Published bySilas Gilbert Modified over 8 years ago
Our Journey to Smart Cards: Protecting Privileged Accounts
Ross Wilper, Manager IT Platform Systems
October 18th, 2016
Introduction
SLAC National Accelerator Laboratory is one of 10 Department of Energy (DOE) Office of Science laboratories and is operated by Stanford University on behalf of the DOE. Since its opening in 1962, SLAC has been helping create the future. We built the world's longest particle accelerator, discovered some of the fundamental building blocks of matter and created the first website in North America.
Where the journey begins
- Office of Personnel Management cyber security breaches in 2015
- Directive to implement Level of Assurance 4 (LoA 4) for all users
Levels of Assurance
LoA | Identity proofing | Example credential types
1 | None | Password, PIN
2 | Present identifying documentation; picture compared to applicant | Username/Password
3 | Applicant presents and RA verifies identifying documentation | Username/Password + one-time passwords, RSA tokens, or Duo Push
4 | Requires in-person proofing and two forms of verified ID; background checks are done | FIPS 140-2 certified token required
Levels of assurance are defined in NIST Special Publication 800-63
So, what does this mean? Good things about Smart Cards
- Brute force logon attempts become impractical
- Compromised operating systems cannot leak authentication information
- Depending on form factor, can be converged with the physical access badge
- Built in to Windows as a credential provider since Windows 2000
So, what does this mean? Some not so good things about Smart Cards
- Onboarding can be difficult
- Card issuance and management is expensive
- Requires additional infrastructure
- Also, no added protection against pass-the-credential attacks
Track A, Take 1 – Virtual Smart Card
Good:
- Takes advantage of the TPM chip in all supported PCs
- We were already building machines centrally
Not so good:
- Preferred OS is still Windows 7, so we need 3rd-party software or have to upgrade PCs
Two ways to use TPMs with certificates
Providers under the "Key Storage Providers" category
Key Attestation (Platform Crypto Provider only)
Track B, Phase 1 – DUO Windows Logon Client for Servers
- Relatively simple to implement
- Proposed to DOE as an alternative to LoA 4
- Already in use for some sensitive servers
- Push client really well liked
- SLAC only provides phone stipends for a very small set of staff, so we made sure to include OTP tokens in our plan
Track A, Take 2 – An "A-ha" moment
- YubiKey NEO can be enabled as a PIV-compatible smart card
- YubiKey NEO Manager to activate the functionality
- YubiKey PIV Manager to request certificates
DUO + Smart Card = Bad
So, where did we end up at the end of phase 1?
- Domain Admins require Smart Cards (YubiKey NEO) for logon
- Server Admins require DUO for logon (Push or OTC only)
- Not compliant, but a big improvement
Time Passes – More Clarity
- Exclusion granted for science users
- Possible exception for standard user account access to moderate-level mission support systems in academic-like environments
Department of Energy PIV-I to the rescue
Department of Energy wide service to provide PIV-I smart cards, leveraging the existing processes for PIV cards:
- Cards/Readers
- Processes
- Enrollment/Activation stations
New Plan
- Privileged users get enrolled for PIV-I and will use smart cards
- Mission support users get DUO on their desktops
- As of early October 2016, DUO Client for Windows v2.1.0 has a configuration option to not disable the smart card credential provider
Mapping 3rd-party cards to our AD
- All of our testing to date used the default Subject Alternative Name (UPN) to AD user mapping
- Cards have a UPN on them that has no relation to our identity system
- Domain controllers need to be able to validate the certificates
- Need to create mappings in altSecurityIdentities
- Need to tell the KDC and the clients not to use the default mapping
altSecurityIdentities
Many options are available, but most implementations seem to use the Issuer and Subject format:
  altSecurityIdentities: X509:<I>CN=Issuing CA<S>CN=me
Two oddities that we ran into:
- The order of the name parts displayed in the certificate UI was reversed from how they need to appear in altSecurityIdentities
- Two name parts that have a comma between them in the UI needed to be entered run together
Add the altSecurityIdentities mapping to all Active Directory accounts the card should have access to
Disabling UPN Mapping in the Domain Controller
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KDC
  UseSubjectAltName = DWORD: 0
Disabling UPN Mapping on the Clients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  SendPreauthForNewerETypes = DWORD: 1
  UseSubjectAltName = DWORD: 0
Using multiple accounts from one smart card
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
  X509HintsNeeded = DWORD: 1
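The mapping steps on the preceding slides (build the Issuer/Subject string, add it to the account, switch the KDC and clients off UPN mapping, enable the username hint), as an added PowerShell example that is not from the presentation. It assumes the RSAT ActiveDirectory module, an exported .cer of the card's authentication certificate, and placeholder names for the file and account.

```powershell
# Added example, not from the presentation. Assumes the RSAT ActiveDirectory module,
# an exported copy (.cer) of the card's authentication certificate, and that the
# certificate path and account name below are placeholders to be replaced.
Import-Module ActiveDirectory

# The certificate UI lists name parts as "CN=me, OU=x, DC=y"; altSecurityIdentities
# wants them reversed and without spaces: "DC=y,OU=x,CN=me". Caveat (the slide's
# second oddity): an RDN value that itself contains a comma defeats this simple
# split and has to be entered by hand.
function ConvertTo-AltSecIdName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $parts = @($DisplayName -split ',\s*' | Where-Object { $_ -ne '' })
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function New-AltSecurityIdentity {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $issuer  = ConvertTo-AltSecIdName $cert.Issuer
    $subject = ConvertTo-AltSecIdName $cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

# Run on each domain controller: stop the KDC from mapping on the card's UPN.
function Disable-KdcUpnMapping {
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
        -Name UseSubjectAltName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Run on each client: the same switch for the Kerberos client, plus the username
# hint so that one card can be used for several accounts.
function Disable-ClientUpnMapping {
    $krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    New-ItemProperty -Path $krb -Name SendPreauthForNewerETypes -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $krb -Name UseSubjectAltName -PropertyType DWord -Value 0 -Force | Out-Null
    $scp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
    if (-not (Test-Path $scp)) { New-Item -Path $scp -Force | Out-Null }
    New-ItemProperty -Path $scp -Name X509HintsNeeded -PropertyType DWord -Value 1 -Force | Out-Null
}

# Placeholder values: replace with the real card certificate and privileged account.
$mapping = New-AltSecurityIdentity -CertPath 'C:\temp\card-auth.cer'
Set-ADUser -Identity 'adm-placeholder' -Add @{ altSecurityIdentities = $mapping }
# Check the result on the account before changing the KDC/client registry values:
# (Get-ADUser 'adm-placeholder' -Properties altSecurityIdentities).altSecurityIdentities
```

Using -Add rather than -Replace keeps any existing mappings on the account, which matters when one card has to reach several accounts.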
Username Hint
Panic moment – What about other mapped certificates?
- Our secure wireless uses EAP-TLS … What will happen to that if we turn off default certificate mapping on the RADIUS servers?
- After quite a bit of testing, it appears the answer is "Nothing" (but still nervous)
What's still to come
- Identity automation to get mapping data from the external card provider into Active Directory
- Test ActivClient
- What about Linux?
- Possible move from PIV-I to YubiKey NEOs?
- Authentication Method Assurance?
Questions?
Divider – Extra Slides
Creating a Virtual Smart Card
PS C:\WINDOWS\system32> TPMVSCMGR.exe create /Name "TestVirtualSC" /pin prompt /adminkey default /generate
Enter PIN: *********
Confirm PIN: *********
Using default Admin Key: 010203040506070801020304050607080102030405060708
Creating TPM Smart Card...
Initializing the Virtual Smart Card component...
Creating the Virtual Smart Card component...
Initializing the Virtual Smart Card Simulator...
Creating the Virtual Smart Card Simulator...
Initializing the Virtual Smart Card Reader...
Creating the Virtual Smart Card Reader...
Waiting for TPM Smart Card Device...
Authenticating to the TPM Smart Card...
Generating filesystem on the TPM Smart Card...
TPM Smart Card created.
Smart Card Reader Device Instance ID = ROOT\SMARTCARDREADER\0000
What is a Smart Card
For Windows environments, "smart card" usually means a cryptographic device conforming to the PC/SC (Personal Computer/Smart Card) set of standards. These standards dictate a card form factor and a common set of command interfaces that all smart cards use. In many implementations, smart card chips are converged with other access technologies on the same physical card to support both logical and physical access.
Certificates on a PIV (FIPS 201) smart card
- Authentication Certificate (Slot 9a)
- Signing Certificate (Slot 9c)
- Encryption Certificate (Slot 9d)
- Card Management Certificate (Slot 9e)
Smart Card Types using the FIPS 201 Specification
- PIV – Personal Identity Verification: a smart card variant used by the US government and defined in NIST FIPS 201. This is the most common card issued to government employees and contractors for compliance with Homeland Security Presidential Directive 12 (HSPD-12).
- PIV-I – PIV Interoperable: very similar to PIV, but with less rigorous identity vetting. It uses a distinct card topography to make it easily distinguishable from a PIV.
- CIV – Commercial Identity Verification: a smart card that uses the same format and specification as PIV, but does not require cross certification with the Federal Public Key Infrastructure (PKI) Bridge.
Smart Card Protection – PIN, PUK, and Management Key
- PIN: the "password" for the smart card. Depending on the smart card, this may be numbers only or alphanumeric.
- PUK: the "PIN Unlock Code" is a second PIN on some smart cards that allows an unblock of the card after too many failed attempts on the PIN.
- Management Key: a hexadecimal key used to unblock or reset the smart card. In many cases, when this key is used, all private keys are destroyed.
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
https://tools.ietf.org/html/rfc4556
Recently added RFC – Something new in Windows Server 2016?
https://www.ietf.org/id/draft-ietf-kitten-pkinit-freshness-07.pdf
Authentication Method Assurance
- An empty Universal security group can be linked to a Certificate Policy OID (Issuance Policy)
- If the Issuance Policy OID is present in the certificate used for smart card logon, then the resulting token has membership in the group
- msPKI-Enterprise-Oid object in the Configuration container: msDS-OIDToGroupLink attribute
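Linking the issuance policy OID object to the empty universal group, as an added PowerShell example that is not from the presentation. It assumes the RSAT ActiveDirectory module, that the OID already exists as an msPKI-Enterprise-Oid object in the Configuration container, and that the OID value and group name are placeholders.

```powershell
# Added example, not from the presentation. Assumes the RSAT ActiveDirectory module,
# that the issuance policy OID already exists as an msPKI-Enterprise-Oid object under
# CN=OID in the Configuration container, and that OID and group name are placeholders.
Import-Module ActiveDirectory

function Set-IssuancePolicyGroupLink {
    param(
        [Parameter(Mandatory)][string]$IssuancePolicyOid,
        [Parameter(Mandatory)][string]$GroupName
    )
    # The linked group must be universal and must stay empty: membership is added to
    # the logon token only when the logon certificate carries the issuance policy OID.
    $grp = Get-ADGroup -Identity $GroupName -Properties Members
    if ($grp.GroupScope -ne 'Universal') { throw "$GroupName must be a Universal group" }
    if ($grp.Members.Count -gt 0) { throw "$GroupName must have no static members" }

    # Issuance policy OIDs live under CN=OID,CN=Public Key Services in the Configuration NC;
    # the OID value itself is stored in msPKI-Cert-Template-OID on the object.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $oidObj = Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$IssuancePolicyOid))" `
        -Properties msDS-OIDToGroupLink
    if (-not $oidObj) { throw "No msPKI-Enterprise-Oid object found for $IssuancePolicyOid" }

    Set-ADObject -Identity $oidObj -Replace @{ 'msDS-OIDToGroupLink' = $grp.DistinguishedName }
    return $oidObj.DistinguishedName
}

# Placeholder values. After a smart card logon with a certificate carrying this OID,
# "whoami /groups" on the client should list the group although it has no members in AD.
Set-IssuancePolicyGroupLink -IssuancePolicyOid '1.2.3.4.5.6.7.8.9' -GroupName 'SmartCard-Assured-Admins'
```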