After a pen test I have to implement a more strict Azure policy on the Web server.
As a result, client PCs running older versions of Windows, i.e., Vista and Windows 7, can no longer establish a TLS/SSL connection using .NET Framework 4.8. I need to have a secure policy whilst allowing older Windows OSes to connect.
I have checked the supported Cipher Suites for Windows 7 and one of the supported Cipher Suites (I am only focusing on one for the sake of simplicity) is:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
Whereas Azure supports
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
It appears that the Cipher names have to be an exact match.
Is the Elliptic Curve P256 just a variant of TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA or is it completely different?
Is there another approach I should adopt or am I trying to do the impossible?
I tried configuring Azure with the non-Elliptic-Curve variants but they were not available.
I am unable to modify the Windows machines that are attempting to connect to Azure.
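The two names in the question are the same cipher suite written by two conventions: the _P256 suffix is how Windows 7's Schannel names the elliptic curve (NIST P-256) that goes with the suite, while the IANA name that Azure lists never carries a curve, because the curve is negotiated separately from the suite during the handshake. Later Windows versions dropped the suffix from the name as well. Whether a CBC/SHA-1 suite should survive a stricter policy is a separate judgement from the naming. The Go program below is an added example, not code from the question, from Azure or from Microsoft: it normalizes the Windows spelling, intersects a client list with a server list, and pins the agreed suites and curves into a tls.Config. The two lists in main are constructed from the two names in the question.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed example (not from the question and not Azure's or Microsoft's
// code). Windows 7 spells a suite with the curve appended (_P256, _P384,
// _P521); Azure and every other stack use the IANA name, which carries no
// curve. These helpers normalize the Windows spelling, intersect the two
// lists, and pin the result plus the curve into a tls.Config.

// windowsCurves maps a Schannel suite-name suffix to Go's curve id.
var windowsCurves = map[string]tls.CurveID{
	"_P256": tls.CurveP256,
	"_P384": tls.CurveP384,
	"_P521": tls.CurveP521,
}

// SplitSchannelName strips the curve suffix from a Windows 7 style name and
// returns the IANA name, the curve (0 if none) and whether a suffix was there.
func SplitSchannelName(name string) (string, tls.CurveID, bool) {
	for suffix, curve := range windowsCurves {
		if strings.HasSuffix(name, suffix) {
			return strings.TrimSuffix(name, suffix), curve, true
		}
	}
	return name, 0, false
}

// SuiteID looks an IANA name up in Go's own suite tables so the result can be
// fed to tls.Config; ok is false for names Go does not implement.
func SuiteID(ianaName string) (id uint16, ok bool) {
	all := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	for _, cs := range all {
		if cs.Name == ianaName {
			return cs.ID, true
		}
	}
	return 0, false
}

// CommonSuites returns the IANA names shared by a client list in Windows
// spelling and a server list in IANA spelling, and the curves the client
// names asked for, in client order and without duplicates.
func CommonSuites(clientNames, serverNames []string) ([]string, []tls.CurveID) {
	serverHas := map[string]bool{}
	for _, n := range serverNames {
		serverHas[n] = true
	}
	var common []string
	var curves []tls.CurveID
	seen := map[tls.CurveID]bool{}
	for _, cn := range clientNames {
		iana, curve, hasCurve := SplitSchannelName(cn)
		if !serverHas[iana] {
			continue
		}
		common = append(common, iana)
		if hasCurve && !seen[curve] {
			seen[curve] = true
			curves = append(curves, curve)
		}
	}
	return common, curves
}

// ServerConfig pins exactly the agreed suites and curves. It is TLS 1.2 only:
// the older clients in the question cannot do TLS 1.3, and anything below
// 1.2 defeats the point of a stricter policy.
func ServerConfig(common []string, curves []tls.CurveID) *tls.Config {
	cfg := &tls.Config{
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
		CurvePreferences: curves,
	}
	for _, n := range common {
		if id, ok := SuiteID(n); ok {
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	return cfg
}

func main() {
	// Constructed lists: the one suite from the question, as each side spells it.
	client := []string{"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256"}
	server := []string{"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"}
	common, curves := CommonSuites(client, server)
	cfg := ServerConfig(common, curves)
	fmt.Printf("common=%v curves=%v suite ids=%x\n", common, curves, cfg.CipherSuites)
}
```

Run as-is it reports the one shared suite with id c00a and the P-256 curve; feeding it the full Windows 7 list and the Azure list instead of the two single names gives the real overlap, and an empty result means the policy and the old clients genuinely have no suite in common.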
We will start using Microsoft Intune for all our devices soon, and while configuring Intune, the question came up of which certificate to choose, for authentication etc.
I have followed this link and others similar: https://learn.microsoft.com/en-us/intune/certificates-configure
However, these links only explain how to install CAs, configure settings etc. I cannot find a clear differentiation between the 2 certificates (SCEP and PFX) and why one would choose one over the other.
Are there any general guidelines to follow?
Edit: Our devices are mostly company laptops, with Windows 10.
It's hard to say how to choose one kind rather than the other. It really depends on what devices you're using and what platforms those devices run:
You can create and assign a PKCS or SCEP certificate profile for devices running the following platforms:
iOS 8.0 and later
Android 4.0 and later
Android for Work
Windows 10 (desktop and mobile) and later
You can only use a SCEP certificate profile for devices running the following platforms:
macOS 10.9 and later
Windows Phone 8.1 and later
So, it's clear that if your devices are using the macOS 10.9 and later or Windows Phone 8.1 and later platforms, you must choose to use SCEP certificates.
Also, it sometimes depends on which CA your network devices support. E.g., if your VPN devices only support a SCEP CA, you just need to use a SCEP CA.
You can also refer to this Tech Note of Cisco to find more details about SCEP and PKCS.
For the same devices:
If you are building a prototype or a small, non-critical service, then go with PKCS12.
If you use SCEP profiles, you need to configure a Network Device Enrollment Service (NDES) server. So, if you are building a serious product (production and touching devices of people with sensitive info), then go with SCEP (you can get free SCEP servers; it's not that complex).
Hope this helps!
I know that an MDM Client is an integral part of Windows 10 and hence it is available on any device running Windows 10. The following link explains MDM on Windows 10 in great detail and depth:
https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-mobile-and-mdm
However, I am curious to know (and code) whether it is possible to write a custom MDM Client for Windows 10 Mobile/Desktop/Device, and how.
Thanks!!
That is not possible, simply because there are no MDM APIs exposed by the OS.
You could write an app that talks to your server and executes commands in sequence, which would mimic the base flow of an MDM protocol. However, the app will be very limited in terms of what it can actually achieve. E.g. you won't be able to install apps, configure accounts, etc.
You could install certificates, although I am not sure those will be available system-wide, and get the basic device info (network hw addresses, battery level etc).
This is continuation of my previous post (Understanding BCryptSignHash output signature).
Let me clearly state my problem:
I need to sign data at the Windows application level.
I need to verify the same at the Linux application level and in a Windows driver (that I have written).
I tried the following:
Using CryptoAPI, I was able to sign at the Windows application level and verify in the Windows driver. In Linux, I tried to use simpleECDSA (http://jonasfj.dk/blog/2007/12/simpleecdsa-a-simple-implementation-of-ecdsa-in-c/) to verify the signature (generated using CryptoAPI). I was able to convert the binary key blobs from CryptoAPI in simpleECDSA but could not interpret the signature.
Using the Crypto++ library, I was able to sign at the Windows application level and verify at the Linux application level but could not use the same to verify in the Windows driver.
Kindly let me know if there is a library available or a way that I could use the same public/private key and signature across Windows application/driver and Linux.
I am new to cryptography, hence forgive my naiveness.
Thanks,
F
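The symptom in this post (keys convert fine, the signature cannot be interpreted) is typically a signature-encoding mismatch rather than a key problem. BCryptSignHash returns an ECDSA signature as the two integers r and s, each padded to the curve size and concatenated (the IEEE P1363 form); OpenSSL-based code on Linux expects the ASN.1 DER form SEQUENCE { INTEGER r, INTEGER s }, and Crypto++ ships DSAConvertSignatureFormat for exactly this conversion. Re-encoding between the two lets one key pair and one signature serve the Windows application, the Windows driver and the Linux verifier. The Go program below is an added example, not the poster's code and not from any of the libraries named in the thread: it implements both encodings, converts a freshly made P-256 signature from one to the other and back, and verifies it. The key, message and curve choice are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// Constructed example, not code from the thread or from any named library.
// One ECDSA (r, s) pair can be written two ways:
//   P1363: r and s each left-padded to the curve size and concatenated,
//          which is how BCryptSignHash hands back an ECDSA signature;
//   DER:   ASN.1 SEQUENCE { INTEGER r, INTEGER s }, what OpenSSL-based
//          code on Linux expects.

type derSig struct{ R, S *big.Int }

// coordBytes is the byte length of one curve coordinate (32 for P-256).
func coordBytes(c elliptic.Curve) int { return (c.Params().BitSize + 7) / 8 }

// padLeft returns v as exactly n big-endian bytes.
func padLeft(v *big.Int, n int) []byte {
	b := v.Bytes()
	out := make([]byte, n)
	copy(out[n-len(b):], b)
	return out
}

// ToP1363 encodes (r, s) as the fixed-width concatenation r||s.
func ToP1363(c elliptic.Curve, r, s *big.Int) []byte {
	n := coordBytes(c)
	return append(padLeft(r, n), padLeft(s, n)...)
}

// FromP1363 splits r||s back into integers and rejects any other length.
func FromP1363(c elliptic.Curve, sig []byte) (*big.Int, *big.Int, error) {
	n := coordBytes(c)
	if len(sig) != 2*n {
		return nil, nil, fmt.Errorf("want %d bytes of r||s, got %d", 2*n, len(sig))
	}
	return new(big.Int).SetBytes(sig[:n]), new(big.Int).SetBytes(sig[n:]), nil
}

// ToDER encodes (r, s) as SEQUENCE { INTEGER, INTEGER }.
func ToDER(r, s *big.Int) ([]byte, error) { return asn1.Marshal(derSig{r, s}) }

// FromDER decodes a DER signature and refuses trailing bytes.
func FromDER(sig []byte) (*big.Int, *big.Int, error) {
	var d derSig
	rest, err := asn1.Unmarshal(sig, &d)
	if err != nil {
		return nil, nil, err
	}
	if len(rest) != 0 {
		return nil, nil, errors.New("trailing bytes after DER signature")
	}
	return d.R, d.S, nil
}

// RoundTrip signs msg on P-256, writes the signature in the Windows (P1363)
// form, re-encodes it as DER for the Linux side, decodes that and verifies.
// It returns true only if the DER form verifies and converts back byte for
// byte to the original P1363 form.
func RoundTrip(msg []byte) (bool, error) {
	curve := elliptic.P256()
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return false, err
	}
	h := sha256.Sum256(msg)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return false, err
	}
	raw := ToP1363(curve, r, s) // what the Windows application would emit
	r1, s1, err := FromP1363(curve, raw)
	if err != nil {
		return false, err
	}
	der, err := ToDER(r1, s1) // what the Linux verifier wants
	if err != nil {
		return false, err
	}
	r2, s2, err := FromDER(der)
	if err != nil {
		return false, err
	}
	back := ToP1363(curve, r2, s2) // and back again for the Windows driver
	return ecdsa.Verify(&priv.PublicKey, h[:], r2, s2) && string(back) == string(raw), nil
}

func main() {
	ok, err := RoundTrip([]byte("constructed message"))
	fmt.Println("round trip verified:", ok, "err:", err)
}
```

The length check in FromP1363 matters in the driver direction: a DER signature is variable length (it shrinks when r or s has leading zero bytes), so a verifier that expects fixed-width r||s must reject anything that is not exactly twice the coordinate size rather than guess where r ends.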
I have multiple applications which work with one centralized Oracle database.
The applications are targeted on following platforms:
iPhone
Android
Windows (XP, Vista and 7)
Linux
Mac Os
Web applications (ASP.NET, PHP and JSP)
I want to know which kind of cipher I should use to make sure all my encrypted data will be readable (decrypted) by all my applications.
E.g. 3DES or RIJNDAEL_256 or TWOFISH256?
You should be able to implement those ciphers on all of the target platforms you mentioned.
As for which to use, I'd suggest Rijndael (AES) since it has received a lot of attention and has a proven security track-record.
http://gpg4browsers.recurity.com/ has JS implementations for all ciphers you mentioned.
All OSes you mentioned support all of these ciphers either directly or via mcrypt.
This reduces the question to opinionizing, so here is my opinion: do NOT standardize (in the sense of hardcode) on any of those ciphers, but invest the one-time penalty to develop your apps and protocols in a way that allows them to handshake the cipher used. This way you can trade speed for security now and are open for developments in cryptography (or cryptanalysis).
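What "handshake the cipher used" can look like for data at rest in a shared database, as an added example that is not code from either answer: every stored ciphertext starts with a one-byte algorithm tag, readers on any platform dispatch on the tag, and introducing a new cipher means registering a new tag rather than re-encrypting or re-deploying everything at once. The two registered algorithms are AES-128-GCM and AES-256-GCM, i.e. the AES the first answer recommends in an authenticated mode. The tag values, the envelope layout and the throwaway key are this example's own choices, not a standard.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example, not code from either answer. Rather than hard-coding
// one cipher into every client, each stored ciphertext starts with a one-byte
// algorithm tag; readers on any platform dispatch on it, and a new cipher is
// a new tag rather than a migration of every client. The tag values and the
// envelope layout (tag || nonce || ciphertext+auth tag) are this example's own.

const (
	AlgAES128GCM byte = 0x01
	AlgAES256GCM byte = 0x02
)

// keyLen maps an algorithm tag to the key size its cipher requires.
var keyLen = map[byte]int{AlgAES128GCM: 16, AlgAES256GCM: 32}

// aead builds the AEAD for a tag and refuses unknown tags or mismatched keys.
func aead(alg byte, key []byte) (cipher.AEAD, error) {
	n, ok := keyLen[alg]
	if !ok {
		return nil, fmt.Errorf("unknown algorithm tag 0x%02x", alg)
	}
	if len(key) != n {
		return nil, fmt.Errorf("algorithm 0x%02x needs a %d-byte key, got %d", alg, n, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the named algorithm. The tag byte is also
// passed as associated data, so changing it on disk breaks authentication
// instead of silently selecting another cipher.
func Seal(alg byte, key, plaintext []byte) ([]byte, error) {
	a, err := aead(alg, key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	envelope := append([]byte{alg}, nonce...)
	return a.Seal(envelope, nonce, plaintext, []byte{alg}), nil
}

// Open reverses Seal; it rejects unknown tags, truncated input and any
// modification of the envelope.
func Open(key, envelope []byte) ([]byte, error) {
	if len(envelope) == 0 {
		return nil, errors.New("empty envelope")
	}
	alg := envelope[0]
	a, err := aead(alg, key)
	if err != nil {
		return nil, err
	}
	ns := a.NonceSize()
	if len(envelope) < 1+ns+a.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[1:1+ns], envelope[1+ns:]
	return a.Open(nil, nonce, ct, []byte{alg})
}

func main() {
	key := make([]byte, 32) // constructed throwaway key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	env, err := Seal(AlgAES256GCM, key, []byte("row for the shared Oracle table"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, env)
	fmt.Printf("tag=0x%02x plaintext=%q err=%v\n", env[0], pt, err)
}
```

The same tag byte can later map to a per-algorithm key as well, so a key rotation or a cipher change becomes "write with the new tag, read both until the old rows are gone" instead of a flag day across every iPhone, Android, desktop and web client.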
I need a way to protect a private key on a mobile device.
I know in "Writing Secure Code" chapter "Protecting Secret Data" says "Windows CE" cannot be used in secure environments. But the book is many years old now, 2003.
Is this still the case? Tell me it ain't so. There has to be a way to secure a private key today.
The DPAPI is embodied in a set of Win32 functions, CryptProtectData and CryptUnprotectData. These functions are available on Windows CE and Windows Mobile platforms (see links), although I don't know at what version they added support.
The .NET wrapper for the DPAPI is the ProtectedData class in System.Security.Cryptography namespace (assembly System.Security.dll). However, I don't think .NET Compact Framework implements this yet, so you'll have to use P/Invoke if using .NET.
If a user has access to a device, then no, you cannot 100% securely store a key. You can raise the bar but you cannot remove it.
You have to externalize the access to the key, e.g. a user-entered username and/or password, or one sent to the device via another method (e.g. asymmetric encryption over a network connection). Which is what the Security for Windows Mobile Programmers webcast recommends.
Any way you store the key on the device can be reverse engineered. This includes the use of CryptProtectData and CryptUnprotectData API.
What's wrong with using standard encryption algorithms?
http://www.windowsfordevices.com/news/NS5217487259.html?kc=rss
Webcast covers security for Windows Mobile programmers
This looks like it will be good.