SEC230: Windows Cryptography Next Generation (CNG) for Developers

This seminar provides an introduction and orientation to “next-generation” cryptography (CNG) support in Windows Vista and Windows “Longhorn” Server, with emphasis on internal implementation and programming details. The legacy cryptographic services are also covered.

Level

Basic through intermediate

Audience

Application programmers and designers; security personnel; management responsible for security policy and implementation

Description

Windows Vista and the forthcoming Windows Longhorn Server provide a new set of cryptographic services and APIs referred to as "Cryptography Next Generation," or "CNG." The CNG APIs are far easier to use and to extend than previous Windows cryptography APIs. CNG furthermore provides several important new features, such as secure key storage, support for third-party key storage providers, and kernel mode accessibility.

This seminar presents the design and APIs of the “Cryptography Next Generation” implementation in Windows Vista and Windows Longhorn, with emphasis on how to use these facilities in application programs. The legacy cryptographic services present in these and past versions of Windows will also be discussed, as well as some other Windows Vista security technologies such as BitLocker.

This seminar will give application developers and designers all the information required to successfully configure, use, and extend the CNG interfaces. The seminar will also be of use to those responsible for creating and maintaining the security policy for an organization or for application design. Cryptographic concepts and decision points will be introduced and discussed.

The four-day (with labs) form of the seminar is structured to allow non-developers to attend the first two days, and does not require any programming knowledge for that material. 

Topics

  • Introduction to modern cryptography and cryptanalysis

  • Windows cryptography before Vista/Longhorn
     

    • Data Protection API

    • Encrypted File System (EFS)

    • CryptoAPI

  • Windows Vista security enhancements
     

    • Address Space Layout Randomization

    • Trusted Processes

    • BitLocker

  • Cryptography Next Generation (CNG) architecture overview

  • CNG API concepts and interface styles

  • Using bcrypt interfaces
     

    • Enumerating algorithms

    • Random number generator

    • Hashing functions

    • Symmetric encryption

    • Key signing

    • Secret agreement (key exchange)

    • Asymmetric encryption

  • Using ncrypt (secure key storage) interfaces
     

    • Secure key storage principles

    • Hash signing and verification algorithms

    • Secret agreement (key exchange)

    • Asymmetric encryption

    • Exporting and importing keys

  • Implementing a new algorithm provider

  • Migrating from CAPI to CNG

Prerequisites

  • Familiarity with INT201: Windows Internals; and

  • Familiarity with Windows API (Win32) programming; and

  • Familiarity with the C programming language (for labs version).

Windows versions

Windows Vista; Windows "Longhorn" Server

Duration and formats

4 days with labs
2 days lecture only

Labs

The lab version of this seminar includes a series of programming exercises that illustrate and amplify the principles presented in the “Using CNG” section. Attendees for this version will spend at least half of the seminar time modifying, coding, and debugging programs that use examples of various CNG algorithm classes, as well as older services such as DPAPI. Solutions to all lab problems will be provided on CD-R or other machine-readable form.
 

Vista Only!
Cryptography Next Generation (CNG), that is, the bcrypt and ncrypt interfaces, exists only in Vista (and, soon, in Longhorn Server).
Copyright © 2007 - Azius Developer Training