Securing Windows NT/2000 Servers for the Internet p age 12 8 The CSW's second screen (Figure 9.3) allows the developer to specify what program will be signed and what information will be displayed on the program's certificate when the code is validated. It contains a URL that can be clicked on to provide more information about the program. The full name and URL are displayed on the program's certificate when its digital signature is checked. Figure 9.3. The Code Signing Wizard's second window Next, the developer specifies which key should be used to sign the program, what credentials are used for the key, and what cryptographic digest algorithm is used for the signature (see Figure 9.4). The information is then verified (see Figure 9.5). Figure 9.4. The Code Signing Wizard's third window Securing Windows NT/2000 Servers for the Internet p age 12 9 Figure 9.5. The fourth step is to validate all of the information that will be used to sign the binary Finally, the developer signs the executable (see Figure 9.6). Figure 9.6. The fifth and sixth panels perform the actual signature 9.2.3 Verifying Authenticode Signatures Currently, Authenticode signatures can only be verified by programs that are developed with the Microsoft ActiveX Software Developer's Toolkit. The ActiveX SDK includes a program called chktrust that allows users to check the certificate on an executable. If the program being checked is signed, chktrust displays the certificate and asks the user if he wishes to trust it. If the program being checked is not signed, or if the user chooses not to trust it, the chktrust program returns an error code. The chktrust program has these options: C:\>chktrust Usage: CHKTRUST [-options] file-name Options: -I subject type is PE executable image file (default)NOTEPAD.EXE -J subject type is Java class -C subject type is Cabinet file -N no UI in 'bad trust' case C:\> When chktrust is run, it displays a fancy certificate if the binary is signed showing the name of the person or organization on the certificate that signed it, and the name of the certification authority that signed the certificate (see Figure 9.7). Clicking the check-box at the bottom causes the program to stop displaying certificates and to always accept them. Clicking the "Advanced" button causes the program to display the list of approved software publishers. If the program is not signed, a warning window is displayed instead (see Figure 9.8). Securing Windows NT/2000 Servers for the Internet p age 13 0 Figure 9.7. The chktrust program displays a fancy certificate when it encounters a signed executable The chktrust program returns a result of "0" if the user has decided to trust the program: C:\>chktrust signed.exe Result: 0 C:\> If the user decides against trusting the program, something else is displayed: C:\>chktrust unsigned.exe Result: 800b0004 C:\> Actual programs that wish to check signatures would simply use the APIs used by the chktrust program. Figure 9.8. The warning window displayed by chktrust for unsigned executables 9.2.4 Support for Authenticode in Internet Explorer Microsoft (partially) acknowledges the potential dangers of ActiveX. However, their official position is that the solution to the security problem is not to limit what downloaded ActiveX controls can do. It can't. Once an ActiveX control is running on your computer, there is nothing that it can't do. It can steal your confidential documents, for example. The theory behind Authenticode is that the user will realize when a control has done damage and the user will take some form of legal action. For example, the user might contact the software publisher and seek redress. If that doesn't work, the user might take the ActiveX publisher to court. Microsoft's solution is to provide traceability of the authors of ActiveX controls. This traceability is provided through the use of digital signatures and Microsoft's Authenticode technology. Securing Windows NT/2000 Servers for the Internet p age 131 Microsoft's Internet Explorer can be run with several different security levels. The program's default is the highest level. When run at this level, Internet Explorer will only execute ActiveX controls that have been digitally signed by a secret key for which there exists a valid software publisher's digital certificate. Version 3.0 of Internet Explorer recognizes two kinds of software publisher certificates: the VeriSign individual software publisher certificate and the VeriSign commercial software publisher certificate. When Internet Explorer encounters a signed ActiveX control, it will show the user the name of the person or organization who signed it and the name of the certification authority that signed the software publisher's digital certificate. The user is given the choice as to whether or not this particular software publisher is trusted. The user interface allows the user to say that a particular software publisher should always be trusted. The user can also choose to have all commercial software publishers unconditionally trusted. 