash data by using the System.Security.Cryptography namespace. Hashing Data After explaining how to hash data by using the System.Security.Cryptography namespace, talk about how to compare two hashed values. Show the code at the end of the topic that loops through the hashed values and compares each element. Instructor-Led Practice: After students have run the NEThashData.aspx page, show the source code of Hashing Data the Web page: 1. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the NEThashData.aspx file. The page has a text box on a form that can be used for entering the data to be hashed, and a second text box on the same form that can be used to enter a second string for comparison. 2. In the code-behind page, view the cmdHash_Click event procedure. The cmdHash_Click event procedure uses the SHA1Managed hash algorithm to hash data in the txtClear text box on the form, and then displays the hash of the data in a second text box. 3. In the code-behind page, view the cmdCompare_Click event procedure. The cmdCompare_Click event procedure uses the SHA1Managed hash algorithm to hash data in the txtCompare text box on the form, and then compares the two hash values to determine whether they are equivalent. Lab 9: Hashing Data To start the lab, the instructor must update the TailspinToys Microsoft SQL Server™ database to change the data type of the Password field in the Users table to be binary. Part of the database update process is to remove and then re-create the Users table. Students must use a new page in the TailspinToysAdmin Web application, CreateAccount, to create new reseller accounts in the Users table. In the first exercise of the lab, students must add the CreateAccount page to the TailspinToysAdmin Web application and update the other files in the Web applications that interact with the Users table. At the end of the lab, use SQL Server Enterprise Manager to show how passwords are now stored in the Users table in a binary format.
  9. Module 9: Encrypting, Hashing, and Signing Data ix Lesson: Using the System.Security.Cryptography Namespace to Encrypt and Sign Data Note The last lesson in this module is very complex and may be too advanced for some students. You can skip the rest of the module if you are running short on time. Overview of Symmetric It is important to note that the new key and initialization vector (IV) that are Encryption generated by the Microsoft .NET Framework should be generated for every session, and the key and IV should not be stored for use in a later session. Discuss the algorithms that are supported by the symmetric encryption classes. You might return to the topic “Choosing a Cryptographic Algorithm,” which appeared earlier in this module, and discuss the differences between the algorithms. Performing Symmetric If students are unfamiliar with streams, you should begin with an explanation of Encryption streams. Then, you can use the illustration on the slide to explain how the stream-based objects work together to encrypt data. The Stream class is the abstract base class of all streams. A stream is an abstraction of a sequence of bytes, such as a file, an input/output device, an interprocess communication pipe, or a Transmission Control Protocol/Internet Protocol (TCP/IP) socket. The Stream class and its derived classes provide a generic view of these different types of input and output, isolating the programmer from the specific details of the operating system and the underlying devices. Streams involve three fundamental operations: ! Read from streams. Reading is the transfer of data from a stream into a data structure, such as an array of bytes. ! Write to streams. Writing is the transfer of data from a data structure into a stream. ! Seeking. Seeking is the querying and modifying of the current position within a stream. Seek capability depends on the kind of backing store (a storage medium, such as a disk or memory) that a stream has. For example, network streams have no unified concept of a current position, and therefore, they typically do not support seeking. There are four stream-based objects in the .NET Framework that can be used with encryption: BufferedStream, FileStream, MemoryStream, and NetworkStream. The examples in the lesson and demonstrations use a MemoryStream object. Performing Symmetric Use the illustration on the slide to explain how the stream-based objects work Decryption together to decrypt data.
  10. x Module 9: Encrypting, Hashing, and Signing Data Instructor-Led Practice: After students have viewed the NETSymmetricEncryption.aspx and Using Symmetric and NETAsymmetricEncrpyption.aspx Web pages, show the source code of the Asymmetric Encryption Web pages: 1. In Visual Studio .NET, in the Mod09 folder of the 2300Demos project, open the NETSymmetricEncryption.aspx file. The page has a text box on a form that can be used for entering the data to be encrypted. 2. In the code-behind page, view the cmdEncrypt_Click event procedure. The cmdEncrypt_Click event procedure converts the text in the txtClear text box into a byte array, encrypts it by using a DESCryptoServiceProvider object, and then stores the encrypted data in a Session variable. 3. In the NETSymmetricEncryption.aspx.vb code-behind page, view the cmdDecrypt_Click event procedure. The cmdDecrypt_Click event procedure decrypts the encrypted data that is stored in the Session variable by using the cmdEncrypt_Click event procedure. 4. In Visual Studio .NET, open the NETAsymmetricEncryption.aspx.vb code- behind page and view the following event procedures: • cmdCreateKey_Click • cmdEncrypt_Click • cmdDecrypt_Click Note You can run the NETAsymmetricEncryption.aspx page in the Visual Studio .NET debugger to show the flow of the code.
