Technical overview of the Microsoft PKI Active Directory Certificate


Page 1: Technical overview of the Microsoft PKI Active Directory Certificate

Technical overview of the Microsoft PKI
Active Directory Certificate Services 2008 R2

ESEC – European Security Expertise Center

Fabien DUCHENE http://www.car-online.fr/en/spaces/fabien_duchene/

Reviewers: Jonathan BOURGAIN, Jeremy RENARD, Rida BENBRAHIM

Technical overview of the Microsoft PKI ADCS 2008 R2 – Certificate Services

2011-01 v.1.02

Page 2: Technical overview of the Microsoft PKI Active Directory Certificate

0. Table of content

1. Introduction… PKI?
2. MS PKI 2008 (R2) foundations
3. Establishing & maintaining
4. Auditing
5. Beyond the MS PKI
6. References

Page 3: Technical overview of the Microsoft PKI Active Directory Certificate

1. Introduction … PKI?

- Some PKI application scenarios
- Why set up a PKI?
- Asymmetric cryptography
- PKI – overview
- Certificate
- Certificate Authority
- Validation
- Revocation

Page 4: Technical overview of the Microsoft PKI Active Directory Certificate

1.a. Some PKI application scenarios

Figure: PKI application scenarios – strong authentication (smart card, EAP-TLS, 802.1x), VPN access, secure wireless, websites (SSL / TLS), Terminal Services, IPSec, Network Access Control, document encryption, email signing, Encrypted File System, application integrity. The PKI sits between the identity store and the operating system.

Page 5: Technical overview of the Microsoft PKI Active Directory Certificate

1.b. Why set up a PKI?

• Previously quoted applications + building TRUST
• Legal requirements (eg. EU privacy laws, CNIL, RGS)
• PKI alternatives:

Alternative: Password, static keys, self-signed certificates
Issues: Management costs and security concerns (complexity, lifetime)

Alternative: Purchased certificates
Issues: Cost (as certificate applications proliferate)

Alternative: Specific application functionalities
Issues: Compliance => common management

Page 6: Technical overview of the Microsoft PKI Active Directory Certificate

1.c. Before setting up a PKI …

…you should consider…

• Organizational policies: auditing, procedures
• Ongoing costs … like any other IT application!
  – Scalability, high availability (revocation)
  – (plus physical security)
• Complexity
  – Technical requirements: HW, network, SW
  – Training: end users, IT staff, security team
• Legal aspects: key length, algorithm used, data exchanges, PII…

Page 7: Technical overview of the Microsoft PKI Active Directory Certificate

Common mistakes: mind the gap!

• There is no need for a PKI nor a CA to perform asymmetric cryptography. Eg: Web-Of-Trust (PGP), SSH
• In French:
  – Encryption/enciphering = chiffrer (“crypter” is incorrect!)
  – Decryption/deciphering = déchiffrer
  – Breaking an encrypted message = décrypter
    • => when the user does not have access to the private key
• Not trusting a PKI does not imply the communication is not encrypted! (eg: https://esec.fr.sogeti.com )

Page 8: Technical overview of the Microsoft PKI Active Directory Certificate

1.d.1. PKI - definition

• PKI: Public Key Infrastructure - Hardware, software, people, policies and procedures to manage the lifecycle of digital certificates (manage, distribute, use, store and revoke)
  – It uses: asymmetric cryptography
• … and is ONE solution to associate certificates with identity = hierarchical model
• … other models exist:
  – local trust model (eg: SPKI)
  – web of trust (eg: PGP)

Figure 4 – CA hierarchy – A hypothetical example (cross-certification diagram: CAs U, V, W, X, Y, Z and end entities A, B, C; each arrow is a certificate noted issuer«subject», eg. X«C», U«V», V«U», V«W», W«X», X«Z», Z«Y», V«Y», Y«V»)

Page 9: Technical overview of the Microsoft PKI Active Directory Certificate

1.d.2. PKI - components

Figure: PKI components – Certification Authority (CA); certificate requestors (computer, user); identity provider (ADDS) providing certificate enrollment authentication; security policy, certificate enrollment and revocation policy; certificate publication and revocation distribution points (CRL, OCSP) reached through http://, file:// and ldap:// URLs; keys and certificates management tools, auditing…; applications and services able to interact with certificates.

Page 10: Technical overview of the Microsoft PKI Active Directory Certificate

1.e.1. Asymmetric cryptography

• Assumptions:
  – hardness of a mathematical problem: prime factoring, discrete logarithm
  – limited computational power... and time. Is this always true? Eg. cloud, quantum computing
• Basics:
  – Two related keys: 1 public, 1 private
  – Two functions: Encrypt ; Decrypt : {message, key} -> {message}
  – Properties:
    • Decrypt(Encrypt(msg, E_pub), E_priv) = msg
    • Decrypt(Encrypt(msg, E_priv), E_pub) = msg
    • Knowing E_pub it is “computationally very hard” to find E_priv

Pictures from Wikipedia – Public Key Cryptography

Page 11: Technical overview of the Microsoft PKI Active Directory Certificate

1.e.2. Asymmetric cryptography - applications

• Immediate applications: encryption, signature
• … but also Diffie-Hellman key exchange

Pictures from Wikipedia – Public Key Cryptography

Page 12: Technical overview of the Microsoft PKI Active Directory Certificate

1.e.2. Asymmetric cryptography (cont.)

• Things we can guarantee:
  – Identity:
    • Non-Repudiation (cannot deny it did perform it) -> [uses: signature]
    • Authentication [signature and encryption]
  – Communication:
    • Integrity (something has not been changed) [signature]
    • Confidentiality (ensure only authorized entities can read it) [encryption]
• … assuming:
  – the previous mathematical assumptions
  – the user private key is “well protected” (confidentiality)

Page 13: Technical overview of the Microsoft PKI Active Directory Certificate

1.f. Certificate

• Main format: X.509 v1 (88), v2 (93), v3 (96)
• File *.crt containing:
  – Subject, issuer, validity window, … Subject Public Key
  – …
• The information is signed by the issuing CA

Page 14: Technical overview of the Microsoft PKI Active Directory Certificate

1.f. Certificate – X.509 v3

• v3 (96)

CDP: where to check if that certificate is revoked?

Picture from PKI and Certificate Security - Brian Komar, MS Press

Page 15: Technical overview of the Microsoft PKI Active Directory Certificate

1.g. Certification Authority

• A trusted party (server), as part of a PKI:
  – Verifies the identity of a certificate requestor
  – Issues certificates to requestors (users, computers) according to the issuance policy
  – Manages certificate revocation*

*revocation: designating a certificate as no longer valid, even if its expiration date is in the future.

Page 16: Technical overview of the Microsoft PKI Active Directory Certificate

1.h. Certificate issuance

• A Root CA self-signs its certificate
• The most common model: the requester generates the KeyPair
• Certificate template: set of parameters (key length, authentication requirements (1/2/3 factor(s)), permissions…)

Figure: certificate issuance flow between the Client, the Identity Provider, the Certificate Template store and the Certification Authority:
0. Authentication (Client, Identity Provider)
1. Certificate templates fetching (Client, Certificate Template store)
2. KeyPair generation (according to the chosen certificate template parameters)
3. Authenticated certificate request (public key, validity, certificate template…) sent to the Certification Authority
4. Verifications (template parameters)
5. Certificate issuance (see next slide)
6. Certificate returned to the Client

Ensimag 4MMSR – Network Security – Fabien Duchene (2011)

Page 17: Technical overview of the Microsoft PKI Active Directory Certificate

1.h.1. Cert. Validation - AIA

• Authority Information Access
  – URLs where the CA certificate can be retrieved:
    • Filesystem, ldap://, http://, smb://
  – CA certificate:
    • *.crt (certificate)
  – OCSP extension

Page 18: Technical overview of the Microsoft PKI Active Directory Certificate

1.g. The trust topology of the PKI model

• A hierarchical trust model:
  – Users/computers trust the Root CA
  – Transitive trust relation till the leafs

Figure: trust chain example with the GeekCompany Root CA, Kim Cameron and Sheldon Cooper (issued certificates): “I trust that Root CA … thus I also trust these CAs (cert. issued by the Root CA) … thus I also trust the identity of that user/computer (issued cert.)”.

Page 19: Technical overview of the Microsoft PKI Active Directory Certificate

1.h.2. Cert. validation – chain of trust

• Trust hierarchy: trusting the Root CA
• Signing: each CA signs all issued certificates
• … including the child PKI ones!

Page 20: Technical overview of the Microsoft PKI Active Directory Certificate

1.h.2.2. Chain of trust - signature

Figure: clear text certificate information -> thumbprint computation (hash*) -> thumbprint signed with the issuing CA private key -> Cert. Signature field

* hash: function that takes a block of data and returns a fixed size bit string. (eg: MD5, SHA-1, SHA-512…)

Page 21: Technical overview of the Microsoft PKI Active Directory Certificate

1.h.2.3. How could the “chain of trust” be broken?

• For any certificate in that chain:
  – Validity time: has the certificate expired?
  – Subject name: is the certificate information different from what the application expects? (eg: loading an https website by its IP, instead of its FQDN)
  – Revocation: has that certificate been revoked at the CDP?
  – … and of course if the Root CA of that chain is not trusted!

Page 22: Technical overview of the Microsoft PKI Active Directory Certificate

1.i.1 Revocation - Overview

• CRL (Certificate Revocation List) – List of revoked certificate hashes, periodically fetched
• OCSP (Online Certificate Status Protocol) – Real-time web request

Figure (CRL): periodical CRL download (HTTP, SMB, LDAP…) -> certificate hash -> “Is the hash present in the signed CRL? (signed by the issuing CA)” -> yes: the certificate is not trusted / no: the certificate is trusted

Figure (OCSP): certificate hash -> OCSP request -> “Is the certificate revoked?” -> OCSP signed reply -> yes: the certificate is not trusted / no: the certificate is trusted

Page 23: Technical overview of the Microsoft PKI Active Directory Certificate

1.i.2.3. CRL – Publication & expiring intervals

• These parameters are set for the whole PKI
• Publication interval: how often are the CRLs published?

Page 24: Technical overview of the Microsoft PKI Active Directory Certificate

1.i.4. CDP

• CRL Distribution Point
  – Filesystem (smb://, file://)
  – ldap://
  – http://

Page 25: Technical overview of the Microsoft PKI Active Directory Certificate

1.i.2.3. Revocation - CRL - problems

• Bandwidth, CRL file size:
  – the more certificates are issued, the more some are potentially revoked
• Latency: update & download frequency
• Mitigation solutions:
  – Delta CRL = new revoked certificates since the last base CRL publication
  – Separate base CRL & delta CRL publishing frequency
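Added worked example (not from the deck, not ADCS code): a client-side model of the base CRL + delta CRL mitigation above, with constructed CRLs on a weekly base / daily delta schedule, showing the latency a client suffers without the delta and why a cached CRL past its next update, or a delta built on another base, cannot answer.

```python
"""
Base CRL + delta CRL handling as described on slide 25: the delta lists only
the certificates revoked since the last base CRL and is published on its own
schedule.  Added illustration on constructed data, not ADCS code.  Field names
follow RFC 5280 (thisUpdate, nextUpdate, cRLNumber, BaseCRLNumber); real CRLs
list certificate serial numbers, which is what the sets below hold.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Crl:
    crl_number: int
    this_update: int                       # constructed timestamps, in hours
    next_update: int
    revoked: FrozenSet[int]                # serial numbers of revoked certs
    base_crl_number: Optional[int] = None  # set only on a delta CRL


def is_fresh(crl: Crl, now: int) -> bool:
    """A cached CRL is usable only until its next_update; after that the
    client must download a new one from the CDP."""
    return crl.this_update <= now <= crl.next_update


def revoked_serials(base: Crl, delta: Optional[Crl], now: int) -> FrozenSet[int]:
    """Effective revocation set = base CRL plus the delta built on that base."""
    if not is_fresh(base, now):
        raise ValueError("base CRL expired, fetch a new base CRL from the CDP")
    if delta is None:
        return base.revoked
    if delta.base_crl_number != base.crl_number:
        raise ValueError("delta CRL refers to another base CRL")
    if not is_fresh(delta, now):
        raise ValueError("delta CRL expired, fetch a new delta CRL from the CDP")
    return base.revoked | delta.revoked


def status(serial: int, base: Crl, delta: Optional[Crl], now: int) -> str:
    """'revoked', 'good', or 'unknown: <why>' when no usable CRL is at hand."""
    try:
        return "revoked" if serial in revoked_serials(base, delta, now) else "good"
    except ValueError as exc:
        return f"unknown: {exc}"


# constructed schedule: base CRL published weekly (168 h), delta CRL daily (24 h)
BASE_7 = Crl(crl_number=7, this_update=0, next_update=168,
             revoked=frozenset({1001, 1002}))
DELTA_DAY1 = Crl(crl_number=8, this_update=24, next_update=48,
                 revoked=frozenset({1003}), base_crl_number=7)
DELTA_DAY2 = Crl(crl_number=9, this_update=48, next_update=72,
                 revoked=frozenset({1003, 1004}), base_crl_number=7)   # cumulative since base 7
BASE_10 = Crl(crl_number=10, this_update=168, next_update=336,
              revoked=frozenset({1001, 1002, 1003, 1004}))           # delta folded into the new base
```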

Page 26: Technical overview of the Microsoft PKI Active Directory Certificate

1.j. Example

• Consider the following scenario: should I trust the customer CA certificate, knowing I obtained the Root CA cert from the AIA?

0. Get the AIA information periodically (URL, download the Root CA public key)
1. The Customer CA is presenting us its certificate (…and the related chain of trust)
2. Do I trust the Root CA certificate? (“Trusted Root Certification Authorities”?)
3. Is the Root CA cert. revoked or expired? CRL, OCSP
4. Check the Ext. Pol. CA certificate signature (parent CA)
5. 6. 7. 8. …

Picture from PKI and Certificate Security - Brian Komar, MS Press
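Added worked example (not from the deck and not ADCS code) covering the signature step of slide 20, the failure conditions of slide 21, the CRL lookup of slide 22 and the scenario above in one toy validator: textbook RSA on Mersenne primes stands in for the CA's CSP, and the certificate bodies, subject names, day numbers and CRL contents are all constructed.

```python
"""
Toy model of the chain-of-trust checks on slides 20, 21, 22 and 26: hash the
clear-text certificate information, sign the thumbprint with the issuing CA
private key, then walk the chain checking each signature, the validity
window, the expected subject name, the CRL and the trust anchor.  Added
illustration, not ADCS code: textbook RSA on Mersenne primes (constructed,
far too small for real use) stands in for the CA's CSP.
"""
import hashlib
import json

E = 65537


def keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for the two primes p and q."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# constructed keys built from the Mersenne primes 2^127-1, 2^89-1, 2^107-1, 2^61-1, 2^31-1
ROOT_PUB, ROOT_PRIV = keypair(2**127 - 1, 2**89 - 1)
ISSUING_PUB, ISSUING_PRIV = keypair(2**107 - 1, 2**61 - 1)
LEAF_PUB, _ = keypair(2**31 - 1, 2**61 - 1)   # the requester generated its own keypair


def thumbprint(body: dict) -> int:
    """Slide 20: clear-text certificate information -> fixed-size hash."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(body: dict, priv) -> int:
    n, d = priv
    return pow(thumbprint(body) % n, d, n)          # thumbprint signed with the issuer's private key


def verify(body: dict, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == thumbprint(body) % n


def make_cert(subject, issuer, pub, not_before, not_after, issuer_priv):
    body = {"subject": subject, "issuer": issuer, "pub": list(pub),
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": sign(body, issuer_priv)}


def validate_chain(chain, trusted_roots, crl, now, expected_subject):
    """chain = [leaf, ..., root]; trusted_roots and crl hold thumbprints.
    Returns (trusted?, reason), applying the checks listed on slide 21."""
    if chain[0]["body"]["subject"] != expected_subject:
        return False, "subject name differs from what the application expects"
    for i, cert in enumerate(chain):
        body = cert["body"]
        if not body["not_before"] <= now <= body["not_after"]:
            return False, f"{body['subject']}: outside validity window"
        if thumbprint(body) in crl:
            return False, f"{body['subject']}: revoked (listed in the CRL)"
        # the issuer is the next certificate up the chain; the root signs itself
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if body["issuer"] != issuer["body"]["subject"] or \
                not verify(body, cert["sig"], tuple(issuer["body"]["pub"])):
            return False, f"{body['subject']}: signature does not verify"
    if thumbprint(chain[-1]["body"]) not in trusted_roots:
        return False, "Root CA of that chain is not trusted"
    return True, "chain is trusted"


# constructed PKI: self-signed root -> issuing CA -> web server certificate (validity in days)
ROOT = make_cert("GeekCompany Root CA", "GeekCompany Root CA", ROOT_PUB, 0, 3650, ROOT_PRIV)
ISSUING = make_cert("GeekCompany Issuing CA", "GeekCompany Root CA", ISSUING_PUB, 0, 1825, ROOT_PRIV)
WEB = make_cert("www.geekcompany.example", "GeekCompany Issuing CA", LEAF_PUB, 100, 465, ISSUING_PRIV)
CHAIN = [WEB, ISSUING, ROOT]
TRUSTED = {thumbprint(ROOT["body"])}


def scenarios():
    """The question of slide 26 under each failure condition of slide 21."""
    host = "www.geekcompany.example"
    tampered = [dict(WEB, body=dict(WEB["body"], subject="evil.example")), ISSUING, ROOT]
    return {
        "ok": validate_chain(CHAIN, TRUSTED, set(), 200, host),
        "by_ip": validate_chain(CHAIN, TRUSTED, set(), 200, "192.0.2.10"),
        "expired": validate_chain(CHAIN, TRUSTED, set(), 500, host),
        "revoked": validate_chain(CHAIN, TRUSTED, {thumbprint(WEB["body"])}, 200, host),
        "untrusted_root": validate_chain(CHAIN, set(), set(), 200, host),
        "tampered": validate_chain(tampered, TRUSTED, set(), 200, "evil.example"),
    }
```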

Page 27: Technical overview of the Microsoft PKI Active Directory Certificate

REMINDER: Active Directory – Security basics

• Domain, Forest
• SID, access control
• Kerberos authentication
• Trust relationships

Page 28: Technical overview of the Microsoft PKI Active Directory Certificate

REMIND.a. Domain, forest

- AD Forest, domain:
- In each domain, Domain Controllers (DC) manage:
  - Kerberos authentication
  - LDAP directory
  - DNS resolution

Figure: a forest with the root domain corp.nintendo.com and the child domains jpn and usa.

Page 29: Technical overview of the Microsoft PKI Active Directory Certificate

REMIND.b. Access control basics - SID

• SID (Security IDentifier):
  – Statistically unique worldwide
  – AD objects that own a SID (and that are stored in the LDAP database):
    • Computer (when the computer joins the domain)
    • Domain controllers (same as above)
    • User/service account (when the account is created)
    • Security group (a security group can contain security groups, users, and computers)
• Thus, each security principal (user, computer, security group, DC):
  • owns a SID: user account SID
  • is member of several security groups: group SIDs

Page 30: Technical overview of the Microsoft PKI Active Directory Certificate

REMIND.b. – SID examples (continued)

• SID example: (eg. domain: CORP)

Figure: user account SID and group SIDs.

Page 31: Technical overview of the Microsoft PKI Active Directory Certificate

REMIND.b. – Access control basics

• ACL (Access Control List): a list of ACEs (E = entry)
• ACE: “right/privilege/permission given to a specific SID on a specific resource”
• Resource examples:
  – Shared folder
  – LDAP object
  – Certificate template
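Added worked example (not from the deck and not the Windows access-check code) putting the SID, ACL and ACE definitions of the last three slides together on the resource named last, a certificate template: the SIDs, group names and template ACLs are constructed, and the deny-wins rule and the Read + Enroll + Autoenroll requirement for autoenrollment are stated as assumptions in the comments.

```python
"""
Slides 29-31 in code: a security principal carries its own SID plus its
group SIDs (the UserSID and GroupMembershipSIDs delivered in a Kerberos
service ticket), a certificate template carries an ACL made of ACEs, and
an ACE grants or denies rights to one SID.  Added illustration with
constructed SIDs and template ACLs; the evaluation rules are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# constructed SIDs for a domain "CORP": S-1-5-21-<domain part>-<RID>
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_USERS = f"{DOMAIN}-513"        # well-known RID 513
DOMAIN_COMPUTERS = f"{DOMAIN}-515"    # well-known RID 515
PKI_ADMINS = f"{DOMAIN}-1105"
CONTRACTORS = f"{DOMAIN}-1106"
ALICE = f"{DOMAIN}-1201"
BOB = f"{DOMAIN}-1202"
CARL = f"{DOMAIN}-1301"


@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool                 # True = allow ACE, False = deny ACE
    rights: FrozenSet[str]      # subset of {"Read", "Write", "Enroll", "Autoenroll"}


@dataclass(frozen=True)
class Principal:
    sid: str
    groups: FrozenSet[str]

    def token(self) -> FrozenSet[str]:
        """User account SID + group SIDs, as carried in the service ticket."""
        return self.groups | {self.sid}


def has_right(principal: Principal, acl: Tuple[Ace, ...], right: str) -> bool:
    """Assumed (canonical-order) semantics: a matching deny ACE wins; otherwise
    at least one matching allow ACE must grant the right."""
    token = principal.token()
    matching = [ace for ace in acl if ace.sid in token and right in ace.rights]
    if any(not ace.allow for ace in matching):
        return False
    return any(ace.allow for ace in matching)


def can_enroll(principal: Principal, acl: Tuple[Ace, ...]) -> bool:
    return has_right(principal, acl, "Read") and has_right(principal, acl, "Enroll")


def can_autoenroll(principal: Principal, acl: Tuple[Ace, ...]) -> bool:
    # assumption: autoenrollment needs the Autoenroll right on top of Read + Enroll
    return can_enroll(principal, acl) and has_right(principal, acl, "Autoenroll")


def autoenroll_candidates(principal: Principal, templates: Dict[str, Tuple[Ace, ...]]) -> List[str]:
    """On which templates is this entity allowed to autoenroll? (ACE check)"""
    return sorted(name for name, acl in templates.items() if can_autoenroll(principal, acl))


# constructed template ACLs
USER_TEMPLATE = (
    Ace(CONTRACTORS, False, frozenset({"Autoenroll"})),            # contractors enroll manually
    Ace(DOMAIN_USERS, True, frozenset({"Read", "Enroll", "Autoenroll"})),
    Ace(PKI_ADMINS, True, frozenset({"Read", "Write"})),            # manage, but do not enroll
)
COMPUTER_TEMPLATE = (
    Ace(DOMAIN_COMPUTERS, True, frozenset({"Read", "Enroll", "Autoenroll"})),
)
TEMPLATES = {"User": USER_TEMPLATE, "Computer": COMPUTER_TEMPLATE}

alice = Principal(ALICE, frozenset({DOMAIN_USERS}))
bob = Principal(BOB, frozenset({DOMAIN_USERS, CONTRACTORS}))
carl = Principal(CARL, frozenset({PKI_ADMINS}))
```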

Page 32: Technical overview of the Microsoft PKI Active Directory Certificate

REMIND.c. Kerberos Authentication - overview

Authentication protocols in a Microsoft environment: LM, NTLMv1, NTLMv2, Kerberos

Figure: Kerberos exchange between the user / computer, the identity provider (Authentication Server and Ticket Granting Service (TGS), together the Key Distribution Center, with the GC) and the service server (eg: issuing CA):
1. “I am Mossen. I need a Ticket to Get Tickets” (TGT)
2. Here is a TGT you will only be able to decrypt if you know the shared secret (user/computer password)
3. I want to access the “Issuing CA” service. Here is a proof I decrypted the TGT
4. Here is a Service Ticket containing your information for accessing the Issuing CA service (UserSID, GroupMembershipSIDs)
5. Service Ticket presented to the service server
6. Service communication

Page 33: Technical overview of the Microsoft PKI Active Directory Certificate

REMIND.d. Trust relationships

• “one-way trust” A<-B: one way (transitive or not) relation meaning a domain A considers the identities provided by B as valid
• “two-way trust” A<->B = (A<-B) AND (B<-A)

Figure: within a forest, 2-way trust between child and parent domains (corp.nintendo.com with jpn and usa; ms.google.biz with peru). Example of one-way forest trust: corp.nintendo.com trusts the ms.google.biz forest.

Page 34: Technical overview of the Microsoft PKI Active Directory Certificate

2. MS PKI foundations

– Active Directory basics (authentication, ACL)
– Common criteria
– ADCS Roles
– Certification authorities (& cert. issuance)
– Certificate templates
– PKI objects: ADDS location
– Autoenrollment
– Revocation (OCSP)
– Key Recovery Agent, Enrollment Agent
– Hash and public key algorithms
– What’s new in 2008/2008R2?

Page 35: Technical overview of the Microsoft PKI Active Directory Certificate

2.a. Common criteria certifications

• Common criteria: (!check that what is built conforms to the specifications)
  – EAL4 - methodically designed, tested and reviewed
    • ALC_FLR.3 (Systematic Flaw Remediation)
  – Windows Server 2003:
    • EAL 4+ ALC_FLR.3 (2005)
  – Windows Server 2003 (ADCS):
    • CIMC Security Level 3 Protection
    • EAL 4+ ALC_FLR.3 (2005)
  – Win. Vista & 2008:
    • EAL 4+ ALC_FLR.3 (2009)
    • => includes CNG (Windows Cryptographic API)

http://www.commoncriteriaportal.org/products/

Page 36: Technical overview of the Microsoft PKI Active Directory Certificate

2.b.1. Windows Server - ADCS - Roles

• Windows Server role: Active Directory Certificate Services
• Sub-roles:
  – Certification Authority
    • Requires ADDS ; clients and CA communicate via DCOM
  – CA Web Enrollment:
    • Requires IIS, ASP ; communication: web application
  – CA Enrollment Web Service (CES)
  – CA Enrollment Policy Web Service (CEP)
    • Both require ADDS domain schema at level 2008_R2
    • Communication via WS

Figure: availability of the sub-roles across Windows Server 2000, 2003, 2008 and 2008 R2.

Page 37: Technical overview of the Microsoft PKI Active Directory Certificate

2.b.2. ADCS Roles - overview

Figure: ADCS roles and their interactions:
- Certification Authority (CA): issue, renew, revoke certs
- Active Directory: enrollment objects, certificate templates, users, computers (legacy access over LDAP, smb; cert. templates)
- Online Responder: certificate revocation info, web proxy cache (revocation check (OCSP) from the client; revocation check (CRL) against the CA)
- Client: enrollment, renewal (enroll, autoenroll over DCOM or HTTP app. WS)
- Certificate Enrollment WS (CES) and Certificate Enrollment Policy WS (CEP), beside legacy certificate enrollment

Page 38: Technical overview of the Microsoft PKI Active Directory Certificate

2.c.1. REMIND: Certification Authorities

• Servers aiming at 3 main goals:
  – Verify the identity of a certificate requestor
    • Active Directory, Kerberos authentication
  – Issue certificates to requestors (users, comp) according to the issuance policy
    • Root CA, Policy CA, Issuing CA
  – Manage certificate revocation
    • CDP, OCSP

Page 39: Technical overview of the Microsoft PKI Active Directory Certificate

2.c.2. Certification Authorities - levels

• Root CA: 1 self-signed cert. (which is trusted by entities)
• Intermediate CA
• Policy CA: issues cert. to CAs
• Issuing CA: issues cert. to requestors (eg: Americas CA)

Picture from PKI and Certificate Security - Brian Komar, MS Press

Page 40: Technical overview of the Microsoft PKI Active Directory Certificate

2.c.3. Certification authorities - types

• Two types of MS PKI CA:
  – Standalone (eg: for Root CAs)
    • Ideal for offline CAs
  – Enterprise (eg: policy or issuing CAs)
    • Integrated into an ADDS environment
    • Certificate templates support

Page 41: Technical overview of the Microsoft PKI Active Directory Certificate

2.c.4. Issuing CA Components

Figure: issuing CA components and request flow:
- Clients send a cert request (pub. key) to the CA service (Certsrv.exe) and receive the certificate matching their keypair
- Active Directory: authentication, template reading
- Policy Module: inspects cert. requests; issues them according to permissions and issuance policy
- Certificate generation and signature
- Exit Module(s): wait for the information to be written
- Certificate database: writes to DB: certs, information

Page 42: Technical overview of the Microsoft PKI Active Directory Certificate

2.d. Certificate templates

• Certificate models:
  – Validity, renewal (frequency, new key?), publication
  – Request (prompt user, allow private key export…)
  – Cryptography (min. key length, algo, CSP)
  – Certificate information (email, FQDN …)
  – Issuance policies (under which conditions…)
  – Key usage (eg. Digital signature)
  – Application policies
  – Permissions (read, write, enroll, autoenroll)

Page 43: Technical overview of the Microsoft PKI Active Directory Certificate

2.d. Certificate templates

Figure: certificate templates (picture not reproduced).

Page 44: Technical overview of the Microsoft PKI Active Directory Certificate

2.d. The relation btwn CA & Cert. templates

Figure: AD objects linking CAs and certificate templates:
- Templates container (forest wide): permissions, enrollment requirements, cert content, renewal
- Enrollment services objects (one per CA): CA name, CA cert, CA template list, enrollment URL (CES)
- CA 1, CA 2 / CES, and the clients

Page 45: Technical overview of the Microsoft PKI Active Directory Certificate

2.e. PKI objects: ADDS location

Figure: PKI objects stored in the Configuration Naming Context (forest-wide replication):
- Root & intermediate CA certs
- For each issuing CA, where do they publish their CRL?
- Issuing CA certs
- Templates
- CA hierarchy (parent CA)
- Key Recovery Agents (private key)
- Object IDentifiers (MIB): newly created cert templates, newly created application policies, issuance policies

Thus: template permissions on Universal or Global security groups

Page 46: Technical overview of the Microsoft PKI Active Directory Certificate

2.f. AutoEnrollment - overview

• One of the best features of the MS PKI (WS2003, x.509 v2 & v3)

Figure: autoenrollment flow between the client (user / comp.), the GPO (CEP URLs, ADDS container), ADDS (ldap) or ADWS (https), CEP, CES (url2), CA 1 and CA 2:
2. On which templates is the entity allowed to autoenroll? (ACE) – Template container
3. Which CA(s) can issue that template(s)? – Enrollment container: for each CA, the templates it issues and the enrollment URL (CES)
4. Enrollment. Template / Policy cache before: Template 3: ?, Template 19: ?; after: Template 3: CA1 (DCOM), Template 19: CA1 (DCOM), url2 (CES)

Brian Komar, deploying a PKI solution with ADCS

Page 47: Technical overview of the Microsoft PKI Active Directory Certificate

2.f. AutoEnrollment – zoom on the client store

Figure: client (user / comp.) certificate store: Trusted Root CA, Intermediate CA.

Page 48: Technical overview of the Microsoft PKI Active Directory Certificate

2.g. Revocation (OCSP implementation)

• ~ HTTP proxy for CRL ; fault-tolerance

RFC: http://www.ietf.org/rfc/rfc2560.txt?number=2560

Figure: Microsoft Online Responder architecture:
- Clients reach the Online Revocation Array (Online resp. 1, Online resp. 2, …) through DNS round-robin, eventually NLB
- Each responder: OCSP web proxy (request decoding, response caching) in an IIS ApplicationPool on the default IIS website: /ocsp; ocspsvc.exe running as Network Service; signing with a certificate carrying the application policy “OCSP signing” (OID 1.3.6.1.5.5.7.3.9); auditing
- Revocation providers: CRL from CA_1 … CA_N

Page 49: Technical overview of the Microsoft PKI Active Directory Certificate

2.h. Key Recovery Agent

• Each private key issued could also be archived and accessible for one or several recovery agents

Figure: Key Recovery Agent setup:
- A key recovery agent certificate is requested
- One or several CA certificate managers validate the request
- The corresponding issuing CA(s) are configured to archive future issued keys with the KRA(s) certificate(s)
- Each time a new certificate with Key Archival enabled is requested, the user private key is archived with the KRA(s) public key(s)

Page 50: Technical overview of the Microsoft PKI Active Directory Certificate

2.h. Key Archival - KRA

• Ability to recover a client private key
• Involves: Certificate Manager(s), Key Recovery Agent(s), issuers, CA
• CA Exchange template: automatically issued if available, for a short period of time (1 week validity, 1 day renewal)

Figure: key archival flow between the clients, Certsrv, AD and the Cert. DB:
1. Authentication, template reading (AD)
2. CA Exchange cert. request
3. CA Exchange return
4. Revocation check (CA Exch.): CRL, OCSP
5. Keypair generation
6. Cert request (client pub. key), client priv. key encrypted by the CA Exchange pub key
7. Policy, issuance…
8. Cert storage + client private key, encrypted with 1 KRA public key each time = encrypted PKCS #7 BLOB

Page 51: Technical overview of the Microsoft PKI Active Directory Certificate

2.i. Enrollment agent

• Enroll a certificate on behalf of another user.
  – Trust in the application/person (potential private key access)
  – Eg: FIM 2010 CM / CLM 2007:

Figure: enrollment agent scenario:
- Rida requests an enrollment agent certificate; cert managers: request validation
- Alejandro’s manager requests a smart card for Alejandro
- Rida provisions a smart card with a certificate for another user and gives the SC to Alejandro
- Alejandro re-initializes the SC user PIN and is now able to use the SC.

Page 52: Technical overview of the Microsoft PKI Active Directory Certificate

2.j. Microsoft CSP - Supported hash and public key algorithms

• Since Windows Vista & Server 2008:

Hash algorithms: MD2, MD4, MD5, SHA1, SHA256, SHA384, SHA512

Public key algorithms: ECDH_P256, ECDH_P384, ECDH_P521, RSA (KSP max: 16384 bits)

Page 53: Technical overview of the Microsoft PKI Active Directory Certificate

2.k. What’s new in ADCS 2008 & 2008 R2?

• ADCS 2008
  – OCSP
  – CNG support
  – SCEP
• ADCS 2008 R2
  – Certificate enrollment web service
  – Cross forest enrollment
  – CA support on Server Core
  – “Database-less” CA

Page 54: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.1 Cryptography Next Generation

• Replacement for CryptoAPI. Windows Vista.
• Auditing: KSP
• Certification & compliance
• Cryptographic agility: negotiation
• Kernel mode support (ex: IPSec, TLS)
• Key Storage
• Key isolation: not in application (eg: TPM)

Page 55: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.1.2. Windows cryptography system overview

• Vista

Figure: Windows cryptography system overview (picture not reproduced).

Page 56: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.1.3 – Private key storage

Private keys publishing to the FileSystem

Key type: User private
CNG dir.: %appdata%\Microsoft\Crypto\Keys

Key type: Local system private
CNG dir.: %allusersprofile%\Application Data\Microsoft\Crypto\SystemKeys

Key type: NetworkSvc / LocalSvc private
CNG dir.: %windir%\ServiceProfiles\{LocalService,NetworkService}

Key type: Shared private
CNG dir.: %allusersprofile%\Application Data\Microsoft\Crypto\Keys

Page 57: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.2. ADCS Role: Network Device Enrollment Svc: Simple Cisco Enrollment Protocol

• WS 2003 (add-on) ; WS 2008 CS: integrated
• Application: deploy certificates on non-domain-joined computers (eg: Cisco switches, routers, Apple iPad!)

Figure: NDES enrollment flow between the device admin, the device, NDES, the CA (ADCS) and the DC (ADDS):
1. Keypair creation
2.A Password request
2.B Permissions check
3. Set password
4. Cert request
5. RA request
6. Issue cert
7. Return cert

Page 58: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.3. Certificate Web-Services: cross forest enrollment

• Why?
• Enrollment Web Service
• Cross-Forest enrollment

Page 59: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.3.1. Cert. WS - Why?

• Corporates merging:
• “how to extend PKI trust outside the AD forest?”
  – Deploy the other Root CA cert. in the Trusted Root CA store
  – Allow firewall flows:
    • revocation (SMB, LDAP, HTTP)
    • enroll (.. DCOM!)
  – Permissions: grant the other users the ability to enroll
  – Problems: firewall traffic block, corporate: security=network
• Another solution: ADCS Cert. WS

Page 60: Technical overview of the Microsoft PKI Active Directory Certificate

2.k.3.2. CA Enrollment WS – protocols

Figure: the user or computer talks to the CES (Enrolment WS, Policy WS) over HTTPS with Kerberos authentication; the CES gets the policy from Active Directory over LDAP and requests certs from the Certification Authority over DCOM.

Page 61: Technical overview of the Microsoft PKI Active Directory Certificate


2.k.3.3 – Cross forest enrollment

• Ability to issue cert beyond the forest

• Requires: ADDS domain schema: 2008R2

Figure: cross-forest enrollment. Resource forest (Active Directory, Root CA, ADCS WES, WEP; domain level: 2008R2) issues certificates to the other forest (Active Directory) across a trust relationship.

Page 62: Technical overview of the Microsoft PKI Active Directory Certificate


2.k.4. Database-less CA

• Some issued certificates are not stored in the CA DB

• Why? Eg: Network Access Control for 90,000 computers with a 15 min. IPsec cert. validity: 90,000 × (1/15) = 6,000 issued certs/min.

• => Reduces the storage and processing overhead.

• Configurable for each v2 & v3 certificate template


Page 63: Technical overview of the Microsoft PKI Active Directory Certificate


3. Establishing a MS PKI … and maintaining it!

- Conception

- Deployment

- Maintaining in operational conditions


Page 64: Technical overview of the Microsoft PKI Active Directory Certificate


3.a. Conception

• CA (hierarchy, geography, dimensioning, key escrow (HSM))

• Disaster recovery (key archival)

• Role separation

• Policies: security, certificate, CPS

• Identify: applications, ACL

• Revocation

• Training: IT administrators


Page 65: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.1. CAs infrastructure

• Tier: Two or Three? (Root, policy, issuing)

• Type: Standalone / Enterprise?

• Model examples:

Figure: example CA hierarchy models (Root -> Policy -> issuing CAs), with issuing CAs segregated by:

- Geographical / Network: MADRID, SYDNEY, …
- Business Unit: Defense, Banking, …
- Subscriber types: Computers, Users, …
- Certificate use: WPA2, S/MIME, …

(Brian Komar, Deploying a PKI solution with ADCS)

Page 66: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.1. CA infrastructure

• Dimensioning:

– Estimate the workload (cert. templates: issuing and renewal frequency, population; key length: keypair generation duration; network; other servers' load (eg: authentication))

– CPU workload peak goal: 80% ; 90%

– RAM, fast storage (SSD, iSCSI, SCSI 10K RPM)

• Key escrow: HSM – at least X secrets out of Y are needed to access the CA private key, stored on the HSM

http://blogs.technet.com/b/pki/archive/2010/01/12/windows-ca-performance-numbers.aspx

Page 67: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.1. CA infrastructure - dependencies

• ! A MS PKI relies on:

– Computer naming system: DNS

– Identity provider: ADDS

• => High availability of these services

• Key exchange:

– CSP, KSP: which Windows version?


Page 68: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.2. Role separation

• Common Criteria roles (CIMC security level 4):

– CA administrator: assign CA roles, configure auditing, delete a record, start/stop certsrv.exe, define CA admins

– Certificate manager: approve/deny cert. reqs, extract archived private keys, determine KRA

– Backup operator: CA config, DB, and keypair backup

– Auditor: review event log

• Enforce role separation:

certutil -setreg CA\RoleSeparationEnabled 1

!! If a person holds two or more roles, certsrv.exe will not start !!

Page 69: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.3. Disaster Recovery (REMIND: KRA)

• Each issued private key could also be archived and made accessible to one or several recovery agents

Figure: setting up key archival

1. A key recovery agent certificate is requested
2. One or several CA cert. managers validate the request
3. The corresponding issuing CA(s) are configured to archive future issued keys with the KRA(s) certificate(s)
4. Each time a new keypair is generated, the new private key is archived with the KRA(s) public key(s)

Page 70: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.3. Disaster Recovery (Key Archival)

• Who will be the Cert. Mgrs? the KRA?

• On which Certificate Templates will we enable key archival?

!! This has to be decided and configured BEFORE certificate issuance!!

Recovery process:

Figure: Cert. DB -> Cert Mgr -> KRA. The archived user private key, associated with the user certificate, is an encrypted PKCS #7 BLOB.

Page 71: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.4. Policies: security, certificate, CPS

Security policy

- How to address the corporate risks?
- eg ISO 27002 measures

Certificate policy

- RFC 3647: CERTIFICATE MANAGEMENT
- Regroup certificate templates in classes, segregated by:
  - identity validation
  - allowed transactions/operations
  - private key storage

Certification Practice Statement (CPS)

- RFC 3647: CA MANAGEMENT
- How CAs are managed to ensure the assurance levels defined in the certificate policy

= Public rules that govern a PKI

Page 72: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.5. Identity: applications, ACL

• Which applications will rely on the PKI?

– Which kind of Application Policy (OID)?

– Key usage

– Issuing requirements

– Related to the Certificate Policy!

• To whom will we issue such certificate?

– Template ACL


Page 73: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.6. Planning revocation

• Make revocation checking accessible from outside the company!

• BEFORE issuing certificates!

• => In case a smart card / valuable cert. is stolen/lost.

• Conceive procedures, train the actors

• Whom to alert?

– logical access team
– user manager

• How fast to react?

– It depends on the criticality of the protected assets

• How to react?

– Revoke the certificate
– Force delta CRL publishing
– [Eventually] force CRL refreshing on computers
– [Eventually] recover the user's encrypted documents, using the KRA
– Generate a new smart card & keypair for the user


Page 74: Technical overview of the Microsoft PKI Active Directory Certificate


3.a.7. Training: IT administrators

• What is a PKI?

• Which applications rely on the PKI?

• Who endorses which roles?

• How to manage the CA(s)?

• ! Revocation !

• Temporary SC: prevent end-users from using 2 SCs!


Page 75: Technical overview of the Microsoft PKI Active Directory Certificate


3.b. Deployment

• The Root Key Ceremony

• Training: end-users

• Issuing certificates


Page 76: Technical overview of the Microsoft PKI Active Directory Certificate


3.b.1. The Root Key ceremony

• Depending on the Certificate Policy:

– Notarization, legal representation, witnesses

– “Key holders”

• = start of the customer PKI!

• Issuing “policy CA” certificates

• Offline, physically secured (! no VM)

The Root CA private key is generated, stored in the HSM, and protected by a SPLIT secret. At least X key holders out of Y have to be present with their secret to decrypt the private key. (eg: Shamir's polynomial ; Blakley's hyperplanes)

Page 77: Technical overview of the Microsoft PKI Active Directory Certificate


3.b.2. Training: end-users

• Legal stakes (eg: digital signature)

• (Technical basics … for usage!)

• Process:

– Do not ignore certificate warnings!

– Do not store the SC PIN with your SC!

– Tell quickly when you lose your SC!

– Do not use both your temporary SC & your permanent one!

– Protect your private keys and do not store them on unencrypted media!


Page 78: Technical overview of the Microsoft PKI Active Directory Certificate


3.b.3. Issuing certificates

• Client configuration:

– Enrollment policy locations: GPO

– Auto-Enrollment: GPO

• Communicating processes:

– CPS (link within issued cert.)

– eg: smart card issuance, smart card loss

• … Maintaining the infrastructure


Page 79: Technical overview of the Microsoft PKI Active Directory Certificate


3.c. Maintaining

- Certificate renewal

- Events monitoring

- Disaster recovery (see 3.a.3)

- Revoking certificates (see 3.a.6)


Page 80: Technical overview of the Microsoft PKI Active Directory Certificate


3.c.1. Certificate renewal – two problems

• A. Keypair renewal

– eg: OCSP response signing or IPSec communication

The problem (figure: validity period vs. renewal period):

- A user willing to check the revocation of a cert. sends an OCSP request with a nonce encrypted with the K1 public key
- The CA (with OCSP) answers with an OCSP response whose nonce is encrypted with the … K2 private key
- The user is unable to decrypt the answer!

• Some strategies:

– closing the connection with the old keypair & reopening it with the new one

– responding with the previous K1 keypair … until when? (expiration?)

– using the same keypair when renewing

Page 81: Technical overview of the Microsoft PKI Active Directory Certificate


3.c.1. Cert. Renewal – Lifetime expiration


• B. Lifetime expiration – Eg: issuing CA

– The issuing CA cert. validity period has to be greater than the longest validity period of the cert. templates issued by that CA

– The renewal period has to be shorter … but not too much! (potential load and error increase)

• Why renew? – Computational power increase => hash & private key subject to collision and brute-force attacks

• Parameters specific to each certificate template!
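The two rules above turned into a check, as an added example (not ADCS code): `check_ca_lifetime` compares a CA certificate's validity with its templates and renewal period, and `issued_not_after` applies the ADCS behaviour that an issued certificate's end date is capped at the CA certificate's own end date. Dates, template names and validities are constructed; the function names are the example's own.

```python
from datetime import date, timedelta


def check_ca_lifetime(ca_not_before: str, ca_not_after: str,
                      templates: dict, renewal_period_days: int) -> dict:
    """templates maps template name -> validity in days; dates are ISO-8601 strings."""
    nb, na = date.fromisoformat(ca_not_before), date.fromisoformat(ca_not_after)
    ca_validity = (na - nb).days
    longest_name, longest_days = max(templates.items(), key=lambda kv: kv[1])
    problems = []
    # rule 1: CA validity must exceed the longest template it issues
    if longest_days >= ca_validity:
        problems.append(f"template {longest_name} ({longest_days} d) is not shorter "
                        f"than the CA validity ({ca_validity} d)")
    # rule 2: the renewal period must be shorter than the validity
    if renewal_period_days >= ca_validity:
        problems.append(f"renewal period ({renewal_period_days} d) is not shorter "
                        f"than the CA validity ({ca_validity} d)")
    # ADCS caps an issued certificate at the CA certificate's end date, so after this
    # day a certificate from the longest template silently gets a shorter lifetime.
    renew_by = na - timedelta(days=longest_days)
    return {"ca_validity_days": ca_validity,
            "renew_ca_by": renew_by.isoformat(),
            "problems": problems}


def issued_not_after(issue_date: str, template_days: int, ca_not_after: str) -> str:
    """End date a certificate gets: template validity, capped at the CA's own end date."""
    end = date.fromisoformat(issue_date) + timedelta(days=template_days)
    return min(end, date.fromisoformat(ca_not_after)).isoformat()


if __name__ == "__main__":
    # constructed issuing CA (5 years) and three templates
    report = check_ca_lifetime("2011-01-01", "2016-01-01",
                               {"User": 365, "IPsec": 1, "Workstation": 730}, 365)
    print(report)   # renew_ca_by = 2014-01-01, no problems
    print(issued_not_after("2015-06-01", 730, "2016-01-01"))  # truncated to 2016-01-01
```

`renew_ca_by` is the practical renewal deadline: renewing the issuing CA after that date does not break anything, but every certificate issued from the longest template in the meantime expires early, which is exactly the "errors increase" the slide warns about.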

Page 82: Technical overview of the Microsoft PKI Active Directory Certificate


3.c.2. Events monitoring

• Centralize, aggregate, and perform pro-active monitoring on PKI logs:

– CA: issuing, revocation, template, permission, backup, roles, recovery …

– Active Directory: authentication, DNS

– Client: key usage, missing private key

• Ideally integrate it into a SIEM.

– Management packs do exist for SCOM 2007, 2010

• Useful for forensics

• Standard Windows events. See 4.d. and http://technet.microsoft.com/en-us/library/cc731523(WS.10).aspx


Page 83: Technical overview of the Microsoft PKI Active Directory Certificate


4. Auditing a PKI

- Why & when auditing a PKI?

- Useful documents

- Some threats (process, implementations, services,

operations, cryptography)

- Obtaining technical proofs


Page 84: Technical overview of the Microsoft PKI Active Directory Certificate


4.a.1. WHY auditing a PKI?

• Justify the trust in the PKI:

– For insurers, regulators: law compliance (EU Signature Directive, EU Data Privacy Directive, France: CNIL, Payment: PCI DSS, SAS70)

– For a superior CA: prove compliance

– For subscribers/customers/users: they may request it

=> Show that operations are performed according to the CPS, and in accordance with the Certificate Policy

• Corporate image, marketing argument – ISO 27002 compliance, chapter 12


Page 85: Technical overview of the Microsoft PKI Active Directory Certificate


4.a.2. WHEN auditing a PKI?

• During/straight after the Root Key Ceremony

• Periodically, according to the CP & CPS

• In case of a major change (CA mod, new solution)

• When a disaster happens


Page 86: Technical overview of the Microsoft PKI Active Directory Certificate


4.b. Useful documents

• Request from the customer:

– Threat & Risks Assessment

– The Root Key Generation process

– Certificate Policy

– Certification Practice Statement

• Interesting reading material:

– PAG, PKI Assessment Guidelines

– PKIX IETF Working group: RFCs


Page 87: Technical overview of the Microsoft PKI Active Directory Certificate


4.c. Some threats

- Process

- Certificate implementations

- Services

- Operations

- Cryptography


Page 88: Technical overview of the Microsoft PKI Active Directory Certificate


4.c.1. Threats - Process

• Private key protection: Root CA, each CA

– Physical security (virtual machine? Offline server?)

– How many people are needed to decrypt it? (HSM?)

• Role separation:

– Enabled? Administrator, Cert Mgrs, Backup, auditor +

• Key Recovery Manager: approval process

• Enrollment Agent: how is that account secured?

• Revocation: is it performed? (alert, execution, spreading)

• Training users: not to ignore cert. errors, if possible technical enforcement


Page 89: Technical overview of the Microsoft PKI Active Directory Certificate


4.c.2. Threats – Certificate implementations

• ASN.1/DER parsing: certificates, CRL => fuzzing

• PKCS #x API vulnerability?

• Revocation implementation: reachable? Up to date?

• Templates design (is the CP secured regarding the criticality of issued certs?):

– Asymmetric algorithms + key length, signature algo
– ACL

• Private keys: key cloning, key encryption? (Backup, duplication)

• Client design & configuration:

– does it respect the template?
– does it check the revocation correctly?
– what happens if there is a revocation error?


- Attacking Certificate infrastructures, www.canola-jones.com/material/candj-rsa050218.pdf

Page 90: Technical overview of the Microsoft PKI Active Directory Certificate


4.c.3. Threats – Certificate services

• Revocation:

– availability: OCSP, CRL

– integrity:

• OCSP replay attack => nonce protection
• time attacks (cert. expiration date, revocation)

• Corrupted DNS: service location often relies on it!

• Dimensioning of issuing CAs: Computational & storage cost

• "classic" Windows Server security

• Client security: trusted Root CA store, private key storage
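The two integrity checks above from the relying party's side (the nonce against a replayed answer, thisUpdate/nextUpdate against time attacks), as an added example that is not from the deck and not a real OCSP implementation. Messages are dictionaries whose field names follow RFC 6960, the signature is a stand-in HMAC so that the exchange runs offline, and `RESPONDER_KEY`, `MAX_SKEW` and the function names are constructed.

```python
import hashlib
import hmac
import secrets

RESPONDER_KEY = b"constructed-ocsp-responder-key"  # stand-in for the responder's signing key
MAX_SKEW = 300  # seconds of clock skew tolerated; assumption, tune per policy


def _sign(body: dict) -> str:
    """Stand-in signature: HMAC over a canonical serialisation of the body."""
    canon = "|".join(f"{k}={body[k]}" for k in sorted(body))
    return hmac.new(RESPONDER_KEY, canon.encode(), hashlib.sha256).hexdigest()


def build_request(serial: str) -> dict:
    """Client side: a fresh random nonce binds the answer to this request."""
    return {"serial": serial, "nonce": secrets.token_hex(16)}


def responder_answer(req: dict, status: str, now: int, next_update_in: int) -> dict:
    """Responder side: echoes the nonce and states the validity window of the answer."""
    body = {"serial": req["serial"], "status": status, "nonce": req["nonce"],
            "thisUpdate": now, "nextUpdate": now + next_update_in}
    return {**body, "sig": _sign(body)}


def validate_response(req: dict, resp: dict, now: int) -> str:
    """Relying-party checks, in the order a client should apply them."""
    body = {k: v for k, v in resp.items() if k != "sig"}
    if not hmac.compare_digest(_sign(body), resp.get("sig", "")):
        return "reject: bad signature"  # tampered or forged answer
    if body["serial"] != req["serial"]:
        return "reject: answer for another certificate"
    if body["nonce"] != req["nonce"]:
        return "reject: nonce mismatch (replayed answer)"
    if body["thisUpdate"] > now + MAX_SKEW:
        return "reject: thisUpdate is in the future"
    if now > body["nextUpdate"]:
        return "reject: stale answer (nextUpdate passed)"
    return f"ok: {body['status']}"


if __name__ == "__main__":
    req = build_request("1A2B3C")  # constructed serial number
    resp = responder_answer(req, "revoked", now=1000, next_update_in=3600)
    print(validate_response(req, resp, now=1000))                    # ok: revoked
    print(validate_response(build_request("1A2B3C"), resp, now=1200))  # nonce mismatch
    print(validate_response(req, resp, now=5000))                    # stale answer
```

Without the nonce check, a "good" answer captured before a revocation could be replayed to the client for as long as its nextUpdate allows; without the time checks, an attacker controlling the client's clock or the network path could keep a stale answer alive, which is the link the slide makes between time attacks and revocation.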


Page 91: Technical overview of the Microsoft PKI Active Directory Certificate


4.c.3 Threats – Cert. operations

• Private key:

– Theft: revocation speed, propagation, check?

– Storage: export, storing on unencrypted medium, valuable key protected by an easier-to-crack secret (eg: weak password policy)

• CA management: conform to CPS? – Backup, administration …

• Client management: encrypted FS, private key ACL, cache on FS storing smart card private key?

• Weak hash func. used: md5 collisions O(2^21) ; SHA-1: O(2^51)

Page 92: Technical overview of the Microsoft PKI Active Directory Certificate


4.c.4. Threats - Cryptography

• Assumption: “hardness of a specific mathematical problem” (eg: prime factoring, discrete logarithm…)

– Asymmetric crypto: what is the impact of

• mathematical discoveries in computational number theory?
• the way of computing such problems? (eg: quantum comp.)
• increase of computing power (cloud, botnet)

• Hash functions: similar fears

– (eg: preimage attack, collision, second preimage attack)

• Random Number Generation: is the entropy good enough?

- time, temp. sensors, mouse …
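A quick entropy sanity check over RNG output, as an added example (not the deck's): Shannon entropy and min-entropy per byte computed over a constructed timer-like sample and over `os.urandom`. The function names and the sample generator are the example's own. Such a test only catches gross bias; a deterministic PRNG seeded from a poor source still scores close to 8 bits, so it complements, and does not replace, a review of where the seed material comes from.

```python
import math
import os
from collections import Counter


def shannon_entropy_per_byte(data: bytes) -> float:
    """Average information per byte in bits; 8.0 is the maximum (uniform bytes)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def min_entropy_per_byte(data: bytes) -> float:
    """Worst-case guessing entropy: -log2 of the most frequent byte's probability."""
    p_max = max(Counter(data).values()) / len(data)
    return -math.log2(p_max)


def entropy_report(data: bytes) -> dict:
    return {"shannon": shannon_entropy_per_byte(data),
            "min": min_entropy_per_byte(data)}


def timer_like_sample(n: int) -> bytes:
    """Constructed 'bad' source: the low byte of a counter stepping by 4, the way a
    millisecond timer read at a fixed interval would behave (only 64 distinct values)."""
    return bytes((i * 4) % 256 for i in range(n))


def urandom_report(n: int = 65536) -> dict:
    """Reference figures from the OS CSPRNG over n bytes."""
    return entropy_report(os.urandom(n))


if __name__ == "__main__":
    print("timer-like source:", entropy_report(timer_like_sample(4096)))  # 6.0 / 6.0 bits
    print("os.urandom:       ", urandom_report())                        # close to 8.0 bits
```

The gap between the two figures is itself informative: Shannon entropy measures the average case, min-entropy the best guess an attacker can make; key-derivation and nonce generation should be sized on the latter.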


Stephane Manuel, Classification and Generation of Disturbance Vectors for Collision Attacks against SHA-1

Page 93: Technical overview of the Microsoft PKI Active Directory Certificate


4.d. Obtaining technical proofs

• Services: health, web bindings

• Windows events


Page 94: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.1.1. Services - Health

• Basic services configuration errors

• PKIView.msc


Page 95: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.1.2. Services / web bindings

• Default configuration:

Role            Host: service / process                                      Default identity          Dependencies
ADCS service    Certsrv.exe                                                  Local system              NO/NO
OCSP service    Ocspsvc.exe                                                  Network Svc               NO/NO
Web enrollment  IIS default website /certsrv                                 ApplicationPoolIdentity
CEP             IIS default website /ADPolicyProvider_CEP_UsernamePassword   ApplicationPoolIdentity
CES             IIS default website /%CA_NAME%_CES_UsernamePassword          ApplicationPoolIdentity

Page 96: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.2.1. Proofs - events - graphically

• Eventvwr.msc

• Default custom view:

• Examples:


Page 97: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.2.2. Audit – events – under the hood

• Mainly stored in the "Application" log

• ADCS filter:


Page 98: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.2.2. Audit – events – under the hood 2

• Interesting logs: Applications, Security

• Required rights: Read permission on HKLM\SYSTEM\CurrentControlSet\services\eventlog\Applications

• Default permissions:


Page 99: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.2.3. Audit – Events – command line

• Advice: automate tasks with PowerShell cmdlets

• Examples:


Page 100: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.2.3. Audit-Events – command line

• Examples (continued)

• Example using XML filter

Page 101: Technical overview of the Microsoft PKI Active Directory Certificate


4.d.4. Auditing Key Storage Provider events

On a CA, as a local system administrator:

- auditpol /set /subcategory:"other system events" /success:enable /failure:enable

- Then restart ADCS

Page 102: Technical overview of the Microsoft PKI Active Directory Certificate


5. Beyond the Microsoft PKI

• PKI challenges

• Other commonly used PKI

• Beyond the PKI model


Page 103: Technical overview of the Microsoft PKI Active Directory Certificate


5.a. PKI challenges

• Education: user, trainer, IT Pro

• Legal, patents and national security (eg. BitLocker, US gov)

– Privacy compromises: PII, PKI & biometrics?

• Technical:

– Revocation: CRL (bandwidth), OCSP (latency)

– private key protection (eg: single-factor authentication mechanism, weak password…)

– intense computations

– assumptions: computational number theory, naming context, computational power!

• Management costs: … PKI as a service? (eg. Verisign)


Page 104: Technical overview of the Microsoft PKI Active Directory Certificate


5.b. Other commonly used PKI

PKI systems

• OpenSSL
• OpenTrust
• OpenCA
• PGP Cert. server
• Entrust
• RSA
• Digital trust
• Cybertrust
• Spyrus
• Centrify (Mac OS X)
• Red-Hat cert. systems
• IBM (z/OS)
• …


PKI services

• Verisign

• Globalsign

• Verizon

• …

Page 105: Technical overview of the Microsoft PKI Active Directory Certificate


5.c. Beyond the PKI model?

• A major problem:

– “user click fatigue”: Too many Root CA + Difficulty to push them

… while “focus on the user and all else will follow”, Google

• X.509 v3 supports additional trust topologies:

– Bridges (trust the nodes that the peers I trust do trust) (~ social-network trust)

– Meshes (dynamically trust a selected subset of nodes): PGP

• Concept: an object's (cert.) integrity is protected by a separate object (signature): how to mix them in one?


Page 106: Technical overview of the Microsoft PKI Active Directory Certificate


6. References

- Windows Server 2008, PKI and Certificate Security, Brian Komar, MS Press

- Technet: http://technet.microsoft.com

- Wikipedia

- MCTS 70-640, Active Directory, MS Press

- PKI Enhancements in Windows 7 and WS2008R2, John Morello

- PKI in practical use http://kenya.connect-soft.com/PKI%20in%20practical%20use.pdf

- http://www.verisign.com/authentication/information-center/authentication-resources/whitepaper-cost-effective-pki.pdf

- Attacking Certificate infrastructures www.canola-jones.com/material/candj-rsa050218.pdf

- http://blogs.technet.com/b/pki/archive/2010/01/12/windows-ca-performance-numbers.aspx

- PAG, PKI Assessment Guidelines


Page 107: Technical overview of the Microsoft PKI Active Directory Certificate

Thanks for your attention!


http://esec.fr.sogeti.com