
Smart card logon


Presentation Transcript


  1. Smart card logon
  Ing. Ondřej Ševeček
  MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint
  ondrej@sevecek.com | www.sevecek.com

  2. Motivation
  • Use certificates for logon
  • Random keys stronger than passwords
    • SHA-1 >> 12 character password
  • Passwords can be stolen in clear
    • Thursday, 10:30 :-)
  • Multifactor authentication with smart card
    • private key never leaves the card
    • must have the card to logon
    • simple PIN just to prevent an accidental loss

  3. Technology
  • PC/SC chip + reader
  • Credit card format
    • transport in wallet or stripe
    • printed
    • RFID
    • requires separate reader
  • Token
    • attach to keys
    • no reader necessary
    • no printing
    • no RFID

  4. Drivers
  • Reader driver
    • USB CCID compatible built-in
    • many other built-in
  • Chip driver
    • Cryptographic Service Provider (CSP)
      • SafeSign, CryptPlus, Schlumberger, …
    • minidriver for Microsoft Base Smart Card CSP
    • CERTUTIL -csplist

  5. Vendors
  • Card + reader ~ 1000 CZK
  • Gemalto
    • .NET v2 ~ IDPrime IM v2 ~ IDPrime .NET ~ IDPrime IM v3 ~ Axalto Cryptoflex .NET
    • the only mini-driver built-in
  • Monet+
    • Czech vendor
    • mini-driver installable
  • Aladdin, …
    • require full CSP $$$

  6. Card management
  • CERTUTIL -scinfo
  • Excel :-)
  • third-party tools

  7. CA hierarchy?
  • Trust maintenance
    • may be expensive to be trusted
    • may be even more expensive to revoke root
    • risk analysis
  • Revocation of subordinates
  • Distributed administration
  • Qualified subordination
  • CRL (Certificate Revocation List)
  • OCSP (Online Certificate Status Protocol)

  8. CA hierarchy?
  [Diagram: two-tier hierarchy. GOPAS Root CA with subordinate GOPAS Prague CA, GOPAS London CA and GOPAS Paris CA, each issuing leaf certificates.]

  9. CA hierarchy?
  [Diagram: single-tier alternative. Three independent roots, GOPAS Root Prague CA, GOPAS Root London CA and GOPAS Root Paris CA, each issuing leaf certificates directly.]

  10. Where the nonsense leads
  • Offline root
    • OS license
    • hardware
    • physical access to publish CRLs
  • Degenerate CRL publishing
    • once several months
    • or only once!

  11. Trust maintenance in Windows domain

  12. Risk assessment in Windows domain
  • Risk of AD Domain Controller
    • single DC compromised = whole forest compromised
  • Online AD integrated enterprise PKI cannot have higher risks than any DC
  • NTAuth CAs have the same level of risk as any DC

  13. CA hierarchy?

  14. Algorithms
  • SHA-1
    • well compatible with XP, 2003
    • stronger than 12 character passwords
  • SHA-256, SHA-384, SHA-512
    • requires XP SP3
    • requires manual download update KB938397 for 2003
    • requires manual download update KB968730 for auto-enrollment on XP SP3 and 2003
    • no problem with the card hardware
  • RSA 2048
    • well supported by card hardware
    • only 112 bit strength
  • RSA 4096
    • stronger, but limited support by card hardware
  • ECDH
    • bad application and no card hardware support

  15. Comparable Algorithm Strengths (SP800-57)

  16. DomainSC User with RSA

  17. Certificate mapping
  • altSecurityIdentities
    • all DNs reverted (written in reverse order)
  • Subject and Issuer fields: X509:<I>DC=virtual,DC=gopas,CN=GOPASRootCA<S>CN=kamil
  • Subject DN: X509:<S>CN=kamil
  • SubjectKeyIdentifier: X509:<SKI>ddde2ca4b86db8a908b95c6cbcc8bb1ac7a09a41
  • Issuer and SerialNumber: X509:<I>DC=gopas,DC=virtual,CN=GOPAS Root CA<SR>32000000000003bde810
  • SHA1 Hash (public key): X509:<SHA1-PUKEY>ed913fa41377dbfb8eac2bc6fcae71ecd4a974fd
  • RFC822 name: X509:<RFC822>kamil@gopas.cz
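The "all reverted" rule on this slide covers two things: the issuer and subject DNs are written with their RDNs in reverse order, and the serial number in the <SR> form is written byte-reversed. The script below is an added example (not from the presentation or from any Microsoft tool); it builds the X509:<...> strings for the mapping types listed above from constructed certificate fields, assuming the issuer DN is CN=GOPAS Root CA,DC=gopas,DC=virtual and that no RDN value contains an escaped comma.

```python
# Builds altSecurityIdentities strings in the X509:<...> forms shown on the slide.
# Added example, not part of the presentation. Input values are constructed from the
# slide's sample data; a real deployment would read them from the issued certificate.


def reverse_dn(ldap_dn: str) -> str:
    """Write an LDAP DN in the reversed RDN order altSecurityIdentities expects.

    'CN=GOPAS Root CA,DC=gopas,DC=virtual' -> 'DC=virtual,DC=gopas,CN=GOPAS Root CA'
    Assumption: no RDN value contains an escaped comma (simplified splitting).
    """
    rdns = [part.strip() for part in ldap_dn.split(",") if part.strip()]
    return ",".join(reversed(rdns))


def reverse_serial(serial_hex: str) -> str:
    """Byte-reverse a certificate serial number for the <SR> field.

    A serial certutil prints as '10 e8 bd 03 00 00 00 00 00 32' becomes
    '32000000000003bde810' in the mapping string.
    """
    clean = serial_hex.replace(" ", "").replace(":", "").lower()
    if len(clean) % 2:            # pad to a whole number of bytes before reversing
        clean = "0" + clean
    return bytes.fromhex(clean)[::-1].hex()


def issuer_subject_mapping(issuer_dn: str, subject_dn: str) -> str:
    return f"X509:<I>{reverse_dn(issuer_dn)}<S>{reverse_dn(subject_dn)}"


def subject_mapping(subject_dn: str) -> str:
    return f"X509:<S>{reverse_dn(subject_dn)}"


def ski_mapping(ski_hex: str) -> str:
    return f"X509:<SKI>{ski_hex.replace(' ', '').lower()}"


def issuer_serial_mapping(issuer_dn: str, serial_hex: str) -> str:
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


def pubkey_hash_mapping(sha1_hex: str) -> str:
    return f"X509:<SHA1-PUKEY>{sha1_hex.replace(' ', '').lower()}"


def rfc822_mapping(email: str) -> str:
    return f"X509:<RFC822>{email}"


# Constructed sample (assumed issuer DN; serial written the way certutil displays it).
ISSUER_DN = "CN=GOPAS Root CA,DC=gopas,DC=virtual"
SUBJECT_DN = "CN=kamil"
SERIAL = "10 e8 bd 03 00 00 00 00 00 32"

if __name__ == "__main__":
    print(issuer_subject_mapping(ISSUER_DN, SUBJECT_DN))
    print(issuer_serial_mapping(ISSUER_DN, SERIAL))
```

The resulting string is the value written to the user's altSecurityIdentities attribute; the <I><SR> form is the one to prefer, since it binds the mapping to one specific issued certificate.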

  18. Courses of the Gopas Computer School at www.gopas.cz
  • GOC170 - AD Monitoring with SCOM and ACS
  • GOC171 - Active Directory Troubleshooting
  • GOC172 - Kerberos Troubleshooting
  • GOC173 - Enterprise PKI
  • GOC174 - SharePoint Architecture and Troubleshooting
  • GOC175 - Advanced Security
  • GOC169 - Auditing ISO/IEC 2700x
  Get a TechEd 2014 T-shirt for filling out the evaluation questionnaire.
