Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security

Presentation transcript:

1 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security

2 PKI Design

3 Cryptographic Algorithms
- Hash algorithms
  - no keys
  - MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512
- Symmetric key algorithms
  - secret key
  - RC4, DES, 3-DES, AES
- Asymmetric key algorithms
  - public and private key
  - RSA, DH, EC

4 PKI Design

5 Hash example (not good)
- Sum alphabet letter positions: HELLO = 8 + 5 + 12 + 12 + 15 = 52
- Can obtain arbitrary clear-text (collision) without brute-forcing
- Several similar clear-texts lead to similar output

6 Hash collisions
- Pure arithmetic collisions
  - limited exploitability
- Post-signing collisions
- Chosen-prefix collisions

7 Post-signing collision
Signed document:
  Name: Ondrej
  Owes: 100 $
  Hash: 14EEDA49C1B7
  To: Kamil
  Signature: 3911BA85
Altered document with the same hash and signature:
  Name: Ondrej
  Owes: $
  Hash: 14EEDA49C1B7
  To: Kamil
  Signature: 3911BA85
  Trash:
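The slide-5 letter-sum hash and the slide-7 post-signing forgery against it, worked in Python as an added example that is not part of the presentation; the IOU text, the tampered copy and the "ZG" filler are constructed here, and SHA-256 stands in for a real hash to show why the same trick fails against it.

```python
import hashlib

# Added example, not from the slides: the "sum alphabet letter positions" hash
# of slide 5, the slide-7 post-signing forgery against it, and the SHA-256
# avalanche behaviour a real hash gives instead. Sample texts are constructed.

def toy_hash(text: str) -> int:
    """Slide 5: add the alphabet position (A=1 .. Z=26) of every letter.
    Digits, spaces and punctuation contribute nothing, so HELLO -> 52."""
    return sum(ord(c) - 64 for c in text.upper() if "A" <= c <= "Z")

def letters_summing_to(n: int) -> str:
    """Filler text whose toy_hash is exactly n: a run of Z's plus one final letter."""
    full, rest = divmod(n, 26)
    return "Z" * full + (chr(64 + rest) if rest else "")

def forge(signed: str, tampered: str) -> str:
    """Slide 7: append a filler line (the slide's 'Trash' field) so the tampered
    document keeps the signed document's toy hash and therefore its signature.
    Works because the hash is additive; the forger never needs the signer's key."""
    deficit = toy_hash(signed) - toy_hash(tampered)
    if deficit < 0:
        raise ValueError("tampering raised the sum; appending text cannot lower it")
    filler = letters_summing_to(deficit)
    return tampered + ("\n" + filler if filler else "")

def sha256_bits_changed(a: str, b: str) -> int:
    """Hamming distance between the SHA-256 digests of two texts (256 bits max).
    A real hash flips about half of its bits for any change, so no padding
    can steer it back to the original value."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")

if __name__ == "__main__":
    # constructed sample: the signed IOU from slide 7 and a tampered copy
    signed = "Name: Ondrej\nOwes: 100 $\nTo: Kamil"
    forged = forge(signed, "Name: Ondrej\nOwes: 1000 $\nTo: Al")
    print(toy_hash("HELLO"), toy_hash("OLLEH"))   # anagrams collide
    print(toy_hash(signed), toy_hash(forged))     # equal: signature still "valid"
    print(repr(forged.splitlines()[-1]))          # the trash field that restores the sum
    print(sha256_bits_changed(signed, forged))    # roughly half of the 256 bits differ
```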

8 Chosen-prefix collision
First certificate:
  CN:
  Valid: 2010
  Hash: 24ECDA49C1B7
  Serial #: 325
  Signature: 5919BA85
  Public: 35B87AA11...
Second certificate (same hash and signature, different public key):
  CN:
  Valid: 2010
  Hash: 24ECDA49C1B7
  Serial #: 325
  Signature: 5919BA85
  Public: 4E9618C9D...

9 MD5 problems
- Pure arithmetic in 2^112 evaluations
- Post-signing collisions suspected
- Chosen-prefix collisions
  - practically proved for certificates with predictable serial numbers
  - 2^50

10 SHA-1 problems
- General brute-force attack at 2^80
  - about as complex as a 12-character password
- Some collisions found at 2^63
  - pure arithmetic collisions, no exploitation proved

11 PKI Design

12 Performance considerations
- Asymmetric algorithms use large keys
  - EC keys are about 10 times smaller
- Encryption/decryption time about 100x longer
  - symmetric is faster

13 Digital Signature (not good)
[diagram: the whole Document is signed directly with the Private key]

14 Digital Signature
[diagram: Document -> Hash -> signed with the Private key -> Digital Signature]

15 Storage Encryption (slow)
[diagram: the whole Document is encrypted directly with the Public key]

16 Storage Encryption
[diagram: a random Symmetric encryption key encrypts the Document; the Symmetric key is encrypted with the Public key of User A]

17 Storage Encryption
[diagram: a random Symmetric encryption key encrypts the Document; the Symmetric key is encrypted once with the Public key of User A and once with the Public key of User B]

18 Transport encryption
[diagram: Client and Server; the Public key protects the Symmetric Key, the Symmetric Key protects the Data]

19 PKI Design

20 Random Number Generators
- Deterministic RNG: uses cryptographic algorithms and keys to generate random bits
  - attack on randomly generated symmetric keys
  - DNS cache poisoning
- Nondeterministic RNG (true RNG): uses a physical source that is outside human control
  - smart cards, tokens
  - HSM (hardware security modules)

21 Random Number Generators
- CryptGenRandom()
  - hashed
  - Vista+: AES (NIST )
  - DSS (FIPS 186-2)
- Entropy from
  - system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …

22 PKI Design

23 US standards
- FIPS (Federal Information Processing Standards)
  - provides standard algorithms
- NIST (National Institute for Standards and Technology)
  - approves the algorithms for US government non-classified but sensitive use
  - latest: NIST SP800-57, March 2007
- NSA (National Security Agency)
  - Suite-B for Secret and Top Secret (2005)

24 Cryptoperiods (SP800-57)
Key | Cryptoperiod
Private signature | 1-3 years
Public signature verification | > 3 years
Symmetric authentication | <= 5 years
Private authentication | 1-2 years
Symmetric data encryption | <= 5 years
Public key transport key | 1-2 years
Private/public key agreement key | 1-2 years

25 Comparable Algorithm Strengths (SP800-57)
Strength | Symmetric | RSA | ECDSA | SHA
80 bit | 2TDEA | RSA 1024 | ECDSA 160 | SHA-1
112 bit | 3TDEA | RSA 2048 | ECDSA 224 | SHA-224
128 bit | AES-128 | RSA 3072 | ECDSA 256 | SHA-256
192 bit | AES-192 | RSA 7680 | ECDSA 384 | SHA-384
256 bit | AES-256 | RSA 15360 | ECDSA 512 | SHA-512

26 Security lifetimes (SP800-57 and Suite-B)
Lifetime | Strength | Level
Through 2010 | 80 bit | US Confidential
Through 2030 | 112 bit | US Confidential
(Suite-B) | 128 bit | US Secret
(Suite-B) | 192 bit | US Top Secret
Beyond 2030 | 128 bit | US Confidential

27 NSA Suite-B Algorithms
- NSA publicly published algorithms (2005)
  - as against Suite-A, which is private
- AES-128, ECDH-256, ECDSA-256, SHA-256
  - Secret
- AES-256, ECDH-384, ECDSA-384, SHA-384
  - Top Secret

28 PKI Design

29 Cryptographic Providers
- Cryptographic Service Provider (CSP)
  - Windows
  - can use only V1 and V2 templates
- Cryptography Next Generation (CNG)
  - Windows Vista+
  - requires V3 templates
  - enables use of ECC
- CERTUTIL -CSPLIST

30 Cryptographic Providers
Type | Operating System | Algos | Template
CSP | Windows 2000, Windows 2003 | AES, SHA-1, RSA | v1, v2
CSP | Windows XP SP3, Windows 2003 KB | AES, SHA-1, RSA, SHA-2 | v1, v2
CNG | Windows Vista | AES, SHA-1, RSA, SHA-2, EC | v3

31 SHA-2 Support
- Windows XP
- Windows KB
- Windows Phone 7
- AD CS on Windows
- Autoenrollment on XP with KB
- TMG 2010 with KB in the future

32 Cryptography support
System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC, SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
Windows 2000 | yes | no | yes | no
Windows XP | yes | no
Windows 2003 | yes | non-public update | yes | no
Windows Vista/2008 | yes
Windows 7/2008 R2 | yes

33 Cryptography support
System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC, SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
Windows Mobile 6.5 | yes | no
Windows Mobile 7 | yes
TMG 2010 | yes | no
SCCM 2007 | yes | no
SCOM 2007 | yes | no

34 Encryption
Algorithm | EFS | BitLocker | IPSec | Kerberos | NTLM | RDP
DES | LM password hash, NTLM
3DES |
RC |
AES | Vista +
DH |
RSA | Seven
ECC | Seven +, Vista +, Seven +

35 Hashing
Use | MD4 | MD5 | SHA-1 | SHA-2
NT password hash | NT4 +
Digest password hash |
IPSec | Seven +
NTLM |
NTLMv2 |
MS-CHAP |
MS-CHAPv2 |

36 CNG (v3) Not Supported
- EFS
  - Windows 2008/Vista-
- VPN/WiFi Client (EAP-TLS, PEAP client)
  - Windows 2008/7-
  - user or computer certificate authentication
- TMG 2010
  - server certificates on web listeners
- Outlook 2003
  - user certificates for signatures or encryption
- Kerberos
  - Windows 2008/Vista- DC certificates
- System Center Operations Manager 2007 R2
- System Center Configuration Manager 2007 R2
- SQL Server 2008 R2-
- Forefront Identity Manager 2010 (Certificate Management)

37 PKI Design

38 CA Hierarchy
[diagram: IDTT Root CA at the top; IDTT London CA, IDTT Paris CA and IDTT Roma CA below it; Leaf certificate at the bottom]

39 Offline Root
- Root CA cannot be revoked if compromised
- Making a new Root CA trusted may be difficult
- Delegation of administration
- Must issue CRLs
  - the more frequent, the more secure, but more "costly"

40 Active Directory
- Group Policy
  - every 120 minutes by default
- Trusted Root CAs
- Untrusted CAs
- NTAuth: CA issues logon certificates


42 PKI Design

43 SKU Features
Windows Server | Certificate Templates | Autoenrollment | Key Archival | SMTP Exit Module | Role Separation | Cross-forest Enrollment
2008 R2 Standard | V1, V2, V3 | Yes | No
2008 R2 Enterprise | V1, V2, V3 | Yes
2008 Standard | V1 | No
2008 Enterprise | V1, V2, V3 | Yes | No
2003 Standard | V1 | No
2003 Enterprise | V1, V2 | Yes | No

44 SKU Features
Windows Server | Web Enrollment | Enrollment Web Services | OCSP Responder | SCEP Enrollment
2008 R2 Standard | yes | no
2008 R2 Enterprise | yes
2008 Standard | yes | no
2008 Enterprise | yes | no | yes
2003 Standard | yes | no
2003 Enterprise | yes | no

45 Role Separation
- Enrollment Agent = Registration Authority
  - signs certificate requests
- Certificate Managers
  - approve certificate requests
- Different groups of EA/CM approve requests for different groups of Enrollees

46 PKI Design

47 SSL Certificate prices
- Verisign (1999): 300 $/year
- Thawte (2003): 150 $/year
- Go Daddy (2005): 60 $/year
- GlobalSign (2006): 250 $/year
- StartCom (2009): free

48 EV Certificate prices
- Verisign (1999): 1500 $/year
- Thawte (2003): 600 $/year
- Go Daddy (2005): 100 $/year
- GlobalSign (2006): 900 $/year
- StartCom (2009): 50 $/year

49 Support for SAN and wildcards
Application | Supports * | Supports SAN
Internet Explorer 4.0 and older | no
Internet Explorer 5.0 and newer | yes
Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored
Windows Pocket PC 3.0 and 4.0 | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 and newer | yes
Outlook 2003 and newer | yes
RDP/TS proxy | yes | yes, if SAN present Subject is ignored
ISA Server firewall certificate | yes
ISA Server 2000 and 2004 published server certificate | no
ISA Server 2006 published server certificate | yes | yes, only the first SAN name

50 OCSP and Delta CRL
System | Checks OCSP | Delta CRL
Windows 2000 and older | no
Windows XP and older | no | yes
Windows Vista and newer | yes, preferred | yes
Windows Pocket PC 4.0 and older | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 | no | yes
Windows Mobile 6.1 and newer | yes, preferred | yes
ISA Server 2006 and older | no | yes
TMG 2010 and newer | yes, preferred | yes

51 CRL checks in Internet Explorer
Version | CRL and OCSP checking
4.0 and older | no checks
5.0 and newer | can check CRL, disabled by default
7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default

52 Windows Mobile 2003 and 5.0 trusted CAs
Company | Certificate Name | Windows Mobile
Cybertrust | GlobalSign Root CA | 2003 and 5.0
Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0
Cybertrust | GTE CyberTrust Root | 2003 and 5.0
Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0
Verisign | Thawte Premium Server CA | 2003 and 5.0
Verisign | Thawte Server CA | 2003 and 5.0
Verisign | Secure Server Certification Authority | 2003 and 5.0
Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0
Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0
Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0
Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0
Godaddy | http://www.valicert.com/ | 5.0

53 Windows Mobile 6.0 trusted CAs
Company | Certificate Name
Comodo | AAA Certificate Services
Comodo | AddTrust External CA Root
Cybertrust | Baltimore CyberTrust Root
Cybertrust | GlobalSign Root CA
Cybertrust | GTE CyberTrust Global Root
Verisign | Class 2 Public Primary Certification Authority
Verisign | Thawte Premium Server CA
Verisign | Thawte Server CA
Verisign | Secure Server Certification Authority
Verisign | Class 3 Public Primary Certification Authority
Entrust | Entrust.net Certification Authority (2048)
Entrust | Entrust.net Secure Server Certification Authority
Geotrust | Equifax Secure Certificate Authority
Geotrust | GeoTrust Global CA
Godaddy | Go Daddy Class 2 Certification Authority
Godaddy | http://www.valicert.com/
Godaddy | Starfield Class 2 Certification Authority

54 RSA 2048 browser support
Browser | First Version
Internet Explorer | 5.01
Mozilla Firefox | 1.0
Opera | 6.1
Apple Safari | 1.0
Google Chrome |
AOL | 5
Netscape Communicator | 4.51
Red Hat Linux Konqueror |
Apple iPhone |
Windows Mobile | 2003
Windows CE | 4.0
RIM Blackberry | 4.3.0
PalmOS | 5
Sony Playstation Portable |
Sony Playstation 3 |
Nintendo Wii |

55 Extended Validation browsers
Browser | First Version
Internet Explorer | 7.0
Opera | 9.5
Firefox | 3
Google Chrome | -
Apple Safari | 3.2
Apple iPhone | 3.0

56 S/MIME RSA 2048 client support
Client | First Version
Microsoft Outlook | 99
Mozilla Thunderbird | 1.0
Qualcomm Eudora | 6.2
Lotus Notes | 6
Netscape Communicator | 4.51
Mulberry Mail |
Apple Mail |
Windows Mail |
The Bat |
