Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

A recent question about this newsgroup thread (http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2006-04/msg00074.html) prompts me to share my recommendations about how to test new Cryptographic Service Providers (CSPs) for Crypto API (CAPI), without having to get them signed by Microsoft.

That thread alludes to the problem: you need a “real” kernel debugger (kd) hooked up and live, and the debuggee must be booted with /DEBUG. Once you’ve got that, a check for the kd in CryptAcquireContext (in advapi32.dll) will let unsigned CSPs load.

The thread mentions SoftICE as a workaround: it’s indeed possible that SoftICE lets you skip the whole serial cable business of hooking up a kd. But note that simply running a user-mode debugger won’t cause the signature check to be skipped.

My recommendation? Use a virtual machine. For example, setting up a kd with VMware (I usually use windbg.exe as the host debugger) is really easy. Then you can use the VM to test your CSP, which isn’t a bad idea anyway, in case something gets really screwed up by your testing.

The only drawback is if you’re building a CSP for special hardware that can’t be exposed to the VM. In that case, I recommend using a separate physical debuggee machine and serial cable.
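One way to confirm on the test machine whether CryptAcquireContext loaded the CSP or rejected it at the signature check (an added example, not code from the original post; the provider name `Example Test CSP` and the helper `classify_acquire_error` are hypothetical, and the CryptoAPI call itself compiles only on Windows):

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

typedef enum { CSP_LOADED, CSP_SIG_REJECTED, CSP_DLL_PROBLEM,
               CSP_REG_PROBLEM, CSP_OTHER } csp_result;

/* Classify GetLastError() after CryptAcquireContext. The values are the
   NTE_* codes from winerror.h, written out so this builds off Windows too. */
csp_result classify_acquire_error(unsigned long err)
{
    switch (err) {
    case 0UL:          return CSP_LOADED;
    case 0x80090006UL: /* NTE_BAD_SIGNATURE */
    case 0x8009001CUL: return CSP_SIG_REJECTED; /* NTE_SIGNATURE_FILE_BAD */
    case 0x8009001DUL: /* NTE_PROVIDER_DLL_FAIL */
    case 0x8009001EUL: return CSP_DLL_PROBLEM;  /* NTE_PROV_DLL_NOT_FOUND */
    case 0x80090017UL: /* NTE_PROV_TYPE_NOT_DEF */
    case 0x80090019UL: /* NTE_KEYSET_NOT_DEF (provider not registered) */
    case 0x8009001BUL: return CSP_REG_PROBLEM;  /* NTE_PROV_TYPE_NO_MATCH */
    default:           return CSP_OTHER;
    }
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    static const char *msg[] = { "loaded", "rejected at the signature check",
        "DLL missing or failed to load", "registration problem", "other error" };
    const char *name = argc > 1 ? argv[1] : "Example Test CSP"; /* hypothetical */
    DWORD type = argc > 2 ? (DWORD)strtoul(argv[2], NULL, 10) : PROV_RSA_FULL;
    HCRYPTPROV h = 0;
    DWORD err = 0;
    /* CRYPT_VERIFYCONTEXT loads the provider without opening a key container. */
    if (CryptAcquireContextA(&h, NULL, name, type, CRYPT_VERIFYCONTEXT))
        CryptReleaseContext(h, 0);
    else
        err = GetLastError();
    printf("%s: %s (0x%08lx)\n", name, msg[classify_acquire_error(err)], (unsigned long)err);
    return err ? 1 : 0;
#else
    (void)argc; (void)argv;
    puts("Windows only: build and run this on the debuggee.");
    return 0;
#endif
}
```

Link with advapi32.lib and pass the provider name and type exactly as the CSP registers them.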

And note that when it comes time to actually deploy the CSP into production, you’ve still got to get it signed. The only plus is that the new Crypto API: Next Generation (CNG) has no signing requirement, so at least there’s a light at the end of the tunnel …
