CredSSP in RDP. Sreekanth Nadendla, Windows Open Specifications.

Topics
- CredSSP operation
- Smart card redirection: RDPESC updates

CredSSP Authentication
- Introduced in Windows Vista/2008
- Allows for second hop authentication, aka Credentials Delegation
- Allows computer B to authenticate with computer C as computer A
- Overcomes formal Kerberos delegation
[Diagram: login from A to Server B, Server B to Server C (Kerberos)]

CredSSP Overview (MS-CSSP)
- The Credential Security Support Provider (CredSSP) Protocol enables an application to securely delegate a user's credentials from a client to a target server.
- Establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS) (as specified in [RFC2246]).
- The CredSSP Protocol uses TLS as an encrypted pipe; it does not rely on the client/server authentication services that are available in TLS.
- The CredSSP Protocol then uses the protocol extensions described in [MS-SPNG] to negotiate a Generic Security Services (GSS) mechanism that performs mutual authentication and GSS confidentiality services to securely bind to the TLS channel and encrypt the credentials for the target server.
- All GSS security tokens are sent over the encrypted TLS channel.

CredSSP Messages

TSRequest
The CredSSP Protocol introduces the TSRequest message. The client and server use this message to encapsulate the SPNEGO tokens and the TSCredentials message that the client uses to delegate the user's credentials to the CredSSP server over a TLS connection. These messages are encoded by using ASN.1 (as specified in [X690]) and Distinguished Encoding Rules (DER).

  TSRequest ::= SEQUENCE {
      version    [0] INTEGER,
      negoTokens [1] NegoData OPTIONAL,
      authInfo   [2] OCTET STRING OPTIONAL,
      pubKeyAuth [3] OCTET STRING OPTIONAL,
      errorCode  [4] INTEGER OPTIONAL
  }

authInfo
A TSCredentials structure that contains the user's credentials.

  TSCredentials ::= SEQUENCE {
      credType    [0] INTEGER,
      credentials [1] OCTET STRING
  }

  credType  Meaning
  1         credentials contains a TSPasswordCreds structure that defines the user's password credentials.
  2         credentials contains a TSSmartCardCreds structure that defines the user's smart card credentials.
  6         credentials contains a TSRemoteGuardCreds structure that defines logon and supplemental credentials.

Credential Structures

  TSPasswordCreds ::= SEQUENCE {
      domainName [0] OCTET STRING,
      userName   [1] OCTET STRING,
      password   [2] OCTET STRING
  }

  TSCspDataDetail ::= SEQUENCE {
      keySpec       [0] INTEGER,
      cardName      [1] OCTET STRING OPTIONAL,
      readerName    [2] OCTET STRING OPTIONAL,
      containerName [3] OCTET STRING OPTIONAL,
      cspName       [4] OCTET STRING OPTIONAL
  }

  TSRemoteGuardCreds ::= SEQUENCE {
      logonCred         [0] TSRemoteGuardPackageCred,
      supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL
  }

  TSRemoteGuardPackageCred ::= SEQUENCE {
      packageName [0] OCTET STRING,
      credBuffer  [1] OCTET STRING
  }
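An added example, not from the slides or from Microsoft: a minimal DER encoder and decoder for the TSRequest envelope and the TSCredentials/TSPasswordCreds structures of the preceding three slides, so the tag layout can be seen in bytes. It assumes EXPLICIT [n] tagging (the wire form starts 30 .. a0 03 02 01 <version>) and UTF-16LE strings inside TSPasswordCreds; the credential values used are constructed.

```python
def _tlv(tag, content):
    n = len(content)
    # DER length: short form below 128, otherwise 0x80|count followed by the big-endian length bytes
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def _int(v):   # INTEGER; the extra octet keeps values with the high bit set positive
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _ctx(n, inner):   # [n] EXPLICIT context tag (constructed) wrapping a complete inner TLV
    return _tlv(0xA0 | n, inner)

def _octets(b): return _tlv(0x04, b)
def _seq(*parts): return _tlv(0x30, b"".join(parts))

def ts_password_creds(domain, user, password):
    # TSPasswordCreds { domainName [0], userName [1], password [2] }; UTF-16LE is assumed here
    return _seq(*(_ctx(i, _octets(s.encode("utf-16-le"))) for i, s in enumerate((domain, user, password))))

def ts_credentials(cred_type, cred_bytes):
    # TSCredentials { credType [0] INTEGER, credentials [1] OCTET STRING }; credType 1 = TSPasswordCreds
    return _seq(_ctx(0, _int(cred_type)), _ctx(1, _octets(cred_bytes)))

def ts_request(version, nego_tokens=(), auth_info=None, pub_key_auth=None, error_code=None):
    parts = [_ctx(0, _int(version))]
    if nego_tokens:   # NegoData ::= SEQUENCE OF SEQUENCE { negoToken [0] OCTET STRING }
        parts.append(_ctx(1, _seq(*(_seq(_ctx(0, _octets(t))) for t in nego_tokens))))
    for idx, val in ((2, auth_info), (3, pub_key_auth)):   # both are GSS-wrapped blobs on the wire
        if val is not None:
            parts.append(_ctx(idx, _octets(val)))
    if error_code is not None:
        parts.append(_ctx(4, _int(error_code)))
    return _seq(*parts)

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:   # long form: the low seven bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_ts_request(buf):
    # Returns (version, tag numbers present); authInfo/pubKeyAuth stay GSS-wrapped and are not opened here
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("TSRequest must be a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        fields[tag & 0x1F] = inner
    return int.from_bytes(_read_tlv(fields[0], 0)[1], "big"), sorted(fields)
```

The decoder reads only the version and the tags present, which is all a monitoring point can see once TLS is stripped, since authInfo and pubKeyAuth remain GSS-wrapped.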

pubKeyAuth
This field is used to assure that the public key that is used by the server during the TLS handshake belongs to the target server and not to a "man in the middle". After the client completes the SPNEGO phase of the CredSSP Protocol, it uses GSS_WrapEx() for the negotiated protocol to encrypt the server's public key. The pubKeyAuth field carries the message signature and then the encrypted public key to the server. In response, the server uses the pubKeyAuth field to transmit to the client a modified version of the public key that is encrypted under the encryption key that is negotiated under SPNEGO.

Smart Card Redirection MS-RDPESC

Smart card Redirection (MS-RDPESC)
- A pipe between PC/SC implementations on the client and server side.
- Smart Card SDK functions: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374731(v=vs.85).aspx#smart_card_functions
- Smart card IOCTLs (SDK functions): https://msdn.microsoft.com/en-us/library/cc242620.aspx

Versioning and Capability
Determined by RDP client build number ([MS-RDPBCGR] section 2.2.1.3.2).

  Build Number         Dialect
  >= 7865              SCREDIR_VERSION_WINDOWS_8 (3)
  >= 4034 and < 7865   SCREDIR_VERSION_LONGHORN (2)
  < 4034               SCREDIR_VERSION_XP (1)

Capabilities

  Dialect                     Capabilities
  SCREDIR_VERSION_XP          Base level
  SCREDIR_VERSION_LONGHORN    SCARD_IOCTL_READCACHEW, SCARD_IOCTL_READCACHEA, SCARD_IOCTL_WRITECACHEW, SCARD_IOCTL_WRITECACHEA, SCARD_IOCTL_GETTRANSMITCOUNT
  SCREDIR_VERSION_WINDOWS_8   SCARD_IOCTL_GETREADERICON, SCARD_IOCTL_GETDEVICETYPEID

CredSSP with HTTP
In the network capture, you will see the headers mentioned above as:

  WWW-Authenticate: CredSSP FgMBAv0CAABRAwFW3i0gqfI50SDRncb4rJp7gbSN2wVNQK+dAYqEMgRjOSCASwAAFZTDSJsAh8lUrW8kp51iLlpG82PfAEfp+X4C+8AUAAAJABcAAP8BAAEACwAB1QAB0gABzzCCAcswggE0oAMCAQICEB4GZ1Rsl262T/Ue7d6CO2QwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAxMZV1NNQU4tc2VydmVyMS5jb

- These are the base64-encoded TLS messages.
- This is the one that trips customers the most: they expect (if HTTPS is used) CredSSP not to use TLS, since HTTPS is already doing that. Not so.
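To show what that header value really is, here is an added example (not from the slides) that base64-decodes the token quoted above and parses the TLS record and handshake headers inside it. It assumes only the standard TLS record layout; because the slide truncates the blob, the decoder drops the trailing partial base64 quartet and flags the handshake message that runs past the captured bytes.

```python
import base64
import struct

# The WWW-Authenticate: CredSSP value as it appears on the slide (the slide cuts it off mid-stream).
SLIDE_TOKEN = ("FgMBAv0CAABRAwFW3i0gqfI50SDRncb4rJp7gbSN2wVNQK+dAYqEMgRjOSCASwAAFZTDSJsAh8lU"
               "rW8kp51iLlpG82PfAEfp+X4C+8AUAAAJABcAAP8BAAEACwAB1QAB0gABzzCCAcswggE0oAMCAQIC"
               "EB4GZ1Rsl262T/Ue7d6CO2QwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAxMZV1NNQU4tc2VydmVyMS5jb")
TLS_HANDSHAKE = 22
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone"}

def decode_credssp_token(b64_token):
    # Drop any trailing partial quartet (the slide's cut-off) so base64 decoding does not fail.
    s = "".join(b64_token.split())
    return base64.b64decode(s[:len(s) - len(s) % 4])

def parse_server_hello(body):
    version = (body[0], body[1])          # followed by 32 random bytes
    sid_len = body[34]
    cipher = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    return {"hello_version": version, "session_id_len": sid_len, "cipher_suite": cipher}

def parse_tls_record(data):
    """Parse one TLS record header plus the handshake messages it carries.
    A message whose body runs past the captured bytes is reported as truncated."""
    if len(data) < 5:
        raise ValueError("record header incomplete")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {"content_type": ctype, "version": (major, minor), "length": length,
           "captured": len(body), "messages": []}
    if ctype != TLS_HANDSHAKE:
        return rec
    off = 0
    while off + 4 <= len(body):
        htype, hlen = body[off], int.from_bytes(body[off + 1:off + 4], "big")
        msg_body = body[off + 4:off + 4 + hlen]
        msg = {"type": htype, "name": HANDSHAKE_NAMES.get(htype, "unknown"),
               "length": hlen, "truncated": len(msg_body) < hlen}
        if htype == 2 and not msg["truncated"]:
            msg.update(parse_server_hello(msg_body))
        rec["messages"].append(msg)
        off += 4 + hlen
    return rec

if __name__ == "__main__":
    rec = parse_tls_record(decode_credssp_token(SLIDE_TOKEN))
    print("record type %d, version %s, %d of %d bytes captured"
          % (rec["content_type"], rec["version"], rec["captured"], rec["length"]))
    for m in rec["messages"]:
        print(m)
```

On the slide's token it reports a TLS 1.0 ServerHello (cipher suite 0xC014) followed by a truncated Certificate message, confirming that the "FgMB" prefix is a TLS handshake record (0x16 0x03 0x01).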

5/26/2018 10:01 PM © Microsoft Corporation. All rights reserved.