Presentation is loading. Please wait.

Presentation is loading. Please wait.

CredSSP in RDP Sreekanth Nadendla Windows Open Specifications.

Published byBerenice Ramsey Modified over 6 years ago

Similar presentations

Presentation on theme: "CredSSP in RDP Sreekanth Nadendla Windows Open Specifications."— Presentation transcript:

1 CredSSP in RDP Sreekanth Nadendla Windows Open Specifications

2 Topics CredSSP operation Smart card redirection – RDPESC updates

3 CredSSP Authentication
Introduced in Windows Vista/2008 Allows for second hop authentication, aka Credentials Delegation Allows computer B to authenticate with computer C as computer A Overcomes formal Kerberos delegation login A Server B Server C Kerberos:

4 CredSSP Overview MS-CSSP
The Credential Security Support Provider (CredSSP) Protocol enables an application to securely delegate a user's credentials from a client to a target server. Establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS) (as specified in [RFC2246]). The CredSSP Protocol uses TLS as an encrypted pipe; it does not rely on the client/server authentication services that are available in TLS. The CredSSP Protocol then uses the protocol extensions described in [MS-SPNG] to negotiate a Generic Security Services (GSS) mechanism that performs mutual authentication and GSS confidentiality services to securely bind to the TLS channel and encrypt the credentials for the target server. All GSS security tokens are sent over the encrypted TLS channel.

5 CredSSP Messages

6 TSRequest The CredSSP Protocol introduces the TSRequest message. The client and server use this message to encapsulate the SPNEGO tokens and TSCredentials message that the client uses to delegate the user's credentials to the CredSSP server over a TLS connection. These messages are encoded by using ASN.1 (as specified in [X690]) and Distinguished Encoding Rules (DER). TSRequest ::= SEQUENCE { version [0] INTEGER, negoTokens [1] NegoData OPTIONAL, authInfo [2] OCTET STRING OPTIONAL, pubKeyAuth [3] OCTET STRING OPTIONAL, errorCode [4] INTEGER OPTIONAL }

7 authInfo A TSCredentials structure that contains the user's credentials TSCredentials ::= SEQUENCE { credType [0] INTEGER, credentials [1] OCTET STRING } credType Meaning 1 credentials contains a TSPasswordCreds structure that defines the user's password credentials. 2 credentials contains a TSSmartCardCreds structure that defines the user's smart card credentials. 6 credentials contains a TSRemoteGuardCreds structure that defines logon and supplemental credentials.

8 Credential Structures
TSPasswordCreds ::= SEQUENCE { domainName [0] OCTET STRING, userName [1] OCTET STRING, password [2] OCTET STRING } TSCspDataDetail ::= SEQUENCE { keySpec [0] INTEGER, cardName [1] OCTET STRING OPTIONAL, readerName [2] OCTET STRING OPTIONAL, containerName [3] OCTET STRING OPTIONAL, cspName [4] OCTET STRING OPTIONAL } TSRemoteGuardCreds ::= SEQUENCE{ logonCred [0] TSRemoteGuardPackageCred, supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL } TSRemoteGuardPackageCred ::= SEQUENCE{ packageName [0] OCTET STRING, credBuffer [1] OCTET STRING }

9 pubKeyAuth This field is used to assure that the public key that is used by the server during the TLS handshake belongs to the target server and not to a "man in the middle". After the client completes the SPNEGO phase of the CredSSPProtocol, it uses GSS_WrapEx() for the negotiated protocol to encrypt the server's public key. The pubKeyAuth field carries the message signature and then the encrypted public key to the server. In response, the server uses the pubKeyAuth field to transmit to the client a modified version of the public key that is encrypted under the encryption key that is negotiated under SPNEGO.

10 Smart Card Redirection MS-RDPESC

11 Smart card Redirection
MS-RDPESC A pipe between PC/SC implementations on the client and server side. Smart Card SDK functions Smart card IOCTLs   SDK functions

12 Versioning and Capability
Determined by RDP client build number [MS-RDPBCGR] section Build Number Dialect >= 7865 SCREDIR_VERSION_WINDOWS_8 (3) >= 4034 and < 7865 SCREDIR_VERSION_LONGHORN (2) < 4034 SCREDIR_VERSION_XP (1)

13 Capabilities SCREDIR_VERSION_XP SCREDIR_VERSION_LONGHORN
Base level SCREDIR_VERSION_LONGHORN SCARD_IOCTL_READCACHEW, SCARD_IOCTL_READCACHEA, SCARD_IOCTL_WRITECACHEW, SCARD_IOCTL_WRITECACHEA, SCARD_IOCTL_GETTRANSMITCOUNT SCREDIR_VERSION_WINDOWS_8 SCARD_IOCTL_GETREADERICON, SCARD_IOCTL_GETDEVICETYPEID

14 CredSSP with HTTP In the network capture, you will see the hearders mentioned above as WWWAuthenticate: CredSSP FgMBAv0CAABRAwFW3i0gqfI50SDRncb4rJp7gbSN2wVNQK+dAYqEMgRjOSCASwAAFZTDSJsAh8lUrW8kp51iLlpG82PfAEfp+X4C+8AUAAAJABcAAP8BAAEACwAB1QAB0gABzzCCAcswggE0oAMCAQICEB4GZ1Rsl262T/Ue7d6CO2QwDQYJKoZIhvcNAQEFBQAwJDEiMCAGA1UEAxMZV1NNQU4tc2VydmVyMS5jb2 This is the base64 encoded TLS messages This is the one that trips customers the most They expect (if HTTPS is used) CredSSP to not use TLS since the HTTPS is already doing that. Not so.

15 5/26/ :01 PM © Microsoft Corporation. All rights reserved.

Download ppt "CredSSP in RDP Sreekanth Nadendla Windows Open Specifications."

Similar presentations

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
Ariel Eizenberg arielez@cs.huji.ac.il PPP Security Features Ariel Eizenberg arielez@cs.huji.ac.il.

Ariel Eizenberg PPP Security Features Ariel Eizenberg
Remote Networking Architectures

Remote Networking Architectures
Point-to-Point Protocol (PPP) Security Connecting to remote access servers (RASs) PPP authentication PPP confidentiality Point-to-Point Tunneling Protocol.

Point-to-Point Protocol (PPP) Security Connecting to remote access servers (RASs) PPP authentication PPP confidentiality Point-to-Point Tunneling Protocol.
Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.

Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.
FTP File Transfer Protocol. Introduction transfer file to/from remote host client/server model  client: side that initiates transfer (either to/from.

FTP File Transfer Protocol. Introduction transfer file to/from remote host client/server model  client: side that initiates transfer (either to/from.
Virtual Private Networks Alberto Pace. IT/IS Technical Meeting – January 2002 What is a VPN ? u A technology that allows to send confidential data securely.

Virtual Private Networks Alberto Pace. IT/IS Technical Meeting – January 2002 What is a VPN ? u A technology that allows to send confidential data securely.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.

Dynamic Symmetric Key Provisioning Protocol (DSKPP) Mingliang Pei Salah Machani IETF68 KeyProv WG Prague.
Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation.

Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation.
1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

Similar presentations

Ads by Google