2011-03-Overview of the Microsoft PKI - ADCS 2008 R2-V_1.02-Fabien_Duchene

7/21/2019 2011-03-Overview of the Microsoft PKI - ADCS 2008 R2-V_1.02-Fabien_Duchene

http://slidepdf.com/reader/full/2011-03-overview-of-the-microsoft-pki-adcs-2008-r2-v102-fabienduchene 1/107

Technical overview of the

Microsoft PKI

Active Directory Certificate

Services 2008 R2

ESEC – European Secur ity Expertise Center

Fabien DUCHENEhttp://www.car-online.fr/en/spaces/fabien_duchene/

Reviewers: Jonathan BOURGAIN, Jeremy RENARD, Rida BENBRAHIM

Technical overview of theMicrosoft PKI ADCS 2008 R2

1

Certificate Services

2011-01

v.1.02

http://www.car-online.fr/en/spaces/fabien_duchene/







0. Table of content

1. Introduction… PKI?

2. MS PKI 2008 (R2)

foundations

3. Establishing & maintaining

4. Auditing

5. Beyond the MS PKI

6. References

Technical overview of the Microsoft PKI ADCS2008 R2

2




1. Introduction … PKI?

- Some PKI application scenarios

- Why setting up a PKI?

- asymmetric cryptography

- PKI – overview

- Certificate

- Certificate Authority

- Validation

- Revocation


3




1.a. Some PKI application scenarios


4

Strong

authentication

VPN Access

Secure Wireless

Websites

Terminal Services

Document encryption

Email signing

Encrypted File System

Application integritySmart

Card

EAP-TLS SSL / TLS

802.1xIPSec

Network

Access

Control

PKI

Identity store Operating system




1.b. Why setting up a PKI?

• Previous quoted applications + building TRUST

• Legal requirements (eg. EU privacy laws, CNIL, RGS)

• PKI alternatives:


5

Alternative Issues

Password, static keys, self-

signed certificates

Management costs and security

concerns (complexity, lifetime)

Purchased certificatesCost (as certificate applications

proliferate)

Specific application

functionalities

Compliance => common

management




1.c. Before setting up a PKI …

…you should consider…

• Organizational policies: auditing, procedures

• Ongoing Costs … like any other IT application !

– Scalability, high availability (revocation)

– (plus physical security)

• Complexity

– Technical requirements: HW, netw, SW

– Training: End-Users, IT staff, Security team• Legals: key length, used algorithm, data exchanges,

PII…


6


http://slidepdf.com/reader/full/2011-03-overview-of-the-microsoft-pki-adcs-2008-r2-v102-fabienduchene 7/107ESEC – European Secur ity Expertise Center

Common mistakes: mind the gap!

• There is no need for a PKI nor a CA to performasymmetric cryptography. Eg: Web-Of-Trust (PGP), SSH

• In french:

– Encryption/enciphering = chiffrer !!crypter!! – Decryption/deciphering = déchiffrer

– Breaking an encrypted message = décrypter

• => when the user does not have access to the private key

• Not trusting a PKI does not imply the communication isnot encrypted! ( eg: https://esec.fr.sogeti.com )


7

https://esec.fr.sogeti.com/

https://esec.fr.sogeti.com/



1.d.1. PKI - definition

• PKI: Public Key Infrastructure- Hardware, software, people, policies and procedures

to manage the lifecycle of digital certificates (manage, distribute, use, store and revoke)

– It uses: asymmetric cryptography

• … and is ONE solution to associate certificates with identity

= hierarchical model

• … other models exist:

– local trust model (eg: SPKI)

– web of trust (eg: PGP)


8

X«C» X«A» Z«B»

V

W

X

C A B

Z

Y

U

TISO3960-94/d04

U«V»

V«U»

V«W»

W«V»

W«X»

X«W»

X«Z»

Y«Z»

Z«Y»

Z«X»

V«Y»

Y«V»

Figure 4 – CA hierarchy – A hypothetical example



1.d.2. PKI - components


9

Keys and certificates

management tools, auditing… Certificate publication and

revocation distribution points

(CRL, OCSP)

Certification Authority

(CA)

Certificate(s) Requestors (computer, user)

URLs

http://

file://

ldap://

Security policy

Certificate enrollment and

Revocation policy

authentication

Identity Provider(ADDS)

Applications and services

.. able to interact with certificates

http://en.wikipedia.org/wiki/File:SmartCardPinout.svg



1.e.1. asymmetric cryptography

• Assumptions:

– hardness to of mathematical problem: primes factoring, discrete logarithm

– limited computational power... and time is this always true? Eg.

Cloud, quantum comp.

• Basics: – Two related keys: 1 public, 1 private

– Two functions: Encrypt ; Decrypt : {message,key} -> {message}

– Properties:

• Decrypt(Encrypt(msg,E_pub),E_priv)=msg

• Decrypt(Encrypt(msg,E_priv),E_pub)=msg

• Knowing E_pub it is “computationally very hard” to find E_priv


10

Pictures from Wikipedia – Public Key Cryptography

http://en.wikipedia.org/wiki/Public-key_cryptography


http://en.wikipedia.org/wiki/File:Public-key-crypto-1.svg



1.e.2. asymetric cryptography - applications

• Immediate applications:

… But also Diffie-Hellman key exchange


11

Encryption Signature

Pictures from Wikipedia – Public Key Cryptography



http://en.wikipedia.org/wiki/File:Public_key_encryption.svg

http://en.wikipedia.org/wiki/File:Public_key_signing.svg




1.e.2. asymmetric cryptography (cont.)

