Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |...
-
Upload
billy-sandland -
Category
Documents
-
view
214 -
download
0
Transcript of Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |...
![Page 1: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/1.jpg)
PKI DESIGN
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
GOPASTECHED 2012
![Page 2: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/2.jpg)
ALGORITHMSPKI Design
![Page 3: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/3.jpg)
Cryptographic Algorithms
Hash algorithms no keys MD4, MD5, SHA-1, SHA-256, SHA-384,
SHA-512 Symmetric key algorithms
secret key RC4, DES, 3-DES, AES
Asymmetric key algorithms public and private key RSA, DH, EC
![Page 4: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/4.jpg)
THOUGHTS ON HASHINGPKI Design
![Page 5: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/5.jpg)
Hash example (not good)
Sum alphabet letter positionsHELLO = 8 + 5 + 12 + 12 + 15 = 52
Can obtain arbitrary clear-text (collision) without brute-forcing
Several similar clear-texts lead to similar output
5
![Page 6: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/6.jpg)
Hash collisions
Pure arithmetic collisions limited exploitability
Post-signing collisions Chosen-prefix collisions
6
![Page 7: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/7.jpg)
Post-signing collision
7
Name: Ondrej
Owes: 100 $
Hash: 14EEDA49C1B7
To: Kamil
Signature: 3911BA85
Name: Ondrej
Owes: 1 000 000 $
Hash: 14EEDA49C1B7
To: Kamil
Signature: 3911BA85
Trash: XX349%$@#BB...
![Page 8: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/8.jpg)
Chosen-prefix collision
8
CN: www.idtt.com
Valid: 2010
Hash: 24ECDA49C1B7
Serial #: 325
Signature: 5919BA85
Public: 35B87AA11...
CN: www.microsoft.com
Valid: 2010
Hash: 24ECDA49C1B7
Serial #: 325
Signature: 5919BA85
Public: 4E9618C9D...
![Page 9: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/9.jpg)
MD5 problems
Pure arithmetic in 2^112 evaluations Post-signing collisions suspected Chosen-prefix collisions
Practically proved for certificates with predictable serial numbers
2^50
9
![Page 10: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/10.jpg)
SHA-1 problems
General brute-force attack at 2^80 as about 12 characters complex
password Some collisions found at 2^63
pure arithmetic collisions, no exploitation proved
10
![Page 11: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/11.jpg)
ALGORITHM COMBINATIONSPKI Design
![Page 12: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/12.jpg)
Performance considerations Asymmetric algorithms use large
keys EC is about 10 times smaller
Encryption/decryption time about 100x longer symmetric is faster
![Page 13: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/13.jpg)
Document
Private key
Digital Signature (not good)
Document
![Page 14: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/14.jpg)
Private key
Digital Signature
Document
Hash
![Page 15: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/15.jpg)
Storage Encryption (slow)
Public key
Document
![Page 16: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/16.jpg)
Public key (User A)
Storage Encryption
Symmetric encryption key (random)
Symmetric key
Document
![Page 17: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/17.jpg)
Public key (User A)
Storage Encryption
Symmetric encryption key (random)
Symmetric key
Document
Public key (User B)
Symmetric key
![Page 18: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/18.jpg)
Transport encryption
Client Server
Public key
Public key
Symmetric Key
Symmetric Key
Data
![Page 19: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/19.jpg)
FUN WITH RANDOM NUMBERSPKI Design
![Page 20: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/20.jpg)
Random Number Generators
Deterministic RNG use cryptographic algorithms and keys to generate random bits attack on randomly generated
