Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law...
Transcript of Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law...
![Page 1: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/1.jpg)
ClientCer)ficates
SecurityProfessionals2012PreconferenceSeminar
8:30‐Noon,Tuesday,May15th,2012WhiteRiverBallroomB,JWMarrioE,IndianapolisIN
JoeStSauver,Ph.D.(joe@[email protected])InCommonCerPficateProgramManagerand
Internet2NaPonwideSecurityProgramsManager
hEp://pages.uoregon.edu/joe/secprof2012/
Disclaimer:Theopinionsexpressedinthistalkrepresentthoseofitsauthor,anddonotnecessarilyrepresenttheopinionofanyotheren9ty.
![Page 2: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/2.jpg)
Preface
2
![Page 3: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/3.jpg)
OurTimeTogetherToday
• SincethreehoursisarelaPvelylongPmeforasinglesession,we'regoingtogothroughmaterialforaboutanhourandahalf(unPlabout10:00),andthenwe'lltakeacoffeebreakoutsideofroom103forahalfhourorso.Around10:30,we'llcrankbackupandfinishtherestofthematerialwewanttogoover.
• IfyouhaveanyquesPonsatanyPme,feelfreetospeakup.WhileI'vepreparedafairlystructuredsessiongiventhenumberofaEendeesthatareexpected,I'vesPlltriedtobuildinPmefordiscussion,andIknowthatsomeofyoumayalreadybeexperiencedwihclientcertsandhavemuchtoshareyourselves.
• Finally,Ialsowanttomakesurewe'vegotPmetohelpyouactuallygetaclientcertinstalledandupandrunningonyoursystem,ifyou'dliketotrydoingthis.
• ArethereanyquesPonsatthispoint?3
![Page 4: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/4.jpg)
Introduc)ons
• Let'stakeaminuteortwotogoaroundtheroomandintroduceourselves.
• Pleasesay:
‐‐whoyouare‐‐whatschoolyou'rewith‐‐anythingyoursitemaycurrentlybedoingwithclientcerts‐‐whyyou'reinterestedinclientcerts/anythingyouparPcularlyhopewecovertoday
4
![Page 5: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/5.jpg)
StrongCryptographyandFederal/Interna)onalLaw
• Strongcryptographyiscri)caltocomputerandnetworksecurity,includingenablingsecureauthenPcaPonandonlinecommerce,protecPngpersonallyidenPfiableinformaPon(PII)storedonline,andlegiPmatelyensuringpersonalprivacyforlaw‐abidingciPzens.
• AtthesamePme,strongcryptographyissubjecttocomplexregula)oninmanycountries,includingtheUnitedStates.Why?UseofencrypPonmakesitharderfornaPonalsecurityagenciesandlawenforcementorganizaPonstolawfullyinterceptcriminalcommunicaPonsandnaPonal‐security‐relatedcommunicaPons.
• Therefore,ourgoalwhentalkingaboutstrongcryptographyistoalwaysabidebyfederallawsandinterna)onaltrea)esrela)ngtocontrolsoverstrongcryptography,andtodowhatwhatwecantoensurethatstrongcryptographydoesn'tgetmisusedinwaysthatmighteitherharmournaPonalsecurityorinterferewiththelawfulinvesPgaPonandprosecuPonofcriminals.
5
![Page 6: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/6.jpg)
SinceWe’llBeGivingYouStrongHardwareCryptoProducts
• Youwarrantthatyouaren’tbarredfromobtainingandusingstrongcryptoproductsorsoKware,NORareyoubarredfromreceivingtrainingonit.
• Specifically,thismeansthatyouassertthatyouareNOTaciPzen,naPonal,orresidentofBurma,Cuba,Iran,Iraq,NorthKorea,Sudan,Syria,oranyothercountryblockedfromobtainingstrongcryptographyproducts.
• YouareNOTa"deniedperson,"a"speciallydesignatednaPonal,"oranysimilarindividualforbiddentoaccessstrongcryptographybytheUSgovernment(www.bis.doc.gov/complianceandenforcement/liststocheck.htm)
• Youareneitheraterroristnoratrafficker/userofillegalcontrolledsubstances,NORareyoudirectlyorindirectlyinvolvedinthedesign,development,fabricaPonoruseofweaponsofmassdestrucPon(includingimprovisedexplosivedevices,nuclear,chemical,biological,orradiologicalweapons,normissiletechnology,see18USCChapter113B)
• YouagreeNOTtoredistributeorretransfercryptographicproductsorsofwaretoanyonewhoisinoneofthepreviouslymenPonedprohibitedcategories.
• YouunderstandandagreethattheforgoingisbywayofexampleandisnotanexhausPvedescripPonofallprohibitedenPPes,andthatthisisnotlegaladvice.ForlegaladvicerelaPngtostrongcrypto,pleaseconsultyourownaEorney. 6
![Page 7: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/7.jpg)
"First,DoNoHarm"
• Someofyoumaywantto“followalong”aswegothroughtoday’strainingmaterials.Ifso,that’sterrific.HoweverpleaseONLYdosoifyou’vegotarecentbackupofyoursystem,andyoursystem(ifsuppliedbyyouruniversity)isNOT"lockeddown"byyouruniversityITdepartment.
• IfyouhaveNOTbackedupyoursystemrecently,oryouruniversityITdepartmentdoesNOTwantyoutoPnkerwithyourlaptop,pleasefeelfreetowatchwewegoovertodaybutpleasedonottrytoinstallanynewsofwareorotherwisemodifyyoursystem.
• Also,ifyoualreadyhaveaclientcerPficateinstalledonyoursystem,youmaywanttorefrainfrominstallinganotherone,andinparPcularPLEASEdoNOTinten)onallydeleteanyclientcer)ficatesyoumayalreadyhaveinstalledonyoursystem!
7
![Page 8: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/8.jpg)
Oh,AndForThoseofYouWhoMayHaveBeenWorried,No,We'reNotGoingtoDiveIntoAnyAdvanced
Crypto‐RelatedMathema)csToday
• OurfocustodayisonhelpingyougettothepointwhereyoucanactuallyuseclientcerPficates,parPcularlyforsecureemail,andgemngyoutothepointwhereyouunderstandthepracPcallimitaPonsassociatedwiththosetechnologies.Youdon'tneedadvancedmathemaPcstodothat.
• SoifyouhatedmathemaPcswhilegoingthroughschool,relax.:‐)Virtuallyeverythingwe’regoingtotalkabouttodayshouldbenon‐mathemaPcal.
• Let’sdiverightin.We'llbeginbytalkingaboutwhyyoumightwanttouseclientcerPficates,parPcularlyforsigningandencrypPngemail.
8
![Page 9: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/9.jpg)
I.Mo)va)ngAnInterestinClientCer)ficates("PKI"):
SecuringEmail
9
![Page 10: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/10.jpg)
WhyMightWeNeedToSignand/orEncryptEmail?
• Putsimply,regularemailishorriblyinsecure.
• Emailistrivialtospoof:eventechnicallyunskilleduserscansimplyputbogusidenPtyinformaPonintothepreferencespaneloftheiremailclientandvoila,they're"Santa"(orpreEymuchanyoneelsetheywanttobe).Youjustcan'ttrustthenon‐cryptographically‐signedcontentsofemailthatyoumayreceive–itmayallbecompleterubbish.
• Mostemailisalsotrivialtosniffonthewire(orreadinthemailspool):messagesnormallyaren'tencryptedwhentransmiEedorstored,sounauthorizedparPescanreadyourcommunicaPons."Trustedinsiders"mayalsoaccessconfidenPalcommunicaPons.
• Let'stakealookatacoupleofpracPcalexamplesofthesesortofexposures.
10
![Page 11: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/11.jpg)
TheSimpleRoadtoSpoofingEmail:JustChangeYourPreferencesinMozillaThunderbird
11[Yes,thiswillwork.Butno,pleasedon'tactuallydothis.]
![Page 12: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/12.jpg)
"ButWon'tSPFand/orDKIMEliminatetheSpoofingProblem?"
• SPF(www.openspf.org)andDKIM(www.dkim.org)weremeanttohelpfixspoofing,andtheydo,butthey'renotatotalsoluPon.
• Forinstance,SPF/DKIMcannotprotectyouagainstspoofedemailthatisinjectedfromanauthorizedsource.Classicexample:‐‐Collegefacultymemberandherstudentsallhaveaccountsinthesameexample.edudomain,andallsendfrom"oncampus"‐‐Amaliciousclassmemberforgesmessagefromacampuscomputerlab,pretendingtobethefacultymember,"cancellingclass"or"assigningextrahomework"(orwhatever).SPFandDKIMaren'tdesignedtodefendagainstthissortofaEack.
• Securityfolkstendtolikebelt‐and‐suspender("defenseindepth")soluPonsanyhow,andjustbecauseyou’redoingSPForDKIM,thatdoesn'tprecludealsodoingmessagelevelcrypto,right?
12
![Page 13: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/13.jpg)
ASimpleExampleofHowEasyItIsToSniffTypicalPlainTextEmailUsingWireshark
• Sendasimplemailmessage...
% mailx -s "testing 123" [email protected] Joe!
I don't think this is very secure, do you?
Joe .
• IfsomeoneisusingWiresharktowatchyourtraffic,they'dsee:
13
![Page 14: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/14.jpg)
"ButJoe!AllOurNetworksAreSwitchedEthernet!There'dBeNoTraffictoSniff!"
• SitessomePmeshaveafalsesenseofsecuritywhenitcomestotheirvulnerabilitytosniffing.Specifically,somemaybelievethatbecausetheyuseswitchedethernet,trafficintendedforagivensystemwillONLYflowtotheappropriatesystem'sswitchport.
• Youmayalreadybeawarethatmanyswitchescanbeforcedtoactlikehubsthroughavarietyofwellknowntechniques(seeforexamplehEp://eEercap.sourceforge.net/).Thus,evenifyourinfrastructureisintendedtoisolatetrafficonaper‐portbasis,inpracPce,thatprocessmayfailtomaintaintrafficseparaPon.
• Youalsocan'tensurethattrafficwon'tbesniffedonceitleavesyourlocalnetwork.
• Therefore,youshouldassumethatanyunencryptednetworktraffic,includingmostemail,canbesniffedandread.
14
![Page 15: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/15.jpg)
OfCourse,IfSomeone'sGotRoot,TheyCanLookAtAnythingOnTheSystem,IncludingEmailMessages...
% suPassword: # cat /var/mail/joe From [email protected] Sun Feb 12 14:30:54 2012Return-Path: <[email protected]>Received: by canard.uoregon.edu (Postfix, from userid 501) id 5C221D537D4; Sun, 12 Feb 2012 14:30:54 -0800 (PST)To: [email protected]: Some thoughts on the insider threatMessage-Id: <[email protected]>Date: Sun, 12 Feb 2012 14:30:54 -0800 (PST)From: [email protected] (Joe St Sauver)Status: O
Hi Joe,
I wonder if a system admin with root priv could read the mail that's sitting in my mail spool? You know, I bet s/he could...
Joe 15
![Page 16: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/16.jpg)
BUTIfYourEmailIsEncrypted,ItMayNotMaberIfSomeoneDoesALible"Browsing:"TheFollowingIsn'tVeryInforma)ve,IsIt?