• Things we can guarantee: – Identity:

• Non-Repudiation (cannot deny it did perform it) -> [uses:signature]

• Authentication [signature and encryption]

– Communication:

• Integrity (something has not been changed) [signature]

• Confidentiality (ensure only authorized entities ) [encryption]

• … assuming: – the previous mathematical assumptions

– the user private key is “well protected” (confidentiality)


12




• Main format: X509 v1(88), v2(93), v3 (96)

• File *.crt containing: – Subject, issuer, validity window, … Subject Public Key

– …

• The information are signed bythe issuing CA

1.f. Certificate


13




1.f. Certificate – X.509 v3


14

• v3 (96)

CDP: where to check if that certificate is revoked?

Picture from PKI and Certificate Security - Brian Komar , MS Press

http://www.microsoft.com/learning/en/us/book.aspx?ID=9549&locale=en-us


http://www.microsoft.com/sverige/techdays/Talare.aspx?SpeakerID=1895







1.g. Certification Authority

• A trusted party (server), as part of a PKI: – Verify the identity of a certificate requestor

– Issue certificates to requestors (users, comp)

according to the issuance policy – Manage certificate revocation*


15

*revocation: designing a certificate as no more

valid, even if its expiration date is future.




1.h. Certificate insuance

• A Root CA self-signs its certificate

• The most common model: the requester generates theKeyPair

• Certificate template: set of parameters (key length, authentication

requirements (1/2/3 factor(s)), permissions…

16

Authenticated Certificate request

(public key, validity, certificate template…) 3

2KeyPair generation

(according to the

chosen certificate

template parameters)

0 Authentication

1

Certificate

Templates

fetching

Certificate6

Verifications

(template

parameters)

4

Certificate issuance

(see next slide)

5

Identity Provider

Certification

Authority

Certificate

Template store

Client


Ensimag 4MMSR – Network Security – Fabien Duchene (2011)

http://ensiwiki.ensimag.fr/index.php/Securite_des_Reseaux










1.h.1. Cert. Validation - AIA

• Authority Information Access – URLs where the CA certificate can be retrieved:

• Filesystem, ldap://, http://, smb://

– CA certificate:

• *.crt (certificate)

• OCSP extension


17




Sheldon

Cooper

Kim Cameron

Issued certificate

GeekCompany

Root CA

1.g. The trust topology of the PKI model


18

• A hierarchical trust model:

– Users/computers trust the Root CA

– Transitive trust relation till the leafs

I trust that Root CA

… thus I also trust these CA

(issued cert. by the Root CA)

… thus I also trust

the identity of thatuser/comp

(issued cert..)




1.h.2. Cert. validation – chain of trust

•Trust hierarchy: trusting the Root CA

• Signing: each CA signs all issued certificates

• … including the child PKI ones!


19

http://www.globalsign.com/certificate-authority-root-signing/microsoft-certificate-services/






1.h.2.2. Chain of trust - signature


20

Clear text certificate

information

Thumbprint computation

Thumbprint signed with the issuing CA private key

* hash: function that takes a block of data and returns a fixed

size bit string. (eg: MD5, SHA-1, SHA-512…)

Cert. Signature field

h ld h “ h f ” b b k




1.h.2.3. How could the “chain of trust” be broken?

• For any certificate in that chain:

– Validity time: certificate expired?

– Subject name: the certificate information is

different to what the application expects?

(eg: loading an https website by its IP, instead of FQDN)

– Revocation: has that certificate been revoked at

the CDP?

– … and of course if the Root CA of that chain is not

trusted!


21




• CRL (Certificate Revocation List)

– List of revocated certificates hashes periodically fetched

• OCSP (Online Certificate Status Protocol) – Real-Time web request

Certificate

hash

The certificate isnot trusted

The certificateis trusted

yes

noPeriodical CRL

download (HTTP,

SMB, LDAP…)

1.i.1 Revocation - Overview


22

Certificate

hash

The certificate isnot trusted

The certificateis trusted

yes

no

Is the

certificate

revoked?

OCSP

RequestOCSP signed Reply

Is the hash

present in the

signed CRL?

(by the issuing CA)




1.i.2.3. CRL – Publication & expiring intervals

• These parameters are set for the whole PKI

• Publication interval: how often are the CRL published?


23




1.i.4. CDP

• CRL Distribution Point – Filesystem (smb://, file://)

– Ldap://

– http://


24




1.i.2.3. Revocation - CRL - problems

• Bandwidth, CRL filesize: – the more certificates are issued, the more some

are potentially revoked

• Latency: update & download frequency• Mitigation solutions:

- Delta CRL=new revoked certificates since the last base CRL publication

– Separate base CRL & delta CRL publishingfrequency


25




1.j. Example

• Consider the following scenario:


26

Should I trust the

customer CA

certificate, knowing Iobtained the Root CA

cert from the AIA?

