
Kieran Jacobsen, HP. Understanding PKI and Certificate Services.



Presentation Transcript


  1. Understanding PKI and Certificate Services
     Kieran Jacobsen, HP
     Gold Sponsors. Silver Sponsors.

  2. Agenda
     • Why should I care?
     • Contoso requirements
     • Design considerations
       • CA hierarchy
       • CA lifespan
       • Physical or virtual?
       • Private key storage
       • Key lengths
       • Certificate Revocation Lists
       • AIA and CDP locations
     • Stuff we missed…
     • Ouch! Pain points
     • PowerShell to the rescue

  3. Why Should I Care?
     There are a number of technologies which need PKI:
     • Cloud infrastructure
     • Federated identity systems, e.g. ADFS
     • HTTPS/SSL
     • SMTPS
     • Multi-factor authentication, e.g. smart cards
     • S/MIME
     • Encrypting File System (EFS)
     • Code signing
     • 802.1X authentication and/or NAP
     • Remote Desktop Services
     Many organizations have legal requirements for PKI, with serious financial or legal ramifications for a breach of that infrastructure!

  4. Contoso Requirements
     • Contoso is developing a new web application suite
     • ADFS to provide SSO
     • Almost 1 million end users
     • 3rd-party certificates for HTTPS
     • Private certificate infrastructure for internal use
     • Network is segregated into internal/corporate and perimeter networks
     • Certificates will be in use in both the corporate and perimeter networks
     • Use of certificates to be extended to other applications, remote access, partners and 3rd parties at a later date
     • High availability and continuity planning is a must

  5. Protecting your privates
     • The first rule of security in PKI is: protect the private key!
     • Protecting the private key of authorities is absolutely critical
     • If a bad guy has access to your private key or can determine your private key…

  6. CA Hierarchy
     • Single/One Tier
       • Root and Issuing CA are on the same system
       • Simple to manage
       • Hard to manage if a breach occurs
       • Not RECOMMENDED!

  7. CA Hierarchy
     • Single/One Tier
     • Two Tier
       • Root and Issuing CA are separated
       • Slightly more difficult to manage
       • Security breach of the issuing CA is easy to manage
       • Highly scalable
       • RECOMMENDED!

  8. CA Hierarchy
     • Single/One Tier
     • Two Tier
     • Three Tier
       • Root, Policy and Issuing CA separated
       • Quite difficult to manage
       • Security breach of the issuing CA is easy to manage
       • Very highly scalable
       • Not RECOMMENDED!

  9. CA lifespan
     • Certificate expiry = date of certificate issue + validity period
     • Validity period defined by:
       • Certificate template
       • CA policy
       • Expiry date of the CA's certificate
     • An authority cannot issue certificates with an expiry that is after the expiry of the authority's own certificate
     • A subordinate authority cannot have a certificate expiry later than its superior authority's. I.e. in a two-tier hierarchy, issuing CA certificates must have an expiry that is before the offline root CA's.
     • When an authority's certificate expires:
       • All certificates it issued will, logically, have expired
       • It cannot sign CRL files!

  10. CA lifespan (2)
     Validity period factors:
     • Deploying an authority is a lot of work
     • Certificates issued must expire before the authority's certificate
     • Subordinate authorities must expire before superior authorities
     • Are we going to renew CA certificates or replace them?
     • When are we going to start the work?
     Recommended validity periods:
     • Offline authorities: 10 to 25 years
     • Issuing authorities: 5 to 10 years
     Replacement schedule (diagram)

  11. Physical or Virtualized Hardware

  12. Private key storage
     • By default, private keys are stored in the local certificate store
     • The local certificate store is vulnerable to:
       • Security vulnerabilities in the software API controlling access
       • Bypassing the API with physical access to the storage/server
     • Risk mitigation by:
       • Encrypting the operating system disk with BitLocker
       • Storing physical disk media in a safe
       • Storing private keys on USB tokens or smart cards
     • Ultimate security: Hardware Security Module (HSM)

  13. Key Length
     • Offline authorities (root and policy): 4096 bits
     • Issuing authorities: 2048 bits
     • Certificates: 2048 bits
     • Avoid using keys of 1024 bits and 512 bits.

  14. Certificate Revocation Lists
     • CRL: Certificate Revocation List
     • A list of all the certificates clients should not trust
     • Signed by the certificate authority which issued the list
     • Each authority will maintain its own list
     • Released on a regular schedule, generally hourly, daily, weekly, monthly, 6-monthly or yearly
     • Valid for a limited period of time. The period is slightly longer than the release schedule
     • Delta files can be used

  15. AIA & CDP
     • AIA: Authority Information Access -> used to help validate that a certificate is trusted
     • CDP: CRL Distribution Point -> used to determine a certificate's revocation status
     • Protocols allowed: LDAP, HTTP, FTP and UNC paths
     • Placement of locations:
       • Corporate network
       • DMZ/Perimeter
       • External? Cloud?
     • How do we ensure locations are highly available?

  16. AIA & CDP at Contoso
     • LDAP
       • LDAP location based on the corporate domain, contoso.local
       • Only systems in the corporate network will have access
     • HTTP
       • HTTP location based on certs.contosocorporation.com
       • Server to be in the perimeter network
       • All internal locations have access to this location
       • External access easily made available at a later date
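The slide 16 design expressed as CA configuration, as an added example that is not part of the presentation: it sets the CDP and AIA locations of the Contoso issuing CA with `certutil -setreg`. The host names (contoso.local, certs.contosocorporation.com) are the deck's; the `CertEnroll` path under the web root and the local publish directory are this example's assumptions. It is meant to be run on the issuing CA as a CA administrator.

```powershell
# Added example, not from the presentation: configures the Contoso issuing CA's CDP and
# AIA locations from slide 16 with certutil -setreg. Host names are the deck's; the
# CertEnroll path under the web root is this example's assumption.
#
# certutil URL flag bits (add the ones you want):
#   1  publish CRLs / CA certificates to this location   (CSURL_SERVERPUBLISH)
#   2  include in the CDP or AIA extension of issued certs (CSURL_ADDTOCERTCDP)
#   4  include in CRLs so clients can locate delta CRLs   (CSURL_ADDTOFRESHESTCRL)
#   8  include in all CRLs; the AD publishing location    (CSURL_ADDTOCRLCDP)
#  64  publish delta CRLs to this location                (CSURL_SERVERPUBLISHDELTA)
# Replacement tokens: %1 server DNS name, %2 server short name, %3 CA name,
#   %4 certificate name, %6 configuration DN, %7 truncated CA name,
#   %8 CRL name suffix, %9 delta CRL suffix, %10 CDP object class, %11 CA object class.

$local = 'C:\Windows\system32\CertSrv\CertEnroll'                  # assumed local publish path
$http  = 'http://certs.contosocorporation.com/CertEnroll'          # perimeter web server (slide 16)

# Clients try CDP locations in the order listed. HTTP goes before LDAP so that perimeter
# and non-domain systems, which cannot reach contoso.local (slide 16), do not stall on it.
# The CA does not push files across the firewall itself: the HTTP entry is only embedded
# in certificates and CRLs (flag 6); the CRL copy job from slide 20 moves the files there.
$cdp = @(
    "65:$local\%3%8%9.crl"                                                       # 1+64: publish base and delta CRL locally
    "6:$http/%3%8%9.crl"                                                         # 2+4: embed in certificates and CRLs
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'   # 1+2+4+8+64: publish to AD and embed
) -join '\n'

$aia = @(
    "1:$local\%1_%3%4.crt"                                                       # publish CA certificate locally
    "2:$http/%1_%3%4.crt"                                                        # embed in certificates
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'            # 1+2: publish to AD and embed
) -join '\n'

# certutil -setreg treats the literal "\n" as the separator of a multi-string value.
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA reads these values at start-up; restart, publish a fresh CRL, then
# read the values back to confirm what new certificates will carry.
Restart-Service -Name CertSvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Certificates already issued keep their old CDP/AIA extensions, so the old locations must stay reachable until those certificates expire; only newly issued certificates pick up the changed URLs.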

  17. Other things to consider
     • Use sensible names
     • Define corporate policy:
       • Certificate Policy (CP)
       • Certificate Practice Statement (CPS)
     • Auto-enrollment
     • Online Certificate Status Protocol (OCSP)
     • Key archival

  18. Deployment summary
     • Hierarchy: 2 tier – offline root and single issuing CA
     • CA lifespan:
       • Offline: 25 years, to be replaced in 22 ½ years
       • Issuing: 5 years, to be replaced in 4 ½ years
     • Private key/hardware: all virtual
     • Key lengths:
       • Offline: 4096 bits
       • Issuing: 2048 bits
     • CRL:
       • Offline: every 6 months
       • Issuing: base weekly, delta daily
     • AIA/CDP locations:
       • LDAP: contoso.local corporate AD
       • HTTP: certs.contosocorporation.com
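The lifespan rules of slides 9 and 10 applied to the Contoso figures on slide 18, as an added example that is not part of the presentation: the planner enumerates the root and issuing CA generations a replacement schedule produces and checks that every issuing CA certificate expires before the root certificate that signed it (otherwise ADCS truncates it and the root could not sign CRLs for the subordinate's whole life). The 25/22.5-year and 5/4.5-year figures are the deck's; the longest template validity (2 years) and the 30-year planning horizon are this example's assumptions.

```powershell
# Added example, not from the presentation: applies the slide 9/10 lifespan rules to the
# two-tier Contoso design on slide 18. Validity and replacement figures are the deck's;
# template validity and planning horizon are this example's assumptions.

function Get-CaGenerations {
    # Enumerates the certificate generations one CA tier goes through inside the
    # planning horizon. Generation n+1 is signed on the day generation n is replaced.
    param(
        [Parameter(Mandatory)][double]$ValidityYears,
        [Parameter(Mandatory)][double]$ReplaceAfterYears,
        [Parameter(Mandatory)][double]$HorizonYears
    )
    $generations = @()
    $issuedAt = 0.0
    $n = 1
    while ($issuedAt -lt $HorizonYears) {
        $generations += [pscustomobject]@{
            Generation = $n
            IssuedAt   = $issuedAt
            ExpiresAt  = $issuedAt + $ValidityYears
        }
        $issuedAt += $ReplaceAfterYears
        $n++
    }
    return $generations
}

function Test-CaLifespanPlan {
    # Rule 1 (slide 9): a subordinate's certificate must expire before the certificate
    #   of the authority that signed it; ADCS otherwise truncates the subordinate's
    #   validity to the superior's expiry.
    # Rule 2 (slide 9): an authority whose certificate has expired cannot sign CRLs, so
    #   the superior must outlive every subordinate it signed. With rule 1 satisfied for
    #   every generation this follows automatically.
    # Rule 3 (slides 9/10): end-entity certificates are truncated the same way, so the
    #   longest template validity decides from when truncation starts.
    param(
        [double]$RootValidityYears        = 25,
        [double]$RootReplaceAfterYears    = 22.5,
        [double]$IssuingValidityYears     = 5,
        [double]$IssuingReplaceAfterYears = 4.5,
        [double]$TemplateValidityYears    = 2,    # assumed longest template; not in the deck
        [double]$HorizonYears             = 30    # assumed planning horizon
    )

    $roots   = Get-CaGenerations -ValidityYears $RootValidityYears `
                                 -ReplaceAfterYears $RootReplaceAfterYears -HorizonYears $HorizonYears
    $issuers = Get-CaGenerations -ValidityYears $IssuingValidityYears `
                                 -ReplaceAfterYears $IssuingReplaceAfterYears -HorizonYears $HorizonYears
    $problems = @()
    $warnings = @()

    foreach ($iss in $issuers) {
        # The signer is the newest root certificate that already exists on the issue date.
        $signer = $roots | Where-Object { $_.IssuedAt -le $iss.IssuedAt } | Select-Object -Last 1

        if ($iss.ExpiresAt -gt $signer.ExpiresAt) {
            $problems += ('Issuing CA generation {0} (issued year {1}) would expire in year {2}, after ' +
                          'root generation {3} expires in year {4}: ADCS truncates it and the root ' +
                          'could not sign CRLs for its full life.') -f $iss.Generation, $iss.IssuedAt,
                          $iss.ExpiresAt, $signer.Generation, $signer.ExpiresAt
        }

        # Certificates issued after this point are cut short at the issuing CA's expiry.
        $truncateFrom = $iss.ExpiresAt - $TemplateValidityYears
        $replacedAt   = $iss.IssuedAt + $IssuingReplaceAfterYears
        if ($truncateFrom -lt $replacedAt) {
            $warnings += ('Issuing CA generation {0}: {1}-year certificates issued between year {2} and ' +
                          'its replacement in year {3} are truncated to its expiry in year {4}.') -f
                          $iss.Generation, $TemplateValidityYears, $truncateFrom, $replacedAt, $iss.ExpiresAt
        }
    }

    [pscustomobject]@{
        Pass     = ($problems.Count -eq 0)
        Roots    = $roots
        Issuers  = $issuers
        Problems = $problems
        Warnings = $warnings
    }
}

# Contoso defaults: 25-year root replaced at 22.5 years, 5-year issuing CA replaced at 4.5 years.
$plan = Test-CaLifespanPlan
"Hierarchy rules satisfied: $($plan.Pass)"
$plan.Problems
$plan.Warnings
```

With the Contoso figures the hierarchy passes: the issuing CA signed in year 18 expires in year 23, before the first root's year 25, and the one signed in year 22.5 is already signed by the second root. The warnings show the trade-off behind the 4.5-year replacement point: with 2-year templates, certificates issued in the last 18 months before each replacement are truncated, which is the slide 9 rule in practice rather than a fault in the plan.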

  19. OUCH!! Pain points!
     • CA hashing algorithms
     • LDAP for a CRL and AIA distribution point
     • ADFS requires specific CA template versions
     • AIA specification bug

  20. PowerShell to the rescue
     • CRL monitoring and validation
     • Backups
     • Private key backups
     • CRL publishing
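The "CRL monitoring and validation" item from slide 20 as a script, added here as an example and not the presenter's own code: it downloads each CRL from its HTTP CDP, reads the validity window with `certutil -dump`, and flags CRLs that are expired, close to their NextUpdate, or unreachable. The CDP URL path and the `<CA name>` file name are placeholders, not values from the deck; `certs.contosocorporation.com` and the weekly base / daily delta schedule are from slides 16 and 18.

```powershell
# Added example, not from the presentation: a CRL health check for the Contoso CDPs.
# URL paths and the '<CA name>' file name are placeholders; certutil.exe is required.

function ConvertFrom-CrlDump {
    # Extracts ThisUpdate/NextUpdate from certutil -dump output. certutil prints local
    # time in the current culture, so [datetime]::Parse with that culture reads it back.
    param([Parameter(Mandatory)][string]$DumpText)
    $thisUpdate = [regex]::Match($DumpText, '(?m)^\s*ThisUpdate:\s*(.+?)\s*$')
    $nextUpdate = [regex]::Match($DumpText, '(?m)^\s*NextUpdate:\s*(.+?)\s*$')
    if (-not ($thisUpdate.Success -and $nextUpdate.Success)) {
        throw 'certutil output contained no ThisUpdate/NextUpdate; is the file a CRL?'
    }
    [pscustomobject]@{
        ThisUpdate = [datetime]::Parse($thisUpdate.Groups[1].Value)
        NextUpdate = [datetime]::Parse($nextUpdate.Groups[1].Value)
    }
}

function Get-CrlStatus {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$WarnHours = 24          # raise a warning this long before NextUpdate
    )
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $dump   = & certutil.exe -dump $tmp 2>&1 | Out-String
        $window = ConvertFrom-CrlDump -DumpText $dump
        $hoursLeft = ($window.NextUpdate - (Get-Date)).TotalHours
        $status = if ($hoursLeft -le 0) { 'EXPIRED' }
                  elseif ($hoursLeft -le $WarnHours) { 'WARNING' }
                  else { 'OK' }
        [pscustomobject]@{
            Url        = $Url
            ThisUpdate = $window.ThisUpdate
            NextUpdate = $window.NextUpdate
            HoursLeft  = [math]::Round($hoursLeft, 1)
            Status     = $status
        }
    }
    catch {
        # An unreachable CDP matters as much as an expired CRL: clients use their cached
        # copy until it expires and then report the revocation server as offline.
        [pscustomobject]@{
            Url        = $Url
            ThisUpdate = $null
            NextUpdate = $null
            HoursLeft  = $null
            Status     = "ERROR: $($_.Exception.Message)"
        }
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Contoso issuing CA (slide 18): weekly base CRL and daily delta CRL ('+' suffix).
# Replace '<CA name>' with the issuing CA's name.
$crls = @(
    'http://certs.contosocorporation.com/CertEnroll/<CA name>.crl'
    'http://certs.contosocorporation.com/CertEnroll/<CA name>+.crl'
)
$crls | ForEach-Object { Get-CrlStatus -Url $_ } | Format-Table -AutoSize
```

Run it as a scheduled task from a host that sits outside the corporate network as well as inside, since the HTTP CDP in the perimeter is the location every client type depends on; a daily delta CRL published with a 24-hour warning threshold will warn on every run, so set `-WarnHours` below the publication interval of the CRL being checked.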

  21. Question and answer time
     Useful links:
     • My website: http://aperturescience.su
     • PowerShell CRL Copy by PKI Blog: http://bit.ly/v5Buuf
     • Designing and Implementing a PKI by Directory Services Team: http://bit.ly/tuf0T6
     Prizes: Voyager PRO UC headset; $2650 worth of training; 20% off all books @ MSPress with code ISBRIS. Submit your feedback to WIN.
     Gold Sponsors. Silver Sponsors.