MIAGCSqGSIb3DQEHA6CAMIACAQAxggNbMIIBkQIBADB5MGQxCzAJBgNVBAYTAlVTMRIwEAYD VQQKEwlJbnRlcm5ldDIxETAPBgNVBAsTCEluQ29tbW9uMS4wLAYDVQQDEyVJbkNvbW1vbiBT dGFuZGFyZCBBc3N1cmFuY2UgQ2xpZW50IENBAhEAowXASR0JSE0KE5HSe8RXCTANBgkqhkiG 9w0BAQEFAASCAQAphc3r5MLFw43hOcMzlb/UG9DEaFPyFtcaiN8koelnok2DVdcAtSb9wulU iKjw4jps8GwqPeonzC8o+RMyktiFwMvM/QfN4zMUbfxsJr0i7FpnveROp+V8Cyo2hDuJpa/d GjRI560cDnH2z4tnYOO9/SJBCvLIIRjfnnnuJlS12VF00kcA9sfJI23QWhauisoef0ZhvAOw
11wHi8o+4icSe6iT18rR+Sr9MDhulDdfVCfmYwDfBi4SAqzbLK1FZfSj7aIjphlcFV4JKXr3 HyEz2afYRCGYUUaGk1zjcfhh4Eqkah6TwZ8QCtWUTsYdhuZdHGHw6zbBuSUYxzRG2NiRMIIB wgIBADCBqTCBkzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQ MA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxOTA3BgNVBAMT MENPTU9ETyBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAKgC OyLlmfFLiBBlWracUfMwDQYJKoZIhvcNAQEBBQAEggEAOc1JpNLx+62m1To69oxFd3/fMEvo
UDkL1nSQe5LDhKnH3DXmH2vvTN0Q0h8vjGbkcGklCD11164VRi380QrtVYTsYCl9tB1kuHam SH+xJIIsLkNasYWnCXwzji+Uw80GiAP9/CgB/aYJhhYJt1HRQ+43S9m3xgpdK//aCOIjmKLl prFiQ1Jk5Wx3Sqm/Kkg89m9ulln1ckpIBrvTxNsikZmFwh4QGcCtz42+mTGZXcbrrn9yfT0F 4ds9xDbBm5e/Se/aq4vpfX0yi0/UP8/ywJ5+zG2ufyJw4i2h2O3vyD6WzX7PiYuzsn232RkR
[This base64 encoded file is actually a base64 encoded encrypted file] 16
![Page 17: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/17.jpg)
EmailIsAlsoPoten)allySubjecttoLawfulInterceptand/orCompulsory(orEvenVoluntary)Disclosure
17hEp://www.cybercrime.gov/ssmanual/ssmanual2009.pdfatpage138
![Page 18: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/18.jpg)
ReducingTheTransportEmailSniffingVulnerability:Opportunis)cSSL/TLSEncryp)on
• YoucanreducetheextenttowhichemailtrafficissubjecttosniffingonthewirebyenablingopportunisPcSSL/TLSencrypPon.ThismeansthatiftheMTAsonbothsidesoftheconversaPonarereadyandwillingtodoSSL/TLSencrypPon,itwillbenegoPatedandusedwheneveritcanbe.Seeforexample:
hEp://www.exim.org/exim‐html‐3.20/doc/html/spec_38.htmlhEp://www.posdix.org/TLS_README.htmlhEp://www.sendmail.org/~ca/email/starEls.html
• However,SSL/TLSwillnotprotectemailoverlinksthatdon'thaveTLS/SSLenabled,nordoesitprotectstoredmailonceithasbeenreceivedandsavedtodiskatitsdesPnaPon.Thatis,itisnot"end‐to‐end."
18
![Page 19: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/19.jpg)
Obtaining*End‐to‐End*Protec)onRequiresMessage‐LevelSigningandEncryp)onE.G.,UseofPGP/GPG,orUseofS/MIME
• Therearetwobasicapproachestogemngend‐to‐endprotecPonforemailmessages:
• PreEyGoodPrivacy(PGP)(orGNUPrivacyGuard(GPG)),seeRFC4880,*OR*
• S/MIME(RFC5751)withpersonalcerPficates.
• PGP/GPGisprobablythemorecommonofthosetwoopPons,andonethatmanyofyoumayalreadyuse,buttodaywe'regoingtotalkaboutusingS/MIMEwithclientcerPficates,instead.
• Beforewecandigin,however,weneedaliEle"cryptobackfill"19
![Page 20: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/20.jpg)
II.AMinisculeLibleBitofCryptographicBackfill
20
![Page 21: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/21.jpg)
PublicKeyCryptography
• Therearebasicallytwotypesofcryptography:symmetrickeycrypto,andpublickey(asymmetric)crypto.
• Insymmetrickeycryptography,amessagegetsencryptedANDdecryptedusingthesamesecretkey.Thatmeansthatbeforeyoucanshareasecretmessagewithsomeone,youneedasecretkeyyou'vebothpreviouslyagreedupon(chicken,meetegg).
• BothPGP/GPGandS/MIMEwithpersonalcerPficates,ontheotherhand,relyonpublickeycryptographytosignorencryptmessages.Inpublickeycryptography,theusercreatesapairofmathemaPcally‐relatedcryptographickeys:oneprivatekeythatonlytheuserknows,plusarelatedpublickeythatcanbefreelysharedwithanyonewho'sinterested.Havingauser'spublickeydoesn'tallowyoutoderivethatuser'scorrespondingprivatekey,butitdoesallowyoutocreateanencryptedmessageforthatuserviaa"oneway"or"trapdoor"mathemaPcalprocess.
21
![Page 22: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/22.jpg)
ButWait,There'sMore!PublicKeyCryptographyCanSlice,DiceandMakeJulienneFries,Too...
• Well,thatmaybeaslightexaggeraPon.
• Butpublickeycryptographydoesallowyoutodoatleastonemorecooltrick:theholderoftheprivatekeycanalsodigitallysignafilewiththeirprivatekey.Oncethatfileisdigitallysigned:
‐‐itcan'tbechangedwithoutinvalidaPngthemessagesignature(e.g.,itactsasananP‐tamperingchecksumvalue)
‐‐anyonewhohasacopyofthecorrespondingpublickeycanverifythatitwassignedbysomeonewhohadaccesstothecorrespondingprivatekey
22
![Page 23: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/23.jpg)
HowDoCer)ficatesFitIntoAllThis?
• Sofarwe'veonlybeentalkingaboutpublickeysandprivatekeys.YoumaywonderhowcerPficatesfitintoallthis.
• TheansweristhatcerPficatesaEachanidenPtytoacryptographickeypair.
• Ifyou'relikemostfolks,whenyouhear"cerPficates"inanonlinecontext,youthinkofSSLwebservercerPficates.That'snotwhatwe'regoingtobetalkingabouttoday.ThosecerPficatesareissuedtoservers.Thecertswe'regoingtotalkabouttodaygetissuedto*people*,instead.
• Butfirst,let'sbeginwithsomethingwe'reallfamiliarwith:meePnganewpersoninreallife.
23
![Page 24: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/24.jpg)
MappingUserstoIden))esIn"RealLife"
• IfImeetyouface‐to‐face,perhapsatthehotelbar,youmighttellme,"Hi,I'mRobertJones.Nicetomeetyou!"Inacasualcontextatasocialeventofthatsort,wemightsmile,shakehands,exchangecards,engageinsomechitchat,andleaveitatthat–itdoesn'treallymaEerifyouare(oraren't)whoyouclaimtobe.I'lljusttemporarilyaccept(andthenunfortunatelyprobablyquicklyforget)your"self‐assertedidenPty."That'sOK.
• IfitturnsoutthatIeventuallyneedconfirmaPonofwhoyouare,Imightasktrustedcolleagues,"Hey,seethatguyoverthere?Whoishe?"Iftheyallsay,"Oh,that'sRobertJones.I'veknownhimforyears,"thatmightgivemeconfidencethatyoureallyarehim.
• OtherPmes,forexampleifyou'reinastrangecity,orsomeone'strusPngyouwithavaluableasset(suchasarentalcar),youmightneedtoshowadriverslicenseorothergovernmentissuedIDsincenoone"knowsyourname."(ObCheers:"Norm!")
24
![Page 25: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/25.jpg)
MappingUsersToIden))esOnline:PGP/GPG
• Asimilarproblemexistsonline.HowdoyouknowwhichpubliclyofferedPGP/GPGkeysistherealonethataperson'sactuallyusing,andnotapretender'scredenPals?InPGP/GPG,thisisdoneviaa"weboftrust."
• InPGP/GPG,aPGP/GPGpublickeygetsdigitallysignedbyotherPGP/GPGuserswhohavepersonallyconfirmedthatperson’sID.(ThisofengetsdoneatPGP/GPG"keysigningparPes,"liketheonethatwillhappenat6:30PMonWednesdaynight).NormallyakeyholderwillgetsignaturesfrommulPplefriendsorcolleagues.
• Recursively,howdoyouknowthatyoushouldtrustthosesignatures?Well,thosesignaturesweremadewithkeysthathaveALSObeensignedbyothercolleagues,andsoonandsoforth.
• Whilethissoundsincrediblyadhocandkludgy,inpracPce,itactuallyworkspreEywell(atleastfortechnicalusers)–itreallyisasmallworldoutthere,"sixdegreesofKevinBacon"‐wise.
25
![Page 26: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/26.jpg)
TheWebofTrustIsForKeys(NotNecessarilyTheirOwners)
• Animportantnoteaboutthecryptographic"weboftrust:"
SomeonesigningaPGP/GPGkeyisnotsayingthatthat personwho'skeythey'vesignedisa"trustworthy"person.
Completelyevilpeoplemayhavewell‐signedPGP/GPGkeys!
• Whensomesignsanotherperson'sPGP/PGPkey,they'reonlysayingthat:
‐‐they'velookedatthatperson'sgovernmentissuedID,‐‐thatpersonindicatedthatthatthatpublickeyistheirs.
Thatis,they'rebindinganiden9tytoacryptographiccreden9al.26
![Page 27: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/27.jpg)
PersonalCer)ficates
• InthecaseofS/MIMEwithpersonalcerPficates,aweboftrustisn'tused.IntheS/MIMEcase,trustgetsestablishedhierarchically("topdown").
• Thatis,apersonalcerPficateistrustedbecauseithasbeenissuedbyabroadlyacceptedcerPficateauthority("CA"),anenPtythatyou(andmostotherInternetusers)acceptasreliableforthepurposeofbindingidenPPestocredenPals.
• CAstendtobeverycarefulwhenitcomestodoingwhattheysaythey'regoingtodo(specifically,verycarefultodowhattheysaythey'regoingtodointheir"CerPficatePracPcesStatement"),becauseiftheydon't,people(includingbrowservendorsandtheCABForum)willstoptrusPngthemandthenthey'llquicklybetotallyoutofbusiness(literally).
27
![Page 28: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/28.jpg)
'SoWhat'sthis"CABForum?"'
• No,it'snotataxicabassociaPon.• TheCerPficateandBrowserForumisaninfluenPalbodymadeup
ofCerPficateAuthoriPes(that'sthe"CA"intheirname)andBrowserVendors(that'sthe"B"intheirname).
• TheirwebsiteishEp://www.cabforum.org
• AsapracPcalmaEer,increasinglythey'reeffecPvelyestablishingthepracPces/normsthatapplytotheenPrecerPficateindustry,andFWIW,they'remakingtheshipfarmoreshipshape.:‐)
• Previously,variousindustrygroups,suchastheMozillaFoundaPon,hadalottodowithwhatwasorwasn'tacceptable:putsimply,ifyouwantedyourcerPficatestobetrustedinFirefox,youcompliedwithwhattheMozillaFoundaPonrequired.DiEoforInternetExplorerandMicrosof,etc.
28
![Page 29: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/29.jpg)
"WhatDoesaCPSActuallyLookLike?"
• CPSdocumentsasaclassareprobablyoneofthemostwidelyignoredcategoriesofdocumentsintheworld.
• Howver,somePmesfolkswhohaveahardPmesleepingactuallywanttoreadCerPficatePracPcesStatements.Ifyou'dliketochecksomeout,youcansee,forexample,InCommon'sCerPficateServiceCPS:hEps://www.incommon.org/cert/repository/
• You'llseeseparateCPSfortheInCommonstandardSSLcerPficateoffering,theextendedvalidaPoncerPficateoffering,theclientcerPficateoffering,andthecodesigningcerPficateoffering.Thevarious"profile"documentsarealsopotenPallyquiteinformaPve.
• SimilardocumentsshouldbeavailableforanypubliccerPficateissuer.
• OneofthethingstheycoverishowidenPtygetsvalidated,andwhatexpectaPonsshouldbeforaparPculartypeofcert.
29
![Page 30: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/30.jpg)
III.Iden))esandLevelsofAssurance
30
![Page 31: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/31.jpg)
ARealName,orJustAnEmailAddress?
• Theremaybesomeconfusionwhenitcomestothe"idenPty"thatacryptographiccredenPalasserts–isitaperson's“realname”(e.g.,asshownontheirdriver'slicenseortheirpassport),orisitsomethingmoreephemeral,suchasjusttheiremailaddress?
• Theansweris,“itmaydepend.”SomestandardassurancepersonalcerPficatesonlyvalidateauser'scontroloveranemailaddress,typicallybysendingacryptographicchallengetothataddress.That'sthesortofclientcertswe'llbeworkingwithtoday.
• OtherclientcerPficatesmayrequiremuchmorerigorous"idenPtyproofing,"perhapsrequiringtheusertosupplygovernmentissuedidenPficaPon(oreventoundergoacompletebackgroundcheck)beforetheygetissuedahigherassuranceclientcert.
31
![Page 32: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/32.jpg)
HSPD‐12andFederalCAC/PIV‐ICards
• OnAugust27th,2004,then‐PresidentGeorgeW.Bushissued"HomelandSecurityPresidenPalDirecPve12,"(seehEp://www.idmanagement.gov/documents/HSPD‐12.htm)mandaPngtheestablishmentofacommonidenPtystandardforfederalemployeesandcontractors.
• Asaresult,thefederalgovernment(andapprovedcommercialcontractorsacPngonthegovernment'sbehalf)havealreadycollecPvelyissuedmillionsof"CommonAccessCards"("CACs")and"PersonalIdenPtyVerificaPon‐Interoperable"("PIV‐I")smartcards.
• "Firstresponders"alone(asdefinedinHSPD‐8)mayulPmatelyrequireissuanceofover25.3millionsuchcards.(seehEp://www.dhs.gov/xlibrary/assets/Partnership_Program_Benefits_Tax_Payers_Public_and_Private_Sector.pdf)
• PartofthatprocessisidenPtyproofingthoseusers–including,inthscase,evendoingbackgroundinvesPgaPons.
