PKI-Enabled Applications That Work!
Linda Pruss, Office of Campus Information Security, pruss@doit.wisc.edu
Projects
• Strong VPN Authentication
  – Administrator access to restricted data networks via VPN
• Laptop/desktop full disk encryption
  – Data encryption for computers storing restricted data … the “lost” laptop problem
Strong VPN AuthN
• Passwords do not provide an adequate degree of safety for systems that process or store data elements defined as restricted.
• Passwords, while easy to use, are vulnerable to a wide variety of attacks and weaknesses, including guessing, impersonation, observing, borrowing, snooping and dictionary attacks.
Strong VPN AuthN
• UW Madison adopted a modified version of the PCI DSS v1.1 as the required security controls target for systems containing restricted data.
• PCI DSS 8.3: “Implement two factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as VPN with individual certificates”
Strong VPN AuthN
• UW Madison adopted a modified version of NIST 800-63 as best practice.
• Authentication Level of Assurance 3 (LOA3) should be used for people who have access to restricted data.
  – LOA3 requires two-factor authentication
  – Can be achieved with either soft or hard tokens
Strong VPN AuthN
• How to get beyond simple passwords?
  – Do it ourselves first
    • Administrators and DBAs
• How to accomplish two-factor authentication?
  – One-time passwords (à la RSA SecurID)
  – X.509 certificate authentication
Strong VPN AuthN
• Already had an existing PKI infrastructure
  – Mostly used for S/MIME
  – No infrastructure for one-time passwords
• With the VPN approach there is no need to re-configure individual servers and other network devices.
• Many VPNs (Cisco) are PKI-capable
Strong VPN AuthN
• Do-able
  – Admins
  – Limited and known population
    • Eases identity proofing while we shore up infrastructure
Strong VPN AuthN
(slide content is an image not captured in the transcript)
Strong VPN AuthN: Cisco ASA 5510 (server side)
(two slides whose content is an image not captured in the transcript)
Strong VPN AuthN
• Cisco SSL VPN Client (client side)
  – Integrated with the Microsoft certificate store
  – Use IE and/or the certificates MMC to manage certificates
  – Clients for Windows, Macintosh and Linux
  – Windows works with a hardware token
  – Using X.509 for administrative access to the ASDM management console, as well.
Strong VPN AuthN
• Certificate Issues:
  – Soft or hard tokens
    • Not all OSs support hardware tokens
    • Hardware allows
      – Password enforcement and
      – Private key never leaves token
      – Still subject to many of the same attacks
        • Keyboard loggers
        • Phishing?
        • Weak passwords
Strong VPN AuthN
• Certificate Issues:
  – Using the same certificate for multiple purposes
  – Validity periods (too short?)
  – Lost token or certs …
    • Temporary password access
  – CRLs
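As an added example (not from the slides, and not Cisco or UW code), here is the set of checks a VPN head-end should apply to a presented client certificate, covering the points of the two "Certificate Issues" slides: a certificate issued for one purpose (S/MIME) should not be accepted for another (VPN client authentication), the validity period must be enforced, and a lost token is only handled if the CRL is actually consulted and a stale CRL is treated as a failure. Everything in it is constructed: a throw-away CA, four hypothetical administrator certificates and a CRL built in memory with Go's standard library (Go 1.19 or later for x509.ParseRevocationList); the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs; this is fixture code, so any error is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs an end-entity certificate for a fresh key with the given extended key usage.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string,
	eku x509.ExtKeyUsage, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// buildLab is a constructed, throw-away PKI standing in for the campus CA: it returns the
// CA certificate, four hypothetical administrator certificates keyed "good", "smime"
// (email-protection EKU only), "revoked" and "expired", and a DER CRL revoking one of them.
func buildLab() (*x509.Certificate, map[string]*x509.Certificate, []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Campus CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to issue CRLs
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca := must(x509.ParseCertificate(caDER))
	year := now.Add(365 * 24 * time.Hour)
	certs := map[string]*x509.Certificate{
		"good":    issue(ca, caKey, 10, "admin-alice", x509.ExtKeyUsageClientAuth, year),
		"smime":   issue(ca, caKey, 11, "admin-bob", x509.ExtKeyUsageEmailProtection, year),
		"revoked": issue(ca, caKey, 12, "admin-carol", x509.ExtKeyUsageClientAuth, year),
		"expired": issue(ca, caKey, 13, "admin-dave", x509.ExtKeyUsageClientAuth, now.Add(-time.Minute)),
	}
	// The CA publishes a CRL listing carol's serial; NextUpdate bounds how long a copy may be trusted.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: certs["revoked"].SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	return ca, certs, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
}

// verifyVPNClient is what the head-end should do before granting access: chain to the campus
// CA, validity period, client-auth EKU (so an S/MIME-only certificate is not silently
// accepted) and CRL status, failing closed when the CRL itself is out of date.
func verifyVPNClient(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain/validity/EKU: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: refuse rather than skip the revocation check")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

func main() {
	ca, certs, crl := buildLab()
	for name, c := range certs {
		fmt.Printf("%-8s -> %v\n", name, verifyVPNClient(c, ca, crl, time.Now()))
	}
}
```

Running it prints nil for the "good" certificate and an error for the other three. The stale-CRL branch is the one most often missing in real deployments: a head-end that cannot fetch a fresh CRL and quietly skips the check turns a lost token back into a working credential.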
Strong VPN AuthN
• Non-PKI Issues:
  – Multicast
  – Redundancy
  – Performance
  – Usability
  – Politics
  – Process
  – Licensing cost
Full Disk Encryption
• Primary Objective
  – Research and recommend an FDE product for pilot implementation
• Many requirements
• One requirement of the solution
  – Integrate with existing PKI infrastructure
Full Disk Encryption
• Typically disk/file encryption is done with symmetric keys
• Use public keys to encrypt the symmetric key
  • Microsoft EFS uses public keys to encrypt the file encryption key.
  • Because of the “preboot” nature of disk encryption, and for performance …
Full Disk Encryption
• … FDE products instead tend to support strong authentication mechanisms (tokens, smartcards)
• For effective full disk encryption, password strength is critical, i.e. protecting the strong with the weak.
• Use “already deployed” tokens/smartcards as the mechanism for strong authentication, i.e. two factors.
Full Disk Encryption
• Selected SafeBoot (McAfee) as the FDE product to pilot.
• SafeBoot has two ways to leverage our PKI infrastructure:
  – Use the token to store the user’s symmetric key. The token password allows you to get to the symmetric key.
  – Use the user’s public key to encrypt the user’s symmetric key. Then use the token (with the private key) to decrypt the symmetric key.
Full Disk Encryption
• Use as key store
  – Allows two-factor authN to decrypt the hard disk
  – Must sync token password via management console
• Use to send encrypted symmetric key
  – No need to physically handle the token
  – Must have public keys/certs available via an external source (LDAP, AD)
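Added example (not SafeBoot's code and not from the presentation) of the second option described on the two slides above: the machine's symmetric disk key is wrapped under the user's public key, which can be fetched from a directory without touching the token, and only the private key, which in the deployment lives on the token, can unwrap it at pre-boot time. The function names, the OAEP label and the AES-GCM sector construction are my assumptions for the illustration, not how SafeBoot works internally.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// wrapLabel is bound into the OAEP padding so a wrapped disk key cannot be confused
// with some other blob encrypted to the same user's key (constructed value).
var wrapLabel = []byte("fde-disk-key-v1")

// newDiskKey creates the per-machine symmetric disk encryption key (AES-256).
func newDiskKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// wrapDiskKey encrypts the disk key to the user's RSA public key (RSA-OAEP, SHA-256).
// The public key can come from the user's certificate in LDAP/AD, so the token is not needed here.
func wrapDiskKey(pub *rsa.PublicKey, diskKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, diskKey, wrapLabel)
}

// unwrapDiskKey is the pre-boot step: only the matching private key, which lives on
// the token, recovers the disk key from the wrapped blob stored on the machine.
func unwrapDiskKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, wrapLabel)
}

// sectorNonce derives a 96-bit nonce from the sector number. Constructed simplification: real
// FDE uses a sector-tweaked mode such as XTS (no per-sector tags, safe to rewrite a sector).
func sectorNonce(sector uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], sector)
	return nonce
}

func sectorAEAD(diskKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(diskKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSector encrypts one sector's contents under the unwrapped disk key.
func sealSector(diskKey []byte, sector uint64, plaintext []byte) ([]byte, error) {
	aead, err := sectorAEAD(diskKey)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, sectorNonce(sector), plaintext, nil), nil
}

// openSector decrypts one sector; the wrong key or a moved ciphertext fails authentication.
func openSector(diskKey []byte, sector uint64, ciphertext []byte) ([]byte, error) {
	aead, err := sectorAEAD(diskKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sectorNonce(sector), ciphertext, nil)
}

// roundTrip runs the flow with two freshly generated keys (one standing in for the user's
// token, one for somebody else's) and reports whether the legitimate token recovers the
// disk key and whether the other token is refused.
func roundTrip() (bool, bool, error) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	diskKey, err := newDiskKey()
	if err != nil {
		return false, false, err
	}
	wrapped, err := wrapDiskKey(&userKey.PublicKey, diskKey) // this blob is what sits on disk
	if err != nil {
		return false, false, err
	}
	got, err := unwrapDiskKey(userKey, wrapped)
	legitOK := err == nil && bytes.Equal(got, diskKey)
	_, err = unwrapDiskKey(otherKey, wrapped)
	return legitOK, err != nil, nil
}

func main() {
	ok, refused, err := roundTrip()
	fmt.Println("legitimate token unwraps:", ok, "other token refused:", refused, "err:", err)
}
```

The wrapped blob is the only thing stored on the machine; the disk key itself exists in plaintext only in memory after a successful unwrap. This is also why the slide's "password strength is critical" point matters: whatever gates the private key (the token PIN in the hardware case) is the weakest link, because everything stronger hangs off it.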
Common Characteristics
• Leverage existing PKI infrastructure
• Protect restricted data
• Provide for strong authentication
  – Attaining LOA3 authentication assurance
Futures
• Strong AuthN to enterprise systems
  – PeopleSoft signon code
• Strong AuthN to Web single signon
• Expand use of S/MIME