Solved

Order the encryption and hashing algorithms in order of preference within the CSP?

Posted on 2015-01-22
Last Modified: 2015-01-26
We have a two-tier PKI hierarchy configured (offline root, subordinate CA) running on Microsoft Server 2012 R2. We're in the process of configuring LDAPS in our environment (and it's configured and working in our test environment). The problem is we require AES256 to be used and I am trying to figure out how to force it on the connection when another server makes an LDAP query. Connecting with ldp.exe (and enabling the LDAP_OPT_SSL_INFO option), it's showing a cipher strength of 128 bits.

I'm guessing that on the CA side the cryptographic storage provider (CSP) that is selected determines which encryption options are available. Based on what the client has available, the client/server negotiate the highest level of encryption they can both agree on.

The certificate template that I used (which is based off of the Kerberos Authentication template) has "Microsoft RSA SChannel Cryptographic Provider" selected only. After doing some searching I am unable to determine if this would allow AES256.

So here are my questions:

1. Assuming my thinking (above) is correct on how CSPs work with Microsoft Certificate Services, which CSP should be used to allow AES256 - and if multiple support AES256 - which one is recommended? If not, please clarify how this works.

2. Is there a way to order the encryption and hashing algorithms in order of preference within the CSP (via the registry or something)?
Question by:meade470
Assisted Solution

by:Mahesh
Mahesh earned 1000 total points
ID: 40566253
AES 256 encryption support was added starting with Windows Vista.

SHA and MD are hashing algorithms, and AES is the Advanced Encryption Standard.
SHA isn't encryption; it's a one-way hash function. AES (Advanced Encryption Standard) is a symmetric encryption standard.
SHA is used to generate a hash of data and AES is used to encrypt data.

By default, CAs on 2008 and above are not prepared for AES 256.
You need to run certain commands to make it AES 256 compliant.

Check "Configure CA encryption Settings" in the article below to find the commands:
https://technet.microsoft.com/en-us/library/ff829847(v=ws.10).aspx

Also, you can create Suite-B compliant V3 templates (2008 mode) by duplicating an existing template.
Check "Creating Suite-B compliant Certificate templates" in the above article.

Test the above in a test lab first.

Accepted Solution

by:
btan earned 1000 total points
ID: 40567871
You should be able to dictate this through use of the CA certificate template; see this. Windows Server 2012 introduces the option to order the cryptographic service providers (CSPs) or key storage providers (KSPs) on the Cryptography tab. Inside you should be able to see the Algorithm name & Minimum key size and should be able to select the CSP. It can also be enforced in Certutil as stated in Mahesh's posting. The CSP should be Next Gen Crypto (which you will see in the listing of CSPs with a "#" sign).
http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx

The full setup of a 2012 CA is found in this blog, and if you look at the certutil commands at step 34, it states the following:
certutil -setreg CA\EncryptionCSP\CNGEncryptionAlgorithm AES
certutil -setreg CA\EncryptionCSP\SymmetricKeySize 256
http://security-24-7.com/windows-2012-r2-certification-authority-installation-guide/
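
To confirm what an LDAPS connection actually negotiates after any change (the same check the question performs with ldp.exe and LDAP_OPT_SSL_INFO), the cipher can be read from a scripted TLS handshake. This is an added example, not code from the thread or the linked articles; the function names and the host `dc01.corp.example` are placeholders.

```powershell
# Added example: report the TLS parameters an LDAPS endpoint negotiates with this client.
# 'dc01.corp.example' is a placeholder host name, not a value from the thread.
function Get-LdapsCipherInfo {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Default certificate validation: the handshake throws if the server
        # certificate is untrusted or does not match $Server.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Server)
            [pscustomobject]@{
                Server          = $Server
                Protocol        = $ssl.SslProtocol
                CipherAlgorithm = $ssl.CipherAlgorithm
                CipherStrength  = $ssl.CipherStrength
                HashAlgorithm   = $ssl.HashAlgorithm
                KeyExchange     = $ssl.KeyExchangeAlgorithm
                CertSubject     = $ssl.RemoteCertificate.Subject
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

function Test-LdapsAes256 {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $info = Get-LdapsCipherInfo -Server $Server -Port $Port
    # Require both the algorithm and the key length, so AES-128 is flagged.
    $aes256 = [System.Security.Authentication.CipherAlgorithmType]::Aes256
    $ok = ($info.CipherAlgorithm -eq $aes256) -and ($info.CipherStrength -ge 256)
    if (-not $ok) {
        Write-Warning ("{0}:{1} negotiated {2} at {3} bits" -f `
            $Server, $Port, $info.CipherAlgorithm, $info.CipherStrength)
    }
    $info | Add-Member -NotePropertyName MeetsAes256 -NotePropertyValue $ok -PassThru
}

# Usage (placeholder host): run from the server that will make the LDAP queries.
Test-LdapsAes256 -Server 'dc01.corp.example'
```

On Windows, `SslStream` goes through Schannel, so the result reflects what this particular client and the domain controller agree on; run it from each machine that will query LDAPS.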