32
![Page 33: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/33.jpg)
33Source:hEp://www.idmanagement.gov/presentaPons/HSPD12_Current_Status.pdf
![Page 34: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/34.jpg)
AnAside:CAC/PIVIsA"ProofByExample"ThatCertsAreUsableBy"MereMortal"End‐Users
• IfitwastoohardtoissueoruseaCAC/PIVcard,millionsoffederalemployeesandcontractorswouldbehavingtroubledoingso.Butthey'renot.Forthemostpart,PKIonhardtokensorsmartcardsnow"justworks."ThisisarealtesPmonytothehardworkofthefederalemployeesandcontractorswhohavebeeninvolvedwiththatproject.
• Thisisnottosaythattherearen't*some*intricaciesthatmayneedtobeexplained.Onesitethat'sdoneaterrificjobofusereducaPonistheNavalPostgraduateSchool.Checkouttheiroutstandingtri‐foldbrochureexplaininghowtouseamilitaryCACcard:www.nps.edu/Technology/Security/CAC‐guide.pdf
Withthehelpofthatguide,IthinkmostfolkswouldbeabletofigureouthowtodobasicCAC/PIVtasks.
34
![Page 35: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/35.jpg)
WhyAreTheFedsUsingClientCerts?IfYouNeedNIST"LOA‐4",They'reBasicallyYourOnlyPrac)calOp)on
• NIST800‐63Version1.0.2(seecsrc.nist.gov/publicaPons/nistpubs/800‐63/SP800‐63V1_0_2.pdf)says:
"Level4–Level4isintendedtoprovidethehighestpracPcalremotenetworkauthenPcaPonassurance.Level4authenPcaPonisbasedonproofofpossessionofakeythroughacryptographicprotocol.Level4issimilartoLevel3exceptthatonly“hard”cryptographictokensareallowed,FIPS140‐2cryptographicmodulevalidaPonrequirementsarestrengthened,andsubsequentcriPcaldatatransfersmustbeauthenPcatedviaakeyboundtotheauthenPcaPonprocess.ThetokenshallbeahardwarecryptographicmodulevalidatedatFIPS140‐2Level2orhigheroverallwithatleastFIPS140‐2Level3physicalsecurity.Byrequiringaphysicaltoken,whichcannotreadilybecopiedandsinceFIPS140‐2requiresoperatorauthenPcaPonatLevel2andhigher,thislevelensuresgood,twofactorremoteauthenPcaPon."
35
![Page 36: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/36.jpg)
AnAside....DoesHigherEd*HAVE*AnyUseCasesThatActuallyRequireLOA‐4?
• WearingmyInCommonCerPficateProgramManagerhatforaminute,currentlyInCommonhasonlyoneclientcerPficateoffering,standardassuranceclientcerts.ShouldwealsohaveaclientcerPficateofferingsPedtotheInCommonAssuranceProgram(e.g.,Bronze,Silver,etc.)?
• DowehaveanyusagecasethatwouldrequireLOA‐4,orwouldLOA‐3be"goodenough"forallpotenPalhigheredusagescenarios?(LOA‐3requirestwofactor,butnotnecessarilyclientcerts).I'mstronglyinterestedinunderstandingwhatmightdriveLOA‐4adopPon...
• IfwedidofferanLOA‐3orLOA‐4compliantcertprofile,itwouldimplystrongeridenPtyproofing.WouldhighereducaPonusersbewillingtoputupwithrigorousidenPtyproofinghassles?(bywayofcomparison,wehaven'tseenatremendousnumberofextendedvalidaPonservercerPficatesrequested,eventhoughthey'reavailableatnoaddiPonalcostaspartoftheInCommonCerPficateProgram)
36
![Page 37: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/37.jpg)
AnAside:"Iden)tyProofing"forRegularCi)zens• Ifyoutravelextensively,you'veprobablyrunintolonglinesatcustoms,
eitherwhilecomingintotheU.S.,orperhapswhiletravellingintoCanadaorMexico.Ifso,youmayhavenoPcedthatsomefolks("TrustedTravellers")canusethe"GlobalOnlineEntrySystem"("GOES")and/orNEXUS/SENTRItoavoidthoselines.Agrowingnumberofairportsalsooffer"TSAPreCheck"linesforparPcipantsinthatprogram.(seehEp://www.globalentry.gov/)."TrustedTravellers"areissuedamachinereadablehigh‐assurancecredenPal($50for5years)forthatpurpose.
• Obviously,however,itwouldbebadtoissueacredenPalofthissorttoapersonyouhadn'tthoroughlyidenPtyproofed.Therefore,ifyouapplytobeaTrustedTraveller,youridenPtyisvalidatedinmulPplewaysincludingareviewofgovernmentrecords(youdon'twanttoissueacardtoacriminal,forexample!);reviewofexisPngdocuments(suchasyourpassport);collecPonofbiometrics,e.g.,aphotograph,fingerprints,andinsomecasesapictureofiris/rePna.Youalsoneedtophysicallyappearinpersonforaninterview.Travellerswearyofbeingstalledattheborderwillputupwiththosehassles,butwouldregularhigheredusersdoso?
37
![Page 38: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/38.jpg)
SomeFederalHighSecurityApplica)onsThatNowUseClientCertsMayBeSurprising
38
![Page 39: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/39.jpg)
ClientCertsCanEvenBeSecureEnoughforUseinConjunc)onwithNa)onalSecuritySystems
• Seethe"NaPonalPolicyforPublicKeyInfrastructureinNaPonalSecuritySystems,"March2009(hEp://www.cnss.gov/Assets/pdf/CNSSP‐25.pdf)makesitclearthatclientcertsevenformthefoundaPonforNSSuses:
"(U)NSSoperaPngattheunclassifiedlevelshallobtainPKIsupportfromtheestablishedFederalPKIArchitecture."(U)NSSoperaPngattheSecretlevelshallobtainPKIsupportfromtheNSS‐PKI."(U)TheNSS‐PKIhierarchyshallrestonaRootCerPficateAuthority(CA)operatedonbehalfofthenaPonalsecuritycommunityinaccordancewithpoliciesestablishedbytheCNSSPKIMemberGoverningBody.TheNSS‐PKIRootCAshallserveastheanchoroftrustfortheNSS‐PKI."
• TS/SCI("JWICS")counterpartoftheNSS‐PKI?IC‐PKI.39
![Page 40: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/40.jpg)
Cer)ficatesAreNowAlsoBeingUsedtoSecureNa)onalCri)calInfrastructure
• Forexample,considerthenaPonalelectricalgrid.TheNorthAmericanEnergyStandardsBoard's("NAESB")2012AnnualPlanfortheWholesaleElectricQuadrantspecificallydiscussestheirplansfordeployingPKIonpages4andfollowing.(SeehEp://www.naesb.org/pdf4/weq_2012_annual_plan.docxandhEp://www.naesb.org/weq/weq_pki.asp)
• Thisisbeginingtobedeployed/madereal,too,rightnow:
‐‐"ShifSystemsIdenPfiedastheFirstNAESBAuthorizedCerPficaPonAuthority,"Feb16,2012,hEp://www.prnewswire.com/news‐releases/shif‐systems‐idenPfied‐as‐the‐first‐naesb‐authorized‐cerPficaPon‐authority‐139493283.html
‐‐"OATIwebCARESAuthorizedbyNAESBforwebRegistry,"Apr11,2012,hEp://www.prweb.com/releases/2012/4/prweb9390545.htm
‐‐"GlobalSignAnnouncesAccreditaPnasAuthorizedCerPficateAuthorityfortheNorthAmericanEnergyStandardsBoard,"Apr23,2012,hEp://www.prweb.com/releases/2012/4/prweb9431614.htm
40
![Page 41: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/41.jpg)
And,OfCourse,SomeLargeCorpora)onsandAgenciesHaveUsedClientCer)ficatesforYears
• AniceindicaPonofinterestin/useofclientcerPficatescanbeseeninthingslikeparPcipaPoninthe"SmartCardAlliance,"see
hEp://www.smartcardalliance.org/pages/alliance‐membersincluding:AmericanExpress,BankofAmerica,BoozAllenHamilton,CapitalOne,Chase,CSC,DeloiEe&Touche,HewleE‐Packard,IngersollRand,LockheedMarPn,MasterCard,SAIC,Visa,WellsFargo,andmanyothers.
• TounderstandhowsmartcardsrelatetoclientcerPficates,notethatsmartcardsareawaytosecurelystoreclientcerPficatesonwhatlookslikeacreditcard(ifyoulookclosely,you'llseethatasmartcarddiffersfromatradiPonalcreditcardinthatithasasmallsetofflushgold‐coloredcontactsonthefront).
• ManylargecompaniesusesmartcardsasthefoundaPonfortheircorporateemployeeIDcards.
41
![Page 42: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/42.jpg)
IV."NonAdop)on"ofClientCerts
42
![Page 43: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/43.jpg)
SoWhyHaven'tClientCerts"TakenOff"MoreBroadly?
• Andwhatcanwedotofixthis,assumingwewantto?
• Itisn'tsimplythatclientcertsarenew...hEp://en.wikipedia.org/wiki/Public_key_infrastructure#HistoryPestheoriginofPKIto1969,withpublicdisclosureofsomeofthekeyalgorithmsdaPngto1976–that'sthirtyfiveyearsago.TheRSAPKCS("PublicKeyCryptographyStandards")documentsdateto1993–that'seighteenyearsago.ByInternetstandards,allofthisworkis"ancient"(or"wellestablished,"ifyouprefer).
• Soitisn'tsimplythatPKI'sthe"newkidontheblock."
• Thereare(ormaybe)manyotherpossiblereasonswhyclientcerPficateshavestruggledsofar....
43
![Page 44: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/44.jpg)
Economics?AreClientCertsTooExpensive?
• "ThereareseveralreasonsPKIhasfailed,saysPeterTippeE,headoftheindustrysoluPonsandsecuritypracPceatVerizonBusiness.
"ThemainreasonorganisaPondonotusePKI,hetold aEendeesofRSAConference2011,isthatitcoststoomuch. "SpeakingonadebateontheimportanceofidenPtyto internetsecurity,hesaidveryfeworganisaPonsareableto makeabusinesscaseforspending$200to$300peruser,per year."
"WhyPublicKeyInfrastructureHasFailed",hEp://www.computerweekly.com/blogs/read‐all‐about‐it/2011/02/why‐public‐key‐infrastructure.html[emphasisadded]
HowmuchwouldYOURschoolpayperuser,peryear? 44
![Page 45: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/45.jpg)
MyTargetCostforClientCerts:$1/user/month
• Lackingharddata,I'mgoingtosuggestanominalamountthatmightbeacceptable:$1/user/month(inclusiveofallcosts),overanormalfouryearundergraduateenrollment,or$48.00peruseroveraquadrennialperiod.
• Forcontext:(a)www.nacs.orgstatesthattheaveragepriceforanewtextbookin2009‐2010was$62.00(b)onemajoronlinevendorquotesquotes3yearRSASecurID700onePmepasswordTokens(ina5pack)@$55.60/token
• InCommonsellshardtokensfor$19.80/unittoInternet2members(seehEp://www.incommon.org/safenet/pricing.html)whichwouldleave~$6/user/yeartocoverothercosts,assumingclientcertsaregemngdeployedonUSBformathardtokens.
45
![Page 46: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/46.jpg)
InSomeCases,TheClientCertsThemselvesAre"Free"
• Ifyou'vesigneduptoparPcipateintheInCommonCerPficateprogram,yougetthebundledabilitytoissueclientcertsatnoaddiPonalcost,andevenifyourschooldoesn'tparPcipateintheInCommonCerPficateprogram,individualscansPllgetfreeclientcerPficatesforpersonal/homeuse,see:
www.comodo.com/home/email‐security/free‐email‐cerPficate.php
• Thatsaid,obviouslythecostofthecertsthemselvesarenottheonlycostsassociatedwithrollingoutclientcerts(forexample,ontheprecedingpage,wetalkedabouthardtokencosts).
• Sowhatothernon‐technicalexplanaPons,otherthancost,dopeopleofferforclientcerPficatenon‐deployment?
46
![Page 47: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/47.jpg)
IsUsabilityActuallyTheProblem?
• "Despitemanyyearsofeffort,PKItechnologyhasfailedtotakeoffexceptinafewnicheareas.Reasonsforthisabound[…]Probablytheprimaryfactorattheuserlevel[…]isthehighlevelofdifficultyinvolvedindeployingandusingaPKI.Thereisconsiderableevidencefrommailinglists,Usenetnewsgroupsandwebforums,anddirectlyfromtheusersthemselves,thatacquiringacerPficateisthesinglebiggesthurdlefacedbyusers.Forexamplevarioususercommentsindicatethatittakesaskilledtechnicaluserbetween30minutesand4hoursworktoobtainacerPficatefromapublicCAthatperformsliEletonoverificaPon[...][A]setofhighlytechnicalusers,mostwithPhDsincomputerscience,tookovertwohourstosetupacerPficatefortheirownuseandrateditasthemostdifficultcomputertaskthatthey’deverbeenaskedtoperform."
