Presentation is loading. Please wait.

Presentation is loading. Please wait.

Public Key Infrastructure – Deep Dive PKI session SHOWING you how to embrace PKI Steve Lamb

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Public Key Infrastructure – Deep Dive PKI session SHOWING you how to embrace PKI Steve Lamb"— Presentation transcript:

1 Public Key Infrastructure – Deep Dive PKI session SHOWING you how to embrace PKI Steve Lamb stephlam@microsoft.com http://blogs.technet.com/steve_lamb IT Pro Security Evangelist Microsoft Ltd

2 Agenda What can PKI enable Let’s review the theory Introducing our Demonstration Environment Secure Web Publishing Secure Email Secure Files Recommendations

3 What can PKI enable? Secure Email – sign and/or encrypt messages Secure browsing – SSL – authentication and encryption Secure code – authenticode Secure wireless – PEAP & EAP-TLS Secure documents – Rights Management Secure networks – segmentation via IPsec Secure files – Encrypted File System(EFS)

4 Let’s review the theory…

5 Security Defense in Depth Data and Resources Application Defenses Host Defenses Network Defenses Perimeter Defenses

6 Symmetric Key Cryptography Encryption “The quick brown fox jumps over the lazy dog” “AxCv;5bmEseTfid3) fGsmWe#4^,sdgfMwi r3:dkJeTsY8R\s@!q3 %” “The quick brown fox jumps over the lazy dog” Decryption Plain-text input Plain-text output Cipher-text Same key (shared secret)

7 Public Key Encryption Encryption “The quick brown fox jumps over the lazy dog” “Py75c%bn&*)9|fDe^ bDFaq#xzjFr@g5=&n mdFg$5knvMd’rkveg Ms” “The quick brown fox jumps over the lazy dog” Decryption Clear-text Input Clear-text Output Cipher-text Different keys Recipient’s public key Recipient’s private key private public

8 Hybrid Encryption (Real World) As above, repeated for other recipients or recovery agents Digital Envelope Other recipient’s or agent’s public key (in certificate) in recovery policy Launch key for nuclear missile“RedHeat”is... Symmetric key encrypted asymmetrically (e.g., RSA) Digital Envelope User’s public key (in certificate) RNG Randomly- Generated symmetric “session” key Symmetric encryption (e.g. DES) *#$fjda^ju539!3t t389E *&\@ 5e%32\^kd

9 Introducing our demonstration environment

10 Network Infrastructure

11 Certification Authority Installed on the DC for simplicity In production use a multi-level hierarchy Enterprise Installation – integrated with AD

12 Secure Web Publishing

13 Application Layer Content ?????????????????????? A Traditional Firewall’s View of a Packet Only packet headers are inspected Application layer content appears as “black box” IP Header Source Address, Dest. Address, TTL, Checksum TCP Header Sequence Number Source Port, Destination Port, Checksum Forwarding decisions based on port numbers Legitimate traffic and application layer attacks use identical ports Internet Expected HTTP Traffic Unexpected HTTP Traffic Attacks Non-HTTP Traffic Corporate Network

14 ISA Server’s View of a Packet Application Layer Content MSNBC - MSNBC Front Page <link rel="stylesheet" IP Header Source Address, Dest. Address, TTL, Checksum TCP Header Sequence Number Source Port, Destination Port, Checksum Forwarding decisions based on content Only legitimate and allowed traffic is processed Internet Expected HTTP Traffic Unexpected HTTP Traffic Attacks Non-HTTP Traffic Corporate Network Packet headers and application content are inspected

15 Configure IIS for HTTPS Populate site Enrol for web server certificate Configure SSL

16 Configure ISA for SSL Copy web server cert to ISA

17 Publish the web server Use the Wizard! Create an SSL listener

18 Secure Email

19 How Exchange RPC Works ServiceUUIDPort Exchange Info Store {0E4A0156-DD5D-11D2-8C2F- 00CD4FB6BCDE} 4402 Active Directory {E35114235-4B06-11D1-AB04- 00C04C2DCD2} 3544 Performance Monitor {A00C021C-2BE2-11D2-B678- 0000F87A8F8E} 9233 RPC Server (Exchange) RPC Client (Outlook) TCP 135: Port for {0E4A…} Port 4402: Data The RPC server maintains a table of Universally Unique Identifiers (UUID) and assigned port 1 The client connects to TCP port 135 on the server to query for the port associated with a UUID 2 The server responds with the associated port 3 The client reconnects to server on the designated port to access Exchange Server 4 Server: Port 4402 Internet

20 RPC and Traditional Firewalls Open port 135 for incoming traffic Open every port that RPC might use for incoming traffic RPC Server (Exchange) RPC Client (Outlook) TCP 135: Port for {0E4A… ? Port 4402: Data Server: Port 4402 Traditional firewalls can’t provide secure RPC access Internet

