Client Certs and S/MIME Signing and Encryption: An Introduction
MAAWG 24
12:30-2:30, Monday, Feb 20, 2012, Olympic Room, Westin Market St, SFO
Joe St Sauver, Ph.D. ([email protected]), MAAWG Senior Technical Advisor
http://pages.uoregon.edu/joe/maawg24/
Disclaimer: The opinions expressed in this talk represent those of its author, and do not necessarily represent the opinion of any other entity.
Preface
Strong Cryptography and Federal/International Law
• Strong cryptography is critical to computer and network security, including enabling secure authentication and online commerce, protecting personally identifiable information (PII) stored online, and legitimately ensuring personal privacy for law-abiding citizens.
• At the same time, strong cryptography is subject to complex regulation in many countries, including the United States. Why? Use of encryption makes it harder for national security agencies and law enforcement organizations to lawfully intercept criminal communications and national-security-related communications.
• Therefore, our goal when talking about strong cryptography is to always abide by federal laws and international treaties relating to controls over strong cryptography, and to do what we can to ensure that strong cryptography doesn't get misused in ways that might either harm our national security or interfere with the lawful investigation and prosecution of criminals.
Since We’ll Be Giving You Strong Crypto Products...
• You warrant that you aren’t barred from obtaining and using strong crypto products or software, NOR are you barred from receiving training on it.
• Specifically, this means that you assert that you are NOT a citizen, national, or resident of Burma, Cuba, Iran, Iraq, North Korea, Sudan, Syria, or any other country blocked from obtaining strong cryptography products.
• You are NOT a "denied person," a "specially designated national," or any similar individual forbidden to access strong cryptography by the US government (www.bis.doc.gov/complianceandenforcement/liststocheck.htm)
• You are neither a terrorist nor a trafficker/user of illegal controlled substances, NOR are you directly or indirectly involved in the design, development, fabrication or use of weapons of mass destruction (including improvised explosive devices, nuclear, chemical, biological, or radiological weapons, nor missile technology, see 18 USC Chapter 113B)
• You agree NOT to redistribute or retransfer cryptographic products or software to anyone who is in one of the previously mentioned prohibited categories.
• You understand and agree that the foregoing is by way of example and is not an exhaustive description of all prohibited entities, and that this is not legal advice. For legal advice relating to strong crypto, please consult your own attorney.
"First, Do No Harm"
• Some of you may want to “follow along” as we go through today’s training materials. If so, that’s terrific. However please ONLY do so if you’ve got a recent backup of your system, and your system (if supplied by your employer) is NOT "locked down" by your corporate IT department.
• If you have NOT backed up your system recently, or your corporate IT department does NOT want you to tinker with your laptop, please feel free to watch as we go over today but please do not try to install any new software or otherwise modify your system.
• Also, if you already have a client certificate installed on your system, you may want to refrain from installing another one, and in particular PLEASE do NOT intentionally delete any client certificates you may already have installed on your system!
Oh, And For Those of You Who May Have Been Worried, No, We're Not Going to Dive Into Any Advanced Crypto-Related Mathematics Today
• Our focus today is on helping you get to the point where you can actually use S/MIME and client certificates, and getting you to the point where you understand the practical limitations associated with those technologies. You do not need advanced mathematics to do that.
• So if you hated mathematics in high school or college, relax. :-) Virtually everything we’re going to talk about today should be non-mathematical.
• Let’s dive right in.
I. Introduction
Why Might We Need To Sign and/or Encrypt Email?
• Put simply, regular email is horribly insecure.
• Email is trivial to spoof: even technically unskilled users can simply put bogus identity information into the preferences panel of their email client and voila, they're "Santa" (or pretty much anyone else they want to be). You just can't trust the non-cryptographically-signed contents of email that you may receive – it may all be complete rubbish.
• Most email is also trivial to sniff on the wire (or read in the mail spool): messages normally aren't encrypted when transmitted or stored, so unauthorized parties can read your communications. "Trusted insiders" may also access confidential communications.
• Let's take a look at a couple of practical examples of these sorts of exposures.
The Simple Road to Spoofing Email: Just Change Your Preferences in Mozilla Thunderbird
[Yes, this will work. But no, good little boys and girls shouldn't try it.]
"But Won't SPF and/or DKIM Eliminate the Spoofing Problem?"
• Since this is MAAWG, I *knew* that someone would ask this. :-)
• Let me ask YOU: is phishing still a problem, eh?
