PKI DESIGN
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com
GOPAS TechEd 2012
ALGORITHMS
Cryptographic Algorithms
Hash algorithms
  no keys
  MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512
Symmetric key algorithms
  secret key
  RC4, DES, 3-DES, AES
Asymmetric key algorithms
  public and private key
  RSA, DH, EC
THOUGHTS ON HASHING
Hash example (not good)
Sum alphabet letter positions
  HELLO = 8 + 5 + 12 + 12 + 15 = 52
Can obtain arbitrary clear-text (collision) without brute-forcing
Several similar clear-texts lead to similar output
Hash collisions
Pure arithmetic collisions
  limited exploitability
Post-signing collisions
Chosen-prefix collisions
Post-signing collision
Document 1
  Name: Ondrej
  Owes: 100 $
  Hash: 14EEDA49C1B7
  To: Kamil
  Signature: 3911BA85
Document 2 (same hash, same signature)
  Name: Ondrej
  Owes: 1 000 000 $
  Hash: 14EEDA49C1B7
  To: Kamil
  Signature: 3911BA85
  Trash: XX349%$@#BB...
Chosen-prefix collision
Certificate 1
  CN: www.idtt.com
  Valid: 2010
  Hash: 24ECDA49C1B7
  Serial #: 325
  Signature: 5919BA85
  Public: 35B87AA11...
Certificate 2 (same hash, same signature)
  CN: www.microsoft.com
  Valid: 2010
  Hash: 24ECDA49C1B7
  Serial #: 325
  Signature: 5919BA85
  Public: 4E9618C9D...
MD5 problems
Pure arithmetic in 2^112 evaluations
Post-signing collisions suspected
Chosen-prefix collisions
  Practically proved for certificates with predictable serial numbers
  2^50
SHA-1 problems
General brute-force attack at 2^80
  about the same as a 12-character complex password
Some collisions found at 2^63
  pure arithmetic collisions, no exploitation proved
ALGORITHM COMBINATIONS
Performance considerations
Asymmetric algorithms use large keys
  EC is about 10 times smaller
Encryption/decryption time about 100x longer
  symmetric is faster
[Diagram: Digital Signature (not good): Document, Private key]
[Diagram: Digital Signature: Document, Hash, Private key]
[Diagram: Storage Encryption (slow): Document, Public key]
[Diagram: Storage Encryption: Document, Symmetric encryption key (random), Symmetric key, Public key (User A)]
[Diagram: Storage Encryption: Document, Symmetric encryption key (random), Symmetric key, Public key (User A), Public key (User B)]
[Diagram: Transport encryption: Client, Server, Public key, Symmetric key, Data]
FUN WITH RANDOM NUMBERS
Random Number Generators
Deterministic RNG
  use cryptographic algorithms and keys to generate random bits
  attack on randomly generated symmetric keys
  DNS cache poisoning
Nondeterministic RNG (true RNG)
  use physical source that is outside human control
  smart cards, tokens
  HSM – hardware security modules
Random Number Generators
CryptGenRandom()
  hashed
  Vista+: AES (NIST 800-90)
  2003-: DSS (FIPS 186-2)
Entropy from
  system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …
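Why the seed of a deterministic RNG matters, as an added example that is not part of the original slides: a 128-bit key produced from a generator seeded only with the system time is exactly as strong as the guess of that time. Python's random module stands in for any deterministic generator; the timestamp and function names are constructed for this illustration.

```python
import math
import random
import secrets

# Constructed sample value: Unix time at which the weak key was generated.
CREATED_AT = 1_350_000_000

def weak_key(seed: int) -> bytes:
    """128-bit key from a deterministic RNG seeded with a guessable value."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def recover_seed(key: bytes, earliest: int, latest: int):
    """Return the seed in [earliest, latest] that reproduces key, else None."""
    for seed in range(earliest, latest + 1):
        if weak_key(seed) == key:
            return seed
    return None

def search_space_bits(earliest: int, latest: int) -> float:
    """Effective key strength in bits when only the seed is unknown."""
    return math.log2(latest - earliest + 1)

def strong_key() -> bytes:
    """128-bit key from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    lo, hi = CREATED_AT - 3600, CREATED_AT + 3600  # key made within +/- 1 hour
    key = weak_key(CREATED_AT)
    print("nominal key size: 128 bits")
    print("effective strength: %.1f bits" % search_space_bits(lo, hi))
    print("seed reproduced:", recover_seed(key, lo, hi) == CREATED_AT)
    # A key from the OS generator is not reproduced by any seed in the window.
    print("OS key reproduced:", recover_seed(strong_key(), lo, hi) is not None)
```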
STANDARDS
US standards
FIPS – Federal Information Processing Standards
  provides standard algorithms
NIST – National Institute of Standards and Technology
  approves the algorithms for US government non-classified but sensitive use
  latest NIST SP800-57, March 2007
NSA – National Security Agency
  Suite-B for Secret and Top Secret (2005)
Cryptoperiods (SP800-57)
Key | Cryptoperiod
Private signature | 1 – 3 years
Public signature verification | >3 years
Symmetric authentication | <= 5 years
Private authentication | 1-2 years
Symmetric data encryption | <= 5 years
Public key transport key | 1-2 years
Private/public key agreement key | 1-2 years
Comparable Algorithm Strengths (SP800-57)
Strength | Symmetric | RSA | ECDSA | SHA
80 bit | 2TDEA | RSA 1024 | ECDSA 160 | SHA-1
112 bit | 3TDEA | RSA 2048 | ECDSA 224 | SHA-224
128 bit | AES-128 | RSA 3072 | ECDSA 256 | SHA-256
192 bit | AES-192 | RSA 7680 | ECDSA 384 | SHA-384
256 bit | AES-256 | RSA 15360 | ECDSA 512 | SHA-512
Security lifetimes (SP800-57 and Suite-B)
Lifetime | Strength | Level
2010 | 80 bit | US Confidential
2030 | 112 bit | US Confidential
2030 | 128 bit | US Secret
2030 | 192 bit | US Top Secret
Beyond 2030 | 128 bit | US Confidential
NSA Suite-B Algorithms
NSA publicly published algorithms (2005)
  as opposed to Suite-A, which is private
AES-128, ECDH-256, ECDSA-256, SHA-256
  Secret
AES-256, ECDH-384, ECDSA-384, SHA-384
  Top Secret
OPERATING SYSTEM SUPPORT
Cryptographic Providers
Cryptographic Service Provider – CSP
  Windows 2000+
  can use only V1 and V2 templates
Cryptography Next Generation – CNG
  Windows Vista+
  requires V3 templates
  enables use of ECC
CERTUTIL -CSPLIST
Cryptographic Providers
Type | Operating System | Algos | Template
CSP | Windows 2000, Windows 2003 | AES, SHA-1, RSA | v1, v2
CSP | Windows XP SP3, Windows 2003 KB938397 | AES, SHA-1, RSA, SHA-2 | v1, v2
CNG | Windows Vista | AES, SHA-1, RSA, SHA-2, EC | v3
SHA-2 Support
Windows XP
Windows 2003 + KB 938397
Windows Phone 7
AD CS on Windows 2008+
Autoenrollment on XP with KB
TMG 2010 with KB in the future
Cryptography support
System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
Windows 2000 | yes | no | yes | yes | no | no
Windows XP | yes | yes | yes | yes | yes | no
Windows 2003 | yes | yes | yes | yes | yes (non-public update) | no
Windows Vista/2008 | yes | yes | yes | yes | yes | yes
Windows 7/2008 R2 | yes | yes | yes | yes | yes | yes
Cryptography support
System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH
Windows Mobile 6.5 | yes | yes | yes | yes | no | no
Windows Mobile 7 | yes | yes | yes | yes | yes | yes
TMG 2010 yes yes no
SCCM 2007 yes no no
SCOM 2007 yes yes no
Encryption
EFS BitLocker IPSec Kerberos NTLM RDP
DES 2000 + 2000 + 2000 + LM password hash, NTLM
3DES 2000 + 2000 + 2000 +
RC4 2000 + 2000 +
AES 2003 + Vista + Vista + Vista +
DH 2000 + 2000 +
RSA 2000 + Seven + 2000 + 2000 + 2003 +
ECC Seven + Vista + Seven +
Hashing
MD4 MD5 SHA-1 SHA-2
NT password hash NT4 +
Digest password hash 2003 +
IPSec 2000 + 2000 + Seven +
NTLM NTLMv2
MS-CHAP MS-CHAPv2
CNG (v3) Not Supported
EFS
  Windows 2008/Vista-
VPN/WiFi Client (EAPTLS, PEAP Client)
  Windows 2008/7-
  user or computer certificate authentication
TMG 2010
  server certificates on web listeners
Outlook 2003
  user email certificates for signatures or encryption
Kerberos
  Windows 2008/Vista-
  DC certificates
System Center Operations Manager 2007 R2
System Center Configuration Manager 2007 R2
SQL Server 2008 R2-
Forefront Identity Manager 2010 (Certificate Management)
CA HIERARCHY
CA Hierarchy
[Diagram: IDTT Root CA above IDTT London CA, IDTT Paris CA and IDTT Roma CA, with leaf certificates below them]
Offline Root
Root CA cannot be revoked if compromised
Making new Root CA trusted may be difficult
Delegation of administration
Must issue CRLs
  the more frequent the more secure, but more “costly”
Active Directory
Group Policy
  every 120 minutes by default
Trusted Root CAs
Untrusted CAs
NTAuth
  CA issues logon certificates
AD CS FEATURES
SKU Features
Windows Server | Certificate Templates | Autoenrollment, Key Archival, SMTP Exit Module | Role Separation | Cross-forest Enrollment
2008 R2 Standard | V1, V2, V3 | Yes | Yes | No
2008 R2 Enterprise | V1, V2, V3 | Yes | Yes | Yes
2008 Standard | V1 | No | No | No
2008 Enterprise | V1, V2, V3 | Yes | Yes | No
2003 Standard | V1 | No | No | No
2003 Enterprise | V1, V2 | Yes | Yes | No
SKU Features
Windows Server | Web Enrollment | Enrollment Web Services | OCSP Responder | SCEP Enrollment
2008 R2 Standard | yes | yes | no | no
2008 R2 Enterprise | yes | yes | yes | yes
2008 Standard | yes | no | no | no
2008 Enterprise | yes | no | yes | yes
2003 Standard | yes | no | no | no
2003 Enterprise | yes | no | no | no
Role Separation
Enrollment Agent = Registration Authority
  sign cert request
Certificate Managers
  approve cert requests
Different groups of EA/CM approve requests for different groups of Enrollees
PUBLIC CERTIFICATES
SSL Certificate prices
Verisign – 1999 300$ year
Thawte – 2003 150$ year
Go Daddy – 2005 60$ year
GlobalSign – 2006 250$ year
StartCom – 2009 free
EV Certificate prices
Verisign – 1999 1500$ year
Thawte – 2003 600$ year
Go Daddy – 2005 100$ year
GlobalSign – 2006 900$ year
StartCom – 2009 50$ year
Support for SAN and wildcards
Application | Supports * | Supports SAN
Internet Explorer 4.0 and older | no | no
Internet Explorer 5.0 and newer | yes | yes
Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored
Windows Pocket PC 3.0 and 4.0 | no | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 and newer | yes | yes
Outlook 2003 and newer | yes | yes
RDP/TS proxy | yes | yes, if SAN present Subject is ignored
ISA Server firewall certificate | yes | yes
ISA Server 2000 and 2004 published server certificate | no | no
ISA Server 2006 published server certificate | yes | yes, only the first SAN name
OCSP and Delta CRL
System | Checks OCSP | Delta CRL
Windows 2000 and older | no | no
Windows XP and older | no | yes
Windows Vista and newer | yes, preferred | yes
Windows Pocket PC 4.0 and older | no | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 | no | yes
Windows Mobile 6.1 and newer | yes, preferred | yes
ISA Server 2006 and older | no | yes
TMG 2010 and newer | yes, preferred | yes
CRL checks in Internet Explorer
Version | CRL and OCSP checking
4.0 and older | no checks
5.0 and newer | can check CRL, disabled by default
7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default
Windows Mobile 2003 and 5.0 trusted CAs
Company | Certificate Name | Windows Mobile
Cybertrust | GlobalSign Root CA | 2003 and 5.0
Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0
Cybertrust | GTE CyberTrust Root | 2003 and 5.0
Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0
Verisign | Thawte Premium Server CA | 2003 and 5.0
Verisign | Thawte Server CA | 2003 and 5.0
Verisign | Secure Server Certification Authority | 2003 and 5.0
Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0
Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0
Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0
Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0
Godaddy | http://www.valicert.com/ | 5.0
Windows Mobile 6.0 trusted CAs
Comodo | AAA Certificate Services
Comodo | AddTrust External CA Root
Cybertrust | Baltimore CyberTrust Root
Cybertrust | GlobalSign Root CA
Cybertrust | GTE CyberTrust Global Root
Verisign | Class 2 Public Primary Certification Authority
Verisign | Thawte Premium Server CA
Verisign | Thawte Server CA
Verisign | Secure Server Certification Authority
Verisign | Class 3 Public Primary Certification Authority
Entrust | Entrust.net Certification Authority (2048)
Entrust | Entrust.net Secure Server Certification Authority
Geotrust | Equifax Secure Certificate Authority
Geotrust | GeoTrust Global CA
Godaddy | Go Daddy Class 2 Certification Authority
Godaddy | http://www.valicert.com/
Godaddy | Starfield Class 2 Certification Authority
RSA 2048 browser support
Browser First Version
Internet Explorer 5.01
Mozilla Firefox 1.0
Opera 6.1
Apple Safari 1.0
Google Chrome
AOL 5
Netscape Communicator 4.51
Red Hat Linux Konqueror
Apple iPhone
Windows Mobile 2003
Windows CE 4.0
RIM Blackberry 4.3.0
PalmOS 5
Sony Playstation Portable
Sony Playstation 3
Nintendo Wii
Extended Validation browsers
Browser First Version
Internet Explorer 7.0
Opera 9.5
Firefox 3
Google Chrome -
Apple Safari 3.2
Apple iPhone 3.0
S/MIME RSA 2048 client support
Browser First Version
Microsoft Outlook 99
Mozilla Thunderbird 1.0
Qualcomm Eudora 6.2
Lotus Notes 6
Netscape Communicator 4.51
Mulberry Mail
Apple Mail
Windows Mail
The Bat
THANK YOU!