www.it-ebooks.info

Developing Secure Applications with Visual Basic
Davis Chapman

Sams Publishing
800 East 96th St., Indianapolis, Indiana, 46240 USA

00 8369 FM 4/25/00 9:04 AM Page i

Copyright © 2000 by Sams Publishing

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-672-31836-9
Library of Congress Catalog Card Number: 99-66271
Printed in the United States of America
First Printing: May 2000
02 01 00 4 3 2 1

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or programs accompanying it.

Associate Publisher: Bradley L. Jones
Executive Editor: Chris Webb
Development Editor: Steve Rowe
Managing Editor: Charlotte Clapp
Project Editor: Carol L. Bowers
Copy Editors: Barbara Hacha, Chuck Hutchinson
Indexer: Kevin Fulcher
Proofreader: Jill Mazurczyk
Technical Editor: John Hooven
Team Coordinator: Meggo Barthlow
Media Developer: Jason Haines
Interior Designer: Anne Jones
Cover Designer: Anne Jones
Copy Writer: Eric Bogert

Contents at a Glance
  Introduction 1
  1 Understanding Encryption and Application Security 5
  2 Getting Started with the CryptoAPI 19
  3 Symmetric and Password Encryption 37
  4 Public/Private Key Communications 93
  5 Requesting and Retrieving Certificates 139
  6 Working with Certificates 175
  7 Working With Certificate Revocation Lists 217
  8 Using Digital Signatures 257
  9 DCOM Through SSL 309
  10 Understanding Windows 2000 Security and Security Descriptors 339
  11 Using NT Login Authentication 385
  12 Working with Active Directory Security (ADSI) and an LDAP Server 407
  13 Active Directory Security and Searching 441
  14 Developing with COM+ Security 475
  15 Microsoft Certificate Server 495
  16 Security Standards 505
  17 Legal Issues of Digital Signatures and Encryption 517
  A Cryptographic Service Providers 529
  Index 535

Contents

Introduction 1

1 Understanding Encryption and Application Security 5
  Exploring Encryption 6
  Encryption Algorithms and Standards 6
  Other Forms of Encryption 10
  Using Certificates with Encryption 13
  Certificate Authorities 14
  Certificate Chains 14
  Digital Signatures 14
  Message Enveloping 15
  Secure Sockets Layer (SSL) 16
  Security and Audit Logs 16
  Why Do You Need Audit Logs? 17
  What Information Needs to Be Included? 17
  Summary 18

2 Getting Started with the CryptoAPI 19
  CryptoAPI and Cryptographic Service Providers 20
  Opening the CSP 21
  Closing the CSP 25
  Listing the Available CSPs 26
  Listing the CSP Types 27
  Getting the Default CSP 28
  Setting the Default CSP 28
  CSP Types and Encryption Algorithms 29
  Listing CSPs and CSP Types 30
  Designing the Interface 30
  Listing the CSPs 32
  Building a List of the CSP Types 34
  Summary 36

3 Symmetric and Password Encryption 37
  Generating Hashes of Strings and Messages 38
  Creating a Hash Object 38
  Destroying a Hash Object 40
  Duplicating a Hash Object 41
  Hashing Data 42
  Hashing a Session Key 42
  Getting Hash Information 43
  Setting Hash Information 45
  Generating Symmetric Keys 46
  Deriving a Key 47
  Generating a Key 48
  Destroying a Key 50
  Duplicating a Key 51
  Understanding Basic Encryption and Decryption 52
  Encrypting Data 53
  Decrypting Data 54
  Building a Simple Encryption Application 55
  Declaring API Functions, Constants, and Variables 55
  Exposing Properties 60
  Acquiring a Handle for the CSP 61
  Deriving a Password-Based Key 64
  Destroying a Password-Based Key 66
  Performing Data Encryption 67
  Performing Data Decryption 69
  Designing the User Interface 70
  Performing the Encryption 71
  Performing the Decryption 74
  Building a File Encryption/Decryption Utility 77
  Making Additional Declarations 77
  Hashing the Data File 78
  Encrypting the Data File 80
  Decrypting the Data File 81
  Designing the User Interface 83
  Performing the Data File Encryption 85
  Performing the Data File Decryption 89
  Summary 92

