WINDOWS PKI
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
Outline
  Hash algorithms
  Symmetric algorithms
  Asymmetric algorithms
  Current algorithms in use
  Cryptographic standards
  Operating system support
Security Services
  Confidentiality
  Data Integrity
    accidental vs. deliberate modification
  Authentication
    plus role-based authentication when more individuals share authentication information
  Authorization
  Non-repudiation
  key establishment and random number
Cryptographic Algorithms
  Hash algorithms
    no keys
  Symmetric key algorithms
    secret key
  Asymmetric key algorithms
    public and private key
HASH ALGORITHMS
Cryptography
Hashing
[Diagram: Clear-text, hash, Hash]
  Data authentication and integrity in conjunction with keys
    HMAC – Hashed Message Authentication Code
  Compression of messages for digital signatures
  Deriving keys
  Generation of deterministic random numbers
Incorrect hash example
  Sum alphabet letter positions
    HELLO = 8 + 5 + 12 + 12 + 15 = 52
  Can obtain arbitrary clear-text (collision) without brute-forcing
  Two similar clear-texts lead to similar output
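
The two weaknesses listed above, worked through in Python as an added example (not part of the original slides). The function names are illustrative, and SHA-256 is used only as a contrast for the "similar input, similar output" point.

```python
import hashlib


def letter_sum_hash(text):
    """The slide's 'incorrect hash': sum of alphabet positions (A=1 ... Z=26)."""
    return sum(ord(c) - ord("A") + 1 for c in text.upper() if "A" <= c <= "Z")


def forge_collision(target):
    """Construct a text with the wanted hash value directly, with no search."""
    full, rest = divmod(target, 26)
    return "Z" * full + (chr(ord("A") + rest - 1) if rest else "")


def sha256_bit_diff(a, b):
    """Count the output bits that differ between SHA-256(a) and SHA-256(b)."""
    da = int.from_bytes(hashlib.sha256(a.encode()).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b.encode()).digest(), "big")
    return bin(da ^ db).count("1")


def demo():
    original = "HELLO"
    forged = forge_collision(letter_sum_hash(original))
    return {
        "hash": letter_sum_hash(original),
        # Weakness 1: a colliding clear-text is computed, not brute-forced.
        "forged": forged,
        "forged_hash": letter_sum_hash(forged),
        # Reordering the letters collides as well, because addition commutes.
        "anagram_hash": letter_sum_hash(original[::-1]),
        # Weakness 2: changing one letter by one position moves the hash by one.
        "toy_neighbour_delta": letter_sum_hash("HELLP") - letter_sum_hash(original),
        # A real hash function flips roughly half of its 256 output bits.
        "sha256_neighbour_bits": sha256_bit_diff(original, "HELLP"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
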
Hash collisions
  Pure arithmetic collisions
    limited exploitability
  Post-signing collisions
  Chosen-prefix collisions
Post-signing collision
  Name: Ondrej
  Owes: 100 $
  Hash: 14EEDA49C1B7
  To: Kamil
  Signature: 3911BA85

  Name: Ondrej
  Owes: 1 000 000 $
  Hash: 14EEDA49C1B7
  To: Kamil
  Signature: 3911BA85
  Trash: XX349%$@#BB...
Chosen-prefix collision
  CN: www.idtt.com
  Valid: 2010
  Hash: 24ECDA49C1B7
  Serial #: 325
  Signature: 5919BA85
  Public: 35B87AA11...

  CN: www.microsoft.com
  Valid: 2010
  Hash: 24ECDA49C1B7
  Serial #: 325
  Signature: 5919BA85
  Public: 4B3318C9D...
MD5 problems
  Pure arithmetic in 2^112 evaluations
  Post-signing collisions suspected
  Chosen-prefix collisions
    Practically proved for certificates with predictable serial numbers
    2^50
SHA-1 problems
  General brute-force attack at 2^80
    as about 12 characters complex password
  Some collisions found at 2^63
    pure arithmetic collisions, no exploitation proved
SYMMETRIC ALGORITHMS
Cryptography
Symmetric key
  Data confidentiality
  Authentication and integrity
    MAC – Message Authentication Code, single key to generate, the same to validate
  Key establishment
  Generation of deterministic random numbers
Password and key
[Diagram: Password, Hash, Key, Clear-text, Cipher, Cipher-text]
Encryption key
[Diagram: Clear-text, Key, Cipher, Cipher-text, Key]
ASYMMETRIC ALGORITHMS
Cryptography
Asymmetric keys
  Digital signatures
  Key establishment
  Generation of random numbers
Encryption and decryption keys
[Diagram: Clear-text, Encryption key, Cipher, Cipher-text, Decryption key]
Private and public key
[Diagram: Signing, Private key, Signature validation (three times), Public key (three times)]
Private and public key
[Diagram: Decryption, Private key, Signature validation, Signature validation, Encryption, Public key (three times)]
Performance considerations
  Asymmetric algorithms use large keys
    EC is about 10 times smaller
  Encryption/decryption time about 100x longer
    symmetric is faster
Digital Signature (incorrect)
[Diagram: Document, Private key]
Digital Signature
[Diagram: Document, Hash, Private key]
Storage Encryption (slow)
[Diagram: Document, Public key]
Storage Encryption
[Diagram: Document, Symmetric encryption key (random), Symmetric key, Public key (User A), Public key (User B)]
Transport encryption
[Diagram: Client, Server, Public key, Symmetric Key, Data]
Diffie-Hellman Key Exchange
  Asymmetric algorithm for key exchange
    most commonly used for key exchange
  Automatically generates the same encryption key for symmetric encryption on both sides
Digital Signature and time stamping (incorrect)
[Diagram: Document, Hash, Timestamp, Private key, TA private key]
Time authority (incorrect)
[Diagram: Document, Hash, Timestamp, Private key, TA private key]
Time authority (correct)
[Diagram: Document, Hash, Timestamp, Hash, Private key, TA private key]
Time authority (correct)
[Diagram: Document, Hash, Timestamp, Hash, Public key]
Random Number Generators
  Deterministic RNG
    use cryptographic algorithms and keys to generate random bits
    attack on randomly generated symmetric keys
    DNS cache poisoning
  Nondeterministic RNG (true RNG)
    use physical source that is outside human control
    smart cards, tokens
    HSM – hardware security modules
Random Number Generators
  CryptGenRandom()
    hashed
    Vista+ AES (NIST 800-900)
    2003- DSS (FIPS 186-2)
  Entropy from
    system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …
Random Number Generators
  new Random()
    just a time seed
    several instances created simultaneously may have the same seed
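
The same-seed problem from the slide above, reproduced in Python as an added example (not part of the original slides). Python's `random.Random` stands in here for a time-seeded generator such as `new Random()`, and the clock tick value is constructed for the illustration.

```python
import random
import secrets

# Constructed value: what a coarse clock returns to every caller
# that asks within the same timer tick.
CLOCK_TICK = 634000000000000000


def _key(rng, nbytes):
    """Draw nbytes from a (non-cryptographic) generator."""
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def keys_from_clock_seed(tick, instances, nbytes=16):
    """Every caller creates its own generator, all seeded with the same tick."""
    return [_key(random.Random(tick), nbytes) for _ in range(instances)]


def keys_from_shared_instance(tick, instances, nbytes=16):
    """One generator shared by all callers: values differ from each other,
    but the whole sequence is still reproducible from the seed."""
    rng = random.Random(tick)
    return [_key(rng, nbytes) for _ in range(instances)]


def keys_from_csprng(instances, nbytes=16):
    """Operating-system CSPRNG: the right source for key material."""
    return [secrets.token_bytes(nbytes) for _ in range(instances)]


def distinct(keys):
    """Number of different keys in the list."""
    return len(set(keys))


if __name__ == "__main__":
    print("per-instance time seed:", distinct(keys_from_clock_seed(CLOCK_TICK, 5)), "distinct of 5")
    print("shared instance:       ", distinct(keys_from_shared_instance(CLOCK_TICK, 5)), "distinct of 5")
    print("OS CSPRNG:             ", distinct(keys_from_csprng(5)), "distinct of 5")
```

A shared instance removes the duplicates but not the predictability, so keys belong to the operating-system generator in every case.
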
CURRENT ALGORITHMS
Cryptography
Symmetric algorithm history
  DES (1976, 56 bit)
  3DES, TDEA (1998, 168/112 bit)
  RC4 (1987, 128 bit)
  AES-128, AES-192, AES-256 (2001)
Hash algorithm history
  MD4 (1990, 128 bit)
  MD5 (1991, 128 bit)
  SHA-1 (1995, 160 bit)
  SHA-224, SHA-256, SHA-384, SHA-512 (2001)
Asymmetric algorithm history
  RSA (1973)
  DSA (1991)
  ECDSA (2000)
  ECDH (2000)
CRYPTOGRAPHIC STANDARDS
Cryptography
US standards
  FIPS – Federal Information Processing Standards
    provides standard algorithms
  NIST – National Institute for Standards and Technology
    approves the algorithms for US government non-classified but sensitive use
    latest NIST SP800-57, March 2007
  NSA – National Security Agency
    Suite-B for Secure and Top Secure (2005)
Hash functions (SP800-57)
  SHA-1
    hash size output is 160
  SHA-2
    SHA-224, SHA-256, SHA-384, SHA-512
    hash size output is 224, 256, 384, 512
Symmetric key (SP800-57)
  AES-128, AES-192, AES-256
    encrypts data in 128-bit blocks
    uses 128, 192, 256-bit keys
  Triple DEA (TDEA)
    encrypts data in 64-bit blocks
    uses three 56-bit keys
Digital Signatures (SP800-57)
  DSA (Digital Signature Algorithm)
    key sizes of 1024, 2048 and 3072-bit
    produces 320, 448, 512-bit signatures
  RSA (Rivest – Shamir – Adleman)
    key sizes according to FIPS186-3
  ECDSA (Elliptic Curve DSA)
    key sizes of at least 160-bit
    produces 2x key length signatures
    types of curves specified in FIPS186-3
Cryptoperiods (SP800-57)
Key | Cryptoperiod
Private signature | 1 – 3 years
Symmetric authentication | <= 5 years
Private authentication | 1-2 years
Symmetric data encryption | <= 5 years
Public key transport key | 1-2 years
Comparable Algorithm Strengths (SP800-57)
Strength | Symmetric | RSA | ECDSA | SHA
80 bit | 2TDEA | RSA 1024 | ECDSA 160 | SHA-1
112 bit | 3TDEA | RSA 2048 | ECDSA 224 | SHA-224
128 bit | AES-128 | RSA 3072 | ECDSA 256 | SHA-256
192 bit | AES-192 | RSA 7680 | ECDSA 384 | SHA-384
256 bit | AES-256 | RSA 15360 | ECDSA 512 | SHA-512
Security lifetimes (SP800-57 and Suite-B)
Lifetime | Strength | Level
2010 | 80 bit | US Confidential
2030 | 112 bit | US Confidential
2030 | 128 bit | US Secure
2030 | 192 bit | US Top-Secure
Beyond 2030 | 128 bit | US Confidential
OPERATING SYSTEM SUPPORT
Cryptography
FIPS Compliant Algorithms
Cryptographic Providers
  Cryptographic Service Provider – CSP
    Windows 2000+
    DLL loaded into client processes
    can use only V1 and V2 templates
  Cryptography Next Generation – CNG
    Windows Vista+
    different API functions, isolated private keys
    use only V3 templates
    enables use of ECC
  CERTUTIL -CSPLIST
Cryptography support
System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
Windows 2000 | yes | no | yes | yes | no | no
Windows XP | yes | yes | yes | yes | yes | no
Windows 2003 | yes | yes | yes | yes | non-public update yes | no
Windows Vista/2008 | yes | yes | yes | yes | yes | yes
Windows 7/2008 R2 | yes | yes | yes | yes | yes | yes
Cryptography support
System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
Windows Mobile 6.5 | yes | yes | yes | yes | no | no
Windows Mobile 7 | yes | yes | yes | yes | yes | yes
TMG 2010 yes yes no
SCCM 2007 yes no no
SCOM 2007 yes yes no
Encryption
EFS  BitLocker  IPSec  Kerberos  NTLM  RDP
DES  2000 +  2000 +  2000 +  LM password hash, NTLM
3DES  2000 +  2000 +  2000 +
RC4  2000 +  2000 +
AES  2003 +  Vista +  Vista +  Vista +
DH  2000 +  2000 +
RSA  2000 +  Seven +  2000 +  2000 +  2003 +
ECC  Seven +  Vista +  Seven +
Hashing
MD4  MD5  SHA-1  SHA-2
NT password hash  NT4 +
Digest password hash  2003 +
IPSec  2000 +  2000 +  Seven +
NTLM  NTLMv2
MS-CHAP  MS-CHAPv2
SHA-2 Support
  CSPs can store and validate the SHA-2 certificates
    Windows XP SP3
    Windows Server 2003 – KB 938397
    Windows Mobile 7
  New SHA-2 certificates can be issued only by Windows 2008+ CA
  Autoenrollment client can enroll for SHA-2 certificates only on Windows 2008/Vista+
CNG Not Supported
  EFS
    Windows 2008/Vista-
    user encryption certificates
  VPN/WiFi Client (EAPTLS, PEAP Client)
    Windows 2008/7-
    user or computer certificate authentication
  TMG 2010
    server certificates on web listeners
  Outlook 2003
    user email certificates for signatures or encryption
  Kerberos
    Windows 2008/Vista-
    DC certificates
  System Center Operations Manager 2007 R2
  System Center Configuration Manager 2007 R2
SAN and wildcards *
Application | Supports * | Supports SAN
Internet Explorer 4.0 and older | no | no
Internet Explorer 5.0 and newer | yes | yes
Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored
Windows Pocket PC 3.0 and 4.0 | no | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 and newer | yes | yes
Outlook 2003 and newer | yes | yes
RDP/TS proxy | yes | yes, if SAN present Subject is ignored
ISA Server firewall certificate | yes | yes
ISA Server 2000 and 2004 published server certificate | no | no
ISA Server 2006 published server certificate | yes | yes, only the first SAN name
OCSP and Delta CRL
System | Checks OCSP | Delta CRL
Windows 2000 and older | no | no
Windows XP and older | no | yes
Windows Vista and newer | yes, preferred | yes
Windows Pocket PC 4.0 and older | no | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 | no | yes
Windows Mobile 6.1 and newer | yes, preferred | yes
ISA Server 2006 and older | no | yes
TMG 2010 and newer | yes, preferred | yes
CRL checks in Internet Explorer
Version | CRL and OCSP checking
4.0 and older | no checks
5.0 and newer | can check CRL, disabled by default
7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default
Automatic Root Certificate Update
  Windows XP/2003
    whole list periodically updated from Windows Update
  Windows Vista/2008+
    individual CAs updated on demand from Windows Update
  Windows Mobile 6.5+
    individual CAs updated on demand from Windows Update
Windows Mobile 2003/5.0 CAs
Company | Certificate Name | Windows Mobile
Cybertrust | GlobalSign Root CA | 2003 and 5.0
Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0
Cybertrust | GTE CyberTrust Root | 2003 and 5.0
Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0
Verisign | Thawte Premium Server CA | 2003 and 5.0
Verisign | Thawte Server CA | 2003 and 5.0
Verisign | Secure Server Certification Authority | 2003 and 5.0
Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0
Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0
Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0
Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0
Godaddy | http://www.valicert.com/ | 5.0
Windows Mobile 6.0 CAs
Comodo | AAA Certificate Services
Comodo | AddTrust External CA Root
Cybertrust | Baltimore CyberTrust Root
Cybertrust | GlobalSign Root CA
Cybertrust | GTE CyberTrust Global Root
Verisign | Class 2 Public Primary Certification Authority
Verisign | Thawte Premium Server CA
Verisign | Thawte Server CA
Verisign | Secure Server Certification Authority
Verisign | Class 3 Public Primary Certification Authority
Entrust | Entrust.net Certification Authority (2048)
Entrust | Entrust.net Secure Server Certification Authority
Geotrust | Equifax Secure Certificate Authority
Geotrust | GeoTrust Global CA
Godaddy | Go Daddy Class 2 Certification Authority
Godaddy | http://www.valicert.com/
Godaddy | Starfield Class 2 Certification Authority
RSA 2048 browser support
Browser  First Version
  Internet Explorer 5.01
  Mozilla Firefox 1.0
  Opera 6.1
  Apple Safari 1.0
  Google Chrome
  AOL 5
  Netscape Communicator 4.51
  Red Hat Linux Konqueror
  Apple iPhone
  Windows Mobile 2003
  Windows CE 4.0
  RIM Blackberry 4.3.0
  PalmOS 5
  Sony Playstation Portable
  Sony Playstation 3
  Nintendo Wii
Extended Validation browsers
Browser  First Version
  Internet Explorer 7.0
  Opera 9.5
  Firefox 3
  Google Chrome -
  Apple Safari 3.2
  Apple iPhone 3.0
S/MIME RSA 2048 client support
Browser  First Version
  Microsoft Outlook 99
  Mozilla Thunderbird 1.0
  Qualcomm Eudora 6.2
  Lotus Notes 6
  Netscape Communicator 4.51
  Mulberry Mail
  Apple Mail
  Windows Mail
  The Bat
CA Hierarchy
[Diagram: IDTT Root CA; IDTT London CA, IDTT Paris CA, IDTT Roma CA; leaf certificates]
THANK YOU!