  11. Module 9: Encrypting, Hashing, and Signing Data xi Performing Asymmetric The scenario of asymmetric encryption that is used in this topic and in the Encryption asymmetric encryption demonstration page is to encrypt a symmetric encryption key. Make sure this scenario is clear to the students. In most cases, you will not need to use the CspParameters object. Every new RSACryptoServiceProvider and DSACryptoServiceProvider class will create a new temporary key container that will be deleted when the process exits. You will want to use CspParameters in the following cases: ! You need to persist the key; in this case, specify either the KeyContainerName property or set the Flags property to UseDefaultKeyContainer. ! You are running as a service, or as a user without a profile (as in the case of ASP.NET Web applications); in this case, you will want to set the Flags property to UseMachineKeyStore. In ASP.NET Web applications, you cannot use keys from the local user store because the ASPNET user account does not have rights to read from that store. To use the local computer store, you must have a user account that the code is running under to read keys for that user and configure the Web application to use impersonation (which was discussed in Module 4, “Internet Information Services Authentication,” in Course 2300, Developing Secure Web Applications). ! You would like to use a non-default CSP, such as Gemplus smartcard CSP; as such, you can specify the full provider name in the ProviderName. Signing Data Review how digital signing works, as introduced in Module 8, “Protecting Communication Privacy and Data Integrity,” in Course 2300, Developing Secure Web Applications. Verifying a Signature Before a digital signature can be verified, you must have the public key of the user who signed the data, the digital signature, the data that was signed, and the hash algorithm that was used by the signer. Instructor-Led Practice: After students have run the NETSigning.aspx Web page, show the source code Signing Data of the Web page. The cmdSign_Click event procedure uses the RSACryptoServiceProvider object to create a key pair and store it in a key container named SignKeyContainer. The digital signature is stored in a Session variable so that it can be verified by the cmdVerifyHashSig_Click event procedure.
  12. xii Module 9: Encrypting, Hashing, and Signing Data Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. Lab Setup To complete this lab, the TailspinToys database, on the Glasgow computer, must be updated to change the data type of the Password field in the Users table to be binary. In Exercise 1, students will update the files in the TailspinToys and TailspinToysAdmin Web applications that interact with the Users table in the TailspinToys database. ! Configure SQL Server on Glasgow • If you did not perform the “Adding Roles and Logins to SQL Server” demonstration in Module 7, “Securing Microsoft SQL Server,” in Course 2300, Developing Secure Web Applications, you must do it now. ! Update the TailspinToys database (Glasgow computer only) On the Glasgow computer, run an SQL script to change the data type of the Password field in the Users table to be binary: 1. On the Start menu, click Programs, click Microsoft SQL Server, and then click Query Analyzer. 2. In the Connect to SQL Server dialog box, type (local) in the SQL Server box, click Start SQL Server if it is stopped, click Windows Authentication, and then click OK. 3. On File menu, click Open. 4. In the Open Query File dialog box, in the File name box, type C:\Program Files\Msdntrain\2300\Labfiles\Lab09\database\ update2300DB.sql and then click Open. 5. On the Query menu, click Execute. 6. Close SQL Query Analyzer. To complete this lab, students can continue working in the Tailspin Toys Visual Studio .NET projects that they used in previous labs, or they can start with new files. To start with new files, students must complete the following steps. ! Create the Web applications for the ASP exercises 1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\ Lab09\ASP\Starter\TailspinToys to the TailspinToys Internet Information Services (IIS) virtual directory at C:\Inetpub\wwwroot\TailspinToys. 2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\ Lab09\ASP\Starter\TailspinToysAdmin to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.