symmetric keys DNS cache poisoning
Nondeterministic RNG (true RNG) use physical source that is outside human control smart cards, tokens HSM – hardware security modules
![Page 21: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/21.jpg)
Random Number Generators
CryptGenRandom() hashed Vista+ AES (NIST 800-900) 2003- DSS (FIPS 186-2)
Entropy from system time, process id, thread id, tick
counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …
![Page 22: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/22.jpg)
STANDARDSPKI Design
![Page 23: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/23.jpg)
US standards
FIPS – Federal Information Processing Standards provides standard algorithms
NIST – National Institute for Standards and Technology approves the algorithms for US government
non-classified but sensitive use latest NIST SP800-57, March 2007
NSA – National Security Agency Suite-B for Secure and Top Secure (2005)
![Page 24: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/24.jpg)
Cryptoperiods (SP800-57)
Key Cryptoperiod
Private signature 1 – 3 years
Public signature verification >3 years
Symmetric authentication <= 5 years
Private authentication 1-2 years
Symmetric data encryption <= 5 years
Public key transport key 1-2 years
Private/public key agreement key 1-2 years
![Page 25: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/25.jpg)
Comparable Algorithm Strengths (SP800-57)
Strength Symetric RSA ECDSA SHA
80 bit 2TDEA RSA 1024 ECDSA 160 SHA-1
112 bit 3TDEA RSA 2048 ECDSA 224 SHA-224
128 bit AES-128 RSA 3072 ECDSA 256 SHA-256
192 bit AES-192 RSA 7680 ECDSA 384 SHA-384
256 bit AES-256 RSA 15360 ECDSA 512 SHA-512
![Page 26: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/26.jpg)
Security lifetimes (SP800-57 and Suite-B)
Lifetime Strength Level
2010 80 bit US Confidential
2030
112 bit US Confidential
128 bit US Secure
192 bit US Top-Secure
Beyond 2030 128 bit US Confidential
![Page 27: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/27.jpg)
NSA Suite-B Algorithms
NSA publicly published algorithms (2005) as against Suite-A which is private
AES-128, ECDH-256, ECDSA-256, SHA-256 Secret
AES-256, ECDH-384, ECDSA-384, SHA-384 Top Secret
27
![Page 28: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/28.jpg)
OPERATING SYSTEM SUPPORTPKI Design
![Page 29: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/29.jpg)
Cryptographic Providers
Cryptographic Service Provider – CSP Windows 2000+ can use only V1 and V2 templates
Cryptography Next Generation – CNG Windows Vista+ require V3 templates enables use of ECC
CERTUTIL -CSPLIST
29
![Page 30: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/30.jpg)
Cryptographic Providers
30
Type Operating System Algos Template
CSP Windows 2000Windows 2003
AES, SHA-1, RSA v1, v2
CSP Windows XP SP3Windows 2003 KB938397
AES, SHA-1, RSA, SHA-2 v1, v2
CNG Windows Vista AES, SHA-1, RSA, SHA-2, EC
v3
![Page 31: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/31.jpg)
SHA-2 Support
Windows XP Windows 2003 + KB 938397 Windows Phone 7 AD CS on Windows 2008+ Autoenrollment on XP with KB TMG 2010 with KB in the future
![Page 32: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/32.jpg)
Cryptography support
32
System DES3DESRC2RC4
AES 128 AES 192 AES 256
MD2MD5HMAC
SHA-1
SHA-256SHA-384SHA-512
ECDSAECDH
Windows 2000
yes no yes yes no no
Windows XP yes yes yes yes yes no
Windows 2003
yes yes yes yes non-public updateyes
no
Windows Vista/2008
yes yes yes yes yes yes
Windows 7/2008 R2
yes yes yes yes yes yes
![Page 33: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/33.jpg)
Cryptography support
33
System DES3DESRC2RC4
AES 128 AES 192 AES 256
MD2MD5HMAC
SHA-1
SHA-256SHA-384SHA-512
ECDSAECDH
Windows Mobile 6.5
yes yes yes yes no no
Windows Mobile 7
yes yes yes yes yes yes
TMG 2010 yes yes no
SCCM 2007 yes no no
SCOM 2007 yes yes no
