8/14/2019 Cryptographic Algorithms Guidance for Developers
!" #$%
! "#$" %! %! &! '(##)*#*') +%! #,**#'$"#)*#*') -
&$ ' &&()$ &" &*+, &-$ .& %&./0 %
&! ''" &! . &! &!% # +! )//#"#)*#*') &+! . &
*12345126 **23526 **&3526 -* -**23# -*-(7 -*( -
+! -*!15!16 *8!15&!16 *&"1516 */
+!% # 01! )//#"#)*#*') 21! . 2
-(19 -0:
1! 1!% ! 1!& *"/ 1!+ 3. &1!1 # &-! 4$"5$" 10! 6"6,"#*') 0
!" #&$%
! "#$"
!
$ $ " ;$3
4$$"$018"$ $ "' " $ ' 9$
,$;$'""""'$
:!" #$%
!
*5" # ( ?$ 8 $;$?
B$"'$
$
(
$ $ 8 3 $
:!" #*$%
! '(##)*#*')
!" 56$"8$;CD;3'$$
4E ,
,$
?
$$;"
#"
?
8$?"='";""
8""$'
4E
,! ,!
08
8
?
4$ ?
?
#"
"
:!" #-$%
$"$9$E$$;'3""5-6
?$'3$$'3;'9$8
'35*6;;8'9$$$;'$56
:!" #$%
%! #,**#'$"#)*#*')
8'$'"$ ) ' $ $=;
& !" ' ? 3 " ' $ " $ $$"4$;$"$'
& *.
? "' E $E; '$"3"
3' ; $' $ '
$$"'$$"15*&68F$';$1
&& 5,
!3$(";3"
8$$$$'$3
8$$
8$357$36
8"$
23$3$$;''"'3
&
B$$;?$;$9E3
'5GHG'30'3'+'8";$$6
;$$39&* 3$(
8 $ ' +' $ 9
0$)'"$8"$$??$"5??6?'3"''08$
13'('3"(!$3"$
:3$8"//5//6
:!" #.$%
0$"?#'"
:!" #%$%
K04LKLK4==NO4==;4NPP;#(83N***;NO
:!" #$%
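/// <summary>
/// Produces a cryptographically strong random value of the requested size,
/// for example for use as key or initialisation vector material.
/// </summary>
/// <param name="keyLength">
/// Size of the value in bits. Must be a positive multiple of 8
/// (128 bits yields a 16 byte array).
/// </param>
/// <returns>A new array holding keyLength / 8 random bytes.</returns>
/// <exception cref="ArgumentOutOfRangeException">
/// keyLength is zero, negative, or not a whole number of bytes.
/// </exception>
private byte[] GetRandomNumber(int keyLength)
{
    //integer division would silently round down, so a request for
    //129 bits would quietly be served with only 128 bits of key
    //material, and a request for 0 bits with an empty key
    if (keyLength <= 0 || keyLength % 8 != 0)
    {
        throw new ArgumentOutOfRangeException(
            "keyLength",
            "The key length must be a positive multiple of 8 bits.");
    }

    //create a byte array for the random number - 128 bits
    //divided by 8 is 16
    byte[] bt = new byte[keyLength / 8];

    //use the default cryptographic random number generator and
    //release it once the array has been filled
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        //fill the byte array with the random number
        rng.GetBytes(bt);
    }

    return bt;
}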
:!" #$%
&! ''"
&! .
?$";''Q""'Q
8$B''"$'Q?'":"3"$$$"
="$$;'$'B';"$
=E'5$6C$D$9
?$;$'$$=;;9'
B$';$$$97;''$$;$$9$$;$"$9'"83'='";E$'$9"8;";
=$E$:';$$$'8;$$9$'8$'9'
CD$$';
CD$3I9$'+=3#5=#6;"8"$$CD";$$8$
&!
8$$5=:4!*6$$;$'
83$973
8$3
8$'93
8'C$$D7$;"$$$$2$;$$018$-;'$$$@?$$$;"8
84!*=:
"$8$'B
"';9
:!" #$%
";;"3;$'$9
'$"'9"=4;'018
8'3'018
48!1
=4=
+"$(=
8=4=
('"$B$"3;;$
80,=5=6%%&;0?$850?86?$#5?#6.;"@80''$;'=:;'''3$=8'3'"
4!*$"018?'//"%%8"$35.;-$=:6;'3$
2;3'
0?8?#.:8$=:*-;=:&.=:*8":7$;$$$'E/;'";'018'"$
3""5'$96?$$;$'$9;$9"83'38$$3$
&!% #
=:4!*8'"$'018?";'
=: 4!*;3 & ='";4!*$$018;
=:$$='";$$;4!**R$$3
=4=3
43$5&-62;'$$=:'='"
= 9$ $4!*;' =:$"
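//alg would actually be configurable in practice. SHA-256 is the
//value shown because MD5 and SHA-1 no longer resist collisions;
//configure them only to interoperate with an existing system
string alg = "SHA256";
//use System.Text.Encoding to convert to a byte array. A fixed
//encoding is used because Encoding.Default follows the machine's
//code page, so the same text could hash differently elsewhere
byte[] inputText = System.Text.Encoding.UTF8.GetBytes(plainText);
//instantiate through the base class, so that the name held in alg
//decides which implementation is used
HashAlgorithm ha = HashAlgorithm.Create(alg);
//Create can return null for a name it does not recognise; stop
//here rather than fail later with a null reference
if (ha == null)
{
    throw new CryptographicException("Unknown hash algorithm: " + alg);
}
byte[] hashInput = null;
//create the hash; the using block releases the algorithm object
using (ha)
{
    hashInput = ha.ComputeHash(inputText);
}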
8 9 ' ' 3 ? ; (=
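string plainText = "Here is the message";
//a literal key is used only to keep the example short. A real key
//should be random bytes from RandomNumberGenerator, at least as
//long as the hash output, and kept out of source code
string hashKey = "Here is the key";
//alg would be configurable in practice. HMACSHA256 is shown here;
//HMACSHA1 should be configured only to interoperate with an
//existing system
string alg = "HMACSHA256";
//create the base class, so that a different
//algorithm class can be configured
KeyedHashAlgorithm kha = KeyedHashAlgorithm.Create(alg);
//Create can return null for a name it does not recognise
if (kha == null)
{
    throw new CryptographicException("Unknown keyed hash algorithm: " + alg);
}
//convert the key and plaintext to byte arrays. A fixed encoding is
//used because Encoding.Default follows the machine's code page, so
//sender and receiver could otherwise compute different values
byte[] hashKeyBytes = System.Text.Encoding.UTF8.GetBytes(hashKey);
byte[] plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
byte[] hashResultBytes = null;
//the using block releases the algorithm object and its key copy
using (kha)
{
    //set the key
    kha.Key = hashKeyBytes;
    //compute the hash
    hashResultBytes = kha.ComputeHash(plainTextBytes);
}
//a receiver checking this value against a received one should use
//a comparison whose duration does not depend on where the two
//arrays first differ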
:!" #$%
+! )//#"#)*#*')
+! .
="$;'$"Q'"; 9 $;
$"'$;,;""3'
5'3$6$$$'?3':5-$$'3$$'6
33$93
Message data block
Cipher function
Ciphertext block
Secret key
89"$;3
Ciphertext block
Cipher function
Message data block
Secret key
8$3"'018$'3
1345126
23526
3526
8 $ ; $ ' 018'3 )"
:!" #*$%
* 67/:6;
Message data block 1
Cipher function
Ciphertext block 1
Message data block 2
Cipher function
Ciphertext block 2
Message data block 3
Cipher function
Ciphertext block 3
8933
13
893
8'3$3$9'"9;3"E
8"$123$9
:!" #-$%
8'?5?6?3$7$38?E$;3536
*& (97:(6;
# 9 3 3 $ @ 3 '$3$9$ 9; $ ; 2 12' E 3$$2E$3$9$$378'"
9;-?.38-?E$.9";EJI/'98.9E;EC$D;$
8$9.
893I3;"2;'$$$E
*
989$'3;$$018$'3
** 67*
3 ' $ 3 7E$; #(>$
*- 5
:!" #$%
'$;$'
! : 3 ; ?# $ ' 3 $9"$8"$'$3
+!
8""018
!15!16
8!15&!16
/"5/6
"1516
* :;
8$;',"$%-802$5026,$!1'$"$" ? %.&; 0 $ $ %. ='"; ' "$;002'$$
!13;3$-?37$*-
* :%;
&!1;'$$3&!1$$";''3;'3;'3
?;$3;'$
8018''*-3;9-
$$$"37-.5&9*-6
? $ 3 ; '!1;&!1
&!1'$1
*& :;
1$'!1""80?$850?86,$"'%%
$'';9$3"8/@'"'I$$'$'E
0 $/@$1
4"'1'$&!1
?".;%*-3
1'$'"
"$1"'3='";
1$!1;$$$31"5"$6
:!" #.$%
?018'/@4$$$
* #
8'//"/;/;/*/-'3;/
/$!1
8018';.;*-;-;;.;..;%-;;;.3
'"37?$3;''"9
+!% #
&!1$$
13$''"$;"''8,""$!1""4;"0;"'$3B3*-3
$"!1
8$$3$;
#(>$
8 $$ 3 E B *8"1235126;
$3"3/05&.6
,@$
8"3'5*6
4$""4!0$$;$$37"$$$8 E; 3 8 #$!'#!'
=9$''$$$$
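/// <summary>
/// Encrypts a string with a configurable symmetric block cipher and
/// returns exactly the ciphertext bytes.
/// </summary>
/// <param name="key">Secret key; its length in bits is used as the key size.</param>
/// <param name="plainText">Text to encrypt. It is encoded as UTF-8, so the decrypting side must decode with the same encoding.</param>
/// <param name="IV">
/// Initialisation vector. For CBC it should be freshly generated from
/// RandomNumberGenerator for every message and sent with the ciphertext;
/// it does not need to be secret.
/// </param>
/// <param name="blockSize">Block size in bits.</param>
/// <param name="alg">Algorithm name passed to SymmetricAlgorithm.Create.</param>
/// <param name="mode">
/// Cipher mode. ECB encrypts equal plaintext blocks to equal ciphertext
/// blocks and so reveals repetition in the data.
/// </param>
/// <returns>The ciphertext, including PKCS#7 padding, with no trailing buffer bytes.</returns>
/// <exception cref="ArgumentNullException">key, plainText, IV or alg is null.</exception>
/// <exception cref="CryptographicException">alg is not a known algorithm name, or a size is invalid for it.</exception>
/// <remarks>
/// The result is encrypted but not authenticated. Where modification of
/// the ciphertext must be detected, compute a keyed hash over the IV and
/// ciphertext with a separate key and check it before decrypting.
/// </remarks>
private byte[] EncryptSymmetric(
    byte[] key,
    string plainText,
    byte[] IV,
    int blockSize,
    string alg,
    CipherMode mode)
{
    if (key == null)
    {
        throw new ArgumentNullException("key");
    }
    if (plainText == null)
    {
        throw new ArgumentNullException("plainText");
    }
    if (IV == null)
    {
        throw new ArgumentNullException("IV");
    }
    if (alg == null)
    {
        throw new ArgumentNullException("alg");
    }

    //calculate keysize based on length of array
    int keySize = key.Length * 8;
    //convert the text to a byte array; a fixed encoding is used
    //because Encoding.Default follows the machine's code page
    byte[] btPlainText =
        System.Text.Encoding.UTF8.GetBytes(plainText);
    //use a base class so that the algorithm used is configurable
    SymmetricAlgorithm sa = SymmetricAlgorithm.Create(alg);
    //Create can return null for a name it does not recognise
    if (sa == null)
    {
        throw new CryptographicException("Unknown symmetric algorithm: " + alg);
    }

    using (sa)
    {
        //set the blocksize and keysize for the symmetric
        //algorithm class
        sa.BlockSize = blockSize;
        sa.KeySize = keySize;
        //set the initialisation vector
        sa.IV = IV;
        //set the padding to PKCS#7
        sa.Padding = PaddingMode.PKCS7;
        //no parallel computation, no requirement to encrypt
        //as data is assembled, so use CBC mode
        //It may be good practice to configure this
        sa.Mode = mode;
        //set the secret key for the encryption
        sa.Key = key;

        //the ICryptoTransform interface exposes details to the
        //algorithm for handling data in blocks
        using (ICryptoTransform ict = sa.CreateEncryptor())
        //the encrypted data is written to a memory stream
        using (MemoryStream ms = new MemoryStream())
        {
            //CryptoStream transforms blocks of data
            //using the ICryptoTransform object
            using (CryptoStream cs = new CryptoStream(
                ms,
                ict,
                CryptoStreamMode.Write))
            {
                //perform the encryption; disposing the CryptoStream
                //writes the final padded block
                cs.Write(btPlainText, 0, btPlainText.Length);
            }

            //ToArray copies only the bytes written. GetBuffer would
            //return the whole internal buffer, so the ciphertext
            //would carry unused trailing bytes and fail to decrypt
            return ms.ToArray();
        }
    }
}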
?$$$
$ CD 3' $ @
:!" #$%
/$$;3;;'
$ $ 156!56; $ '
:!" #$%
1! )//#"#)*#*')
1! .
='39'$Q8$$
$ ' $$ 3 $ 8 " " $ B $ $ 3 $; 3 $ "; 3 $;$3'9
;$$;353633'$35"36
8$39:$';3"3
$ 3 $9
:!" #$%
Message text
Asymmetric encryption of
text using party A's private key
Ajsadvdvcl
Party A sends a message
Bbjbdc&&$
Message text
Bbjbdc&&$
Public Key Cert
Message, encrypted hash and Party A's public key are
enveloped together
Message sent to Party B
Public Key Cert
Message text
Bbjbdc&&$
Public Key Cert
Public key certificate
extracted and VERIFIED - this is VERY IMPORTANT
Encrypted hash extracted
Ajsadvdvcl
Bbjbdc&&$
Encrypted hash decrypted
using public key from certificate
Message text
Message text extracted
Hash created from message
text
Ajsadvdvcl
Do the two hashes match?
If yes, then the signature has
been verified
Party B has verified the digital signature
Hash created from message
text
='";'$$;#
(?$;'"$'$"38"$$#(?
1!
8$$$$;'
/;$/";8'$%
!5!6B?#%%8;"$3
8018$/!
1!% !
8018"$'$$5$;J*%6
?$01839'"$C44D39
8''39
,3,2
,23F3
,233,
I,3'"3
:!" #&$%
='";'$3
,3,2
,3
,3,2
,23,F35,23,F36
,233
, ; " 3 5' $,2;',F36
,$,F3
,33,
,3"3
8,3,,233
"/*#= ! > 7!
'$"(='";'3'$8;'': ' $ ; 3 $$8''$ ' ; ( ' '3 ' ";
";$'#?I45-6''#? 3 $ $ ; E $'5$!))#?I4'6
/I1#(19;$339$3
I1#$C3D'C3D8$$33/$98/'"$9
4$ 018 ; 9"$'33" $ $,'
+" 1 3; J*%$ @ "; J*%$ " 4$+"
8"$$;8"3$J*% $ 9 $ $ ; :$ $3
8'"$5+6''$$$$$;0189#?$+'"$"
J4)!'3
'"$
:!" #$%
$$39
$' ; "$+ ='";;9$";
1!& *"/
#?I4I4'+'#?$
? ' ' $ ; ' " E$39
=9$4!0
!
""
"
"
#
$#%
8#?I4$
:!" #*$%
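foreach (Certificate cert in certStore.Certificates)
{
    //obtain the name of the certificate
    string name =
        cert.GetInfo(CAPICOM_CERT_INFO_TYPE.CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME);
    //is this the certificate we wish to use?
    //NOTE(review): a subject simple name is not guaranteed to be
    //unique within a store. If several certificates share it, the
    //last one enumerated is used; selecting by a unique property of
    //the certificate would avoid that ambiguity
    if (name == certName)
    {
        x509cert = cert;
    }
}
//stop if no certificate matched, rather than hand the signer an
//unset certificate (assumes x509cert was initialised to null before
//the loop - confirm against the declaration)
if (x509cert == null)
{
    throw new System.InvalidOperationException(
        "No certificate with the requested subject name was found in the store.");
}
//create a signer
Signer messageSigner = new SignerClass();
//set the certificate to use
messageSigner.Certificate = x509cert;
//create a signed data class
SignedData sd = new SignedDataClass();
//text to sign
sd.Content = "This is the piece of text that requires signing";
//sign the message; false is passed for the second argument and the
//result is returned base64 encoded
string signedMessage = sd.Sign(messageSigner,
    false,
    CAPICOM_ENCODING_TYPE.CAPICOM_ENCODE_BASE64);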
8'9;9$8#(>
#(>$;'''$
= '' "$ " $ -
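//create the signeddata class
SignedDataClass sd = new SignedDataClass();
//call the verify method - signedText is the string that has to be
//verified. The flag asks for both the signature and the signing
//certificate to be checked
//NOTE(review): Verify is expected to raise an error when the check
//fails - confirm, and make sure the caller does not swallow it
sd.Verify(signedText,
    false,
    CAPICOM_SIGNED_DATA_VERIFY_FLAG.CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE);
//to check the signatures, we have to iterate through all of the
//signatures.
//Messages can be cosigned
foreach (Signer sr in sd.Signers)
{
    Signer s = sr;
    //call the IsValid.Result property to see if the signature is valid
    //(this first result is read before any CheckFlag has been set)
    MessageBox.Show(
        s.Certificate.GetInfo(
            CAPICOM_CERT_INFO_TYPE.CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME)
        + ":" + s.Certificate.IsValid().Result);
    //this is useful - CAPICOM will also check CRL status
    //If you set the CheckFlag parameter
    //it will also obtain CRL from the certificate's CRL
    //Distribution Point
    s.Certificate.IsValid().CheckFlag =
        CAPICOM_CHECK_FLAG.CAPICOM_CHECK_TRUSTED_ROOT |
        CAPICOM_CHECK_FLAG.CAPICOM_CHECK_TIME_VALIDITY |
        CAPICOM_CHECK_FLAG.CAPICOM_CHECK_SIGNATURE_VALIDITY |
        CAPICOM_CHECK_FLAG.CAPICOM_CHECK_ONLINE_REVOCATION_STATUS;
    //call the IsValid.Result property again
    //The example only displays the outcome. Code that relies on the
    //signature should reject the message when Result is false, and
    //should also confirm that the signer is the party it expects,
    //since any certificate that chains to a trusted root would
    //otherwise be accepted
    MessageBox.Show(
        s.Certificate.GetInfo(
            CAPICOM_CERT_INFO_TYPE.CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME)
        + ":" + s.Certificate.IsValid().Result.ToString());
}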
1!+ 3.
"" $ ' E$ $ ?' 3 $8$B3$E'$8
/)$?$3"$5I$#6;'
9'+'$5$$#?6
8E$'$
8)3#$''"3
$'E
8$$";"3'
='";'3$$? $' $'3! $$$#$S
1!1 #
! $ $ I $ 39
+ $3 9 ;3
"/*#= " . 7> .?37@!
?3$?$'#(?;'$J*%$?$018; $ '$
:!" #$%
43/I1#(19$39$018
8;;'$''#?I4'$='";''$#(>"$$?$$E5J4)!?6;
$#?$9$$$;018$$
89"$018$'3'9$' $ 8 ' $"
I$'";"''33'?'$$';$3" $ $ $ 8 3 ' $ $ ; ' $ $$"
:!" #.$%
-! 4$"5$"
8"$3''
"A!! #
1
#$$"4$3$$5&*6
?$ ;
0"''
$"+'4$
9596
#$
43 $ $ E $ 35&*6
43$$
$
3"5&&6
1'
3 $+' ' ?#5&*
19 3 '5-6
,$$395-&;-6
35*6
1$
,3$56
,=:$";4!*$5&6
,:
,#?I45-6
43 "$ ' $"3B$"#(?5-6
$
1&!1;'35*6
'$;;5*&6
43 3 7;; ? $ 5&-;*&6
,#?I45-6
0" #$ #(? $ ;
?$#(?$$;'$B'$$5--6
43 / $
0! 6"6,"#*')
0'3'+'8"GG;#:+
#018;G;#IF/
#GG;);4!;//;G$$#;#
H$19#I#
4=';!")2;#4$#
!4$+'0'3#4$#
4!0#$!#!'
4!0?#?I4G)
0?$850?86'