PKI DESIGN
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com
GOPAS TechEd 2012

ALGORITHMS

Cryptographic Algorithms
- Hash algorithms (no keys): MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512
- Symmetric key algorithms (one secret key): RC4, DES, 3-DES, AES
- Asymmetric key algorithms (public and private key pair): RSA, DH, EC

THOUGHTS ON HASHING

Hash example (not good)
Sum the alphabet positions of the letters: HELLO = 8 + 5 + 12 + 12 + 15 = 52
- Arbitrary clear-texts with the same output (collisions) can be constructed without brute-forcing
- Similar clear-texts lead to similar outputs

Hash collisions
- Pure arithmetic collisions: two random-looking inputs with the same hash; limited exploitability
- Post-signing collisions: a second document that matches a hash which has already been signed
- Chosen-prefix collisions: two attacker-chosen documents with the same hash

Post-signing collision
Signed original:
  Name: Ondrej
  Owes: 100 $
  To: Kamil
  Hash: 14EEDA49C1B7
  Signature: 3911BA85
Forgery:
  Name: Ondrej
  Owes: 1 000 000 $
  To: Kamil
  Trash: XX349%$@#BB...
  Hash: 14EEDA49C1B7
  Signature: 3911BA85
The attacker changes the amount and appends junk ("Trash") chosen so that the modified document hashes to the same value as the signed original; the original signature then verifies on the forgery.
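As an added example (not part of the original slides), the following Python script implements the letter-position hash from the "Hash example (not good)" slide and uses it to carry out the post-signing collision shown above: the amount in the IOU is changed and a "Trash" field is appended so that the tampered text hashes to the original value, after which the original signature verifies on the forgery. Assumptions that are not in the slides: the letter sum is reduced modulo 256 so it behaves like a fixed-width digest, the "signature" is a stand-in function of the digest only (not RSA), and the constructed sample IOU spells the amounts out in words because the toy hash ignores digits. The last function checks SHA-256 for the "similar inputs, similar outputs" property, which a real hash does not have.

```python
"""Toy 'letter position' hash from the slide, and why it fails as a signature digest."""
import hashlib

MODULUS = 256  # assumption: reduce the sum modulo 256 so it behaves like a fixed-width digest


def toy_hash(text: str) -> int:
    """Sum of alphabet positions (A=1 ... Z=26) of the letters in `text`, mod 256.
    Digits, spaces and punctuation are ignored, exactly like the slide's HELLO = 52."""
    total = 0
    for ch in text.upper():
        if "A" <= ch <= "Z":
            total += ord(ch) - ord("A") + 1
    return total % MODULUS


def letters_summing_to(value: int) -> str:
    """Spell out any residue 0..255 as letters without searching: Z=26 blocks plus one remainder letter."""
    value %= MODULUS
    blocks, rest = divmod(value, 26)
    return "Z" * blocks + (chr(ord("A") + rest - 1) if rest else "")


def toy_sign(document: str, key: int) -> int:
    """Stand-in for a signature scheme (assumption, not RSA): the signature is computed
    from the digest only, which is all the attack relies on."""
    return (toy_hash(document) * key + key) % 65537


def toy_verify(document: str, signature: int, key: int) -> bool:
    return toy_sign(document, key) == signature


def forge_post_signing(tampered: str, target_hash: int) -> str:
    """Post-signing collision: append a 'Trash' field that drives the tampered document's
    digest back to `target_hash`. No brute force is needed because the hash is additive."""
    label = "\nTrash: "
    deficit = (target_hash - toy_hash(tampered + label)) % MODULUS
    return tampered + label + letters_summing_to(deficit)


def sha256_bit_difference(a: str, b: str) -> int:
    """Count differing output bits between the SHA-256 digests of two inputs (avalanche check)."""
    da = hashlib.sha256(a.encode()).digest()
    db = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


# Constructed sample IOU modelled on the slide (amounts spelled out because the toy hash ignores digits).
ORIGINAL = "Name: Ondrej\nOwes: one hundred dollars\nTo: Kamil"
TAMPERED = "Name: Ondrej\nOwes: one million dollars\nTo: Kamil"
KEY = 12345  # stand-in signing key


def demo() -> dict:
    signature = toy_sign(ORIGINAL, KEY)  # Kamil signs the original IOU
    forged = forge_post_signing(TAMPERED, toy_hash(ORIGINAL))
    return {
        "hello": toy_hash("HELLO"),
        "original_hash": toy_hash(ORIGINAL),
        "forged_hash": toy_hash(forged),
        "forged_verifies": toy_verify(forged, signature, KEY),
        "toy_delta_hello_hellp": abs(toy_hash("HELLO") - toy_hash("HELLP")),
        "sha256_delta_hello_hellp": sha256_bit_difference("HELLO", "HELLP"),
        "forged": forged,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Changing one letter moves the toy hash by one, while the SHA-256 digests of HELLO and HELLP differ in roughly half of their 256 bits; and because the toy signature covers only the digest, the forged IOU carries a valid signature that was never computed over it.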

Chosen-prefix collision
Certificate submitted to the CA and signed:
  CN: www.idtt.com
  Valid: 2010
  Serial #: 325
  Public: 35B87AA11...
  Hash: 24ECDA49C1B7
  Signature: 5919BA85
Rogue certificate prepared in advance:
  CN: www.microsoft.com
  Valid: 2010
  Serial #: 325
  Public: 4E9618C9D...
  Hash: 24ECDA49C1B7
  Signature: 5919BA85
The attacker builds both certificates before submitting the harmless one, choosing the two differing prefixes (subject name, public key) together with collision blocks so that both bodies hash to the same value; the CA's signature on the first is then valid on the second. This only works when the fields the CA fills in itself (serial number, validity) are predictable.

MD5 problems
- Pure arithmetic collisions: practical, far below the 2^64 birthday bound of a 128-bit digest
- Post-signing collisions: suspected
- Chosen-prefix collisions: practically proved for certificates with predictable serial numbers (about 2^50 MD5 computations)

SHA-1 problems
- Generic birthday attack at 2^80, comparable to brute-forcing a 12-character complex password
- Theoretical collision attacks at about 2^63
- Pure arithmetic collisions only; no exploitation proved as of 2012

ALGORITHM COMBINATIONS

Performance considerations
- Asymmetric algorithms use large keys; EC keys are about 10 times smaller than RSA keys of comparable strength
- Asymmetric encryption/decryption takes about 100x longer; symmetric algorithms are faster, so bulk data is always protected with a symmetric algorithm and the asymmetric one is used only for hashes and keys

Digital Signature (not good)
Document -> [private key] -> signature
The whole document is run through the asymmetric algorithm: slow, and the input size is limited by the key size.

Digital Signature
Document -> Hash -> [private key] -> signature
Only the fixed-size hash is signed; the signature is therefore exactly as strong as the hash (see the collision slides above).

Storage Encryption (slow)
Document -> [public key] -> encrypted document
The whole document is run through the asymmetric algorithm.

Storage Encryption
Random symmetric encryption key -> [symmetric algorithm] -> encrypted document
Symmetric key -> [public key of User A] -> encrypted symmetric key, stored with the document

Storage Encryption for several recipients
The same symmetric key is additionally encrypted with the public key of User B. The document is encrypted only once; each recipient unwraps the symmetric key with their own private key.

Transport encryption
Client <-> Server
Both sides hold a public key; the public keys are used to establish a shared symmetric key, and the data is then encrypted with the symmetric key.

FUN WITH RANDOM NUMBERS

Random Number Generators
- Deterministic RNG: uses cryptographic algorithms and a secret seed (key) to generate random bits; the output is only as unpredictable as the seed state
  - attack on randomly generated symmetric keys
  - DNS cache poisoning (predictable transaction IDs)
- Nondeterministic RNG (true RNG): uses a physical source that is outside human control
  - smart cards, tokens
  - HSM (hardware security modules)

Random Number Generators
- CryptGenRandom()
  - Windows Vista and later: AES-based generator (NIST SP 800-90)
  - Windows 2003 and earlier: hash-based DSS generator (FIPS 186-2)
- Entropy sources: system time, process ID, thread ID, tick counter, virtual/physical memory, performance counters of the process and the system, free disk clusters, user environment, context switches, exception count, ...
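Added example, not from the slides: the "attack on randomly generated symmetric keys" against a deterministic generator whose seed is guessable. A 128-bit key is drawn from Python's Mersenne Twister seeded with the wall clock; an attacker who knows roughly when the key was generated recovers it by re-seeding the same generator over a one-hour window (a few thousand tries instead of 2^128). Comparing candidates against the key itself stands in for trial decryption of a captured ciphertext. The second key comes from the OS CSPRNG via `secrets` (backed by the system generator, i.e. the CryptGenRandom family on Windows) and is not recovered. The function names, the window size and the constructed timestamp are assumptions of this example.

```python
"""Guessable seed => guessable key: the deterministic-RNG attack from the slide."""
import random
import secrets
import time
from typing import Optional

KEY_BYTES = 16  # a 128-bit symmetric key


def weak_key(seed: int, nbytes: int = KEY_BYTES) -> bytes:
    """Key from a deterministic generator (Mersenne Twister) seeded with a low-entropy
    value such as the wall clock. The output carries only as much entropy as the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_key(nbytes: int = KEY_BYTES) -> bytes:
    """Key from the operating system's CSPRNG, seeded from hardware/kernel entropy."""
    return secrets.token_bytes(nbytes)


def recover_seed(observed_key: bytes, approx_time: int, window_seconds: int = 3600) -> Optional[int]:
    """Attacker model: the attacker can test a candidate key (here by direct comparison,
    standing in for trial decryption of a captured ciphertext) and knows roughly when the
    key was generated. Re-seeding over the window recovers the seed, and with it the key,
    in at most 2*window_seconds+1 attempts."""
    for candidate in range(approx_time - window_seconds, approx_time + window_seconds + 1):
        if weak_key(candidate, len(observed_key)) == observed_key:
            return candidate
    return None


def demo(generated_at: Optional[int] = None) -> dict:
    """Generate a clock-seeded key and a CSPRNG key, then let the attacker try both."""
    generated_at = int(time.time()) if generated_at is None else generated_at
    victim_key = weak_key(generated_at)
    good_key = strong_key()
    attacker_guess_of_time = generated_at + 300  # attacker is off by five minutes
    return {
        "recovered_seed": recover_seed(victim_key, attacker_guess_of_time),
        "weak_key_recovered": recover_seed(victim_key, attacker_guess_of_time) is not None,
        "strong_key_recovered": recover_seed(good_key, attacker_guess_of_time) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The same weakness is what makes DNS cache poisoning practical when transaction IDs come from a predictable generator: the attacker does not need to break the algorithm, only to guess the state it was started from.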

STANDARDS

US standards
- FIPS (Federal Information Processing Standards): publishes the standard algorithms
- NIST (National Institute of Standards and Technology): approves the algorithms for US government non-classified but sensitive use; latest guidance NIST SP 800-57, March 2007
- NSA (National Security Agency): Suite B for Secret and Top Secret (2005)

Cryptoperiods (SP 800-57)
Key                                Cryptoperiod
Private signature                  1 - 3 years
Public signature verification      > 3 years
Symmetric authentication           <= 5 years
Private authentication             1 - 2 years
Symmetric data encryption          <= 5 years
Public key transport key           1 - 2 years
Private/public key agreement key   1 - 2 years

Comparable Algorithm Strengths (SP 800-57)
Strength   Symmetric   RSA         ECDSA       SHA
80 bit     2TDEA       RSA 1024    ECDSA 160   SHA-1
112 bit    3TDEA       RSA 2048    ECDSA 224   SHA-224
128 bit    AES-128     RSA 3072    ECDSA 256   SHA-256
192 bit    AES-192     RSA 7680    ECDSA 384   SHA-384
256 bit    AES-256     RSA 15360   ECDSA 512   SHA-512

Security lifetimes (SP 800-57 and Suite B)
Lifetime        Strength   Level
Through 2010    80 bit     US Confidential
Through 2030    112 bit    US Confidential
                128 bit    US Secret
                192 bit    US Top Secret
Beyond 2030     128 bit    US Confidential

NSA Suite B Algorithms
Publicly published by the NSA (2005), as opposed to Suite A, which is classified
- Secret: AES-128, ECDH-256, ECDSA-256, SHA-256
- Top Secret: AES-256, ECDH-384, ECDSA-384, SHA-384

OPERATING SYSTEM SUPPORT

Cryptographic Providers
- Cryptographic Service Provider (CSP): Windows 2000 and later; can use only V1 and V2 templates
- Cryptography Next Generation (CNG): Windows Vista and later; requires V3 templates; enables use of ECC
- Lists the installed providers: CERTUTIL -CSPLIST

Cryptographic Providers
Type   Operating System                          Algorithms                   Templates
CSP    Windows 2000, Windows 2003                AES, SHA-1, RSA              v1, v2
CSP    Windows XP SP3, Windows 2003 + KB938397   AES, SHA-1, RSA, SHA-2       v1, v2
CNG    Windows Vista and later                   AES, SHA-1, RSA, SHA-2, EC   v3

SHA-2 Support
- Windows XP and Windows 2003 with KB 938397
- Windows Phone 7
- AD CS on Windows 2008 and later
- Autoenrollment on XP with KB
- TMG 2010 with KB (in the future)

Cryptography support
System               DES/3DES/RC2/RC4   AES 128/192/256   MD2/MD5/HMAC   SHA-1   SHA-256/384/512           ECDSA/ECDH
Windows 2000         yes                no                yes            yes     no                        no
Windows XP           yes                yes               yes            yes     yes                       no
Windows 2003         yes                yes               yes            yes     yes (non-public update)   no
Windows Vista/2008   yes                yes               yes            yes     yes                       yes
Windows 7/2008 R2    yes                yes               yes            yes     yes                       yes

Cryptography support (continued)
System               DES/3DES/RC2/RC4   AES 128/192/256   MD2/MD5/HMAC   SHA-1   SHA-256/384/512   ECDSA/ECDH
Windows Mobile 6.5   yes                yes               yes            yes     no                no
Windows Mobile 7     yes                yes               yes            yes     yes               yes

Server products (values as listed on the slide):
TMG 2010    yes, yes, no
SCCM 2007   yes, no, no
SCOM 2007   yes, yes, no

Encryption algorithm support (columns on the slide: EFS, BitLocker, IPsec, Kerberos, NTLM, RDP)
DES    2000+, 2000+, 2000+; NTLM: LM password hash, NTLM
3DES   2000+, 2000+, 2000+
RC4    2000+, 2000+
AES    2003+, Vista+, Vista+, Vista+
DH     2000+, 2000+
RSA    2000+, Seven+, 2000+, 2000+, 2003+
ECC    Seven+, Vista+, Seven+

Hashing
                       MD4       MD5      SHA-1       SHA-2
NT password hash       NT4+
Digest password hash             2003+
IPsec                            2000+    2000+       Seven+
NTLM / NTLMv2          NTLM      NTLMv2
MS-CHAP / MS-CHAPv2    MS-CHAP            MS-CHAPv2

CNG (v3) Not Supported
- EFS: Windows 2008/Vista and older
- VPN/WiFi client (EAP-TLS, PEAP client): Windows 2008/7 and older; user or computer certificate authentication
- TMG 2010: server certificates on web listeners
- Outlook 2003: user e-mail certificates for signatures or encryption
- Kerberos: Windows 2008/Vista and older; DC certificates
- System Center Operations Manager 2007 R2, System Center Configuration Manager 2007 R2
- SQL Server 2008 R2 and older
- Forefront Identity Manager 2010 (Certificate Management)

CA HIERARCHY

CA Hierarchy
IDTT Root CA
  IDTT London CA
    Leaf certificates
  IDTT Paris CA
    Leaf certificates
  IDTT Roma CA
    Leaf certificates

Offline Root
- A root CA cannot be revoked if compromised, and making a new root CA trusted may be difficult; keep the root offline
- Delegation of administration: the root only certifies subordinate CAs, day-to-day issuance is delegated to them
- The root must still issue CRLs: the more frequent, the more secure, but also more "costly", because an offline root has to be brought up to sign each one

Active Directory
- Group Policy: refreshed every 90 minutes plus a random offset of up to 30 minutes by default, so certificate stores published through AD can take up to about two hours to reach clients
- Stores published through AD: Trusted Root CAs, Untrusted CAs, NTAuth (CAs allowed to issue logon certificates)

AD CS FEATURES

SKU Features
Windows Server       Certificate Templates   Autoenrollment   Key Archival / SMTP Exit Module / Role Separation   Cross-forest Enrollment
2008 R2 Standard     V1, V2, V3              Yes              Yes                                                 No
2008 R2 Enterprise   V1, V2, V3              Yes              Yes                                                 Yes
2008 Standard        V1                      No               No                                                  No
2008 Enterprise      V1, V2, V3              Yes              Yes                                                 No
2003 Standard        V1                      No               No                                                  No
2003 Enterprise      V1, V2                  Yes              Yes                                                 No

SKU Features
Windows Server       Web Enrollment   Enrollment Web Services   OCSP Responder   SCEP Enrollment
2008 R2 Standard     yes              yes                       no               no
2008 R2 Enterprise   yes              yes                       yes              yes
2008 Standard        yes              no                        no               no
2008 Enterprise      yes              no                        yes              yes
2003 Standard        yes              no                        no               no
2003 Enterprise      yes              no                        no               no

Role Separation
- Enrollment Agent (= Registration Authority): signs certificate requests on behalf of enrollees
- Certificate Manager: approves (issues) or denies pending certificate requests
- Restricted roles: different groups of Enrollment Agents / Certificate Managers handle requests for different groups of enrollees

PUBLIC CERTIFICATES

SSL Certificate prices
Verisign (1999)     $300 per year
Thawte (2003)       $150 per year
Go Daddy (2005)     $60 per year
GlobalSign (2006)   $250 per year
StartCom (2009)     free

EV Certificate prices
Verisign (1999)     $1500 per year
Thawte (2003)       $600 per year
Go Daddy (2005)     $100 per year
GlobalSign (2006)   $900 per year
StartCom (2009)     $50 per year

Support for SAN and wildcards
Application                                          Supports *   Supports SAN
Internet Explorer 4.0 and older                      no           no
Internet Explorer 5.0 and newer                      yes          yes
Internet Explorer 7.0                                yes          yes; if a SAN is present, the Subject is ignored
Windows Pocket PC 3.0 and 4.0                        no           no
Windows Mobile 5.0                                   no           yes
Windows Mobile 6.0 and newer                         yes          yes
Outlook 2003 and newer                               yes          yes
RDP / TS proxy                                       yes          yes; if a SAN is present, the Subject is ignored
ISA Server firewall certificate                      yes          yes
ISA Server 2000 and 2004 published server cert       no           no
ISA Server 2006 published server certificate         yes          yes, only the first SAN name

OCSP and Delta CRL
System                            Checks OCSP      Delta CRL
Windows 2000 and older            no               no
Windows XP, Windows 2003          no               yes
Windows Vista and newer           yes, preferred   yes
Windows Pocket PC 4.0 and older   no               no
Windows Mobile 5.0                no               yes
Windows Mobile 6.0                no               yes
Windows Mobile 6.1 and newer      yes, preferred   yes
ISA Server 2006 and older         no               yes
TMG 2010 and newer                yes, preferred   yes

CRL checks in Internet Explorer
Version         CRL and OCSP checking
4.0 and older   no checks
5.0 and newer   can check CRL, disabled by default
7.0 and newer   can check OCSP (if supported by the OS) and CRL, enabled by default

Windows Mobile 2003 and 5.0 trusted CAs
Company      Certificate Name                                      Windows Mobile
Cybertrust   GlobalSign Root CA                                    2003 and 5.0
Cybertrust   GTE CyberTrust Global Root                            2003 and 5.0
Cybertrust   GTE CyberTrust Root                                   2003 and 5.0
Verisign     Class 2 Public Primary Certification Authority        2003 and 5.0
Verisign     Thawte Premium Server CA                              2003 and 5.0
Verisign     Thawte Server CA                                      2003 and 5.0
Verisign     Secure Server Certification Authority                 2003 and 5.0
Verisign     Class 3 Public Primary Certification Authority        2003 and 5.0
Entrust      Entrust.net Certification Authority (2048)            2003 and 5.0
Entrust      Entrust.net Secure Server Certification Authority     2003 and 5.0
Geotrust     Equifax Secure Certificate Authority                  2003 and 5.0
Godaddy      http://www.valicert.com/                              5.0

Windows Mobile 6.0 trusted CAs
Company      Certificate Name
Comodo       AAA Certificate Services
Comodo       AddTrust External CA Root
Cybertrust   Baltimore CyberTrust Root
Cybertrust   GlobalSign Root CA
Cybertrust   GTE CyberTrust Global Root
Verisign     Class 2 Public Primary Certification Authority
Verisign     Thawte Premium Server CA
Verisign     Thawte Server CA
Verisign     Secure Server Certification Authority
Verisign     Class 3 Public Primary Certification Authority
Entrust      Entrust.net Certification Authority (2048)
Entrust      Entrust.net Secure Server Certification Authority
Geotrust     Equifax Secure Certificate Authority
Geotrust     GeoTrust Global CA
Godaddy      Go Daddy Class 2 Certification Authority
Godaddy      http://www.valicert.com/
Godaddy      Starfield Class 2 Certification Authority

RSA 2048 browser support
Browser                       First Version
Internet Explorer             5.01
Mozilla Firefox               1.0
Opera                         6.1
Apple Safari                  1.0
Google Chrome
AOL                           5
Netscape Communicator         4.51
Red Hat Linux Konqueror
Apple iPhone
Windows Mobile                2003
Windows CE                    4.0
RIM BlackBerry                4.3.0
PalmOS                        5
Sony PlayStation Portable
Sony PlayStation 3
Nintendo Wii

Extended Validation browsers
Browser             First Version
Internet Explorer   7.0
Opera               9.5
Firefox             3
Google Chrome       -
Apple Safari        3.2
Apple iPhone        3.0

S/MIME RSA 2048 client support
Client                  First Version
Microsoft Outlook       99
Mozilla Thunderbird     1.0
Qualcomm Eudora         6.2
Lotus Notes             6
Netscape Communicator   4.51
Mulberry Mail
Apple Mail
Windows Mail
The Bat

Page 57: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com |  |

DOTAZNÍKWWW.TECHED.CZGOPASTECHED

GOPASTECHED 2012

Page 58: Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com |  |

THANK YOU!

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |

GOPASTECHED 2012