0. Get the AIA information periodically

(URL, download the Root CA public key)

3. Is the Root CA cert. revoked

or expired? CRL, OCSP

1. The Customer CA ispresenting us its certificate

(…and the related chain of

trust)

2. Do I trust the Root

CA certificate?(“Trusted Root

Certification

Authorities”?)

4. Check the Ext. Pol. CAcertificate signature (parent CA)

5. 6. 7. 8. …










REMINDER: Active Directory – Security basics

• Domain, Forest

• SID, access control

• Kerberos authentication

• Trust relationships


27




REMIND.a. Domain, forest


28

- AD Forest, domain:

In each domain:

- Domain Controllers (DC) manage:- Kerberos authentication

- LDAP directory

- DNS resolution

corp.nintendo.com

jpn usa

Domain

Forest

Child domain

Root domain




REMIND.b. Access control basics - SID

• SID (Security IDentifier):

– Statistically unique worldwide

– AD Objects that owns a SID (and that are stored in theLDAP database)

• Computer: (when the computer joins the domain)

• Domain controllers: (same above)

• User/service account (when the account is created)

• Security group (a security group can contain security groups,users, and computers)

• Thus, each security principal (user, comps, sec. grp, DC):• owns a SID: user account SID

• is member of several security groups: Group SIDs


29




REMIND.b. – SID examples (continued)


30

…

• SID example: (eg. domain: CORP)

User account SID

Group SIDs




REMIND.b. – Access control basics

• ACL (Access Control List): a list of ACE (E=entry):


31

• ACE:“right/privilege/permissiongiven to a specific SID on a

specific resource” • Resource examples:

– Shared folder

– LDAP object

– certi ficate template




REMIND.c. Kerberos Authentication - overview


32

User /

computer

Identity provider,

Authentication Server

GC

Service Server

(eg: issuing CA)

Authentication protocols in a Microsoft environment :

LM, NTLMv1, NTLMv2, Kerberos

Ticket Grantig Service

TGS

1

“I am Mossen. I

need a Ticket to Get

Tickets” (TGT)

Key Distribution Center

Here is a TGT you will only

be able to decrypt if youknow the shared secret(user/comp. pwd)

23

I want to access the

“Issuing CA” service.Here is a proof Idecrypted the TGT

4

Here is a Service Ticket containing yourinformation for accessingthe Issuing CA service

UserSID

-------------------------

GroupMembershipsSIDs

Service

Ticket5

6 Service communication






2. MS PKI foundations

– Active Directory basics (authentication, ACL)

– Common criteria

– ADCS Roles

– Certification authorities (& cert. issuance)

– Certificate templates

– PKI objects: ADDS location

– Autoenrollment

– Revocation (OCSP)

– Key Recovery Agent, Enrollment Agent

– Hash and public key algorithms

– What’s new in 2008/2008R2?


34




2.a. Common criteria certifications

• Common criteria: (!check that what is built is conform to the specifications)

– EAL4 - methodically designed, tested and reviewed

• ALC_FLR.3 (Systematic Flaw Remediation)

– Windows Server 2003:

• EAL 4+ ALC_FLR.3 (2005) – Windows Server 2003 (ADCS):

• CIMC Security Level 3 Protection

• EAL 4+ ALC_FLR.3 (2005)

– Win. Vista & 2008:• EAL 4+ ALC_FLR.3 (2009)

• => includes CNG (Windows Cryptographic API)


35

http://www.commoncriteriaportal.org/products/




2.b.1. Windows Server - ACDS- Roles

• Windows Server role: Active Directory Certificate Services

• Sub-roles:

– Certification Authority

• Requires ADDS ; clients-CA communicate via DCOM

– CA Web Enrollment:• Requires IIS, ASP ; communication: web-application

– CA Enrollment Web Service (CES)

– CA Enrollment Policy Web Service (CEP)

• Both require ADDS domain schema at level 2008_R2

• Communication via WS


36

2000

2003

2008

R2




2.b.2. ADCS Roles - overview


37

Certification

Authority (CA)- issue, renew, revoke

certs

Active Directory

- Enrollmentobjects

- Certificate

templates

- Users, computers

Online Responder- Certificate

revocation info

- Web proxy cache

Client- Enrollment

- Renewal

Certificate

Enrollment

WS (CES)

Legacy

Certificate

enrollment

Enroll,

autoenroll

DCOM,

HTTP app.WS

Certificate

Enrollment

Policy WS

(CEP)

Legacy(LDAP, smb)

Cert.

templates

Revocation

check (OCSP)

Revocation

check (CRL)




2.c.1. REMIND: Certification Authorities

• Servers aiming at 3 main goals: – Verify the identity of a certificate requestor

• Active Directory, Kerberos authentication

– Issue certificates to requestors (users, comp)according to the issuance policy

• Root CA, Policy CA, Issuing CA

– Manage certificate revocation

• CDP, OCSP


38




2.c.2. Certification Authorities - levels

• Root CA: 1 self-signed cert. (which is trusted by entities)

