SEC230 - Windows Cryptography Next Generation (CNG) for Developers

This seminar covers the “next-generation” cryptography (CNG) support in Windows Vista through Windows 8 and Windows Server 2012. 

Level: Intermediate

Application programmers; security personnel; management responsible for security policy and implementation


Windows Vista and later versions provide a new set of cryptographic services and APIs referred to as "Cryptography Next Generation," or "CNG." The CNG APIs are far easier to use and to extend than previous Windows cryptography APIs. CNG furthermore provides several important new features, such as secure key storage, support for third-party key storage providers, and kernel mode accessibility.

This seminar presents the design, implementation, and APIs of the “Cryptography Next Generation” implementation in Windows Vista and later versions, with emphasis on how to use these facilities in application programs. The legacy cryptographic services present in these and past versions of Windows will also be discussed, as well as some other Windows Vista security technologies such as BitLocker.

This seminar will provide to application developers and designers all the information required to successfully configure, use, and extend the CNG interfaces. The seminar will also be of use to those responsible for creating and maintaining the security policy for an organization or for  application design. Cryptographic concepts and decision points will be introduced and discussed. 

  • Introduction to modern cryptography and cryptanalysis
  • Legacy Windows cryptography

    • Data Protection API
    • Encrypted File System (EFS)
    • CryptoAPI
  • Windows Vista security overview

    • Address Space Layout Randomization
    • Trusted Processes
    • BitLocker
  • Cryptography Next Generation (CNG) architecture overview
  • CNG API concepts and interface styles
  • Using bcrypt interfaces

    • Enumerating algorithms
    • Random number generator
    • Hashing functions
    • Symmetric encryption
    • Key signing
    • Secret agreement (key exchange)
    • Asymmetic encryption
  • Using ncrypt (secure key storage) interfaces

    • Secure key storage principles
    • Hash signing and verification algortihms
    • Secret agreement (key exchange)
    • Asymmetric encryption
    • Exporting and importing keys
  • Implementing a new algorithm provider

    • User-mode providers
    • Kernel-mode providers
  • CNG implementation and internal details
  • Windows 7 CNG enhancements
  • Familiarity with INT150: Windows Internals Essentials; and
  • Familiarity with Windows API (Win32) programming; and
  • Familiarity with the C programming language

If kernel-mode CNG providers are to be covered in labs, then familiarity with Windows' general kernel mode driver interfaces (NTDDK/WDM) is also required. 

Operating systems supported:

Windows 2000 through Windows 10/Windows Server 2012 R2

Durations and formats: 3 or 4 days with labs
2 days lecture only

The lab version of this seminar includes a series of programming exercises that illustrate and amplify the principles presented in the “Using CNG” section. Attendees for this version will spend at least half of the seminar time modifying, coding, and debugging programs that use examples of various CNG algorithm classes, as well as older services such as DPAPI. Solutions to all lab problems will be provided in machine-readable form. 

The standard labs version of the seminar includes a lab exercise involving implementation of a user-mode CNG provider. Kernel-mode CNG providers may be covered upon request. 

Durations with labs:
3 days with user-mode CNG provider. 
4 days with kernel-mode CNG provider.