Re: makecert fixed on RSA ?

[Tony McGee]

Hi Tom,

The signature algorithm that you can select from there (md5, sha1, etc) 
is a particular type of algorithm called a cryptographic hash function 
that is used for generating a small hash value from a much larger 
quantity of data. AES is a different type of algorithm (symmetric key) 
used to encrypt bulk quantities of data and so doesn't make sense to use 
it in that context.
The public key algorithm of the certificate (in this instance, RSA) is 
something different again, and is typically used to encrypt a small 
amount of data such as a symmetric key or hash value from the previous 
algorithms.


The Windows CryptoAPI does support using both symmetric key and 
asymmetric (public) key algorithms, but how you would use both at the 
API level depends upon your particular application. The makecert tool 
you're playing with leads into a fairly complex set of topics, so unless 
you have a specific goal in mind it's difficult to provide detailed 
direction through the mailing list.


To get a better handle on the difference between hashing/symmetric 
key/asymmetric key algorithms and what they're used for I would 
recommend picking up a cryptography fundamentals book such as Bruce 
Schneier's /Applied Cryptography/ 
http://www.schneier.com/book-applied.html or a similar tome. From there 
it would make sense to head over to Technet or narrow your study to a 
specific book on how Microsoft has implemented these fundamentals in 
Windows and what's achievable/recommended practices:

http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx
http://www.microsoft.com/learning/en/us/book.aspx?ID=9549&locale=en-us 



Cheers,
Tony

On 27/12/2011 7:49 PM, Tom Gao wrote:


Thanks for everyone's response

Many thanks Peter for your detailed response.

I am trying to understanding X509 better and also windows certificate 
store. As I haven't spent much time playing with certificates in the 
past. My initial assumption was after looking at my self generated 
certificate that in my test certificate generated using the command.


makecert -r -pe -n "CN= DevServer TestCert 26/12/2011 " -ss 
MyCertificateStore -sr localmachine


When opening certificate store in mmc, and browsing to the certificate 
location I could clearly see "Signature Algorithm" my initial 
assumption is that you can change this from "sha1RSA" to something 
else. My thoughts were about changing the signature algorithm to 
something else and not necessarily to AES. There didn't appear a way 
to do this via the certificate store. Actually I later realised that 
the only way to do this is at the time of generation for the certificate.


-a The signature algorithm

.  Default to 'sha1'

It would appear that makecert supports the following algorithms. 
However does that mean that the windows server 2008 certificate store 
only supports certificates with the above algorithm? My understanding 
of x509 certificate is that it PKI so then what about other PKI 
algorithms out there?


Also does this mean we can't create certificate for symmetric 
encryption? Does this then mean that windows certificate store do not 
support symmetric encryption?


I'm not trying to achieve anything just trying to understanding 
certificates and the certificate store better. Sorry for loads of 
silly questions. But I really just wanted to confirm my understanding.


Many thanks,

Tom

*From:*ozdotnet-boun...@ozdotnet.com 
[mailto:ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Peter Maddin

*Sent:* Tuesday, 27 December 2011 6:17 PM
*To:* 'ozDotNet'
*Subject:* RE: makecert fixed on RSA ?

For what's it's worth (from work I did ages ago).

RSA is an asymmetric cipher (as is Elliptic Curve(ECC)).

AES is a symmetric cipher as is Rijindael, twofish, OneFish, BlowFish etc.

I think AES is very similar or a variation of  Rijindael (see The 
Differences Between Rijndael and AES, 
http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-rijndael-and-aes.aspx).


As far as I understand it, as an asymmetric cipher is slow, it is used 
to encrypt exchange keys for a symmetric cipher (exchange keys are 
generally randomly generated) and to encrypt digital hashes (aka 
digital signatures). The DSA used to be the SHA-1 algorithm, but as 
this function has been broken, a better digital hash should be used 
(i.e. SHA-224, SHA-256, SHA-384, and SHA-512).


This forms the basis of PKI and asymmetric keys are mostly distributed 
using X.509 digital certificates. Certificates can be used to 
distribute both pairs of asymmetric keys (private and public) or just 
the public ones. The public keys are made publically available while 
private keys are kept as securely as possible. It does not make sense 
to distribute symmetric keys via X.509 certificates. I am not sure 
that this even possible. I think the Diffie--Hellman key exchange may 
work better 
(http

RE: makecert fixed on RSA ?