9.2.4.1 Controlling Authenticode in Internet Explorer Authenticode is controlled from the Properties window of "The Internet" icon (on the desktop) or from the Options window of Internet Explorer. (These are actually the same windows.) By selecting the "Security" tab of the window, the user can choose whether or not "Active Content" (such as ActiveX controls and Java programs) are downloaded and executed (see Figure 9.9). Pushing the button labeled "Safety Level" allows you to choose between three different settings for ActiveX: High Only signed ActiveX controls will be executed. Medium Users are told whether ActiveX controls are signed or not. Unsigned controls may be run at the user's discretion. None All ActiveX controls are executed, whether they are signed or not. Figure 9.9. Microsoft Internet Explorer's Security Preferences allow you to control whether or not ActiveX content is executed Securing Windows NT/2000 Servers for the Internet p age 13 2 Internet Explorer will also check programs that are downloaded to see if they are or are not digitally signed. If the user attempts to download an unsigned binary with Internet Explorer, a window is displayed similar to the one in Figure 9.10. Figure 9.10. A window displayed by Microsoft Internet Explorer when an unsigned application or component is downloaded If the binary is signed, Internet Explorer will display a certificate. Binaries signed with commercial keys display a pretty certificate, such as the one shown in Figure 9.11. Internet Explorer displays binaries signed with individual keys using a plain certificate. Internet Explorer warns the user if unsigned code is being downloaded, as shown in Figure 9.12. However, the warning is misleading, because signed code can also "contain viruses or otherwise harm your computer." Figure 9.11. A window displayed by Microsoft Internet Explorer when a signed application or component is downloaded: this component is signed by a commercial certificate 9.3 Obtaining a Software Publisher's Certificate Although Microsoft's Authenticode technology should work with software publisher digital certificates from any recognized certification authority, as this book went to press the only CA that was issuing these certificates was VeriSign. VeriSign issues two kinds of software publisher's certificates (sometimes called software publisher's credentials): individual certificates and commercial certificates. Personal certificates are based on VeriSign's Class 2 digital certificates. Commercial certificates are based on VeriSign's Class 3 certificates, similar to the company's web server certificates. (You do not need to have a web server or a domain of your own to obtain either kind of software publisher's certificate.) Securing Windows NT/2000 Servers for the Internet p age 133 VeriSign's certificate requesting process is performed on the company's Digital ID web site. Keys must be generated with Microsoft Internet Explorer 3.0 or higher. As this book went to press, keys could only be generated on computers running the Windows 95 or Windows NT 4.0 operating systems. Keys are generated by an ActiveX control that is downloaded to the web browser. The ActiveX control invites you to store the private key on removable media, such as a floppy disk. Because floppy disks are not terribly reliable, you should copy your private key to at least one other floppy disk. Private keys are not encrypted with passphrases. After the key is created, the public key is transmitted to VeriSign over the Internet. VeriSign validates the user's request and sends the user a URL and a PIN that can be used to retrieve the software publisher's certificate. Figure 9.12. Microsoft's Internet Explorer will warn the user if unsigned code is being downloaded 9.4 Other Code Signing Methods To close this chapter, we note that there are other ways of signing code to make it trustworthy. For example, for many years, PGP signature certificates have been used for validating programs and announcements distributed over the Internet. Because support for PGP is not built into web servers and browsers, the signature signing and verification must be done as a two-step process. A second drawback is that PGP signatures cannot use the public key infrastructure developed for use with web browsers. A benefit of the use of PGP is that any kind of file, document, or program can be signed with PGP, as PGP signatures can be "detached" and saved in separate locations. Code Signing URLs http://www.w3.org/pub/WWW/Security/DSig/Overview.html An overview of the World Wide Web Consortium's Digital Signatures initiative. http://www.microsoft.com/intdev/security/misf8-f.htm Microsoft's proposal for distributing software safely on the