GOPAS TechEd 2012
PKI Design
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com
PKI Design Algorithms
Cryptographic Algorithms
  Hash algorithms (no keys): MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512
  Symmetric key algorithms (secret key): RC4, DES, 3-DES, AES
  Asymmetric key algorithms (public and private key): RSA, DH, EC
PKI Design Thoughts on Hashing
Hash example (not good)
  Sum of alphabet letter positions: HELLO = 8 + 5 + 12 + 12 + 15 = 52
  An arbitrary clear-text with the same hash (a collision) can be obtained without brute-forcing
  Several similar clear-texts lead to similar output
Hash collisions
  Pure arithmetic collisions (limited exploitability)
  Post-signing collisions
  Chosen-prefix collisions
Post-signing collision (signed document on the left, forged document with appended trash on the right)
  Name: Ondrej               Name: Ondrej
  Owes: 100 $                Owes: 1 000 000 $
  To: Kamil                  To: Kamil
                             Trash: XX349%$@#BB...
  Hash: 14EEDA49C1B7         Hash: 14EEDA49C1B7
  Signature: 3911BA85        Signature: 3911BA85
Chosen-prefix collision (two certificates with different content but the same hash and signature)
  Serial #: 325              Serial #: 325
  CN: www.idtt.com           CN: www.microsoft.com
  Valid: 2010                Valid: 2010
  Public: 35B87AA11...       Public: 4E9618C9D...
  Hash: 24ECDA49C1B7         Hash: 24ECDA49C1B7
  Signature: 5919BA85        Signature: 5919BA85
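The "letter position sum" hash above and the post-signing collision slide can be reproduced end to end, which makes the two weaknesses concrete. The following is an added example, not code from the presentation: it implements the toy hash, constructs a colliding clear-text by arithmetic alone, appends trash to a forged document until it hashes like the signed one, and contrasts the "similar input, similar output" property with SHA-256 from `hashlib`. The sample documents and all function names are my own.

```python
import hashlib
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_uppercase

def toy_hash(text: str) -> int:
    """The slide's 'not good' hash: sum of alphabet positions (A=1 ... Z=26).
    Characters outside A-Z (digits, punctuation, whitespace) contribute 0."""
    return sum(ALPHABET.index(c) + 1 for c in text.upper() if c in ALPHABET)

def letters_summing_to(total: int, length: Optional[int] = None) -> str:
    """Construct a string whose toy hash equals `total` by pure arithmetic,
    no brute force.  With a fixed `length`, letters are chosen greedily while
    keeping at least 1 (an 'A') for every remaining position."""
    if length is None:
        q, r = divmod(total, 26)              # free length: as many 'Z' as fit
        return "Z" * q + (ALPHABET[r - 1] if r else "")
    if not length <= total <= 26 * length:
        raise ValueError("no %d-letter word has toy hash %d" % (length, total))
    out, remaining = [], total
    for positions_left in range(length, 0, -1):
        value = min(26, remaining - (positions_left - 1))
        out.append(ALPHABET[value - 1])
        remaining -= value
    return "".join(out)

def forge_with_trash(signed_text: str, wanted_text: str) -> str:
    """'Post-signing collision' against the toy hash: append trash letters to
    the wanted text until it hashes exactly like the text that was signed.
    Only possible while the wanted text does not already hash higher."""
    delta = toy_hash(signed_text) - toy_hash(wanted_text)
    if delta < 0:
        raise ValueError("wanted text already exceeds the signed hash")
    return wanted_text + letters_summing_to(delta)

def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def compare_similar(a: str, b: str) -> Tuple[int, int]:
    """The 'similar clear-text, similar output' weakness: returns the toy hash
    difference next to the number of SHA-256 digest bits that differ."""
    sa = hashlib.sha256(a.encode()).digest()
    sb = hashlib.sha256(b.encode()).digest()
    return abs(toy_hash(a) - toy_hash(b)), hamming_bits(sa, sb)

# Constructed sample documents modelled on the slide (amounts spelled out,
# because digits do not even count in the toy hash).
SIGNED = "Name: Ondrej\nOwes: one thousand\nTo: Kamil"
WANTED = "Name: Ondrej\nOwes: one million\nTo: Kamil\n"

if __name__ == "__main__":
    print("HELLO ->", toy_hash("HELLO"))                       # 52, as on the slide
    print("5-letter text with the same hash:", letters_summing_to(52, 5))
    forged = forge_with_trash(SIGNED, WANTED)
    print("forged document:", repr(forged))
    print("hashes equal:", toy_hash(forged) == toy_hash(SIGNED))
    print("HELLO vs HELLP (toy diff, SHA-256 bits differing):",
          compare_similar("HELLO", "HELLP"))
```

A one-letter change moves the toy hash by one while roughly half of the SHA-256 digest bits flip; and for the toy hash the forger needs no search at all, only subtraction, which is the property a signature must never rest on.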
MD5 problems
  Pure arithmetic: in 2^112 evaluations
  Post-signing collisions: suspected
  Chosen-prefix collisions: practically proved for certificates with predictable serial numbers (2^50)
SHA-1 problems
  General brute-force attack at 2^80 (about as complex as a 12-character complex password)
  Some collisions found at 2^63: pure arithmetic collisions, no exploitation proved
PKI Design Algorithm Combinations
Performance considerations
  Asymmetric algorithms use large keys; EC keys are about 10 times smaller
  Asymmetric encryption/decryption takes about 100x longer; symmetric is faster
Digital Signature (not good) [diagram]: Document -> Private key -> Document (the private key is applied to the whole document)
Digital Signature [diagram]: Document -> Hash -> Private key (the private key is applied to the hash only)
Storage Encryption (slow) [diagram]: Document -> Public key (the public key is applied to the whole document)
Storage Encryption [diagram]: Document encrypted with a Symmetric encryption key (random); the Symmetric key encrypted with the Public key (User A)
Storage Encryption [diagram]: Document encrypted with a Symmetric encryption key (random); the Symmetric key encrypted once with the Public key (User A) and once with the Public key (User B)
Transport encryption [diagram]: Client -> Server: Symmetric Key encrypted with the server's Public key; Data encrypted with the Symmetric Key
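The four diagrams above share one data flow: the slow asymmetric operation touches only a hash or a random symmetric key, never the document. The following is an added example, not code from the presentation, that runs that flow with textbook RSA on toy-sized keys (a real CSP/CNG key is 2048 bits or more) and a SHA-256 counter keystream standing in for AES; both stand-ins are labelled in the comments and are there only so the exchange runs offline. All names are my own.

```python
import hashlib
import secrets
from typing import Dict, Tuple

Key = Tuple[int, int]   # (modulus n, exponent e or d)

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 512) -> Tuple[Key, Key]:
    """Textbook RSA key pair ((n, e), (n, d)).  Toy size for speed only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(doc: bytes) -> int:
    return int.from_bytes(hashlib.sha256(doc).digest(), "big")

def sign_document(doc: bytes, priv: Key) -> int:
    """Good variant: the private key is applied to the 32-byte SHA-256 hash,
    so the slow asymmetric step costs the same whatever the document size."""
    n, d = priv
    return pow(_digest_int(doc), d, n)

def verify_document(doc: bytes, sig: int, pub: Key) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(doc)

def sign_document_directly(doc: bytes, priv: Key) -> int:
    """'Not good' variant: the private key is applied to the whole document,
    which only works while the document is smaller than the modulus."""
    n, d = priv
    m = int.from_bytes(doc, "big")
    if m >= n:
        raise ValueError("document larger than the key modulus; cannot sign directly")
    return pow(m, d, n)

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher (a real system uses AES): XOR with a
    SHA-256(key || counter) keystream.  Same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def encrypt_for(doc: bytes, recipients: Dict[str, Key]) -> dict:
    """Storage encryption as drawn on the slides: one random symmetric key per
    document, wrapped separately with each recipient's public key."""
    sym_key = secrets.token_bytes(32)
    k = int.from_bytes(sym_key, "big")
    return {"ciphertext": _keystream_xor(sym_key, doc),
            "wrapped_keys": {name: pow(k, e, n) for name, (n, e) in recipients.items()}}

def decrypt_as(envelope: dict, name: str, priv: Key) -> bytes:
    """A recipient unwraps only its own copy of the key, then decrypts."""
    n, d = priv
    sym_key = pow(envelope["wrapped_keys"][name], d, n).to_bytes(32, "big")
    return _keystream_xor(sym_key, envelope["ciphertext"])

if __name__ == "__main__":
    pub_a, priv_a = rsa_keypair()
    pub_b, priv_b = rsa_keypair()
    doc = b"Name: Ondrej\nOwes: 100 $\nTo: Kamil\n" * 40      # constructed, ~1.4 KB
    sig = sign_document(doc, priv_a)
    print("signature over hash verifies:", verify_document(doc, sig, pub_a))
    try:
        sign_document_directly(doc, priv_a)
    except ValueError as exc:
        print("direct signing fails:", exc)
    env = encrypt_for(doc, {"A": pub_a, "B": pub_b})
    print("both recipients recover the document:",
          decrypt_as(env, "A", priv_a) == doc == decrypt_as(env, "B", priv_b))
```

Adding a third recipient costs one more wrapped 32-byte key, not a second copy of the ciphertext, which is exactly why the diagrams put the public key on the symmetric key rather than on the document.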
PKI Design Fun With Random Numbers
Random Number Generators
  Deterministic RNG: uses cryptographic algorithms and keys to generate random bits
    attack on randomly generated symmetric keys; DNS cache poisoning
  Nondeterministic RNG (true RNG): uses a physical source that is outside human control
    smart cards, tokens, HSM (hardware security modules)
Random Number Generators
  CryptGenRandom() (hashed)
    Windows Vista+: AES (NIST SP 800-90)
    Windows 2003 and older: DSS (FIPS 186-2)
  Entropy from: system time, process id, thread id, tick counter, virtual/physical memory, performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …
PKI Design Standards
US standards
  FIPS (Federal Information Processing Standards): provides the standard algorithms
  NIST (National Institute for Standards and Technology): approves the algorithms for US government non-classified but sensitive use; latest NIST SP800-57, March 2007
  NSA (National Security Agency): Suite-B for Secret and Top Secret (2005)
Cryptoperiods (SP800-57)
  Key                                 Cryptoperiod
  Private signature                   1 – 3 years
  Public signature verification       > 3 years
  Symmetric authentication            <= 5 years
  Private authentication              1 – 2 years
  Symmetric data encryption
  Public key transport key
  Private/public key agreement key
Comparable Algorithm Strengths (SP800-57)
  Strength   Symmetric   RSA         ECDSA        SHA
  80 bit     2TDEA       RSA 1024    ECDSA 160    SHA-1
  112 bit    3TDEA       RSA 2048    ECDSA 224    SHA-224
  128 bit    AES-128     RSA 3072    ECDSA 256    SHA-256
  192 bit    AES-192     RSA 7680    ECDSA 384    SHA-384
  256 bit    AES-256     RSA 15360   ECDSA 512    SHA-512
Security lifetimes (SP800-57 and Suite-B)
  Lifetime       Strength   Level
  2010           80 bit     US Confidential
  2030           112 bit
  Beyond 2030    128 bit    US Secret
                 192 bit    US Top Secret
NSA Suite-B Algorithms
  NSA publicly published algorithms (2005), as opposed to Suite-A, which is private
  Secret: AES-128, ECDH-256, ECDSA-256, SHA-256
  Top Secret: AES-256, ECDH-384, ECDSA-384, SHA-384
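The three slides above (comparable strengths, lifetimes, Suite-B levels) are what a designer applies when choosing a certificate profile, and the useful question is always the weakest link. The following is an added example, not code from the presentation: it encodes the slide's equivalences and grades a proposed combination such as "RSA 2048 + SHA-1 + AES-128". It goes one step beyond the table in that sizes between rows are rounded down to the row they actually reach (so RSA 4096 is credited with 128 bits, not 192) and hash strength is taken as half the output length, which reproduces every SHA row on the slide. The function names and the `assess` report format are my own.

```python
from typing import Dict, Tuple

# Comparable strengths from the SP800-57 slide: key/curve size -> bits.
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
EC_STRENGTH = {160: 80, 224: 112, 256: 128, 384: 192, 512: 256}
SYMMETRIC_STRENGTH = {"2TDEA": 80, "3TDEA": 112,
                      "AES-128": 128, "AES-192": 192, "AES-256": 256}

def _floor_lookup(table: Dict[int, int], size: int) -> int:
    """Strength of the largest table row the size at least reaches; a size
    between rows never gets credit for the next row (RSA 4096 -> 128 bit)."""
    reached = [row for row in table if row <= size]
    if not reached:
        raise ValueError("size %d is below the weakest SP800-57 row" % size)
    return table[max(reached)]

def security_bits(algorithm: str) -> int:
    """Strength in bits of one label: 'RSA 2048', 'ECDSA 256', 'SHA-1',
    'SHA-256', 'AES-128', '3TDEA' (case-insensitive)."""
    label = algorithm.strip().upper()
    name, _, size = label.partition(" ")
    if name == "RSA":
        return _floor_lookup(RSA_STRENGTH, int(size))
    if name in ("ECDSA", "ECDH", "EC"):
        return _floor_lookup(EC_STRENGTH, int(size))
    if name.startswith("SHA"):
        digits = name[3:].lstrip("-") or size       # 'SHA-256' or 'SHA 256'
        output_bits = 160 if digits == "1" else int(digits)
        return output_bits // 2                     # collision resistance
    if name == "AES":
        label = "AES-" + size
    if label in SYMMETRIC_STRENGTH:
        return SYMMETRIC_STRENGTH[label]
    raise ValueError("unknown algorithm label: " + algorithm)

def effective_strength(*algorithms: str) -> Tuple[int, str]:
    """Weakest-link strength of a combination and which component sets it."""
    weakest = min(algorithms, key=security_bits)
    return security_bits(weakest), weakest

def usable_until(bits: int) -> str:
    """Security lifetime row from the SP800-57/Suite-B slide."""
    if bits < 80:
        return "below 80 bit: not acceptable"
    if bits < 112:
        return "2010"
    if bits < 128:
        return "2030"
    return "beyond 2030"

def suite_b_level(*algorithms: str) -> str:
    """Suite-B level whose strength the combination reaches: 128 bit for
    Secret, 192 bit for Top Secret; anything weaker qualifies for neither."""
    bits, _ = effective_strength(*algorithms)
    if bits >= 192:
        return "Top Secret"
    if bits >= 128:
        return "Secret"
    return "none"

def assess(*algorithms: str) -> Dict[str, object]:
    """Report for a proposed profile (constructed helper, my own format)."""
    bits, weakest = effective_strength(*algorithms)
    return {"bits": bits, "weakest": weakest,
            "usable_until": usable_until(bits),
            "suite_b": suite_b_level(*algorithms)}

if __name__ == "__main__":
    # A common 2012 web server profile, then the two Suite-B profiles.
    print(assess("RSA 2048", "SHA-1", "AES-128"))
    print(assess("ECDSA 256", "SHA-256", "AES-128"))
    print(assess("ECDSA 384", "SHA-384", "AES-256"))
```

The first profile is the one to notice: a 2048-bit key buys 112 bits, but signing it with SHA-1 pulls the whole chain back to the 80-bit row that the slide retires in 2010.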
PKI Design Operating System Support
Cryptographic Providers
  Cryptographic Service Provider (CSP): Windows 2000+; can use only V1 and V2 templates
  Cryptography Next Generation (CNG): Windows Vista+; requires V3 templates; enables use of ECC
  CERTUTIL -CSPLIST lists the installed providers
Cryptographic Providers
  Type   Operating System                           Algos                          Template
  CSP    Windows 2000, Windows 2003                 AES, SHA-1, RSA                v1, v2
  CSP    Windows XP SP3, Windows 2003 + KB938397    AES, SHA-1, RSA, SHA-2         v1, v2
  CNG    Windows Vista                              AES, SHA-1, RSA, SHA-2, EC     v3
SHA-2 Support
  Windows XP and Windows 2003 with KB 938397
  Windows Phone 7
  AD CS on Windows 2008+
  Autoenrollment on XP with the KB
  TMG 2010 with a KB (in the future)
Cryptography support [matrix; per-cell yes/no values not recoverable]
  Algorithms: DES, 3DES, RC2, RC4, AES 128, AES 192, AES 256, MD2, MD5, HMAC, SHA-1, SHA-256, SHA-384, SHA-512, ECDSA, ECDH
  Systems: Windows 2000 (yes / no), Windows XP, Windows 2003 (non-public update; yes), Windows Vista/2008, Windows 7/2008 R2
  Systems (continued): Windows Mobile 6.5 (yes / no), Windows Mobile 7, TMG 2010, SCCM 2007, SCOM 2007
Encryption [matrix; cell assignments not recoverable]
  Uses: EFS, BitLocker, IPSec, Kerberos, NTLM, RDP
  Algorithms: DES, 3DES, RC4, AES, DH, RSA, ECC
  Markers as extracted: 2000+ (LM password hash, NTLM; 3DES, RC4, AES); 2003+; Vista+ (DH, RSA); Seven+ (ECC)
Hashing [matrix; cell assignments not recoverable]
  Algorithms: MD4, MD5, SHA-1, SHA-2
  Uses: NT password hash, Digest password hash, IPSec, NTLM, NTLMv2, MS-CHAP, MS-CHAPv2
  Markers as extracted: 2003+, 2000+, Seven+
CNG (v3) Not Supported
  EFS
  VPN/WiFi Client (EAP-TLS, PEAP Client) on Windows 2008/Vista and older
  VPN/WiFi Client (EAP-TLS, PEAP Client) on Windows 2008/7 and older: user or computer certificate authentication
  TMG 2010: server certificates on web listeners
  Outlook 2003: user email certificates for signatures or encryption
  Kerberos on Windows 2008/Vista and older: DC certificates
  System Center Operations Manager 2007 R2
  System Center Configuration Manager 2007 R2
  SQL Server 2008 R2 and older
  Forefront Identity Manager 2010 (Certificate Management)
PKI Design CA Hierarchy
CA Hierarchy [diagram]
  IDTT Root CA
    IDTT Roma CA -> leaf certificates
    IDTT London CA -> leaf certificates
    IDTT Paris CA -> leaf certificates
Offline Root
  A Root CA cannot be revoked if compromised; making a new Root CA trusted may be difficult
  Delegation of administration
  Must issue CRLs: the more frequent, the more secure, but also more “costly”
Active Directory and Group Policy
  Group Policy: Trusted Root CAs, Untrusted CAs (refreshed every 120 minutes by default)
  Active Directory: Trusted Root CAs, Untrusted CAs, NTAuth (CA issues logon certificates)
PKI Design AD CS Features
SKU Features
  Columns: Windows Server | Certificate Templates | Autoenrollment | Key Archival | SMTP Exit Module | Role Separation | Cross-forest Enrollment
  Rows: 2008 R2 Standard (V1, V2, V3; Yes; No), 2008 R2 Enterprise, 2008 Standard (V1), 2008 Enterprise, 2003 Standard, 2003 Enterprise (V1, V2)
  [remaining cells of the feature matrix not recoverable]
Enrollment Web Services: SKU Features
  Columns: Windows Server | Web Enrollment | Enrollment Web Services | OCSP Responder | SCEP Enrollment
  Rows: 2008 R2 Standard (yes; no), 2008 R2 Enterprise, 2008 Standard, 2008 Enterprise, 2003 Standard, 2003 Enterprise
  [remaining cells of the feature matrix not recoverable]
Role Separation
  Enrollment Agent (= Registration Authority): signs certificate requests
  Certificate Managers: approve certificate requests
  Different groups of EA/CM approve requests for different groups of Enrollees
PKI Design Public Certificates
SSL Certificate prices
  Verisign (1999): 300 $/year
  Thawte (2003): 150 $/year
  Go Daddy (2005): 60 $/year
  GlobalSign (2006): 250 $/year
  StartCom (2009): free
EV Certificate prices
  Verisign (1999): 1500 $/year
  Thawte (2003): 600 $/year
  Go Daddy (2005): 100 $/year
  GlobalSign (2006): 900 $/year
  StartCom (2009): 50 $/year
Support for SAN and wildcards
  Application                                              Supports *   Supports SAN
  Internet Explorer 4.0 and older                          no
  Internet Explorer 5.0 and newer                          yes
  Internet Explorer 7.0                                                 yes; if SAN present, Subject is ignored
  Windows Pocket PC 3.0 and 4.0
  Windows Mobile 5.0
  Windows Mobile 6.0 and newer
  Outlook 2003 and newer
  RDP/TS proxy
  ISA Server firewall certificate
  ISA Server 2000 and 2004 published server certificate
  ISA Server 2006 published server certificate                          yes, only the first SAN name
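The three behaviours in the table that bite in practice are: no wildcard support at all, "only the first SAN name" (ISA Server 2006 published server certificates), and "if SAN present, Subject is ignored" (Internet Explorer 7.0). The following is an added example, not code from the presentation, that models a host-name check under each of those client behaviours so a designer can predict which clients will accept a given certificate before issuing it. The `*` matching rule (exactly one whole left-most label, never a bare `*.com`), the behaviour names and the fall-back to the Subject when a certificate has no SAN are my own assumptions, not claims from the slide.

```python
from typing import Sequence

def _labels(name: str):
    return name.strip().lower().rstrip(".").split(".")

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one certificate name against a host name.
    '*' stands for exactly one whole left-most label, so *.idtt.com covers
    www.idtt.com but neither idtt.com nor mail.intra.idtt.com; a pattern
    like *.com or www.*.com is rejected outright (assumed rule)."""
    p, h = _labels(pattern), _labels(host)
    if "*" in pattern:
        if pattern.count("*") != 1 or not pattern.startswith("*.") or len(p) < 3:
            return False
    if len(p) != len(h):
        return False
    return all(a == "*" or a == b for a, b in zip(p, h))

def certificate_matches(host: str, subject_cn: str, san_dns_names: Sequence[str],
                        behaviour: str = "san_preferred",
                        supports_wildcard: bool = True) -> bool:
    """Is the certificate acceptable for `host` under one client behaviour?
      subject_only    - SAN not supported: only the Subject CN counts
      first_san_only  - only the first SAN entry counts (ISA 2006 row)
      san_preferred   - if a SAN is present the Subject is ignored (IE 7 row)
    Clients whose 'Supports *' cell is 'no' skip every wildcard name.
    Falling back to the Subject when the certificate has no SAN at all is an
    assumption of this example."""
    if behaviour == "subject_only":
        candidates = [subject_cn]
    elif behaviour == "first_san_only":
        candidates = list(san_dns_names[:1]) or [subject_cn]
    elif behaviour == "san_preferred":
        candidates = list(san_dns_names) or [subject_cn]
    else:
        raise ValueError("unknown client behaviour: " + behaviour)
    for name in candidates:
        if "*" in name and not supports_wildcard:
            continue
        if name_matches(name, host):
            return True
    return False

# Constructed certificate: Subject CN names the web host, SAN lists mail first.
SUBJECT_CN = "www.idtt.com"
SAN = ["mail.idtt.com", "www.idtt.com"]

if __name__ == "__main__":
    for host in ("www.idtt.com", "mail.idtt.com"):
        for behaviour in ("subject_only", "first_san_only", "san_preferred"):
            ok = certificate_matches(host, SUBJECT_CN, SAN, behaviour)
            print("%-14s %-15s -> %s" % (host, behaviour, "accept" if ok else "reject"))
    print("*.idtt.com covers www.idtt.com:", name_matches("*.idtt.com", "www.idtt.com"))
    print("*.idtt.com covers idtt.com:", name_matches("*.idtt.com", "idtt.com"))
```

Run against the constructed certificate, the IE 7 behaviour accepts both hosts while the "first SAN only" behaviour accepts only mail.idtt.com, even though the Subject CN is www.idtt.com: the order of SAN entries, not just their presence, decides what older publishing proxies will serve.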
OCSP and Delta CRL
  System                          Checks OCSP / Delta CRL
  Windows 2000 and older          no
  Windows XP and older            yes
  Windows Vista and newer         yes, preferred
  Windows Pocket PC 4.0 and older
  Windows Mobile 5.0
  Windows Mobile 6.0
  Windows Mobile 6.1 and newer
  ISA Server 2006 and older
  TMG 2010 and newer
CRL checks in Internet Explorer
  Version          CRL and OCSP checking
  4.0 and older    no checks
  5.0 and newer    can check CRL, disabled by default
  7.0 and newer    can check OCSP (if supported by the OS) and CRL, enabled by default
Windows Mobile 2003 and 5.0 trusted CAs
  Cybertrust: GlobalSign Root CA, GTE CyberTrust Global Root, GTE CyberTrust Root
  Verisign: Class 2 Public Primary Certification Authority, Thawte Premium Server CA, Thawte Server CA, Secure Server Certification Authority, Class 3 Public Primary Certification Authority
  Entrust: Entrust.net Certification Authority (2048), Entrust.net Secure Server Certification Authority
  Geotrust: Equifax Secure Certificate Authority
  Godaddy: http://www.valicert.com/ (5.0)
Windows Mobile 6.0 trusted CAs
  Comodo: AAA Certificate Services, AddTrust External CA Root
  Cybertrust: Baltimore CyberTrust Root, GlobalSign Root CA, GTE CyberTrust Global Root
  Verisign: Class 2 Public Primary Certification Authority, Thawte Premium Server CA, Thawte Server CA, Secure Server Certification Authority, Class 3 Public Primary Certification Authority
  Entrust: Entrust.net Certification Authority (2048), Entrust.net Secure Server Certification Authority
  Geotrust: Equifax Secure Certificate Authority, GeoTrust Global CA
  Godaddy: Go Daddy Class 2 Certification Authority, http://www.valicert.com/, Starfield Class 2 Certification Authority
RSA 2048 browser support
  Browser                      First Version
  Internet Explorer            5.01
  Mozilla Firefox              1.0
  Opera                        6.1
  Apple Safari
  Google Chrome
  AOL                          5
  Netscape Communicator        4.51
  Red Hat Linux
  Konqueror
  Apple iPhone
  Windows Mobile               2003
  Windows CE                   4.0
  RIM Blackberry               4.3.0
  PalmOS
  Sony Playstation Portable
  Sony Playstation 3
  Nintendo Wii
Extended Validation browsers
  Browser               First Version
  Internet Explorer     7.0
  Opera                 9.5
  Firefox               3
  Google Chrome         -
  Apple Safari          3.2
  Apple iPhone          3.0
S/MIME RSA 2048 client support
  Client                    First Version
  Microsoft Outlook         99
  Mozilla Thunderbird       1.0
  Qualcomm Eudora           6.2
  Lotus Notes               6
  Netscape Communicator     4.51
  Mulberry Mail
  Apple Mail
  Windows Mail
  The Bat
Questionnaire: www.teched.cz (GOPAS TechEd)
GOPAS TechEd 2012
Thank you!
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com