The Guide

Home

Search

Forum

Feedback

Credits

About Raj

Security Issues with MS Windows


*
Introduction
*
The Problem
*
Why is this Misleading?
*
So How is security breached?
*
Can Things get shoddier?
*
Other Resources
*
Analysis and comparsion with NSA guidlines
*
World Class Authority
*
Conclusions
*
Further links for Reference


Analysis and comparison with NSA guidelines

  • <URL: http://fmg-www.cs.ucla.edu/
    classes/239_2.spring98/papers/capi19.html
    >
    CryptoAPI was not designed for novice C programmers. Programmers< using this CAPI will need substantial C expertise and cryptographic programming expertise. Efforts to abstract the CryptoAPI interface into C++ or Visual Basic objects have been demonstrated; however, they do not reduce the level of cryptographic programming expertise required for a good implementation. CSP developers will also need expert programmers familiar with the process and security models of Microsoft's operating systems.

Report on US Electronic (IRS) Tax Filing System ("ir-File")

"Where do your Encryption Keys want to go today?"

  • <URL: http://www.cs.auckland.ac.nz/~pgut001/pubs/ird.html>
    Another way to repudiate a fraudulent return is to claim that the security mechanisms used are insecure, and that because they can be broken, someone could have done this and filed the fraudulent return (explaining why anyone would bother to do this isn't necessary, all you're interested in is casting doubt on the evidence). Thanks to the reliance of ir-File on ActiveX and Microsoft's CryptoAPI, this is fairly easy to do. Microsoft's CryptoAPI, (which) has a number of known security flaws. The worst one of these is a function called CryptExportKey(), which hands out your private key (that is, your signature-generating token) to anyone who asks for it. Although Microsoft finally fixed this in Internet Explorer (MSIE) 5, the flaw is present in both versions of MSIE which are recommended in the ir-File documentation (3.02 and 4.0).

"Where do your Encryption Keys want to go today?"

WindowsCE aspects

<URL: http://www.microsoft.com/WindowsCE/EMBEDDED/RESOURCES/CRYPTO.ASP>
With its support for many different communications interfaces, the Microsoft® Windows CE operating system enables a wide variety of mobile information appliances.  These programming interfaces can also provide secure communications to ensure the integrity and privacy of sensitive data. From data-link authentication using PAP, CHAP, and Microsoft CHAP, through the Microsoft CryptoAPI, SSPI, Winsock, and the WinInet API functions, the wide variety of support for communications security means that existing and new applications can take advantage of standard methods for authenticating users and encrypting data.
Note that there have been new vulnerabilities found in Windows CE password handling:
http://www.tbtf.com/blog/1999-11-14.html#3
http://www.cegadgets.com/artsusageP.htm
http://www.counterpane.com/crypto-gram-9911.html

World Class Authority [Next]



Copyright 1999 Dr. Raj Mehta. All rights reserved.