The curse of Crypt32.dll


One single file, so many problems with it…

The file “crypt32.dll” is part of every Windows NT-family release.
It lives in C:\Windows\System32\crypt32.dll, and its job is to provide the CryptoAPI certificate and message functions (certificate stores, chain building and signature verification, ASN.1 encoding and decoding) that the rest of the OS relies on.

Using yet another great tool from our good friend NirSoft, an overview of its first 50 (or so) exported functions:

[screenshot: the first 50 or so exported functions of crypt32.dll]

Now, as some people already know, cryptography evolves (yep, it really does 😛 ). The main reason is that the old methods for securing data get broken sooner or later, so new methods are needed!

This story is about setting up a new PKI: a new CA in a mixed OS environment with XP, WS03, 7, 8, Linux, Mac, …
All of these operating systems should be able to validate AND use the one root certificate.

So we chose a deployment with Windows Server 2008 R2 as the root certification authority.
One of the steps in this deployment is deciding which hash algorithm the root certificate (and, through the CA's signing settings, everything the CA signs) will use.

Now, SHA-1 isn't that much of a deal any more these days… it still works, but it is on its way out. So we chose the much stronger SHA-256 (its direct successor, from the SHA-2 family).

Now the fun part starts.

Windows Server 2003 (including R2) and Windows XP up to SP3 can't handle the SHA-256 algorithm out of the box…
Only from a specific version of crypt32.dll onward is the code to verify SHA-256 signatures present…
In other words: they can't validate our new root certificate 😦
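A quick way to see the problem on a given box, as an added example that is not part of the original post: load the certificate, print which signature algorithm it actually carries, and then ask CryptoAPI to build a chain for it. The .NET X509Chain class calls straight into crypt32.dll, so running this on the XP or Server 2003 machine itself tests that machine's crypt32. The file name root.cer is a placeholder for your own exported root certificate.

```powershell
# Added example (not from the original post): report a certificate's signature
# algorithm and let the local crypt32.dll try to verify it via X509Chain.
# Assumption: the certificate to test (DER or Base64) is in .\root.cer.
param(
    [string]$CertPath = '.\root.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

Write-Host ("Subject       : {0}" -f $cert.Subject)
Write-Host ("Signature alg : {0} ({1})" -f $cert.SignatureAlgorithm.FriendlyName, $cert.SignatureAlgorithm.Value)

# sha256RSA is OID 1.2.840.113549.1.1.11, sha1RSA is 1.2.840.113549.1.1.5.
# On an old crypt32 the SHA-256 OID has no friendly name, so that column stays empty.
if ($cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.5') {
    Write-Warning 'Certificate is still signed with SHA-1.'
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Offline test: skip CRL/OCSP and tolerate an untrusted root, so that the only
# failures left are the ones crypt32 itself raises about the signature.
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority

$ok = $chain.Build($cert)
Write-Host ("Chain builds  : {0}" -f $ok)

foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0,-25} {1}" -f $status.Status, $status.StatusInformation.Trim())
}
```

On a crypt32.dll without SHA-2 support the typical outcome is Build() returning False with a NotSignatureValid status; on a patched box the same SHA-256 root verifies. PowerShell 2.0 is enough to run this on XP SP3 and Server 2003.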

And from here, things get only worse…

The crypt32.dll version you need is 5014 (5.131.3790.5014).
Since 2009 there has been a hotfix available with this version. And since August 2012 there has also been an update available through the Windows Update channel containing this 5014 edition of the DLL.

They are different…


Two builds, two different files: one is 1 KB bigger than the other, and their build times are 30 minutes apart…

Comparing the two in WinMerge shows quite a few differences…


So don't bother with the Windows Update version (GDR, general distribution release); go for the hotfix version (QFE, quick fix engineering). The two servicing branches carry the same version number, but the GDR build only contains the fixes Microsoft released broadly, while the QFE build is cumulative and includes every hotfix for the component, which is why only the QFE build verifies SHA-256 here. You'll have to install the hotfix manually (or roll it out with a GPO). It's a real disappointment to try the GDR version first and then find out nothing works as expected…
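Before rolling anything out it pays to inventory which build is actually on each machine. The script below is an added example, not code from the original post. It relies on the fact that the FileVersion string of XP and Server 2003 system files names the servicing branch and build timestamp, for example "5.131.3790.5014 (srv03_sp2_qfe.120607-1408)" (that tag is constructed for illustration, not copied from a real file); the "_gdr" or "_qfe" suffix is what tells the two 5014 files apart. Remote machines are read through the admin$ share, so it assumes you have administrative rights on them; the minimum version 5.131.3790.5014 is the one this post identifies.

```powershell
# Added example (not from the original post): report version, servicing branch
# (GDR vs QFE) and build tag of crypt32.dll on one or more machines.
# Assumptions: admin rights on remote hosts (read via \\host\admin$ = %windir%),
# and the required minimum version from this post, 5.131.3790.5014.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [version] $Required     = '5.131.3790.5014'
)

function Get-Crypt32Info {
    param([string]$Computer)

    if ($Computer -eq $env:COMPUTERNAME) {
        $path = Join-Path $env:windir 'System32\crypt32.dll'
    } else {
        $path = '\\{0}\admin$\System32\crypt32.dll' -f $Computer
    }

    $file = Get-Item -LiteralPath $path
    $info = $file.VersionInfo

    # Split e.g. "5.131.3790.5014 (srv03_sp2_qfe.120607-1408)" into version,
    # branch ("srv03_sp2_qfe") and build tag ("120607-1408").
    $branch = 'unknown'; $tag = ''
    if ($info.FileVersion -match '^\s*(?<ver>\d+(\.\d+){3})\s*\((?<branch>[^.)]+)\.(?<tag>[^)]*)\)') {
        $branch = $Matches['branch']
        $tag    = $Matches['tag']
    }

    # Numeric version from the fixed fields, independent of the string layout.
    $ver = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                          $info.FileBuildPart, $info.FilePrivatePart)

    # "_ldr" is the later name for the same hotfix branch.
    $isQfe = $branch -match '_qfe$|_ldr$'

    New-Object PSObject -Property @{
        Computer     = $Computer
        Version      = $ver
        Branch       = $branch
        BuildTag     = $tag
        Size         = $file.Length
        Modified     = $file.LastWriteTime
        MeetsVersion = ($ver -ge $Required)
        IsQfe        = $isQfe
        # The finding of this post: only the QFE build of 5014 verifies SHA-256.
        Ok           = ($ver -ge $Required) -and $isQfe
    }
}

$results = foreach ($c in $ComputerName) {
    try   { Get-Crypt32Info -Computer $c }
    catch { Write-Warning ('{0}: {1}' -f $c, $_.Exception.Message) }
}

$results | Sort-Object Ok, Computer |
    Format-Table Computer, Version, Branch, BuildTag, Size, MeetsVersion, IsQfe, Ok -AutoSize
```

Run it as `.\Check-Crypt32.ps1 -ComputerName xp01, ws03-dc1` from an admin workstation, or without arguments on the box itself. Machines that show the right version but a "_gdr" branch are exactly the ones that will fail to validate the SHA-256 root even though they look patched.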