PeterGutmann,UniversityofAuckland,Usenix'03,hEp://dl.acm.org/citaPon.cfm?id=1251353.1251357
47
![Page 48: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/48.jpg)
ThingsHaveComeALongWay,Usability‐Wise
• Forexample,thesedays,theprocessforobtainingaclientcerPficatecanbeassimpleas:‐‐Completeashortonlinesecurewebform‐‐ClickonalinksenttoyoubyemailtodownloadyourclientcerPficateintoyourbrowser.Don'tbelieveit?We'llhaveeveryonetrygemngtheirownclientcertlaterinthissession.(Wemightalsotalkaboutwhetherthishasswungtoofarinthe"tooeasy"direcPon,Isuppose)
• TheremaysPllbesomeuglybitstodoafergemngyourcert(dependingonhowyouwanttouseit),butatleastsomeedusiteshavedevelopedlocalscriptsthatmaketheinstallaPonprocesspreEypainlessfortheirusers.
• Internet2/InCommonis/soonwillbeworkingonofferingagenerallyavailablecerPficateinstallaPontool,basedon/modeledaferthosesite‐specificinstallaPontools.
48
![Page 49: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/49.jpg)
OrIsTheProblemThatOtherSolu)onsHaveUsurpedPKI'sMarketNiche(s)?
• Ifyou'vegotPGP(orGNUPrivacyGuard)tosignorencryptemail,doyoualsoneedPKIclientcertsandS/MIMEforsigned/encryptedemail?
• IfyoursiteisusingonePmepassword(OTP)cryptofobs(oryouusesshwithpresharedkeys),doyousPllneedclientcertsforauthtosensiPvesystems?(Andwhatabouta2ndchannelsoluPonleveragingsmartphones,suchasInCommon'snewofferingwithDuoSecurity,seehEp://www.incommon.org/duo/index.html)
• HasthesuccessofInCommon(andotherfederatedauthenPcaPonefforts)eliminatedtheneedforPKI‐basedcross‐enPtycredenPals?FederaPonseemstobethedirecPonthattheNaPonalStrategyforTrustedIdenPPesinCyberspace(NSTIC)isgoing,anditmaybeworthnoPngthatsomehavealwaysworriedabouttheprivacyimplicaPonsofPKI‐style"naPonalIDcards"online...
49
![Page 50: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/50.jpg)
"IsNSTICaplantointroduceana)onalIDcardoraninternetdriver'slicense?DoIhavetogetone?"
"No.ThegovernmentwillnotrequirethatyougetatrustedID.Ifyouwanttogetone,youwillbeabletochooseamongmulPpleidenPtyproviders—bothprivateandpublic—andamongmulPpledigitalcredenPals.SuchamarketplacewillensurethatnosinglecredenPalorcentralizeddatabasecanemerge.EvenifyoudochoosetogetacredenPalfromanIDprovider,youwouldsPllbeabletosurftheWeb,writeablog,visitchatrooms,ordootherthingsonlineanonymouslyorunderapseudonym".[FAQitemresponseconPnueshere]
*hEp://www.nist.gov/nsPc/faqs.html
.
50
![Page 51: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/51.jpg)
AHumorousComment(WithAnUnderlyingGrainofTruth?):ThePKIDeLorean*Hypothesis
• "[M]aybethepossiblefutureinwhicheverythingisPKI‐enabledanddigitalcerPficatesareubiquitousissohorrendousthatitactuallysentripplesofbadluckbackthroughPmethatsabotagedthedevelopmentanddeploymentofPKItechnology.Somethingsactuallyseemtomakealotofsensefromthispointofview."
"WhyPKIFailed,"LutherMarPn,29October2009,hEp://superconductor.voltage.com/2009/10/why‐pki‐failed.html[ablogaboutsecurity,cryptographyandusability]
*C.F.hEp://en.wikipedia.org/wiki/Back_to_the_Future
51
![Page 52: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/52.jpg)
"FixingPKI"–ACobageIndustryofItsOwn
• PKIhasbeensuccessfulinone(quiteperverseway):ithassucceededininspiringhundredsofpapersandtalksaEempPngtoexplainpreciselywhyPKIhasfailedsofar.
• Oneauthorevenwentsofarastosay,
'[I]tseemsariteofpassagefortheserioussecurity researchertowriteapaperwithaPtlesuchas "ImprovingPKI..."Neverinthefieldofsecurity researchhassomuchbeenwriEenbysomany,to bereadbysofew.' hEp://iang.org/ssl/pki_considered_harmful.html
52
![Page 53: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/53.jpg)
OrAreSomeFundamentalTechnicalBitsSoBrokenThatTheyMakeSanePeopleRunAwayFromPKI?
• Forexample,whataboutrevokingorcancellingclientcerPficates?
• HypothePcallyimaginethatyou'reamanagerandyou'refiringanemployee.Aspartofdoingthat,youcollecttheirdoorkeyandcompanycreditcard(oryouhavethelockschangedandthecreditcardcancelledifthey'vebeen"lost").
• ButwhataboutrevokingaclientcerPficatetheymighthavebeenissued?(Fornow,let'sassumethatitwasn'tissuedinnon‐exportableformonasmartcardorPKIhardtoken)
• Howwouldyoucancelorrevokeit?53
![Page 54: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/54.jpg)
RevokingAClientCert
• Unfortunately,unlike"takingback"aphysicaldoorkeyorcumngupacreditcard,it'sharderto"takeback"anelectroniccredenPal.
• CRLs("cerPficaterevocaPonlists",seeRFC3280andRFC5280)weremeanttohandlethisproblem,muchlikethoseprintedbooksofstolenorrevokedcreditcardnumbersthatstoresusedtogetfromthebankcardcompaniesbankintheolddays.MostCAscurrentlypublishaCRLonceaday.SomeusersmaycheckordownloadthosedailyCRLs,butmostdon't.Andifyou'reaCA,oryou'reauserwithacompromisedcert,youreallydon'twanttohavetowaitupto24hourstosort‐of‐revokeacompromisedcredenPal,nordoyoureallywantmillionsofusertohavetopotenPallydownloadahugefilelisPngpilesofrevokedcerts!
• OCSP("onlinecerPficatestatusprotocol",RFC2560)wasmeanttohandlethisissuemuchmoredirectly,andinteracPvely,butmanybrowsersandemailclientsdon'tcheckacert'sOCSPstatus.Ugh.
54
![Page 55: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/55.jpg)
LocallyImpor)ngaCRL
• AnexampleofaCRLis:hEp://crl.usertrust.com/AddTrustExternalCARoot.crl
• IfyouvisitthatURL,itwillbeimportedintoyourbrowser.• YoucanalsoscheduletheCRLtobeautomaPcallyupdated,if
you'dliketodoso...
• But,andthisiscriPcalifyoubelievescalabilityisimportant:youshouldn'tneedtodownloadanevergrowinglistofkilledcerts.
55
![Page 56: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/56.jpg)
CRLs:The"hosts"FileofPKI
• NotethateachCAwillofferoneormoreCRLs,andtherearehundredsofCAsoutthere!NormallyyouwouldNOTwanttorouPnelyimportallthoseCRLsallthePmeoneachsystem!Thissimplydoesn'tscaletoInternet‐sizeaudiences.
• Inmanyways,thisremindsmestronglyof"hosts"filesintheoldpre‐DNSdays–youknow,peoplewouldcopyaroundstaPcfileswithmappingsofhostnamestoIPaddresses.
• Doyoureallythinkwe'dhavethesizeInternetwehavetoday,ifthatsortofthingsPllhadtohappen?Clearly,no.
56
![Page 57: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/57.jpg)
SoWhatAboutOCSP?
• YoucanchecktoseehowOCSPisconfiguredinFirefoxbygoingtoabout:configandthenfilteringforocsp.Forexample(enlargedforeaseofviewing):
• NotethatOCSPischeckedbutisNOTREQUIREDbydefaultinFirefox.Youcanchangeittoberequiredifyouwantto,butindoingso,you'llbreakaccesstosomeSSL/TLS‐securedsites.
57
![Page 58: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/58.jpg)
Chicken/EggInterac)onsandInsis)ngonOCSP
• Assumeyou'reconnecPngviaacapPveportal,andthecapPveportalblocksallexternalaccessbydefaultunPlyou'veloggedintoanSSL/TLS‐securedpages.
• NowassumethatyouareusingabrowserthatstrictlyrequiresOCSPvalidaPon...butOCSPvalidaPonrequirestheabilitytoconnecttotheOCSPresponder,andthatrequirestheabilitytoresolvetheDNSname,andtoconnecttothathost...butthatrequiresnetworkaccess...Nicecirculardeadlock,eh?
• MypointindwellingonCRLsandOCSPsearlyintoday'ssessionistogiveyouaheadsupthattherearesomearchitecturalandsecuritycomplexiPesthatdoexist,andthatmaybenecessaryto"resolve"ifyouwantcertstoworkinsomeenvironments...butthosedon'tneedtobe"showstoppers"inmyopinion.
• ClearlycertrevocaPonis(orcanpotenPallybe)tricky.Thisiswhy,whenitreallymaEers,browservendorsissuepatchestokillcerts
58
![Page 59: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/59.jpg)
AListofSomeFirefoxSecurityAdvisories
59
![Page 60: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/60.jpg)
ExampleofOneofThoseSpecificAdvisories
60
![Page 61: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/61.jpg)
I'veRambledEnough...
• Wecouldtalkforhourswhenitcomestoprovidingcryptobackground,butlet'sseehowthisallactuallyworks...let'sgetaclientcertandgetsetuptosendandreceivesecureemail.
• Thenextpartoftoday'ssessionthuslookslike:
‐‐applyingforaclientcert‐‐successfullydownloading/installingitinFirefox‐‐backingitup‐‐installingthecertinThunderbird‐‐configuringThunderbirdtodoS/MIME
61
![Page 62: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/62.jpg)
V.GelngAFreeS/MIMEClientCer)ficate
62
![Page 63: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/63.jpg)
GelngaFreeClientCertforS/MIMEWithFirefox
• TodoS/MIME,you’llneedanemailaccountandaclientcert.We’llassumeyoualreadyhaveanemailaccountyoucanuse,andwe’llgetourfree‐for‐personal‐useclientcerPficatefromComodo.Thankyou,Comodo!Togetit,goto:hEp://Pnyurl.com/free‐cert(hEp://www.comodo.com/home/email‐security/free‐email‐cerPficate.php)
• We’regoingtouseFirefoxtoapplyforanddownloadourcertfromComodo.WhileyoucanusepreEymuchanypopularbrowserwithclientcerts,forthepurposeofthistraining,ifyou'refollowingalong,aswegothroughthis,pleaseONLYuseFirefox.Ifyoudon’talreadyhaveFirefox,youcangetitforfreefrom:hEp://www.mozilla.org/en‐US/firefox/fx/
• Macvs.PCorLinux:Althoughwe’llbeusingFirefoxonaMacintheseslides,FirefoxonMicrosofWindowsorLinuxwillbevirtuallyidenPcal.
63
![Page 64: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/64.jpg)
Comodo’sFreeSecureEmailCer)ficateWebSite
64
![Page 65: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/65.jpg)
TheApplica)onFormYou’llComplete
65
![Page 66: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/66.jpg)
SuccessfulApplica)on…
66
Atthispoint,folks,pleasecheckyouremailfromComodo.You’llneedtogototheweblinkthatthey’vesentyou…
![Page 67: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/67.jpg)
Collec)ngYourCer)ficate
67
Tocollectyourcer9ficate,usingtheSAMEBROWSERontheSAMESYSTEMyouusedtoapplyforyourcer9ficate,gototheURLyouweresentinemailandpluginyouremailaddressandtheuniquepasswordthattheyprovided
![Page 68: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/68.jpg)
SuccessfulCer)ficateDownload…
68
![Page 69: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/69.jpg)
"WhereElseCanIGetClientCerts?"
• Whilewe'reonlygoingtoshowuseofthefreeoneyearComodoclientcertforpersonaluseinthistraining,youcanalsogetapaidclientcertfromComodo's"EnterpriseSSL"division,andfreeorpaidclientcertsfromothervendors.See,forexample:
‐‐hEp://www.enterprisessl.com/ssl‐cerPficate‐products/addsupport/secure‐email‐cerPficates.html
‐‐hEp://www.globalsign.com/authenPcaPon‐secure‐email/digital‐id/compare‐digital‐id.html
‐‐hEp://www.symantec.com/verisign/digital‐id/buy
‐‐hEp://www.trustcenter.de/en/products/tc_personal_id.htm
69
![Page 70: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/70.jpg)
InCommon'sClientCer)ficateProgram
• BecausethisisahighereducaPonaudience,I'llalsonotethatifyousignupforInCommon'sClientCerPficateService(seehEp://www.incommon.org/cert/),InCommonincludestheabilityforyoutoissueclientcerPficatesaswellastradiPonalSSL/TLSservercerPficatesatnoextracharge.
