Writing Secure Code for Windows Vista (Best Practices (Microsoft))
CNG offers a number of newer algorithms; the most notable, and probably the most important, is support for Suite B. Tables 7-1 and 7-2 outline all the algorithms supported by the default CNG providers in Windows Vista.

Algorithm | #define | Standard | Allowed by SDL? | Suite B? |
---|---|---|---|---|
RC2 | BCRYPT_RC2_ALGORITHM | RFC2288 | | |
RC4 | BCRYPT_RC4_ALGORITHM | | Yes[*] | |
AES | BCRYPT_AES_ALGORITHM | FIPS 197 | Yes | Yes |
DES | BCRYPT_DES_ALGORITHM | FIPS 46-3, FIPS 81 | | |
DESX | BCRYPT_3DES_ALGORITHM | | | |
3DES | BCRYPT_DESX_ALGORITHM | FIPS 46-3, FIPS 81, SP800-38A | | |
3DES-112 | BCRYPT_3DES_112_ALGORITHM | FIPS 46-3, FIPS 81, SP800-38A | | |
MD2 | BCRYPT_MD2_ALGORITHM | RFC 1319 | | |
MD4 | BCRYPT_MD4_ALGORITHM | RFC 1320 | | |
MD5 | BCRYPT_MD5_ALGORITHM | FC 132 | | |
SHA-1 | BCRYPT_SHA1_ALGORITHM | FIPS 180-2, FIPS 198 | | |
SHA-256 | BCRYPT_SHA256_ALGORITHM | FIPS 180-2, FIPS 198 | Yes | Yes |
SHA-384 | BCRYPT_SHA384_ALGORITHM | FIPS 180-2, FIPS 198 | Yes | Yes |
SHA-512 | BCRYPT_SHA512_ALGORITHM | FIPS 180-2, FIPS 198 | Yes | Yes |
RSA (encryption) | BCRYPT_RSA_ALGORITHM | PKCS#1 v1.5 and v2.0 | Yes | |
RSA (signing) | BCRYPT_RSA_SIGN_ALGORITHM | PKCS#1 v1.5 and v2.0 | Yes | |
Diffie-Hellman | BCRYPT_DH_ALGORITHM | PKCS#3 | | |
Digital Signature Algorithm | BCRYPT_DSA_ALGORITHM | FIPS 186-2 | | |

[*] RC4 is only allowed after full cryptographic review.


Algorithm | #define | Standard |
---|---|---|
Elliptic Curve Digital Signature Algorithm with Prime-256 curve | BCRYPT_ECDSA_P256_ALGORITHM | FIPS 186-2, X9.62 |
Elliptic Curve Digital Signature Algorithm with Prime-384 curve | BCRYPT_ECDSA_P384_ALGORITHM | FIPS 186-2, X9.62 |
Elliptic Curve Digital Signature Algorithm with Prime-521 curve | BCRYPT_ECDSA_P521_ALGORITHM | FIPS 186-2, X9.62 |
Elliptic Curve Diffie-Hellman Algorithm with Prime-256 curve | BCRYPT_ECDH_P256_ALGORITHM | SP800-56A |
Elliptic Curve Diffie-Hellman Algorithm with Prime-384 curve | BCRYPT_ECDH_P384_ALGORITHM | SP800-56A |
Elliptic Curve Diffie-Hellman Algorithm with Prime-521 curve | BCRYPT_ECDH_P521_ALGORITHM | SP800-56A |

Note: SHA-256, SHA-384, and SHA-512 are collectively referred to as SHA-2 and are available on Windows Vista (in CAPI and CNG) and Windows Server 2003 (in CAPI), and all supported Windows platforms via the .NET Framework.

Note: All of the above are approved for use in the SDL, are Suite B compliant, and are new to CNG.

CNG also supports two kinds of random number generators (RNGs), and both are allowed under the SDL: BCRYPT_RNG_ALGORITHM and BCRYPT_RNG_FIPS186_DSA_ALGORITHM. Most applications should use the former, but if you are using DSA, you should use the latter. Both RNGs conform to FIPS 186-2 and FIPS 140-2.
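
The "Allowed by SDL?" column of Table 7-1, the contents of Table 7-2 and the two RNGs can be turned into a source-code check. The following is an added example, not code from the book: it scans C source for `BCRYPT_*_ALGORITHM` identifiers and reports any that the tables do not mark as allowed. The function names, verdict strings and sample source are constructed for illustration.

```python
import re

# "Yes" in the SDL column of Table 7-1, all of Table 7-2, and both RNGs.
ALLOWED = {
    "AES", "SHA256", "SHA384", "SHA512", "RSA", "RSA_SIGN",
    "ECDSA_P256", "ECDSA_P384", "ECDSA_P521",
    "ECDH_P256", "ECDH_P384", "ECDH_P521",
    "RNG", "RNG_FIPS186_DSA",
}
# "Yes[*]": allowed only after full cryptographic review.
REVIEW = {"RC4"}
# Listed in Table 7-1 without a "Yes" in the SDL column.
NOT_ALLOWED = {"RC2", "DES", "DESX", "3DES", "3DES_112",
               "MD2", "MD4", "MD5", "SHA1", "DH", "DSA"}

_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_ALG = re.compile(r"\bBCRYPT_(\w+?)_ALGORITHM\b")


def _blank_comments(src):
    # Keep only the newlines of each comment so line numbers stay correct.
    return _COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)


def scan(src):
    """Return (line, identifier, verdict) for each use not marked allowed."""
    findings = []
    for lineno, line in enumerate(_blank_comments(src).splitlines(), 1):
        for m in _ALG.finditer(line):
            name = m.group(1)
            if name in ALLOWED:
                continue
            if name in REVIEW:
                verdict = "needs-crypto-review"
            elif name in NOT_ALLOWED:
                verdict = "not-allowed"
            else:
                verdict = "unknown"  # identifier is not in either table
            findings.append((lineno, m.group(0), verdict))
    return findings


# Constructed sample input: one commented-out call and four live calls.
SAMPLE = r'''
#include <bcrypt.h>
/* legacy: BCryptOpenAlgorithmProvider(&h, BCRYPT_DES_ALGORITHM, NULL, 0);
   removed in review */
BCryptOpenAlgorithmProvider(&hHash, BCRYPT_MD5_ALGORITHM, NULL, 0);
BCryptOpenAlgorithmProvider(&hAes,  BCRYPT_AES_ALGORITHM, NULL, 0);
BCryptOpenAlgorithmProvider(&hRc4,  BCRYPT_RC4_ALGORITHM, NULL, 0); // stream
BCryptOpenAlgorithmProvider(&hRng,  BCRYPT_RNG_ALGORITHM, NULL, 0);
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("line %d: %s -> %s" % finding)
```

The check matches only the macro names; a call that passes the algorithm name as a string literal instead of the `#define` is not detected.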