Entries in cryptography (6)

Updated Secure Parcel Delivery

Secure Parcel Delivery version 1.2 brings a number of long-awaited improvements.

  • Switching to the latest and greatest Cryptographic Service Provider (CSP)
    • Microsoft Enhanced RSA and AES Cryptographic Provider
    • Valid for Windows XP and later
  • Adding the Advanced Encryption Standard (AES) symmetric cipher to the fold
  • Restricting symmetric encryption ciphers and key strengths to those allowed by FIPS 140-2 (and FIPS 140-3)
    • See
    • Allowed ciphers include triple DES and AES with a minimum key length of 128 bits
    • Disabling selection of RC4, RC2, DES, 2-key 3DES
  • Allowing user selection of RSA key size from 1024 to 16384 bits in 256-bit steps
    • I suggest you take the default RSA key size of 3072 bits
    • FIPS 140-3 will require at least 3072 bits (to set a minimum cryptographic strength of 128 bits overall) but the program will let you choose keys down to 1024 bits at this time
  • Consolidation of User and Key interface elements to simplify configuration

This version is 32-bit only and tested on:

  • Windows 7 Professional x64
  • Windows Vista Business x86
  • Windows XP SP3 x86



Software Tool Updates

I've updated several tools today. The changes include a bug fix and a small expansion of capability as listed below. :)

Oh, and an update to the Secure Parcel Delivery program is on the way.



MyCryptInfo -> version 1.4

The tool is expanded to detect more block cipher modes of operation, that is, the algorithms employed to make a block cipher encrypt a chunk of data bigger than the native block size. I noticed that some new modes had been added in the Microsoft header files since last I looked. Although these modes don't seem to be available with the Microsoft native Cryptographic Service Providers (CSPs), they must be available in some third-party CSPs. The modes added are:

  • CBCI - ANSI CBC Interleaved
  • CFBP - ANSI CFB Pipelined
  • OFBP - ANSI OFB Pipelined
  • CBCOFM - ANSI CBC + OF Masking
  • CBCOFMI - ANSI CBC + OFM Interleaved

MyNetwork -> version 1.3

Fixed a bug in the formatting of the lease times for interfaces with DHCP enabled. This turned out to be a 32-bit to 64-bit portability issue on Windows.

MTFileTransfer -> version 1.3

Fixed the same bug in the formatting of the lease times for interfaces with DHCP enabled.


Updated MyCryptInfo

Today's update is for the MyCryptInfo tool that allows you to explore the Microsoft Cryptographic Service Providers (CSPs) on your system. It has been updated to run on 64-bit systems and to include some missing information about the SHA2 hash that is in the AES-enabled CSP.

Otherwise the tool hasn't needed to change much.

Have fun, and don't delete any cryptographic containers that you really need!


Redux: FIPS 140 dash What?

There must be something in the water. A few weeks ago we heard about a lack of encryption on the US Predator drone video downlinks. This week we hear about an attack vector on encrypted USB hard drives. Cryptography is getting attention. :) In this case the big deal is about a FIPS 140-2 certification of these USB drives and the fact that they are vulnerable to an attack.

"How did this happen?" one might ask. The answer can be found in the FIPS 140-2 Level 2 certification requirements. The certification process does not require inclusion of the system into which the USB drive is plugged, meaning your computer. The result is that vetting the security of the passphrase communication path between your computer and the USB drive was probably not part of FIPS 140-2 certification.


Predatory Encryption and Risk Management

We learned some things this week about the US Predator drone program that have some people appalled and indignant - it is the kind of story that makes news.

A Predator drone is an unmanned aerial vehicle (UAV) used by the United States Air Force both for reconnaissance and for offensive operations. It seems that the video downlink from these drones has never been encrypted and it has been possible for those under surveillance to intercept and view the video feed.

This is the kind of news that makes great headlines. People read about it and slap their foreheads, proclaiming in a righteous voice, "What were they thinking? Heads should roll!" Stuff like that.

Here is an alternative viewpoint: this whole situation could just be a result of acceptable RISK MANAGEMENT practices.


FIPS 140 Dash What?

If you use a computer today to buy anything over the internet then you are the end user of cryptographic algorithms. If you feel that you don't need to worry about the implementation of your cryptography, well, you are probably right. You may have read the news about how the MD5 cryptographic hash function is not as secure (collision resistant) as we used to think. Weaknesses in the SHA1 cryptographic hash function have also been found although SHA1 has fared somewhat better than MD5. That news causes people like me enough concern to track the progress of those attacks but so far there is no public indication that a disaster is at hand.
