Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card logon

Motivation  Use certificates for logon  Random keys stronger than passwords –SHA-1 >> 12 character password  Passwords can be stolen in clear –Thursday, 10:30 :-)  Multifactor authentication with smart card –private key never leaves the card –must have the card to logon –simple PIN just to prevent an accidental loss

Technology  PC/SC chip + reader  Credit card format –transport in wallet or stripe –printed –RFID –requires separate reader  Token –attach to keys –no reader necessary –no printing –no RFID

Drivers  Reader driver –USB CCID compatible built-in –many other built-in  Chip driver –Cryptographic Service Provider (CSP) SafeSign, CryptPlus, Schlumberger, … –minidriver for Microsoft Base Smart Card CSP –CERTUTIL -csplist

Vendors  Card + reader ~ 1000 CZK  Gemalto –.NET v2 ~ IDPrime IM v2 ~ IDPrime.NET ~ IPPrime IM v3 ~ Axalto Cryptoflex.NET –the only mini-driver built-in  Monet+ –Czech vendor –mini-driver installable  Aladin, … –require full CSP $$$

Card management  CERTUTIL -scinfo  Excel :-)  third-party tools

CA hierarchy?  Trust maintenance –may be expensive to be trusted –may be even more expensive to revoke root –risk analysis  Revocation of subordinates  Distributed administration –Qualified subordination  CRL (Certificate Revocation List)  OSCP (Online Certificate Status Protocol) 7

CA hierarchy? GOPAS Root CA GOPAS London CA GOPAS Paris CA GOPAS Prague CA Leaf certificate

CA hierarchy? GOPAS Root London CA GOPAS Root Paris CA GOPAS Root Prague CA Leaf certificate

Where the nonsense leads  Offline root –OS license –hardware –physical access to publish CRLs  Degenerate CRL publishing –once several months –or only once!

Trust maintenance in Windows domain

Risk assessment in Windows domain  Risk of AD Domain Controller single DC compromised = whole forest compromised  Online AD integrated enterprise PKI cannot have higher risks than any DC  NTAuth CAs have the same level of risk as any DC

CA hierarchy?

Algorithms  SHA-1 –well compatible with XP, 2003 –stronger than 12 character passwords  SHA-256, SHA-384, SHA-512 –requires XP SP3 –requires manual download update KB for 2003 –requires manual download update KB for auto-enrollment on XP SP3 and 2003 –no problem with the card hardware  RSA 2048 –well supported by card hardware –only 112 bit strength  RSA 4096 –stronger, but limited support by card hardware  ECDH –bad application and no card hardware support

Comparable Algorithm Strengths (SP800-57) StrengthSymetricRSAECDSASHA 80 bit2TDEARSA 1024ECDSA 160SHA bit3TDEARSA 2048ECDSA 224SHA bitAES-128RSA 3072ECDSA 256SHA bitAES-192RSA 7680ECDSA 384SHA bitAES-256RSA 15360ECDSA 512SHA-512

Domain SC User with RSA ExtensionValue SubjectCommon Name or Distinguished Name SANUPN or AD mapped subject (Windows 6.0+) Exporatable Keyno? Archive Keyno, transport encryption only Key TypeSignature (AllowSignatureOnlyKeys GPO on Windows 6.0+) Encryption (required on 2000+, more secure) Key UsageDigital Signature CSPSmart Card compatible provider EKUSmart Card Logon can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU Autoenrollmentno? Publish in ADno

Certificate mapping  altSecurityIdentities  all reverted  Subject and Issuer fields X509: DC=virtual,DC=gopas,CN=GOPAS Root CA CN=kamil  Subject DN X509: CN=kamil  Subject Key Identifier X509: ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41  Issuer, and Serial Number X509: DC=gopas,DC=virtual,CN=GOPAS Root CA bde810  SHA1 Hash X509: ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd  RFC822 name X509:

Kurzy Počítačové školy Gopas na GOC170 - AD Monitoring with SCOM and ACS GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI GOC174 - SharePoint Architecture and Troubleshooting GOC175 - Advanced Security GOC169 - Auditing ISO/IEC 2700x Získejte tričko TechEd 2014 za vyplněný hodnotící dotazník.