• AlsonotethatifyouparPcipateinInCommon'sCerPficateProgram,youcanissuecertsbothviaawebinterface(the"ComodoCerPficateManager")andviaaprogrammableAPIwithsynchronousclientcertissuancewithinfiveseconds.
• SeehEps://www.incommon.org/cert/repository/fortheInCommonCerPficateManager(CM)Guide,theEndUserGuideforClientCerPficates,andtheCerPficateManager(CM)SMIMEEnrollAPIGuideformoreinformaPon.
70
![Page 71: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/71.jpg)
VI.ExaminingandBackingUpYourNewClientCer)ficate
71
![Page 72: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/72.jpg)
"Okay,I'veGotMyClientCert.WhatDoIDoNow?"
• WhenComodogaveyouyourclientcert,rememberthattheyrecommendedthatyoubackitup.
• Weagreethat'sagoodidea.
• Youalsoneedto"backupyourcerPficate"inordertobeabletogetitintoThunderbirdforuseinemail.
• Therefore,launchFirefoxifyouaren'talreadyrunningit.
72
![Page 73: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/73.jpg)
InFirefox,GotoFirefox‐‐>Preferences…
73
![Page 74: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/74.jpg)
TheFirefoxCer)ficateManager
74
Notes:Selectthe“YourCerPficates”tabontheCerPficateManagerpanel.Ifnecessary,hitthetriangulararrowtoexpandthelistofComodocerPficates.You’llprobablyonlyseeonecerPficate,theoneyoujustgotfromComodo.ButjustasamaEerofform,let’sconfirmthatitreallyisyours…
![Page 75: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/75.jpg)
TheGeneralTabTellsUsWhenTheCertExpires
75
![Page 76: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/76.jpg)
TheDetails"ViewCert"TabWillLetUsSeeTheEmailAddressAssociatedWithOurNewCert
76[Closethe“ViewCer)ficate”boxwhenyou’redonelookingatit]
![Page 77: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/77.jpg)
Okay,We'vePickedThe"RightOne,"SoLet'sBackItUp…
77
![Page 78: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/78.jpg)
The"NameYourBackup"DialogBox
78
PickanameforyourcerPficatebackupfile.Itshouldendwitha.p12fileextension.Forexample,youmightcallthisfilemycertbackup.p12BesureyousaveitasaPKCS12typefile.
![Page 79: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/79.jpg)
TheFirefoxCertManagerBackup‐PasswordDialogBox
79
Pickastrongpasswordtosecureyourcertbackupfile.
PLEASEDONOTFORGETTHATPASSWORD!YOUWILLNEEDIT!
![Page 80: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/80.jpg)
BackupSuccessful…
80
NotethatyoushouldsaveacopyofyourbackuptoaCD,athumbdrive,orsomeexternaldevicejustincaseyouloseyoursystem,yourdrivecrashes,etc.
![Page 81: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/81.jpg)
VII.Impor)ngYourCer)ficateIntoThunderbird
81
![Page 82: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/82.jpg)
We'reNowGoingToImportOurNewCer)ficateIntoThunderbird
• Whiletherearemanydifferentpopularemailclients,we’regoingtoshowyouhowtoimportyourclientcertintoThunderbird.(Laterwe’llalsoexplainhowtouseOutlook,andhowtouseclientcertsinGmailwebemailwithPenango,butfornow,we’regoingtofocusonThunderbird)
• Ifyoudon’talreadyhaveThunderbird,andyou’dliketogetandinstallitnow,youcangetitforfreefrom:hEp://www.mozilla.org/en‐US/thunderbird/
• NotethatThunderbirdhasanautomatedinstallaPonwizardthatshouldbeabletocorrectlyconfigureitselfinmostcases.Acau)ontoanynon‐technicalpersonlookingattheseslideslater:inselngupyouraccount,chooseIMAP(and*NOT*POP)foryouraccounttype!IfyouselectPOP,youmaydownload(andthendelete)allthemailthatyou'vehadstoredonyouraccount!
82
![Page 83: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/83.jpg)
"WhyCan'tThunderbirdJustUseTheCertThatI’veAlreadyGotInstalledinFirefox?
They'reBothMozillaApplica)ons,Aren'tThey?"
• Yes,bothFirefoxandThunderbirdAREfromMozilla.
• WhilesomeapplicaPonsrelyoncerPficatesstoredcentrallyinasingleoperaPng‐system‐providedcerPficatestore(e.g.,inthe“keychain”ontheMac),FirefoxandThunderbirddoNOTdothis.
• FirefoxandThunderbirduseseparateper‐applicaPoncerPficatestores,instead.ThisgivesuserstheflexibilitytotailorwhatcertsgetpotenPallyshowntoeachsuchapplicaPon,butthedownsideisaslightlymorecomplicatediniPalsetup(youneedtoinstallyournewcerPficateinmulPplelocaPons)
• Forwhatitmaybeworth,atleastThunderbird’spreferencesshouldlookveryfamiliartoyouaferlookingatFirefox’s
83
![Page 84: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/84.jpg)
InThunderbird,GotoThunderbird‐‐>Preferences…
84
![Page 85: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/85.jpg)
InTheCer)ficateManager,"YourCer)ficates"Tab,ClickonImport
85
![Page 86: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/86.jpg)
SelectThe.p12BackupFileYouWantToImport
86
![Page 87: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/87.jpg)
SupplythePasswordYouUsedforTheCertBackup
87
![Page 88: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/88.jpg)
SuccessfulImporta)onofTheCertIntoThunderbird
88
![Page 89: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/89.jpg)
VIII.InThunderbird,AssociateYourCer)ficateWithYourEmailAccountAnd
ConfigureThunderbirdToDoDigitalSigning
89
![Page 90: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/90.jpg)
Thunderbird:Tools‐‐>AccountSelngs
90
![Page 91: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/91.jpg)
Security
91
![Page 92: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/92.jpg)
SelectTheCertYouWantToUseForDigitalSigning
92
![Page 93: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/93.jpg)
ConfirmThatYouWantToAlsoUseThatSameCertforEncryp)ng/Decryp)ngMessages
93
![Page 94: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/94.jpg)
MakeSureYou’reSetToDigitallySignYourMessagesByDefault
94
![Page 95: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/95.jpg)
ThunderbirdConfigura)onIsNowComplete…
• Thehardpartisover!YouarenowsettoautomaPcallydigitallysignyourThunderbirdemailmessagesbydefault.
• Andthegoodpartisthatnowthatyou’vegotyourselfsuccessfullyconfigured,youwon’thavetoscrewaroundwithanyofthisforroughlyayear(e.g.,unPljustbeforeyourfreeComodopersonalcerPficateisclosetoexpiring)
• Huzzah!
95
![Page 96: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/96.jpg)
IX.DigitallySigningAMessageInThunderbird
96
![Page 97: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/97.jpg)
StartWri)ngAMessageTheWayYouNormallyWould
97NOTETHE“DIGITALLYSIGNED”SEALATTHEBOTTOMRIGHTCORNER!
![Page 98: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/98.jpg)
Op)onal:ConfirmThatTheMessageWillBeSigned
98
ClickOnThePadlockIconOnTheBarOrTheLiQleRedSealInTheBoQomRightCornerIfYouEverWantToDoubleCheck!
![Page 99: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/99.jpg)
ProceedtoSendYourMessage
• …justlikeyounormallywould.ItwillautomaPcallybedigitallysignedwithyourcerPficate.
• Yourrecipientswillseeyournormalmessage,plusanaddiPonal“p7s”aEachmentthatwillhaveyourpublickey/cerPficate.(no,that'snotmalware:‐))
• Ifyourcorrespondent’semailclientsupportsS/MIME,itwillautomaPcallycheckandvalidateyourdigitalsignature.
• Ifyourcorrespondent’semailclientdoesn’tsupportS/MIME,theycanjustsafelyignoretheextrap7saEachment.
99
![Page 100: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/100.jpg)
X.Encryp)ngAMessageInThunderbird
100
![Page 101: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/101.jpg)
Signingvs.Encryp)ng
• Digitallysignedmessagesestablishwhopreparedthebodyofthemessage,butanyonecansPllreadthatmessage:it’scryptographicallysigned,it’snotencrypted.
• IfthebodyofyourmessageissensiPve,youmayalsowanttoconsiderencrypPngitsothatonlytheintendedrecipient(orsomeonewithaccesstohisprivatekey)canreadit.
• Oh,anditgoeswithoutsayingthatamessagecanbebothsignedANDencrypted,ifthat'sappropriate.
101
![Page 102: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/102.jpg)
GelngThePublicKeyofYourCorrespondent
• Toencryptamessageyou’llneedyourcorrespondent’spublickey.
• Buthowwillyougethispublickey?Answer:you’llhavetherecipientsendyouadigitallysignedmessage,first.
• YouremailclientwillautomaPcallyextractthepublickeyandcertitneedsfromthatdigitallysignedmessageyoureceivedfromhim.
• Ifdigitalcertsaredeployedthroughoutyourenterprise,youmayalsobeabletogetpublickeysandclientcertsforyourcorrespondentsfromyourenterprisedirectory,butthatmodelfallsapartwhenyouaEempttoextenditInternet‐wide.
102
![Page 103: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/103.jpg)
AMetaQues)on:ShouldIEncryptTheMailISend?
• Maybeyes,maybeno.
• Firstofall,notethatyouusuallywon’tbeabletoencryptunlessyourcolleagueisALSOsetuptodoS/MIME,andyourcorrespondenthasalreadysentyouatleastonesignedmessage(sothatyou’llhavehispublickeyandcert)
• Ifthecontentofyouremailisn’tsensiPve,youprobablydon’tneedtoencryptit.Itmaybe“cool”toencryptallthemessagesyoucan,butifyoudon’tneedto,youmightwanttoskipit.Why?– Well,ifyoureceiveencryptedcontent,youwon’tbeabletosubsequently
easilysearchthosemessages.
– And,ifyouhappentoloseyourprivatekey,youwillbeS‐O‐Lunlessyouhaveyourkeybackedup(andyoucanrememberitspassword!),oryourkeyhasbeenescrowed.Ifyourkeyisn'tbackeduporescrowed,canyoureallyaffordtopotenPallyloseallthecontentencryptedwiththatkey?
– You'lldrivecommandlineemailclientusersnuts.103
![Page 104: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/104.jpg)
AndSomeArgumentsInFavorofRou)neEncryp)on
• What'snotsensiPvetome,mightbesensiPvetosomeoneelse.Likewise,itmightnotbesensiPveNOW,butitmightbesensiPveLATER.
• IfyouonlyencryptsensiPvemessages,thatsuremakesthemstandsout,doesn'tit?Wouldn'titbeniceifthosemessageswerejustpartofalargervolumeofrouPnelyencryptedmessages?
• It'srelaPvelyeasytoforgettoenableencrypPon,andtoaccidentallysendoutasensiPvemessageincleartext.IfyourouPnelyencrypt,thatwon'thappen.
• Ifyouwantpeopletosecuretheiremail,youneedtosettheexampleandnudgethemalong.Iftheygetsetuptodoencryptedemail,butthennevergetany,theymayfeellikethey'rewasPngtheirPme.
• Finally,it*is*sortofcool/funtodoso.:‐)104
![Page 105: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/105.jpg)
HedgingTheRiskofDataLoss:KeyEscrow• Let'spretendthatyouhaveafacultymemberwho'sdoing
absolutelycriPcal(andhighlysensiPve)workforyourschool,andyouwantthemtorouPnelyencryptasaresult.AtthesamePme,assumethatpersonisoverweight,hashighbloodpressure,drinksandsmokes,crossesthestreetwhiledistracted,driveswithoutaseatbeltandlivesinaganginfestedneighborhood.Frankly,youworrythatcriPcalfacultypersonwilldieorbekilled,ormaybejustquitandstartabusinessmakinghome‐madepremiumsoapsomeday.Ifthathappens,howwillyougetatalltheirencryptedworkmessagesandfiles?Willallthatworkproductbelost?
• EscrowingencrypPonkeysallowsyoutogetacopyofotherwiseunavailableencrypPonkeysinavarietyofcarefullypredefinedemergencysituaPons.Companiesnormallypayextraforthis"insurance."KeysrecoveredviaescrowmayhavetheassociatedcertrevokedatthesamePme.
105
![Page 106: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/106.jpg)
"ItISWorthIt.IDOWantToEncryptMyMessage‐‐HowDoIDoThatInThunderbird?"
106
![Page 107: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/107.jpg)
"WhenIGetASignedandEncryptedMessage,WhatWillItLookLike?"
