EldoS | Feel safer!

SHA256 on WinXP using CryptoAPI

#13534
Posted: 05/31/2010 06:35:46
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

Hi, I am trying to support cryptocards in general using WinCertStorages (Windows CryptoAPIs) and I found that some models of cards, on WinXP SP3, can't use anything except SHA1, while other cards can use SHA256.

I read that WinXP SP3 does allow the use of SHA256, but only using a new crypto provider (the AES one), so my guess is that the middleware of one card (SafeSign V3.0.33 in that case) doesn't detect this new crypto provider, so it uses the old one and can't use anything except SHA1.

The other card used, the Spanish electronic DNI, using exactly the same code, is able to sign using SHA256 or SHA1, so I suppose its drivers are more up-to-date for WinXP SP3.

Using WinCertStorage but with a file certificate doesn't allow me to use anything but SHA1, but if I use it with a MemCertStorage (no Windows CryptoAPI) then all algorithms work OK. Again, I suppose in the case of files, the default Windows crypto provider is used, so only SHA1 is allowed.

My source of info about that was this: http://blogs.msdn.com/b/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx

And my question is: Can I force the use of one of the Win32 crypto providers, or is it something the middleware should choose for us?

The component I am using, a TElMessageSigner, has a CryptoProviderManager, but its DefaultCryptoProvider is a read-only property, so I am unable to choose one or another.

Thanx in advance for any help,
Sergio Hernandez.
#13535
Posted: 05/31/2010 07:00:48
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

The information you have explained exposes at least two different issues:

1) Hardware tokens usually use their own cryptographic engine; in most cases they *do not* use CryptoAPI. That's why the SHA1 algorithm limitation you are facing with some of the tokens is very likely to be a limitation of those particular tokens rather than of their drivers or the system.

2) Where exactly does the certificate you are trying to access with TElWinCertStorage reside (is it stored in the system store, or is it just mapped to the system store by a hardware token driver)?

Answering your question, the default TElWin32CryptoProvider automatically decides whether SHA2 algorithms are supported by the system. In other words, if one of the SHA2 algorithms is requested by the user, and this algorithm is supported by the system, it will be used transparently.
#13538
Posted: 05/31/2010 07:31:59
by Sergio Hernandez (Standard support level)
Joined: 03/03/2008
Posts: 14

Thanks Innokentiy for your quick answer.

1) I don't really know if this particular card uses its own crypto provider, but I would love to know... How could I know it in my actual testing code?

It looks like this:

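Code
// Request a SHA-256 digest for the signature
Signer.HashAlgorithm := SB_ALGORITHM_DGST_SHA256;
// First call with a nil output buffer only returns the required size in Sz
Sz := 0;
Signer.Sign(@InBuf[0], Length(InBuf), nil, Sz);
SetLength(OutBuf, Sz);
// Second call produces the signature; I = 0 means success
I := Signer.Sign(@InBuf[0], Length(InBuf), @OutBuf[0], Sz);
// iif is a helper that is not shown in the post
Texto := Texto + #10 + 'SHA256 (Output size: ' + IntToStr(Sz) + '): ' +
  iif(I = 0, 'OK', 'No, err.' + IntToStr(I) + ' ' + Signer.ErrorInfo);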


2) Again, I don't know. I suppose it is mapped, as it is not a file certificate; it is a crypto card that should not let you copy the certificate out of the card. If I unplug it, the certificate disappears from my "Certificates" in IE.

About your last sentence: a file certificate that can use any SHA family algorithm when used with a MemCertStorage is not capable of using anything except SHA1 when used with WinCertStorage... it makes me wonder whether maybe I don't have this new MS crypto provider that allows you to use SHA2...

Is there a way I can check if a particular WinXP is able or not to use SHA2?

I mean: maybe this card uses the Windows crypto provider, and maybe on my XP I don't have the latest SP3 crypto provider with AES support; in that case, it could be the reason why neither the card nor the file certificate can use SHA256.

PS: My Win XP turns out to be SP2... I didn't care about this before, but surely both file and card certificates use Windows crypto providers, so that is why I can't use SHA256 with any of them. I will test on Win7 and also update my XP to see if it improves.

Thanxs again,
Sergio.
#13539
Posted: 05/31/2010 08:01:48
by Ken Ivanov (EldoS Corp.)

Quote
1) I don't really know if this particular card uses its own crypto provider, but I would love to know... How could I know it in my actual testing code?

There is no guaranteed way to find this out, but you can check whether SHA2 algorithms are in the list of the algorithms supported by the token. Please use the SupportedPKCS11Mechanisms[] and SupportedPKCS11MechanismCount properties of the appropriate TElPKCS11SlotInfo object and check whether the following constants are present in the list:

#define CKM_SHA_1 0x00000220
#define CKM_SHA256 0x00000250
#define CKM_SHA384 0x00000260
#define CKM_SHA512 0x00000270

Quote
2) Again, I don't know. I suppose it is mapped, as it is not a file certificate; it is a crypto card that should not let you copy the certificate out of the card. If I unplug it, the certificate disappears from my "Certificates" in IE.

Actually, this means that the certificate is located on the token. It is likely that the token just does not support SHA2 (can be checked as I described above) and that's why you get the aforementioned error.

Quote
Is there a way I can check if a particular WinXP is able or not to use SHA2?

First of all, please check that SHA2 algorithms are supported by the token itself. If they aren't, you will be unable to use SHA independently of the platform version.
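
Added example, not part of the thread and not EldoS code: a Delphi console program that tests whether a given Windows installation can use SHA2 through CryptoAPI, by trying to create SHA-1 and SHA-2 hash objects under the legacy provider type (PROV_RSA_FULL) and under the AES provider type (PROV_RSA_AES) mentioned in the first post. The program name and the Probe helper are illustrative, and the advapi32 imports are declared inline on the assumption that no wincrypt unit is available; it tests only the system's software providers, not what a token's own engine supports.

```delphi
program ProbeSha2;
{$APPTYPE CONSOLE}
// Added example: no key container is opened, only hash objects are created.
uses Windows, SysUtils;
const
  PROV_RSA_FULL       = 1;          // legacy RSA provider type
  PROV_RSA_AES        = 24;         // "RSA and AES" provider type
  CRYPT_VERIFYCONTEXT = $F0000000;  // ephemeral context, no private keys needed
  Names: array[0..3] of string = ('SHA1', 'SHA256', 'SHA384', 'SHA512');
  // CALG_SHA1, CALG_SHA_256, CALG_SHA_384, CALG_SHA_512
  Algs: array[0..3] of DWORD = ($8004, $800C, $800D, $800E);

function CryptAcquireContextW(out hProv: THandle; pszContainer, pszProvider: PWideChar;
  dwProvType, dwFlags: DWORD): BOOL; stdcall; external 'advapi32.dll';
function CryptCreateHash(hProv: THandle; Algid: DWORD; hKey: THandle;
  dwFlags: DWORD; out hHash: THandle): BOOL; stdcall; external 'advapi32.dll';
function CryptDestroyHash(hHash: THandle): BOOL; stdcall; external 'advapi32.dll';
function CryptReleaseContext(hProv: THandle; dwFlags: DWORD): BOOL; stdcall; external 'advapi32.dll';

// Tries to create a hash object of AlgId under the default provider of ProvType.
function Probe(ProvType, AlgId: DWORD): string;
var
  hProv, hHash: THandle;
begin
  Result := 'no provider of this type';
  // nil provider name selects the system default provider for ProvType
  if not CryptAcquireContextW(hProv, nil, nil, ProvType, CRYPT_VERIFYCONTEXT) then
    Exit;
  if CryptCreateHash(hProv, AlgId, 0, 0, hHash) then
  begin
    CryptDestroyHash(hHash);
    Result := 'yes';
  end
  else
    Result := 'no, error 0x' + IntToHex(Integer(GetLastError), 8);
  CryptReleaseContext(hProv, 0);
end;

var
  I: Integer;
begin
  for I := 0 to High(Algs) do
    Writeln(Format('%-7s PROV_RSA_FULL: %-28s PROV_RSA_AES: %s',
      [Names[I], Probe(PROV_RSA_FULL, Algs[I]), Probe(PROV_RSA_AES, Algs[I])]));
end.
```

An error of 0x80090008 is NTE_BAD_ALGID, meaning the provider does not implement that hash algorithm.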