• Intermediate CA

• Policy CA: issues cert. to CAs

• Issuing CA: issues cert. to requestors (eg: Americas CA)


39










2.c.3. Certification autorities - types

• Two types of MS PKI CA: – Standalone (eg: for Root CAs)

• Ideal for Offline CAs

– Enterprise (eg: policies or issuing CA)

• Integrate into an ADDS environment

• Certificate templates support


40




2.c.4. Issuing CA Components


41

Active Directory

lientsClientsClients

CA ServiceCertsrv.exe

Policy

Module

Exit

Module(s)

Certificate

database

- Inspect cert. requests- Issue them according

to permissions and

issuance policy

Writes to DB:- certs

- information

Receive the

certificate matching

its keypair

Wait for the

information to be

written

Certificate

generation andsignature

Cert request

(Pub. Key)

Authentication,Template reading

d f l




2.d. Certificate templates

• Certificate models: – Validity, renewal (frequency, new key?), publication

– Request (prompt user, allow private key export…)

– Cryptography (min. key length, algo, CSP)

– Certificate information (email, FQDN …)

– Issuance policies (under which conditions…)

– Key usage (eg. Digital signature)

– Application policies

– Permissions (read, write, enroll, autoenroll)


42

2 d C ifi l




2.d. Certificate templates


43

d h l b l




Enrollment services

objects (one per CA)- CA Name

- CA Cert

- CA template list

- Enrollment URL (CES)

2.d. The relation btwn CA & Cert. templates


44

CA 2 /

CES

CA 1

Templates container

(Forest wide)- Permissions

- Enrollment requirements

- Cert content

- Renewal

AD objects

ClientsClientsClients

2 PKI bj t ADDS l ti




2.e. PKI objects: ADDS location


45

Root & intermediate CA certs

Foreach issuing CA, where do they

publish their CRL?

Issuing CA certs

Templates

CA hierarchy (parent CA)

Key Recovery Agents (private key)

Object IDentifiers (MIB):

- newly created Cert Templates- newly created Application Policies- Issuance policies

Configuration Naming Context (Forest-wide replication)

Thus: Template permissions on Universal or Global security groups

2 f A t E ll t i




2.f. AutoEnrollment - overview

• One of the best features of the MS PKI (WS2003, x.509 v2 & v3)


46

CA 1

Client (user / comp.)

Template cont.Enrollment cont.GPO

CEP

URLS

CEP,

ADDS

container

ADDS ldap

or ADWS: https

CEP

CES(url2) CA 2

4. Enrollment Template / Policy Cache

Template 3: ?Template 19: ?

Template / Policy Cache

Template 3: CA1(DCOM)Template 19:

CA1(DCOM), url2(CES)

LDAP

WS (https)

2. On which templates

is the entity allowed toautoenroll ? (ACE)

3. Which CA(s) can issue

that template(s)?

Foreach CA:

- The templates it issues

- Enrollment URL (CES)

Brian Komar , deploying a PKI solution with ADCS

2 f AutoEnrollment zoom on the client store

http://www.identit.ca/management.html

https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032445999&CountryCode=US







2.f. AutoEnrollment – zoom on the client store


47

Client (User / comp.)

Trusted

Root CA

Intermediate

CA

2 R ti (OCSP i l t ti )




2.g. Revocation (OCSP implementation)

• ~ HTTP proxy for CRL ; Fault-tolerance


48

RFC: http://www.ietf.org/rfc/rfc2560.txt?number=2560

DNS-

Round-Robin

eventually

NLB

Clients

Online Revocation Array

Online resp. 1

ocspsvc.exeNetwork Service

Online Resp. 2

...

OCSP

web proxy 1ApplicationPool

--

Default IIS

website: /ocsp

OCSP web

proxy 2

OCSP web proxy(request decoding,

response caching)

Certificate with application

policy: “OCSP signing”

OID 1.3.6.1.5.5.7.3.9

Signing

Auditing

Microsoft Online Responder

CA_1

CA_N...

Revocation providers

CRL

2 h K R A t

http://www.ietf.org/rfc/rfc2560.txt?number=2560









2.h. Key Recovery Agent

Technical overview of the Microsoft PKI ADCS2008 R2 49

• Each private key issued could also be archived and

accessible for one or several recovery agents

One or several CA

cert mgrs validate the request

The corresponding

issuing CA(s) areconfigured toarchive future

issued keys withthe KRA(s)

certificate(s)

Each time a new

certificate with Key Archival enabled is

request, the user

private key isarchived with the

KRA(s) publickey(s)

A key recovery

agent certificate is

requested

2 h Ke Archi al KRA




• Ability to recover a client private key

• Involves: Certificate Manager(s), Key recovery agent(s), issuers, CA

• CA Exchange template: automatically issued if

available, for a short period of time (1 week validity, 1 day renewal)

2.h. Key Archival - KRA

50

Certsrv

Cert. DB

2 CA Exchange cert. request

AD

3 CA Exchange return

1 Authentication,

template reading

CRL,

OCSP

4

Revocation

Check

(CA Exch.)