• More fundamentally, SPF/DKIM also cannot protect you against email that is injected from an authorized source. Classic example:
-- College faculty member and her students all have accounts in the same example.edu domain, and all send from "on campus"
-- A malicious class member forges a message from a campus computer lab, pretending to be the faculty member, "cancelling class" or "assigning extra homework" (or whatever).
SPF and DKIM aren't designed to defend against this sort of scenario.
• Security folks tend to like belt-and-suspender ("defense in depth") solutions anyhow, and just because you’re doing SPF or DKIM, that doesn't preclude also doing message level crypto, right?
A Simple Example of How Easy It Is To Sniff Typical Plain Text Email Using Wireshark
• Send a simple mail message...
% mailx -s "testing 123" [email protected] Joe!
I don't think this is very secure, do you?
Joe
.
• If someone is using Wireshark to watch your traffic, they'd see:
"But Joe! All Our Networks Are Switched Ethernet! There'd Be No Traffic to Sniff!"
• Sites sometimes have a false sense of security when it comes to their vulnerability to sniffing. Specifically, some may believe that because they use switched ethernet, traffic intended for a given system will ONLY flow to the appropriate system's switch port.
• You should be aware that many switches can be forced to act like hubs through a variety of well known techniques (see for example http://ettercap.sourceforge.net/). Thus, even if your infrastructure is intended to isolate traffic on a per-port basis, in practice, that process may fail to maintain traffic separation.
• You also can't ensure that traffic won't be sniffed once it leaves your local network.
• Therefore, you should assume that any unencrypted network traffic, including most email, can be sniffed and read.
Of Course, If Someone's Got Root, They Can Look At Anything On The System, Including Email Msgs...
% su
Password:
# cat /var/mail/joe
From [email protected] Sun Feb 12 14:30:54 2012
Return-Path: <[email protected]>
Received: by canard.uoregon.edu (Postfix, from userid 501) id 5C221D537D4; Sun, 12 Feb 2012 14:30:54 -0800 (PST)
To: [email protected]: Some thoughts on the insider threat
Message-Id: <[email protected]>
Date: Sun, 12 Feb 2012 14:30:54 -0800 (PST)
From: [email protected] (Joe St Sauver)
Status: O
Hi Joe,
I wonder if a system admin with root priv could read the mail that's sitting in my mail spool? You know, I bet s/he could...
Joe
BUT If Your Email Is Encrypted, It May Not Matter If Someone Does A Little "Browsing:" The Following Isn't Very Informative, Is It?
[That base64 encoded file is actually a base64 encoded encrypted file]
Email Is Also Potentially Subject to Lawful Intercept and/or Compulsory (or Even Voluntary) Disclosure
http://www.cybercrime.gov/ssmanual/ssmanual2009.pdf at page 138
Reducing The Transport Email Sniffing Vulnerability: Opportunistic SSL/TLS Encryption
• You can reduce the extent to which email traffic is subject to sniffing on the wire by enabling opportunistic SSL/TLS encryption. This means that if the MTAs on both sides of the conversation are ready and willing to do SSL/TLS encryption, it will be negotiated and used whenever it can be. See for example:
http://www.exim.org/exim-html-3.20/doc/html/spec_38.html
http://www.postfix.org/TLS_README.html
http://www.sendmail.org/~ca/email/starttls.html
• However, SSL/TLS will not protect email over links that don't have TLS/SSL enabled, nor does it protect stored mail once it has been received and saved to disk at its destination. That is, it is not "end-to-end."
Obtaining *End-to-End* Protection Requires Message-Level Signing and Encryption, E.G., Use of PGP/GPG, or Use of S/MIME
• There are two basic approaches to getting end-to-end protection for email messages:
• Pretty Good Privacy (PGP) (or GNU Privacy Guard (GPG)), see RFC4880, *OR*
• S/MIME (RFC5751) with personal certificates.
• PGP/GPG is probably the more common of those two options, but today we're going to talk about S/MIME with client certificates, instead.
• Before we can dig in, however, we need a little "crypto backfill"
Public Key Cryptography
• There are basically two types of cryptography: symmetric key crypto, and public key (asymmetric) crypto.
• In symmetric key cryptography, a message gets encrypted AND decrypted using the same secret key. That means that before you can share a secret message with someone, you need a secret key you've both previously agreed upon (chicken, meet egg).