107
![Page 108: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/108.jpg)
WhoSignedThatMessage?(Note:ItMayNotBeThePersonWhoSentTheMessage)
108
![Page 109: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/109.jpg)
AnExampleofUsingaNon‐MatchingCert
109
![Page 110: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/110.jpg)
Addi)onalImportantS/MIMECaveats
• S/MIMEencryptstheBODYofthemessage,ONLY.S/MIMEDOESNOTENCRYPTTHESUBJECTHEADER(oranyothermessageheader).Therefore,DONOTputanythingthatneedstobekeptconfidenPalintheSubjectofanencryptedmessage.Infact,youmaywanttogetinthehabitofneverpumngANYTHINGintothesubjectlineofencryptedmessages.
• EncryptedmessagebodiescannotbeautomaPcallyscannedonthenetworkforvirusesorothermalware.
• SomemailinglistprogramsmaytamperwithmessagesbydoingthingslikeaddingfootersorrewriPnglinksorstrippingaEachments(includingp7sdigitalsignatures).Ifthathappens,yoursignaturewon’tvalidate.Ifyousendmessagestomailingliststhatdothesesortofthings,youmaywanttomanuallydisabledigitalsigningformessagestothoselists.
110
![Page 111: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/111.jpg)
XI.WhatIfIWantToUseOutlookInsteadofThunderbird?
111
![Page 112: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/112.jpg)
OutlookOnAppleOSXUsestheAppleKeychain;ToDoS/MIMEwithOutlook,WeNeedToGetOurCertIntoIt
112
Can’tfindKeychainAccess?CheckApplicaPons‐‐>UPliPes
![Page 113: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/113.jpg)
Impor)ngOurKey/Cert
113
![Page 114: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/114.jpg)
SuccessImpor)ngOurKeyandCert
114
Nowwe’rereadytolaunchOutlook…
![Page 115: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/115.jpg)
Outlook’sOpeningScreen…
115
![Page 116: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/116.jpg)
Outlook‐‐>Preferences…
116
![Page 117: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/117.jpg)
Accounts
117
![Page 118: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/118.jpg)
AdvancedBubon…
118
![Page 119: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/119.jpg)
PickingACertontheAccountSecurityTab
119
![Page 120: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/120.jpg)
120
![Page 121: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/121.jpg)
WhatTheSenderSeesWhenSendingASignedMessageinOutlook
121
![Page 122: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/122.jpg)
OutlookAsksForConfirma)onTheFirstTimeItUsesYourPrivateKey/Cer)ficate
122
[Note:ifyou'reparPcularlysecurityconscious,youmayjustwanttoclick"Allow"ratherthan"AlwaysAllow"]
![Page 123: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/123.jpg)
WhatTheRecipientSeesInOutlookWhenGelngAMessageThat’sSigned
123
![Page 124: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/124.jpg)
WhatIfWeWantToEncryptAMessage?
124
![Page 125: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/125.jpg)
XII."WhatIfIUseGmailWebEmailAndIWanttoDoS/MIME?"
125
![Page 126: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/126.jpg)
GmailDoesNOTNa)velySupportS/MIME
• YouCANdoS/MIMEwithaGmailaccountifyoureadyourGmailviaadedicatedmailclient(suchasThunderbirdorOutlook)
• However,ifyoureadyourGmailviaGmail’swebemailinterface,youwon’tbeabletonaPvelyS/MIMEsignorencryptyourmailtraffic.Why?Well,rememberthatGmail’sbusinessmodelisbasedaroundsellingcontextualads(e.g.,ifyousendanemailmessagetalkingaboutgoingonvacaPontoHonolulu,don’tbesurprisedifyousuddenlystarttoseeGmailadsforairfaretoOahuordiscounthotelroomsoverlookingAlaMoana).
• Fortunately,youcangetathirdpartybrowserplugin,Penango,thatwillhelp.PenangoisfreeforfreeGmailaccounts.ThankyouPenango!(clickonthe“Pricing”linktorequestadownloadlink)
• Warning:PenangoiscloselyintegratedwithFirefox,andonlysupportssomeversions.Checktheversionyou'reusing!
126
![Page 127: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/127.jpg)
127
![Page 128: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/128.jpg)
OnceYouHavePenangoInstalled,OpenPenango’sPreferencesinFirefox
128
![Page 129: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/129.jpg)
PlugInYourGmailAddress
129[someaccountdetailselidedabove]
![Page 130: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/130.jpg)
Uncheck"Automa)callyencryptnewmessages"
130[someaccountdetailselidedabove]
![Page 131: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/131.jpg)
ComposingaSignedGmailMsgWithPenango
131
[someaccountdetailselidedabove]
![Page 132: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/132.jpg)
SomePenango‐RelatedSendingIdiosyncrasies
• WhenyousendasignedorencryptedmessageusingPenango,themessagegetssubmiEed“outside”ofGmail'swebinterface(e.g.,viaSMTPStosmtp.gmail.com).ItdoesNOTgetsentwithintheGmailwebinterface.ThisisnecessarybecausePenangoneedstosetthetop‐levelmessageContent‐TypeappropriatelyforS/MIME.
• Theysubmitviaport465(grr!)andnotSTARTTLSonport587;ifproxiesareinuse,Penangowillendeavortousethem,too.
• TheIPofthehandoffhostdoesappearintheGmailheaders.
• Thebodyofthemessagemaybebase64encodedevenifthemessageyou'resigningisplain‐text‐only.Penangoalsousesalong/uglynameforthe.p7saEachment
• Speakingof,somemessagetext/messageformamngmaymakeitappearasifyoumustusePenangotoprocessaPenango‐generatedS/MIMEmessage.That'sanincorrectimpression.
132
![Page 133: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/133.jpg)
XIII.HardTokens/SmartCards
133
![Page 134: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/134.jpg)
Alterna)vesToStoringYourKeysandCertsOnYourDesktoporLaptop
• InhighereducaPon,manyusersdon'thaveacleanone‐to‐onemappingofuserstosystems.
• Forexample,asecurityconscioususermighthavebothadesktopandalaptop,andmightwanttousetheircerPficatesonboththosesystems,butmightnotwanttoleavetheircredenPalsstoredonmulPplesystemsiftheydon'thaveto.
• Alesswell‐offusermightnothaveasystemoftheirown,workingfromsharedsystemsinacampuscomputerlab,instead.ObviouslyitwouldbebadforthatusertodownloadandinstalltheircredenPalsonasharedsysteminthatlabifthatsystemwillsoonbeusedbysomeoneelse,oriftheymaybeassignedtousesomeothersystemthenextPmetheyvisitthelab.
• WhatwereallyneedisawayforuserstosaveandcarrytheirS/MIMEcertswiththemwherevertheygo.
134
![Page 135: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/135.jpg)
HardTokens/SmartCardsAdvantages
• UserscanuseonesetofPKIcredenPalseverywhere.• UserscancarrytheircredenPalswiththemwherevertheygo(it's
justanotherblobonyourkeychain,oranother"creditcard"inyourwalletorpurse)
• Theuser'sprivate/publickeypaircanpotenPally*begeneratedon‐token(oron‐smartcard),withtheprivatekeyneverleavingthedevice
• Theusercaninsertandunlocktheirtokenorsmartcardonlywhentheyneedit,keepingthatcredenPaloffline(andshelteredfromonlineaEack)therestofthePme
• Clientcertissuancecanmimicotherwellestablishedcreden)alissuanceprocesses(suchasthoseforIDcardsordoorkeys);diboforclientcertuseprocesses.
* NotcurrentlypossibleforInCommonclientcerPficates. 135
![Page 136: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/136.jpg)
GeTngAnIns)tu)onalID(orDoorKey)
GemngauniversityIDcardora doorkeyusuallyinvolves:‐‐ObtainingproofofauthorizaPon,suchasaleEerofadmissionorasignedcontract(oracompletedkeyauthform)‐‐Takingyourpaperworkandadriverslicenseorpassport,andvisiPngthecampuscardoffice(oradistributedcredenPaldistribuPonsite,perhapslocatedinthestudenthousingofficeorpersonneldepartment)‐‐PaperworkandcurrentproofofidenPtygetreviewedandOK’d‐‐One'sphotogetstaken(fortheIDcard)oradepositgetscollectedforakey,anditgetsissuedwhile‐you‐wait.
Thisworks.Notpainless,butnothorrible,andit'srelaPvelysecure.NowvisualizetheIDcardasactuallyasmartcard(withaclientcertonit),orthe"key"actuallybeingaUSBformatPKIhardtoken...wouldthatprocessneedtobemateriallydifferentthanthecurrentprocessofissuingIDcardsordoorkeys?No...
136
![Page 137: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/137.jpg)
UsingAnIns)tu)onalID(orDoorKey)
EveryoneknowshowtousetheirIDcard(orkeys):
‐‐Carryitwithyou,soyouhaveitwithyouwhenyouneedit‐‐Whenneeded,allowyourcardtobescannedorinspected(orsPckyourkeyinthelockandturnittoopenthedoor);thisissimple,sotrainingisnotrequired.
‐‐IfyouloseyourIDoryourkey(s),youreportitsoyoucangetareplacement,andsoyouroldonecanbemarkedasinvalid(orsoanylocksassociatedwiththelostkeycanbepotenPallychanged)‐‐Ifyourkeydoesn'tgetyouintoaspaceyouneedtoaccess,you'llbegivenanotherone(repeatthe"gemngakey"process).‐‐YourIDcardorkeysgetcollectedifyouleaveorarekickedout.
UsingclientcertsneedstobeaseasyasusinganIDcardordoorkey,andcanbeifhardtokens/smartcardsareused.
137
![Page 138: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/138.jpg)
USB‐FormatPKIHardTokens
• USB‐formatPKIhardtokenslookalotlikearegularUSBthumbdrive,butaUSB‐formatPKIhardtokenisactuallyacompletelydifferentanimalthatjustcoincidentallylookslikeathumbdrive.
• Specifically,aUSB‐formatPKIhardtokenisactuallyahighlyspecializedsecurecryptographicprocessorwithintegratedsecurestorage.Correctlyconfigured,itallowsyoutosaveandUSEyourS/MIMEkeysandcerPficate,butwithoutpumngthosecredenPalsatriskofbeing"harvested"/stolen.Thesedays,withallthecredenPalharvesPngmalwarethat'soutthere,that'sapreEycoolthing.
• Infact,USB‐formatPKIhardtokenshavetheabilitytopotenPallygenerateprivate/publickeypairs*onthetokenitself*,sothattheprivatekeyNEVERleavesthetoken,althoughwewillnotbetakingadvantageofthatcapabilityduringtoday'ssession(andinfactthat'salsonotsupportedforInCommonClientCerPficates)
138
![Page 139: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/139.jpg)
SafeneteTokenPRO72K
• ThroughthegenerosityofChenArbelatSafenet,we'reabletoprovideeachSecurityProfessionalsclientcerttrainingparPcipantwithafreeUSBformatPKIhardtokentoday,theSafeneteTokenPRO72K,aswellasthedriversofwareanddocumentaPon.Thankyou,ChenandSafenet!
• Thistoken,formerlymarketedbyAladdin,isthemostpopularUSBformatPKIhardtokenusedinhighereducaPon,andisparPcularlyniceifyouworkinacrosspla�ormenvironmentsinceitissupportedunderMicrosofWindows,MacOSX,andLinux.
Imagecredit:hEp://commons.wikimedia.org/wiki/File:EToken_PRO_USB.jpg139
![Page 140: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/140.jpg)
"ThanksforOne,ButINeedABunchofThem!"
• USB‐formatPKIhardtokensareavailablefrommanymajorITchannels.Forexample,CDW‐GcurrentlyofferstheSafenete‐TokenProfor$38.89/each(qty1‐100),andtheSAC(requiredsofwaredrivers)costs$18.94.IfyouthrowononeoftheliEleprotecPveshells(liketheoneweprovidedforyoutoday),that'sanothercouplebucksfromCDW‐G,bringingthepricerightuptoaround$60.00/unit.Naturally,while~$60/unitisn'tabigdealforasmallnumberofusers,itaddsuppreEyquicklyifyouwanttoissuehardtokenstoawholecampus,parPcularlyiftherearecompePngtwofactorauthsoluPonsthatmaybe~$5/user.
• Fortunately,InCommonhasarrangedtobeabletoselldeeplydiscountedSafeNetPKIhardtokenstoInCommonhighereducaPonsubscribers.FormoreinformaPon,seehEp://www.incommon.org/safenet/index.html(note:aminimumorderoftwohundredunitsapplies)
140
![Page 141: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/141.jpg)
"ButIOnlyWantToOrderADozenTokens!"
• If you're only buying a small number of tokens for a test deployment, you can already get those on the open market. Internet2/InCommon doesn't need to get involved in order for that to be practical. Our goal is explicitly not to make small-scale test PKI deployments cheap(er).
