Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker |...
Ing. Ondřej Ševeček
MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
ondrej@sevecek.com | www.sevecek.com

Smart card logon
Motivation
– Use certificates for logon
– Random keys are stronger than passwords
  – SHA-1 >> 12 character password
– Passwords can be stolen in clear
  – Thursday, 10:30 :-)
– Multifactor authentication with smart card
  – private key never leaves the card
  – must have the card to logon
  – simple PIN just to prevent an accidental loss
Technology
– PC/SC chip + reader
– Credit card format
  – transport in wallet or stripe
  – printed
  – RFID
  – requires separate reader
– Token
  – attach to keys
  – no reader necessary
  – no printing
  – no RFID
Drivers
– Reader driver
  – USB CCID compatible built-in
  – many other built-in
– Chip driver
  – Cryptographic Service Provider (CSP)
    • SafeSign, CryptPlus, Schlumberger, …
  – minidriver for Microsoft Base Smart Card CSP
  – CERTUTIL -csplist
Vendors
– Card + reader ~ 1000 CZK
– Gemalto
  – .NET v2 ~ IDPrime IM v2 ~ IDPrime .NET ~ IDPrime IM v3 ~ Axalto Cryptoflex .NET
  – the only mini-driver built-in
– Monet+
  – Czech vendor
  – mini-driver installable
– Aladdin, …
  – require full CSP $$$
Card management
– CERTUTIL -scinfo
– Excel :-)
– third-party tools
CA hierarchy?
– Trust maintenance
  – may be expensive to be trusted
  – may be even more expensive to revoke root
  – risk analysis
– Revocation of subordinates
– Distributed administration
  – Qualified subordination
– CRL (Certificate Revocation List)
– OCSP (Online Certificate Status Protocol)
CA hierarchy?
(diagram: two-tier hierarchy, one root with three subordinate CAs, each issuing leaf certificates)
– GOPAS Root CA
  – GOPAS London CA → leaf certificates
  – GOPAS Paris CA → leaf certificates
  – GOPAS Prague CA → leaf certificates
CA hierarchy?
(diagram: three independent root CAs, each issuing leaf certificates directly)
– GOPAS Root London CA → leaf certificates
– GOPAS Root Paris CA → leaf certificates
– GOPAS Root Prague CA → leaf certificates
Where the nonsense leads
– Offline root
  – OS license
  – hardware
  – physical access to publish CRLs
– Degenerate CRL publishing
  – once every several months
  – or only once!
Trust maintenance in Windows domain
Risk assessment in Windows domain
– Risk of an AD Domain Controller: a single DC compromised = the whole forest compromised
– An online AD integrated enterprise PKI cannot have higher risks than any DC
– NTAuth CAs have the same level of risk as any DC
CA hierarchy?
Algorithms
– SHA-1
  – well compatible with XP, 2003
  – stronger than 12 character passwords
– SHA-256, SHA-384, SHA-512
  – requires XP SP3
  – requires manual download of update KB938397 for 2003
  – requires manual download of update KB968730 for auto-enrollment on XP SP3 and 2003
  – no problem with the card hardware
– RSA 2048
  – well supported by card hardware
  – only 112 bit strength
– RSA 4096
  – stronger, but limited support by card hardware
– ECDH
  – bad application support and no card hardware support
Comparable Algorithm Strengths (SP800-57)

| Strength | Symmetric | RSA       | ECDSA     | SHA     |
|----------|-----------|-----------|-----------|---------|
| 80 bit   | 2TDEA     | RSA 1024  | ECDSA 160 | SHA-1   |
| 112 bit  | 3TDEA     | RSA 2048  | ECDSA 224 | SHA-224 |
| 128 bit  | AES-128   | RSA 3072  | ECDSA 256 | SHA-256 |
| 192 bit  | AES-192   | RSA 7680  | ECDSA 384 | SHA-384 |
| 256 bit  | AES-256   | RSA 15360 | ECDSA 512 | SHA-512 |
Domain SC User with RSA (certificate template)

| Extension       | Value |
|-----------------|-------|
| Subject         | Common Name or Distinguished Name |
| SAN             | UPN, or AD mapped subject (Windows 6.0+) |
| Exportable Key  | no? |
| Archive Key     | no, transport encryption only |
| Key Type        | Signature (AllowSignatureOnlyKeys GPO on Windows 6.0+); Encryption (required on 2000+, more secure) |
| Key Usage       | Digital Signature |
| CSP             | Smart Card compatible provider |
| EKU             | Smart Card Logon 1.3.6.1.4.1.311.20.2.2; can be empty on Windows 6.0+, but if present, must contain the Smart Card Logon EKU |
| Autoenrollment  | no? |
| Publish in AD   | no |
Certificate mapping
altSecurityIdentities (all DN components written in reverse order)

| Mapped by                  | altSecurityIdentities value |
|----------------------------|-----------------------------|
| Subject and Issuer fields  | X509:<I>DC=virtual,DC=gopas,CN=GOPAS Root CA<S>CN=kamil |
| Subject DN                 | X509:<S>CN=kamil |
| Subject Key Identifier     | X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41 |
| Issuer and Serial Number   | X509:<I>DC=gopas,DC=virtual,CN=GOPAS Root CA<SR>32000000000003bde810 |
| SHA1 hash of public key    | X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd |
| RFC822 name                | X509:<RFC822>[email protected] |
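The reversed notation above is easy to get wrong by hand. As an added example (not from the slides), the helper below builds the Subject/Issuer and Issuer/Serial-Number mapping strings from a DN in the usual LDAP display order and from a serial number as shown by certutil; the sample DN, subject and the serial byte string it assumes are constructed to reproduce the values on the slide.

```python
# Added example: build altSecurityIdentities values for explicit certificate mapping.
# Windows expects every DN in the <I> and <S> fields with its RDNs in reverse order,
# and the <SR> serial number with its bytes reversed relative to the certutil display.
# The <SKI>, <SHA1-PUKEY> and <RFC822> forms are copied as-is and are not built here.

def split_dn(dn: str) -> list:
    """Split an LDAP-style DN into RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def reverse_dn(dn: str) -> str:
    """'CN=GOPAS Root CA,DC=gopas,DC=virtual' -> 'DC=virtual,DC=gopas,CN=GOPAS Root CA'."""
    return ",".join(reversed(split_dn(dn)))


def reverse_serial(serial_hex: str) -> str:
    """Reverse the byte order of a serial number given as hex (spaces/colons allowed)."""
    clean = serial_hex.replace(" ", "").replace(":", "").lower()
    if len(clean) % 2:          # pad an odd nibble count so bytes line up
        clean = "0" + clean
    return bytes.fromhex(clean)[::-1].hex()


def issuer_subject_mapping(issuer_dn: str, subject_dn: str) -> str:
    return f"X509:<I>{reverse_dn(issuer_dn)}<S>{reverse_dn(subject_dn)}"


def issuer_serial_mapping(issuer_dn: str, serial_hex: str) -> str:
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


if __name__ == "__main__":
    # Constructed sample input: issuer DN in display order, certutil-style serial.
    issuer = "CN=GOPAS Root CA, DC=gopas, DC=virtual"
    print(issuer_subject_mapping(issuer, "CN=kamil"))
    print(issuer_serial_mapping(issuer, "10 e8 bd 03 00 00 00 00 00 32"))
```

The resulting string is what goes into the user's altSecurityIdentities attribute (for example via Set-ADUser -Add); verify that the account maps to exactly one certificate before relying on it for logon.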
Courses of the GOPAS Computer School at www.gopas.cz
– GOC170 - AD Monitoring with SCOM and ACS
– GOC171 - Active Directory Troubleshooting
– GOC172 - Kerberos Troubleshooting
– GOC173 - Enterprise PKI
– GOC174 - SharePoint Architecture and Troubleshooting
– GOC175 - Advanced Security
– GOC169 - Auditing ISO/IEC 2700x

Get a TechEd 2014 T-shirt for a completed evaluation questionnaire.