Transcript Windows PKI
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com

WINDOWS PKI

Outline
- Hash algorithms
- Symmetric algorithms
- Asymmetric algorithms
- Current algorithms in use
- Cryptographic standards
- Operating system support

Security Services
- Confidentiality
- Data integrity: accidental vs. deliberate modification
- Authentication, plus role-based authentication when more individuals share authentication information
- Authorization
- Non-repudiation
- Key establishment and random number generation

Cryptographic Algorithms
- Hash algorithms: no keys
- Symmetric key algorithms: secret key
- Asymmetric key algorithms: public and private key

Cryptography: HASH ALGORITHMS

Hashing
- Clear-text -> Hash function -> hash

Hash
- Data authentication and integrity in conjunction with keys: HMAC (Hashed Message Authentication Code)
- Compression of messages for digital signatures
- Deriving keys
- Generation of deterministic random numbers

Incorrect hash example
- Sum of alphabet letter positions: HELLO = 8 + 5 + 12 + 12 + 15 = 52
- An arbitrary clear-text with the same value (a collision) can be obtained without brute-forcing
- Two similar clear-texts lead to similar output

Hash collisions
- Pure arithmetic collisions: limited exploitability
- Post-signing collisions
- Chosen-prefix collisions

Post-signing collision (two documents with the same hash, so the one signature fits both)
  Name: Ondrej            | Name: Ondrej
  Owes: 100 $             | Owes: 1 000 000 $
  To: Kamil               | To: Kamil
                          | Trash: XX349%$@#BB...
  Hash: 14EEDA49C1B7      | Hash: 14EEDA49C1B7
  Signature: 3911BA85     | Signature: 3911BA85

Chosen-prefix collision (two certificates with the same hash, so the one CA signature fits both)
  Serial #: 325           | Serial #: 325
  CN: www.idtt.com        | CN: www.microsoft.com
  Valid: 2010             | Valid: 2010
  Public: 35B87AA11...    | Public: 4B3318C9D...
  Hash: 24ECDA49C1B7      | Hash: 24ECDA49C1B7
  Signature: 5919BA85     | Signature: 5919BA85

MD5 problems
- Pure arithmetic collisions in 2^112 evaluations
- Post-signing collisions suspected
- Chosen-prefix collisions: practically proved for certificates with predictable serial numbers (2^50)

SHA-1 problems
- General brute-force attack at 2^80, about as complex as a 12-character password
- Some collisions found at 2^63: pure arithmetic collisions, no exploitation proved

Cryptography: SYMMETRIC ALGORITHMS

Symmetric key
- Data confidentiality
- Authentication and integrity: MAC (Message Authentication Code), a single key to generate, the same key to validate
- Key establishment
- Generation of deterministic random numbers

Password and key
- Password -> Hash -> Key; Clear-text -> Cipher (with Key) -> Cipher-text

Encryption key
- Key; Clear-text -> Cipher (with Key) -> Cipher-text

Cryptography: ASYMMETRIC ALGORITHMS

Asymmetric keys
- Digital signatures
- Key establishment
- Generation of random numbers

Encryption and decryption keys
- Clear-text -> Cipher (with Encryption key) -> Cipher-text -> Cipher (with Decryption key) -> Clear-text

Private and public key
- Signing: the private key produces the signature; the public key validates it (signature validation)
- Encryption: the public key encrypts; the private key decrypts

Performance considerations
- Asymmetric algorithms use large keys; EC keys are about 10 times smaller
- Encryption/decryption time is about 100x longer; symmetric is faster

Digital Signature
- (incorrect) Document -> Private key -> Digital Signature (the whole document is signed)
- (correct) Document -> Hash -> Private key -> Digital Signature (only the hash is signed)

Storage Encryption
- (slow) Document -> Public key -> encrypted document
- (correct) Document encrypted with a random symmetric encryption key; the symmetric key is then encrypted with the public key of User A and with the public key of User B

Transport encryption
- Client: generates a symmetric key, encrypts it with the server's public key, encrypts the data with the symmetric key
- Server: decrypts the symmetric key with its private key, then decrypts the data

Diffie-Hellman Key Exchange
- Asymmetric algorithm for key exchange, most commonly used for key exchange
- Automatically generates the same encryption key for symmetric encryption on both sides

Digital Signature and time stamping
- (incorrect) Document -> Hash + Timestamp -> Private key
- (incorrect) Document -> Hash + Timestamp -> TA private key (Time authority)
- (correct) Document -> Hash -> Private key; the signature is hashed, and Hash + Timestamp -> TA private key (Time authority)
- (correct, validation) as above, validated with the signer's Public key and the TA public key

Random Number Generators
- Deterministic RNG: uses cryptographic algorithms and keys to generate random bits
  - attack on randomly generated symmetric keys
  - DNS cache poisoning
- Nondeterministic RNG (true RNG): uses a physical source that is outside human control
  - smart cards, tokens
  - HSM (hardware security modules)

Random Number Generators
- CryptGenRandom(): hashed
  - Vista+: AES (NIST SP 800-90)
  - 2003-: DSS (FIPS 186-2)
- Entropy from system time, process id, thread id, tick counter, virtual/physical memory, performance counters of the process and system, free disk clusters, user environment, context switches, exception count, ...

Random Number Generators
- new Random(): just a time seed; several instances created simultaneously may have the same seed

Cryptography: CURRENT ALGORITHMS

Symmetric algorithm history
- DES (1976, 56 bit)
- 3DES, TDEA (1998, 168/112 bit)
- RC4 (1987, 128 bit)
- AES-128, AES-192, AES-256 (2001)

Hash algorithm history
- MD4 (1990, 128 bit)
- MD5 (1991, 128 bit)
- SHA-1 (1995, 160 bit)
- SHA-224, SHA-256, SHA-384, SHA-512 (2001)

Asymmetric algorithm history
- RSA (1973)
- DSA (1991)
- ECDSA (2000)
- ECDH (2000)

Cryptography: CRYPTOGRAPHIC STANDARDS

US standards
- FIPS (Federal Information Processing Standards): provides standard algorithms
- NIST (National Institute of Standards and Technology): approves the algorithms for US government non-classified but sensitive use; latest NIST SP800-57, March 2007
- NSA (National Security Agency): Suite-B for Secret and Top Secret (2005)

Hash functions (SP800-57)
- SHA-1: hash output size is 160 bits
- SHA-2: SHA-224, SHA-256, SHA-384, SHA-512; hash output sizes are 224, 256, 384, 512 bits

Symmetric key (SP800-57)
- AES-128, AES-192, AES-256: encrypts data in 128-bit blocks; uses 128, 192, 256-bit keys
- Triple DEA (TDEA): encrypts data in 64-bit blocks; uses three 56-bit keys

Digital Signatures (SP800-57)
- DSA (Digital Signature Algorithm): key sizes of 1024, 2048 and 3072 bits; produces 320, 448, 512-bit signatures
- RSA (Rivest, Shamir, Adleman): key sizes according to FIPS 186-3
- ECDSA (Elliptic Curve DSA): key sizes of at least 160 bits; produces signatures of 2x the key length; types of curves specified in FIPS 186-3

Cryptoperiods (SP800-57)
  Key                        | Cryptoperiod
  Private signature          | 1-3 years
  Symmetric authentication   | <= 5 years
  Private authentication     | 1-2 years
  Symmetric data encryption  | <= 5 years
  Public key transport key   | 1-2 years

Comparable Algorithm Strengths (SP800-57)
  Strength | Symmetric | RSA       | ECDSA     | SHA
  80 bit   | 2TDEA     | RSA 1024  | ECDSA 160 | SHA-1
  112 bit  | 3TDEA     | RSA 2048  | ECDSA 224 | SHA-224
  128 bit  | AES-128   | RSA 3072  | ECDSA 256 | SHA-256
  192 bit  | AES-192   | RSA 7680  | ECDSA 384 | SHA-384
  256 bit  | AES-256   | RSA 15360 | ECDSA 512 | SHA-512

Security lifetimes (SP800-57 and Suite-B)
  Lifetime    | Strength | Level
  2010        | 80 bit   | US Confidential
  2030        | 112 bit  | US Confidential
  2030        | 128 bit  | US Secret
  2030        | 192 bit  | US Top Secret
  Beyond 2030 | 128 bit  | US Confidential

Cryptography: OPERATING SYSTEM SUPPORT

FIPS Compliant Algorithms: Cryptographic Providers
- Cryptographic Service Provider (CSP): Windows 2000+; DLL loaded into client processes; can use only V1 and V2 templates
- Cryptography Next Generation (CNG): Windows Vista+; different API functions, isolated private keys; uses only V3 templates; enables use of ECC
- CERTUTIL -CSPLIST

Cryptography support
  Columns: System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC, SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
  Windows 2000         | yes | no  | yes | yes | no | no
  Windows XP           | yes | yes | yes | yes | yes | no
  Windows 2003         | yes | yes | yes | yes | non-public update | yes | no
  Windows Vista/2008   | yes | yes | yes | yes | yes | yes
  Windows 7/2008 R2    | yes | yes | yes | yes | yes | yes

Cryptography support
  Columns: System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC, SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
  Windows Mobile 6.5   | yes | yes | yes | yes | no  | no
  Windows Mobile 7     | yes | yes | yes | yes | yes | yes
  TMG 2010             | yes | yes | no
  SCCM 2007            | yes | no  | no
  SCOM 2007            | yes | yes | no

Encryption and hashing support matrix (the grid layout did not survive the transcript)
- Columns: EFS, BitLocker, IPSec, Kerberos, RDP, NTLM, NTLMv2, MS-CHAP, MS-CHAPv2, and the password hashes (LM password hash, NT password hash, Digest password hash)
- Encryption rows: DES, 3DES, RC4, AES, DH, ECC, RSA
- Hashing rows: MD4, MD5, SHA-1, SHA-2
- Cells give the first version with support: NT4+, 2000+, 2003+, Vista+, Seven+

SHA-2 Support
- CSPs can store and validate SHA-2 certificates: Windows XP SP3; Windows Server 2003 (KB 938397); Windows Mobile 7
- New SHA-2 certificates can be issued only by a Windows 2008+ CA
- Autoenrollment client can enroll for SHA-2 certificates only on Windows 2008/Vista+ (CNG)

SHA-2 Not Supported
- EFS: Windows 2008/Vista user encryption certificates
- VPN/WiFi client (EAP-TLS, PEAP client): Windows 2008/7 user or computer certificate authentication
- TMG 2010: server certificates on web listeners
- Outlook 2003: user email certificates for signatures or encryption
- Kerberos: Windows 2008/Vista- DC certificates
- System Center Operations Manager 2007 R2
- System Center Configuration Manager 2007 R2

SAN and wildcards
  Application                                           | Supports * | Supports SAN
  Internet Explorer 4.0 and older                       | no         | no
  Internet Explorer 5.0 and newer                       | yes        | yes
  Internet Explorer 7.0                                 | yes        | yes; if SAN is present, Subject is ignored
  Windows Pocket PC 3.0 and 4.0                         | no         | no
  Windows Mobile 5.0                                    | no         | yes
  Windows Mobile 6.0 and newer                          | yes        | yes
  Outlook 2003 and newer                                | yes        | yes
  RDP/TS proxy                                          | yes        | yes; if SAN is present, Subject is ignored
  ISA Server firewall certificate                       | yes        | yes
  ISA Server 2000 and 2004 published server certificate | no         | no
  ISA Server 2006 published server certificate          | yes        | yes, only the first SAN name

OCSP and Delta CRL
  System                          | OCSP           | Delta CRL
  Windows 2000 and older          | no             | no
  Windows XP and older            | no             | yes
  Windows Vista and newer         | yes, preferred | yes
  Windows Pocket PC 4.0 and older | no             | no
  Windows Mobile 5.0              | no             | yes
  Windows Mobile 6.0              | no             | yes
  Windows Mobile 6.1 and newer    | yes, preferred | yes
  ISA Server 2006 and older       | no             | yes
  TMG 2010 and newer              | yes, preferred | yes

CRL checks in Internet Explorer
  Version       | CRL and OCSP checking
  4.0 and older | no checks
  5.0 and newer | can check CRL, disabled by default
  7.0 and newer | can check OCSP (if supported by the OS) and CRL, enabled by default

Automatic Root Certificate Update
- Windows XP/2003: the whole list is periodically updated from Windows Update
- Windows Vista/2008+: individual CAs are updated on demand from Windows Update
- Windows Mobile 6.5+: individual CAs are updated on demand from Windows Update

Windows Mobile 2003/5.0 CAs
  Company    | Certificate Name                                  | Windows Mobile
  Cybertrust | GlobalSign Root CA                                | 2003 and 5.0
  Cybertrust | GTE CyberTrust Global Root                        | 2003 and 5.0
  Cybertrust | GTE CyberTrust Root                               | 2003 and 5.0
  Verisign   | Class 2 Public Primary Certification Authority    | 2003 and 5.0
  Verisign   | Thawte Premium Server CA                          | 2003 and 5.0
  Verisign   | Thawte Server CA                                  | 2003 and 5.0
  Verisign   | Secure Server Certification Authority             | 2003 and 5.0
  Verisign   | Class 3 Public Primary Certification Authority    | 2003 and 5.0
  Entrust    | Entrust.net Certification Authority (2048)        | 2003 and 5.0
  Entrust    | Entrust.net Secure Server Certification Authority | 2003 and 5.0
  Geotrust   | Equifax Secure Certificate Authority              | 2003 and 5.0
  Godaddy    | http://www.valicert.com/                          | 5.0

Windows Mobile 6.0 CAs
- Comodo: AAA Certificate Services
- Comodo: AddTrust External CA Root
- Cybertrust: Baltimore CyberTrust Root
- Cybertrust: GlobalSign Root CA
- Cybertrust: GTE CyberTrust Global Root
- Verisign: Class 2 Public Primary Certification Authority
- Verisign: Thawte Premium Server CA
- Verisign: Thawte Server CA
- Verisign: Secure Server Certification Authority
- Verisign: Class 3 Public Primary Certification Authority
- Entrust: Entrust.net Certification Authority (2048)
- Entrust: Entrust.net Secure Server Certification Authority
- Geotrust: Equifax Secure Certificate Authority
- Geotrust: GeoTrust Global CA
- Godaddy: Go Daddy Class 2 Certification Authority
- Godaddy: http://www.valicert.com/
- Godaddy: Starfield Class 2 Certification Authority

RSA 2048 browser support
  Browser                  | First Version
  Internet Explorer        | 5.01
  Mozilla Firefox          | 1.0
  Opera                    | 6.1
  Apple Safari             | 1.0
  Google Chrome            |
  AOL                      | 5
  Netscape Communicator    | 4.51
  Red Hat Linux Konqueror  |
  Apple iPhone             |
  Windows Mobile           | 2003
  Windows CE               | 4.0
  RIM Blackberry           | 4.3.0
  PalmOS                   | 5
  Sony Playstation Portable|
  Sony Playstation 3       |
  Nintendo Wii             |

Extended Validation browsers
  Browser           | First Version
  Internet Explorer | 7.0
  Opera             | 9.5
  Firefox           | 3
  Google Chrome     | -
  Apple Safari      | 3.2
  Apple iPhone      | 3.0

S/MIME RSA 2048 client support
  Client                | First Version
  Microsoft Outlook     | 99
  Mozilla Thunderbird   | 1.0
  Qualcomm Eudora       | 6.2
  Lotus Notes           | 6
  Netscape Communicator | 4.51
  Mulberry Mail         |
  Apple Mail            |
  Windows Mail          |
  The Bat               |

CA Hierarchy
- IDTT Root CA
  - IDTT Roma CA: leaf certificates
  - IDTT London CA: leaf certificates
  - IDTT Paris CA: leaf certificates

THANK YOU!
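The "Incorrect hash example" and "Hash collisions" slides in code, as an added example that is not part of the deck: the letter-position hash with HELLO = 52, a collision constructed for it directly (no brute force), and, for contrast, how many SHA-256 bits flip between two near-identical inputs.

```python
"""Added example (not from the deck): the letter-position "hash" from the
"Incorrect hash example" slide, a collision built for it without brute force,
and a comparison with SHA-256 on two near-identical inputs."""
import hashlib
from typing import Optional


def letter_sum_hash(word: str) -> int:
    """Sum of alphabet positions, A=1 ... Z=26; HELLO -> 52 as on the slide."""
    return sum(ord(ch) - ord("A") + 1 for ch in word.upper() if ch.isalpha())


def find_collision(target: int, length: int) -> Optional[str]:
    """Construct a word of `length` letters whose letter sum equals `target`.

    The clear-text is built directly, slot by slot, with no search over the
    output space: this is the "collision without brute-forcing" weakness."""
    if not length <= target <= 26 * length:
        return None                      # every letter contributes 1..26
    letters = []
    for slot in range(length):
        slots_left = length - slot - 1   # each remaining slot needs at least 1
        value = min(26, target - slots_left)
        letters.append(chr(ord("A") + value - 1))
        target -= value
    return "".join(letters)


def sha256_digest(text: str) -> bytes:
    return hashlib.sha256(text.encode("utf-8")).digest()


def bit_difference_fraction(a: bytes, b: bytes) -> float:
    """Share of differing bits between two equal-length digests (0.0 .. 1.0)."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") / (8 * len(a))


def compare_hashes(word: str, similar: str) -> dict:
    """Similar inputs: near-identical letter sums, but ~half of SHA-256 bits flip."""
    return {
        "sum_delta": abs(letter_sum_hash(word) - letter_sum_hash(similar)),
        "sha256_flip": bit_difference_fraction(sha256_digest(word), sha256_digest(similar)),
    }
```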
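The "Password and key" and "Symmetric key" slides in code, as an added example that is not part of the deck: a password is turned into a fixed-size key by a hash-based derivation (PBKDF2-HMAC-SHA-256), and a MAC is generated and validated with that same single key. The salt, password and messages are constructed sample values.

```python
"""Added example (not from the deck): Password -> Hash -> Key, then a MAC
generated and validated with the same key. Salt and messages are constructed."""
import hashlib
import hmac

SALT = b"constructed-sample-salt"   # in practice random per password and stored with the hash
ITERATIONS = 100_000                 # slows down guessing of weak passwords


def derive_key(password: str, salt: bytes = SALT, length: int = 32) -> bytes:
    """Password -> Hash -> Key: PBKDF2 with HMAC-SHA-256 (a hash used to derive a key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=length)


def generate_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256: authentication and integrity in conjunction with a key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def validate_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """The same key validates; compare_digest avoids timing leaks when comparing tags."""
    return hmac.compare_digest(generate_mac(key, message), tag)


def demo() -> dict:
    """Derive a key, protect a message, then try the checks a verifier would run."""
    key = derive_key("correct horse battery staple")
    message = b"Name: Ondrej; Owes: 100 $; To: Kamil"            # constructed, echoes the slide
    tampered = b"Name: Ondrej; Owes: 1 000 000 $; To: Kamil"     # constructed modification
    tag = generate_mac(key, message)
    return {
        "key_len": len(key),
        "same_password_same_key": derive_key("correct horse battery staple") == key,
        "valid": validate_mac(key, message, tag),
        "tampered_valid": validate_mac(key, tampered, tag),
        "wrong_key_valid": validate_mac(derive_key("wrong password"), message, tag),
    }
```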
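The client behaviours from the "SAN and wildcards" slide as matching logic, as an added example that is not part of the deck: a hostname is checked against a certificate's Subject CN and SAN list under policies built from the table (wildcard support, SAN support, "if SAN present, Subject is ignored", "only the first SAN name"). The policy names, the CN www.idtt.com and the SAN values are constructed; this is not any client's real validation code.

```python
"""Added example (not from the deck): hostname matching against Subject CN and
SANs under the client behaviours of the "SAN and wildcards" slide. Policy names
and certificate values are constructed for illustration."""


def name_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Case-insensitive match; a wildcard is honoured only as the whole
    leftmost label, so *.idtt.com covers www.idtt.com but not idtt.com
    or a.b.idtt.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                               # ".idtt.com"
    prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
    return bool(prefix) and "." not in prefix


# Client behaviours from the slide's table (assumption: where the slide says
# "only the first SAN name", the Subject CN is still considered as well).
POLICIES = {
    "ie4":     dict(wildcard=False, san=False, san_ignores_subject=False, first_san_only=False),
    "ie5":     dict(wildcard=True,  san=True,  san_ignores_subject=False, first_san_only=False),
    "ie7":     dict(wildcard=True,  san=True,  san_ignores_subject=True,  first_san_only=False),
    "wm5":     dict(wildcard=False, san=True,  san_ignores_subject=False, first_san_only=False),
    "isa2006": dict(wildcard=True,  san=True,  san_ignores_subject=False, first_san_only=True),
}


def certificate_accepts(policy: str, hostname: str, cn: str, sans: list) -> bool:
    """Would a client with this policy accept the certificate for hostname?"""
    p = POLICIES[policy]
    candidates = []
    if p["san"] and sans:
        candidates.extend(sans[:1] if p["first_san_only"] else sans)
    if not (p["san"] and sans and p["san_ignores_subject"]):
        candidates.append(cn)                          # Subject CN still counts
    return any(name_matches(n, hostname, p["wildcard"]) for n in candidates)
```

The IE 7 row is the one that surprises people: a certificate whose CN is correct but whose SAN list omits that name is rejected, because the Subject is ignored once a SAN extension is present.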