Windows and Smart Card Logon
GOPAS: info@gopas.cz | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise | CEH | MCSE:Windows2012 | [email protected] | www.sevecek.com |
Certificate logon
• Motivation
• Kerberos smart card logon vs. TLS client certificate authentication
• CA requirements
• Certificate requirements
• Enrollment agents
Motivation
Assumption
We are as secure as possible on Windows with standard Ethernet
• no LM hashes
• no plaintext passwords
• no intrusion detection
• Kerberos where possible
• NTLMv2 if a must
Motivation
Passwords shorter than 12 chars are insecure
Can be cracked from
• AD, local databases, password caches, NTLM and Kerberos traffic, LDAP simple bind, stored passwords, …
Windows passwords are MD4
• cracking, Rainbow tables
Certificates are SHA-1 or SHA2
• random keys, not transported easily without smart cards
SHA-1 problems
General brute-force attack at 2^80
Windows passwords
8 characters password? 80^8 possible passwords; 2^x = 80^8 ??
• x * log 2 = 8 * log 80
• x = 8 * log 80 / log 2
• x ≈ 51
10 characters ≈ 2^63
12 characters ≈ 2^76
Cracking 8 characters passwords
single CPU in Cain
• 25 years
10 low-end GPUs in Distributed Password Recovery
• days
Rainbow table
• minutes
• 576 GB
Kerberos
Rainbow tables inefficient due to salting
• NTLMv2 as well
Can use smart cards
Armoring on Windows 8/2012
Better services such as delegation, compound authentication, claims
Newer algorithms
• AES
Certificate logon
Kerberos vs. TLS
Kerberos TGT generation
• password
• PKINIT with certificate
TLS client certificate logon
• require client certificate
• prevents before-authentication attacks
CA requirements
Trusted
NTAuth super-trusted
CRL/OCSP available
CA best practices
Do not bother with hierarchy and offline roots
May be on a DC
• the same threat and security level
Always make CRL available on public DNS
• could be made internet accessible in the future
Certificate requirements
Domain Controllers
• name of the domain
• Smart Card Logon + Kerberos Authentication
User certificates
• Kerberos PKINIT: Smart Card Logon
• TLS client certificate auth: Client Authentication
Template: Domain TLS User with RSA
Extension | Value
Subject | Common Name or Distinguished Name
SAN | UPN
Exportable Key | no?
Archive Key | no, transport encryption only
Key Type | Signature
Key Usage | Digital Signature
CSP | all Base, Enhanced, AES providers
EKU | Client Authentication (1.3.6.1.5.5.7.3.2)
Autoenrollment | yes
Publish in AD | no
Template: Domain SC User with RSA
Extension | Value
Subject | Common Name or Distinguished Name
SAN | UPN, or AD mapped subject (Windows 6.0+)
Exportable Key | no?
Archive Key | no, transport encryption only
Key Type | Signature (AllowSignatureOnlyKeys GPO on Windows 6.0+), or Encryption (required on 2000+, more secure)
Key Usage | Digital Signature
CSP | Smart Card compatible provider
EKU | Smart Card Logon (1.3.6.1.4.1.311.20.2.2); can be empty on Windows 6.0+, but if present, must contain Smart Card Logon EKU
Autoenrollment | no?
Publish in AD | no
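As an added example (not from the slides or from GOPAS), the following PowerShell checks a certificate against the SAN, Key Usage and EKU rows of the two tables above; the certificate store path and the "Principal Name=" rendering of the SAN UPN are assumptions about a standard Windows environment.

```powershell
# Added example, not from the slides: check a certificate against the requirement
# tables above. Store path and the "Principal Name=" SAN rendering are assumptions.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # EKU from the "Domain SC User" table
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # EKU from the "Domain TLS User" table

function Test-LogonCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet('SmartCard', 'TLS')][string]$Profile = 'SmartCard'
    )
    $findings = @()
    $requiredEku = if ($Profile -eq 'TLS') { $ClientAuthOid } else { $SmartCardLogonOid }
    # SAN must carry the UPN; Windows renders the otherName as "Principal Name=user@domain"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san -or $san.Format($true) -notmatch 'Principal Name=') {
        $findings += 'SAN has no UPN (Principal Name)'
    }
    # Key Usage must include Digital Signature
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or -not $ku.KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $findings += 'Key Usage lacks Digital Signature'
    }
    # EKU: TLS profile needs Client Authentication; Smart Card profile may omit the
    # extension on Windows 6.0+, but if present it must contain Smart Card Logon
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        if (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $requiredEku) {
            $findings += "EKU present but lacks required OID $requiredEku"
        }
    } elseif ($Profile -eq 'TLS') {
        $findings += 'EKU extension missing; Client Authentication is required'
    }
    if (-not $Cert.HasPrivateKey) { $findings += 'No private key linked to this certificate' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Profile    = $Profile
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: evaluate every certificate in the current user's personal store
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-LogonCertificate -Cert $_ } | Format-List
```

Run with `-Profile TLS` to check the Client Authentication variant instead; the Exportable Key and Archive Key rows are template settings and are not visible on the issued certificate, so they are not checked here.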
Enrollment Agent
aka Registration Authority (RA)
Generates requests signed by its own RA certificate
AD CS can apply more granular policies
Thank you!
Upcoming conferences and seminars
11.11.2013 The essentials of TLS and SSL on Windows – Ondřej Ševeček
ShowIT 2014
11.-13.02.2014 Technical IT conference, 60 talks, news from BackOffice, Development and Security. A highlight: Ethical Hacking. A surprise: a moderated speaker panel
Breakfast on the topic: