Smart card logon
Ing. Ondřej Ševeček | MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
Motivation
Use certificates for logon
Random keys stronger than passwords
– SHA-1 >> 12 character password
Passwords can be stolen in clear
– Thursday, 10:30 :-)
Multifactor authentication with smart card
– private key never leaves the card
– must have the card to logon
– simple PIN just to prevent an accidental loss
Technology
PC/SC chip + reader
Credit card format
– transport in wallet or stripe
– printed
– RFID
– requires separate reader
Token
– attach to keys
– no reader necessary
– no printing
– no RFID
Drivers
Reader driver
– USB CCID compatible built-in
– many other built-in
Chip driver
– Cryptographic Service Provider (CSP): SafeSign, CryptPlus, Schlumberger, …
– minidriver for Microsoft Base Smart Card CSP
– CERTUTIL -csplist
Vendors
Card + reader ~ 1000 CZK
Gemalto
– .NET v2 ~ IDPrime IM v2 ~ IDPrime.NET ~ IDPrime IM v3 ~ Axalto Cryptoflex.NET
– the only mini-driver built-in
Monet+
– Czech vendor
– mini-driver installable
Aladdin, …
– require full CSP $$$
Card management
CERTUTIL -scinfo
Excel :-)
third-party tools
CA hierarchy?
Trust maintenance
– may be expensive to be trusted
– may be even more expensive to revoke root
– risk analysis
Revocation of subordinates
Distributed administration
– Qualified subordination
CRL (Certificate Revocation List)
OCSP (Online Certificate Status Protocol)
CA hierarchy? (diagram: a single GOPAS Root CA with subordinate GOPAS London CA, GOPAS Paris CA and GOPAS Prague CA, which issue the leaf certificates)
CA hierarchy? (diagram: separate GOPAS Root London CA, GOPAS Root Paris CA and GOPAS Root Prague CA, each issuing leaf certificates directly)
Where the nonsense leads
Offline root
– OS license
– hardware
– physical access to publish CRLs
Degenerate CRL publishing
– once several months
– or only once!
Trust maintenance in Windows domain
Risk assessment in Windows domain
Risk of AD Domain Controller
– single DC compromised = whole forest compromised
Online AD integrated enterprise PKI cannot have higher risks than any DC
NTAuth CAs have the same level of risk as any DC
CA hierarchy?
Algorithms
SHA-1
– well compatible with XP, 2003
– stronger than 12 character passwords
SHA-256, SHA-384, SHA-512
– requires XP SP3
– requires manual download of update KB for 2003
– requires manual download of update KB for auto-enrollment on XP SP3 and 2003
– no problem with the card hardware
RSA 2048
– well supported by card hardware
– only 112 bit strength
RSA 4096
– stronger, but limited support by card hardware
ECDH
– bad application and no card hardware support
Comparable Algorithm Strengths (SP800-57)
Strength   Symmetric   RSA         ECDSA       SHA
80 bit     2TDEA       RSA 1024    ECDSA 160   SHA-1
112 bit    3TDEA       RSA 2048    ECDSA 224   SHA-224
128 bit    AES-128     RSA 3072    ECDSA 256   SHA-256
192 bit    AES-192     RSA 7680    ECDSA 384   SHA-384
256 bit    AES-256     RSA 15360   ECDSA 512   SHA-512
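The two slides above make one point together: every CA in the forest's NTAuth store can issue a logon certificate for any user, so it carries DC-level risk, and its key should at least meet the strength the SP800-57 table assigns. The following PowerShell is an added example, not code from the presentation or from GOPAS: it reads the NTAuth store from the Configuration partition, rates each CA's RSA key against the table, and flags anything below a policy threshold. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the 112-bit threshold is an assumed policy value.

```powershell
# Added example (not from the original slides): enumerate the CAs trusted for
# smart card logon (NTAuth store in AD) and rate each RSA key with the
# SP800-57 comparable-strength table. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# RSA modulus size -> security strength in bits (SP800-57 table above)
function Get-RsaStrengthBits {
    param([int]$KeySize)
    if     ($KeySize -ge 15360) { 256 }
    elseif ($KeySize -ge 7680)  { 192 }
    elseif ($KeySize -ge 3072)  { 128 }
    elseif ($KeySize -ge 2048)  { 112 }
    elseif ($KeySize -ge 1024)  { 80 }
    else                        { 0 }
}

function Get-NTAuthCertificateReport {
    # Threshold is an assumed policy value, not something the slides prescribe
    param([int]$MinimumStrengthBits = 112)

    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate

    foreach ($raw in $obj.cACertificate) {
        # Each cACertificate value is a DER-encoded CA certificate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { Get-RsaStrengthBits -KeySize $rsa.KeySize } else { $null }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA vs sha256RSA
            KeySize      = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }
            StrengthBits = $bits
            BelowPolicy  = ($null -ne $bits -and $bits -lt $MinimumStrengthBits)
        }
    }
}

Get-NTAuthCertificateReport | Format-Table -AutoSize
```

Anything listed here that you do not recognise as one of your own enterprise CAs deserves the same attention as an unknown domain controller; the report is also where an RSA 1024 or sha1RSA CA shows up when you plan the migration the Algorithms slide describes.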
Domain SC User with RSA
Extension        Value
Subject          Common Name or Distinguished Name
SAN              UPN or AD mapped subject (Windows 6.0+)
Exportable Key   no?
Archive Key      no, transport encryption only
Key Type         Signature (AllowSignatureOnlyKeys GPO on Windows 6.0+); Encryption (required on 2000+, more secure)
Key Usage        Digital Signature
CSP              Smart Card compatible provider
EKU              Smart Card Logon; can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU
Autoenrollment   no?
Publish in AD    no
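The template table above lists what an issued certificate must carry before a DC will accept it for smart card logon. The PowerShell below is an added example, not code from the presentation: it checks an exported certificate against three of those rows (Digital Signature key usage, a UPN in the SAN, and an EKU that, if present at all, contains Smart Card Logon). The file path is a placeholder; the OIDs for Smart Card Logon (1.3.6.1.4.1.311.20.2.2) and the SAN extension (2.5.29.17) are the standard ones.

```powershell
# Added example (not from the original slides): check a certificate against the
# "Domain SC User" requirements. Path is a placeholder.
$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$OID_SAN             = '2.5.29.17'               # Subject Alternative Name

function Test-SmartCardLogonCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $findings = @()

    # Key Usage must include Digital Signature
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digitalSignature = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $ku -or -not ($ku.KeyUsages -band $digitalSignature)) {
        $findings += 'Key Usage lacks Digital Signature'
    }

    # EKU may be absent (Windows 6.0+), but if present it must contain Smart Card Logon
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $OID_SMARTCARD_LOGON)) {
        $findings += 'EKU present but lacks Smart Card Logon'
    }

    # SAN should carry the user's UPN; Windows formats the other-name as "Principal Name=user@domain"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $OID_SAN }
    $upn = $null
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) { $upn = $Matches[1] }
    if (-not $upn) {
        $findings += 'SAN has no UPN (logon would rely on an explicit altSecurityIdentities mapping)'
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        UPN      = $upn
        Eligible = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-SmartCardLogonCertificate -Path 'C:\temp\kamil.cer'   # placeholder path
```

Run it against a certificate pulled from the card with CERTUTIL -scinfo before blaming the DC: a missing UPN or a wrong EKU is the usual reason a logon fails with an otherwise valid certificate.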
Certificate mapping
altSecurityIdentities
Subject and Issuer fields, all reverted: X509:<I>DC=virtual,DC=gopas,CN=GOPAS Root CA<S>CN=kamil
Subject DN: X509:<S>CN=kamil
Subject Key Identifier: X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
Issuer and Serial Number: X509:<I>DC=gopas,DC=virtual,CN=GOPAS Root CA<SR>bde810
SHA1 Hash: X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd
RFC822 name: X509:<RFC822>
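The mapping strings above are easy to get wrong by hand: the issuer DN must be written with its RDNs in reversed order and the serial number with its bytes reversed relative to what certutil displays. The PowerShell below is an added example, not code from the presentation or from GOPAS: it builds the X509:<I>...<S>, X509:<I>...<SR> and X509:<SKI> forms from a certificate file and writes them to the user's altSecurityIdentities. It assumes the ActiveDirectory module; the file path and the user name are placeholders. Of the forms on the slide, Microsoft's later hardening (KB5014754) treats only the issuer+serial, SKI and SHA1-PUKEY mappings as strong; the issuer+subject form is included here because the slide shows it.

```powershell
# Added example (not from the original slides): build altSecurityIdentities mapping
# strings from a certificate and attach them to an AD user. Assumes the ActiveDirectory
# module; path and user name are placeholders.
Import-Module ActiveDirectory

function ConvertTo-ReversedDN {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    # Format($true) emits one RDN per line, so splitting on newlines is safe even
    # when an RDN value itself contains a comma
    $rdns = @($Name.Format($true) -split "`r?`n" | Where-Object { $_ })
    [array]::Reverse($rdns)
    ($rdns -join ',')
}

function Get-AltSecurityIdentities {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    $issuer  = ConvertTo-ReversedDN $cert.IssuerName     # e.g. DC=virtual,DC=gopas,CN=GOPAS Root CA
    $subject = ConvertTo-ReversedDN $cert.SubjectName    # e.g. CN=kamil

    # SerialNumber is the big-endian hex certutil shows; <SR> wants the byte order reversed
    $serialBytes = @(for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) { $cert.SerialNumber.Substring($i, 2) })
    [array]::Reverse($serialBytes)
    $serial = ($serialBytes -join '').ToLower()

    $skiExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }

    $ids = @(
        "X509:<I>$issuer<S>$subject"
        "X509:<I>$issuer<SR>$serial"
    )
    if ($skiExt) { $ids += "X509:<SKI>$($skiExt.SubjectKeyIdentifier.ToLower())" }
    $ids
}

$mappings = Get-AltSecurityIdentities -Path 'C:\temp\kamil.cer'            # placeholder path
Set-ADUser -Identity 'kamil' -Add @{ altSecurityIdentities = $mappings }   # placeholder user
```

Compare the generated <I>...<SR> line with CERTUTIL -dump output on the same file before writing it: the serial there reads in the opposite byte order, which is the mismatch that makes a hand-typed mapping silently fail.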
GOPAS Computer School courses on:
GOC170 - AD Monitoring with SCOM and ACS
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI
GOC174 - SharePoint Architecture and Troubleshooting
GOC175 - Advanced Security
GOC169 - Auditing ISO/IEC 2700x
Get a TechEd 2014 T-shirt for filling in the evaluation questionnaire.