Internet. http://www.microsoft.com/INTDEV/security/misf8.HTM Microsoft's code signing home page. Securing Windows NT/2000 Servers for the Internet p age 134 Part IV: Cryptography This part of the book explains the way cryptography is used to protect information sent over the Internet. It covers current encryption techniques and cryptography on the World Wide Web. It explains the technical underpinnings of the digital identification techniques introduced in Part III. This section should be particularly interesting to individuals and organizations interested in publishing information on the web and using the web for commercial transactions. Securing Windows NT/2000 Servers for the Internet p age 13 5 Chapter 10. Cryptography Basics This chapter explains the basics of cryptography on which many secure Internet protocols are based. This chapter also explores the ways in which the use of cryptography is regulated by politics and U.S. law. Chapter 11, explores the specific ways in which cryptography is used today on the World Wide Web. 10.1 Understanding Cryptography Cryptography is a collection of techniques for keeping information secure. Using cryptography, you can transform written words and other kinds of messages so that they are unintelligible to unauthorized recipients. An authorized recipient can then transform the words or messages back into a message that is perfectly understandable. For example, here is a message that you might want to encrypt: SSL is a cryptographic protocol And here is the message after it has been encrypted: Ç`^@%[»FÇ«$T?P |x¿EÛóõÑ ß+ö˜ ÖaÜ BÆuâw Even better, with cryptography you can transform this gibberish back into the original easily understood message. 10.1.1 Roots of Cryptography The idea of cryptography is thousands of years old: Greek and Roman generals used cryptography to send coded messages to commanders who were in the field. Those early systems were based on two techniques: substitution and transposition. Substitution is based on the principle of replacing each letter in the message you wish to encrypt with another one. The Caesar cipher, for example, substitutes the letter "a" with the letter "d," the letter "b" with the letter "e," and so on. Some substitution ciphers use the same substitution scheme for every letter in the message that is being encrypted; others use different schemes for different letters. Transposition is based on scrambling the characters that are in the message. One transposition system involves writing a message into a table row-by-row, then reading it out column-by-column. Double transposition ciphers involve repeating this scrambling operation a second time. In the early part of the 20th century, a variety of electromechanical devices were built in Europe and the United States for the purpose of encrypting messages sent by telegraph and radio. These systems relied principally on substitution, because there was no way to store a complete message using transposition techniques. Today, encryption algorithms running on high-speed digital computers use both substitution and transposition in combination, as well as other mathematical functions. 10.1.2 Terminology Modern cryptographic systems consist of two complementary processes: Encryption A process by which a message (the plaintext ) is transformed into a second message (the ciphertext) using a complex function (the encryption algorithm) and a special encryption key. Decryption The reverse process, in which the ciphertext is transformed back into the original plaintext using a second complex function and a decryption key. With some encryption systems, the encryption key and the decryption key are the same. With others, they are different. Securing Windows NT/2000 Servers for the Internet p age 13 6 Figure 10.1 illustrates how these two processes fit together. Figure 10.1. A simple example of encryption and decryption The goal of cryptography is to make it impossible to take a ciphertext and reproduce the original plaintext without the corresponding key and to raise the cost of guessing the key beyond what is practical. Many modern cryptographic systems now easily achieve this goal. Indeed, cryptographic algorithms that have no known flaws are readily available today. Despite the fact that modern cryptography is fast, easy to use, and well-understood, many political barriers still limit the use of this technology. 