  13. Module 9: Encrypting, Hashing, and Signing Data xiii ! Create the Web applications for the ASP.NET exercises 1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\ Lab09\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET. 2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\ Lab09\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\ TailspinToysAdmin.NET. 3. Edit the file c:\Inetpub\wwwroot\TailspinToysAdmin.NET\Web.config and change the tag to be , where machineName is the name of your computer. ! Configure IIS authentication 1. Run the IIS administrative tool. 2. Expand the computer node and the Default Web Site node in the tree. 3. Right-click the TailspinToysAdmin virtual directory, and then click Properties. 4. Click Directory Security. 5. In the Anonymous access and authentication control group, click Edit. 6. Clear the Anonymous access check box. 7. Click OK twice to save your changes. 8. Right-click the TailspinToysAdmin.NET virtual directory, and then click Properties. 9. Click Directory Security. 10. In the Anonymous access and authentication control group, click Edit. 11. Clear the Anonymous access check box. 12. Click OK twice to save your changes. Lab Results Performing the labs in this module introduces the following configuration changes: 1. The CreateAccount.asp and UsersDB.inc pages are added to the private folder of the TailspinToysAdmin Web application. 2. A new version of the UsersDB.inc page is added to the TailspinToys Web application. 3. The CreateAccount.aspx page is added to the private folder of the TailspinToysAdmin.NET Web application. 4. New versions of the Tailspin_ReadDBUtils and Tailspin_WriteDBUtils class libraries are placed in the C:\Documents and Settings\2300Student\ My Documents\Visual Studio Projects\2300Labs.NET folder.
  14. Module 9: Encrypting, Hashing, and Signing Data 1 Overview ! Encryption and Digital Signing Libraries ! Using CAPICOM ! Using the System.Security.Cryptography Namespace to Hash Data ! Using the System.Security.Cryptography Namespace to Encrypt and Sign Data *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction You can strengthen the security of your Web applications by incorporating the programmatic use of cryptography. Depending on your programming platform, you will use one of several cryptographic libraries to add encryption, hashing, and digital signing functionality to your Web application. Note Cryptography is a vast subject, and not all aspects of cryptography are covered in this module. For example, this module does not cover Microsoft® Authenticode®, which allows developers to include information about themselves and their code with their programs through the use of digital signatures. For more information about cryptography, search for “Cryptography” in the Platform software development kit (SDK). Objectives After completing this module, you will be able to: ! Choose the most appropriate cryptographic library for a given programming platform. ! Use CAPICOM to encrypt, decrypt, hash, and sign data in an Active Server Pages (ASP) application. ! Use the System.Security.Cryptography namespace to hash data in a Microsoft ASP.NET Web application. ! Use the System.Security.Cryptography namespace to encrypt and decrypt data by using both symmetric and asymmetric encryption, and sign data in an ASP.NET Web application. Note The code samples in this module are provided in both Microsoft Visual Basic® .NET and C#.
  15. 2 Module 9: Encrypting, Hashing, and Signing Data Lesson: Encryption and Digital Signing Libraries ! Choosing a Cryptography API ! Windows 2000 Cryptographic Service Providers ! Choosing a Cryptographic Algorithm *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction There are a number of cryptographic libraries that you can use to add cryptography to a Web application. The cryptographic library that you choose to use in your Web applications will depend on your programming background and the platform that you are developing your Web application on. Lesson objectives After completing this lesson, you will be able to: ! Select a method of encryption and data verification, including CryptoAPI, CAPICOM, and the System.Security.Cryptography namespace. ! Describe the Cryptographic Service Providers (CSPs) that are provided by Microsoft Windows® 2000. ! Select a hashing and encryption algorithm from a set of industry-standard algorithms.
  16. Module 9: Encrypting, Hashing, and Signing Data 3 Choosing a Cryptography API System.Security.Cryptography CAPICOM Namespace CryptoAPI Cryptographic Service Providers ! Download CAPICOM from http://www.microsoft.com ! Register the CAPICOM DLL with regsvr32 *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction A CSP contains implementations of cryptographic standards and algorithms. At least one CSP is required with each Web application that uses cryptographic functions. A single application can occasionally use more than one CSP. Each CSP provides a different implementation of the cryptographic support that is provided to CryptoAPI. Some CSPs provide stronger cryptographic algorithms, whereas others contain hardware components, such as smart cards. CryptoAPI, CAPICOM, and the System.Security.Cryptography namespace are the application programming interfaces (APIs) that you use to interact with a CSP. CAPICOM and the System.Security.Cryptography namespace share some, but not all, of the same cryptographic features. You should use the API that best meets the needs of your Web application. Cryptographic Service A CSP implements cryptographic standards and algorithms through a dynamic- Providers link library (DLL) that implements the functions in CryptoSPI (a system programming interface). Most CSPs implement of all of their own functions; however, some CSPs implement their functions mainly in a Windows-based service program that is managed by the Windows service control manager. Others CSPs implement functions in hardware, such as a smart card or secure coprocessor. If a CSP does not implement its own functions, the DLL acts as a pass-through layer, thereby facilitating the communication between the operating system and the actual CSP implementation. CryptoAPI CryptoAPI is an unmanaged API that provides services that you can use to add cryptography to Windows-based applications. CryptoAPI includes the functionality that can be used for encrypting and decrypting data, hashing data, creating digital signatures, and interacting with digital certificates.