![Page 34: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/34.jpg)
EncryptionEFS
BitLocker IPSec
Kerberos NTLM RDP
DES 2000 + 2000 + 2000 +
LM password hash, NTLM
3DES 2000 + 2000 + 2000 +
RC4 2000 + 2000 +
AES 2003 + Vista + Vista + Vista +
DH 2000 + 2000 +
RSA 2000 + Seven + 2000 + 2000 + 2003 +
ECC Seven + Vista + Seven +
![Page 35: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/35.jpg)
Hashing
35
MD4 MD5 SHA-1 SHA-2
NT password
hashNT4 +
Digest password
hash2003 +
IPSec 2000 + 2000 + Seven +
NTLM NTLMv2
MS-CHAP MS-CHAPv2
![Page 36: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/36.jpg)
CNG (v3) Not Supported
EFS Windows 2008/Vista-
VPN/WiFi Client (EAPTLS, PEAP Client) Windows 2008/7- user or computer certificate authentication
TMG 2010 server certificates on web listeners
Outlook 2003 user email certificates for signatures or encryption
Kerberos Windows 2008/Vista- DC certificates
System Center Operations Manager 2007 R2System Center Configuration Manager 2007 R2
SQL Server 2008 R2- Forefront Identity Manager 2010 (Certificate Management)
![Page 37: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/37.jpg)
CA HIERARCHYPKI Design
![Page 38: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/38.jpg)
CA Hierarchy
IDTT Root CA
IDTT London CA
IDTT Paris CAIDTT Roma
CA
Leaf certificateLeaf
certificateLeaf certificateLeaf
certificateLeaf certificate
Leaf certificateLeaf
certificateLeaf certificateLeaf
certificateLeaf certificate
![Page 39: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/39.jpg)
Offline Root
Root CA cannot be revoked if compromised
Making new RootCA trusted may be difficult
Delegation of administration Must issue CRLs
the more frequent the more secure, but more “costly”
![Page 40: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/40.jpg)
Active Directory
Group Policy every 120 minutes by default
Trusted Root CAs Untrusted CAs NTAuth CA issues logon certificates
![Page 41: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/41.jpg)
41
![Page 42: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/42.jpg)
AD CS FEATURESPKI Design
![Page 43: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/43.jpg)
SKU Features
43
Windows Server
Certificate
Templates
Autoenrollment
Key Archival
SMTP Exit Module
Role Separation
Cross-forest
Enrollment
2008 R2 Standard V1, V2, V3 Yes Yes No
2008 R2 Enterprise V1, V2, V3 Yes Yes Yes
2008 Standard V1 No No No
2008 Enterprise V1, V2, V3 Yes Yes No
2003 Standard V1 No No No
2003 Enterprise V1, V2 Yes Yes No
![Page 44: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/44.jpg)
SKU Features
44
Windows Server
Web Enrollment
Enrollment Web
Services
OCSP Responder
SCEP Enrollment
2008 R2 Standard yes yes no no
2008 R2 Enterprise
yes yes yes yes
2008 Standard yes no no no
2008 Enterprise yes no yes yes
2003 Standard yes no no no
2003 Enterprise yes no no no
![Page 45: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/45.jpg)
Role Separation
Enrollment Agent = Registration Authority sign cert request
Certificate Managers approve cert requests
Different groups of EA/CM approve requests for different groups of Enrollees
![Page 46: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/46.jpg)
PUBLIC CERTIFICATESPKI Design
![Page 47: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/47.jpg)
SSL Certificate prices
Verisign – 1999 300$ year
Thawte – 2003 150$ year
Go Daddy – 2005 60$ year
GlobalSign – 2006 250$ year
StartCom – 2009 free
![Page 48: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/48.jpg)
EV Certificate prices
Verisign – 1999 1500$ year
Thawte – 2003 600$ year
Go Daddy – 2005 100$ year
GlobalSign – 2006 900$ year
StartCom – 2009 50$ year
![Page 49: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/49.jpg)
Support for SAN and wildcards
49
ApplicationSupport
s *Supports SAN
Internet Explorer 4.0 and older
no no
Internet Explorer 5.0 and newer
yes yes
