Channel: VBForums - CodeBank - Visual Basic 6 and earlier

VB6 - TLSCrypto Using CNG

The attached programs are the culmination of my efforts to update my cryptography Class to use Cryptography Next Generation (CNG) from Microsoft. It is by no means the final version, as it simply upgraded SSLClient/SSLServer to TLSClient/TLSServer. As such it uses TLS1.0 and the Cipher Suite 05 (TLS_RSA_WITH_RC4_128_SHA), and both TLS1.0 and RC4 are not universally supported by all servers these days. The next step in the evolution of these programs will be to expand them to support more secure ciphers and TLS1.2.

There are substantial differences between the earlier CRYPTO API and CNG, and upgrading was necessary because Windows 8.1 no longer supports all the Schannel calls in CAPI. Having said that, CNG is far more flexible in the ciphers that it supports, but it is also more difficult to utilize, and I ran into many difficulties that were not covered in the available literature (which is very limited). The major differences are:
1. CAPI uses "Little Endian" format for Certificate and Key data, but CNG uses "Big Endian" format. "Big Endian" format is how the RFCs require this data to be transmitted, so reversing the data becomes unnecessary with CNG.
2. CNG uses Objects extensively, and quite often they are not used directly in CNG calls. Because Visual Basic cleans up after itself, care must be taken to retain these objects if they are to be used again.

I had intended to use the CAPI Server program (SSLServer) to test the CNG Client program (TLSClient), but I ran into difficulty with the TLSEncrypt routine that I could not resolve. It would properly encrypt and transmit the first encrypted record (ClientFinished), but the server program (SSLServer) would report an HMAC error on the second encrypted record (App Data). To facilitate further debugging, I upgraded the server program as well (TLSServer). Strangely enough, the same Client program (TLSClient) that was giving me all the trouble worked just fine with the upgraded TLSServer program.

You may wonder why I used CAPI to recover the Certificate Data, instead of CNG. The main thrust of my cryptography work is on the Client side of the ledger, and server Apps really need multi-threading to support blocking socket calls. Visual Basic doesn't handle multi-threading very well, and I did not want to spend a lot of time on the server code. It was simpler for me to use the existing Certificate code and transfer the Private Key to CNG.

To run these 2 programs, open 2 separate instances of the IDE and load TLSClient in one and TLSServer in the other. Start both of them, bring both windows to the foreground, and separate them as much as possible. Click the down arrow on the dropdown box in the Client program and click on "LocalHost". As long as "LocalHost" is defined in your "Hosts" file, it should connect with the Server program, negotiate a TLS session, and get a short message from the server. The server program will automatically create both the Container and the RSA Key Pair if they don't already exist, but in order to use TLSServer, you will have to create Certificates and add them to the Certificate Store. The "Readme.txt" file contains instructions on how to do that.

Both programs have been tested on Windows Vista and Windows 8.1.

J.A. Coutts
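The post mentions an HMAC error that appears only on the second encrypted record. For TLS 1.0 with TLS_RSA_WITH_RC4_128_SHA (RFC 2246, section 6.2.3.1) the record MAC is HMAC-SHA1 over an implicit 64-bit sequence number, the record header and the fragment, so a record that re-uses a sequence number fails verification even when the key and payload are right. The following Python is an added example, not code from the post or its attached programs; the MAC key and record contents are constructed sample data.

```python
import hmac
import hashlib
import struct

# TLS 1.0 record MAC (RFC 2246, 6.2.3.1) for an HMAC-SHA1 cipher suite:
#   HMAC(mac_key, seq_num(8) || type(1) || version(2) || length(2) || fragment)
# seq_num is never transmitted: 64-bit, starts at 0 for each direction,
# incremented once per record sent. With RC4 the fragment || MAC is then
# stream-encrypted, which this example leaves out.
TLS10_VERSION = (3, 1)          # TLS 1.0 is {3, 1} on the wire
CT_HANDSHAKE = 22               # ContentType.handshake
CT_APPLICATION_DATA = 23        # ContentType.application_data


def record_mac(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """MAC input is the 8-byte seq number, then the 5-byte record header, then the data."""
    header = struct.pack("!QBBBH", seq_num, content_type, *TLS10_VERSION, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def build_stream(mac_key: bytes, fragments):
    """Sender side: MAC each (type, fragment) with the next sequence number."""
    return [(ctype, frag, record_mac(mac_key, seq, ctype, frag))
            for seq, (ctype, frag) in enumerate(fragments)]


def verify_stream(mac_key: bytes, records, advance_seq: bool = True):
    """Receiver side: check each (type, fragment, mac) in order.
    advance_seq=False models a receiver that never increments its counter;
    only the first record (seq 0) can pass then. Returns one bool per record."""
    seq = 0
    results = []
    for ctype, frag, mac in records:
        expected = record_mac(mac_key, seq, ctype, frag)
        results.append(hmac.compare_digest(expected, mac))   # constant-time compare
        if advance_seq:
            seq += 1
    return results


# Constructed sample data: a 20-byte write MAC key (SHA-1 output size),
# a Finished handshake record followed by two application-data records.
MAC_KEY = bytes(range(20))
SAMPLE = [
    (CT_HANDSHAKE, b"\x14\x00\x00\x0c" + b"V" * 12),   # Finished: type 20, 12-byte verify_data
    (CT_APPLICATION_DATA, b"hello from TLSClient"),
    (CT_APPLICATION_DATA, b"second app data record"),
]


def demo():
    stream = build_stream(MAC_KEY, SAMPLE)
    return verify_stream(MAC_KEY, stream), verify_stream(MAC_KEY, stream, advance_seq=False)
```

`demo()` returns `([True, True, True], [True, False, False])`: the first record verifies either way, and every later record fails as soon as the receiver's sequence number stops tracking the sender's.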