Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card.


Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card logon

Motivation
 Use certificates for logon
 Random keys stronger than passwords
  – SHA-1 >> 12 character password
 Passwords can be stolen in clear
  – Thursday, 10:30 :-)
 Multifactor authentication with smart card
  – private key never leaves the card
  – must have the card to logon
  – simple PIN just to prevent an accidental loss

Technology
 PC/SC chip + reader
 Credit card format
  – transport in wallet or stripe
  – printed
  – RFID
  – requires separate reader
 Token
  – attach to keys
  – no reader necessary
  – no printing
  – no RFID

Drivers
 Reader driver
  – USB CCID compatible built-in
  – many other built-in
 Chip driver
  – Cryptographic Service Provider (CSP): SafeSign, CryptPlus, Schlumberger, …
  – minidriver for Microsoft Base Smart Card CSP
  – CERTUTIL -csplist

Vendors
 Card + reader ~ 1000 CZK
 Gemalto
  – .NET v2 ~ IDPrime IM v2 ~ IDPrime.NET ~ IDPrime IM v3 ~ Axalto Cryptoflex.NET
  – the only mini-driver built-in
 Monet+
  – Czech vendor
  – mini-driver installable
 Aladdin, …
  – require full CSP $$$

Card management
 CERTUTIL -scinfo
 Excel :-)
 third-party tools

CA hierarchy?
 Trust maintenance
  – may be expensive to be trusted
  – may be even more expensive to revoke root
  – risk analysis
 Revocation of subordinates
 Distributed administration
  – Qualified subordination
 CRL (Certificate Revocation List)
 OCSP (Online Certificate Status Protocol)

CA hierarchy? (diagram: two-tier hierarchy)
 GOPAS Root CA → GOPAS London CA, GOPAS Paris CA, GOPAS Prague CA → Leaf certificate

CA hierarchy? (diagram: separate roots)
 GOPAS Root London CA, GOPAS Root Paris CA, GOPAS Root Prague CA → Leaf certificate

Where the nonsense leads
 Offline root
  – OS license
  – hardware
  – physical access to publish CRLs
 Degenerate CRL publishing
  – once several months
  – or only once!

Trust maintenance in Windows domain

Risk assessment in Windows domain
 Risk of AD Domain Controller: single DC compromised = whole forest compromised
 Online AD integrated enterprise PKI cannot have higher risks than any DC
 NTAuth CAs have the same level of risk as any DC

CA hierarchy?

Algorithms
 SHA-1
  – well compatible with XP, 2003
  – stronger than 12 character passwords
 SHA-256, SHA-384, SHA-512
  – requires XP SP3
  – requires manual download update KB for 2003
  – requires manual download update KB for auto-enrollment on XP SP3 and 2003
  – no problem with the card hardware
 RSA 2048
  – well supported by card hardware
  – only 112 bit strength
 RSA 4096
  – stronger, but limited support by card hardware
 ECDH
  – bad application and no card hardware support

Comparable Algorithm Strengths (SP800-57)

Strength | Symmetric | RSA       | ECDSA     | SHA
80 bit   | 2TDEA     | RSA 1024  | ECDSA 160 | SHA-1
112 bit  | 3TDEA     | RSA 2048  | ECDSA 224 | SHA-224
128 bit  | AES-128   | RSA 3072  | ECDSA 256 | SHA-256
192 bit  | AES-192   | RSA 7680  | ECDSA 384 | SHA-384
256 bit  | AES-256   | RSA 15360 | ECDSA 512 | SHA-512

Domain SC User with RSA (certificate template settings)

Extension      | Value
Subject        | Common Name or Distinguished Name
SAN            | UPN or AD mapped subject (Windows 6.0+)
Exportable Key | no?
Archive Key    | no, transport encryption only
Key Type       | Signature (AllowSignatureOnlyKeys GPO on Windows 6.0+); Encryption (required on 2000+, more secure)
Key Usage      | Digital Signature
CSP            | Smart Card compatible provider
EKU            | Smart Card Logon (can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU)
Autoenrollment | no?
Publish in AD  | no

Certificate mapping
 altSecurityIdentities
 all reversed (DN components and serial number bytes are written in reverse order)
 Subject and Issuer fields
  X509:<I>DC=virtual,DC=gopas,CN=GOPAS Root CA<S>CN=kamil
 Subject DN
  X509:<S>CN=kamil
 Subject Key Identifier
  X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
 Issuer, and Serial Number
  X509:<I>DC=gopas,DC=virtual,CN=GOPAS Root CA<SR>bde810
 SHA1 Hash
  X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd
 RFC822 name
  X509:<RFC822>
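The mapping slide lists the altSecurityIdentities forms but not how the reversed values are produced. The following is an added example, not code from the slides or from Microsoft: it builds each X509:<...> string from certificate fields that have already been read out (for instance from certutil -dump output) and shows the DN and serial-number reversal explicitly. The issuer DN, subject, serial number and hash values are constructed sample data; the strong/weak classification is the one Microsoft introduced later in KB5014754 (2022), which postdates these slides.

```python
"""Build altSecurityIdentities values for smart card logon mapping (added example)."""
import re


def split_rdns(dn):
    """Split an RFC 4514 style DN on commas that are not escaped with a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def reverse_dn(dn):
    """Write the DN with its RDNs in reverse order, as altSecurityIdentities expects.

    'CN=GOPAS Root CA,DC=gopas,DC=virtual' -> 'DC=virtual,DC=gopas,CN=GOPAS Root CA'
    """
    return ",".join(reversed(split_rdns(dn)))


def reverse_serial(serial_hex):
    """Reverse the byte order of a hex serial number; the <SR> field is byte-reversed."""
    digits = serial_hex.replace(" ", "").replace(":", "").lower()
    if len(digits) % 2:
        digits = "0" + digits  # pad to whole bytes before reversing
    byte_pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(reversed(byte_pairs))


def normalize_hash(hex_value):
    """Strip the spaces certutil prints between bytes and lower-case the hex."""
    return hex_value.replace(" ", "").lower()


def issuer_subject(issuer_dn, subject_dn):
    return f"X509:<I>{reverse_dn(issuer_dn)}<S>{reverse_dn(subject_dn)}"


def subject_only(subject_dn):
    return f"X509:<S>{reverse_dn(subject_dn)}"


def subject_key_identifier(ski_hex):
    return f"X509:<SKI>{normalize_hash(ski_hex)}"


def issuer_serial(issuer_dn, serial_hex):
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


def sha1_public_key(pukey_sha1_hex):
    # Takes the SHA-1 public key hash as already computed/printed by the tooling.
    return f"X509:<SHA1-PUKEY>{normalize_hash(pukey_sha1_hex)}"


def rfc822_name(email):
    return f"X509:<RFC822>{email}"


# Forms Microsoft classifies as strong in KB5014754: they bind to a specific
# issued certificate (serial, key identifier, key hash) rather than to a name
# that a CA could issue again to a different key.
STRONG_TAGS = ("<SR>", "<SKI>", "<SHA1-PUKEY>")


def is_strong_mapping(mapping):
    """True for issuer+serial, SKI and SHA1-PUKEY mappings; False for <S>, <I><S>, <RFC822>."""
    return any(tag in mapping for tag in STRONG_TAGS)


if __name__ == "__main__":
    # Constructed sample certificate fields (not real GOPAS values).
    issuer = "CN=GOPAS Root CA,DC=gopas,DC=virtual"
    subject = "CN=kamil"
    serial = "10 e8 bd"
    for value in (issuer_subject(issuer, subject), subject_only(subject),
                  issuer_serial(issuer, serial), rfc822_name("kamil@gopas.virtual")):
        print("strong" if is_strong_mapping(value) else "weak ", value)
```

Each returned string is one value for the user's altSecurityIdentities attribute. Of the forms on the slide, only the issuer+serial, SKI and SHA1-PUKEY mappings tie the account to one specific certificate; subject- or e-mail-based mappings rely on the CA never issuing the same name to another key.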

Courses at the Gopas Computer School
 GOC170 - AD Monitoring with SCOM and ACS
 GOC171 - Active Directory Troubleshooting
 GOC172 - Kerberos Troubleshooting
 GOC173 - Enterprise PKI
 GOC174 - SharePoint Architecture and Troubleshooting
 GOC175 - Advanced Security
 GOC169 - Auditing ISO/IEC 2700x
Get a TechEd 2014 T-shirt for filling in the evaluation questionnaire.