|
Security Terms For Wireless and Fixed Networks and the .NET 2.0 Framework Cryptography APIs Part I : Terms, Technologies and Use Part II: Brief Overview of the System.Security.Cryptography Namespace |
Security Terms For Wireless and Fixed Networks
and the .NET 2.0 Framework Cryptography
APIs
Part I : Terms, Technologies and Use
Part II: Brief Overview of the
System.Security.Cryptography Namespace
Part I Terms, Technologies and Use
Block Cipher
A symmetric key
cipher operates on fixed-length groups of bits in blocks. For example a file
may be processed into a sequence of blocks of 128 bits of length. So the
encryption is performed on an entire sixteen byte quantity all at once. Due to
the bit packing/shifting operations block ciphers are slower than stream
ciphers.
Stream Cipher
A symmetric key
cipher encrypts operates on single digits one at a time, or a byte at time.
Stream ciphers are faster than block ciphers.
DES Encryption (1976)
Adopted by the NIST (National Institute of Technologies and
Standards) in 1976. DES stands for data encryption standard. It
encrypts/decrypts in 64 bit blocks. Each 8 bit word uses one bit as a parity
bit so the total length or “strength” is only 56 bits. DES is a special type of block
cipher called a product cipher. It applies an algorithm 16 times on an
input string to produce cipher text of the same length.
A key can typically be broken or “cracked” within 24 hours.
Triple DES Encryption (1977)
Shortly after the DES emerged, TDES was adopted. Triple DES
applies 3 different keys making a total of three DES passes. Due to this triple
encoding/decoding process the processing time is higher with TDES but also more
secure. Again one bit is used as a parity bit so the effective total length or
“strength” is 168 bits. Typically but not always the middle step applies
decryption instead of encryption. TDES
is also known as
TDEA
(Triple Data Encryption Algorithm). Triple DES is not exportable. It is being
superseded by the next best thing AES.
AES or RjinDael (1997)
Six times faster than TDES, AES stands for advanced encryption
standard. AES is a block cipher and
is also known as the RijnDael algorithm.
It was created by two Belgians aptly named and Vincent Rijmen and Joan
Daemen. AES uses four step process
and key lengths may be in the length of 128, 192 or 256.
Triple DES is not exportable. AES is considered “uncrackable” . It is
considered stronger than DES, TDES, RC4 or TKIP.
RC2 (1987)
Developed by the folks at RSA Security, RC2 is a 64 bit
block cipher with a variable key size. It is exportable with the 40 bit
key implementation.
RC4 (1987)
RC4 (RSA) is used in several security protocols such as
BitTorrent, CipherSabre, MPPE(Microsoft Point to Point), WEP, Secure Shell
(Optional), SSL (Optional), TKIP, TLS, WEP, and WPA. RSA a firm launched by the
following three: Ron Rivent, Adi Shamir, and Leonard Adleman. RC4 is a
stream cipher. Key lengths are 64, 128 or 256 bits. RC4 works by XORing
the key on the data stream. Note: WEP is a weak implementation of RC4, whereas
TKIP is a stronger version is still used in wireless lan security instead of
WEP. Generally though RC4 is not
considered a “safe” technology anymore.
RC5 (1994)
RC5 (RSA) is a block
cipher which has a variable key size ranging from 0 to 2040 bits. RC%
works using modular addition and applying XOR operations. It is a “strong”
encryption technology and takes hundreds to several thousand days to “crack”
with automated programs. Citrix
uses RC5 in some of its products.
MD5 (1991)
A cryptographic hash function, another RSA invention which uses a
128 bit hash value. The general recommendation is to use SHA instead.
SHA (1993)
Secure Hash Algorithm are a related set of cryptographic
hash functions which range in a variety of bit lengths. Typically the greater
the bit length the stronger the algorithm.
DSA (1993)
Digital Signature Algorithm is a standard developed for the
signing of digital signatures. It consists of a key generation, signing and
verification.
HMAC (1996)
Key-Hashed Message Authentication Code. Which uses a cryptographic
hand function along with a secret key.
Any iterative hash functions can be used so we end up with various forms of
HMAC such as HMACMD5, HMACRIPEMD160, HMACSHA1,
HMACSHA256, HMACSHA384, HMACSHA512. The strength of the cryptography depends of
the length of the key and the robustness of the hash function.
PGP (1991)
Pretty Good Privacy is an algorithm and software developed
by Phil Zimmerman which uses both a public key and symmetric key to encrypt and
decode data for secure transmissions. PGP can be used to secure confidential
email data between people on the internet. It is very strong and secure.
Zimmerman was subject to a grand jury investigation and government
investigation some folks did a
public post of his algorithm on Usenet. Since it was published on the internet
and open to the world, they could not prosecute Zimmerman. Similarly the
Federal Goverment could not sue MIT who had published the PGP algorithm in
books.
CSP
A software package providing
cryptographic functions, to be used with Microsoft’s CryptoAPI. CSP implements
encoding and decoding functions which used for strong authentication of the
user or applications such as secure email.
Initialization Vectors
IVs have lot to do with the “strength” of cryptography. For
example a weakness of WEP is that the IVs can sometimes start at a fixed value.
i.e. such as zero or one so it is easy for a hacker to deduce the a pattern of
encryption. IVs are used in both
cipher and stream ciphers. You need to understand IVs in order to use some of
the APIs. In WEP the IV is a 3 byte length value. IVs are either as long as the
block of data you are encrypting or as long as the key you are using to encrypt
data. For example encrypting a file of variable length the block size could be
64 with an IV or 64 bytes and a key of 64 bytes.
