infrastructure saturday 2011 - understanding pki and certificate services
DESCRIPTION
In every organization there is a growing need for a strong, well-designed public key infrastructure solution, and in many of them Active Directory Certificate Services will be used. This session will guide you through a solution based on best practice, shed some light on common issues encountered, and show some shortcuts to assist in management with PowerShell.
TRANSCRIPT
KIERAN JACOBSEN HP
Understanding PKI and Certificate Services
Gold Sponsors
Silver Sponsors
AGENDA
- Why Should I care?
- Contoso Requirements
- Design Considerations
  - CA Hierarchy
  - CA Lifespan
  - Physical or Virtual?
  - Private key storage
  - Key lengths
  - Certificate Revocation Lists
  - AIA and CDP Locations
  - Stuff we missed…
- Ouch! Pain Points
- PowerShell to the rescue
Why Should I Care?
There are a number of technologies which need PKI:
- Cloud infrastructure
- Federated identity systems, e.g. ADFS
- HTTPS/SSL
- SMTPS
- Multi-factor authentication, e.g. smart cards
- S/MIME
- Encrypting File System (EFS)
- Code signing
- 802.1X authentication and/or NAP
- Remote Desktop Services
Many organizations have legal requirements for PKI with serious financial or legal ramifications for a breach of that infrastructure!
Contoso Requirements
- Contoso is developing a new web application suite
- ADFS to provide SSO
- Almost 1 million end users
- 3rd party certificates for HTTPS
- Private certificate infrastructure for internal use
- Network is segregated into internal/corporate and perimeter networks
- Certificates will be in use in both the corporate and perimeter networks
- Use of certificates to be extended to other applications, remote access, partners and 3rd parties at a later date
- High availability and continuity planning is a must
Protecting your privates
- The first rule of security in PKI is: protect the private key!
- Protecting the private keys of authorities is absolutely critical
- If a bad guy has access to your private key or can determine your private key…
CA Hierarchy
Single/One Tier
- Root and Issuing CA are the same server
- Simple to manage
- Hard to manage if a breach occurs: the compromised CA is the root, and there is nothing above it that can revoke it
- Not RECOMMENDED!
Two Tier
- Root and Issuing CA are separated
- Slightly more difficult to manage
- Security breach of the issuing CA is easy to manage (the offline root revokes it and signs a replacement)
- Highly scalable
- RECOMMENDED!
Three Tier
- Root, Policy and Issuing CA separated
- Quite difficult to manage
- Security breach of the issuing CA is easy to manage
- Very highly scalable
- Not RECOMMENDED!
CA lifespan
Certificate Expiry = Date of certificate issue + Validity period
Validity period defined by:
- Certificate Template
- CA Policy
- Expiry date of the CA's certificate
An authority cannot issue a certificate whose expiry is after the expiry of the authority's own certificate (AD CS truncates the validity of anything it issues to its own certificate's expiry).
A subordinate authority cannot have its certificate expire later than its superior authority. I.e. in a two tier hierarchy, issuing CA certificates must have an expiry that is before the Offline Root CA's.
When an authority's certificate expires:
- All certificates it issued will have, logically, expired
- It cannot sign CRL files!
CA lifespan 2
Validity period factors:
- Deploying an authority is a lot of work
- Certificates issued must expire before the authority's certificate
- Subordinate authorities must expire before superior authorities
- Are we going to renew CA certificates or replace them?
- When are we going to start the work?
Recommended Validity Periods:
- Offline Authorities: 10 to 25 years
- Issuing Authorities: 5 to 10 years
Replacement Schedule

Validity Period | Replace at 75%     | Replace at 90%
5 years         | 3 years, 9 months  | 4 years, 6 months
10 years        | 7 years, 6 months  | 9 years
15 years        | 11 years, 3 months | 13 years, 6 months
20 years        | 15 years           | 18 years
25 years        | 18 years, 9 months | 22 years, 6 months
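The 75% / 90% rule above, applied to the CA certificates actually installed rather than to a fixed table, together with a check of the rule that every subordinate CA must expire before its issuer. This is an added example, not code from the deck or from the speaker. It assumes PowerShell 2.0 or later on a domain-joined machine that holds the CA certificates in its Root/CA stores, and that our CA subject names start with "Contoso" (an illustrative filter).

```powershell
# Added example (not code from the deck): apply the 75% / 90% replacement rule to the CA
# certificates actually installed, and check that every subordinate CA expires before its issuer.
# Assumptions: PowerShell 2.0+, CA certificates present in Cert:\LocalMachine\Root and \CA,
# and CA subject names beginning with "Contoso" (illustrative filter).

function Get-OwnCaCertificate {
    param([string]$SubjectFilter = 'CN=Contoso*')   # assumption: our CAs are named "Contoso ..."
    # Keep only certificates whose Basic Constraints extension says CA=TRUE.
    Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA' |
        Where-Object {
            $_.Subject -like $SubjectFilter -and
            ($_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
                $_.CertificateAuthority })
        } | Sort-Object Thumbprint -Unique    # the same CA certificate may sit in both stores
}

function Get-CaReplacementSchedule {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $lifetimeDays = ($Certificate.NotAfter - $Certificate.NotBefore).TotalDays
        $replace75    = $Certificate.NotBefore.AddDays($lifetimeDays * 0.75)
        $replace90    = $Certificate.NotBefore.AddDays($lifetimeDays * 0.90)
        $pctElapsed   = [math]::Round(100 * ($AsOf - $Certificate.NotBefore).TotalDays / $lifetimeDays, 1)

        # Thresholds follow the deck: start replacement at 75%, treat 90% as the hard deadline.
        if     ($AsOf -ge $Certificate.NotAfter) { $status = 'EXPIRED' }
        elseif ($AsOf -ge $replace90)            { $status = 'OVERDUE (past 90%)' }
        elseif ($AsOf -ge $replace75)            { $status = 'REPLACE (past 75%)' }
        else                                     { $status = 'OK' }

        New-Object PSObject -Property @{
            Subject = $Certificate.Subject; Issued = $Certificate.NotBefore; Expires = $Certificate.NotAfter
            ReplaceAt75 = $replace75; ReplaceAt90 = $replace90; PercentElapsed = $pctElapsed; Status = $status
        }
    }
}

function Test-CaValidityNesting {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Build the chain offline (no revocation lookups) and walk it leaf-first, root-last.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($Certificate)
        $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        for ($i = 0; $i -lt $certs.Count - 1; $i++) {
            $sub = $certs[$i]; $sup = $certs[$i + 1]
            if ($sub.NotAfter -gt $sup.NotAfter) {
                Write-Warning ("{0} expires {1:d}, AFTER its issuer {2} ({3:d})" -f $sub.Subject, $sub.NotAfter, $sup.Subject, $sup.NotAfter)
            }
        }
        $chain.Reset()
    }
}

Get-OwnCaCertificate | Get-CaReplacementSchedule |
    Format-Table Subject, PercentElapsed, ReplaceAt75, ReplaceAt90, Status -AutoSize
Get-OwnCaCertificate | Test-CaValidityNesting
```

Run it from a scheduled task and alert on anything other than OK; the point of the 75% mark is that a root replacement at 25 years is a multi-month project, so the warning has to arrive years, not weeks, ahead.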
Physical or Virtualized Hardware

Physical Hardware                           | Virtualized
Hardware dependent                          | Hardware independent
Strong private key protection               | Weaker private key protection
Hard to replicate                           | Easy to replicate
Hard to make highly available               | Highly available by nature
Additional key protection options available | Only encryption available as an additional layer of protection
Private key storage
By default, private keys are stored in the local certificate store. The local certificate store is vulnerable to:
- A security vulnerability in the software API controlling access
- Bypassing the API altogether with physical access to the storage/server
Risk mitigation by:
- Encrypting the operating system disk with BitLocker
- Storing physical disk media in a safe
- Storing private keys in USB tokens or smart cards
- Ultimate security: Hardware Security Module (HSM)
Key Length
- Offline authorities (root and policy): 4096 bits
- Issuing authorities: 2048 bits
- Certificates: 2048 bits
- Avoid using keys of 1024 bits and 512 bits.
Certificate Revocation Lists
CRL: Certificate Revocation List
- A list of all the certificates clients should not trust (issued by the CA but revoked before their expiry)
- Signed by the certificate authority which issued the list
- Each authority will maintain its own list
- Released on a regular schedule: generally hourly, daily, weekly, monthly, 6 monthly or yearly
- Valid for a limited period of time. The validity period is slightly longer than the release schedule (the overlap), so a publication that runs a little late does not leave clients holding an expired CRL
- Delta CRLs can be used
AIA & CDP
- AIA: Authority Information Access -> where a client fetches the issuing CA's certificate, so it can build the chain and validate that a certificate is trusted
- CDP: CRL Distribution Point -> where a client fetches the CRL, to determine a certificate's revocation status
- Protocols allowed: LDAP, HTTP, FTP and UNC paths
Placement of locations:
- Corporate network
- DMZ/Perimeter
- External? Cloud?
How do we ensure locations are highly available?
AIA & CDP at Contoso
LDAP
- LDAP location based off the corporate domain, contoso.local
- Only systems in the corporate network will have access
HTTP
- HTTP location based off certs.contosocorporation.com
- Server to be in the perimeter network
- All locations internally have access to this location
- External access easily made available at a later date
Other things to consider
- Use sensible names
- Define corporate policy:
  - Certificate Policy (CP)
  - Certificate Practice Statement (CPS)
- Auto Enrollment
- Online Certificate Status Protocol (OCSP)
- Key Archival
Deployment summary
- Hierarchy: 2 Tier – Offline Root and single Issuing CA
- CA Lifespan:
  - Offline: 25 years, to be replaced in 22 ½ years
  - Issuing: 5 years, to be replaced in 4 ½ years
- Private Key/Hardware: All virtual
- Key Lengths:
  - Offline: 4096 bits
  - Issuing: 2048 bits
- CRL:
  - Offline: every 6 months
  - Issuing: base weekly, delta daily
- AIA/CDP Locations:
  - LDAP: contoso.local corporate AD
  - HTTP: certs.contosocorporation.com
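The deployment summary, the CRL schedule and the AIA/CDP placement above, turned into the AD CS settings that implement them. This is an added example, not code from the deck or from the speaker. It assumes the forest contoso.local, CAs named "Contoso Root CA" (on a server assumed to be called ROOTCA) and "Contoso Issuing CA", the HTTP host certs.contosocorporation.com, and a placeholder policy OID and CPS URL; the CPS section ties in the CP/CPS item from "Other things to consider".

```powershell
# Added example (not from the deck): AD CS settings for the Contoso two-tier design.
# Run in an elevated PowerShell (2.0+) on the CA named in each section.
# Assumed names: contoso.local, "Contoso Root CA" on server ROOTCA, "Contoso Issuing CA",
# HTTP host certs.contosocorporation.com; the policy OID and CPS URL are placeholders.

$httpBase = 'http://certs.contosocorporation.com/CertEnroll'

# --- 1. Offline root: CAPolicy.inf goes into %windir% BEFORE the AD CS role is installed ---
# Renewal* values apply when the root certificate is renewed (choose the initial 25-year
# validity in the installation wizard). CRL every 6 months, no delta CRL on a root.
# [PolicyStatementExtension] embeds the CPS pointer in the CA certificate.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=25
CRLPeriod=Months
CRLPeriodUnits=6
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

[PolicyStatementExtension]
Policies=ContosoCPS

[ContosoCPS]
OID=1.3.6.1.4.1.99999.1.1
Notice="Contoso Certificate Practice Statement"
URL=http://certs.contosocorporation.com/cps.html
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# --- 2. Offline root, after installation: where clients look for its CRL and certificate ---
# CDP flag bits: 1 publish CRL here, 2 include in CDP of issued certs, 4 include in CRLs
# (delta lookup), 8 include in CDP of CRLs, 64 publish delta CRL here, 128 include in IDP.
# AIA flag bits: 1 publish CA cert here, 2 include in AIA of issued certs.
# The root is offline, so it publishes only to its local folder; LDAP/HTTP copies go by hand.
$rootCdp = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
    "2:$httpBase/%3%8%9.crl",
    '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
) -join '\n'        # certutil reads a literal "\n" as the REG_MULTI_SZ separator
$rootAia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    "2:$httpBase/%1_%3%4.crt",
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
) -join '\n'
& certutil -setreg 'CA\CRLPublicationURLs'    $rootCdp
& certutil -setreg 'CA\CACertPublicationURLs' $rootAia
# The root must be allowed to sign a 5-year issuing CA certificate; the default cap is 1 year.
& certutil -setreg 'CA\ValidityPeriodUnits' 5
& certutil -setreg 'CA\ValidityPeriod'      'Years'
Restart-Service certsvc
& certutil -crl                 # publish a CRL that carries the new settings

# --- 3. On a domain-joined machine: push the root's certificate and CRL into AD (the LDAP
# locations above) and copy both files to the HTTP host's CertEnroll folder as well.
# File names follow the %1_%3%4 and %3%8%9 tokens.
& certutil -dspublish -f 'ROOTCA_Contoso Root CA.crt' RootCA
& certutil -dspublish -f 'Contoso Root CA.crl'

# --- 4. Online issuing CA: same locations, but it publishes to its local folder and to LDAP
# itself; base CRL weekly, delta daily, each valid one extra day past its schedule (overlap).
$issuingCdp = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
    "6:$httpBase/%3%8%9.crl",
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
) -join '\n'
$issuingAia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    "2:$httpBase/%1_%3%4.crt",
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
) -join '\n'
$issuingSettings = @{
    'CRLPublicationURLs'    = $issuingCdp
    'CACertPublicationURLs' = $issuingAia
    'CRLPeriodUnits'        = 1; 'CRLPeriod'        = 'Weeks'
    'CRLDeltaPeriodUnits'   = 1; 'CRLDeltaPeriod'   = 'Days'
    'CRLOverlapUnits'       = 1; 'CRLOverlapPeriod' = 'Days'
}
foreach ($name in $issuingSettings.Keys) {
    & certutil -setreg "CA\$name" $issuingSettings[$name]
}
Restart-Service certsvc
& certutil -crl
```

The HTTP URL is listed before LDAP in both CAs here because, in the Contoso design, it is the one location reachable from the corporate network, the perimeter and (later) the outside; clients try CDP/AIA locations in the order they appear in the certificate. The issuing CA publishes nothing to the perimeter host itself (flag 6, not 7), so the copy to certs.contosocorporation.com has to be scripted separately.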
OUCH!! Pain points!
- CA hashing algorithms
- LDAP for a CRL and AIA distribution point
- ADFS requires specific CA template versions
- AIA specification bug
PowerShell to the rescue
- CRL monitoring and validation
- Backups
- Private key backups
- CRL publishing
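The CRL publishing and CRL monitoring items above, as an added example (not the deck's code and not the "PowerShell CRL Copy" script linked at the end): copy the issuing CA's base and delta CRL to the perimeter web server, then fetch them back over the HTTP CDP the way a client would and check NextUpdate. It assumes the default CertEnroll publish folder, a made-up share \\certs-web.contoso.local\CertEnroll$ on the perimeter host, and certutil's default English output (" ThisUpdate:" / " NextUpdate:" lines) for parsing; it is PowerShell 2.0 compatible.

```powershell
# Added example (not from the deck): publish the issuing CA's CRLs to the perimeter web server
# and verify what clients actually get from the HTTP CDP.
# Assumptions: default CertEnroll folder, an assumed share \\certs-web.contoso.local\CertEnroll$,
# and certutil's default English " ThisUpdate:" / " NextUpdate:" output. PowerShell 2.0+.

function Get-FileSha256 {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { [BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))) -replace '-', '' }
    finally { $sha.Clear() }
}

function Publish-CrlToWebServer {
    [CmdletBinding()]
    param(
        [string]$Source      = (Join-Path $env:windir 'system32\CertSrv\CertEnroll'),
        [string]$Destination = '\\certs-web.contoso.local\CertEnroll$'   # assumed UNC share
    )
    # "Contoso Issuing CA.crl" (base) and "Contoso Issuing CA+.crl" (delta) both live in Source.
    Get-ChildItem -Path $Source -Filter '*.crl' | ForEach-Object {
        $target = Join-Path $Destination $_.Name
        Copy-Item -Path $_.FullName -Destination $target -Force
        # Verify the copy byte-for-byte; a truncated CRL on the web server fails every client.
        if ((Get-FileSha256 $_.FullName) -ne (Get-FileSha256 $target)) {
            throw "Published copy of $($_.Name) does not match the CA's copy"
        }
        Write-Verbose "Published $($_.Name) -> $target"
    }
}

function Test-PublishedCrl {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$WarnHoursBeforeExpiry = 24       # alert before NextUpdate passes, not after
    )
    $tmp = Join-Path $env:TEMP ('crlcheck_{0}.crl' -f [guid]::NewGuid())
    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
        $dump = & certutil -dump $tmp 2>&1 | Out-String
        if ($LASTEXITCODE -ne 0) { throw "certutil could not parse what $Url returned (not a CRL?)" }
        $thisUpdate = [datetime]::Parse([regex]::Match($dump, '(?m)^\s*ThisUpdate:\s*(.+?)\s*$').Groups[1].Value)
        $nextUpdate = [datetime]::Parse([regex]::Match($dump, '(?m)^\s*NextUpdate:\s*(.+?)\s*$').Groups[1].Value)
        $crlNumber  = [regex]::Match($dump, 'CRL Number=(\d+)').Groups[1].Value
        $now = Get-Date
        if     ($now -gt $nextUpdate) { $status = 'EXPIRED: clients will fail revocation checking' }
        elseif (($nextUpdate - $now) -lt (New-TimeSpan -Hours $WarnHoursBeforeExpiry)) { $status = 'EXPIRING: republish and copy now' }
        else   { $status = 'OK' }
        New-Object PSObject -Property @{
            Url = $Url; CrlNumber = $crlNumber; ThisUpdate = $thisUpdate; NextUpdate = $nextUpdate; Status = $status
        }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Usage on the issuing CA, e.g. from a scheduled task that runs after each CRL publish:
Publish-CrlToWebServer -Verbose
'http://certs.contosocorporation.com/CertEnroll/Contoso%20Issuing%20CA.crl',
'http://certs.contosocorporation.com/CertEnroll/Contoso%20Issuing%20CA+.crl' |
    ForEach-Object { Test-PublishedCrl -Url $_ } |
    Format-Table Url, CrlNumber, NextUpdate, Status -AutoSize
```

Two things worth checking on the perimeter IIS host before trusting the OK status: the delta CRL file name contains a "+", which IIS 7 request filtering rejects unless allowDoubleEscaping is enabled for that site, and the fetch should be made from a client that is not on the corporate network, since that is the only path by which the HTTP location gets exercised. `certutil -verify -urlfetch` against an issued certificate gives the same end-to-end view from a single machine.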
question and answer time
useful links
My Website: http://aperturescience.su
PowerShell CRL Copy by PKI Blog:http://bit.ly/v5Buuf
Designing and Implementing a PKI by Directory Services Team:http://bit.ly/tuf0T6
PRIZES
Submit your feedback to WIN.
$2650 worth of training from
Voyager PRO UC headset.
20% off all books @ MSPress Code ISBRIS