
dotnet security : What encryption algorithm is used by NegotiateStream?


Gary Feldman
6/5/2006 1:37:01 PM
Does anyone know which encryption algorithm is used by NegotiateStream for
encrypting the content? I can't find this anywhere in the documentation.

And how long is the key, if that's not implied by the algorithm?

Thanks,

Joe Kaplan (MVP - ADSI)
6/6/2006 4:10:33 PM
Unfortunately, it isn't that straightforward as the encryption is whatever
is negotiated by the negotiate protocol. This in turn varies based on OS
version and SP level and also potentially by which auth protocol was
negotiated (Kerb or NTLM). Based on what I've seen in the SSPI
documentation, they don't really say much about the ciphers and key lengths.
I do know that with Win2K3, you will get at least a 128 bit key with RC2
when Kerb is used.

I'm pretty sure this stuff is discovered in SSPI via QueryContextAttributes,
but I'm not sure how you get that in .NET.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Gary Feldman
6/7/2006 3:42:03 PM
Thanks. Your reply triggered my memory of looking at the Microsoft
CryptoAPI several years ago, including seeing a table of CSPs that normally
ship with each operating system (but which I can't find anymore).

Intuitively, the implementation should either be using one of the providers
defined in system.security.cryptography, or one that's available via the
CryptoAPI. Correct? If the latter, they can be found in the registry, but
it's not clear how .Net may get repackaged for different countries. Or
perhaps the .Net system.security.cryptography package is the same everywhere,
and it's the presence or absence of the underlying CSP that determines
whether or not that particular feature is available.

That still leaves one question in my mind: is there any insight into how
the negotiate protocol picks one from the available matches?

Joe Kaplan (MVP - ADSI)
6/7/2006 9:16:26 PM
The thing to know is that NegotiateStream is just a wrapper around SSPI.
The .NET code doesn't do anything to negotiate the encryption. The
encryption that gets used will depend a great deal on the OS versions on
both ends of the stream and whether Kerberos or NTLM is used as the
underlying negotiated protocol. With 2003 server at both ends, you'll get
higher encryption strength and will get encryption whether Kerberos or NTLM
is used. If Win2K is used, it depends on the service pack version.

There is probably some documentation somewhere that says which ciphers are
supported by which OS revs for SSPI, but I haven't spotted it yet.

Like I said, with SSPI, you can call QueryContextAttributes to find out the
ciphers used and the key length (and the actual session key), but that does
not seem to be exposed to .NET.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
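
The practical consequence of Joe's answer is that the cipher and key length stay inside SSPI, but .NET does expose whether the negotiated context actually signs and encrypts, and which package (Kerberos or NTLM) SPNEGO settled on. The following is an added example, not code from the thread or from Microsoft: it negotiates a NegotiateStream over loopback with ProtectionLevel.EncryptAndSign on both ends and then refuses to use the channel unless IsAuthenticated, IsEncrypted and IsSigned all hold. The port number is a constructed value, and the empty target name on the client side means SPNEGO will fall back to NTLM (so IsMutuallyAuthenticated will be false); supplying a real SPN such as HOST/servername is what lets Kerberos be chosen.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.Threading;

// Added example: verify what SSPI negotiated for a NegotiateStream before trusting it.
class NegotiateStreamCheck
{
    const int Port = 11000; // constructed value for this example

    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        var serverThread = new Thread(() => RunServer(listener));
        serverThread.Start();

        using (var client = new TcpClient("localhost", Port))
        using (var ns = new NegotiateStream(client.GetStream(), false))
        {
            // Empty target SPN: SPNEGO falls back to NTLM here. Pass a real SPN
            // (e.g. "HOST/servername") to permit Kerberos and mutual authentication.
            ns.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, "",
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            RequireProtected(ns, "client");

            byte[] msg = Encoding.UTF8.GetBytes("hello over a signed+encrypted context");
            ns.Write(msg, 0, msg.Length);
        }

        serverThread.Join();
        listener.Stop();
    }

    static void RunServer(TcpListener listener)
    {
        using (var conn = listener.AcceptTcpClient())
        using (var ns = new NegotiateStream(conn.GetStream(), false))
        {
            // Demanding EncryptAndSign on the server means a peer that can only
            // sign (or do neither) fails authentication instead of downgrading.
            ns.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            RequireProtected(ns, "server");

            var buf = new byte[1024];
            int n = ns.Read(buf, 0, buf.Length);
            Console.WriteLine("server received: " + Encoding.UTF8.GetString(buf, 0, n));
        }
    }

    // The cipher and key length are not surfaced by .NET (QueryContextAttributes is
    // not exposed), but these properties tell you whether the context is protected
    // and which package was negotiated, which is what the cipher depends on.
    static void RequireProtected(NegotiateStream ns, string side)
    {
        if (!ns.IsAuthenticated || !ns.IsEncrypted || !ns.IsSigned)
            throw new AuthenticationException(side + ": context is not encrypted and signed");

        Console.WriteLine("{0}: package={1}, mutual={2}, encrypted={3}, signed={4}",
            side,
            ns.RemoteIdentity.AuthenticationType, // "Kerberos" or "NTLM"
            ns.IsMutuallyAuthenticated,
            ns.IsEncrypted,
            ns.IsSigned);
    }
}
```

Requesting EncryptAndSign rather than accepting the default also matters on the server side: it is the server's ProtectionLevel that decides whether an unencrypted client context is rejected or silently accepted.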

Dominick Baier [DevelopMentor]
6/8/2006 12:00:00 AM
CSPs are "drivers" for cryptographic hardware like your CPU or SmartCards,
used for (asymmetric) key generation/operations. This has nothing to do
with SPNEGO.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
