[API Proposal]: Windows CNG virtualization-based security
krwq opened this issue
Background and motivation
One of the Windows 11 builds has added a framework to help secure Windows keys with virtualization-based security (VBS). With this new capability, keys can be protected from admin-level key theft attacks with negligible effect on performance, reliability, or scale.
Win API:
https://learn.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptcreatepersistedkey
The proposal is to extend the existing CngKeyCreationOptions API to include the new flags.
API Proposal
```csharp
namespace System.Security.Cryptography;

[Flags]
public enum CngKeyCreationOptions : int
{
    // existing:
    // None = 0x00000000,
    // MachineKey = 0x00000020,           // NCRYPT_MACHINE_KEY_FLAG
    // OverwriteExistingKey = 0x00000080, // NCRYPT_OVERWRITE_KEY_FLAG

    // new APIs:
    PreferVbs = 0x00010000,     // NCRYPT_PREFER_VBS_FLAG
    RequireVbs = 0x00020000,    // NCRYPT_REQUIRE_VBS_FLAG
    UsePerBootKey = 0x00040000, // NCRYPT_USE_PER_BOOT_KEY_FLAG
}
```
API Usage
```csharp
// Note: this API is Windows only
using System.Security.Cryptography;

CngKeyCreationParameters cngCreationParams = new()
{
    Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider,
    // Fail key creation outright if VBS protection is not available.
    KeyCreationOptions = CngKeyCreationOptions.RequireVbs | CngKeyCreationOptions.OverwriteExistingKey,
};

using (CngKey key = CngKey.Create(CngAlgorithm.ECDsaP256, "mySoftwareKey", cngCreationParams))
using (ECDsaCng ecdsa = new ECDsaCng(key))
{
    // do stuff with the key
}
```
Alternative Designs
No response
Risks
Very low - new flags to existing API
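The usage sketch above always demands VBS. The example below, added here and not part of the proposal or of the .NET runtime, shows the pattern a caller would more likely want in production: try RequireVbs first, fall back to PreferVbs when the host cannot honour it, keep the key non-exportable, and then sign and verify using only the public half. It assumes the proposed PreferVbs/RequireVbs members exist, a Windows build whose key storage provider understands the NCRYPT_*_VBS flags, and that a refused RequireVbs surfaces as CryptographicException (an assumption; the proposal does not say how the failure is reported). The key name is constructed for the example.

```csharp
// Added example (not from the proposal): prefer-then-require VBS key creation
// with a signature round trip. Assumes the proposed CngKeyCreationOptions.PreferVbs
// and RequireVbs members and a Windows host whose KSP supports the VBS flags.
using System;
using System.Runtime.Versioning;
using System.Security.Cryptography;
using System.Text;

[SupportedOSPlatform("windows")]
static class VbsKeyDemo
{
    static CngKey CreateOrOpen(string name, bool requireVbs)
    {
        // Reuse an existing persisted key instead of silently overwriting it;
        // note the VBS flags only matter at creation time.
        if (CngKey.Exists(name, CngProvider.MicrosoftSoftwareKeyStorageProvider))
            return CngKey.Open(name, CngProvider.MicrosoftSoftwareKeyStorageProvider);

        var parameters = new CngKeyCreationParameters
        {
            Provider = CngProvider.MicrosoftSoftwareKeyStorageProvider,
            KeyCreationOptions = requireVbs
                ? CngKeyCreationOptions.RequireVbs
                : CngKeyCreationOptions.PreferVbs,
            // A VBS-protected private key should never be exportable; that is the point.
            ExportPolicy = CngExportPolicies.None,
            KeyUsage = CngKeyUsages.Signing,
        };
        return CngKey.Create(CngAlgorithm.ECDsaP256, name, parameters);
    }

    static void Main()
    {
        const string keyName = "vbs-demo-signing-key"; // constructed name for this example
        CngKey key;
        try
        {
            key = CreateOrOpen(keyName, requireVbs: true);
            Console.WriteLine("Key created with RequireVbs.");
        }
        catch (CryptographicException ex)
        {
            // Assumption: on a host without VBS the REQUIRE flag is rejected by
            // NCryptCreatePersistedKey and .NET reports it as CryptographicException.
            // PreferVbs still uses VBS where present but does not fail for its absence.
            Console.WriteLine($"RequireVbs failed ({ex.Message}); retrying with PreferVbs.");
            key = CreateOrOpen(keyName, requireVbs: false);
        }

        using (key)
        using (var ecdsa = new ECDsaCng(key))
        {
            byte[] data = Encoding.UTF8.GetBytes("attested payload");
            byte[] signature = ecdsa.SignData(data, HashAlgorithmName.SHA256);

            // Verification needs only the public parameters; the private key never
            // leaves the key storage provider (or VBS, when it landed there).
            using ECDsa verifier = ECDsa.Create(ecdsa.ExportParameters(includePrivateParameters: false));
            bool ok = verifier.VerifyData(data, signature, HashAlgorithmName.SHA256);
            Console.WriteLine($"Signature valid: {ok}");
        }
    }
}
```

The fallback deliberately does not pass OverwriteExistingKey: if a RequireVbs key with that name already exists from an earlier run, the retry opens it rather than replacing a VBS-protected key with a weaker one. If your threat model is admin-level key theft, treat a successful PreferVbs fallback as a degraded state worth logging, since the key may then be protected only by the ordinary software KSP.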
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.
I'm not sure I like the names of any of these new enum members. NCRYPT_USE_PER_BOOT_KEY_FLAG doesn't seem to be on MSDN, so I can't say if the description offers a better description of what this means, and the Vbs isn't (I don't think) a common enough concept yet that it's worthy of abbreviation... but the expanded form isn't really better.
So, they might all be "right", but I'm not sure I like them :)
I mainly matched the WinAPI names but will leave for API review to make a call which name they prefer - I think it's easier to mostly match existing WinAPI names but I'm personally not a fan of "VBS" in the name
- Looks good as proposed
```csharp
namespace System.Security.Cryptography;

[Flags]
public enum CngKeyCreationOptions : int
{
    // existing:
    // None = 0x00000000,
    // MachineKey = 0x00000020,           // NCRYPT_MACHINE_KEY_FLAG
    // OverwriteExistingKey = 0x00000080, // NCRYPT_OVERWRITE_KEY_FLAG

    // new APIs:
    PreferVbs = 0x00010000,     // NCRYPT_PREFER_VBS_FLAG
    RequireVbs = 0x00020000,    // NCRYPT_REQUIRE_VBS_FLAG
    UsePerBootKey = 0x00040000, // NCRYPT_USE_PER_BOOT_KEY_FLAG
}
```