10.1.3 A Cryptographic Example Let's see how cryptography works in practice. Here is a simple piece of plaintext: SSL is a cryptographic protocol This message can be encrypted with a popular encryption algorithm known as the Data Encryption Standard (DES). The DES is a symmetric algorithm, which means that it uses the same key for encryption as for decryption. In this case, we shall use the key nosmis: % des -e < text > text.des Enter key: nosmis Enter key again: nosmis % The result of the encryption is this encrypted message: 50 % cat text.des Ç`^@%[»FÇ«$T?P |x¿EÛóõÑ ß+ö˜ ÖaÜ BÆuâw When this message is decrypted with the key nosmis, the original message is produced: % des -d < text.des > text.decrypt Enter key: nosmis Enter key again: nosmis % cat text.decrypt SSL is a cryptographic protocol % 50 Encrypted messages are inherently binary data. Because of the limitations of paper, not all control characters are displayed. Securing Windows NT/2000 Servers for the Internet p age 13 7 If you try to decrypt the encrypted message with a different key, such as gandalf, the result is garbage: 51 % des -d < text.des > text.decrypt Enter key: gandalf Enter key again: gandalf Corrupted file or wrong key % cat text.decrypt ±N%EÒRÖf`"H;0ªõO>?„!_+í8› The only way to decrypt the encrypted message and get printable text is by knowing the secret key nosmis. If you don't know the key, and you need the contents of the message, one approach is to try to decrypt the message with every possible key. This approach is called a key search attack or a brute force attack. How easy is a key search attack? That depends on the length of the key. The message above was encrypted with the DES algorithm, which has a 56-bit key. Each bit in the 56-bit key can be a 1 or a 0. That means that there are 2 56 , or roughly 72,057,594,037,900,000 different keys. On the other hand, the des command only gives you access to this keyspace when keys are specified as hexadecimal numbers. A typed key will typically only include the 96 printable characters, reducing the keyspace by 90 percent to 7,213,895,789,838,340 (96 8 ). Although DES has a lot of keys, it does not have an impossibly large number of keys. If you can try a billion keys a second and you can recognize the correct key when you find it (quite possible on some modern computers), you can try all possible keys in a little less than 834 days. We'll discuss these issues more thoroughly in the section Section 10.2.1 later in this chapter. 10.1.4 Is Cryptography a Military or Civilian Technology? For years, cryptography has been primarily considered a military technology - despite the fact that nearly all of the strongest cryptosystems were invented by civilians. 52 Why the confusion? Nearly all of the historical examples of cryptography, from Greece and Rome, through France, Germany, and England, and on into the modern age, are stories of armies and spies that used cryptography to shield their messages transmitted by carrier. Examples that remain are either diplomatic, such as Mary, Queen of Scots, using cryptography to protect her messages (unsuccessfully, it turns out), or nefarious, such as a pirate using cryptography to record where he buried his ill-gotten gains. There is also a tradition of nonmilitary use of cryptography that is many centuries old. There are records of people using cryptography to protect religious secrets, to hide secrets of science and industry, and to arrange clandestine romantic trysts. During World War I, the U.S. Postal Service opened all letters sent overseas. The majority of the letters that were decrypted by Herbert Yardley's so-called American Black Chamber were not messages being sent from German spies operating within the U.S., but nonmilitary letters being exchanged between illicit lovers. 53 They used cryptography for the same reasons that the spies did: to assure that, in the event that one of their messages was intercepted or opened by the wrong person, its content would remain secret. In recent years, cryptography has increasingly become a tool of business and commerce. Ross Anderson, an English cryptographer, believes that in recent years civilian use of cryptography has eclipsed military use. After all, says Anderson, cryptography is used to scramble satellite television broadcasts, to safeguard currency stored on "smart cards," and to protect financial information that is sent over electronic networks. These uses have all exploded in popularity in recent years. 51 In the example, the des command prints the message "Corrupted file or wrong key" when we attempt to decrypt the file text.des with the wrong key. How does the des command know that the key provided is incorrect? The answer has to do with the fact that DES is a block encryption algorithm, encrypting data in blocks of 64 bits at a time. When a file is not an even multiple of 64 bits, the des command pads the file with null characters (ASCII 0). It then inserts at the beginning of the file a small header indicating how long the original file "really was." During decryption, the des command checks the end of the file to make sure that the decrypted file is the same length as the original file. If it is not, then something is wrong: either the file was corrupted, or the wrong key was used to decrypt the file. Thus, by trying all possible keys, it is possible to use the des command to experimentally determine which of the many possible keys is the correct one. But don't worry: there are a lot of keys to try. 52 For a discussion, see Carl Ellison's essay at http://www.clark.net/pub/cme/html/timeline.html. 53 Details are provided in Herbert Yardley's book, The American Black Chamber. [...]