5Keypair

generation

6

Cert request (Client pub. key),Client Priv. key encrypted by the

CA exchange pub key

Policy,

issuance…

7

Cert storage+ client private key each

time encrypted with 1

KRA public keys

=encrypted PKCS #7 BLOB

8

ClientsClientsClients

2 i Enrollment agent




2.i. Enrollment agent

• Enroll certificate on behalf of another user.

– Trust in the application/person (potential private key access)

– Eg: FIM 2010 CM / CLM 2007:


Rida requests

An enrollment

agent certificate

Cert mgrs:request

validation

Alejandro’s

managerrequests a

smart card for

Alejandro

Alejandro

Rida provisions a

smart card with acertificate foranother user

and gives the SC to Alejandro

Alejandro

reinitates theSC user pin. And is now

able to use theSC.

2.j. Microsoft CSP - Supported hash and public




j pp pkeys algorithms

•Since Windows Vista & Server 2008:


Hash algorithms

MD2

MD4MD5

SHA1

SHA256

SHA384SHA512

Public key algorithms

ECDH_P256

ECDH_P384ECDH_P521

RSA (KSP max: 16384 bits)

2 k What’s new in ADCS 2008 & 2008 R2?




2.k. What’s new in ADCS 2008 & 2008 R2?

• ADCS 2008

– OCSP

– CNG support

– SCEP

• ADCS 2008 R2 – Certificate enrollment web service

– Cross forest enrollment

– CA support on Server Core

– "Database-less“ CA


2 k 1 Cryptography Next Generation




2.k.1 Cryptography Next Generation

•Replacement for CryptoAPI. Windows Vista.

• Auditing: KSP

• Certification & compliance

• Cryptographic agility: negotiation• Kernel mode support (ex: IPSec, TLS)

• Key Storage

• Key isolation: not in application (eg: TPM)


2 k 1 2 Windows cryptography system overview




2.k.1.2. Windows cryptography system overview

• Vista


2 k 1 3 Private key storage




2.k.1.3 – Private key storage


Key type CNG dir.

User private %appdata%\Microsoft\Crypto\Keys

Local system private %allusersprofile%\Application

Data\Microsoft\Crypto\SystemKeys

NetworkSvc /

LocalSvc private

%windir%\ServiceProfiles\

{LocalService,NetworkService}

Shared private %allusersprofile%\Application

Data\Microsoft\Crypto\Keys

Private keys publishingto the FileSystem

2.k.2. ADCS Role: Network Device Enrollment Svc:




Simple Cisco Enrollment Protocol

• WS 2003 (add-on) ; WS 2008 CS: integrated

• Application: deploy certificate on non-domain

joined computers (eg: Cisco switches, routers, Apple iPad!)


1 Keypair creation

Device Admin

Device

NDES

CA - ADCS

DC - ADDS

2.A Password request

2.B Permissions

check

3 Set password 5 RA request

4 Cert request

6 Issue cert

7 Return cert

2.k.3. Certificate Web-Services: cross forest




enrollment

• Why?• Enrollment Web Service

• Cross-Forest enrollment


2 k 3 1 Cert WS - Why?




2.k.3.1. Cert. WS - Why?

• Corporates merging:

• “how to extend PKI trust outside the AD forest?”

– Deploy the other Root CA cert. in the Trusted Root CA store

– Allow firewall flows:

•revocation (SMB, LDAP, HTTP)

• enroll (.. DCOM!)

– Permissions: grant the other users the ability to enroll

– Problems: firewall traffic block, corporate:

security=network

• Another solution: ADCS Cert. WS


2 k 3 2 CA Enrollment WS –protocols




2.k.3.2. CA Enrollment WS –protocols


CES

Act ive Directory Cert i f icat ion Author i ty

User Computer

HTTPS with Kerberos authentication

LDAP

Get policy

Enrolment

WS

Policy

WS

DCOM

Request certs

2 k 3 3 – Cross forest enrollment




2.k.3.3 Cross forest enrollment

• Ability to issue cert beyond the forest

• Requires: ADDS domain schema: 2008R2


Act ive Directory

Root CA

Act ive Directory

Domain level: 2008R2Trust

relationship

ADCS WES, WEP

Ressource Forest Forest

Issue

certificates

2 k 4 Database less CA




2.k.4. Database less CA

• Some issued certificates are not stored in theCA DB

• Why? Eg: Network Access Control for 90.000

computers with 15 min. IPSec cert. validity:

= 90.000x(1/15)=6000 issued certs/min.• => To Reduce the storage and processing overhead.

• Configurable for each v2 & v3 certificate template:


3 Establishing a MS PKI and maintaining it!




3. Establishing a MS PKI … and maintaining it!

- Conception

- Deployment

- Maintaining in operational conditions


3 a Conception




3.a. Conception

• CA (hierarchy, geography, dimensioning, key escrow(HSM))

• Disaster recovery (key archival)

• Role separation• Policies: security, certificate, CPS

• Identify: applications, ACL

• Revocation• Training: IT administrators


3 a 1 CAs infrastructure




3.a.1. CAs infrastructure

• Tier: Two or Three? (Root, policy, issuing)

• Type: Standalone / Enterprise?