4 Public/Private Key Communications 93
  Block Versus Stream Algorithms 94
  Salt Values: What Are They and Why Use Them? 95
  Generating Salt Values 96
  Extracting Salt Values from Session Keys 97
  Setting Salt Values in Session Keys 100
  Generating, Saving, and Retrieving Public/Private Keys 103
  Exporting and Importing Keys 104
  Exporting Keys 104
  Importing Keys 107
  Building a Secure Messaging Utility 108
  Creating the Initial Project 108
  Making Additional Declarations 109
  Adding New Properties 110
  Getting the User Public/Private Key Pair 111
  Exporting the Public Key 113
  Importing the Public Key 114
  Creating and Exporting the Session Key 115
  Importing the Session Key 117
  Terminating the Class 118
  Designing the User Interface 119
  Performing Form Initialization, Cleanup, and Other Miscellaneous Functions 121
  Performing the Initial Server Key Exchange 123
  Performing the Client Key Exchange 125
  Finishing the Server Key Exchange 126
  Sending and Receiving Encrypted Messages 127
  Listening for Connection Requests 130
  Connecting to the Server 131
  Receiving the Connection Request 132
  Handling Data Arrival 133
  Closing the Socket Connection 135
  Summary 138

5 Requesting and Retrieving Certificates 139
  Digital Certificates Explained 140
  Requesting a Certificate from a Certificate Authority 141
  Verifying the Key Owner’s Identity 142
  Acquiring Certificates 143
  Generating a Certificate Request 143
  Retrieving Certificates 151
  Building a Certificate Request Utility 155
  Creating the Certificate Request Class 156
  Creating the Class Properties 159
  Class Initialization and Termination 161
  Requesting Certificates 162
  Retrieving Certificates 164
  Checking on Request Status 165
  Designing the Form 166
  Form Initialization and Shutdown 168
  Performing the Certificate Request 169
  Checking the Status and Getting the Certificate 171
  Running the Sample Application 171
  Summary 173

6 Working with Certificates 175
  Managing Certificate Stores 176
  Opening Certificate Stores 177
  Closing Certificate Stores 178
  Duplicating the Store Handle 179
  Managing Certificates and Certificate Contexts 179
  Creating a Certificate Context 179
  Duplicating a Certificate Context 180
  Finding a Certificate 180
  Enumerating Certificates 183
  Getting an Issuer Certificate 183
  Serializing a Certificate 184
  Verifying a Certificate 186
  Deleting a Certificate 186
  Freeing a Certificate Context 187
  Getting Information from Certificates 187
  Enumerating Certificate Properties 188
  Getting Property Values 189
  Setting Certificate Properties 192
  Getting the Subject Name 193
  Building a Certificate Maintenance Utility 195
  Creating the Project 195
  Listing the Certificates 198
  Converting Strings 207
  Extracting the Key Spec 208
  Extracting the Provider Type 209
  Extracting the Container Name 210
  Extracting the CSP Name 211
  Designing the Form 212
  Listing the Certificates 214
  Summary 214

7 Working with Certificate Revocation Lists 217
  Verifying Certificates Against a CA 218
  Extracting a Certificate Serial Number 219
  Formatting the Serial Number 222
  The CertAdmin COM Object 223
  Verifying a Certificate 223
  Building and Maintaining a Certificate Revocation List 226
  Creating a CRL Context 226
  Adding a CRL to a Certificate Store 227
  Duplicating a CRL 229
  Freeing a CRL Context 229
  Deleting a CRL 229
  Getting a CRL from a Certificate Store 230
  Verifying Certificates Against a CRL 231
  Managing a Certificate Revocation List 233
  Creating the Project 233
  Adding New Properties 237
  Converting Bytes to Hex String 238
  Checking Certificates Against the CA 239
  Creating a CRL from a File 241
  Checking Certificates Against a CRL 243
  Adding a CRL to a Certificate Store 244
  Modifying the Certificate Listing 246
  Modifying the Form 249
  Using the CA to Verify Certificates 251
  Using the CRL to Verify Certificates 252
  Importing the CRL to the Certificate Store 254
  Summary 255

8 Using Digital Signatures 257
  What Are Digital Signatures? 259
  Signing Messages and Verifying Signatures 261
  Encryption Algorithms and Pointers 261
  Signing a Message 262
  Verifying a Message Signature 266
  Verifying a Detached Message Signature 269
  Determining the Number of Signers 270
  Enveloping Messages 270
  Encrypting a Message 270
  Decrypting a Message 273
  Signing and Encrypting a Message 275
  Decrypting and Verifying a Message 276
  Decoding a Message 277
  Building a Signing Utility 279
  Creating the Project 279
  Retrieving the Signing Certificate 282
  Determining the Certificate Type 284
  Signing the Message 286
  Verifying the Signature 289
  Retrieving the Exchange Certificate 291
  Encrypting the Message 293
  Decrypting the Message 296
  Releasing the Signature Certificate 299
  Designing the Form 300
  Getting the Signer Certificate 302
  Performing the Signing 302
  Performing the Signature Verification 304
  Performing the Encryption 305
  Performing the Decryption 307
  Summary 308