• On the other hand, if the community is trying to deploy thousands, tens of thousands, hundreds of thousands, or even millions of client certificates, THAT's the sort of process we want to facilitate, and where central coordination may be critical.
• Put another way, Internet2/InCommon is, and should be, all about facilitating "deployment at scale."
• This is an important principle that Randy Frank deserves special acknowledgement for correctly emphasizing.
141
![Page 142: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/142.jpg)
SafenetDrivers,LocalTokenManagementSoKware,AndDocumenta)on
• MostsystemswillrequiretheinstallaPonoftokendriversand/orlocaltokenmanagementsofware(soyoucanloadyourexisPngcerPficateontothetoken).WithSafenet'spermissionwearemakingthatsofwareanddocumentaPonforthisproduct,availabletoyouforinstallaPonviaCD‐ROM.WeaskthatyourespectthiscopyrightedsoKware:pleasedoNOTredistributeit!
• Youshouldseethreefiles:‐‐SAC8_1SP1.zip(Windows) 206.9MBMD5sum=55876842e6e13e6c8ee6cdf9dd16986a‐‐610‐011815‐002_SAC_Linux_v8.1.zip 42.2MBMD5sum=d66c9ff919f3b35180dba137857eb88c‐‐610‐001816‐002_SAC8.1Mac.zip 18.2MBMD5sum=c2e9e9b0e2706ffab310538574cf009b
142
![Page 143: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/143.jpg)
InstallingtheSACOntheMac
• InserttheCD‐ROManddragthe610‐011816‐002_SAC8.1Mac.zipfiletoyourdesktop.UnzipitwiththeArchiveUPlity,Stuffit,orwhateverapplicaPonyounormallyusetounzipfiles.Youshouldendupwithafoldercalled"SAC8.1.0.5"withtwosubfolders:"DocumentaPon"and"MacInstaller."
• READTHEDOCUMENTATIONINTHEDOCUMENTATIONFOLDER!Inpar)cular,readtheAdministrator'sGuideandreadtheReadMefile,par)cularly"KnownIssues/Limita)ons"
• Really,Ikidyounot,readthedangdocumenta)on,please!
• ThengototheMacInstallerfolder,andruntheinstallerthat'sinthere:SafeNetAuthenPcaPonClient.8.1.0.5.dmg
• Whenyoumountthatdmgfile,youwillseeInstallSafeNetAuthenPcaPonClient8.1.mpkg
• Installit.You'llneedtorebootwhenitfinishes143
![Page 144: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/144.jpg)
FirefoxSecurityModule
• AsmenPonedinthedocument(whichyouAREgoingtoread,right?)whenyouinstalltheSafenetAuthenPcaPonClient,itdoesn'tautomaPcallyinstallthesecuritymoduleinFirefox.Youneedtodothatmanually.
• Firefox‐‐>Preferences...‐‐>AdvancedIntheEncrypPontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,Modulefilename,enter:/usr/local/lib/libeTPkcs11.dylibIntheConfirmwindow,clickOK
• RepeatthisprocessforThunderbird,too.
144
![Page 145: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/145.jpg)
"ButI'mUsingWindows,NotAMac!"
• WindowsusersshouldseeAppendixIattheendoftheseslides.
IthasinstrucPonsforsemngupyourSafeNethardtokenwithaWindows7box.
• We'dhavebundledtheminhere,inline,butwedidn'twanttointerruptthings/confusetheMacusers.
145
![Page 146: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/146.jpg)
NowLaunchtheSafeNetAuthen)ca)onTools
146
![Page 147: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/147.jpg)
GoToTheGearMenu("Advanced")
147
![Page 148: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/148.jpg)
Select"ViewTokenInforma)on,"ThenIni)alizeIt
148
![Page 149: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/149.jpg)
EnterYourNewPasswordsandThenGoToTheAdvancedScreen
149DO*NOT*FORGETTHESECRITICALPASSWORDS!
![Page 150: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/150.jpg)
BeSureToAskfor2048bitkeysupport
150
![Page 151: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/151.jpg)
NowActuallyIni)alizeTheHardToken...
151
![Page 152: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/152.jpg)
LoginToTheHardToken
152
![Page 153: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/153.jpg)
You'llNeedToEnterYourPasswordForIt
153
![Page 154: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/154.jpg)
GoToTheImportCertScreen
154
![Page 155: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/155.jpg)
ImportOurCer)ficate
155
Pickthep12backupfilewesavedearlier.
Notethatyou'llneedtoprovidethepasswordforthatbackupfileinordertoloaditontothetoken.
![Page 156: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/156.jpg)
BeSureToIncludetheCACertsOnTheToken,Too
156
![Page 157: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/157.jpg)
ViewOurCertOnTheHardToken
157
![Page 158: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/158.jpg)
AnAside:What'sThat"UnknownPurpose"Note?
158
Butcomingbacktoactuallyusingourhardtoken...
![Page 159: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/159.jpg)
TellingThunderbirdToUseTheHardToken(WeNeedToUnlockTheToken,First)
159
![Page 160: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/160.jpg)
We'reThenShownTheTokenandItsCert
160
![Page 161: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/161.jpg)
NowWeGoToThunderbirdAccounts‐‐>Security,AndSelectTheHardTokenToUse
161
![Page 162: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/162.jpg)
AndAtThatPointWe'reGoodToGoUsingTheHardTokenForOurCert...Huzzah!
162
![Page 163: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/163.jpg)
XI.DoingAllThis"AtScale"
163
![Page 164: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/164.jpg)
GetALibleExperience,First• It'ssomePmestempPngto"swingforthebleachers,"tryingtohita
grandslamthefirstPmeyou'reuptobat,wheninfacttheprudentthingmightbetomakesureyoujustgetonbase.Thisistrueforclientcerts,asforbaseball.
• I'dliketourgeyou,beforeyouembarkonabigprojectinvolvingclientcerts,orevenapilotscaleprojectthatmightinvolvesomeofyourmostsensiPvesystems,tofirstspendaliElePmejustexperimenPngwithclientcerts.
• Getafreeclientcertforyourself,andforyourteammembers.
• UsethemforrelaPvelylowimpactacPviPes,suchassigningyouremail,whileyougainfamiliaritywiththem.
• Trypurchasingandusinghardwaretokensorsmartcards.Whatworks?Whatdoesn'tworkonyourdevicesorinyourenvironment?Inanexperimentalenvironment,you'vegotthefreedomtopushtheenvelopewithoutworryingtoomuch.
164
![Page 165: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/165.jpg)
ClientCertDeploymentScale:Test,Departmental,Site‐Wide,edu‐Wide?
• Wecanimaginefourdifferent"scales"ofclientcertdeployment:‐‐Testdeployment(maybehalfadozenoradozenclientcerts,perhapsissuedonlytohighlytechnicalsystemsorsecuritystaff)‐‐Departmental‐scaledeployment(hundredsoreventhousandsofcerts,perhapsissuedtoallauthorizedadministraPvecompuPngusersortoallauthorizedhighperformancecompuPngusersatasite)‐‐Site‐widedeploymentto"everyone"(allfaculty/staff,allstudents,andpotenPallyeventoall"other"users)‐‐Ormaybeevenbroadedu‐wide(cross‐realm)deployment?
• Theseareradicallydifferentanimals.IfweDON'Tneedtodothecross‐realmcase,wemightevenbeabletogetalongwithlocallyissuedclientcerts.Doyouthinkthat'sonereasonwhyemail,aclassicinter‐realmapp,hasleadtoclientcertsofenbeingcalled'S/MIMEcerts?'(Ifyou'reonlyissuingclientcertsforintra‐realmuse,atthesamePmeyouissueacert,youcouldjustpushalocalrootcert).
165
![Page 166: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/166.jpg)
SmallDeployments?==>TargetedBenefitsLargerDeployments?==>BroadAcceptance
• WhileIdon'tmeantoimplythatthere'snobenefittofolksdoingPKItesPng,orevensmallscaledeploymentsforacarefullydefinedlocalcommunity,thosesortofprojectsdeliveradifferentsortofbenefitthanmorebroadlyadoptedefforts.Hasthe)mecomeforustoconsiderabroadlyacceptedcross‐ins)tu)onalclientcerteffort?
• Contrastalocally‐issuedlibrarycardwithapassport:‐‐Alocally‐issuedlibrarycardisterrificallyusefulifIwanttocheckoutsomebooks,butunfortunatelynooneexceptmylibrary,e.g.,theonethatissuedit,willrecognizeoracceptit‐‐Apassport,ontheotherhand,whilenotadocumentthatwillbeacceptedforthepurposeofcheckingoutlibrarymaterials,isuniversallyacceptedasaproofofpersonalidenPty(includingbeingpotenPallyusedorthingslikegeUngalocallibrarycard)
166
![Page 167: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/167.jpg)
TimeForAStandardizedHigher‐Ed‐WideIDCard?
• Oneofthereasonspassportsareusefulisthatthey'restandardized.CurrentlyeachuniversityissuesitsownuniquetypeofIDcard,withliEleinthewayofformalhighered‐widestandardizaPon.Mosthaveaname,anumber(hopefullynotaSSN!)andapicture.Mostalsohaveamagswipestrip,abarcode,andmaybeanRFIDtag.
• Hasthe)mecomeforcollegeanduniversityIDcardstoalsohavesmartcardfunc)onalityandaclientcert?Infact,shouldhigheredbestrivingtoestablishacommunity‐widegeneralstandardforcollegeanduniversityIDcards?(arguably,there'salreadyconsiderabledefactostandardiza)on)
• Note:Iexplicitlyhavenodesiretosteponcardoffice"turf"atschoolsallacrossthecountrybyinnocentlyaskingthoseques9ons!Idoalsorecognizethattherearea*lot*ofsubtleissuesthatareraisedjustbyaskingthosetwoques9ons.
167
![Page 168: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/168.jpg)
WhatWorksForOnesie‐TwosieWon'tWorkForTensofThousands
• Theprocessesyousawearlierinthissession,whichcanbemadetoworkforasmallnumberoftechnicallysavvyusers,won'tworkifyou'retryingto"cookforthousands"(ortensofthousands)ofusers.Amorescalableapproachisneeded.
• Forexample,ifyou'regoingtoinstallcerPficatesdirectlyonusersystems,youneedabeEerwaytodropcerPficatesonthosesystems,andabeEerwaytoconfiguretheuser'sapplicaPonstoknowaboutandusethem(InCommonisworkingonthis).
• Similarly,ifyou'regoingtousehardwaretokens,instead,youlikelyneedenterprisegradetoolstoprovisionandmanagethosedevices.Thosetoolscanbepurchased,ormaybewriEenlocally.
• Heck,ifwe'rethinkingaboutabigdeployment,weevenneedtocarefullyconsiderwhatSORTofhardwaretokenswemightwanttouse...USBformatPKIhardtokensareNOTtheonlyopPon.
168
![Page 169: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/169.jpg)
Smartcards?
• TheUSBformatPKIhardtokensyoureceivedarebasicallyasmartcardwithanintegratedsmartcardreader(withabuilt‐inUSBinterface).Thatcanbeveryconvenient–it's"allinone."
• However,smartcardstendtobesomewhatcheaperthanUSBformattokens(e.g.,$15.13vs.$19.80),whichcanbeimportantifyou'rebuyingthousandsofthem.Ontheotherhand,theydoneedsmartcardreaderswhereverthecardsaregoingtobeused(fortunatelysmartcardreadersneednotbeveryexpensive)
• AdisPnctadvantageofsmartcardsisthattheycanbeusedasanemployeebadgeorIDcard,formaEedtoincludethingsliketheemployee'snameandpicture,amagstripeandoneormorebarcodes,whileALSOcontainingasmartcardinasecurecerPficatestore.Thismaybethebestofallpossibleworlds.
• Butwhatwillyoudoformobiledevices,suchassmartphonesortablets?
169
![Page 170: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/170.jpg)
Slick‐SidedMobileDevicesandHardTokens
• Mobiledevicesareincreasinglyimportantoncampus,soweshouldbesuretothinkabouthowwe'llintegratehardtokensorsmartcardswithmobiledevicesthatyourusersmayhave,suchastheiPad,theiPhone,Androiddevices,Blackberries,etc.
• Theproblemisthatmosthardtokens,andmostsmartcardreadersforthatmaEer,connectviaUSB.SomeportabledevicesmaynothaveareadilyaccessibleUSBportintowhichyoucanplugahardtokenorsmartcardreader.
• ThesoluPon?YoucantryBluetooth‐connectedsmartcardreaders(somePmesalsoknownas"CACsleds"),buttheyaren'tcheapandtheydon'tsupportalldevicesorallsmartcards.
• Inthefuture,itmaybepossibletostoreclientcertssecurelybystoringpartoftheclientcertdirectlyonthedevice,whilestoringtherestoftheclientcertinthecloud,usingthresholdcryptographytoreconsPtutetheclientcertsecurely.