Internet Explorer 7.0 yesyes, if SAN present Subject is ignored
Windows Pocket PC 3.0 a 4.0 no no
Windows Mobile 5.0 no yesWindows Mobile 6.0 and newer
yes yes
Outlook 2003 and newer yes yes
RDP/TS proxy yesyes, if SAN present Subject is ignored
ISA Server firewall certificate yes yes
ISA Server 2000 and 2004 published server certificate
no no
ISA Server 2006 published server certificate
yes yes, only the first SAN name
![Page 50: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/50.jpg)
OCSP and Delta CRL
50
System Checks OCSP Delta CRL
Windows 2000 and older no no
Windows XP and older no yes
Windows Vista and newer yes, preffered yes
Windows Pocket PC 4.0 and older
no no
Windows Mobile 5.0 no yes
Windows Mobile 6.0 no yes
Windows Mobile 6.1 and newer
yes, preffered yes
ISA Server 2006 and older no yes
TMG 2010 and newer yes, preffered yes
![Page 51: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/51.jpg)
CRL checks in Internet Explorer
51
Version CRL and OSCP checking
4.0 and older no checks
5.0 and newer
can check CRL, disabled by default
7.0 and newer
can check OCSP (if supported by OS) and CRL, enabled by default
![Page 52: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/52.jpg)
Windows Mobile 2003 and 5.0 trusted CAs
52
Company Certificate NameWindows Mobile
Cybertrust GlobalSign Root CA 2003 and 5.0
Cybertrust GTE CyberTrust Global Root 2003 and 5.0
Cybertrust GTE CyberTrust Root 2003 and 5.0
Verisign Class 2 Public Primary Certification Authority 2003 and 5.0
Verisign Thawte Premium Server CA 2003 and 5.0
Verisign Thawte Server CA 2003 and 5.0
Verisign Secure Server Certification Authority 2003 and 5.0
Verisign Class 3 Public Primary Certification Authority 2003 and 5.0
Entrust Entrust.net Certification Authority (2048) 2003 and 5.0
Entrust Entrust.net Secure Server Certification Authority 2003 and 5.0
Geotrust Equifax Secure Certificate Authority 2003 and 5.0
Godaddy http://www.valicert.com/ 5.0
![Page 53: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/53.jpg)
Windows Mobile 6.0 trusted CAs
53
Comodo AAA Certificate Services
Comodo AddTrust External CA Root
Cybertrust Baltimore CyberTrust Root
Cybertrust GlobalSign Root CA
Cybertrust GTE CyberTrust Global Root
Verisign Class 2 Public Primary Certification Authority
Verisign Thawte Premium Server CA
Verisign Thawte Server CA
Verisign Secure Server Certification Authority
Verisign Class 3 Public Primary Certification Authority
Entrust Entrust.net Certification Authority (2048)
Entrust Entrust.net Secure Server Certification Authority
Geotrust Equifax Secure Certificate Authority
Geotrust GeoTrust Global CA
Godaddy Go Daddy Class 2 Certification Authority
Godaddy http://www.valicert.com/
Godaddy Starfield Class 2 Certification Authority
![Page 54: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/54.jpg)
RSA 2048 browser support
54
Browser First Version
Internet Explorer 5.01
Mozila Firefox 1.0
Opera 6.1
Apple Safari 1.0
Google Chrome
AOL 5
Netscape Communicator
4.51
Rad Hat Linux Konqueror
Apple iPhone
Windows Mobile 2003
Windows CE 4.0
RIM Blackberry 4.3.0
PalmOS 5
Sony Playstation Portable
Sony Playstation 3
Nintendo Wii
![Page 55: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/55.jpg)
Extended Validation browsers
55
Browser First Version
Internet Explorer 7.0
Opera 9.5
Firefox 3
Google Chrome -
Apple Safari 3.2
Apple iPhone 3.0
![Page 56: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/56.jpg)
S/MIME RSA 2048 client support
56
Browser First Version
Microsoft Outlook 99
Mozila Thunderbird 1.0
Qualcomm Eudora 6.2
Lotus Notes 6
Netscape Communicator
4.51
Mulberry Mail
Apple Mail
Windows Mail
The Bat
![Page 58: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | |](https://reader036.fdocuments.in/reader036/viewer/2022062712/56649c755503460f94928a78/html5/thumbnails/58.jpg)
THANK YOU!
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
GOPASTECHED 2012