IVs may be passed along to the peer process by adding them onto the
cipher text, or they may be generated or negotiated at a startup point in the
data communications process. IVs are used in the internal key generation
process for stream ciphers. For Block cipher IVs are passed to the peer by
either concatenating them onto the cipher text or XORing them into the cipher
text.
Keys
You need to create a strong key in order to provide adequate
security. A pseudo random number generator will not provide adequate strength.
You can use the RNGCryptoServiceProvider API to generate
strong keys. Note: where IVs are
required you can use the same API to generate an IV as well if so desired.
SideBar – Cryptographic Technologies in Network and Wireless Mediums
WEP
One of the first technologies used with 802.11 for security
purposes. WEP can typically be “cracked” within anywhere from three to twenty
some hours. The greater the number of transmissions the quicker the network can
be compromised. WEP uses the RC4
algorithm. Due to the fact that there is no key management WEP can be quickly
exploited.
WPA and WPA2
Answers to the WEP problems, WPA uses RC4 but has better key
management either by generating a unique key per user or by using “pass phrase”
keys pre-assigned to each user. WPA2 takes WPA uses a MIC (message integrity
code) to prevent replay attacks which are were one of WEPs weaknesses.
WPA2 further enhances WPA by replacing MIC with CCMP and RC4 with AES.
CCMP is an 802.11i standard (counter mode with cipher block chaining
message authentication code).
Cisco Leap
Lightweight Extensible Authentication Protocol was
developed by Cisco to use WEP authentication via dynamic
WEP key and mutual authentication between devices and a Radius Server.
Radius servers are implemented in software or as network appliances. They
authenticate and authorize devices/users access onto a network.
TKIP
TKIP uses a per packet key mixing scheme along MIC and RC4 to
greatly enhance the problems in WEP. TKIP is used along as part of WSA.
SSL/TLS
Secure Socket Layer and Transport Layer Security are both methods of
securing communications on the internet such as email
TLS is a later implementation of SSL. SSL uses public key encryption,
and symmetric ciphers to secure the communications. (see PGP later on)
MSPPTP
Microsoft’s Point to Point Tunneling Protocol is a networking
technology which supports multi-protocol virtual private networks (VPN)
allowing secure network access to private networks.
Part II – The System.Security.Cryptography Namespace
Rather then painfully detail each class. We will briefly describe each one and the appropriate security technology it utilizes and what the class accomplishes. There are roughly 17 groups. The HMAC group contains six separate classes to perform unique message based authentication.
DES
Represents the base class for the Data Encryption Standard algorithm
from which all implementations must derive.
DESCryptoServiceProvider
Defines a wrapper object to access the cryptographic service
provider version of the DES algorithm.
Example using DES
|
FileStream filein = new FileStream(“input.dat”, FileMode.Open,
FileAccess.Read);
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider (); DES des =
new DesCryptoServiceProvider();
while (LengthRead < LengthToEncrypt) |
DSA class and DSACryptoServiceProvider class
Base Class and corresponding wrapper object to access the
cryptographic service provider implementation of the DSA algorithm.
SHA1 class and SHA1CryptoServiceProvider
class
SHA1 Class computes the class for SHA1 input data
SHA1CryptoServiceProvider used to access the cryptographic service provider
implementation of the SHA1 algorithm.
TripleDES and
TripleDESCryptoServiceProvider class
MD5 class and MD5CryptoServiceProvider class
RSA class and RSACryptoServiceProvider class
RC2 class and RC2CryptoServiceProvider class (weak)
RijndaelManaged class and RijndaelManagedTransform class (AES)
The above classes allow you to define and implement their
corresponding CSPs.
AssymetricAlgorithm class
Base class used to implement for example the RSA CSPs.
HashAlgorithm class
The base class from which all implementations of cryptographic
hash algorithms must derive from.
ProtectedData class and ProtectedMemory
class
Wrapper classes for unmanaged memory (protect and unprotect)
CspParameters class
Contains Parameters used when working with CSPs.
CryptoAPITransform class
Used to apply cryotpgraphic transforms on data be it DES, RSA
etc…
RandomNumberGenerator class
Abstract class to create RNG implementations for keys and IVs.
CryptoStream class
Defines a class used to link data streams to cryptographic
transforms.
CryptoConfig class
To access the cryptographic configuration information (static
values).
Hash-based Message Authentication Code
(HMAC)
HMACMD5 class
HMACRIPEMD160 class
HMACSHA1 class
HMACSHA256 class
HMACSHA384 class
HMACSHA512 class
The 256, 384 and 512 classes specify the length of bit sizes when applying the HMAC. The HMASHA1 operates at 160 bits.
There may be several reasons to use “weaker” cryptographic algorithms. You may need to receive and decrypt data from legacy programs, or perhaps just simply apply them on data which need not be secure for that long a time period. For example cookie data in a browser. Think about the geographic region of the deployment site. If you are exporting your software to certain countries make sure that the encryption technology is legally exportable to that region.
Processing speed is another reason to use slightly “weaker” cryptography. Stream ciphers are quicker then block ciphers. If speed is not an issue you can make data even more secure by applying several cryptographs for example RC2 and then DES. The receiver would apply DES and then RC2. The strongest cryptographs are the latest such as AES (Rijndael), HMACSHA and RC5. Newer ones will continually be brought to market.
This brief could be embellished with more examples but serves as a basic introduction on cryptographic technologies to approach the APIs in the .NET 2.0 Framework.
Feedback/Contact
paulzazzarino@3zwireless.com .
Copyright
2006 3zwireless Ltd, This page last updated on 07/2006