Windows PKI

Post on 25-Feb-2016


Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com


Outline

- Hash algorithms
- Symmetric algorithms
- Asymmetric algorithms
- Current algorithms in use
- Cryptographic standards
- Operating system support

Security Services

- Confidentiality
- Data Integrity
  - accidental vs. deliberate modification
- Authentication
  - plus role-based authentication when more individuals share authentication information
- Authorization
- Non-repudiation

key establishment and random number

Cryptographic Algorithms

- Hash algorithms
  - no keys
- Symmetric key algorithms
  - secret key
- Asymmetric key algorithms
  - public and private key

HASH ALGORITHMS

Cryptography

Hashing

[Diagram labels: Clear-text, hash, Hash]

- Data authentication and integrity in conjunction with keys
  - HMAC – Hashed Message Authentication Code
- Compression of messages for digital signatures
- Deriving keys
- Generation of deterministic random numbers

Incorrect hash example

- Sum alphabet letter positions
  - HELLO = 8 + 5 + 12 + 12 + 15 = 52
- Can obtain arbitrary clear-text (collision) without brute-forcing
- Two similar clear-texts lead to similar output

Hash collisions

- Pure arithmetic collisions
  - limited exploitability
- Post-signing collisions
- Chosen-prefix collisions

Post-signing collision

Name: Ondrej

Owes: 100 $

Hash: 14EEDA49C1B7

To: Kamil

Signature: 3911BA85

Name: Ondrej

Owes: 1 000 000 $

Hash: 14EEDA49C1B7

To: Kamil

Signature: 3911BA85

Trash: XX349%$@#BB...
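
The two slides above ("Incorrect hash example" and "Post-signing collision") can be tried out with the letter-sum hash itself. This is an added example, not code from the original presentation; the sample documents, the " | " separator and all function names are constructed for illustration.

```python
import hashlib
import string

def letter_sum_hash(text: str) -> int:
    """The slide's 'incorrect hash': sum of alphabet positions (A=1 .. Z=26)."""
    return sum(ord(c) - ord("A") + 1 for c in text.upper() if "A" <= c <= "Z")

def pad_to_target(forged: str, target: int) -> str:
    """Append 'trash' letters so the forged text reaches the target hash.

    The padding is computed directly; nothing is brute-forced.
    """
    missing = target - letter_sum_hash(forged)
    if missing < 0:
        raise ValueError("a plain sum can only grow; forged text is already too large")
    trash = "Z" * (missing // 26)
    if missing % 26:
        trash += string.ascii_uppercase[missing % 26 - 1]
    return f"{forged} | {trash}"

def sha256_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between the SHA-256 digests of two strings."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")

# Constructed sample documents (not from the slides).
SIGNED = "ONDREJ OWES KAMIL ONE HUNDRED DOLLARS"
FORGED = "ONDREJ OWES KAMIL ONE MILLION"

if __name__ == "__main__":
    target = letter_sum_hash(SIGNED)
    padded = pad_to_target(FORGED, target)
    # Same hash, so a signature over the hash of SIGNED also covers the padded forgery.
    print(target, letter_sum_hash(padded), repr(padded))
    # Similar inputs give similar outputs with the toy hash ...
    print(letter_sum_hash("HELLO"), letter_sum_hash("HELLP"))
    # ... while a cryptographic hash changes roughly half of its 256 output bits.
    print(sha256_bit_distance("HELLO", "HELLP"))
```

Because the signature covers only the hash value, any function for which such padding can be computed gives no integrity protection, whatever the strength of the signing key.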


Chosen-prefix collision

CN: www.idtt.com

Valid: 2010

Hash: 24ECDA49C1B7

Serial #: 325

Signature: 5919BA85

Public: 35B87AA11...

CN: www.microsoft.com

Valid: 2010

Hash: 24ECDA49C1B7

Serial #: 325

Signature: 5919BA85

Public: 4B3318C9D...

MD5 problems

- Pure arithmetic in 2^112 evaluations
- Post-signing collisions suspected
- Chosen-prefix collisions
  - Practically proved for certificates with predictable serial numbers
  - 2^50

SHA-1 problems

- General brute-force attack at 2^80
  - comparable to a complex password of about 12 characters
- Some collisions found at 2^63
  - pure arithmetic collisions, no exploitation proved

SYMMETRIC ALGORITHMS

Cryptography

Symmetric key

- Data confidentiality
- Authentication and integrity
  - MAC – Message Authentication Code, single key to generate, the same to validate
- Key establishment
- Generation of deterministic random numbers

Password and key

[Diagram labels: Password, Hash, Key, Clear-text, Cipher, Cipher-text]

Encryption key

[Diagram labels: Clear-text, Key, Cipher, Cipher-text, Key]

ASYMMETRIC ALGORITHMS

Cryptography

Asymmetric keys

- Digital signatures
- Key establishment
- Generation of random numbers

Encryption and decryption keys

[Diagram labels: Clear-text, Encryption key, Cipher, Cipher-text, Decryption key]

Private and public key

[Diagram labels: Signing, Private key; Signature validation (x3), Public key (x3)]

Private and public key

[Diagram labels: Decryption, Private key; Signature validation (x2), Encryption, Public key (x3)]

Performance considerations

- Asymmetric algorithms use large keys
  - EC is about 10 times smaller
- Encryption/decryption time about 100x longer
  - symmetric is faster

Digital Signature (incorrect)

[Diagram labels: Document, Private key]

Digital Signature

[Diagram labels: Document, Hash, Private key]

Storage Encryption (slow)

[Diagram labels: Document, Public key]

Storage Encryption

[Diagram labels: Document, Symmetric encryption key (random), Symmetric key (x2), Public key (User A), Public key (User B)]

Transport encryption

[Diagram labels: Client, Server, Public key (x2), Symmetric Key (x2), Data]

Diffie-Hellman Key Exchange

- Asymmetric algorithm for key exchange
  - most commonly used for key exchange
- Automatically generates the same encryption key for symmetric encryption on both sides

Digital Signature and time stamping (incorrect)

[Diagram labels: Document, Hash, Timestamp, Private key]

Time authority (incorrect)

[Diagram labels: Document, Hash, Timestamp, Private key, TA private key]

Time authority (correct)

[Diagram labels: Document, Hash, Timestamp, Hash, Private key, TA private key]

Time authority (correct)

[Diagram labels: Document, Hash, Timestamp, Hash, Public key, Private key, TA private key]

Random Number Generators

- Deterministic RNG
  - use cryptographic algorithms and keys to generate random bits
  - attack on randomly generated symmetric keys
  - DNS cache poisoning
- Nondeterministic RNG (true RNG)
  - use physical source that is outside human control
  - smart cards, tokens
  - HSM – hardware security modules

Random Number Generators

- CryptGenRandom()
  - hashed
  - Vista+ AES (NIST 800-900)
  - 2003- DSS (FIPS 186-2)
- Entropy from
  - system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …

Random Number Generators

- new Random()
  - just a time seed
  - several instances created simultaneously may have the same seed
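
The effect of a time-only seed on key material can be measured directly. This is an added example, not code from the original presentation: it models the time-seeded generator with Python's random.Random, and the millisecond tick value and all function names are assumptions made for illustration.

```python
import math
import random
import secrets

def key_from_tick(tick_ms: int, nbytes: int = 16) -> bytes:
    """Build a 'key' from a PRNG whose only seed is a millisecond tick counter."""
    rng = random.Random(tick_ms)  # stand-in for a generator seeded only by time
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def distinct_keys_in_window(start_tick: int, window_ms: int) -> int:
    """How many different keys exist if creation time is known to within window_ms."""
    return len({key_from_tick(start_tick + i) for i in range(window_ms)})

def effective_bits(window_ms: int) -> float:
    """Upper bound on key entropy when the seed is the only unknown."""
    return math.log2(window_ms)

def keys_from_csprng(count: int, nbytes: int = 16) -> list:
    """Same-sized keys from the operating system's cryptographic RNG."""
    return [secrets.token_bytes(nbytes) for _ in range(count)]

# Constructed tick value (not from the slides).
SAMPLE_TICK = 123_456_789

if __name__ == "__main__":
    # Two instances created within the same tick produce the same 128-bit key.
    a, b = key_from_tick(SAMPLE_TICK), key_from_tick(SAMPLE_TICK)
    print(a.hex(), a == b)
    # A 128-bit key created "some time within this second" has about 10 bits of entropy.
    print(distinct_keys_in_window(SAMPLE_TICK, 1000), round(effective_bits(1000), 1))
    # Keys from the OS generator do not repeat and do not depend on the clock.
    print(len(set(keys_from_csprng(8))))
```

Keys, nonces and session identifiers should therefore come from the operating system generator (CryptGenRandom() on the slide above), never from a general-purpose seeded generator.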

CURRENT ALGORITHMS

Cryptography

Symmetric algorithm history

- DES (1976, 56 bit)
- 3DES, TDEA (1998, 168/112 bit)
- RC4 (1987, 128 bit)
- AES-128, AES-192, AES-256 (2001)

Hash algorithm history

- MD4 (1990, 128 bit)
- MD5 (1991, 128 bit)
- SHA-1 (1995, 160 bit)
- SHA-224, SHA-256, SHA-384, SHA-512 (2001)

Asymmetric algorithm history

- RSA (1973)
- DSA (1991)
- ECDSA (2000)
- ECDH (2000)

CRYPTOGRAPHIC STANDARDS

Cryptography

US standards

- FIPS – Federal Information Processing Standards
  - provides standard algorithms
- NIST – National Institute for Standards and Technology
  - approves the algorithms for US government non-classified but sensitive use
  - latest NIST SP800-57, March 2007
- NSA – National Security Agency
  - Suite-B for Secure and Top Secure (2005)

Hash functions (SP800-57)

- SHA-1
  - hash size output is 160
- SHA-2
  - SHA-224, SHA-256, SHA-384, SHA-512
  - hash size output is 224, 256, 384, 512

Symmetric key (SP800-57)

- AES-128, AES-192, AES-256
  - encrypts data in 128-bit blocks
  - uses 128, 192, 256-bit keys
- Triple DEA (TDEA)
  - encrypts data in 64-bit blocks
  - uses three 56-bit keys

Digital Signatures (SP800-57)

- DSA (Digital Signature Algorithm)
  - key sizes of 1024, 2048 and 3072-bit
  - produces 320, 448, 512-bit signatures
- RSA (Rivest – Shamir – Adleman)
  - key sizes according to FIPS186-3
- ECDSA (Elliptic Curve DSA)
  - key sizes of at least 160-bit
  - produces 2x key length signatures
  - types of curves specified in FIPS186-3

Cryptoperiods (SP800-57)

| Key | Cryptoperiod |
|---|---|
| Private signature | 1 – 3 years |
| Symmetric authentication | <= 5 years |
| Private authentication | 1-2 years |
| Symmetric data encryption | <= 5 years |
| Public key transport key | 1-2 years |

Comparable Algorithm Strengths (SP800-57)

| Strength | Symmetric | RSA | ECDSA | SHA |
|---|---|---|---|---|
| 80 bit | 2TDEA | RSA 1024 | ECDSA 160 | SHA-1 |
| 112 bit | 3TDEA | RSA 2048 | ECDSA 224 | SHA-224 |
| 128 bit | AES-128 | RSA 3072 | ECDSA 256 | SHA-256 |
| 192 bit | AES-192 | RSA 7680 | ECDSA 384 | SHA-384 |
| 256 bit | AES-256 | RSA 15360 | ECDSA 512 | SHA-512 |

Security lifetimes (SP800-57 and Suite-B)

| Lifetime | Strength | Level |
|---|---|---|
| 2010 | 80 bit | US Confidential |
| 2030 | 112 bit | US Confidential |
| 2030 | 128 bit | US Secure |
| 2030 | 192 bit | US Top-Secure |
| Beyond 2030 | 128 bit | US Confidential |

OPERATING SYSTEM SUPPORT

Cryptography

FIPS Compliant Algorithms

Cryptographic Providers

- Cryptographic Service Provider – CSP
  - Windows 2000+
  - DLL loaded into client processes
  - can use only V1 and V2 templates
- Cryptography Next Generation – CNG
  - Windows Vista+
  - different API functions, isolated private keys
  - use only V3 templates
  - enables use of ECC
- CERTUTIL -CSPLIST

Cryptography support

| System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH |
|---|---|---|---|---|---|---|
| Windows 2000 | yes | no | yes | yes | no | no |
| Windows XP | yes | yes | yes | yes | yes | no |
| Windows 2003 | yes | yes | yes | yes | yes (non-public update) | no |
| Windows Vista/2008 | yes | yes | yes | yes | yes | yes |
| Windows 7/2008 R2 | yes | yes | yes | yes | yes | yes |

Cryptography support

| System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH |
|---|---|---|---|---|---|---|
| Windows Mobile 6.5 | yes | yes | yes | yes | no | no |
| Windows Mobile 7 | yes | yes | yes | yes | yes | yes |

TMG 2010 yes yes no

SCCM 2007 yes no no

SCOM 2007 yes yes no

Encryption

EFS BitLocker IPSec Kerberos NTLM RDP

DES 2000 + 2000 + 2000 +

LM password hash, NTLM

3DES 2000 + 2000 + 2000 +

RC4 2000 + 2000 +

AES 2003 + Vista + Vista + Vista +

DH 2000 + 2000 +

RSA 2000 + Seven + 2000 + 2000 + 2003 +

ECC Seven + Vista + Seven +

Hashing

MD4 MD5 SHA-1 SHA-2

NT password hash NT4 +

Digest password hash 2003 +

IPSec 2000 + 2000 + Seven +

NTLM NTLMv2

MS-CHAP MS-CHAPv2

SHA-2 Support

- CSPs can store and validate the SHA-2 certificates
  - Windows XP SP3
  - Windows Server 2003 – KB 938397
  - Windows Mobile 7
- New SHA-2 certificates can be issued only by Windows 2008+ CA
- Autoenrollment client can enroll for SHA-2 certificates only on Windows 2008/Vista+

CNG Not Supported

EFS Windows 2008/Vista- user encryption certificates

VPN/WiFi Client (EAPTLS, PEAP Client) Windows 2008/7- user or computer certificate authentication

TMG 2010 server certificates on web listeners

Outlook 2003 user email certificates for signatures or encryption

Kerberos Windows 2008/Vista- DC certificates

System Center Operations Manager 2007 R2

System Center Configuration Manager 2007 R2

SAN and wildcards *

| Application | Supports * | Supports SAN |
|---|---|---|
| Internet Explorer 4.0 and older | no | no |
| Internet Explorer 5.0 and newer | yes | yes |
| Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored |
| Windows Pocket PC 3.0 and 4.0 | no | no |
| Windows Mobile 5.0 | no | yes |
| Windows Mobile 6.0 and newer | yes | yes |
| Outlook 2003 and newer | yes | yes |
| RDP/TS proxy | yes | yes, if SAN present Subject is ignored |
| ISA Server firewall certificate | yes | yes |
| ISA Server 2000 and 2004 published server certificate | no | no |
| ISA Server 2006 published server certificate | yes | yes, only the first SAN name |

OCSP and Delta CRL

| System | Checks OCSP | Delta CRL |
|---|---|---|
| Windows 2000 and older | no | no |
| Windows XP and older | no | yes |
| Windows Vista and newer | yes, preferred | yes |
| Windows Pocket PC 4.0 and older | no | no |
| Windows Mobile 5.0 | no | yes |
| Windows Mobile 6.0 | no | yes |
| Windows Mobile 6.1 and newer | yes, preferred | yes |
| ISA Server 2006 and older | no | yes |
| TMG 2010 and newer | yes, preferred | yes |

CRL checks in Internet Explorer

| Version | CRL and OCSP checking |
|---|---|
| 4.0 and older | no checks |
| 5.0 and newer | can check CRL, disabled by default |
| 7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default |

Automatic Root Certificate Update

- Windows XP/2003
  - whole list periodically updated from Windows Update
- Windows Vista/2008+
  - individual CAs updated on demand from Windows Update
- Windows Mobile 6.5+
  - individual CAs updated on demand from Windows Update

Windows Mobile 2003/5.0 CAs

| Company | Certificate Name | Windows Mobile |
|---|---|---|
| Cybertrust | GlobalSign Root CA | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Root | 2003 and 5.0 |
| Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0 |
| Verisign | Thawte Premium Server CA | 2003 and 5.0 |
| Verisign | Thawte Server CA | 2003 and 5.0 |
| Verisign | Secure Server Certification Authority | 2003 and 5.0 |
| Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0 |
| Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0 |
| Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0 |
| Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0 |
| Godaddy | http://www.valicert.com/ | 5.0 |

Windows Mobile 6.0 CAs

| Company | Certificate Name |
|---|---|
| Comodo | AAA Certificate Services |
| Comodo | AddTrust External CA Root |
| Cybertrust | Baltimore CyberTrust Root |
| Cybertrust | GlobalSign Root CA |
| Cybertrust | GTE CyberTrust Global Root |
| Verisign | Class 2 Public Primary Certification Authority |
| Verisign | Thawte Premium Server CA |
| Verisign | Thawte Server CA |
| Verisign | Secure Server Certification Authority |
| Verisign | Class 3 Public Primary Certification Authority |
| Entrust | Entrust.net Certification Authority (2048) |
| Entrust | Entrust.net Secure Server Certification Authority |
| Geotrust | Equifax Secure Certificate Authority |
| Geotrust | GeoTrust Global CA |
| Godaddy | Go Daddy Class 2 Certification Authority |
| Godaddy | http://www.valicert.com/ |
| Godaddy | Starfield Class 2 Certification Authority |

RSA 2048 browser support

Browser, First Version

- Internet Explorer 5.01
- Mozilla Firefox 1.0
- Opera 6.1
- Apple Safari 1.0
- Google Chrome
- AOL 5
- Netscape Communicator 4.51
- Red Hat Linux Konqueror
- Apple iPhone
- Windows Mobile 2003
- Windows CE 4.0
- RIM Blackberry 4.3.0
- PalmOS 5
- Sony Playstation Portable
- Sony Playstation 3
- Nintendo Wii

Extended Validation browsers

Browser, First Version

- Internet Explorer 7.0
- Opera 9.5
- Firefox 3
- Google Chrome -
- Apple Safari 3.2
- Apple iPhone 3.0

S/MIME RSA 2048 client support

Browser, First Version

- Microsoft Outlook 99
- Mozilla Thunderbird 1.0
- Qualcomm Eudora 6.2
- Lotus Notes 6
- Netscape Communicator 4.51
- Mulberry Mail
- Apple Mail
- Windows Mail
- The Bat

CA Hierarchy

[Diagram labels: IDTT Root CA; IDTT London CA, IDTT Paris CA, IDTT Roma CA; Leaf certificate (x10)]

THANK YOU!