... from work to your competitor If there is a mysterious deposit to your bank account two days after each transmission, an investigator is likely to draw some conclusions from this behavior Cryptography can't protect against a booby-trapped encryption program Someone can modify your encryption program to make it worse than worthless For example, an attacker could modify your copy of Netscape Navigator... information systems The different functions are these: Confidentiality Encryption is used to scramble information sent over the Internet and stored on servers so that eavesdroppers cannot access the data's content Some people call this quality "privacy," but most professionals reserve that word to refer to the protection of personal information (whether confidential or not) from aggregation and improper... layer security protocol similar to SSL that was developed by Microsoft Reportedly, the acronym has had several expansions: the current favored one is Private Communications Technology PCT was developed in response to problems with SSL 2.0; these problems were also addressed in SSL 3.0 Although Microsoft is supporting SSL 3.0 and TLS, the new Transport Layer Security model, Microsoft intends to continue... for UNIX, Windows, and the Macintosh from Data Fellows (http://www.datafellows.com) 61 Kerberos didn't adopt public key technology for two reasons The first was that when Kerberos was developed in 19 85, computers were much slower The developers thought that public key encryptions and decryptions would be too slow to use Kerberos to do things like authenticate logins and requests for email The second... user on the Internet Such programs can also be used to encrypt files that are stored on computers to give these files added protection Some popular systems that fall into this category include the following: • • Section 11.2.1 Section 11.2.2 The second category of cryptographic systems are network protocols used for providing confidentiality, authentication, integrity, and nonrepudiation in a networked... MD5, and others Confidentiality, authentication, integrity, nonrepudiation PCT Protocol for encrypting TCP, IP transmissions RSA, MD5, RCZ, RC4, and others Confidentiality, authentication, integrity, nonrepudiation S-HTTP Protocol for encrypting HTTP requests and responses RSA, DES, and others Confidentiality, authentication, integrity, nonrepudiation; however, it's obsolete SET and CyberCash Protocols... electronic mail Unfortunately ,55 wider use of IDEA has been hampered by a series of software patents on the algorithm, which is currently held by Ascom-Tech AG in Solothurn, Switzerland 54 A comprehensive list, complete with source code, can be found in Applied Cryptography, by Bruce Schneier (John Wiley & Sons, second edition 1996) 55 Although we are generally in favor of intellectual property protection,... SSL implementation easier to write page 140 Securing Windows NT/2000 Servers for the Internet 10.2.2 Attacks on Symmetric Encryption Algorithms If you are going to use cryptography to protect information, then you must assume that people whom you do not wish to access your information will be recording the encrypted data and attempting to decrypt it forcibly .58 To be useful, your cryptographic system... hours can be built for under $1 million Such machines probably exist, although no government or corporation officially admits to having one DESX DESX is a simple modification to the DES algorithm that is built around two "whitening" steps These steps appear to improve the security of the algorithm dramatically, effectively rendering key search impossible Further information about DESX can be found on... to the newspapers after legitimately decrypting them Your system also may not protect against one of your system administrators being tricked into revealing a password by a phone call purporting to be from the FBI Thus, while cryptography is an important element of web security, it is not the only part Cryptography can't guarantee the security of your computer if people can break into it through other . dangers of ActiveX. However, their official position is that the solution to the security problem is not to limit what downloaded ActiveX controls can do. It can't. Once an ActiveX control. publisher to court. Microsoft's solution is to provide traceability of the authors of ActiveX controls. This traceability is provided through the use of digital signatures and Microsoft's. Authenticode is controlled from the Properties window of "The Internet" icon (on the desktop) or from the Options window of Internet Explorer. (These are actually the same windows.) By selecting