[PDF] Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library

View - Download Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library

Previous PDF

Next PDF

Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library (cng.sys) Security Policy Document

This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision)

1

Library(cng.sys)SecurityPolicyDocument

Microsoft Windows 7 Operating System

FIPS 140-2 Security Policy Document

This document specifies the security policy for the Microsoft Kernel Mode Cryptographic Primitives Library

(CNG.SYS) as described in FIPS PUB 140-2.

January 16, 2013

Document Version: 2.2

Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library (cng.sys) Security Policy Document

This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision)

2

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the

date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a

commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of

publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE

INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons

Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit

http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford,

California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights

covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the

furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real

company, organization, product, person or event is intended or should be inferred. © 2006 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, Windows Server, Windows Vista

and Windows 7 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library (cng.sys) Security Policy Document

This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision)

3

1CRYPTOGRAPHIC MODULE SPECIFICATION ................................................................. 5

1.1Cryptographic Boundary ............................................................................................................... 5

2SECURITY POLICY .............................................................................................................. 5

3CRYPTOGRAPHIC MODULE PORTS AND INTERFACES ................................................. 7

3.1Exported Functions ........................................................................................................................ 7

3.2Data Input and Output Interfaces .............................................................................................. 8

3.3Control Input Interface ................................................................................................................. 8

3.4Status Output Interface ................................................................................................................ 8

3.5Cryptographic Bypass .................................................................................................................... 8

4ROLES AND AUTHENTICATION ........................................................................................ 8

4.1Roles .................................................................................................................................................. 9

4.2Maintenance Roles ......................................................................................................................... 9

4.3Operator Authentication ............................................................................................................... 9

5SERVICES ............................................................................................................................. 9

5.1Cryptographic Module Power Up and Power Down ................................................................. 9

5.1.1DriverEntry .................................................................................................................................. 9

5.1.2DriverUnload ................................................................................................................................ 9

5.2Algorithm Providers and Properties.......................................................................................... 10

5.2.1BCryptOpenAlgorithmProvider ................................................................................................... 10

5.2.2BCryptCloseAlgorithmProvider ................................................................................................... 10

5.2.3BCryptSetProperty ..................................................................................................................... 10

5.2.4BCryptGetProperty ..................................................................................................................... 10

5.2.5BCryptFreeBuffer ....................................................................................................................... 10

5.3Random Number Generation ...................................................................................................... 11

5.3.1BCryptGenRandom .................................................................................................................... 11

5.3.2SystemPrng ............................................................................................................................... 11

5.3.3EntropyRegisterSource .............................................................................................................. 12

5.3.4EntropyUnregisterSource ........................................................................................................... 13

5.3.5EntropyProvideData ................................................................................................................... 13

5.4Key and Key-Pair Generation ..................................................................................................... 13

5.4.1BCryptGenerateSymmetricKey .................................................................................................. 13

5.4.2BCryptGenerateKeyPair ............................................................................................................. 13

5.4.3BCryptFinalizeKeyPair ................................................................................................................ 14

5.4.4BCryptDuplicateKey ................................................................................................................... 14

5.4.5BCryptDestroyKey ...................................................................................................................... 14

5.5Key Entry and Output .................................................................................................................. 14

5.5.1BCryptImportKey ....................................................................................................................... 14

5.5.2BCryptImportKeyPair ................................................................................................................. 15

5.5.3BCryptExportKey........................................................................................................................ 15

5.6Encryption and Decryption ......................................................................................................... 16

5.6.1BCryptEncrypt ............................................................................................................................ 16

5.6.2BCryptDecrypt ........................................................................................................................... 17

5.7Hashing and Message Authentication ...................................................................................... 17

5.7.1BCryptCreateHash ..................................................................................................................... 17

5.7.2BCryptHashData ........................................................................................................................ 18

5.7.3BCryptDuplicateHash ................................................................................................................. 18

5.7.4BCryptFinishHash ...................................................................................................................... 18

5.7.5BCryptDestroyHash ................................................................................................................... 19

5.8Signing and Verification .............................................................................................................. 19

5.8.1BCryptSignHash ......................................................................................................................... 19

5.8.2BCryptVerifySignature ............................................................................................................... 19

Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library (cng.sys) Security Policy Document

