Abstract:
Windows-based applications most often rely on the Microsoft Cryptographic Application Programming Interface (MS-CAPI) to handle cryptography: developers use it extensively, for example to secure sensitive data, manage certificates, generate passwords, and exchange messages with other entities.
A lot of commercial applications have been developed combining internal cryptographic implementations, ready-to-use modules or external independent libraries. Because of this, it is hard to evaluate the overall security level of a product: companies need a tool that gives them a clear view of their cryptography so they can assess whether it is used correctly.
During his internship at Cryptosense in Paris, the author of this thesis started the development of an application to solve this problem. Following the path provided by the pre-existing Java App Tracer, the project makes use of a Windows hooking library to intercept the calls to the functions contained in the CryptoAPI to analyse their parameters and results.
The final outcome is a complete tracer prototype that evaluates a limited set of cryptographic properties and generates an easy-to-read report in HTML format. This prototype has been tested with basic programs, but also with larger everyday applications, showing interesting behaviours and a promising basis for further development.