Client Certificates
Security Professionals 2012 Preconference Seminar
8:30-Noon, Tuesday, May 15th, 2012, White River Ballroom B, JW Marriott, Indianapolis IN
Joe St Sauver, Ph.D. (joe@[email protected]), InCommon Certificate Program Manager and Internet2 Nationwide Security Programs Manager
http://pages.uoregon.edu/joe/secprof2012/
Disclaimer: The opinions expressed in this talk represent those of its author, and do not necessarily represent the opinion of any other entity.

Preface

Our Time Together Today
• Since three hours is a relatively long time for a single session, we're going to go through material for about an hour and a half (until about 10:00), and then we'll take a coffee break outside of room 103 for a half hour or so. Around 10:30, we'll crank back up and finish the rest of the material we want to go over.
• If you have any questions at any time, feel free to speak up. While I've prepared a fairly structured session given the number of attendees that are expected, I've still tried to build in time for discussion, and I know that some of you may already be experienced with client certs and have much to share yourselves.
• Finally, I also want to make sure we've got time to help you actually get a client cert installed and up and running on your system, if you'd like to try doing this.
• Are there any questions at this point?

Introductions
• Let's take a minute or two to go around the room and introduce ourselves.
• Please say:
-- who you are
-- what school you're with
-- anything your site may currently be doing with client certs
-- why you're interested in client certs/anything you particularly hope we cover today

Strong Cryptography and Federal/International Law
• Strong cryptography is critical to computer and network security, including enabling secure authentication and online commerce, protecting personally identifiable information (PII) stored online, and legitimately ensuring personal privacy for law-abiding citizens.
• At the same time, strong cryptography is subject to complex regulation in many countries, including the United States. Why? Use of encryption makes it harder for national security agencies and law enforcement organizations to lawfully intercept criminal communications and national-security-related communications.
• Therefore, our goal when talking about strong cryptography is to always abide by federal laws and international treaties relating to controls over strong cryptography, and to do what we can to ensure that strong cryptography doesn't get misused in ways that might either harm our national security or interfere with the lawful investigation and prosecution of criminals.

Since We'll Be Giving You Strong Hardware Crypto Products
• You warrant that you aren't barred from obtaining and using strong crypto products or software, NOR are you barred from receiving training on it.
• Specifically, this means that you assert that you are NOT a citizen, national, or resident of Burma, Cuba, Iran, Iraq, North Korea, Sudan, Syria, or any other country blocked from obtaining strong cryptography products.
• You are NOT a "denied person," a "specially designated national," or any similar individual forbidden to access strong cryptography by the US government (www.bis.doc.gov/complianceandenforcement/liststocheck.htm)
• You are neither a terrorist nor a trafficker/user of illegal controlled substances, NOR are you directly or indirectly involved in the design, development, fabrication or use of weapons of mass destruction (including improvised explosive devices, nuclear, chemical, biological, or radiological weapons, nor missile technology, see 18 USC Chapter 113B)
• You agree NOT to redistribute or retransfer cryptographic products or software to anyone who is in one of the previously mentioned prohibited categories.
• You understand and agree that the foregoing is by way of example and is not an exhaustive description of all prohibited entities, and that this is not legal advice. For legal advice relating to strong crypto, please consult your own attorney.

"First, Do No Harm"
• Some of you may want to "follow along" as we go through today's training materials. If so, that's terrific. However please ONLY do so if you've got a recent backup of your system, and your system (if supplied by your university) is NOT "locked down" by your university IT department.
• If you have NOT backed up your system recently, or your university IT department does NOT want you to tinker with your laptop, please feel free to watch as we go over today but please do not try to install any new software or otherwise modify your system.
• Also, if you already have a client certificate installed on your system, you may want to refrain from installing another one, and in particular PLEASE do NOT intentionally delete any client certificates you may already have installed on your system!

Oh, And For Those of You Who May Have Been Worried, No, We're Not Going to Dive Into Any Advanced Crypto-Related Mathematics Today
• Our focus today is on helping you get to the point where you can actually use client certificates, particularly for secure email, and getting you to the point where you understand the practical limitations associated with those technologies. You don't need advanced mathematics to do that.
• So if you hated mathematics while going through school, relax. :-) Virtually everything we're going to talk about today should be non-mathematical.
• Let's dive right in. We'll begin by talking about why you might want to use client certificates, particularly for signing and encrypting email.

I. Motivating An Interest in Client Certificates ("PKI"): Securing Email

Why Might We Need To Sign and/or Encrypt Email?
• Put simply, regular email is horribly insecure.
• Email is trivial to spoof: even technically unskilled users can simply put bogus identity information into the preferences panel of their email client and voila, they're "Santa" (or pretty much anyone else they want to be). You just can't trust the non-cryptographically-signed contents of email that you may receive – it may all be complete rubbish.
• Most email is also trivial to sniff on the wire (or read in the mail spool): messages normally aren't encrypted when transmitted or stored, so unauthorized parties can read your communications. "Trusted insiders" may also access confidential communications.
• Let's take a look at a couple of practical examples of these sorts of exposures.

The Simple Road to Spoofing Email: Just Change Your Preferences in Mozilla Thunderbird
[Yes, this will work. But no, please don't actually do this.]

"But Won't SPF and/or DKIM Eliminate the Spoofing Problem?"
• SPF (www.openspf.org) and DKIM (www.dkim.org) were meant to help fix spoofing, and they do, but they're not a total solution.
• For instance, SPF/DKIM cannot protect you against spoofed email that is injected from an authorized source. Classic example:
-- College faculty member and her students all have accounts in the same example.edu domain, and all send from "on campus"
-- A malicious class member forges a message from a campus computer lab, pretending to be the faculty member, "cancelling class" or "assigning extra homework" (or whatever).
SPF and DKIM aren't designed to defend against this sort of attack.
• Security folks tend to like belt-and-suspender ("defense in depth") solutions anyhow, and just because you're doing SPF or DKIM, that doesn't preclude also doing message level crypto, right?

A Simple Example of How Easy It Is To Sniff Typical Plain Text Email Using Wireshark
• Send a simple mail message...
% mailx -s "testing 123" [email protected] Joe!
I don't think this is very secure, do you?
Joe
.
• If someone is using Wireshark to watch your traffic, they'd see:

"But Joe! All Our Networks Are Switched Ethernet! There'd Be No Traffic to Sniff!"
• Sites sometimes have a false sense of security when it comes to their vulnerability to sniffing. Specifically, some may believe that because they use switched ethernet, traffic intended for a given system will ONLY flow to the appropriate system's switch port.
• You may already be aware that many switches can be forced to act like hubs through a variety of well known techniques (see for example http://ettercap.sourceforge.net/). Thus, even if your infrastructure is intended to isolate traffic on a per-port basis, in practice, that process may fail to maintain traffic separation.
• You also can't ensure that traffic won't be sniffed once it leaves your local network.
• Therefore, you should assume that any unencrypted network traffic, including most email, can be sniffed and read.

Of Course, If Someone's Got Root, They Can Look At Anything On The System, Including Email Messages...
% su
Password:
# cat /var/mail/joe
From [email protected] Sun Feb 12 14:30:54 2012
Return-Path: <[email protected]>
Received: by canard.uoregon.edu (Postfix, from userid 501)
        id 5C221D537D4; Sun, 12 Feb 2012 14:30:54 -0800 (PST)
To: [email protected]
Subject: Some thoughts on the insider threat
Message-Id: <[email protected]>
Date: Sun, 12 Feb 2012 14:30:54 -0800 (PST)
From: [email protected] (Joe St Sauver)
Status: O

Hi Joe,

I wonder if a system admin with root priv could read the mail that's sitting in my mail spool? You know, I bet s/he could...

Joe

BUT If Your Email Is Encrypted, It May Not Matter If Someone Does A Little "Browsing:" The Following Isn't Very Informative, Is It?
[This base64 encoded file is actually a base64 encoded encrypted file]

Email Is Also Potentially Subject to Lawful Intercept and/or Compulsory (or Even Voluntary) Disclosure
http://www.cybercrime.gov/ssmanual/ssmanual2009.pdf at page 138

Reducing The Transport Email Sniffing Vulnerability: Opportunistic SSL/TLS Encryption
• You can reduce the extent to which email traffic is subject to sniffing on the wire by enabling opportunistic SSL/TLS encryption. This means that if the MTAs on both sides of the conversation are ready and willing to do SSL/TLS encryption, it will be negotiated and used whenever it can be. See for example:
http://www.exim.org/exim-html-3.20/doc/html/spec_38.html
http://www.postfix.org/TLS_README.html
http://www.sendmail.org/~ca/email/starttls.html
• However, SSL/TLS will not protect email over links that don't have TLS/SSL enabled, nor does it protect stored mail once it has been received and saved to disk at its destination. That is, it is not "end-to-end."

Obtaining *End-to-End* Protection Requires Message-Level Signing and Encryption, E.G., Use of PGP/GPG, or Use of S/MIME
• There are two basic approaches to getting end-to-end protection for email messages:
• Pretty Good Privacy (PGP) (or GNU Privacy Guard (GPG)), see RFC4880, *OR*
• S/MIME (RFC5751) with personal certificates.
• PGP/GPG is probably the more common of those two options, and one that many of you may already use, but today we're going to talk about using S/MIME with client certificates, instead.
• Before we can dig in, however, we need a little "crypto backfill"

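The two slides above separate hop-by-hop TLS from message-level protection. The following Python code is an added example, not part of the original slides: it reads a message's Received headers (RFC 3848 "with" keywords) and its Content-Type to report the two layers separately. The sample messages, host names and the `audit` helper are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords in Received headers: ESMTPS/ESMTPSA/LMTPS/LMTPSA
# mean the hop used STARTTLS; SMTP/ESMTP/ESMTPA/LMTP mean it did not.
_WITH = re.compile(r"\bwith\s+((?:E?SMTP|LMTP)(S?)A?)\b", re.IGNORECASE)

SMIME_TYPES = {"enveloped-data": "smime-encrypted", "signed-data": "smime-signed"}


def hop_transport(received_value):
    """Return (protocol, used_tls) for one Received header value.

    protocol is None when no network protocol keyword is present, as in a
    local submission like "by host (Postfix, from userid 501)".
    """
    match = _WITH.search(received_value)
    if not match:
        return (None, False)
    return (match.group(1).upper(), bool(match.group(2)))


def message_protection(msg):
    """Classify message-level (end-to-end) protection from the MIME type."""
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    smime_type = str(msg.get_param("smime-type") or "").lower()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return SMIME_TYPES.get(smime_type, "smime-other")
    if ctype == "multipart/signed":
        if protocol in ("application/pkcs7-signature",
                        "application/x-pkcs7-signature"):
            return "smime-signed"
        if protocol == "application/pgp-signature":
            return "pgp-signed"
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-encrypted"
    return "none"


def audit(raw):
    """Report transport and message-level protection for one raw message.

    Caveat: Received lines are only as trustworthy as the relay that wrote
    them; anything below the first relay you control can be forged.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    hops = [hop_transport(v) for v in reversed(received)]  # oldest hop first
    protection = message_protection(msg)
    encrypted = protection in ("smime-encrypted", "pgp-encrypted")
    cleartext_hop = any(p is not None and not tls for p, tls in hops)
    return {
        "hops": hops,
        "protection": protection,
        # sniffable on the wire: some hop lacked TLS and the body is not encrypted
        "readable_in_transit": cleartext_hop and not encrypted,
        # readable in the mail spool: TLS ends at the MTA, so only
        # message-level encryption helps here (a signature alone does not)
        "readable_at_rest": not encrypted,
    }


def _sample(hops, content_type):
    """Build a constructed message; hops are listed newest first, as in real mail."""
    lines = ["Received: from a.example.net by b.example.edu with %s id X1; "
             "Tue, 15 May 2012 09:00:00 -0500" % h for h in hops]
    lines += ["From: prof@example.edu", "To: student@example.edu",
              "Subject: constructed sample", "MIME-Version: 1.0",
              "Content-Type: " + content_type, "", "body placeholder", ""]
    return "\n".join(lines)


# Constructed samples (not captured traffic).
PLAIN_MIXED = _sample(["ESMTP", "ESMTPS"], "text/plain")
PLAIN_TLS = _sample(["ESMTPS", "ESMTPSA"], "text/plain")
SMIME_ENC = _sample(["ESMTP"], 'application/pkcs7-mime; '
                    'smime-type=enveloped-data; name="smime.p7m"')
SMIME_SIGNED = _sample(["ESMTPS"], 'multipart/signed; micalg=sha1; '
                       'protocol="application/pkcs7-signature"; boundary="b1"')

if __name__ == "__main__":
    for name in ("PLAIN_MIXED", "PLAIN_TLS", "SMIME_ENC", "SMIME_SIGNED"):
        print(name, audit(globals()[name]))
```
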
II.AMinisculeLibleBitofCryptographicBackfill
20
PublicKeyCryptography
• Therearebasicallytwotypesofcryptography:symmetrickeycrypto,andpublickey(asymmetric)crypto.
• Insymmetrickeycryptography,amessagegetsencryptedANDdecryptedusingthesamesecretkey.Thatmeansthatbeforeyoucanshareasecretmessagewithsomeone,youneedasecretkeyyou'vebothpreviouslyagreedupon(chicken,meetegg).
• BothPGP/GPGandS/MIMEwithpersonalcerPficates,ontheotherhand,relyonpublickeycryptographytosignorencryptmessages.Inpublickeycryptography,theusercreatesapairofmathemaPcally‐relatedcryptographickeys:oneprivatekeythatonlytheuserknows,plusarelatedpublickeythatcanbefreelysharedwithanyonewho'sinterested.Havingauser'spublickeydoesn'tallowyoutoderivethatuser'scorrespondingprivatekey,butitdoesallowyoutocreateanencryptedmessageforthatuserviaa"oneway"or"trapdoor"mathemaPcalprocess.
21
But Wait, There's More! Public Key Cryptography Can Slice, Dice and Make Julienne Fries, Too...
• Well, that may be a slight exaggeration.
• But public key cryptography does allow you to do at least one more cool trick: the holder of the private key can also digitally sign a file with their private key. Once that file is digitally signed:
-- it can't be changed without invalidating the message signature (e.g., it acts as an anti-tampering checksum value)
-- anyone who has a copy of the corresponding public key can verify that it was signed by someone who had access to the corresponding private key

How Do Certificates Fit Into All This?
• So far we've only been talking about public keys and private keys. You may wonder how certificates fit into all this.
• The answer is that certificates attach an identity to a cryptographic key pair.
• If you're like most folks, when you hear "certificates" in an online context, you think of SSL web server certificates. That's not what we're going to be talking about today. Those certificates are issued to servers. The certs we're going to talk about today get issued to *people*, instead.
• But first, let's begin with something we're all familiar with: meeting a new person in real life.

Mapping Users to Identities In "Real Life"
• If I meet you face-to-face, perhaps at the hotel bar, you might tell me, "Hi, I'm Robert Jones. Nice to meet you!" In a casual context at a social event of that sort, we might smile, shake hands, exchange cards, engage in some chit chat, and leave it at that – it doesn't really matter if you are (or aren't) who you claim to be. I'll just temporarily accept (and then unfortunately probably quickly forget) your "self-asserted identity." That's OK.
• If it turns out that I eventually need confirmation of who you are, I might ask trusted colleagues, "Hey, see that guy over there? Who is he?" If they all say, "Oh, that's Robert Jones. I've known him for years," that might give me confidence that you really are him.
• Other times, for example if you're in a strange city, or someone's trusting you with a valuable asset (such as a rental car), you might need to show a drivers license or other government issued ID since no one "knows your name." (ObCheers: "Norm!")

Mapping Users To Identities Online: PGP/GPG
• A similar problem exists online. How do you know which publicly offered PGP/GPG key is the real one that a person's actually using, and not a pretender's credentials? In PGP/GPG, this is done via a "web of trust."
• In PGP/GPG, a PGP/GPG public key gets digitally signed by other PGP/GPG users who have personally confirmed that person's ID. (This often gets done at PGP/GPG "key signing parties," like the one that will happen at 6:30 PM on Wednesday night). Normally a key holder will get signatures from multiple friends or colleagues.
• Recursively, how do you know that you should trust those signatures? Well, those signatures were made with keys that have ALSO been signed by other colleagues, and so on and so forth.
• While this sounds incredibly ad hoc and kludgy, in practice, it actually works pretty well (at least for technical users) – it really is a small world out there, "six degrees of Kevin Bacon"-wise.

The Web of Trust Is For Keys (Not Necessarily Their Owners)
• An important note about the cryptographic "web of trust:"
Someone signing a PGP/GPG key is not saying that that person whose key they've signed is a "trustworthy" person.
Completely evil people may have well-signed PGP/GPG keys!
• When someone signs another person's PGP/GPG key, they're only saying that:
-- they've looked at that person's government issued ID,
-- that person indicated that that public key is theirs.
That is, they're binding an identity to a cryptographic credential.

Personal Certificates
• In the case of S/MIME with personal certificates, a web of trust isn't used. In the S/MIME case, trust gets established hierarchically ("top down").
• That is, a personal certificate is trusted because it has been issued by a broadly accepted certificate authority ("CA"), an entity that you (and most other Internet users) accept as reliable for the purpose of binding identities to credentials.
• CAs tend to be very careful when it comes to doing what they say they're going to do (specifically, very careful to do what they say they're going to do in their "Certificate Practices Statement"), because if they don't, people (including browser vendors and the CAB Forum) will stop trusting them and then they'll quickly be totally out of business (literally).

'So What's this "CAB Forum?"'
• No, it's not a taxi cab association.
• The Certificate and Browser Forum is an influential body made up of Certificate Authorities (that's the "CA" in their name) and Browser Vendors (that's the "B" in their name).
• Their website is http://www.cabforum.org
• As a practical matter, increasingly they're effectively establishing the practices/norms that apply to the entire certificate industry, and FWIW, they're making the ship far more shipshape. :-)
• Previously, various industry groups, such as the Mozilla Foundation, had a lot to do with what was or wasn't acceptable: put simply, if you wanted your certificates to be trusted in Firefox, you complied with what the Mozilla Foundation required. Ditto for Internet Explorer and Microsoft, etc.

"What Does a CPS Actually Look Like?"
• CPS documents as a class are probably one of the most widely ignored categories of documents in the world.
• However, sometimes folks who have a hard time sleeping actually want to read Certificate Practices Statements. If you'd like to check some out, you can see, for example, InCommon's Certificate Service CPS: https://www.incommon.org/cert/repository/
• You'll see separate CPS for the InCommon standard SSL certificate offering, the extended validation certificate offering, the client certificate offering, and the code signing certificate offering. The various "profile" documents are also potentially quite informative.
• Similar documents should be available for any public certificate issuer.
• One of the things they cover is how identity gets validated, and what expectations should be for a particular type of cert.

III. Identities and Levels of Assurance

A Real Name, or Just An Email Address?
• There may be some confusion when it comes to the "identity" that a cryptographic credential asserts – is it a person's "real name" (e.g., as shown on their driver's license or their passport), or is it something more ephemeral, such as just their email address?
• The answer is, "it may depend." Some standard assurance personal certificates only validate a user's control over an email address, typically by sending a cryptographic challenge to that address. That's the sort of client certs we'll be working with today.
• Other client certificates may require much more rigorous "identity proofing," perhaps requiring the user to supply government issued identification (or even to undergo a complete background check) before they get issued a higher assurance client cert.

HSPD-12 and Federal CAC/PIV-I Cards
• On August 27th, 2004, then-President George W. Bush issued "Homeland Security Presidential Directive 12," (see http://www.idmanagement.gov/documents/HSPD-12.htm) mandating the establishment of a common identity standard for federal employees and contractors.
• As a result, the federal government (and approved commercial contractors acting on the government's behalf) have already collectively issued millions of "Common Access Cards" ("CACs") and "Personal Identity Verification-Interoperable" ("PIV-I") smart cards.
• "First responders" alone (as defined in HSPD-8) may ultimately require issuance of over 25.3 million such cards. (see http://www.dhs.gov/xlibrary/assets/Partnership_Program_Benefits_Tax_Payers_Public_and_Private_Sector.pdf)
• Part of that process is identity proofing those users – including, in this case, even doing background investigations.

Source: http://www.idmanagement.gov/presentations/HSPD12_Current_Status.pdf

An Aside: CAC/PIV Is A "Proof By Example" That Certs Are Usable By "Mere Mortal" End-Users
• If it was too hard to issue or use a CAC/PIV card, millions of federal employees and contractors would be having trouble doing so. But they're not. For the most part, PKI on hard tokens or smart cards now "just works." This is a real testimony to the hard work of the federal employees and contractors who have been involved with that project.
• This is not to say that there aren't *some* intricacies that may need to be explained. One site that's done a terrific job of user education is the Naval Postgraduate School. Check out their outstanding tri-fold brochure explaining how to use a military CAC card: www.nps.edu/Technology/Security/CAC-guide.pdf
With the help of that guide, I think most folks would be able to figure out how to do basic CAC/PIV tasks.

Why Are The Feds Using Client Certs? If You Need NIST "LOA-4", They're Basically Your Only Practical Option
• NIST 800-63 Version 1.0.2 (see csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf) says:
"Level 4 – Level 4 is intended to provide the highest practical remote network authentication assurance. Level 4 authentication is based on proof of possession of a key through a cryptographic protocol. Level 4 is similar to Level 3 except that only "hard" cryptographic tokens are allowed, FIPS 140-2 cryptographic module validation requirements are strengthened, and subsequent critical data transfers must be authenticated via a key bound to the authentication process. The token shall be a hardware cryptographic module validated at FIPS 140-2 Level 2 or higher overall with at least FIPS 140-2 Level 3 physical security. By requiring a physical token, which cannot readily be copied and since FIPS 140-2 requires operator authentication at Level 2 and higher, this level ensures good, two factor remote authentication."

An Aside.... Does Higher Ed *HAVE* Any Use Cases That Actually Require LOA-4?
• Wearing my InCommon Certificate Program Manager hat for a minute, currently InCommon has only one client certificate offering, standard assurance client certs. Should we also have a client certificate offerings tied to the InCommon Assurance Program (e.g., Bronze, Silver, etc.)?
• Do we have any usage case that would require LOA-4, or would LOA-3 be "good enough" for all potential higher ed usage scenarios? (LOA-3 requires two factor, but not necessarily client certs). I'm strongly interested in understanding what might drive LOA-4 adoption...
• If we did offer an LOA-3 or LOA-4 compliant cert profile, it would imply stronger identity proofing. Would higher education users be willing to put up with rigorous identity proofing hassles? (by way of comparison, we haven't seen a tremendous number of extended validation server certificates requested, even though they're available at no additional cost as part of the InCommon Certificate Program)

An Aside: "Identity Proofing" for Regular Citizens
• If you travel extensively, you've probably run into long lines at customs, either while coming into the U.S., or perhaps while travelling into Canada or Mexico. If so, you may have noticed that some folks ("Trusted Travellers") can use the "Global Online Entry System" ("GOES") and/or NEXUS/SENTRI to avoid those lines. A growing number of airports also offer "TSA PreCheck" lines for participants in that program. (see http://www.globalentry.gov/). "Trusted Travellers" are issued a machine readable high-assurance credential ($50 for 5 years) for that purpose.
• Obviously, however, it would be bad to issue a credential of this sort to a person you hadn't thoroughly identity proofed. Therefore, if you apply to be a Trusted Traveller, your identity is validated in multiple ways including a review of government records (you don't want to issue a card to a criminal, for example!); review of existing documents (such as your passport); collection of biometrics, e.g., a photograph, fingerprints, and in some cases a picture of iris/retina. You also need to physically appear in person for an interview. Travellers weary of being stalled at the border will put up with those hassles, but would regular higher ed users do so?

Some Federal High Security Applications That Now Use Client Certs May Be Surprising

Client Certs Can Even Be Secure Enough for Use in Conjunction with National Security Systems
• The "National Policy for Public Key Infrastructure in National Security Systems," March 2009 (http://www.cnss.gov/Assets/pdf/CNSSP-25.pdf) makes it clear that client certs even form the foundation for NSS uses:
"(U) NSS operating at the unclassified level shall obtain PKI support from the established Federal PKI Architecture."
"(U) NSS operating at the Secret level shall obtain PKI support from the NSS-PKI."
"(U) The NSS-PKI hierarchy shall rest on a Root Certificate Authority (CA) operated on behalf of the national security community in accordance with policies established by the CNSS PKI Member Governing Body. The NSS-PKI Root CA shall serve as the anchor of trust for the NSS-PKI."
• TS/SCI ("JWICS") counterpart of the NSS-PKI? IC-PKI.

Certificates Are Now Also Being Used to Secure National Critical Infrastructure
• For example, consider the national electrical grid. The North American Energy Standards Board's ("NAESB") 2012 Annual Plan for the Wholesale Electric Quadrant specifically discusses their plans for deploying PKI on pages 4 and following. (See http://www.naesb.org/pdf4/weq_2012_annual_plan.docx and http://www.naesb.org/weq/weq_pki.asp)
• This is beginning to be deployed/made real, too, right now:
-- "Shift Systems Identified as the First NAESB Authorized Certification Authority," Feb 16, 2012, http://www.prnewswire.com/news-releases/shift-systems-identified-as-the-first-naesb-authorized-certification-authority-139493283.html
-- "OATI webCARES Authorized by NAESB for webRegistry," Apr 11, 2012, http://www.prweb.com/releases/2012/4/prweb9390545.htm
-- "GlobalSign Announces Accreditation as Authorized Certificate Authority for the North American Energy Standards Board," Apr 23, 2012, http://www.prweb.com/releases/2012/4/prweb9431614.htm

And, Of Course, Some Large Corporations and Agencies Have Used Client Certificates for Years
• A nice indication of interest in/use of client certificates can be seen in things like participation in the "Smart Card Alliance," see http://www.smartcardalliance.org/pages/alliance-members including: American Express, Bank of America, Booz Allen Hamilton, Capital One, Chase, CSC, Deloitte & Touche, Hewlett-Packard, Ingersoll Rand, Lockheed Martin, MasterCard, SAIC, Visa, Wells Fargo, and many others.
• To understand how smart cards relate to client certificates, note that smart cards are a way to securely store client certificates on what looks like a credit card (if you look closely, you'll see that a smart card differs from a traditional credit card in that it has a small set of flush gold-colored contacts on the front).
• Many large companies use smart cards as the foundation for their corporate employee ID cards.

IV. "Non Adoption" of Client Certs

So Why Haven't Client Certs "Taken Off" More Broadly?
• And what can we do to fix this, assuming we want to?
• It isn't simply that client certs are new... http://en.wikipedia.org/wiki/Public_key_infrastructure#History ties the origin of PKI to 1969, with public disclosure of some of the key algorithms dating to 1976 – that's thirty five years ago. The RSA PKCS ("Public Key Cryptography Standards") documents date to 1993 – that's eighteen years ago. By Internet standards, all of this work is "ancient" (or "well established," if you prefer).
• So it isn't simply that PKI's the "new kid on the block."
• There are (or may be) many other possible reasons why client certificates have struggled so far....

Economics? Are Client Certs Too Expensive?
• "There are several reasons PKI has failed, says Peter Tippett, head of the industry solutions and security practice at Verizon Business.
"The main reason organisations do not use PKI, he told attendees of RSA Conference 2011, is that it costs too much.
"Speaking on a debate on the importance of identity to internet security, he said very few organisations are able to make a business case for spending $200 to $300 per user, per year."
"Why Public Key Infrastructure Has Failed", http://www.computerweekly.com/blogs/read-all-about-it/2011/02/why-public-key-infrastructure.html [emphasis added]
How much would YOUR school pay per user, per year?

My Target Cost for Client Certs: $1/user/month
• Lacking hard data, I'm going to suggest a nominal amount that might be acceptable: $1/user/month (inclusive of all costs), over a normal four year undergraduate enrollment, or $48.00 per user over a quadrennial period.
• For context:
(a) www.nacs.org states that the average price for a new textbook in 2009-2010 was $62.00
(b) one major online vendor quotes 3 year RSA SecurID 700 one time password Tokens (in a 5 pack) @ $55.60/token
• InCommon sells hard tokens for $19.80/unit to Internet2 members (see http://www.incommon.org/safenet/pricing.html) which would leave ~$6/user/year to cover other costs, assuming client certs are getting deployed on USB format hard tokens.

In Some Cases, The Client Certs Themselves Are "Free"
• If you've signed up to participate in the InCommon Certificate program, you get the bundled ability to issue client certs at no additional cost, and even if your school doesn't participate in the InCommon Certificate program, individuals can still get free client certificates for personal/home use, see: www.comodo.com/home/email-security/free-email-certificate.php
• That said, obviously the cost of the certs themselves is not the only cost associated with rolling out client certs (for example, on the preceding page, we talked about hard token costs).
• So what other non-technical explanations, other than cost, do people offer for client certificate non-deployment?

Is Usability Actually The Problem?
• "Despite many years of effort, PKI technology has failed to take off except in a few niche areas. Reasons for this abound […] Probably the primary factor at the user level […] is the high level of difficulty involved in deploying and using a PKI. There is considerable evidence from mailing lists, Usenet newsgroups and web forums, and directly from the users themselves, that acquiring a certificate is the single biggest hurdle faced by users. For example various user comments indicate that it takes a skilled technical user between 30 minutes and 4 hours work to obtain a certificate from a public CA that performs little to no verification [...] [A] set of highly technical users, most with PhDs in computer science, took over two hours to set up a certificate for their own use and rated it as the most difficult computer task that they'd ever been asked to perform."
Peter Gutmann, University of Auckland, Usenix '03, http://dl.acm.org/citation.cfm?id=1251353.1251357

Things Have Come A Long Way, Usability-Wise
• For example, these days, the process for obtaining a client certificate can be as simple as:
-- Complete a short online secure web form
-- Click on a link sent to you by email to download your client certificate into your browser.
Don't believe it? We'll have everyone try getting their own client cert later in this session. (We might also talk about whether this has swung too far in the "too easy" direction, I suppose)
• There may still be some ugly bits to do after getting your cert (depending on how you want to use it), but at least some edu sites have developed local scripts that make the installation process pretty painless for their users.
• Internet2/InCommon is/soon will be working on offering a generally available certificate installation tool, based on/modeled after those site-specific installation tools.

Or Is The Problem That Other Solutions Have Usurped PKI's Market Niche(s)?
• If you've got PGP (or GNU Privacy Guard) to sign or encrypt email, do you also need PKI client certs and S/MIME for signed/encrypted email?
• If your site is using one time password (OTP) crypto fobs (or you use ssh with preshared keys), do you still need client certs for auth to sensitive systems? (And what about a 2nd channel solution leveraging smart phones, such as InCommon's new offering with Duo Security, see http://www.incommon.org/duo/index.html)
• Has the success of InCommon (and other federated authentication efforts) eliminated the need for PKI-based cross-entity credentials? Federation seems to be the direction that the National Strategy for Trusted Identities in Cyberspace (NSTIC) is going, and it may be worth noting that some have always worried about the privacy implications of PKI-style "national ID cards" online...

"Is NSTIC a plan to introduce a national ID card or an internet driver's license? Do I have to get one?"
"No. The government will not require that you get a trusted ID. If you want to get one, you will be able to choose among multiple identity providers—both private and public—and among multiple digital credentials. Such a marketplace will ensure that no single credential or centralized database can emerge. Even if you do choose to get a credential from an ID provider, you would still be able to surf the Web, write a blog, visit chat rooms, or do other things online anonymously or under a pseudonym". [FAQ item response continues here]
* http://www.nist.gov/nstic/faqs.html

A Humorous Comment (With An Underlying Grain of Truth?): The PKI DeLorean* Hypothesis
• "[M]aybe the possible future in which everything is PKI-enabled and digital certificates are ubiquitous is so horrendous that it actually sent ripples of bad luck back through time that sabotaged the development and deployment of PKI technology. Some things actually seem to make a lot of sense from this point of view."
"Why PKI Failed," Luther Martin, 29 October 2009, http://superconductor.voltage.com/2009/10/why-pki-failed.html [a blog about security, cryptography and usability]
* C.F. http://en.wikipedia.org/wiki/Back_to_the_Future

"Fixing PKI" – A Cottage Industry of Its Own
• PKI has been successful in one (quite perverse) way: it has succeeded in inspiring hundreds of papers and talks attempting to explain precisely why PKI has failed so far.
• One author even went so far as to say,
'[I]t seems a rite of passage for the serious security researcher to write a paper with a title such as "Improving PKI..." Never in the field of security research has so much been written by so many, to be read by so few.'
http://iang.org/ssl/pki_considered_harmful.html

Or Are Some Fundamental Technical Bits So Broken That They Make Sane People Run Away From PKI?
• For example, what about revoking or cancelling client certificates?
• Hypothetically imagine that you're a manager and you're firing an employee. As part of doing that, you collect their door key and company credit card (or you have the locks changed and the credit card cancelled if they've been "lost").
• But what about revoking a client certificate they might have been issued? (For now, let's assume that it wasn't issued in non-exportable form on a smart card or PKI hard token)
• How would you cancel or revoke it?

Revoking A Client Cert
• Unfortunately, unlike "taking back" a physical door key or cutting up a credit card, it's harder to "take back" an electronic credential.
• CRLs ("certificate revocation lists", see RFC3280 and RFC5280) were meant to handle this problem, much like those printed books of stolen or revoked credit card numbers that stores used to get from the bank card companies back in the old days. Most CAs currently publish a CRL once a day. Some users may check or download those daily CRLs, but most don't. And if you're a CA, or you're a user with a compromised cert, you really don't want to have to wait up to 24 hours to sort-of-revoke a compromised credential, nor do you really want millions of users to have to potentially download a huge file listing piles of revoked certs!
• OCSP ("online certificate status protocol", RFC2560) was meant to handle this issue much more directly, and interactively, but many browsers and email clients don't check a cert's OCSP status. Ugh.

Locally Importing a CRL
• An example of a CRL is: http://crl.usertrust.com/AddTrustExternalCARoot.crl
• If you visit that URL, it will be imported into your browser.
• You can also schedule the CRL to be automatically updated, if you'd like to do so...
• But, and this is critical if you believe scalability is important: you shouldn't need to download an ever growing list of killed certs.

CRLs: The "hosts" File of PKI
• Note that each CA will offer one or more CRLs, and there are hundreds of CAs out there! Normally you would NOT want to routinely import all those CRLs all the time on each system! This simply doesn't scale to Internet-size audiences.
• In many ways, this reminds me strongly of "hosts" files in the old pre-DNS days – you know, people would copy around static files with mappings of host names to IP addresses.
• Do you really think we'd have the size Internet we have today, if that sort of thing still had to happen? Clearly, no.
So What About OCSP?
• You can check to see how OCSP is configured in Firefox by going to about:config and then filtering for ocsp. For example (enlarged for ease of viewing):
• Note that OCSP is checked but is NOT REQUIRED by default in Firefox. You can change it to be required if you want to, but in doing so, you'll break access to some SSL/TLS-secured sites.
Chicken/Egg Interactions and Insisting on OCSP
• Assume you're connecting via a captive portal, and the captive portal blocks all external access by default until you've logged in to an SSL/TLS-secured page.
• Now assume that you are using a browser that strictly requires OCSP validation... but OCSP validation requires the ability to connect to the OCSP responder, and that requires the ability to resolve the DNS name, and to connect to that host... but that requires network access... Nice circular deadlock, eh?
• My point in dwelling on CRLs and OCSPs early in today's session is to give you a heads up that there are some architectural and security complexities that do exist, and that may be necessary to "resolve" if you want certs to work in some environments... but those don't need to be "show stoppers" in my opinion.
• Clearly cert revocation is (or can potentially be) tricky. This is why, when it really matters, browser vendors issue patches to kill certs
A List of Some Firefox Security Advisories
Example of One of Those Specific Advisories
I've Rambled Enough...
• We could talk for hours when it comes to providing crypto background, but let's see how this all actually works... let's get a client cert and get set up to send and receive secure email.
• The next part of today's session thus looks like:
-- applying for a client cert
-- successfully downloading/installing it in Firefox
-- backing it up
-- installing the cert in Thunderbird
-- configuring Thunderbird to do S/MIME
V. Getting A Free S/MIME Client Certificate
Getting a Free Client Cert for S/MIME With Firefox
• To do S/MIME, you'll need an email account and a client cert. We'll assume you already have an email account you can use, and we'll get our free-for-personal-use client certificate from Comodo. Thank you, Comodo! To get it, go to: http://tinyurl.com/free-cert (http://www.comodo.com/home/email-security/free-email-certificate.php)
• We're going to use Firefox to apply for and download our cert from Comodo. While you can use pretty much any popular browser with client certs, for the purpose of this training, if you're following along, as we go through this, please ONLY use Firefox. If you don't already have Firefox, you can get it for free from: http://www.mozilla.org/en-US/firefox/fx/
• Mac vs. PC or Linux: Although we'll be using Firefox on a Mac in these slides, Firefox on Microsoft Windows or Linux will be virtually identical.
Comodo's Free Secure Email Certificate Web Site
The Application Form You'll Complete
Successful Application…
At this point, folks, please check your email from Comodo. You'll need to go to the web link that they've sent you…
Collecting Your Certificate
To collect your certificate, using the SAME BROWSER on the SAME SYSTEM you used to apply for your certificate, go to the URL you were sent in email and plug in your email address and the unique password that they provided
Successful Certificate Download…
"Where Else Can I Get Client Certs?"
• While we're only going to show use of the free one year Comodo client cert for personal use in this training, you can also get a paid client cert from Comodo's "Enterprise SSL" division, and free or paid client certs from other vendors. See, for example:
-- http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html
-- http://www.globalsign.com/authentication-secure-email/digital-id/compare-digital-id.html
-- http://www.symantec.com/verisign/digital-id/buy
-- http://www.trustcenter.de/en/products/tc_personal_id.htm
InCommon's Client Certificate Program
• Because this is a higher education audience, I'll also note that if you sign up for InCommon's Client Certificate Service (see http://www.incommon.org/cert/), InCommon includes the ability for you to issue client certificates as well as traditional SSL/TLS server certificates at no extra charge.
• Also note that if you participate in InCommon's Certificate Program, you can issue certs both via a web interface (the "Comodo Certificate Manager") and via a programmable API with synchronous client cert issuance within five seconds.
• See https://www.incommon.org/cert/repository/ for the InCommon Certificate Manager (CM) Guide, the End User Guide for Client Certificates, and the Certificate Manager (CM) SMIME Enroll API Guide for more information.
VI. Examining and Backing Up Your New Client Certificate
"Okay, I've Got My Client Cert. What Do I Do Now?"
• When Comodo gave you your client cert, remember that they recommended that you back it up.
• We agree that's a good idea.
• You also need to "back up your certificate" in order to be able to get it into Thunderbird for use in email.
• Therefore, launch Firefox if you aren't already running it.
In Firefox, Go to Firefox --> Preferences…
The Firefox Certificate Manager
Notes: Select the "Your Certificates" tab on the Certificate Manager panel. If necessary, hit the triangular arrow to expand the list of Comodo certificates. You'll probably only see one certificate, the one you just got from Comodo. But just as a matter of form, let's confirm that it really is yours…
The General Tab Tells Us When The Cert Expires
The Details "View Cert" Tab Will Let Us See The Email Address Associated With Our New Cert
[Close the "View Certificate" box when you're done looking at it]
Okay, We've Picked The "Right One," So Let's Back It Up…
The "Name Your Backup" Dialog Box
Pick a name for your certificate backup file. It should end with a .p12 file extension. For example, you might call this file mycertbackup.p12. Be sure you save it as a PKCS12 type file.
The Firefox Cert Manager Backup-Password Dialog Box
Pick a strong password to secure your cert backup file.
PLEASE DO NOT FORGET THAT PASSWORD! YOU WILL NEED IT!
Backup Successful…
Note that you should save a copy of your backup to a CD, a thumb drive, or some external device just in case you lose your system, your drive crashes, etc.
VII. Importing Your Certificate Into Thunderbird
We're Now Going To Import Our New Certificate Into Thunderbird
• While there are many different popular email clients, we're going to show you how to import your client cert into Thunderbird. (Later we'll also explain how to use Outlook, and how to use client certs in Gmail web email with Penango, but for now, we're going to focus on Thunderbird)
• If you don't already have Thunderbird, and you'd like to get and install it now, you can get it for free from: http://www.mozilla.org/en-US/thunderbird/
• Note that Thunderbird has an automated installation wizard that should be able to correctly configure itself in most cases. A caution to any non-technical person looking at these slides later: in setting up your account, choose IMAP (and *NOT* POP) for your account type! If you select POP, you may download (and then delete) all the mail that you've had stored on your account!
"Why Can't Thunderbird Just Use The Cert That I've Already Got Installed in Firefox? They're Both Mozilla Applications, Aren't They?"
• Yes, both Firefox and Thunderbird ARE from Mozilla.
• While some applications rely on certificates stored centrally in a single operating-system-provided certificate store (e.g., in the "keychain" on the Mac), Firefox and Thunderbird do NOT do this.
• Firefox and Thunderbird use separate per-application certificate stores, instead. This gives users the flexibility to tailor what certs get potentially shown to each such application, but the downside is a slightly more complicated initial setup (you need to install your new certificate in multiple locations)
• For what it may be worth, at least Thunderbird's preferences should look very familiar to you after looking at Firefox's
In Thunderbird, Go to Thunderbird --> Preferences…
In The Certificate Manager, "Your Certificates" Tab, Click on Import
Select The .p12 Backup File You Want To Import
Supply the Password You Used for The Cert Backup
Successful Importation of The Cert Into Thunderbird
VIII. In Thunderbird, Associate Your Certificate With Your Email Account And Configure Thunderbird To Do Digital Signing
Thunderbird: Tools --> Account Settings
Security
Select The Cert You Want To Use For Digital Signing
Confirm That You Want To Also Use That Same Cert for Encrypting/Decrypting Messages
Make Sure You're Set To Digitally Sign Your Messages By Default
Thunderbird Configuration Is Now Complete…
• The hard part is over! You are now set to automatically digitally sign your Thunderbird email messages by default.
• And the good part is that now that you've got yourself successfully configured, you won't have to screw around with any of this for roughly a year (e.g., until just before your free Comodo personal certificate is close to expiring)
• Huzzah!
IX. Digitally Signing A Message In Thunderbird
Start Writing A Message The Way You Normally Would
NOTE THE "DIGITALLY SIGNED" SEAL AT THE BOTTOM RIGHT CORNER!
Optional: Confirm That The Message Will Be Signed
Click On The Padlock Icon On The Bar Or The Little Red Seal In The Bottom Right Corner If You Ever Want To Double Check!
Proceed to Send Your Message
• …just like you normally would. It will automatically be digitally signed with your certificate.
• Your recipients will see your normal message, plus an additional "p7s" attachment that will have your public key/certificate. (no, that's not malware :-))
• If your correspondent's email client supports S/MIME, it will automatically check and validate your digital signature.
• If your correspondent's email client doesn't support S/MIME, they can just safely ignore the extra p7s attachment.
X. Encrypting A Message In Thunderbird
Signing vs. Encrypting
• Digitally signed messages establish who prepared the body of the message, but anyone can still read that message: it's cryptographically signed, it's not encrypted.
• If the body of your message is sensitive, you may also want to consider encrypting it so that only the intended recipient (or someone with access to his private key) can read it.
• Oh, and it goes without saying that a message can be both signed AND encrypted, if that's appropriate.
Getting The Public Key of Your Correspondent
• To encrypt a message you'll need your correspondent's public key.
• But how will you get his public key? Answer: you'll have the recipient send you a digitally signed message, first.
• Your email client will automatically extract the public key and cert it needs from that digitally signed message you received from him.
• If digital certs are deployed throughout your enterprise, you may also be able to get public keys and client certs for your correspondents from your enterprise directory, but that model falls apart when you attempt to extend it Internet-wide.
A Meta Question: Should I Encrypt The Mail I Send?
• Maybe yes, maybe no.
• First of all, note that you usually won't be able to encrypt unless your colleague is ALSO set up to do S/MIME, and your correspondent has already sent you at least one signed message (so that you'll have his public key and cert)
• If the content of your email isn't sensitive, you probably don't need to encrypt it. It may be "cool" to encrypt all the messages you can, but if you don't need to, you might want to skip it. Why?
– Well, if you receive encrypted content, you won't be able to subsequently easily search those messages.
– And, if you happen to lose your private key, you will be S-O-L unless you have your key backed up (and you can remember its password!), or your key has been escrowed. If your key isn't backed up or escrowed, can you really afford to potentially lose all the content encrypted with that key?
– You'll drive command line email client users nuts.
And Some Arguments In Favor of Routine Encryption
• What's not sensitive to me, might be sensitive to someone else. Likewise, it might not be sensitive NOW, but it might be sensitive LATER.
• If you only encrypt sensitive messages, that sure makes them stand out, doesn't it? Wouldn't it be nice if those messages were just part of a larger volume of routinely encrypted messages?
• It's relatively easy to forget to enable encryption, and to accidentally send out a sensitive message in cleartext. If you routinely encrypt, that won't happen.
• If you want people to secure their email, you need to set the example and nudge them along. If they get set up to do encrypted email, but then never get any, they may feel like they're wasting their time.
• Finally, it *is* sort of cool/fun to do so. :-)
Hedging The Risk of Data Loss: Key Escrow
• Let's pretend that you have a faculty member who's doing absolutely critical (and highly sensitive) work for your school, and you want them to routinely encrypt as a result. At the same time, assume that person is overweight, has high blood pressure, drinks and smokes, crosses the street while distracted, drives without a seatbelt and lives in a gang infested neighborhood. Frankly, you worry that critical faculty person will die or be killed, or maybe just quit and start a business making home-made premium soap some day. If that happens, how will you get at all their encrypted work messages and files? Will all that work product be lost?
• Escrowing encryption keys allows you to get a copy of otherwise unavailable encryption keys in a variety of carefully predefined emergency situations. Companies normally pay extra for this "insurance." Keys recovered via escrow may have the associated cert revoked at the same time.
"It IS Worth It. I DO Want To Encrypt My Message -- How Do I Do That In Thunderbird?"
"When I Get A Signed and Encrypted Message, What Will It Look Like?"
Who Signed That Message? (Note: It May Not Be The Person Who Sent The Message)
An Example of Using a Non-Matching Cert
Additional Important S/MIME Caveats
• S/MIME encrypts the BODY of the message, ONLY. S/MIME DOES NOT ENCRYPT THE SUBJECT HEADER (or any other message header). Therefore, DO NOT put anything that needs to be kept confidential in the Subject of an encrypted message. In fact, you may want to get in the habit of never putting ANYTHING into the subject line of encrypted messages.
• Encrypted message bodies cannot be automatically scanned on the network for viruses or other malware.
• Some mailing list programs may tamper with messages by doing things like adding footers or rewriting links or stripping attachments (including p7s digital signatures). If that happens, your signature won't validate. If you send messages to mailing lists that do these sort of things, you may want to manually disable digital signing for messages to those lists.
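The signing-versus-encrypting distinction and the caveats above, as an added example using the openssl smime command (not part of the original slides): one constructed message is clear-signed, altered the way a list footer would alter it, and then signed and encrypted, and the function reports what stays readable and what still verifies. The addresses, message text and self-signed demo certs are all constructed; -noverify is used only because those certs have no CA behind them.

```sh
#!/bin/sh
# Added example (not from the slides). All addresses, certs and message text
# are constructed; the certs are self-signed throwaways.

yn() { if "$@" >/dev/null 2>&1; then echo yes; else echo no; fi; }

mkid() {  # $1 = file prefix, $2 = email address; writes $1.key and $1.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config req.cnf \
        -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

sig_ok() {  # $1 = message file; checks the signature over the content only
    # -noverify skips chain building (the demo cert has no CA behind it).
    openssl smime -verify -noverify -in "$1" -out /dev/null
}

bob_reads() {  # bob decrypts, then checks alice's signature on the inner part
    openssl smime -decrypt -in enc.eml -recip bob.pem -inkey bob.key |
        openssl smime -verify -noverify -text 2>/dev/null | grep -q 'grade 7'
}

smime_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n' > req.cnf
        mkid alice alice@example.edu || exit 1
        mkid bob bob@example.edu || exit 1
        echo 'Salary review: J. Doe moves to grade 7.' > body.txt

        # 1. Signed only: clear-signed multipart/signed, signature in smime.p7s.
        openssl smime -sign -text -in body.txt -signer alice.pem -inkey alice.key \
            -from alice@example.edu -to staff-list@example.edu \
            -subject 'Salary review' -out signed.eml 2>/dev/null || exit 1
        signed_body=$(yn grep -q 'grade 7' signed.eml)
        signed_ok=$(yn sig_ok signed.eml)

        # 2. What a list that adds text to the body does to that signature.
        sed 's/grade 7\./grade 7. [demo-list footer]/' signed.eml > listcopy.eml
        list_ok=$(yn sig_ok listcopy.eml)

        # 3. Signed, then encrypted to bob. The mail headers are written
        #    outside the encrypted envelope.
        openssl smime -sign -text -in body.txt -signer alice.pem -inkey alice.key 2>/dev/null |
            openssl smime -encrypt -aes256 -from alice@example.edu -to bob@example.edu \
                -subject 'Salary review for J. Doe' -out enc.eml bob.pem 2>/dev/null || exit 1
        enc_body=$(yn grep -q 'grade 7' enc.eml)
        enc_subject=$(yn grep -q '^Subject: Salary review for J. Doe' enc.eml)

        echo "signed_body_readable=$signed_body signed_verifies=$signed_ok" \
             "list_copy_verifies=$list_ok encrypted_body_readable=$enc_body" \
             "subject_readable=$enc_subject bob_recovers=$(yn bob_reads)"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

smime_demo
```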
XI. What If I Want To Use Outlook Instead of Thunderbird?
Outlook On Apple OS X Uses the Apple Keychain; To Do S/MIME with Outlook, We Need To Get Our Cert Into It
Can't find Keychain Access? Check Applications --> Utilities
Importing Our Key/Cert
Success Importing Our Key and Cert
Now we're ready to launch Outlook…
Outlook's Opening Screen…
Outlook --> Preferences…
Accounts
Advanced Button…
Picking A Cert on the Account Security Tab
What The Sender Sees When Sending A Signed Message in Outlook
Outlook Asks For Confirmation The First Time It Uses Your Private Key/Certificate
[Note: if you're particularly security conscious, you may just want to click "Allow" rather than "Always Allow"]
What The Recipient Sees In Outlook When Getting A Message That's Signed
What If We Want To Encrypt A Message?
XII. "What If I Use Gmail Web Email And I Want to Do S/MIME?"
Gmail Does NOT Natively Support S/MIME
• You CAN do S/MIME with a Gmail account if you read your Gmail via a dedicated mail client (such as Thunderbird or Outlook)
• However, if you read your Gmail via Gmail's web email interface, you won't be able to natively S/MIME sign or encrypt your mail traffic. Why? Well, remember that Gmail's business model is based around selling contextual ads (e.g., if you send an email message talking about going on vacation to Honolulu, don't be surprised if you suddenly start to see Gmail ads for airfare to Oahu or discount hotel rooms overlooking Ala Moana).
• Fortunately, you can get a third party browser plugin, Penango, that will help. Penango is free for free Gmail accounts. Thank you Penango! (click on the "Pricing" link to request a download link)
• Warning: Penango is closely integrated with Firefox, and only supports some versions. Check the version you're using!
Once You Have Penango Installed, Open Penango's Preferences in Firefox
Plug In Your Gmail Address
[some account details elided above]
Uncheck "Automatically encrypt new messages"
[some account details elided above]
Composing a Signed Gmail Msg With Penango
[some account details elided above]
Some Penango-Related Sending Idiosyncrasies
• When you send a signed or encrypted message using Penango, the message gets submitted "outside" of Gmail's web interface (e.g., via SMTPS to smtp.gmail.com). It does NOT get sent within the Gmail web interface. This is necessary because Penango needs to set the top-level message Content-Type appropriately for S/MIME.
• They submit via port 465 (grr!) and not STARTTLS on port 587; if proxies are in use, Penango will endeavor to use them, too.
• The IP of the handoff host does appear in the Gmail headers.
• The body of the message may be base64 encoded even if the message you're signing is plain-text-only. Penango also uses a long/ugly name for the .p7s attachment
• Speaking of, some message text/message formatting may make it appear as if you must use Penango to process a Penango-generated S/MIME message. That's an incorrect impression.
XIII. Hard Tokens/Smart Cards
Alternatives To Storing Your Keys and Certs On Your Desktop or Laptop
• In higher education, many users don't have a clean one-to-one mapping of users to systems.
• For example, a security conscious user might have both a desktop and a laptop, and might want to use their certificates on both those systems, but might not want to leave their credentials stored on multiple systems if they don't have to.
• A less well-off user might not have a system of their own, working from shared systems in a campus computer lab, instead. Obviously it would be bad for that user to download and install their credentials on a shared system in that lab if that system will soon be used by someone else, or if they may be assigned to use some other system the next time they visit the lab.
• What we really need is a way for users to save and carry their S/MIME certs with them wherever they go.
Hard Tokens/Smart Cards Advantages
• Users can use one set of PKI credentials everywhere.
• Users can carry their credentials with them wherever they go (it's just another blob on your keychain, or another "credit card" in your wallet or purse)
• The user's private/public key pair can potentially* be generated on-token (or on-smart card), with the private key never leaving the device
• The user can insert and unlock their token or smart card only when they need it, keeping that credential offline (and sheltered from online attack) the rest of the time
• Client cert issuance can mimic other well established credential issuance processes (such as those for ID cards or door keys); ditto for client cert use processes.
* Not currently possible for InCommon client certificates.
Getting An Institutional ID (or Door Key)
Getting a university ID card or a door key usually involves:
-- Obtaining proof of authorization, such as a letter of admission or a signed contract (or a completed key auth form)
-- Taking your paperwork and a driver's license or passport, and visiting the campus card office (or a distributed credential distribution site, perhaps located in the student housing office or personnel department)
-- Paperwork and current proof of identity get reviewed and OK'd
-- One's photo gets taken (for the ID card) or a deposit gets collected for a key, and it gets issued while-you-wait.
This works. Not painless, but not horrible, and it's relatively secure. Now visualize the ID card as actually a smart card (with a client cert on it), or the "key" actually being a USB format PKI hard token... would that process need to be materially different than the current process of issuing ID cards or door keys? No...
Using An Institutional ID (or Door Key)
Everyone knows how to use their ID card (or keys):
-- Carry it with you, so you have it with you when you need it
-- When needed, allow your card to be scanned or inspected (or stick your key in the lock and turn it to open the door); this is simple, so training is not required.
-- If you lose your ID or your key(s), you report it so you can get a replacement, and so your old one can be marked as invalid (or so any locks associated with the lost key can be potentially changed)
-- If your key doesn't get you into a space you need to access, you'll be given another one (repeat the "getting a key" process).
-- Your ID card or keys get collected if you leave or are kicked out.
Using client certs needs to be as easy as using an ID card or door key, and can be if hard tokens/smart cards are used.
USB-Format PKI Hard Tokens
• USB-format PKI hard tokens look a lot like a regular USB thumb drive, but a USB-format PKI hard token is actually a completely different animal that just coincidentally looks like a thumb drive.
• Specifically, a USB-format PKI hard token is actually a highly specialized secure cryptographic processor with integrated secure storage. Correctly configured, it allows you to save and USE your S/MIME keys and certificate, but without putting those credentials at risk of being "harvested"/stolen. These days, with all the credential harvesting malware that's out there, that's a pretty cool thing.
• In fact, USB-format PKI hard tokens have the ability to potentially generate private/public key pairs *on the token itself*, so that the private key NEVER leaves the token, although we will not be taking advantage of that capability during today's session (and in fact that's also not supported for InCommon Client Certificates)
Safenet eToken PRO 72K
• Through the generosity of Chen Arbel at Safenet, we're able to provide each Security Professionals client cert training participant with a free USB format PKI hard token today, the Safenet eToken PRO 72K, as well as the driver software and documentation. Thank you, Chen and Safenet!
• This token, formerly marketed by Aladdin, is the most popular USB format PKI hard token used in higher education, and is particularly nice if you work in a cross platform environment since it is supported under Microsoft Windows, Mac OS X, and Linux.
Image credit: http://commons.wikimedia.org/wiki/File:EToken_PRO_USB.jpg
"Thanks for One, But I Need A Bunch of Them!"
• USB-format PKI hard tokens are available from many major IT channels. For example, CDW-G currently offers the Safenet e-Token Pro for $38.89/each (qty 1-100), and the SAC (required software drivers) costs $18.94. If you throw on one of the little protective shells (like the one we provided for you today), that's another couple bucks from CDW-G, bringing the price right up to around $60.00/unit. Naturally, while ~$60/unit isn't a big deal for a small number of users, it adds up pretty quickly if you want to issue hard tokens to a whole campus, particularly if there are competing two factor auth solutions that may be ~$5/user.
• Fortunately, InCommon has arranged to be able to sell deeply discounted SafeNet PKI hard tokens to InCommon higher education subscribers. For more information, see http://www.incommon.org/safenet/index.html (note: a minimum order of two hundred units applies)
"But I Only Want To Order A Dozen Tokens!"
• If you're only buying a small number of tokens for a test deployment, you can already get those on the open market. Internet2/InCommon doesn't need to get involved in order for that to be practical. Our goal is explicitly not to make small-scale test PKI deployments cheap(er).
• On the other hand, if the community is trying to deploy thousands, tens of thousands, hundreds of thousands, or even millions of client certificates, THAT's the sort of process we want to facilitate, and where central coordination may be critical.
• Put another way, Internet2/InCommon is, and should be, all about facilitating "deployment at scale."
• This is an important principle that Randy Frank deserves special acknowledgement for correctly emphasizing.
Safenet Drivers, Local Token Management Software, And Documentation
• Most systems will require the installation of token drivers and/or local token management software (so you can load your existing certificate onto the token). With Safenet's permission we are making that software and documentation for this product available to you for installation via CD-ROM. We ask that you respect this copyrighted software: please do NOT redistribute it!
• You should see three files:
-- SAC8_1SP1.zip (Windows)  206.9MB  MD5sum=55876842e6e13e6c8ee6cdf9dd16986a
-- 610-011815-002_SAC_Linux_v8.1.zip  42.2MB  MD5sum=d66c9ff919f3b35180dba137857eb88c
-- 610-001816-002_SAC8.1Mac.zip  18.2MB  MD5sum=c2e9e9b0e2706ffab310538574cf009b
Installing the SAC On the Mac
• Insert the CD-ROM and drag the 610-011816-002_SAC8.1Mac.zip file to your desktop. Unzip it with the Archive Utility, Stuffit, or whatever application you normally use to unzip files. You should end up with a folder called "SAC8.1.0.5" with two subfolders: "Documentation" and "Mac Installer."
• READ THE DOCUMENTATION IN THE DOCUMENTATION FOLDER! In particular, read the Administrator's Guide and read the ReadMe file, particularly "Known Issues/Limitations"
• Really, I kid you not, read the dang documentation, please!
• Then go to the Mac Installer folder, and run the installer that's in there: SafeNetAuthenticationClient.8.1.0.5.dmg
• When you mount that dmg file, you will see Install SafeNet Authentication Client 8.1.mpkg
• Install it. You'll need to reboot when it finishes
Firefox Security Module
• As mentioned in the document (which you ARE going to read, right?) when you install the Safenet Authentication Client, it doesn't automatically install the security module in Firefox. You need to do that manually.
• Firefox --> Preferences... --> Advanced
In the Encryption tab, click on Security Devices
In the Device Manager window, click Load
In the Load PKCS#11 Device window, Module filename, enter: /usr/local/lib/libeTPkcs11.dylib
In the Confirm window, click OK
• Repeat this process for Thunderbird, too.
"But I'm Using Windows, Not A Mac!"
• Windows users should see Appendix I at the end of these slides. It has instructions for setting up your SafeNet hard token with a Windows 7 box.
• We'd have bundled them in here, inline, but we didn't want to interrupt things/confuse the Mac users.
Now Launch the SafeNet Authentication Tools
Go To The Gear Menu ("Advanced")
Select "View Token Information," Then Initialize It
Enter Your New Passwords and Then Go To The Advanced Screen
DO *NOT* FORGET THESE CRITICAL PASSWORDS!
Be Sure To Ask for 2048 bit key support
Now Actually Initialize The Hard Token...
Login To The Hard Token
You'll Need To Enter Your Password For It
Go To The Import Cert Screen
Import Our Certificate
Pick the p12 backup file we saved earlier.
Note that you'll need to provide the password for that backup file in order to load it onto the token.
Be Sure To Include the CA Certs On The Token, Too
View Our Cert On The Hard Token
An Aside: What's That "Unknown Purpose" Note?
But coming back to actually using our hard token...
Telling Thunderbird To Use The Hard Token (We Need To Unlock The Token, First)
We're Then Shown The Token and Its Cert
Now We Go To Thunderbird Accounts --> Security, And Select The Hard Token To Use
And At That Point We're Good To Go Using The Hard Token For Our Cert... Huzzah!
XI. Doing All This "At Scale"
Get A Little Experience, First
• It's sometimes tempting to "swing for the bleachers," trying to hit a grand slam the first time you're up to bat, when in fact the prudent thing might be to make sure you just get on base. This is true for client certs, as for baseball.
• I'd like to urge you, before you embark on a big project involving client certs, or even a pilot scale project that might involve some of your most sensitive systems, to first spend a little time just experimenting with client certs.
• Get a free client cert for yourself, and for your team members.
• Use them for relatively low impact activities, such as signing your email, while you gain familiarity with them.
• Try purchasing and using hardware tokens or smart cards. What works? What doesn't work on your devices or in your environment? In an experimental environment, you've got the freedom to push the envelope without worrying too much.
Client Cert Deployment Scale: Test, Departmental, Site-Wide, edu-Wide?
• We can imagine four different "scales" of client cert deployment:
-- Test deployment (maybe half a dozen or a dozen client certs, perhaps issued only to highly technical systems or security staff)
-- Departmental-scale deployment (hundreds or even thousands of certs, perhaps issued to all authorized administrative computing users or to all authorized high performance computing users at a site)
-- Site-wide deployment to "everyone" (all faculty/staff, all students, and potentially even to all "other" users)
-- Or maybe even broad edu-wide (cross-realm) deployment?
• These are radically different animals. If we DON'T need to do the cross-realm case, we might even be able to get along with locally issued client certs. Do you think that's one reason why email, a classic inter-realm app, has led to client certs often being called 'S/MIME certs?' (If you're only issuing client certs for intra-realm use, at the same time you issue a cert, you could just push a local root cert).
Small Deployments? ==> Targeted Benefits
Larger Deployments? ==> Broad Acceptance
• While I don't mean to imply that there's no benefit to folks doing PKI testing, or even small scale deployments for a carefully defined local community, those sort of projects deliver a different sort of benefit than more broadly adopted efforts. Has the time come for us to consider a broadly accepted cross-institutional client cert effort?
• Contrast a locally-issued library card with a passport:
-- A locally-issued library card is terrifically useful if I want to check out some books, but unfortunately no one except my library, e.g., the one that issued it, will recognize or accept it
-- A passport, on the other hand, while not a document that will be accepted for the purpose of checking out library materials, is universally accepted as a proof of personal identity (including being potentially used for things like getting a local library card)
Time For A Standardized Higher-Ed-Wide ID Card?
• One of the reasons passports are useful is that they're standardized. Currently each university issues its own unique type of ID card, with little in the way of formal higher ed-wide standardization. Most have a name, a number (hopefully not a SSN!) and a picture. Most also have a mag swipe strip, a bar code, and maybe an RFID tag.
• Has the time come for college and university ID cards to also have smart card functionality and a client cert? In fact, should higher ed be striving to establish a community-wide general standard for college and university ID cards? (arguably, there's already considerable de facto standardization)
• Note: I explicitly have no desire to step on card office "turf" at schools all across the country by innocently asking those questions! I do also recognize that there are a *lot* of subtle issues that are raised just by asking those two questions.
What Works For Onesie-Twosie Won't Work For Tens of Thousands
• The processes you saw earlier in this session, which can be made to work for a small number of technically savvy users, won't work if you're trying to "cook for thousands" (or tens of thousands) of users. A more scalable approach is needed.
• For example, if you're going to install certificates directly on user systems, you need a better way to drop certificates on those systems, and a better way to configure the user's applications to know about and use them (InCommon is working on this).
• Similarly, if you're going to use hardware tokens, instead, you likely need enterprise grade tools to provision and manage those devices. Those tools can be purchased, or may be written locally.
• Heck, if we're thinking about a big deployment, we even need to carefully consider what SORT of hardware tokens we might want to use... USB format PKI hard tokens are NOT the only option.
Smartcards?
• The USB format PKI hard tokens you received are basically a smart card with an integrated smart card reader (with a built-in USB interface). That can be very convenient – it's "all in one."
• However, smart cards tend to be somewhat cheaper than USB format tokens (e.g., $15.13 vs. $19.80), which can be important if you're buying thousands of them. On the other hand, they do need smart card readers wherever the cards are going to be used (fortunately smart card readers need not be very expensive)
• A distinct advantage of smart cards is that they can be used as an employee badge or ID card, formatted to include things like the employee's name and picture, a mag stripe and one or more barcodes, while ALSO containing a smart card in a secure certificate store. This may be the best of all possible worlds.
• But what will you do for mobile devices, such as smart phones or tablets?
Slick-Sided Mobile Devices and Hard Tokens
• Mobile devices are increasingly important on campus, so we should be sure to think about how we'll integrate hard tokens or smart cards with mobile devices that your users may have, such as the iPad, the iPhone, Android devices, Blackberries, etc.
• The problem is that most hard tokens, and most smart card readers for that matter, connect via USB. Some portable devices may not have a readily accessible USB port into which you can plug a hard token or smart card reader.
• The solution? You can try Bluetooth-connected smart card readers (sometimes also known as "CAC sleds"), but they aren't cheap and they don't support all devices or all smart cards.
• In the future, it may be possible to store client certs securely by storing part of the client cert directly on the device, while storing the rest of the client cert in the cloud, using threshold cryptography to reconstitute the client cert securely.
What About Directories
• One of the subtle things that can really make life easier if you're deploying client certificates at scale is a directory of all the public keys and certificates for the users you might need to communicate with (that means that people don't first need to exchange signed email messages before they can exchange encrypted email messages).
• Traditional key distribution also breaks down if you need non-repudiable keys for digital signing, but escrowed keys for encryption. You need an alternative source for keys in that case.
• When it comes to deploying a directory, deploying one for your company is one thing. Even deploying a directory for an entity as big as the federal government is something that's doable (heck, they've done it!). But it's not clear to me that there's a scalable Internet-wide directory solution that would work to hold client certificates for all Internet users (assuming everyone had them).
SomeDirectoryComplica)ons
• Organiza)onaldirectoriesareforlocalcorrespondents:Ifallmyemailislocal,andmysiteisdoingclientcerts,Icanprobablyjustcheckmylocaldirectory,butthesedays,manyusersexchangemoreemailoff‐sitethanon.AndwhatifI'man"isolatedadopter,"andthere'snotevenanorganizaPonaldirectoryformetoevenuse?
• Organiza)onaldirectories(distributed,Internet‐wide):HowdoIfindtherightdirectorytousetolookupsomeoneelse'sS/MIMEcreds?There'scurrentlyno"directoryofdirectories"(nordoIthinkthere'smomentum/communitysupporttocreatesuchananimal,givenspamproblemsandsecurityworries–manysitesmaybereluctanttoallowunfeEeredpublicdirectoryaccessduetopotenPalharvesPngissues).
• Whataboutacentralized/consolidateInternet‐widedirectorythatlists"everyone?"Um,no.Peoplejustwon'twanttocontributetheirdata,itwouldbeimpossibletokeepcurrent,andthereareO(20million)usersinUShighered!WeneedtotakealessonfromDNS.ThearchitectsofDNSdidadistributedmodelforgoodreasons!

PGP/GPG-ish S/MIME Keyservers?
• There is one alternative cryptographic directory model that seems to have worked pretty well to date, and that's the PGP/GPG model. Users can submit their keys if they want to. Other users can look for keys in those directories if they want to. If you can't find the one you need, you can always fall back on old standby approaches, like asking users to send their key directly.
• I've developed a very rough prototype server that demonstrates that it is at least conceptually possible to construct a PGP/GPG-like keyserver for S/MIME. If you're interested, see http://pages.uoregon.edu/joe/simple-keyserver/ for a detailed description of what I have in mind.

S/MIME Isn't The Only Use for Client Certs
• Client certificates can be used for a bunch of things other than just signing or encrypting email.
• For example, client certificates can also be used to sign documents, or for authentication, or as a building entry credential. (Note that if you're headed in the "authentication" or "building access control" direction, you will probably need a traditional enterprise PKI directory to support that application.)
• Once you have client certs deployed, you might be surprised at how many different ways they can actually be used.
• NOTE: Client certs should only be used for purposes consistent with their approved uses. For example, the client cert we downloaded earlier specified that it was for use in conjunction with secure email. However, many applications do NOT strictly check/enforce the Object IDs ("OIDs") associated with a cert, so you may be able to use a given cert for other purposes, too.
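The strict OID check that the NOTE above says many applications skip, shown from the relying party's side as an added example (not part of the original slides): a standard-library-only Python parser for the value of the X.509 extKeyUsage extension, with a purpose check that fails unless the requested use is listed. The function names and the DER byte strings are constructed for illustration, and pulling the extension out of a full certificate is assumed to happen elsewhere.

```python
# Added example: strict Extended Key Usage (EKU) enforcement by a relying party.
# All DER byte strings here are constructed samples, not from a real certificate.
EKU = {"clientAuth": "1.3.6.1.5.5.7.3.2",
       "emailProtection": "1.3.6.1.5.5.7.3.4",
       "anyExtendedKeyUsage": "2.5.29.37.0"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:               # high bit clear ends this arc
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = arcs[0]                        # first group packs the first two arcs
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def eku_oids(ext_value):
    """Parse an extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) into a set."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extKeyUsage must be exactly one SEQUENCE")
    found, pos = set(), 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        found.add(decode_oid(body))
    return found

def permits(ext_value, purpose, allow_any=False):
    """Strict check: accept only if the requested purpose is actually listed."""
    found = eku_oids(ext_value)
    return EKU[purpose] in found or (allow_any and EKU["anyExtendedKeyUsage"] in found)

EMAIL_ONLY = bytes.fromhex("300a06082b06010505070304")        # constructed sample
EMAIL_AND_CLIENT = bytes.fromhex("301406082b0601050507030406082b06010505070302")
```

With this check in place, permits(EMAIL_ONLY, "clientAuth") is False, so a cert issued only for secure email is refused when it is presented for client authentication.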

Signing Stuff (Other Than Just S/MIME Signing)
• Signing Microsoft Word documents (Windows only), see http://pages.uoregon.edu/joe/signing-a-word-document/
• Need to sign documents on a Mac? Try OpenOffice: http://tinyurl.com/openoffice-signing
• Adobe has an extensive guide to securing PDFs, including use of digital certificates for signing PDFs, see: http://tinyurl.com/adobe-signing (PDF, 114 pages)
Note that this is different than Adobe's "Certified Document Services" program which also involves digital signatures, but is more expensive (and not supported by Comodo/InCommon client certs at this time)

Encryption Using Client Certs (Other Than S/MIME)
• PGP Whole Disk Encryption (see the datasheet linked from http://www.symantec.com/business/whole-disk-encryption)
• Microsoft Windows Encrypted File System: http://technet.microsoft.com/en-us/library/bb457116.aspx
• IPsec VPNs (Most IPsec VPNs are deployed without use of client certificates, however at least some VPNs can be configured to use client certificates if desired—see, for example, http://www.strongswan.org/ and http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html)

Authentication Using Smart Cards/Client Certs
• Red Hat Enterprise Linux Smart Card Login: see http://tinyurl.com/redhat-smartcards
• Windows Active Directory Login with Smart Cards: see http://support.microsoft.com/kb/281245
• OpenSSH authentication (via third party X.509 patches): http://roumenpetrov.info/openssh/
• Mac OS X has been going through some changes when it comes to native support for smart cards, but see http://smartcardservices.macosforge.org/ and http://www.thursby.com/mac-enterprise-management-high-security-smart-cards.html

Authentication Using Client Certs (cont.)
• Controlling access to web content served by Apache: www.dwheeler.com/essays/apache-cac-configuration.html (it's much more helpful than the more general page at httpd.apache.org/docs/2.5/mod/mod_ssl.html#sslrequire)
• Controlling access to web content served by Microsoft IIS 7: http://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx
• Controlling access to wireless networks via EAP-TLS, including configuring Eduroam. See
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml and
http://www.internet2.edu/presentations/jt2011summer/20110710-hagley-eduroamtutorial.pdf

Client Certificates Can Even Potentially Be Used For Building Access Control Purposes

XII. Don't Forget About Policies, Governance And Potential Legal Issues

Client Certs (The Technology) Need to Be Supported By Appropriate Policies and Governance Structures
• In looking at successful deployments of client certs, such as the federal government's HSPD-12 CAC/PIV card project, one of the things that's hard to miss is that its success is not just a technological thing, it's a sign that appropriate policies were developed by the issuing and relying communities.
• If you're planning on doing a major client cert project, please be sure you are also considering the policy implications of moving to client certs, not just the technology issues.
• For example, what about privacy? Does use of client certs have any impact on user privacy? Maybe...
• What if your email client checked a directory for a public key/cert for every email correspondent you exchanged email with?
• Or how about this little exposure... see the next slide...

Any Web Site Can Ask For Your Browser's Client Cert And Thus Potentially Get Your Name/Email Address

Another Privacy Threat: Client Certs Are Now Being Targeted By Malware
• Users who employed client certs for two factor authentication have long enjoyed feeling relatively "above the fray" when it came to hacker/cracker attacks. However, in 2012, it became clear that at least one malware family, Sykipot, has begun to specifically target federal CAC/PIV client certificate credentials. See, for example: http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs
• Because client cert credentials are typically "nonexportable" from smart cards, malware targeting client certs will normally attempt to execute a "man in the browser" or "man in the machine" attack:
-- intercept the user's smart card PIN,
-- use the client cert "in-situ," proxying requests for resources controlled by certs through the compromised machine itself, then
-- exfiltrate the surreptitiously accessed materials offsite.
• Conscientious patching and aggressive measures to control malware remain extremely important, even if (especially if?) you're using client certificates to control access to sensitive content.

Keep Your Lawyers In The Loop, Too
• Why? Well, let me give you one closing example... strong cryptography is export controlled by the U.S. Bureau of Industry and Security, including being subject to the "deemed export" rule.
If you plan to issue client certificates to all your employees, remember that some users, as mentioned at the beginning of this talk, may not be eligible for access to strong cryptographic technologies, including potentially client certificates. For more on this point, please consult with your attorney regarding the provisions of the "Deemed Export" rule. As a starting point, see http://www.bis.doc.gov/deemedexports/deemedexportsfaqs.html
• Increased use of encryption for official records may also raise long term record management and access issues.

Thanks for the Chance To Talk Today!
• Are there any questions?

Appendix I: Using The SafeNet Hard Token on Windows 7

"I'm Using Windows, Not A Mac!"
• There's a version of the SAC for Windows 7 on the CD we gave you, too.
• Drag the SAC8_1SP1 zipped archive from the CD to your desktop. Double click on it, then select the SAC8_1SP1 folder.
• Go to the 32X64 Installer folder. Drag the application you'll see there onto your desktop.
• Assuming you're running Windows 7, right click on the installer and select Run as Administrator.
• You should then go through a series of screens where the default answers will usually be fine... see the next slides.

The CD's Contents

Plug In Your Token
• When you do, it may automatically download additional drivers from Windows Update. The first time, when it finishes, it will prompt you to change your token's password. The default password is 1234567890 as mentioned in the documentation.

Thunderbird Can't See The SafeNet Hard Tokens?
• Initially, Thunderbird (and potentially Firefox) may not "see" the SafeNet hard token. If you experience that, you'll need to manually load the eTPKCS11.dll file from either
c:\Windows\System32\eTPKCS11.dll (32 bit) or c:\Windows\SysWOW64\eTPKCS11.dll (64 bit)
Firefox --> Preferences... --> Advanced
In the Encryption tab, click on Security Devices
In the Device Manager window, click Load
In the Load PKCS#11 Device window, under Module filename, enter the appropriate filename (as shown above)
In the Confirm window, click OK