This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision)

4 5.9

Secret Agreement and Key Derivation ..................................................................................... 20

5.9.1BCryptSecretAgreement ............................................................................................................ 20

5.9.2BCryptDeriveKey ........................................................................................................................ 20

5.9.3BCryptDestroySecret ................................................................................................................. 21

5.10Legacy Compatibility Interfaces ............................................................................................ 21

5.10.1Key Formatting .......................................................................................................................... 21

5.10.2Random Number Generation ..................................................................................................... 21

5.10.3Data Encryption and Decryption ............................................................................................... 22

5.10.4Hashing ..................................................................................................................................... 24

5.11Configuration ............................................................................................................................. 26

5.12Other Interfaces ........................................................................................................................ 26

6OPERATIONAL ENVIRONMENT ...................................................................................... 27

7CRYPTOGRAPHIC KEY MANAGEMENT .......................................................................... 27

7.1Cryptographic Keys, CSPs, and SRDIs ...................................................................................... 27

7.2Access Control Policy ................................................................................................................... 27

7.3Key Material ................................................................................................................................... 28

7.4Key Generation.............................................................................................................................. 28

7.5Key Establishment ........................................................................................................................ 28

7.6Key Entry and Output .................................................................................................................. 29

7.7Key Storage .................................................................................................................................... 29

7.8Key Archival ................................................................................................................................... 29

7.9Key Zeroization ............................................................................................................................. 29

8SELF-TESTS ........................................................................................................................ 29

9DESIGN ASSURANCE ........................................................................................................ 30

10ADDITIONAL DETAILS .................................................................................................. 30

Microsoft Windows 7 Kernel Mode Cryptographic Primitives Library (cng.sys) Security Policy Document

This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision)

5

1 Cryptographic Module Specification

Microsoft Kernel Mode Cryptographic Primitives Library (CNG.SYS) is a FIPS 140-2 Level 1 compliant, general purpose, software-based, cryptographic module residing at kernel mode level of Windows 7 operating system. CNG.SYS (versions 6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514,

6.1.7601.17725, 6.1.7601.17919, 6.1.7601.21861, and 6.1.7601.22076) runs as a kernel mode export

driver, and provides cryptographic services, through their documented interfaces, to Windows 7 kernel

components. The CNG.SYS encapsulates several different cryptographic algorithms in an easy-to-use cryptographic

module accessible via the Microsoft CNG (Cryptography, Next Generation) API. It also supports several

cryptographic algorithms accessible via a Fips function table request irp (I/O request packet). Windows 7

kernel mode components can use general-purpose FIPS 140-2 Level 1 compliant cryptography in

CNG.SYS.

1.1 Cryptographic Boundary

The Windows 7 kernel mode CNG.SYS consists of a single kernel mode export driver (SYS). The cryptographic boundary for CNG.SYS is defined as the enclosure of the computer system, on which

CNG.SYS is to be executed. The physical configuration of CNG.SYS, as defined in FIPS-140-2, is multi-

chip standalone

2 Security Policy

CNG.SYS operates under several rules that encapsulate its security policy. CNG.SYS is supported on Windows 7 and Windows 7 SP1. CNG.SYS operates in FIPS mode of operation only when used with the FIPS approved version of Windows 7 Winload OS Loader (winload.exe) validated to FIPS 140-2 under Cert. #1326 operating in FIPS mode Windows 7 is an operating system supporting a "single user" mode where there is only one interactive user during a logon session. CNG.SYS is only in its Approved mode of operation when Windows is booted normally, meaning Debug mode is disabled and Driver Signing enforcement is enabled. CNG.SYS operates in its FIPS mode of operation only when one of the following DWORD registry values is set to 1: o HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled o HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration\SelfTest

Algorithms

All users assume either the User or Cryptographic Officer roles. CNG.SYS provides no authentication of users. Roles are assumed implicitly. The authentication provided by the Windows 7 operating system is not in the scope of the validation. All cryptographic services implemented within CNG.SYS are available to the User and

Cryptographic Officer roles.

