# Cryptography Next Generation (CNG) Secure Communication Example

The Cryptography Next Generation (CNG) secure communication example models a cryptographic solution to a man-in-the-middle attack. It simulates communications among three people, Alice, Bob, and Mallory, at a fictitious advertising company. The example uses CNG classes, a named pipes transport, and interactive console windows to demonstrate security solutions for a man-in-the-middle attack.

This is an advanced example and assumes familiarity with cryptography, inter-process communication, and network security.

Note

The CNG classes are available only in Windows Vista and subsequent Windows operating systems.

This topic provides an overview of the CNG example. It discusses the following:

## The Example Scenario

An advertising company develops an instant messaging (IM) tool that runs on the desktop. All employees can view the messages entered into the tool.

Alice and Bob work in the sales department. They use the IM tool to send each other sales contacts. Mallory is a network engineer who works in system operations. He has been secretly monitoring Alice and Bob's messages. Once a month he copies valuable sales contacts and sells them to competitors for personal profit.

After several months, the company realizes that someone is stealing sales contacts and that interdepartmental communication has been compromised. They decide to create a new IM tool, and they start by analyzing the security of the current tool.

## Security Vulnerabilities of the IM Tool

The company realizes that the current IM tool has the following security vulnerabilities:

• It transfers plaintext (nonencrypted) messages.

• It broadcasts those messages over the corporate network.

• The messages can be viewed and even recorded by anyone.

The company decides that the new IM tool can address these issues by enabling point-to-point communication on the corporate network.

## Version 1: Named Pipes

The company creates a new IM tool that relies on named pipes (or channels) for interprocess communication (IPC). This version does not use encryption or digital signatures.

Alice and Bob are given the following instructions:

1. Create an initial connection over a channel named PublicChannel.

2. Send the name of a private channel to each other, and then immediately disconnect from PublicChannel.

3. Connect using the private channel, and send each other sales contacts.

The company hopes that point-to-point communication channels will provide enough isolation from the rest of the corporate network. They soon learn that this solution is insufficient. Mallory discovers how to defeat the new system. He continues to steal sales contacts and starts to hide his misdeeds by carefully changing the sales contacts' addresses.

The company decides to add security safeguards to the IM tool to stop the thefts.

## Versions 2 Through 5: Incremental Security Improvements

The new software is tested and enhanced for several months. By the time the tests are complete, four additional versions of the IM tool have been created. Each version builds upon the previous version:

• Version 2 incorporates CNG-based encryption that uses public/private key pairs.

• Version 3 uses a digital signature to sign cryptographic keys and messages.

• Version 4 adds a private channel to transmit a digital signature to sign cryptographic keys and messages.

• Version 5 stops the intrusions by ending all IM sessions that receive signed keys with invalid signatures.

## Test Results

Version 2 uses a high-security encryption algorithm. Breaking the encryption would require extensive resources and time. Therefore, the company is surprised to learn that this solution has been compromised.

Version 3, which uses digital signatures, does not prevent theft either. However, this version helps the company make an important discovery: If the cryptographic keys and digital signature are being intercepted and substituted, the channel that is used to transmit the keys and signature must be the source of the problem.

This idea is tested by adding a private channel to version 4 to transmit a digital signature. Version 4 also displays a warning when a key or message has an invalid signature. Version 4 is given only to two people in the company: Alice and Bob. It starts to display security warnings as soon as Alice and Bob send their first messages. The company finally realizes that their network is suffering a man-in-the-middle attack.

Version 5 is the same as version 4, except that it ends the session at the first security violation. As soon as this version is installed, the theft of sales contacts stops.

## The Example Code

The code that is provided with this example models these five security versions. An overview of the code is provided in Source Code Overview (CNG Example).

Note

This example does not provide a comprehensive security solution. Its only purpose is to demonstrate the CNG API in a plausible security scenario. A complete security application is beyond the scope of this example.

## Naming Conventions

The documentation for this example refers to the five software releases and the corresponding security levels by number (for example, "version 1", "version 2", and so on).

Depending on the context, the names "Alice", "Bob", and "Mallory" may refer to the three people involved in the example scenario or to the three Visual Studio applications. For simplicity, the documentation uses the same name to refer to both. For example, "Alice automatically loads Bob and Mallory" means that the Alice application automatically loads the Bob and Mallory applications.

## Detailed Information

The following topics provide in-depth information about the example scenario and code: