
Windows and Smart Card Logon



  1. Windows and Smart Card Logon Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise | CEH | MCSE:Windows2012 ondrej@sevecek.com | www.sevecek.com | GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

  2. Certificate logon • Motivation • Kerberos smart card logon vs. TLS client certificate authentication • CA requirements • Certificate requirements • Enrollment agents

  3. Motivation

  4. Assumption • We are as secure as possible on Windows with standard Ethernet • no LM hashes • no plaintext passwords • no intrusion detection • Kerberos where possible • NTLMv2 if a must

  5. Motivation • Passwords shorter than 12 chars are insecure • Can be cracked from • AD, local databases, password caches, NTLM and Kerberos traffic, LDAP simple bind, stored passwords, … • Windows passwords are MD4 • cracking, Rainbow tables • Certificates are SHA-1 or SHA2 • random keys, not transported easily without smart cards

  6. SHA-1 problems • Generic (birthday-bound) collision attack at 2^80

  7. Windows passwords • 8 characters password? • 80^8 possible passwords • 2^x = 80^8 ?? • x * log 2 = 8 * log 80 • x = 8 * log 80 / log 2 • x ~= 51 • 10 characters ~= 2^63 • 12 characters ~= 2^76

  8. Cracking 8-character passwords • single CPU in Cain • 25 years • 10 low-end GPUs in Distributed Password Recovery • days • Rainbow table • minutes • 576 GB

  9. Kerberos • Rainbow tables inefficient due to salting • NTLMv2 as well • Can use smart cards • Armoring on Windows 8/2012 • Better services such as delegation, compound authentication, claims • Newer algorithms • AES

  10. Certificate logon

  11. Kerberos vs. TLS • Kerberos TGT generation • password • PKINIT with certificate • TLS client certificate logon • require client certificate • prevents pre-authentication attacks

  12. CA requirements • Trusted • NTAuth super-trusted • CRL/OCSP available

  13. CA best practices • Do not bother with hierarchy and offline roots • May be on a DC • the same threat and security level • Always make CRL available on public DNS • could be made internet accessible in the future

  14. Certificate requirements • Domain Controllers • name of the domain • Smart Card Logon + Kerberos Authentication • User certificates • Kerberos PKINIT: Smart Card Logon • TLS client certificate auth: Client Authentication
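An added example (not from the slides) that checks certificates in a store against the requirements slide 14 lists: the EKU OIDs are the standard Microsoft/PKIX values for Smart Card Logon, Kerberos (KDC) Authentication and Client Authentication; the store path and the English "Principal Name=" text used to detect a UPN in the SAN are assumptions.

```powershell
# Standard EKU OIDs (Microsoft / PKIX); these are not assumptions.
$Oid = @{
    SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Kerberos PKINIT user logon
    ClientAuth     = '1.3.6.1.5.5.7.3.2'        # TLS client certificate authentication
    KdcAuth        = '1.3.6.1.5.2.3.5'          # "Kerberos Authentication" (KDC) EKU for DCs
}

function Get-LogonCertificateRole {
    # Reports, per certificate, which logon scenario from the slides it can serve.
    param(
        [Parameter(ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        # Extended Key Usage extension (2.5.29.37): collect the EKU OID strings.
        $ekus = @()
        $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($ekuExt) {
            $typed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
            $ekus = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        # Subject Alternative Name (2.5.29.17): Windows formats a UPN as "Other Name:Principal Name=...".
        # Matching on that English text is an assumption of this example.
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            Subject              = $Certificate.Subject
            Thumbprint           = $Certificate.Thumbprint
            HasPrivateKey        = $Certificate.HasPrivateKey
            HasUpnInSan          = ($sanText -match 'Principal Name=')
            # User cert for Kerberos PKINIT: Smart Card Logon EKU
            PkinitSmartCardLogon = ($ekus -contains $Oid.SmartCardLogon)
            # User cert for TLS client certificate auth: Client Authentication EKU
            TlsClientCertAuth    = ($ekus -contains $Oid.ClientAuth)
            # Domain controller cert: Smart Card Logon + Kerberos Authentication EKUs
            DcKerberosAuth       = ($ekus -contains $Oid.SmartCardLogon) -and ($ekus -contains $Oid.KdcAuth)
        }
    }
}

# Assumed store path; use Cert:\LocalMachine\My on a domain controller.
Get-ChildItem Cert:\CurrentUser\My | Get-LogonCertificateRole | Format-Table -AutoSize
```

The script only reads certificate metadata; chain trust, NTAuth membership and CRL reachability (slide 12) still have to be verified separately, for example with certutil -verify.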

  15. Domain TLS User with RSA

  16. Domain SC User with RSA

  17. Enrollment Agent • aka Registration Authority (RA) • Generates requests signed by its own RA certificate • AD CS can apply more granular policies

  18. Thank you! ondrej@sevecek.com | www.sevecek.com | GOPAS: info@gopas,cz | www.gopas.cz | www.facebook.com/P.S.GOPAS

  19. Upcoming conferences and seminars • Breakfast session, 11.11.2013: The most important things about TLS and SSL on Windows (Ondřej Ševeček) • ShowIT 2014, 11.–13.02.2014: technical IT conference, 60 talks, news from BackOffice, Development and Security • Highlight: Ethical Hacking • Surprise: moderated speaker panel