21 RPC and ISA Server RPC Server (Exchange) RPC Client (Outlook) TCP 135: Port for {0E4A… ? Port 4402: Data Server: Port 4402 Internet Initial connection Only allows valid RPC traffic Blocks non-Exchange queries Secondary connection Only allows connection to port used by Exchange Enforces encryption ISA Server enables secure remote e-mail access using Outlook

22 Configure Secure Email Request a “user” cert Configure Outlook to use the cert Send Signed / Encrypted message

23 Secure Files

24 Protecting files (“Stop thief!”) BIOS passwords Not universally supported Pretty much no recovery if you forget! Good passwords Mitigate “pass-the-hash” attacks SysKey mode 3 Useful mostly for protecting local accounts Use system restore disk if you forget Encrypting file system (EFS) Transparent to applications and users Computationally infeasible to break (domain accts or SysKey 3) Must implement recovery agents; better with domain and PKI

25 EFS operation Assumptions: domain accounts, enterprise CA, Windows Server 2003, Windows XP EFS certificate request with public EFS key generate public and private EFS keys public key bound to cert; store cert and private key in profile generate file encryption key encrypt FEK with EFS key encrypt FEK with default recovery agent

26 Avoid EFS “gotchas” Back up that EFS certificate and the keys! You will lose access if you have no PKI or DRA CIPHER /X command  store on USB drive Also export local DRA and remove from computer Eliminate plain-text “shreds” Encrypt folders, not files CIPHER /W  wipe slack space: 00-FF-random Please, just use an enterprise CA Set up for auto-enrollment Configure DRA in group policy Now you won’t have any worries

27 Recommendations Don’t be scared of PKI! Set up a test environment to enable you to “play” Minimise the scope of your first implementation Read up on CP & CPS Document the purpose and operating procedures of your PKI

28 Summary Cryptography is a rich and amazingly mature field We all rely on it, everyday, with our lives Know the basics and make good choices avoiding common pitfalls Plan your PKI early Avoid very new and unknown solutions

29 References Visit www.microsoft.com/security www.microsoft.com/security Read sci.crypt (incl. archives) For more detail, read: Cryptography: An Introduction, N. Smart, McGraw-Hill, ISBN 0-07-709987-7 Practical Cryptography, N. Ferguson & B. Schneier, Wiley, ISBN 0-471-22357-3 Contemporary Cryptography, R. Oppliger, Artech House, ISBN 1-58053-642-5 (to be published May 2005, see http://www.esecurity.ch/Books/cryptography.html) http://www.esecurity.ch/Books/cryptography.html Applied Cryptography, B. Schneier, John Wiley & Sons, ISBN 0-471-11709-9 Handbook of Applied Cryptography, A.J. Menezes, CRC Press, ISBN 0-8493- 8523-7, www.cacr.math.uwaterloo.ca/hac (free PDF) www.cacr.math.uwaterloo.ca/hac PKI, A. Nash et al., RSA Press, ISBN 0-07-213123-3 Foundations of Cryptography, O. Goldereich, www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html www.eccc.uni-trier.de/eccc-local/ECCC-Books/oded_book_readme.html Cryptography in C and C++, M. Welschenbach, Apress, ISBN 1-893115-95-X (includes code samples CD)

30 Community Resources http://www.microsoft.com/communities/default.mspx Most Valuable Professional (MVP) http://www.microsoft.com/communities/mvp Newsgroups Converse online with Microsoft Newsgroups, including Worldwide http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx http://communities2.microsoft.com/communities /newsgroups/en-us/default.aspx User Groups - Meet and learn with your peers http://www.microsoft.com/communities/usergroups default.mspx http://www.microsoft.com/communities/usergroups default.mspx

31 Copyright 2004 © Project Botticelli Ltd & Microsoft Corp. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. Thanks to Rafal Lukawiecki for providing some of the content for this presentation deck – his contact details are as follows… rafal@projectbotticelli.co.uk Strategic Consultant, Project Botticelli Ltd

Download ppt "Public Key Infrastructure – Deep Dive PKI session SHOWING you how to embrace PKI Steve Lamb"

Similar presentations

Public Key Infrastructure – tell me in plain English AND THEN deep technical how PKI works Steve Lamb stephlam@microsoft.com http://blogs.technet.com/steve_lamb.

Public Key Infrastructure – tell me in plain English AND THEN deep technical how PKI works Steve Lamb
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
A-to-Z of Public Key Infrastructure (PKI)

A-to-Z of Public Key Infrastructure (PKI)
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Mostly borrowed & updated from Steve Lamb in Microsoft Land….

Mostly borrowed & updated from Steve Lamb in Microsoft Land….
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Similar presentations

Ads by Google