Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card.

Published byGabriel Gray Modified over 9 years ago

Similar presentations

Presentation on theme: "Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card."— Presentation transcript:

1 Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint ondrej@sevecek.com | www.sevecek.com Smart card logon

2 Motivation  Use certificates for logon  Random keys stronger than passwords –SHA-1 >> 12 character password  Passwords can be stolen in clear –Thursday, 10:30 :-)  Multifactor authentication with smart card –private key never leaves the card –must have the card to logon –simple PIN just to prevent an accidental loss

3 Technology  PC/SC chip + reader  Credit card format –transport in wallet or stripe –printed –RFID –requires separate reader  Token –attach to keys –no reader necessary –no printing –no RFID

4 Drivers  Reader driver –USB CCID compatible built-in –many other built-in  Chip driver –Cryptographic Service Provider (CSP) SafeSign, CryptPlus, Schlumberger, … –minidriver for Microsoft Base Smart Card CSP –CERTUTIL -csplist

5 Vendors  Card + reader ~ 1000 CZK  Gemalto –.NET v2 ~ IDPrime IM v2 ~ IDPrime.NET ~ IPPrime IM v3 ~ Axalto Cryptoflex.NET –the only mini-driver built-in  Monet+ –Czech vendor –mini-driver installable  Aladin, … –require full CSP $$$

6 Card management  CERTUTIL -scinfo  Excel :-)  third-party tools

7 CA hierarchy?  Trust maintenance –may be expensive to be trusted –may be even more expensive to revoke root –risk analysis  Revocation of subordinates  Distributed administration –Qualified subordination  CRL (Certificate Revocation List)  OSCP (Online Certificate Status Protocol) 7

8 CA hierarchy? GOPAS Root CA GOPAS London CA GOPAS Paris CA GOPAS Prague CA Leaf certificate

9 CA hierarchy? GOPAS Root London CA GOPAS Root Paris CA GOPAS Root Prague CA Leaf certificate

10 Where the nonsense leads  Offline root –OS license –hardware –physical access to publish CRLs  Degenerate CRL publishing –once several months –or only once!

11 Trust maintenance in Windows domain

12 Risk assessment in Windows domain  Risk of AD Domain Controller single DC compromised = whole forest compromised  Online AD integrated enterprise PKI cannot have higher risks than any DC  NTAuth CAs have the same level of risk as any DC

13 CA hierarchy?

14 Algorithms  SHA-1 –well compatible with XP, 2003 –stronger than 12 character passwords  SHA-256, SHA-384, SHA-512 –requires XP SP3 –requires manual download update KB938397 for 2003 –requires manual download update KB968730 for auto-enrollment on XP SP3 and 2003 –no problem with the card hardware  RSA 2048 –well supported by card hardware –only 112 bit strength  RSA 4096 –stronger, but limited support by card hardware  ECDH –bad application and no card hardware support

15 Comparable Algorithm Strengths (SP800-57) StrengthSymetricRSAECDSASHA 80 bit2TDEARSA 1024ECDSA 160SHA-1 112 bit3TDEARSA 2048ECDSA 224SHA-224 128 bitAES-128RSA 3072ECDSA 256SHA-256 192 bitAES-192RSA 7680ECDSA 384SHA-384 256 bitAES-256RSA 15360ECDSA 512SHA-512

16 Domain SC User with RSA ExtensionValue SubjectCommon Name or Distinguished Name SANUPN or AD mapped subject (Windows 6.0+) Exporatable Keyno? Archive Keyno, transport encryption only Key TypeSignature (AllowSignatureOnlyKeys GPO on Windows 6.0+) Encryption (required on 2000+, more secure) Key UsageDigital Signature CSPSmart Card compatible provider EKUSmart Card Logon 1.3.6.1.4.1.311.20.2.2 can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU Autoenrollmentno? Publish in ADno

17 Certificate mapping  altSecurityIdentities  all reverted  Subject and Issuer fields X509: DC=virtual,DC=gopas,CN=GOPAS Root CA CN=kamil  Subject DN X509: CN=kamil  Subject Key Identifier X509: ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41  Issuer, and Serial Number X509: DC=gopas,DC=virtual,CN=GOPAS Root CA 32000000000003bde810  SHA1 Hash X509: ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd  RFC822 name X509: kamil@gopas.cz

18 Kurzy Počítačové školy Gopas na www.gopas.cz GOC170 - AD Monitoring with SCOM and ACS GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting GOC173 - Enterprise PKI GOC174 - SharePoint Architecture and Troubleshooting GOC175 - Advanced Security GOC169 - Auditing ISO/IEC 2700x Získejte tričko TechEd 2014 za vyplněný hodnotící dotazník.

Download ppt "Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |

GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards

Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards
Planning a Public Key Infrastructure

Planning a Public Key Infrastructure
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Chapter 9 Deploying IIS and Active Directory Certificate Services

Chapter 9 Deploying IIS and Active Directory Certificate Services
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.

Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Copyright line. Configuring Certificate Services and PKI Exam Objectives  Planning a Windows Server 2008 Certificate-Based PKI  Implementing Certification.

Copyright line. Configuring Certificate Services and PKI Exam Objectives  Planning a Windows Server 2008 Certificate-Based PKI  Implementing Certification.
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Identity and Access IDGo Secure Email (ISE) for Android Didier Bonnet April 2015.

Identity and Access IDGo Secure (ISE) for Android Didier Bonnet April 2015.

Similar presentations

Ads by Google