1
CredSSP in RDP
Sreekanth Nadendla, Windows Open Specifications
2
Topics: CredSSP operation; Smart card redirection – RDPESC updates
3
CredSSP Authentication
Introduced in Windows Vista/2008. Allows for second-hop authentication, aka Credentials Delegation: computer B can authenticate with computer C as computer A. Overcomes formal Kerberos delegation. [Diagram: login at A, Server B, Server C, Kerberos]
4
CredSSP Overview (MS-CSSP)
The Credential Security Support Provider (CredSSP) Protocol enables an application to securely delegate a user's credentials from a client to a target server. It establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS) (as specified in [RFC2246]). The CredSSP Protocol uses TLS only as an encrypted pipe; it does not rely on the client/server authentication services that are available in TLS. The CredSSP Protocol then uses the protocol extensions described in [MS-SPNG] to negotiate a Generic Security Services (GSS) mechanism that performs mutual authentication and GSS confidentiality services, which are used to securely bind to the TLS channel and to encrypt the credentials for the target server. All GSS security tokens are sent over the encrypted TLS channel.
5
CredSSP Messages
6
TSRequest
The CredSSP Protocol introduces the TSRequest message. The client and server use this message to encapsulate the SPNEGO tokens and the TSCredentials message that the client uses to delegate the user's credentials to the CredSSP server over a TLS connection. These messages are encoded using ASN.1 (as specified in [X690]) with Distinguished Encoding Rules (DER).

TSRequest ::= SEQUENCE {
    version    [0] INTEGER,
    negoTokens [1] NegoData OPTIONAL,
    authInfo   [2] OCTET STRING OPTIONAL,
    pubKeyAuth [3] OCTET STRING OPTIONAL,
    errorCode  [4] INTEGER OPTIONAL
}
7
authInfo
A TSCredentials structure that contains the user's credentials.

TSCredentials ::= SEQUENCE {
    credType    [0] INTEGER,
    credentials [1] OCTET STRING
}

credType  Meaning
1         credentials contains a TSPasswordCreds structure that defines the user's password credentials.
2         credentials contains a TSSmartCardCreds structure that defines the user's smart card credentials.
6         credentials contains a TSRemoteGuardCreds structure that defines logon and supplemental credentials.
8
Credential Structures
TSPasswordCreds ::= SEQUENCE {
    domainName [0] OCTET STRING,
    userName   [1] OCTET STRING,
    password   [2] OCTET STRING
}

TSCspDataDetail ::= SEQUENCE {
    keySpec       [0] INTEGER,
    cardName      [1] OCTET STRING OPTIONAL,
    readerName    [2] OCTET STRING OPTIONAL,
    containerName [3] OCTET STRING OPTIONAL,
    cspName       [4] OCTET STRING OPTIONAL
}

TSRemoteGuardCreds ::= SEQUENCE {
    logonCred         [0] TSRemoteGuardPackageCred,
    supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL
}

TSRemoteGuardPackageCred ::= SEQUENCE {
    packageName [0] OCTET STRING,
    credBuffer  [1] OCTET STRING
}
9
pubKeyAuth
This field is used to assure that the public key used by the server during the TLS handshake belongs to the target server and not to a "man in the middle". After the client completes the SPNEGO phase of the CredSSP Protocol, it uses GSS_WrapEx() for the negotiated protocol to encrypt the server's public key. The pubKeyAuth field carries the message signature followed by the encrypted public key to the server. In response, the server uses the pubKeyAuth field to transmit to the client a modified version of the public key, encrypted under the encryption key that was negotiated under SPNEGO.
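As an added example (not Microsoft's code and not part of the deck), a minimal DER encoder and decoder for the TSRequest and TSCredentials structures on the preceding slides, including the credType table. It assumes INTEGER values are non-negative and leaves negoTokens as opaque bytes, since the NegoData layout is not shown on the slides.

```python
# Minimal DER encoder/decoder for the TSRequest and TSCredentials structures on the
# slides (constructed example, not Microsoft's code). [n] is the context-specific
# constructed tag 0xA0 | n; negoTokens stays opaque since NegoData is not on the slides.
CRED_TYPES = {1: "TSPasswordCreds", 2: "TSSmartCardCreds", 6: "TSRemoteGuardCreds"}
FIELDS = {0: "version", 1: "negoTokens", 2: "authInfo", 3: "pubKeyAuth", 4: "errorCode"}

def _tlv(tag, body):  # DER TLV; length in short form below 128, long form otherwise
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _integer(v):  # DER INTEGER; values assumed non-negative in this example
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _read_tlv(buf, pos=0):  # -> (tag, value, position just after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):  # list of (tag, value) TLVs directly inside a constructed value
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_tscredentials(der):  # -> (credType, structure name per the slide table, credentials)
    (_, ct), (_, cr) = _children(_read_tlv(der)[1])
    cred_type = int.from_bytes(_read_tlv(ct)[1], "big")
    return cred_type, CRED_TYPES.get(cred_type, "unknown"), _read_tlv(cr)[1]

def encode_tsrequest(version, nego_tokens=None, auth_info=None, pub_key_auth=None, error_code=None):
    fields = [_tlv(0xA0, _integer(version))]  # OPTIONAL fields are emitted only when given
    for idx, val in ((1, nego_tokens), (2, auth_info), (3, pub_key_auth), (4, error_code)):
        if val is None:
            continue
        body = val if idx == 1 else _integer(val) if idx == 4 else _tlv(0x04, val)
        fields.append(_tlv(0xA0 | idx, body))
    return _tlv(0x30, b"".join(fields))

def parse_tsrequest(der):  # -> dict of the fields present, keyed by ASN.1 name
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out = {}
    for tag, inner in _children(body):
        if (tag & 0xE0) != 0xA0 or (tag & 0x1F) not in FIELDS:
            raise ValueError("unexpected tag 0x%02x in TSRequest" % tag)
        name = FIELDS[tag & 0x1F]
        val = inner if name == "negoTokens" else _read_tlv(inner)[1]
        out[name] = int.from_bytes(val, "big") if name in ("version", "errorCode") else val
    return out
```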
10
Smart Card Redirection (MS-RDPESC)
11
Smart card Redirection
MS-RDPESC: a pipe between the PC/SC implementations on the client and server side. [Diagram: Smart Card SDK functions on the server, smart card IOCTLs over the channel, SDK functions on the client]
12
Versioning and Capability
Determined by the RDP client build number ([MS-RDPBCGR], section number not captured).

Build Number        Dialect
>= 7865             SCREDIR_VERSION_WINDOWS_8 (3)
>= 4034 and < 7865  SCREDIR_VERSION_LONGHORN (2)
< 4034              SCREDIR_VERSION_XP (1)
13
Capabilities

SCREDIR_VERSION_XP: base level.
SCREDIR_VERSION_LONGHORN: adds SCARD_IOCTL_READCACHEW, SCARD_IOCTL_READCACHEA, SCARD_IOCTL_WRITECACHEW, SCARD_IOCTL_WRITECACHEA, SCARD_IOCTL_GETTRANSMITCOUNT.
SCREDIR_VERSION_WINDOWS_8: adds SCARD_IOCTL_GETREADERICON, SCARD_IOCTL_GETDEVICETYPEID.
14
CredSSP with HTTP
In the network capture, you will see the headers mentioned above as:
WWW-Authenticate: CredSSP FgMBAv0CAABRAwFW3i0gqfI50SDRncb4rJp7gbSN2wVNQK+dAYqEMgRjOSCASwAAFZTDSJsAh8lUrW8kp51iLlpG82PfAEfp+X4C+8AUAAAJABcAAP8BAAEACwAB1QAB0gABzzCCAcswggE0oAMCAQICEB4GZ1Rsl262T/Ue7d6CO2QwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAxMZV1NNQU4tc2VydmVyMS5jb2
These are the base64-encoded TLS messages. This is the one that trips customers the most: they expect that (if HTTPS is used) CredSSP will not use TLS, since HTTPS is already doing that. Not so.
15
5/26/ :01 PM © Microsoft Corporation. All rights reserved.