Security Issues with MS Windows
WHAT CSP IS, AND WHAT IS SIGNED AND HOW IT IS SIGNED
LIST OF PRODUCTS DEPENDING HEAVILY ON AUTHENTICODE
Whitepaper on Authenticode
(download in 1995 DOC format, zipped)
- <URL: http://msdn.microsoft.com/workshop/security/authcode/signfaq.asp>
Is Authenticode technology really secure?
While not guaranteeing bug-free code, Authenticode technology
is designed to identify the publisher of code and to assure
that software has not been tampered with before, or during
the download process.
The security methods used to support this proposal rely on
tested and proven technology. Authenticode is based upon
specifications that have been used in the industry for some
time, including PKCS#7 (encrypted key specification), PKCS#10
(certificate request formats), X.509 (certificate
specification) and SHA and MD5 hash algorithms.
Authenticode with Internet Browsing
Some ways that SUBTLE changes could be handled by a replacement:
Authenticode is the recommended way to secure against viruses
- <URL: http://msdn.microsoft.com/library/backgrnd/html/msdn_misf.htm>
As illustrated in the architecture below, CryptoAPI is the
foundation for MISF. Higher-level protocols and services
are built upon the base-level cryptographic and certificate
management functionality provided by CryptoAPI and its associated
Cryptographic Service Providers (CSPs). Applications can then
add security functionality by building on top of MISF. This
section takes a more in-depth look at the technologies that
are included in MISF, and provides links to detailed
information. Appendix A summarizes MISF technologies and
their availability. See Appendix A for a list of vital system security
functionalities that are built on MISF.
Components of CryptoAPI tools
A note that modification of the REGISTRY can also weaken CryptoAPI
CSP use of Public/Private key pairs
WinTrust use of CryptoAPI
- <URL: http://msdn.microsoft.com/library/psdk/winbase/portalwin_59np.htm>
WinTrust includes a function and structures used by that
function to verify trust in files, catalogs, memory blobs,
signatures, or certificates. In the case of verifying certificates,
WinTrust calls the CryptoAPI trust chain building functions,
CertGetCertificateChain and CertVerifyCertificateChainPolicy.
An application can use those functions directly, and their direct
use is recommended.
Where does CryptoAPI sit (logically) - diagram(s)
So, from the Microsoft description, it appears that
a replaced or used "_NSAKEY" can even compromise
hardware based security such as smart-cards, and other external devices.
- <URL: http://msdn.microsoft.com/workshop/security/client/certsvr.asp>
Certificate Server leverages the reliability and scalability
features of Microsoft Windows NT Server. It can be deployed on
multiple servers in large organizations that need the flexibility
of more than one certificate authority. Certificate Server is a
multithreaded service on Windows NT and takes full advantage of
Windows NT's multiprocessor capabilities. Certificate Server:
- Runs as a Windows NT service and is tightly integrated
with the operating system.
- Offers high performance, multithreaded certificate processing.
- Uses CryptoAPI 2.0, which provides the flexibility to choose
the level of encryption and device (hardware device or in
- <URL: http://www.microsoft.com/TechNet/cdonline/iissecur.htm>
Internet Information Server was designed to provide corporate
developers with a powerful platform for designing Web-based
applications. In addition to the Internet Server API (ISAPI)
and Active Server Pages for scripting of the Web server, IIS
makes the following secure technologies available to developers:
CryptoAPI provides a rich set of high-level APIs that make it
easier for the developer to sign, seal, encrypt, and decrypt
data. Developers will easily be able to integrate identity and
authentication into their applications, thereby securing private
communications and data transfers over intranets and the Internet.
Examples of certificate services are functions for generating
requests to create certificates, functions for storing and
retrieving certificates, and functions for parsing certificates.
- Issuing digital certificates with Microsoft Certificate Server
- CryptoAPI for cryptography
- Using SSL certificates with Active Server Pages
3rd party "Cognos Datamerchant"
- <URL: http://www.cognos.com/datamerchant/tech_wp.html>
DataMerchant uses data encryption to protect data during transfer
to a consumer's computer. DataMerchant does not provide its own
cryptographic security technology; rather it leverages the security
of the platform. The encryption system supported for access by
wholesale consumers via an ODBC-compliant application is Microsoft's
CryptoAPI. For retail consumers using Web browsers,
DataMerchant supports Netscape's SSL (Secure Sockets Layer).
CryptoAPI is an operating system API from Microsoft for Windows 95
and NT. It provides data encryption. DataMerchant uses CryptoAPI
to secure private communications and data transfers over intranets,
extranets, and the Internet.
The payment information and transfers of funds are protected by CryptoAPI,
SSL, or the security features of the selected third-party online
3rd party "BackupNet"
3rd party "E-Lock ATS"
- <URL: http://www.e-lock.com/PRODUCTS/ATS/key_features.htm>
Support for Microsoft CryptoAPI allows the e-Lock ATS 2.1 to
share keys with any other applications that use CryptoAPI.
It also allows the e-Lock ATS 2.1 access to the growing number
of Cryptographic Service Providers (CSP) that are available for
3rd party "VALTECH"
SETI reported to rely on CryptoAPI
Mailing list archives
RSA/Microsoft joint press release (1996)
- <URL: http://www.microsoft.com/mscorp/presspass/press/1996/aug96/Rsapr.htm>
The agreement between Microsoft and RSA builds on the companies'
existing Internet security relationship. Microsoft currently ships
RSA encryption technology as the packaged cryptographic engine for
its CryptoAPI, which provides the foundation for the other components
of the Microsoft Internet Security Framework.
Microsoft's CryptoAPI 1.0, the foundation for the Microsoft Internet
Security Framework, provides extensible, exportable, system-level
access to common cryptographic functions such as encryption,
hashing and digital signatures. Now available in the Windows NT
operating system version 4.0 and shipped as part of Microsoft
Internet Explorer 3.0, CryptoAPI is currently scheduled to be
delivered to OEMs as part of the Windows 95 OEM Service Release
in the third quarter of 1996. ...
Analysis and comparison with NSA guidelines
© 1999 Dr. Raj Mehta. All rights reserved.