9 DCOM Through SSL 309
  RDS and HTTP 310
  Standard DCOM Versus RDS DCOM 310
  RDS DataSpace Object 313
  RDSServer DataFactory Object 313
  RDS DataControl Object 314
  Interacting with Custom Server Controls 314
  Enabling RDS Use 315
  DCOM Tunneling Through TCP/IP 316
  Client Configuration 317
  Server Configuration for DCOM 319
  Building a DCOM-HTTPS Application 323
  Creating the Server Object 323
  Creating the Client Application 329
  Summary 337

10 Understanding Windows 2000 Security and Security Descriptors 339
  Windows 2000 Security Overview 340
  Fundamental Security Data Structures 341
  Understanding Process and Thread Security Tokens 341
  Understanding the Security Identifier 346
  Understanding ACE, DACL, and SACL Structures 354
  Determining the Size Required for an ACL 355
  Adding an Access-Allowed ACE to a DACL 357
  Security Descriptors 360
  Retrieving a Security Descriptor 366
  Using the Security_Attributes Structure 369
  Trustee-Based Access Control 370
  Using the TRUSTEE Structure 371
  The EXPLICIT_ACCESS Structure 375
  Using SetEntriesInAcl to Create and Modify Access Control Lists 379
  Impersonating a Client 381
  Summary 383

[...]

... may stretch your Visual Basic skills beyond what you’ve seen in most other programming situations. You’ll also have to delve into areas of programming that Visual Basic normally tries to hide from you. Take fair warning! This book is not for the Visual Basic beginner. If you just picked up Visual Basic for the first time last week, this is not the book for you (yet). This book is written with the assumption that you already know your way around Visual Basic and already have a bit of Visual Basic programming experience under your belt. However, if you’ve built several applications using Visual Basic and you pretty much know all the basics, you shouldn’t have anything to fear.

How This Book Is Organized
I wrote this book to match the way ...

... thinking. You saw this book on the shelf and picked it up out of curiosity, thinking, “Encryption and Visual Basic? Security and Visual Basic? Aren’t these topics normally reserved for the ranks of C/C++ developers?” Well, they used to be, but not anymore. Now you can perform these tasks within Visual Basic, without having to dip into any C/C++ code. The next question on your mind probably is, “Do I have ...

... Logs

CHAPTER 1
With the explosion of commerce and business applications on the Internet, whole areas of programming expertise have entered the limelight. Just a few short years ago, encryption and application security were areas of programming limited to academic and military programming, along with some Research and Development labs ... languages. My, how times have changed!
Now, it is possible to use Visual Basic to accomplish these tasks. This book is all about exploring how you can use Visual Basic to perform various encryption and application security tasks. These are exciting times for Visual Basic programmers!

Exploring Encryption
One of the key technologies involved with making secure communications possible, especially over the Internet, ...

... secret message. What makes this encryption scheme so secure is that an infinite number of possibilities exists for the key, each of which decrypts the message to a legible message. There is no way of knowing whether the message you’ve decrypted is the original message unless you possess the original key sequence. For instance, if you start with the message ...

... yourself with building another audit log? If a user is interacting directly with your application, the operating system is not likely to recognize that a security breach has occurred. Only your application is in a position to recognize this situation and have the information necessary to identify what happened, who did it, and how it was done. For ...

... idea to at least glance at these notes so that you are familiar with what they are trying to convey. Of course, there may be a time or two where I just felt like making some unimportant remark that really shouldn’t be part of the main topic, so I’ll mark those as notes, too.

CAUTION
Warning! Warning! Man the lifeboats! Oops, sorry—I ...
... restrict the hardware that can be used).

Certificate Authorities
A Certificate Authority is a commonly agreed-upon authority whose verification of someone’s identity is accepted by all parties. It can be a large, independent organization such as Verisign (www.verisign.com) or the security department within a corporation. The CA has the responsibility ...

... decrypts the signature hash and compares the two hashes. If the hashes match, the signature is valid, and the message hasn’t been altered or tampered with since being signed. This process is illustrated in Figure 1.6.

[Figure 1.6: Message Signing Process (original message, private signing key, encryption, signed message) and Signature Verification Process (decryption)]