Passwordless Authentication Mechanisms and Protocols with Windows 10
TRANSCRIPT
Without a Password, It's More Secure! Version 1.0
Albertino Matias – SR Escalation Engineer (Identity & Security)
Didier Pilon – Principal PFE (PMC)
Step 0: Device Registration
Diagram: User, Device (Windows 10), Directory (Active Directory, Azure Active Directory, Microsoft Account, other IdPs). Numbered flow between them: 1 (2FA), 2, 3, 4, …
Directory contents after device registration:
  User object: Account-ID, Password, UPN
  Device object: Device-ID, Cert thumbprint, …
Outcome: the user@device pairing.
Step 1: Key Registration
Diagram: User, Device (Windows 10) → Directory (Active Directory, Azure Active Directory, Microsoft Account, other IdPs), over a TLS secure channel (TLS client: user@device).

Key registration request: the client sends the NGC key. The request carries:
  Access Token (JWT): login proof token, includes the user's UPN
  Friendly key name
  Pub(Kngc) + Kngc attestation blob
  Pub(Ksrk) + Ksrk attestation blob
  AIKcert
  …
Server verifies:
  the access token;
  the AIKcert certificate chain;
  Kngc, using the Kngc attestation blob;
  Ksrk, using the Ksrk attestation blob.
Server stores Kngc, Ksrk and AIKcert.
Key registration response: the NGC Key-ID.

NGC KEY-ID: SHA256(Kngc)

Directory contents after key registration:
  User object: Account ID, Password, UPN
  Device object: Device ID, AIK, Ksrk, …
  NGC object: NGC Key-ID, Friendly Name, Account ID, Device ID, Kngc

Legend:
  Ksrk: key for transporting the session key
  AIKcert: certificate used for key attestation (used to sign keys)
  Kngc attestation, Ksrk attestation: proof that the key is hardware bound = signature based on the private key of the AIKcert
Step 2: User Authentication with a Registered Kngc Key
Diagram: User, Device (Windows 10) ↔ Directory (Active Directory, Azure Active Directory, Microsoft Account, other IdPs), over a TLS secure channel.

A (GetNonce): the client sends a "Hello" request.
B: the server returns a nonce (the encrypted current server time; the nonce is valid for 5 minutes).
C AuthN request (GetPRTWithNGC): the client sends the NGC sign-on request (the JWT carries an NGC-signed assertion):
  AuthInfo; Username; Sign(Nonce, NGC Key-ID)Kngc
Server:
  locates the user/device pair based on the NGC Key-ID;
  retrieves Ksrk & Kngc;
  verifies the Kngc signature;
  verifies the nonce;
  builds the response…
D AuthN response: the server replies with a Primary Refresh Token and an Access Token (empty OAuth 2.0 password grant request):
  PRT[Account-ID, Ksk, …]; Enc(Ksk)Ksrk; Sign(Access-Token)Ksk
Client decrypts and imports the symmetric session key (Ksk) into the TPM.
Client verifies the signature of the Access Token.

Directory contents:
  User: Account-ID, Password, UPN
  Device: Device-ID, AIK, Ksrk, …
  NGC object: NGC Key-ID, Friendly Name, Account-ID, Device-ID, Kngc, …

Where:
  PRT: Primary Refresh Token [Account-ID, Ksk, …]
  Ksk: symmetric session key, encrypted with the transport key (Ksrk): E[Ksk]Ksrk
  Access Token
  Access Token Signature: Sign[Access Token]Ksk
Step 3:
Diagram: User, Device (Windows 10) ↔ Directory (Active Directory, Azure Active Directory, Microsoft Account, other IdPs), over a TLS secure channel.

E Access Token Request: the client sends a service ticket request to the server:
  Salt1, Sign(TargetServiceName, PRT, …)Ksk1, ...
Server:
  verifies the request signature;
  generates the access token;
  derives new signature keys (Ksk2) from Ksk1 using the salt.
F Access Token Response:
  Salt2, Sign(Access Token)Ksk2, …
Client verifies the signature.

Directory contents:
  User: Account ID, Password, UPN
  Device: Device ID, AIK, Ksrk, …
  NGC: NGC Key ID, Friendly Name, Account ID, Device ID, Kngc

Keys and tokens in play: Ksk (Ksk1, Ksk2), Access Token.
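The server-side checks of Step 2, written out in Go as an added example (not code from the deck or from Microsoft's implementation): the device signs (nonce, NGC Key-ID) with Kngc, the server finds the registered Pub(Kngc) by Key-ID, enforces the 5-minute nonce lifetime, verifies the signature and only then issues a session key Ksk. Assumptions: P-256 ECDSA stands in for the TPM-bound Kngc, the Key-ID hash is taken over the raw public point, and nonces are random values tracked server-side for single use rather than the deck's encrypted server time; attestation, Ksrk transport encryption and PRT issuance are left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)
// Server side of steps 1 and 2, simplified: key attestation (AIK, Ksrk) and PRT issuance are not modelled.
type Server struct {
	Keys   map[[32]byte]*ecdsa.PublicKey // Pub(Kngc) by NGC Key-ID, as registered in step 1
	Nonces map[[32]byte]time.Time        // nonces handed out in message A, with their issue time
}
// NewKngc stands in for the TPM generating Kngc in step 1 (P-256 ECDSA here, not the TPM's key type).
func NewKngc() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// KeyID is the slide's NGC Key-ID = SHA256(Kngc), computed here over the raw public point X || Y.
func KeyID(pub *ecdsa.PublicKey) [32]byte {
	return sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
}
// GetNonce (message A) hands out a random nonce and records when it was issued.
func (s *Server) GetNonce(now time.Time) (nonce [32]byte) {
	rand.Read(nonce[:])
	s.Nonces[nonce] = now
	return nonce
}

// SignOn is the device side of message C: Sign(nonce, Key-ID)Kngc, computed over SHA256(nonce || Key-ID).
func SignOn(kngc *ecdsa.PrivateKey, nonce, keyID [32]byte) []byte {
	h := sha256.Sum256(append(nonce[:], keyID[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, kngc, h[:])
	return sig
}

// Authenticate (messages C/D): find Kngc by Key-ID, require an issued, unused nonce under 5 minutes old, verify the Kngc signature, and only then return a fresh symmetric session key Ksk for the PRT.
func (s *Server) Authenticate(keyID, nonce [32]byte, sig []byte, now time.Time) ([]byte, error) {
	pub, ok := s.Keys[keyID]
	issued, seen := s.Nonces[nonce]
	delete(s.Nonces, nonce) // single use: replaying a nonce fails even inside the 5-minute window
	h := sha256.Sum256(append(nonce[:], keyID[:]...))
	if !ok || !seen || now.Sub(issued) > 5*time.Minute || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, errors.New("sign-on rejected: unknown Key-ID, stale or reused nonce, or bad Kngc signature")
	}
	ksk := make([]byte, 32)
	rand.Read(ksk)
	return ksk, nil
}
```

A replayed nonce, an expired nonce, a signature from a key other than the registered Kngc, and an unregistered Key-ID are all rejected before any Ksk is produced.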
New Security Boundary with Hyper-V
Diagram: the Host OS is split into Normal Mode (User, Kernel, Normal LSA) and Secure Mode (Secure LSA, NGC, Containers) behind a Hardened Boundary; both run on the Hypervisor, above the Firmware (UEFI) and the Hardware (SLAT, IOMMU, TPM 2.0, VT-x2). The Trust Boundary sits at the hypervisor.
Memory: Guest Physical Address memory (virtual in fact!) is mapped to System Physical Address memory through the guest-physical-to-system-physical memory map.
User Mode Code Integrity, Virtual Infra Driver, Hyper-V Code Integrity.
Hypervisor: manages processor scheduling & physical memory allocation.

VSM platform requirements:
  Virtualization extensions (Intel VT-x)
  Second Level Address Translation (Intel EPT)
  IOMMU (Intel VT-d)
  UEFI 2.3.1
  TPM v2.0
  Secure boot

Trusted boot: OS Loader, Kernel, System Driver, System Files, Early Launch Anti-malware, measured during secure boot.
tech.days 2015#mstechdays
• Authentication based on asymmetric keys (no more passwords)
• The device is used as the second authentication factor
VSM
• Provides a dual execution environment guaranteed by the hypervisor
• Normal mode
• Secure mode
• Protected memory address space