The State of Windows 8.1 Security: Modern Access Control
Nelly Porter, Principal Program Manager Lead
Session WIN-B347
Agenda
- Biometric Fingerprints: Moving beyond Login
- TPM Key Attestation: Proofing machine identity
- Strong User Identity: Virtual Smart Card
Consumer Reports survey 2013: 9.8 million adult Facebook users had their account used by an unauthorized person, had their reputation harmed, or were harassed, threatened, or defrauded.
Deloitte study 2013: in a recent study of six million actual user passwords, the 10,000 most common passwords would have accessed 98.1 percent of accounts.
Cybercrime costing UK billions, 2013: 63% of small businesses were attacked by an unauthorized outsider in the last year, up from 41% in the previous year. For large organizations, the comparable figures stood at 78% and 73%.
Passwords are not able to keep users safe.
Biometric Fingerprints: Beyond Login
Our Goals for Windows 8.1
- Ease users' struggle to enter credentials on touch devices
- Built-in Windows experiences
- Introduce new "touch" fingerprint sensors
- Light up a few engaging scenarios
Biometrics seen as easier than a password
- Users loved the simplicity and saw it as a fix to the password problem: a replacement for many passwords and ideal for touch devices; quicker to perform than typing a password and more user-friendly
- Users understood the gesture as verifying identity before an impactful activity: unlike UAC, the user knows the result of confirming; the gesture is so simple and well understood that it is not seen as intrusive to the experience
Windows Biometric Service (architecture, recovered from the slide diagram)
- Callers: Win32 applications, Windows Store apps via the Windows Runtime (WinRT), Media Foundation, and the Biometric Credential Provider
- Windows Biometric Client API (WinBio.dll)
- Windows Biometric Service, hosting the Engine, Storage and Sensor adapters (inbox, but each can be replaced by a third party if needed)
- Windows Biometric Device Interface (WBDI) driver
- Sensor hardware
- Enrollment sits on top of this stack
Legend: OS component; third-party application; third-party driver and companion components
EAS Policy Enhancements
In Windows 8, disabling convenience logon in Exchange ActiveSync (EAS) disabled biometric logon and removed any credentials saved by previous enrollments. Default Group Policy settings disable domain logon with a fingerprint, and removal of the legacy control panel made changing this setting more difficult.
Multiple changes were made to EAS policy handling in Windows 8.1:
- When EAS disables convenience logon, in-box enrollment is still allowed, but no credential is saved
- If the machine is protected with BitLocker, saving of credentials is still allowed
- If a domain user who is a local admin enrolls for fingerprints, domain logon is enabled without having to dig through Group Policy settings
In-box enrollment takes care of all these situations and informs the user beforehand.
Demo: Biometrics from Enrollment to Acquisition
Biometrics "UserConsentVerifier" APIs
- Confirming a purchase, a profile change, or other in-app experiences
- Helps control and personalize the device experience
- Highly desired as a means to control high-value transactions, e.g. purchases
- Can benefit "cloaking" apps, gating access to an app, releasing credentials, ...
WinRT APIs for your app:
Namespace: Windows.Security.Credentials.UI
Class: UserConsentVerifier
Methods: CheckAvailabilityAsync, RequestVerificationAsync
Capabilities: none required
UserConsentVerifier flow (recovered from the slide diagram): the Windows Store app calls the UCV WinRT API (Check Availability, Request Verification); the request crosses into the CredUI Broker running as LocalSystem, which drives CredUI and the biometric credential provider on top of WinBio + WBS + WBDI. Legend: OS components; apps.
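The call pattern behind those two methods, as an added example (not code from the deck): the WinRT calls only exist inside a Windows Store app, so the decision logic is kept separate from the call and a constructed fake stands in for the verifier off-device. The enum names and numeric values below are assumed to mirror UserConsentVerifierAvailability and UserConsentVerificationResult in Windows.Security.Credentials.UI; on a device, use the projected enums.

```javascript
'use strict';
// Added example, not from the deck. Assumption: these enum values mirror
// Windows.Security.Credentials.UI.UserConsentVerifierAvailability and
// Windows.Security.Credentials.UI.UserConsentVerificationResult.
const Availability = { available: 0, deviceNotPresent: 1, notConfiguredForUser: 2,
                       disabledByPolicy: 3, deviceBusy: 4 };
const Result = { verified: 0, deviceNotPresent: 1, notConfiguredForUser: 2,
                 disabledByPolicy: 3, deviceBusy: 4, retriesExhausted: 5, canceled: 6 };

// Map availability to what the app should do next. Anything but "available" means the
// gesture cannot be used right now: fall back to another credential prompt, never skip
// the confirmation. "deviceBusy" is transient, so it is worth a bounded retry.
function planFor(availability) {
  if (availability === Availability.available) return 'prompt';
  if (availability === Availability.deviceBusy) return 'retry';
  return 'fallback';
}

// Fail closed: only an explicit "verified" authorizes the action. Canceled,
// retriesExhausted, deviceBusy, the policy and device errors, and any unknown
// value are all denials.
function isVerified(result) {
  return result === Result.verified;
}

// ucv is Windows.Security.Credentials.UI.UserConsentVerifier on a real device (its
// async methods return promise-like IAsyncOperations), or the fake below for tests.
async function confirmHighValueAction(ucv, message, maxBusyRetries = 2) {
  for (let attempt = 0; ; attempt++) {
    const plan = planFor(await ucv.checkAvailabilityAsync());
    if (plan === 'prompt') break;
    if (plan === 'retry' && attempt < maxBusyRetries) continue;
    return { allowed: false, reason: 'biometric-unavailable' }; // caller shows a password/PIN prompt
  }
  const result = await ucv.requestVerificationAsync(message);
  const ok = isVerified(result);
  return { allowed: ok, reason: ok ? 'verified' : 'result-' + result };
}

// Constructed stand-in for the WinRT object: replays an availability sequence
// (the last value repeats), then returns a fixed verification result.
function makeFakeUcv(availabilitySequence, result) {
  const seq = availabilitySequence.slice();
  return {
    checkAvailabilityAsync: () => Promise.resolve(seq.length > 1 ? seq.shift() : seq[0]),
    requestVerificationAsync: () => Promise.resolve(result),
  };
}
```

The message string is what the gesture prompt shows the user, so it should name the action being confirmed ("Confirm purchase of ..."). The result is a local UI decision only: the API returns an enum, not a signature or token a server could check, so a back end cannot trust a "verified" relayed by the app. For server-verifiable proof the next slide's bio-protected keys are the tool.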
Bio-protected Keys and Certificates
Windows 8.1 (codename "Windows Blue") introduces the ability to perform authentication and signature operations with a fingerprint.
- Easily enabled by setting a property on the key before finalizing it
- The PIN that authorizes use of the key is randomly generated and encrypted by the biometric service before being stored on disk
Demo: Biometric WinRT apis: UserConsentVerifier
Hardware-bound (TPM) Keys and Certificates
Enabled in Windows 8:
- TPM KSP to generate certificates whose keys are sealed by the TPM
- Admin CA templates can select the TPM KSP
Customers asked us: can we guarantee that the key or the certificate is actually protected by a TPM? Can we limit the set of TPMs that can be used and trusted within the enterprise?
TPM Key Attestation Terminology
- Endorsement Key (EK): burned in by the manufacturer; cannot be altered or exported later. It uniquely identifies the TPM, so it can act as a "GPS" for the computer, which is the privacy concern behind the AIK.
- Endorsement Certificate (EKCert): some TPMs ship with an EK certificate that chains up to a trusted root
- Attestation Identity Key (AIK): an intermediate key that hides the EK due to privacy concerns
TPM Key Attestation: validating the EK
The CA can validate the EK in one of three ways:
- Allow a user-attested EK (the enrolling user's credentials vouch for it)
- A whitelisted set of known EKs that appears in a PKI admin-managed list
- The EK certificate chain validates through admin-supplied TPM intermediate and root CA certificates
TPM Key Attestation: Certificate Enrollment
Prerequisite (out of band): the CA obtains the EK public keys (EKPubs) and EK certificates (EKCerts) of the users' TPM-capable devices.
1. Client to CA: "Here is my RSA key (pub), signed by my AIK. Also my AIK (pub), signed by my EK. And here is my EK (pub)."
2. CA validates the EK and generates a challenge: "Here is a secret, encrypted to your EK (pub). Can you tell me the secret?"
3. Client to CA: "Here is your decrypted secret, which proves I own EK (priv)."
4. CA validates the secret and issues the certificate for the RSA key.
Keys involved: EK, AIK, RSA.
TPM Key Attestation: Use Case (RADIUS + VPN)
Two clients request and get a certificate from the Certificate Authority: one receives a TPM-attested certificate, the other a non-attested certificate. When they connect to the VPN, RADIUS rejects the client presenting the non-attested certificate and accepts the one presenting the TPM-attested certificate. What the gateway checks is the issuance policy the CA adds to a certificate only after successful attestation.
Walkthrough
Certificates: WinRT APIs
Now developers can build Windows Store apps to:
- Create and manage Virtual Smart Cards, including the PIN policy
- Create certificate objects, build a certificate chain and verify it
- Perform certificate-based operations like signing/verification and encryption/decryption, including CMS-based signing and verification
- Enumerate the user's My store and filter certificates
- Install certificates into the user's My store
Mail App: client auth (recovered from the slide diagram): the Mail app package (WWAHost) selects the client authentication certificate; LiveComm then uses the selected certificate for SSL to the mail server.
VPN app: certificate selection (recovered from the slide diagram): the VPN app selects a certificate; RAS uses the selected certificate over SSL to the VPN server.
Sample code (cert selection)

```javascript
var certNamespace = Windows.Security.Cryptography.Certificates;
var selectedCert = null;

// Query the user's My store for certificates with this friendly name.
var query = new certNamespace.CertificateQuery();
query.friendlyName = "clientAuthCert";

certNamespace.CertificateStores.findAllAsync(query).done(function (certs) {
    // Prefer a certificate whose private key is strongly protected
    // (for example on a virtual smart card) over a software-only key.
    for (var i = 0; i < certs.size; i++) {
        if (certs[i].isStronglyProtected) {
            selectedCert = certs[i];
            break;
        }
    }
    // selectedCert stays null when no suitable certificate exists;
    // the app should surface that rather than silently using a weaker key.
});
```
Simple Certificate Enrollment Protocol (SCEP)
- A device management protocol designed for the management of mobile devices
- SCEP is a very simple certificate enrollment protocol, developed about 10 years ago for routers
- Starting with Windows 8.1, we natively support SCEP
Strong User Identity with Virtual Smart Card
Virtual Smart Cards (VSC) enable a TPM-equipped device to be used as a smart card.
The TPM provides the three most important properties of a smart card:
- non-exportability of the key
- isolated cryptography
- anti-hammering
No cost beyond the TPM-enabled device. Easy to use, difficult to steal.
Demo: VSC Provisioning
VSC scenarios
- 2FA for local and remote access
- Client authentication / mutual-auth SSL
- VSC redirection for remote connections
- S/MIME email encryption
- BitLocker keys for data volumes (example: a data volume whose key is held by the VSC cannot be unlocked if the drive is moved to another machine)
Windows 8.1 VSC at Microsoft
- The MSIT pilot moved to production, enrolling MS employees' Surfaces and Intel machines: 10,000 people are enrolled on Surfaces, 81K on x86 machines
- VSC on Surfaces enables VPN and Remote Apps access
- MS policy requires users to request manager approval or to use a physical smart card for enrollment, so the VSC provides the same level of assurance as a physical smart card
To sum it up ...
- We feel passwords are not sufficient to keep users safe
- With Windows 8.1 we offer several methods to fix the user authentication fiasco with stronger user credentials: rooted in hardware, based on asymmetric secrets, and strong MFA with VSC
So What's the Conclusion?
Theft-proofing identities: stronger single-factor authentication (bio-protected and TPM-attested keys) and two-factor authentication (Virtual Smart Card).
Windows 8.1 delivers cost-effective and more secure identity options than passwords!
Breakout Sessions
- The State of Windows 8.1 Security: Malware Resistance - May 12th 4:45 PM; Room: 371A
- Malware Hunting with Mark Russinovich - May 15th 10:15 AM; Room: Grand Ballrm C
- Bulletproofing Your Network Security - May 12th 1:15 PM; Grand Ballrm A
- Social Engineering: Targeted Attacks, and IT Security - May 13th 5:00 PM - 6:15 PM; Room: Grand Ballrm A
Instructor Led Labs
- Implementing Endpoint Protection in SCCM - May 13th 10:15 AM; Room: Hall E ILL Room 3
- Implementing Endpoint Protection in SCCM - May 15th 8:30 AM; Room: Hall E ILL Room 3
Related content
- Windows Enterprise: windows.com/enterprise, windowsphone.com/business
Windows Track Resources
- Windows Springboard: microsoft.com/springboard
- Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
- Windows To Go: microsoft.com/windows/wtg
- Windows Phone Developer: developer.windowsphone.com
Resources
- Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
- MSDN: Resources for Developers, http://microsoft.com/msdn
- TechNet: Resources for IT Professionals, http://microsoft.com/technet
- Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.