170
![Page 171: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/171.jpg)
WhatAboutDirectories
• Oneofthesubtlethingsthatcanreallymakelifeeasierifyou'redeployingclientcerPficatesatscaleisadirectoryofallthepublickeysandcerPficatesfortheusersyoumightneedtocommunicatewith(thatmeansthatpeopledon'tfirstneedtoexchangesignedemailmessagesbeforetheycanexchangeencryptedemailmessages).
• TradiPonalkeydistribuPonalsobreaksdownifyouneednon‐repudiablekeysfordigitalsigning,butescrowedkeysforencrypPon.YouneedanalternaPvesourceforkeysinthatcase.
• Whenitcomestodeployingadirectory,deployingoneforyourcompanyisonething.EvendeployingadirectoryforanenPtyasbigasthefederalgovernmentissomethingthat'sdoable(heck,they'vedoneit!).Butit'snotcleartomethatthere'sascalableInternet‐widedirectorysoluPonthatwouldworktoholdclientcerPficatesforallInternetusers(assumingeveryonehadthem).
171
![Page 172: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/172.jpg)
SomeDirectoryComplica)ons
• Organiza)onaldirectoriesareforlocalcorrespondents:Ifallmyemailislocal,andmysiteisdoingclientcerts,Icanprobablyjustcheckmylocaldirectory,butthesedays,manyusersexchangemoreemailoff‐sitethanon.AndwhatifI'man"isolatedadopter,"andthere'snotevenanorganizaPonaldirectoryformetoevenuse?
• Organiza)onaldirectories(distributed,Internet‐wide):HowdoIfindtherightdirectorytousetolookupsomeoneelse'sS/MIMEcreds?There'scurrentlyno"directoryofdirectories"(nordoIthinkthere'smomentum/communitysupporttocreatesuchananimal,givenspamproblemsandsecurityworries–manysitesmaybereluctanttoallowunfeEeredpublicdirectoryaccessduetopotenPalharvesPngissues).
• Whataboutacentralized/consolidateInternet‐widedirectorythatlists"everyone?"Um,no.Peoplejustwon'twanttocontributetheirdata,itwouldbeimpossibletokeepcurrent,andthereareO(20million)usersinUShighered!WeneedtotakealessonfromDNS.ThearchitectsofDNSdidadistributedmodelforgoodreasons!
172!
![Page 173: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/173.jpg)
PGP/GPG‐ishS/MIMEKeyservers?
• ThereisonealternaPvecryptographicdirectorymodelthatseemstohaveworkedpreEywellto‐date,andthat'sthePGP/GPGmodel.Userscansubmittheirkeysiftheywantto.Otheruserscanlookforkeysinthosedirectoriesiftheywantto.Ifyoucan'tfindtheoneyouneed,youcanalwaysfallbackonoldstandbyapproaches,likeaskinguserstosendtheirkeydirectly.
• I'vedevelopedaveryroughprototypeserverthatdemonstratesthatitisatleastconceptuallypossibletoconstructaPGP/GPG‐likekeyserverforS/MIME.Ifyou'reinterested,seehEp://pages.uoregon.edu/joe/simple‐keyserver/foradetaileddescripPonofwhatIhaveinmind.
173
![Page 174: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/174.jpg)
S/MIMEIsn'tTheOnlyUseforClientCerts
• ClientcerPficatescanbeusedforabunchofthingsotherthanjustsigningorencrypPngemail.
• Forexample,clientcerPficatescanalsobeusedtosigndocuments,orforauthenPcaPon,orasabuildingentrycredenPal.(Notethatifyou'reheadedinthe"authenPcaPon"or"buildingaccesscontrol"direcPon,youwillprobablyneedatradiPonalenterprisePKIdirectorytosupportthatapplicaPon)
• Onceyouhaveclientcertsdeployed,youmightbesurprisedathowmanydifferentwaystheycanactuallybeused.
• NOTE:Clientcertsshouldonlybeusedforpurposesconsistentwiththeirapproveduses.Forexample,theclientcertwedownloadedearlierspecifiedthatitwasforuseinconjunc)onwithsecureemail.However,manyapplicaPonsdoNOTstrictlycheck/enforcetheObjectIDs("OIDs")associatedwithacert,soyoumaybeabletouseagivencertforotherpurposes,too.
174
![Page 175: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/175.jpg)
SigningStuff(OtherThanJustS/MIMESigning)
• SigningMicrosoKWorddocuments(Windowsonly),seehEp://pages.uoregon.edu/joe/signing‐a‐word‐document/
• NeedtosigndocumentsonaMac?TryOpenOffice:hEp://Pnyurl.com/openoffice‐signing
• AdobehasanextensiveguidetosecuringPDFs,includinguseofdigitalcerPficatesforsigningPDFs,see:hEp://Pnyurl.com/adobe‐signing(PDF,114pages)
NotethatthisisdifferentthanAdobe's"CerPfiedDocumentServices"programwhichalsoinvolvesdigitalsignatures,butismoreexpensive(andnotsupportedbyComodo/InCommonclientcertsatthisPme)
175
![Page 176: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/176.jpg)
Encryp)onUsingClientCerts(OtherThanS/MIME)
• PGPWholeDiskEncryp)on(seethedatasheetlinkedfromhEp://www.symantec.com/business/whole‐disk‐encrypPon)
• MicrosoKWindowsEncryptedFileSystemhEp://technet.microsof.com/en‐us/library/bb457116.aspx
• IPsecVPNs(MostIPsecVPNsaredeployedwithoutuseofclientcerPficates,howeveratleastsomeVPNscanbeconfiguredtouseclientcerPficatesifdesired—see,forexample,hEp://www.strongswan.org/andhEp://www.cisco.com/en/US/docs/soluPons/Enterprise/Security/DCertPKI.html)
176
![Page 177: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/177.jpg)
Authen)ca)onUsingSmartCards/ClientCerts
• RedHatEnterpriseLinuxSmartCardLoginSeehEp://Pnyurl.com/redhat‐smartcards
• WindowsAc)veDirectoryLoginwithSmartCardsSeehEp://support.microsof.com/kb/281245
• OpenSSHauthen)ca)on(viathirdpartyX.509patches)hEp://roumenpetrov.info/openssh/
• MacOSXhasbeengoingthroughsomechangeswhenitcomestonaPvesupportforsmartcards,butseehEp://smartcardservices.macosforge.org/andhEp://www.thursby.com/mac‐enterprise‐management‐high‐security‐smart‐cards.html
177
![Page 178: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/178.jpg)
Authen)ca)onUsingClientCerts(cont.)
• ControllingaccesstowebcontentservedbyApache:www.dwheeler.com/essays/apache‐cac‐configuraPon.html(it'smuchmorehelpfulthanthemoregeneralpageathEpd.apache.org/docs/2.5/mod/mod_ssl.html#sslrequire)
• ControllingaccesstowebcontentservedbyMicrosoKIIS7hEp://technet.microsof.com/en‐us/library/cc732996%28v=ws.10%29.aspx
• ControllingaccesstowirelessnetworksviaEAP‐TLS,includingconfiguringEduroam.See
hEp://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtmland
hEp://www.internet2.edu/presentaPons/jt2011summer/20110710‐hagley‐eduroamtutorial.pdf
178
![Page 179: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/179.jpg)
ClientCer)ficatesCanEvenPoten)allyBeUsedForBuildingAccessControlPurposes
179
![Page 180: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/180.jpg)
XII.Don'tForgetAboutPolicies,GovernanceAndPoten)alLegalIssues
180
![Page 181: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/181.jpg)
ClientCerts(TheTechnology)NeedtoBeSupportedByAppropriatePoliciesandGovernanceStructures
• Inlookingatsuccessfuldeploymentsofclientcerts,suchasthefederalgovernment'sHSPD‐12CAC/PIVcardproject,oneofthethingsthat'shardtomissisthatitssuccessisnotjustatechnologicalthing,it'sasignthatappropriatepoliciesweredevelopedbytheissuingandrelyingcommuniPes.
• Ifyou'replanningondoingamajorclientcertproject,pleasebesureyouarealsoconsideringthepolicyimplicaPonsofmovingtoclientcerts,notjustthetechnologyissues.
• Forexample,whataboutprivacy?Doesuseofclientcertshaveanyimpactonuserprivacy?Maybe...
• Whatifyouremailclientcheckedadirectoryforapublickey/certforeveryemailcorrespondentyouexchangedemailwith?
• OrhowaboutthisliEleexposure...seethenextslide...181
![Page 182: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/182.jpg)
AnyWebSiteCanAskForYourBrowser'sClientCertAndThusPoten)allyGetYourName/EmailAddress
182
![Page 183: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/183.jpg)
AnotherPrivacyThreat:ClientCertsAreNowBeingTargetedByMalware
• UserswhoemployedclientcertsfortwofactorauthenPcaPonhavelongenjoyedfeelingrelaPvely"abovethefray"whenitcametohacker/crackeraEacks.However,in2012,itbecameclearthatatleastonemalwarefamily,Sykipot,hasbeguntospecificallytargetfederalCAC/PIVclientcerPficatecredenPals.See,forexample:hEp://labs.alienvault.com/labs/index.php/2012/when‐the‐apt‐owns‐your‐smart‐cards‐and‐certs
• BecauseclientcertcredenPalsaretypically"nonexportable"fromsmartcards,malwaretargePngclientcertswillnormallyaEempttoexecutea"maninthebrowser"or"maninthemachine"aEack:‐‐intercepttheuser'ssmartcardPIN,‐‐usetheclientcert"in‐situ,"proxyingrequestsforresourcescontrolledbycertsthroughthecompromisedmachineitself,then‐‐exfiltratethesurrepPPouslyaccessedmaterialsoffsite.
• ConscienPouspatchingandaggressivemeasurestocontrolmalware,remainextremelyimportant,evenif(especiallyif?)you'reusingclientcerPficatestocontrolaccesstosensiPvecontent.
183!
![Page 184: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/184.jpg)
KeepYourLawyersInTheLoop,Too
• Why?Well,letmegiveyouoneclosingexample...strongcryptographyisexportcontrolledbytheU.S.BureauofIndustryandSecurity,includingbeingsubjecttothe"deemedexport"rule.
IfyouplantoissueclientcerPficatestoallyouremployeesrememberthatsomeusers,asmenPonedatthebeginningofthistalk,maynotbeeligibleforaccesstostrongcryptographictechnologies,includingpotenPallyclientcerPficates.Formoreonthispoint,pleaseconsultwithyouraEorneyregardingtheprovisionsofthe"DeemedExport"rule.AsastarPngpoint,seehEp://www.bis.doc.gov/deemedexports/deemedexportsfaqs.html
• IncreaseduseofencrypPonforofficialrecords,mayalsoraiselongtermrecordmanagementandaccessissues.
184
![Page 185: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/185.jpg)
ThanksfortheChanceToTalkToday!
• ArethereanyquesPons?
185
![Page 186: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/186.jpg)
AppendixI:UsingTheSafeNetHardTokenonWindows7
186
![Page 187: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/187.jpg)
"I'mUsingWindows,NotAMac!"
• There'saversionoftheSACforWindows7ontheCDwegaveyou,too.
• DragtheSAC8_1SP1zippedarchivefromtheCDtoyourdesktop.Doubleclickonit,thenselecttheSAC8_1SP1folder.
• Gotothe32X64Installerfolder.DragtheapplicaPonyou’llseethereontoyourdesktop.
• Assumingyou'rerunningWindows7,rightclickontheinstallerandselectRunasAdministrator.
• Youshouldseethengothroughaseriesofscreenswherethedefaultanswerswillusuallyfine...seethenextslides.
187
![Page 188: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/188.jpg)
TheCD'sContents
188
![Page 189: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/189.jpg)
189
![Page 190: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/190.jpg)
190
![Page 191: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/191.jpg)
PlugInYourToken
• Whenyoudo,itmayautomaPcallydownloadaddiPonaldriversfromWindowsUpdate.ThefirstPme,whenitfinishes,itwillpromptyoutochangeyourtoken'spassword.Thedefaultpasswordis1234567890asmenPonedinthedocumentaPon.
191
![Page 192: Client Cerficates · Use of encrypon makes it harder for naonal security agencies and law enforcement organizaons to lawfully intercept criminal communicaons and naonal‐security‐related](https://reader033.fdocuments.in/reader033/viewer/2022052105/604080ee32b6502b543b9dde/html5/thumbnails/192.jpg)
ThunderbirdCan'tSeeTheSafeNetHardTokens?
• IniPally,Thunderbird(andpotenPallyFirefox)maynot"see"theSafeNethardtoken.Ifyouexperiencethat,you'llneedtomanuallyloadtheeTPKCS11.dllfilefromeither
c:\Windows\System32\eTPKCS11.dll (32bit)orc:\Windows\SysWOW64\eTPKCS11.dll (64bit)
Firefox‐‐>Preferences...‐‐>AdvancedIntheEncrypPontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,underModulefilename,entertheappropriatefilename(asshownabove)IntheConfirmwindow,clickOK
192