• Model examples:

Technical overview of the Microsoft PKI ADCS

2008 R2 65

Geographical

/ NetworkBusiness Unit Subscriber types Certificate use

Defense Banking… MADRID SYDNEY… Computers Users… WPA2 S/MIME…

Root

Policy

Brian Komar , deploying a PKI solution with ADCS

3.a.1. CA infrastructure









3.a.1. CA infrastructure

• Dimensioning:

– Estimate the workload (cert. template: issuing, renewal

frequency, population, key length: keypair generation

duration, network, other servers load (eg: authentication))

– CPU workload pic goal: 80% ; 90%

– RAM, Fast storage (SSD, iSCSCI, SCSI 10K RPM)


2008 R2 66

At least X secrets on Y to access the CA

private key, stored on the HSM

• Key escrow: HSM

http://blogs.technet.com/b/pki/archive/2010/01/12/windows-ca-performance-numbers.aspx

3.a.1. CA infrastructure - dependencies












3.a.1. CA infrastructure dependencies

• ! A MS PKI relies on:

– Computer naming system: DNS

– Identity provider: ADDS

• => High availability of these services

• Key exchange:

– CSP, KSP: which Windows version?


2008 R2 67

3.a.2. Role separation




3.a.2. Role separation

• Common criteria roles CMIC L4:

– CA administrator: assign CA roles, configure auditing, delete a

record, start/stop certsrv.exe, define CA admins

– Certificate manager: approve/deny cert. reqs, extract

archived private keys, determine KRA

– Backup operator: CA config, DB, and keypair backup – Auditor: review event log

• Enforce role separation:

!! If a person owns two or more roles: Certsrv.exe will not start !!


2008 R2 68

certutil -setreg CA\RoleSeparationEnabled 1

3.a.3. Disaster Recovery (REMIND: KRA)




3.a.3. Disaster Recovery (REMIND: KRA)


2008 R2 69

• Each private key issued could also be archived and

accessible for one or several recovery agents

One or several CA

cert mgrs validate the request

The corresponding

issuing CA(s) areconfigured toarchive future

issued keys withthe KRA(s)

certificate(s)

Each time a new

keypair isgenerated, the new

private key is

archived with theKRA(s) public

key(s) A key recovery

agent certificate is

requested



3.a.4. Policies: security, certificate, CPS




3 a o c es secu ty, ce t cate, S


2008 R2 71

Security policy

Certificate policy

Certification Practice Statement (CPS)

- RFC 3647: CERTIFICATE MANAGEMENT

- Regroup certificate templates in classes,

segregated by:- identity validation

- allowed transactions/operations

- private key storage

- How to address the corporate risks?

- eg ISO 27002 measures

- RFC 3647: CA MANAGEMENT

- How CA are managed to ensure the assurance levels

defined in the certificate policy

=Public rules that govern a PKI

3.a.5. Identity: applications, ACL




y pp ,

• Which applications will rely on the PKI?

– Which kind of Application Policy (OID)?

– Key usage

– Issuing requirements

– Related to the Certificate Policy!

• To whom will we issue such certificate?

– Template ACL


2008 R2 72

3.a.6. Planning revocation




g

• Make revocation check accessible from outside the company!

• BEFORE issuing certificates!

• =>In case a smart card / valuable cert. is stolen/lost.

• Conceive procedures, train the actors

• Whom to alert? – logical access team

– user manager• How fast to react?

– It depends of the protected assets criticality

• How to react? – Revoke certificate

– Force delta CRL publishing

– [Eventually] force CRL refreshing on computers

– [Eventually] recover the user encrypted documents, use KRA

– Generate a new smart card & keypair, for the userTechnical overview of the Microsoft PKI ADCS

2008 R2 73

3.a.7. Training: IT administrators




g

• What is a PKI?

• Which applications rely on the PKI?

• Who endorse which roles?

• How to manage the CA(s)?• ! Revocation !

• Temporary SC: prevent end-user from using 2 SC!


2008 R2 74

3.b. Deployment




p y

• The Root Key Ceremony• Training: end-users

• Issuing certificates


2008 R2 75

3.b.1. The Root Key ceremony




y y

• Depending on the Certificate Policy:

– Notarization, legal representation, witnesses

– “Key holders”

• = start of the customer PKI!

• Issuing “policy CA” certificates• Offline, physically secured (!VM)


2008 R2 76

The Root CA private key is generated, storedinto the HSM, and protected by a SPLIT secret.

At least X key holders on Y have to be present with

their secret to decrypt the private key.

(eg : Shamir’s polynomial ; Blake’s hyperplane)

3.b.2. Training: end-users




g

• Legal stakes (eg: digital signature)

• (Technical basics … for usage!)

• Process:

– Do not ignore certificate warning! – Do not store the SC PIN with your SC!

– Tell quickly when you loose your SC!

– Do not use your temporary SC & your permanent one!

– Protect your private keys and do not store them onunencrypted media!


2008 R2 77

3.b.3. Issuing certificates




g

• Client configuration: – Enrollment policy locations: GPO

– Auto-Enrollment: GPO

• Communicating processes:

– CPS (link within issued cert.)

