Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH


1 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |

2 Smart card logon
- Motivation
- Kerberos smart card logon vs. TLS client certificate authentication
- CA requirements
- Certificate requirements
- Enrollment agents

3 Motivation
- Passwords shorter than 12 characters are insecure
- They can be cracked from: AD, local databases, password caches, NTLM and Kerberos traffic, LDAP simple bind, stored passwords, ...
- Windows passwords are stored as MD4 (the NT hash: unsalted MD4 of the UTF-16LE password)
- Certificates are signed with SHA-1 or SHA-2 and bind a random private key; unlike a password, such a key cannot be carried around easily without a smart card

4 SHA-1 problems
- Generic (birthday) collision attack at about 2^80 operations for a 160-bit hash; dedicated SHA-1 collision attacks are cheaper than that

5 Windows passwords
- 8-character password over an 80-character alphabet: 80^8 possible passwords
- How many bits is that? 2^x = 80^8, so x * log 2 = 8 * log 80, so x = 8 * log 80 / log 2, so x ~= 51
- 10 characters ~= 2^63
- 12 characters ~= 2^76 (still below the 2^80 collision bound of the previous slide)

6 Kerberos vs. TLS
- Kerberos TGT generation
  - with a password (pre-authentication with a password-derived key)
  - with a certificate (PKINIT)
- TLS client certificate logon
  - require a client certificate at the TLS layer
  - prevents before-authentication attacks on the application: without a valid certificate the TLS handshake fails and the application code is never reached

7 CA requirements
- Trusted (the chain ends in a root trusted by both the client and the domain controller)
- NTAuth trusted (the issuing CA certificate is published in the Enterprise NTAuth store, otherwise the DC will not map the certificate to an account)
- CRL/OCSP available (the DC must be able to check revocation of the user certificate, and the client that of the DC certificate)

8 Certificate requirements
- Domain controllers
  - name of the domain in the SAN (Kerberos Authentication template)
  - EKU: Smart Card Logon + Kerberos Authentication (KDC Authentication, 1.3.6.1.5.2.3.5)
- User certificates
  - Kerberos PKINIT: Smart Card Logon EKU
  - TLS client certificate authentication: Client Authentication EKU

9 Domain TLS User with RSA
Extension        Value
Subject          Common Name or Distinguished Name
SAN              UPN
Exportable key   no?
Archive key      no, transport encryption only
Key type         Signature
Key usage        Digital Signature
CSP              all Base, Enhanced, AES providers
EKU              Client Authentication 1.3.6.1.5.5.7.3.2
Autoenrollment   yes
Publish in AD    no

10 Domain SC User with RSA
Extension        Value
Subject          Common Name or Distinguished Name
SAN              UPN, or AD-mapped subject (Windows 6.0 = Vista/2008 and later)
Exportable key   no?
Archive key      no, transport encryption only
Key type         Signature (needs the AllowSignatureOnlyKeys policy on Windows 6.0+)
                 Encryption (required before Windows 6.0, i.e. 2000/XP/2003; more secure)
Key usage        Digital Signature
CSP              smart card compatible provider
EKU              Smart Card Logon 1.3.6.1.4.1.311.20.2.2
                 may be empty on Windows 6.0+, but if present it must contain Smart Card Logon
Autoenrollment   no?
Publish in AD    no
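The following PowerShell script is an added example, not part of the original deck: it audits one exported user certificate against the prerequisites of slides 7 to 10 (trusted chain with CRL/OCSP reachable, issuing CA in the Enterprise NTAuth store, EKU for PKINIT and for TLS, Key Usage, UPN in the SAN). It assumes a domain-joined Windows machine, that $CertPath points to a .cer file (placeholder), and that certutil prints NTAuth store members with a "Cert Hash(sha1)" line.

```powershell
# Added example (not from the original deck): audits one user certificate against the
# logon prerequisites from slides 7-10. Run on a domain-joined Windows machine.
# $CertPath is a placeholder for an exported certificate file (.cer, DER or Base64).
param(
    [Parameter(Mandatory)] [string] $CertPath
)

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU (slide 10)
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU (slide 9)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Trusted: build the chain and force revocation checking online for the whole chain,
#    so an unreachable CRL/OCSP responder shows up as a failure instead of a cached result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk     = $chain.Build($cert)
$chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# 2. NTAuth trusted: the issuing CA (chain element 1; element 0 is the leaf) must be listed in
#    the Enterprise NTAuth store. Spaces are stripped from the hash because older certutil
#    versions print it as separated bytes (assumption about the output format).
$issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }
$ntAuthHashes = @(certutil -enterprise -store NTAuth 2>$null | ForEach-Object {
    if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') { ($Matches[1] -replace '\s', '').ToUpperInvariant() }
})
$inNtAuth = ($null -ne $issuer) -and ($ntAuthHashes -contains $issuer.Thumbprint.ToUpperInvariant())

# 3. EKU: Smart Card Logon for PKINIT, Client Authentication for TLS. Slide 10 notes the EKU
#    may be absent on Windows 6.0+ (with the matching policy), so an empty EKU is not treated
#    as a failure here; an EKU that is present but lacks Smart Card Logon is.
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$pkinitEkuOk = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $SmartCardLogonOid)
$tlsEkuOk    = $ekuOids -contains $ClientAuthOid

# 4. Key Usage must include Digital Signature (both tables).
$kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$hasDigitalSignature = [bool]($kuExt -and ($kuExt.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature))

# 5. SAN: the UPN is the otherName 'Principal Name' entry of the Subject Alternative Name
#    extension (OID 2.5.29.17); Format() renders it as 'Other Name:Principal Name=user@domain'.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = $null
if ($sanExt -and ($sanExt.Format($false) -match 'Principal Name=([^,\s]+)')) { $upn = $Matches[1] }

[pscustomobject]@{
    Subject             = $cert.Subject
    Issuer              = $cert.Issuer
    ChainTrusted        = $chainOk
    ChainStatus         = ($chainStatus -join ', ')
    IssuerInNTAuth      = $inNtAuth
    EKUs                = ($ekuOids -join ', ')
    PkinitEkuOk         = $pkinitEkuOk
    TlsClientAuthEkuOk  = $tlsEkuOk
    HasDigitalSignature = $hasDigitalSignature
    SanUPN              = $upn
    ReadyForPkinit      = $chainOk -and $inNtAuth -and $pkinitEkuOk -and $hasDigitalSignature -and ($null -ne $upn)
    ReadyForTls         = $chainOk -and $tlsEkuOk -and $hasDigitalSignature -and ($null -ne $upn)
}
```

Run it as `.\Test-LogonCert.ps1 -CertPath .\user.cer` (file name assumed). A chain that builds with RevocationMode Offline but fails here points at the CRL/OCSP requirement of slide 7; a trusted chain whose issuer is not in NTAuth is the classic cause of "the system could not log you on" with a smart card, since the DC refuses to map the certificate to an account.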

11 Enrollment Agent
- aka Registration Authority (RA)
- enrolls on behalf of other users: the request is signed with the agent's own RA (Enrollment Agent) certificate
- AD CS can apply more granular policies (restricted enrollment agents: which agents may enroll which templates for which users or groups)

12 Smart card and certificate logon Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |

