Difference between revisions of "Private Key Component"
(→Solutions) |
(→Windows Specific Technology) |
||
| Line 18: | Line 18: | ||
* NIST SP 800-63-3B established authentication assurance level (AAL) the reports the protection level of the user's private key components. | * NIST SP 800-63-3B established authentication assurance level (AAL) the reports the protection level of the user's private key components. | ||
===Windows Specific Technology=== | ===Windows Specific Technology=== | ||
| + | Windows has two cryptography technologies that use quite different technologies to protect [[Private Key Component]s. | ||
| + | ====Cryptographic API (CAPI)==== | ||
| + | This technology is based on the original bcrypt libraries acquired from RSA in the last century. The Private Key is protected in the Windows Registry as a part of the certificate key store using the Cryptographic Service Provider (CSP) specific to the type of private key. It was extended in later years to handle keys in hardware like smart cards and HSMs, but the marriage was awkward. | ||
| + | ====Cryptography Next Generation (CNG)==== | ||
| + | This is new technology that created the abstraction know a a Key Storage Provider (KSP) to differentiate the function of protecting the [[Private Key Component]] from the function of storing credentials that could be renew every year while the KSP was unaffected. | ||
==References== | ==References== | ||
Revision as of 12:34, 26 July 2020
Contents
Full Title or Meme
Good Public Key Cryptography is dependent on the absolute protection of the Private Key Component of the public/private key pair.
Scope/Goal
- The goal of a Private Key Component is give the user an Authentication factor that can be completely within their control.
- Should some other technology for the use of secret data be found beyond the Private Key Component, it is expected that this wiki page should apply to that new technology as well.
Context
- Protecting one's secret information, in the modern age of computers, has become synonymous with protect a secret key or a Private Key Component of a key pair.
- This wiki uses the term Credential for any secret held by a device that can be used in authenticating a user. The best known credential (2020) is a well-protected private key component.
- Another technology that antedates Public Key technology is a shared secret, such as those used in creating One Time Passwords (OTP). Those continue to be useful.
Problems
- Governments have been the primary customers for keeping secrets and, so, the primary customers for cryptography.
- The challenge with providing good secrecy became a challenge to (1) find a good cryptography algorithm and (2) getting the cryptographic key security into the hands of those who need it.
Solutions
- NIST SP 800-63-3B established authentication assurance level (AAL) the reports the protection level of the user's private key components.
Windows Specific Technology
Windows has two cryptography technologies that use quite different technologies to protect [[Private Key Component]s.
Cryptographic API (CAPI)
This technology is based on the original bcrypt libraries acquired from RSA in the last century. The Private Key is protected in the Windows Registry as a part of the certificate key store using the Cryptographic Service Provider (CSP) specific to the type of private key. It was extended in later years to handle keys in hardware like smart cards and HSMs, but the marriage was awkward.
Cryptography Next Generation (CNG)
This is new technology that created the abstraction know a a Key Storage Provider (KSP) to differentiate the function of protecting the Private Key Component from the function of storing credentials that could be renew every year while the KSP was unaffected.
References
- Also see this wiki page Self-signed Certificate.
- Accessing and using certificate private keys in .NET Framework/.NET Core describes the mess created when Microsoft switched from their legacy CAPI key storage API to the CNG (Crypto Next Generation) key storage. The mess continues to this day.