In order to invoke the approved mode of operation, the user must call FIPS approved functions. CNG.SYS implements the following FIPS-140-2 Approved algorithms. o SHA-1, SHA-256, SHA-384, SHA-512 hash (Cert. #1081) o SHA-1, SHA-256, SHA-384, SHA-512 HMAC (Cert. #677) o Triple-DES (2 key and 3 key) in ECB, CBC, and CFB8 modes (Cert. #846) o AES-128, AES-192, AES-256 in ECB, CBC, and CFB8 modes (Cert. #1168) o AES-128, AES-192 and AES-256 in CCM mode (Cert. #1178) o AES-128, AES-192 and AES-256 in GCM mode (AES Cert. #1168, vendor-affirmed) o AES-128, AES-192 and AES-256 in GMAC mode (AES Cert. #1168, vendor-affirmed) o RSA (RSASSA-PKCS1-v1_5 and RSASSA-PSS) digital signatures (Cert. #560) and X9.31

RSA key-pair generation (Cert. #559)

o ECDSA with the following NIST curves: P-256, P-384, P-521 (Cert. #141)

Microsof

This S

C C a l

The fo

Figure 1

1

Applicati

operate th ft Windows 7

Security Policy

o FIPS 1 o FIPS 1 o SP800 o SP800 o KAS - meth o

NG.SYS supp

o AES K e and 25 o Diffie-H o TLS an o IKEv1

NG.SYS also

s lgorithms may o RSA en o RC2, R o DES in ollowing diag

Master com

ions may not he module in

7 Kernel Mode

is non-propriet

186-2 x-Chang

186-2 x-Chang

-90 AES-256 -90 Dual-EC D

SP800-56A (v

odology provid orts the follow ey Wrap (AES

56 bits of enc

Hellman (DH)

nd EAP-TLS

Key Derivati

o supports the y not be used ncrypt/decryp

RC4, MD2, MD

n ECB, CBC, a ram illustrat e mponents of use any of t h a FIPS comp e Cryptograph tary and may b ge Notice Gen ge Notice Reg counter mode

DRBG (Cert. #

vendor-affirm des between wing non-App

S Cert #1168;

cryption streng ) secret agree on Functions followin g non d when opera pt

D4, MD5, HMA

nd CFB with 8 es the master cn g.sys cry hese non-FIPS liant manner, hic Primitives be reproduced neral Purpose gular RNG (Ce e DRBG (Cert #24) med) EC Diffie

128 and 256-

proved algorit ; key establis gth) ement n FIPS 140-2 tin g the mod

AC MD5

1

8-bit feedbac

components ypto module

S algorithms

, applications

Library (cng.s

only in its origi e RNG (Cert. # ert. #649) t. #23) e-Hellman Key -bits of encryp thms allowed hment meth o approved alg ules in a FIPS ck of the modul if they need t must only us sys) Security inal entirety (w #649) y Agreement; ption strength for use in FIP odology provid orithms, thou

S compliant m

e: to be FIPS co se FIPS-appro

Policy Docum

quotesdbs_dbs32.pdfusesText_38

[PDF] Code civil local art. 21 à 79

[PDF] Cour municipale de la Ville de Montréal Direction des services judiciaires

[PDF] POLITIQUE DE FORMATION CONTINUE DE L ORDRE DES AGRONOMES DU QUÉBEC 2014-2017

[PDF] Problèmes à propos des nombres entiers naturels

[PDF] La démarche «projets de service»

[PDF] Vu les articles 4, 19 et 85 de la Loi sur les compétences municipales (RLRQ, chapitre C-47.1);

[PDF] PROGRAMME D ETUDE FORMATION MUSICALE POUR DANSEURS

[PDF] DOSSIER D APPRENTISSAGE

[PDF] Objectif des gardes barrières. Barrière de Sécurité. Pare-feu. Pare-feu. Types de Pare-feu. Une vue d'ensemble

[PDF] Document associé : Plan de formation continue des membres du CA Modèle type

[PDF] Election du Conseil Municipal Enfants 2013

[PDF] + + Construction en bottes de paille. Professionnaliser. pourquoi, pour qui, comment? Réseau Français de la Construction en Paille

[PDF] Document validé en CNP le 17/12/2010 et présenté aux DG ARS le 21/01/2011.

[PDF] Vous n êtes pas seul. Guide à l intention des parents pour aider les jeunes victimes d un crime

[PDF] Classes : QUATRIEMES