smart card logon

Ing. Ondřej Ševeček
MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
[email protected] | www.sevecek.com


Page 1: Smart card logon


Smart card logon

Page 2: Smart card logon

Motivation

Use certificates for logon
Random keys stronger than passwords
– SHA-1 >> 12 character password
Passwords can be stolen in clear
– Thursday, 10:30 :-)
Multifactor authentication with smart card
– private key never leaves the card
– must have the card to logon
– simple PIN just to prevent an accidental loss

Page 3: Smart card logon

Technology

PC/SC chip + reader
Credit card format
– transport in wallet or stripe
– printed
– RFID
– requires separate reader
Token
– attach to keys
– no reader necessary
– no printing
– no RFID

Page 4: Smart card logon

Drivers

Reader driver
– USB CCID compatible built-in
– many other built-in
Chip driver
– Cryptographic Service Provider (CSP)
  • SafeSign, CryptPlus, Schlumberger, …
– minidriver for Microsoft Base Smart Card CSP
– CERTUTIL -csplist

Page 5: Smart card logon

Vendors

Card + reader ~ 1000 CZK
Gemalto
– .NET v2 ~ IDPrime IM v2 ~ IDPrime .NET ~ IDPrime IM v3 ~ Axalto Cryptoflex .NET
– the only mini-driver built-in
Monet+
– Czech vendor
– mini-driver installable
Aladdin, …
– require full CSP $$$

Page 6: Smart card logon

Card management

CERTUTIL -scinfo
Excel :-)
third-party tools

Page 7: Smart card logon

CA hierarchy?

Trust maintenance
– may be expensive to be trusted
– may be even more expensive to revoke root
– risk analysis
Revocation of subordinates
Distributed administration
– Qualified subordination
CRL (Certificate Revocation List)
OCSP (Online Certificate Status Protocol)


Page 8: Smart card logon

CA hierarchy?

[Diagram: one root CA with three subordinate issuing CAs, each issuing leaf certificates]

GOPAS Root CA
– GOPAS London CA → leaf certificates
– GOPAS Paris CA → leaf certificates
– GOPAS Prague CA → leaf certificates

Page 9: Smart card logon

CA hierarchy?

[Diagram: three independent root CAs, each issuing leaf certificates directly]

GOPAS Root London CA → leaf certificates
GOPAS Root Paris CA → leaf certificates
GOPAS Root Prague CA → leaf certificates

Page 10: Smart card logon

Where the nonsense leads

Offline root
– OS license
– hardware
– physical access to publish CRLs
Degenerate CRL publishing
– once several months
– or only once!

Page 11: Smart card logon

Trust maintenance in Windows domain

Page 12: Smart card logon

Risk assessment in Windows domain

Risk of AD Domain Controller
– single DC compromised = whole forest compromised
Online AD-integrated enterprise PKI cannot have higher risks than any DC
NTAuth CAs have the same level of risk as any DC

Page 13: Smart card logon

CA hierarchy?

Page 14: Smart card logon

Algorithms

SHA-1
– well compatible with XP, 2003
– stronger than 12 character passwords
SHA-256, SHA-384, SHA-512
– requires XP SP3
– requires manual download update KB938397 for 2003
– requires manual download update KB968730 for auto-enrollment on XP SP3 and 2003
– no problem with the card hardware
RSA 2048
– well supported by card hardware
– only 112 bit strength
RSA 4096
– stronger, but limited support by card hardware
ECDH
– poor application support and no card hardware support

Page 15: Smart card logon

Comparable Algorithm Strengths (SP800-57)

Strength   Symmetric   RSA         ECDSA       SHA
80 bit     2TDEA       RSA 1024    ECDSA 160   SHA-1
112 bit    3TDEA       RSA 2048    ECDSA 224   SHA-224
128 bit    AES-128     RSA 3072    ECDSA 256   SHA-256
192 bit    AES-192     RSA 7680    ECDSA 384   SHA-384
256 bit    AES-256     RSA 15360   ECDSA 512   SHA-512

Page 16: Smart card logon

Domain SC User with RSA

Extension         Value
Subject           Common Name or Distinguished Name
SAN               UPN or AD mapped subject (Windows 6.0+)
Exportable Key    no?
Archive Key       no, transport encryption only
Key Type          Signature (AllowSignatureOnlyKeys GPO on Windows 6.0+); Encryption (required on 2000+, more secure)
Key Usage         Digital Signature
CSP               Smart Card compatible provider
EKU               Smart Card Logon 1.3.6.1.4.1.311.20.2.2; can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU
Autoenrollment    no?
Publish in AD     no

Page 17: Smart card logon

Certificate mapping

altSecurityIdentities (all DNs written in reversed RDN order)

Subject and Issuer fields    X509:<I>DC=virtual,DC=gopas,CN=GOPAS Root CA<S>CN=kamil
Subject DN                   X509:<S>CN=kamil
Subject Key Identifier       X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
Issuer and Serial Number     X509:<I>DC=gopas,DC=virtual,CN=GOPAS Root CA<SR>32000000000003bde810
SHA1 Hash                    X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd
RFC822 name                  X509:<RFC822>[email protected]
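An added example (not from the slides) that builds these altSecurityIdentities strings in Python from certificate fields already extracted with a tool such as certutil, showing the reversed RDN order and the reversed-byte-order serial, and tagging each mapping type as strong or weak following Microsoft's later hardening guidance (KB5014754). The issuer RDNs follow the first issuer line on the slide (the two issuer lines disagree on DC order); the serial, e-mail and key bytes are constructed, and which bytes feed SHA1-PUKEY is an assumption stated in the code.

```python
import hashlib

# Mapping types Microsoft later classified as "strong" (bound to issuer plus
# serial, or to the key itself) versus "weak" (any certificate carrying the
# same subject or e-mail address would map to the user).
STRONG_TAGS = {"<I><SR>", "<SKI>", "<SHA1-PUKEY>"}

def ad_dn(rdns):
    """AD writes the DN with its RDNs in reverse order:
    CN=GOPAS Root CA,DC=gopas,DC=virtual -> DC=virtual,DC=gopas,CN=GOPAS Root CA"""
    return ",".join(reversed(rdns))

def issuer_subject(issuer_rdns, subject_rdns):
    return f"X509:<I>{ad_dn(issuer_rdns)}<S>{ad_dn(subject_rdns)}"

def subject_only(subject_rdns):
    return f"X509:<S>{ad_dn(subject_rdns)}"

def subject_key_identifier(ski):
    return f"X509:<SKI>{ski.hex()}"

def issuer_serial(issuer_rdns, serial):
    # The serial number is written in reversed byte order as lowercase hex.
    return f"X509:<I>{ad_dn(issuer_rdns)}<SR>{serial[::-1].hex()}"

def sha1_pukey(spki_der):
    # Assumption: SHA-1 over the DER-encoded SubjectPublicKeyInfo.
    return f"X509:<SHA1-PUKEY>{hashlib.sha1(spki_der).hexdigest()}"

def rfc822(email):
    return f"X509:<RFC822>{email}"

def mapping_strength(value):
    """Return 'strong' or 'weak' from the sequence of <tag>s in a mapping string."""
    tags = "".join("<" + part.split(">")[0] + ">" for part in value.split("<")[1:])
    return "strong" if tags in STRONG_TAGS else "weak"

# Constructed sample for a lab CA in domain gopas.virtual; the serial is chosen
# so that its byte reversal gives the <SR> value shown on the slide.
ISSUER = ["CN=GOPAS Root CA", "DC=gopas", "DC=virtual"]
SUBJECT = ["CN=kamil"]
SERIAL = bytes.fromhex("10e8bd03000000000032")

if __name__ == "__main__":
    for m in (issuer_subject(ISSUER, SUBJECT), subject_only(SUBJECT),
              issuer_serial(ISSUER, SERIAL), rfc822("kamil@gopas.virtual")):
        print(f"{mapping_strength(m):6} {m}")
```

Prefer the strong forms when populating the attribute: a subject-only or RFC822 mapping is satisfied by any certificate with that name, whereas issuer plus serial or the key identifier pins the mapping to one issued certificate.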

Page 18: Smart card logon

Courses of the Gopas Computer School at www.gopas.cz

GOC170 - AD Monitoring with SCOM and ACS
GOC171 - Active Directory Troubleshooting
GOC172 - Kerberos Troubleshooting
GOC173 - Enterprise PKI
GOC174 - SharePoint Architecture and Troubleshooting
GOC175 - Advanced Security
GOC169 - Auditing ISO/IEC 2700x

Get a TechEd 2014 T-shirt for filling in the evaluation questionnaire.