– eg: smart card issuance, smart card loose

• … Maintaining the infrastructure


2008 R2 78

3.c. Maintaining




- Certificate renewal

- Events monitoring

- Disaster recovery (see 3.a.iii.)

- Revocating certificate (see 3.a.vi.)


2008 R2 79

3.c.1. Certificate renewal – two problems




• A. Keypair renewal

–eg: OCSP response signing or IPSec communication


2008 R2 80

Validity PeriodRenewal period

OCSP request,

with K1-public-key

encrypted nonce

OCSP response, with

… K2-private-key

encrypted nonce

Unable to

decrypt theanswer!

The problem:

CA – with OCSP

User willing to

check the revocation

of a cert.

• Some strategies: – closing the connection with the old keypair & reopening it with the new one

– responding with the previous K1 keypair … until when? (expiration?)

– using the same keypair when renewing

3.c.1. Cert. Renewal – Lifetime expiration





2008 R2 81

• B. Lifetime expiration

– Eg: issuing CA – Issuing CA cert. validity period has to be greater than the longest

validity period of the cert. templates issued by that CA

– Renewal period has to be shorter … but not too much! (potential lo

and errors increase)

• Why renewing?

– Computational power increase => hash & private private keysubject to collision, brute-force attacks

• Parameters specific to each certificate template!

3.c.2. Events monitoring




• Centralize, aggregate, and perform pro-active

monitoring on PKI logs: – CA: issuing, revocation, template, permission, backup,

roles, recovery …

– Active Directory: authentication, DNS

– Client: key usage, missing private key

• Ideally integrate it into a SIEM.

– Management packs do exists for SCOM 2007, 2010

• Useful for forensics• Standard windows events. See 4.d. and

http://technet.microsoft.com/en-us/library/cc731523(WS.10).aspx


2008 R2 82

4. Auditing a PKI









- Why & when auditing a PKI?

- Useful documents

- Some threats (process, implementations, services,

operations, cryptography)

- Obtaining technical proofs


2008 R2 83

4.a.1. WHY auditing a PKI?




• Justify the trust to the PKI:

– For insurers, regulators: law compliance (EU SignatureDirective, EU Data Privacy Directive, France: CNIL,Payment: PCI DSS, SAS70)

– For superior CA: prove compliance

– For subscribers/customers/users: may request it

=> Show that operations are performed according to theCPS, and are done in accordance of the Certificate Policy

• Corporate image, marketing argument

– ISO 27002 - compliancy, chapter 12


2008 R2 84

4.a.2. WHEN auditing a PKI?




• During/straight after the Root KeyCeremony

• Periodically, according to the CP & CPS

• In case of a major change (CA mod, new solution)

• When a disaster happens


2008 R2 85

4.b. Useful documents




• You should request the customer for:

– Threat & Risks Assessment

– The Root Key Generation process

– Certificate Policy

– Certification Practice Statement

• Interesting reading material:

– PAG, PKI Assessment Guidelines

– PKIX IETF Working group: RFCs


2008 R2 86

4.c. Some threats




- Process

- Certificate implementations

- Services

- Operations

- Cryptography


2008 R2 87

4.c.1. Threats - Process




• Private key protection: Root CA, each CA

– Physical security (virtual machine? Offline server?)

– How many people are needed to decrypt it? (HSM?)

• Role separation:

– Enabled? Administrator, Cert Mgrs, Backup, auditor +• Key Recovery Manager: approval process

• Enrollment Agent: how is that account secured?

• Revocation: is it performed? (alert, execution, spreading)

• Training users: not to ignore cert. errors, if possible

technical enforcement


2008 R2 88

4.c.2. Threats – Certificate implementations




• ASN.1/DER parsing: certificates, CRL => fuzzing

• PKCS #x API vulnerability?• Revocation implementation: reachable? Up to date?

• Templates design: (is the CP secured regarding the criticalityof issued certs?)

– Asymmetric algorithms + key length, signature algo – ACL

• Private keys: Key cloning, key encryption? (Backup, duplication)

• Client design & configuration:

– does it respect the template? – does it check correctly the revocation? – what happens if there is a revocation error?


2008 R2 89

- Attacking Certificate infrastructures www.canola-jones.com/material/candj-rsa050218.pdf

4.c.3. Threats – Certificate services

http://www.canola-jones.com/material/candj-rsa050218.pdf









• Revocation:

– availability: OCSP, CRL

– integrity:

• OCSP replay attack => nonce protection

• time attacks (cert. expiration date, revocation)

• Corrupted DNS: service location often relies on it!

• Dimensioning of issuing CAs: Computational & storage cost

• "classic" Windows Server security

• Client security: trusted Root CA store, private key storage


2008 R2 90

4.c.3 Threats – Cert. operations




• Private key:

– Theft: revocation speed, propagation, check? – Storage: export, storing on unencrypted medium, valuable key

protected by an easier to crack secret (eg: weak password policy)

• CA management: conform to CPS?

– Backup, administration …

• Client management: encrypted FS, private key ACL, cacheon FS storing smart card private key?