[Tom Gao]

 

Thanks for everyone's response

 

Many thanks Peter for your detailed response. 

 

I am trying to understanding X509 better and also windows certificate store.
As I haven't spent much time playing with certificates in the past. My
initial assumption was after looking at my self generated certificate that
in my test certificate generated using the command. 

makecert -r -pe -n "CN= DevServer TestCert 26/12/2011 " -ss
MyCertificateStore -sr localmachine

When opening certificate store in mmc, and browsing to the certificate
location I could clearly see "Signature Algorithm" my initial assumption is
that you can change this from "sha1RSA" to something else. My thoughts were
about changing the signature algorithm to something else and not necessarily
to AES. There didn't appear a way to do this via the certificate store.
Actually I later realised that the only way to do this is at the time of
generation for the certificate. 

-a   The signature algorithm

.  Default to 'sha1'

It would appear that makecert supports the following algorithms. However
does that mean that the windows server 2008 certificate store only supports
certificates with the above algorithm? My understanding of x509 certificate
is that it PKI so then what about other PKI algorithms out there? 

 

Also does this mean we can't create certificate for symmetric encryption?
Does this then mean that windows certificate store do not support symmetric
encryption? 

 

I'm not trying to achieve anything just trying to understanding certificates
and the certificate store better. Sorry for loads of silly questions. But I
really just wanted to confirm my understanding.

 

Many thanks,

Tom

 

 

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com]
On Behalf Of Peter Maddin
Sent: Tuesday, 27 December 2011 6:17 PM
To: 'ozDotNet'
Subject: RE: makecert fixed on RSA ? 

 

For what's it's worth (from work I did ages ago).

 

RSA is an asymmetric cipher (as is Elliptic Curve(ECC)).

AES is a symmetric cipher as is Rijindael, twofish, OneFish, BlowFish etc.

I think AES is very similar or a variation of  Rijindael (see The
Differences Between Rijndael and AES,
http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-r
ijndael-and-aes.aspx).

 

As far as I understand it, as an asymmetric cipher is slow, it is used to
encrypt exchange keys for a symmetric cipher (exchange keys are generally
randomly generated) and to encrypt digital hashes (aka digital signatures).
The DSA used to be the SHA-1 algorithm, but as this function has been
broken, a better digital hash should be used (i.e. SHA-224, SHA-256,
SHA-384, and SHA-512).  

This forms the basis of PKI and asymmetric keys are mostly distributed using
X.509 digital certificates. Certificates can be used to distribute both
pairs of asymmetric keys (private and public) or just the public ones. The
public keys are made publically available while private keys are kept as
securely as possible. It does not make sense to distribute symmetric keys
via X.509 certificates. I am not sure that this even possible. I think the
Diffie-Hellman key exchange may work better
(http://www.codeproject.com/KB/security/DiffieHellmanExample.aspx) for
exchanging symmetric cipher keys.

 

To substantiate non repudiation of encrypted data, a third party certificate
authority (VeriSign, Thawte) is normally used. If you generate your own
certificates, the encryption will work but the aspect of non repudiation is
weakened. 

 

The most common asymmetric cipher used to support PKI is RSA and as far as I
know the only one supported within the .NET framework. 

 

If you want to outside what the .NET framework supports, I suggest you look
at what Bouncy Castle provides

http://www.bouncycastle.org/csharp/ as well as other suppliers of
Cryptography ciphers.

 

If you want a comparison of cipher vendors, Kellerman software compares
theirs with some others as well as the .NET framework (may be a bit
out-dated now).

http://www.kellermansoftware.com/p-17-net-encryption-library.aspx and click
on the link Download the full list of features.
 

 

Regards Peter Maddin
Applications Development Officer
PathWest Laboratory Medicine WA
Phone : +618 6396 4285 (Monday, Wednesday,Friday)

Phone : +618 9346 4372 (Tuesday, Thursday)
Mobile: 0423 540 825 
E-Mail : petermad...@iinet.net.au; peter.mad...@health.wa.gov.au
The contents of this e-mail transmission outside of the WAGHS network are
intended solely for the named recipient's), may be confidential, and may be
privileged or otherwise protected from disclosure in the public interest.
The use, reproduction, disclosure or distribution of the contents of this
e-mail transmission by any person other than the named recipient(s) is
prohibited. If you are not a named recipient please notify the sender
immediately.

 

 

From: ozdotnet-boun...@ozdotne