Recently I have been busy trying to get Oracle certified. So I have not had a lot of time to devote to my Black Hat duties. In addition, I am entering a programming contest this week. There goes another chunk of my time. However I thought I would share some insight into the Crypto API that I have learned by studying the documentation from Microsoft.
Authentication in the Crypto API uses a digital certificate. Certificates are encoded and decoded using a standard called Abstract Syntax Notation One (ASN.1). A certificate contains information about an entity and its public key, and it is issued by a certificate authority.
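To make the ASN.1 point concrete, here is a small DER decoder I am adding as an illustration; it is not code from the post or from Microsoft's Crypto API. DER is the binary ASN.1 encoding certificates use: every element is a tag byte, a length, and a value, and a SEQUENCE nests further elements. The sample bytes below are constructed for the example (two INTEGERs, the sha256WithRSAEncryption OID, and a UTF8String inside one SEQUENCE), not taken from a real certificate.

```python
"""Minimal DER (ASN.1) TLV decoder, added here to illustrate how certificate
data is laid out. Illustrative code only, not Microsoft's Crypto API; real
certificate parsing belongs in a vetted library."""
from typing import Any, List, Tuple

TAG_NAMES = {0x02: "INTEGER", 0x06: "OBJECT IDENTIFIER",
             0x0C: "UTF8String", 0x30: "SEQUENCE"}

# Constructed sample: SEQUENCE { INTEGER 2, INTEGER 258,
#   OID 1.2.840.113549.1.1.11, UTF8String "example" }
SAMPLE_DER = bytes.fromhex(
    "301b" "020102" "02020102" "06092a864886f70d01010b" "0c076578616d706c65")


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: length fits in 7 bits
        return first, pos
    num_bytes = first & 0x7F              # long form: next num_bytes hold it
    if num_bytes == 0 or num_bytes > 4:
        raise ValueError("unsupported DER length encoding")
    length = int.from_bytes(data[pos:pos + num_bytes], "big")
    return length, pos + num_bytes


def _decode_oid(content: bytes) -> str:
    """Decode base-128 OID arcs; the first byte packs the first two arcs."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_der(data: bytes) -> List[dict]:
    """Parse consecutive DER elements into {tag, type, value} dicts.
    SEQUENCE contents are parsed recursively; truncation raises ValueError."""
    elements = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        length, pos = _read_length(data, pos + 1)
        content = data[pos:pos + length]
        if len(content) != length:
            raise ValueError("truncated DER element")
        pos += length
        value: Any
        if tag == 0x30:
            value = parse_der(content)
        elif tag == 0x02:
            value = int.from_bytes(content, "big", signed=True)
        elif tag == 0x06:
            value = _decode_oid(content)
        elif tag == 0x0C:
            value = content.decode("utf-8")
        else:
            value = content               # unknown tag: keep raw bytes
        elements.append({"tag": tag,
                         "type": TAG_NAMES.get(tag, f"tag 0x{tag:02x}"),
                         "value": value})
    return elements


def is_well_formed(data: bytes) -> bool:
    """True if every element's declared length is satisfied by the input."""
    try:
        parse_der(data)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for element in parse_der(SAMPLE_DER)[0]["value"]:
        print(element["type"], element["value"])
```

The length check matters in practice: a certificate whose declared lengths run past the buffer is malformed, and a parser that trusts the length field without checking it is the classic source of ASN.1 decoder bugs.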
The Crypto API makes use of Cryptographic Service Providers (CSPs). These are lower-level routines that the Crypto API calls to do the dirty work of encryption and decryption; the Crypto API is a uniform layer above the CSPs. Each CSP ships as a dynamic link library (DLL) together with a signature file.
Microsoft itself ships the Microsoft Base Cryptographic Provider with the Crypto API. It uses 40-bit session keys and 512-bit public keys. Now that I have used the term "session keys" to characterize the Microsoft CSP, I had better define it. Session keys are also called symmetric keys. The key changes for each message that gets encrypted. However, the same key is used to encrypt and later decrypt the message.
Symmetric keys are used with symmetric encryption algorithms. Such algorithms include RC2, RC4, and DES. I will go over these algorithms in more detail in some future blog posts. The symmetric key is kept internally by the CSP. There are other types of keys, which I will also go into at a later time.
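The two paragraphs above describe the session-key flow (a fresh symmetric key per message, the same key for encrypt and decrypt) and name RC4 as one of the algorithms. As an added illustration that is not the post's or Microsoft's code, the following models that flow in plain Python with RC4 implemented inline, so it runs without Windows or a CSP. It also shows why the key has to change per message: RC4 is a stream cipher, and if one key is reused the XOR of two ciphertexts equals the XOR of the two plaintexts. The 40-bit key size is used only because the post quotes it for the Base Provider; the messages and fixed keys are constructed for the example.

```python
"""Model of the Crypto API session-key flow described in the post, added as
an illustration. Not the Microsoft CSP; RC4 is implemented inline so the
example is self-contained. 40-bit keys mirror the post's figure for the Base
Provider and are far too short for real use."""
import secrets


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling then XOR the data with the generated keystream.
    Encryption and decryption are the same operation (symmetric)."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def new_session_key(bits: int = 40) -> bytes:
    """A fresh random symmetric key; the CSP does this for each message."""
    return secrets.token_bytes(bits // 8)


def encrypt_message(plaintext: bytes, key: bytes) -> bytes:
    return rc4(key, plaintext)


def decrypt_message(ciphertext: bytes, key: bytes) -> bytes:
    return rc4(key, ciphertext)                   # same key, same operation


def exchange(messages):
    """Encrypt each message under its own session key and check the round trip.
    Returns a list of (key, ciphertext, round_trip_ok)."""
    results = []
    for message in messages:
        key = new_session_key()
        ciphertext = encrypt_message(message, key)
        ok = decrypt_message(ciphertext, key) == message
        results.append((key, ciphertext, ok))
    return results


def keystream_reuse_leaks(key: bytes, m1: bytes, m2: bytes) -> bool:
    """True if encrypting two messages under the same key leaks m1 XOR m2,
    which is why a session key must not be reused across messages."""
    c1, c2 = rc4(key, m1), rc4(key, m2)
    n = min(len(m1), len(m2))
    ct_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    pt_xor = bytes(a ^ b for a, b in zip(m1[:n], m2[:n]))
    return ct_xor == pt_xor


if __name__ == "__main__":
    # Constructed sample messages.
    for key, ct, ok in exchange([b"first message", b"second message"]):
        print(key.hex(), ct.hex(), ok)
    print("reuse leaks plaintext xor:",
          keystream_reuse_leaks(b"\x01\x02\x03\x04\x05", b"attack at", b"defend at"))
```

The `exchange` function is the shape of CryptGenKey followed by CryptEncrypt and CryptDecrypt: the key lives for one message. The `keystream_reuse_leaks` check is the defender's reason for that rule, since a reused stream-cipher key turns two ciphertexts into a plaintext relationship an observer can exploit.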