• Weak hash func. used: md5 collisions O(2 ) ; SHA-1: O(2 )


2008 R2 91

21 51

4.c.4. Threats - Cryptography




• Assumption: “hardness of a specific mathematical

problem” (eg: prime factoring, discrete logarithm…)

– Asymmetric crypto: what is the impact of• mathematical discoveries in computational number theory?

• the way of computing such problems? (eg: quantum comp.)

• Increase of computing power (cloud, botnet)

• Hash functions: similar fears

– (eg: preimage attack, collision, second preimage attack)

• Random Number Generation: is the entropy good enough?- time, temp. sensors, mouse …


2008 R2 92

Stephane Manuel, Classification and Generation of Disturbance Vectors for Col lision Attacks against SHA -1

4.d. Obtaining technical proofs

http://eprint.iacr.org/2008/469.pdf







• Services: health, web bindings• Windows events


2008 R2 93

4.d.1.1. Services - Health




• Basic services configuration errors

• PKIView.msc


2008 R2 94

4.d.1.2. Services / web bindings





2008 R2 95

Role Host Service /

process

Default

identity

Dependencies

ADCS service Certsrv.exe Local system NO/NO

OCSP service Ocspsvc.exe Network Svc NO/NO

Web

enrollment

IIS default

website

/certsrv ApplicationPoo

lIdentity

CEP IIS default

website

/ADPolicyProvi

der_CEP_Usern

amePassword

ApplicationPoo

lIdentity

CES IIS default

website

/%CA_NAME%

_CES_Usernam

ePassword

ApplicationPoo

lIdentity

• Default configuration:

4.d.2.1. Proofs - events - graphically




• Eventvwr.msc• Default custom view:

• Examples:


2008 R2 97

4.d.2.2. Audit – events – under the hood




• Mainly stored in the "Application" log

• ADCS filter:


2008 R2 98

4.d.2.2. Audit – events – under the hood 2




• Interesting logs: Applications, Security

• Required rights: Read permission onHKLM\SYSTEM\CurrentControlSet\services\eventlog\Applications

• Default permissions:


2008 R2 99



4.d.2.3. Audit-Events – command line




• Examples (continued)

• Example using XML filter


2008 R2 101

4.d.4. Auditing Key Storage Provider events




On a CA, as a local system administrator:

- Then restart ADCS


2008 R2 102

auditpol /set /subcategory:"other system events"

/success:enable /failure:enable

5. Beyond the Microsoft PKI




• PKI challenges• Other commonly used PKI

• Beyond the PKI model


2008 R2 103

5.a. PKI challenges




• Education: user, trainer, IT Pro

• Legal, patents and national security (eg. BitLocker, US gov)

– Privacy compromises: PII, PKI & biometrics?

• Technical :

– Revocation: CRL (bandwidth), OCSP (latency) – private key protection (eg: single factor authentication mechanism,

weak password…)

– intense computations

– assumptions: computational number theory, namingcontext, computational power!

• Management costs: … PKI as a service? (eg. Verisign)


2008 R2 104

5.b. Other commonly used PKI




PKI systems

• OpenSSL

• OpenTrust

• OpenCA

• PGP Cert. server

• Entrust

• RSA• Digital trust

• Cybertrust

• Spyrus

• Centrify (Mac OS X)• Red-Hat cert. systems

• IBM (z/OS)

• … Technical overview of the Microsoft PKI ADCS

2008 R2 105

PKI services

• Verisign

• Globalsign

• Verizon

• …

5.c. Beyond the PKI model?




• A major problem:

– “user click fatigue”: Too many Root CA + Difficulty to push them

… while “focus on the user and all else will follow”, Google

• X.509 v3 supports additional trust topologies:

– Bridges (trust the nodes which the peers I trust do trust)

(~ to social networks trust)

– Meshes (trust dynamically a selected subset of nodes): PGP

• Concept: An object (cert.) integrity is protected by a

separate object (signature): how to mix them in one?


2008 R2 106

6. References




- Windows Server 2008, PKI and Certificate Security, Brian Komar, MS Press

- Technet: http://technet.microsoft.com - Wikipedia

- MCTS 70-640, Active Directory, MS Press

- PKI Enhancements in Windows 7 and WS2008R2, John Morello

- PKI in practical use http://kenya.connect-soft.com/PKI%20in%20practical%20use.pdf

- http://www.verisign.com/authentication/information-center/authentication-resources/whitepaper-cost-effective-pki.pdf

- Attacking Certificate infrastructures www.canola-jones.com/material/candj-rsa050218.pdf

- http://blogs.technet.com/b/pki/archive/2010/01/12/windows-ca-performance-numbers.aspx

- PAG, PKI Assessment Guidelines,


2008 R2 107

Thanks for your attention!

http://technet.microsoft.com/

http://kenya.connect-soft.com/PKI%20in%20practical%20use.pdf

http://www.verisign.com/authentication/information-center/authentication-resources/whitepaper-cost-effective-pki.pdf





































http://technet.microsoft.com/



Thanks for your attention!

http://esec.fr.sogeti.com

http://esec.fr.sogeti.com/

http://esec.fr.sogeti.com/

Documents

2011-03-Overview of the Microsoft PKI - ADCS 2008 R2-V_1.02-Fabien_Duchene