Post on 26-Feb-2016
description
Ing. Ondřej ŠevečekMCSM:Directory | MVP:Enterprise Security |Certified Ethical Hacker | MCSE:SharePointondrej@sevecek.com | www.sevecek.com
Smart card logon
Motivation
Use certificates for logon Random keys stronger than passwords
– SHA-1 >> 12 character password Passwords can be stolen in clear
– Thursday, 10:30 :-) Multifactor authentication with smart card
– private key never leaves the card– must have the card to logon– simple PIN just to prevent an accidental loss
Technology
PC/SC chip + reader Credit card format
– transport in wallet or stripe– printed– RFID– requires separate reader
Token– attach to keys– no reader necessary– no printing– no RFID
Drivers
Reader driver– USB CCID compatible built-in– many other built-in
Chip driver– Cryptographic Service Provider (CSP)
• SafeSign, CryptPlus, Schlumberger, …– minidriver for Microsoft Base Smart Card CSP– CERTUTIL -csplist
Vendors
Card + reader ~ 1000 CZK Gemalto
– .NET v2 ~ IDPrime IM v2 ~ IDPrime .NET ~ IPPrime IM v3 ~ Axalto Cryptoflex .NET
– the only mini-driver built-in Monet+
– Czech vendor– mini-driver installable
Aladin, …– require full CSP $$$
Card management
CERTUTIL -scinfo Excel :-) third-party tools
CA hierarchy?
Trust maintenance– may be expensive to be trusted– may be even more expensive to revoke root– risk analysis
Revocation of subordinates Distributed administration
– Qualified subordination CRL (Certificate Revocation List) OSCP (Online Certificate Status Protocol)
7
CA hierarchy?
GOPAS Root CA
GOPASLondon CA
GOPASParis CA
GOPASPrague CA
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
CA hierarchy?
GOPAS RootLondon CA
GOPAS RootParis CA
GOPAS RootPrague CA
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
Where the nonsense leads
Offline root– OS license– hardware– physical access to publish CRLs
Degenerate CRL publishing– once several months– or only once!
Trust maintenance in Windows domain
Risk assessment in Windows domain
Risk of AD Domain Controllersingle DC compromised = whole forest compromised
Online AD integrated enterprise PKI cannot have higher risks than any DC
NTAuth CAs have the same level of risk as any DC
CA hierarchy?
Algorithms
SHA-1– well compatible with XP, 2003– stronger than 12 character passwords
SHA-256, SHA-384, SHA-512– requires XP SP3– requires manual download update KB938397 for 2003– requires manual download update KB968730 for auto-enrollment on XP SP3 and 2003– no problem with the card hardware
RSA 2048– well supported by card hardware– only 112 bit strength
RSA 4096– stronger, but limited support by card hardware
ECDH– bad application and no card hardware support
Comparable Algorithm Strengths (SP800-57)
Strength Symetric RSA ECDSA SHA
80 bit 2TDEA RSA 1024 ECDSA 160 SHA-1
112 bit 3TDEA RSA 2048 ECDSA 224 SHA-224
128 bit AES-128 RSA 3072 ECDSA 256 SHA-256
192 bit AES-192 RSA 7680 ECDSA 384 SHA-384
256 bit AES-256 RSA 15360 ECDSA 512 SHA-512
Domain SC User with RSAExtension Value
Subject Common Name or Distinguished Name
SAN UPNor AD mapped subject (Windows 6.0+)
Exporatable Key no?
Archive Key no, transport encryption only
Key Type Signature (AllowSignatureOnlyKeys GPO on Windows 6.0+)Encryption (required on 2000+, more secure)
Key Usage Digital Signature
CSP Smart Card compatible provider
EKU Smart Card Logon1.3.6.1.4.1.311.20.2.2can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU
Autoenrollment no?
Publish in AD no
Certificate mapping
altSecurityIdentities all reverted
Subject and Issuer fields X509:<I>DC=virtual,DC=gopas,CN=GOPAS Root CA<S>CN=kamil
Subject DN X509:<S>CN=kamil
Subject Key Identifier X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
Issuer, and Serial NumberX509:<I>DC=gopas,DC=virtual,CN=GOPAS Root CA<SR>32000000000003bde810
SHA1 Hash X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd
RFC822 name X509:<RFC822>kamil@gopas.cz
Kurzy Počítačové školy Gopas na www.gopas.cz
GOC170 - AD Monitoring with SCOM and ACSGOC171 - Active Directory TroubleshootingGOC172 - Kerberos TroubleshootingGOC173 - Enterprise PKIGOC174 - SharePoint Architecture and TroubleshootingGOC175 - Advanced SecurityGOC169 - Auditing ISO/IEC 2700x
Získejte tričko TechEd 2014za vyplněný hodnotící dotazník.