  17. 4 Module 9: Encrypting, Hashing, and Signing Data CAPICOM CAPICOM is a Component Object Model (COM) component that is built on CryptoAPI and provides cryptographic services, such as encrypting and decrypting data, hashing data, and interacting with digital certificates. CAPICOM requires one of the following system configurations: ! Microsoft Windows 98 or later, with Microsoft Internet Explorer version 5 or later ! Microsoft Windows NT® version 4.0 with Service Pack 4 or later CAPICOM is available as a redistributable file that can be downloaded from http://www.microsoft.com/downloads/release.asp?ReleaseID=39546. Before you can use CAPICOM, you must register the Capicom.dll, as shown in the following example: regsvr32 CAPICOM.dll System.Security.Crypto The Microsoft .NET Framework provides a managed wrapper for CryptoAPI graphy namespace called the System.Security.Cryptography namespace that you can use if you are building a Web application that will run on Microsoft .NET. The System.Security.Cryptography namespace provides cryptographic services, including secure encryption and decryption of data, hashing of data, random number generation, and message authentication. The classes in the .System.Security.Cryptography namespace manage many details of cryptography for you. Some classes are wrappers for the unmanaged CryptoAPI, whereas other classes are purely managed implementations.
  18. Module 9: Encrypting, Hashing, and Signing Data 5 Windows 2000 Cryptographic Service Providers ! Microsoft Base Cryptographic Provider ! Microsoft Strong Cryptographic Provider ! Microsoft Enhanced Cryptographic Provider ! Microsoft DSS Cryptographic Provider ! Microsoft Base DSS and Diffie-Hellman Cryptographic Provider ! Microsoft Base DSS and Diffie-Hellman/Schannel Cryptographic Provider ! Microsoft RSA/Schannel Cryptographic Provider ! Schlumberger CSP and GEMPlus CSP *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction CryptoAPI implements cryptographic operations by calling CSPs. When you perform a cryptographic operation programmatically, you use a specific CSP. CSPs provided by Windows 2000 supplies the CSPs that are described in the following table. Windows 2000 CSP Description Microsoft Base Supports data encryption and digital signatures by using Cryptographic Provider the following algorithms: Rivest-Shamir-Adleman (RSA), RC2, RC4, Message Digest Algorithm 5 (MD5), and Secure Hash Algorithm (SHA-1). Microsoft Strong Supports all of the algorithms that are in the Microsoft Cryptographic Provider Enhanced Cryptographic Provider; however, the key lengths are the same as in the Microsoft Base Cryptographic Provider. This CSP supports the RSA, Data Encryption Standard (DES), Triple-DES, RC2, RC4, MD5, and SHA-1 algorithms. Microsoft Enhanced Supports stronger security through longer keys and Cryptographic Provider additional algorithms than the Microsoft Base Cryptographic Provider. This CSP supports the RSA, DES, Triple-DES, RC2, RC4, MD5, and SHA-1 algorithms. Microsoft DSS Supports hashing, data signing, and signature Cryptographic Provider verification by using the SHA-1 and Digital Signature Standard (DSS) algorithms. Microsoft Base DSS and A superset of the Microsoft DSS Cryptographic Diffie-Hellman Provider that also supports Diffie-Hellman key Cryptographic Provider exchange, hashing, data signing, and signature verification by using the SHA-1 and DSS algorithms.
  19. 6 Module 9: Encrypting, Hashing, and Signing Data (continued) CSP Description Microsoft Base DSS and The same as the Microsoft Base DSS and Diffie- Diffie-Hellman/Schannel Hellman Cryptographic Provider, but it is used for SSL3 Cryptographic Provider and TLS1 protocols when the application uses Diffie- Hellman key exchange. Microsoft RSA/Schannel Similar to the Microsoft Base DSS and Diffie- Cryptographic Provider Hellman/Schannel Cryptographic Provider in that it works with SSL3 and TLS1, but it uses the RSA suite of algorithms rather than Diffie-Hellman. Schlumberger CSP and Used with smart cards. Gemplus CSP Note For more information about public key algorithms, symmetric encryption algorithms, and hash algorithms, see the Microsoft MSDN® article “Supported Algorithms.”
Đồng bộ tài khoản