• Both PGP/GPG and S/MIME with personal certificates, on the other hand, rely on public key cryptography to sign or encrypt messages. In public key cryptography, the user creates a pair of mathematically-related cryptographic keys: one private key that only the user knows, plus a related public key that can be freely shared with anyone who's interested. Having a user's public key doesn't allow you to derive that user's corresponding private key, but it does allow you to create an encrypted message for that user via a "one way" or "trap door" mathematical process.
But Wait, There's More! Public Key Cryptography Can Slice, Dice and Make Julienne Fries, Too...
• Well, that may be a slight exaggeration.
• But public key cryptography does allow you to do at least one more cool trick: the holder of the private key can also digitally sign a file with their private key. Once that file is digitally signed:
-- it can't be changed without invalidating the message signature (e.g., it acts as an anti-tampering checksum value)
-- anyone who has a copy of the corresponding public key can verify that it was signed by someone who had access to the corresponding private key
How Do Certificates Fit Into All This?
• So far we've only been talking about public keys and private keys. You may wonder how certificates fit into all this.
• The answer is that certificates attach an identity to a cryptographic key pair.
• If you're like most folks, when you hear "certificates" in an online context, you think of SSL web server certificates. That's not what we're going to be talking about today. Those certificates are issued to servers. The certs we're going to talk about today get issued to *people*, instead.
• But first, let's begin with something we're all familiar with: meeting a new person in real life.
Mapping Users to Identities In “Real Life”
• If I meet you face-to-face, perhaps at the MAAWG social event, you might tell me, "Hi, I'm Robert Jones. Nice to meet you!" In a casual context at a social event of that sort, we might smile, shake hands, exchange cards, engage in some chit chat, and leave it at that – it doesn't really matter if you are (or aren't) who you claim to be. I'll just temporarily accept (and then unfortunately probably quickly forget) your "self-asserted identity." That's OK.
• If it turns out that I eventually need confirmation of who you are, I might ask trusted colleagues, "Hey, see that guy over there? Who is he?" If they all say, "Oh, that's Robert Jones. I've known him for years," that might give me confidence that you really are him.
• Other times, for example if you're in a strange city, or someone's trusting you with a valuable asset (such as a rental car), you might need to show a drivers license or other government issued ID since no one "knows your name."
Mapping Users To Identities Online: PGP/GPG
• A similar problem exists online. How do you know which publicly offered PGP/GPG key is the real one that a person's actually using, and not a pretender's credentials? In PGP/GPG, this is done via a "web of trust."
• In PGP/GPG, a PGP/GPG public key gets digitally signed by other PGP/GPG users who have personally confirmed that person’s ID. (This often gets done at PGP/GPG "key signing parties"). Normally a key holder will get signatures from multiple friends or colleagues.
• Recursively, how do you know that you should trust those signatures? Well, those signatures were made with keys that have ALSO been signed by other colleagues, and so on and so forth.
• While this sounds incredibly ad hoc and kludgy, in practice, it actually works pretty well (at least for technical users) – it really is a small world out there, "six degrees of Kevin Bacon"-wise.
The Web of Trust Is For Keys (Not Necessarily Their Owners)
• An important note about the cryptographic "web of trust:"
Someone signing a PGP/GPG key is not saying that the person whose key they've signed is a "trustworthy" person.
Totally evil people may have properly signed PGP/GPG keys!
• When someone signs another person's PGP/GPG key, they're only saying that:
-- they've looked at that person's government issued ID,
-- that person indicated that that public key is theirs.
That is, they're binding an identity to a cryptographic credential.
Personal Certificates
• In the case of S/MIME with personal certificates, a web of trust isn't used. In the S/MIME case, trust gets established hierarchically ("top down").
• That is, a personal certificate is trusted because it has been issued by a broadly accepted certificate authority ("CA"), an entity that you (and most other Internet users) accept as reliable for the purpose of binding identities to credentials.
• CAs tend to be very careful when it comes to doing what they say they're going to do (e.g., very careful to do what they say they're going to do in their "Certificate Practices Statement"), because if they don't, people (including browser vendors!) will stop trusting them and then they'll quickly be totally out of business (literally).
A Real Name, or Just An Email Address?
• There may be some confusion when it comes to the "identity" that a cryptographic credential asserts – is it a person's “real name” (e.g., as shown on their driver's license or their passport), or is it something more ephemeral, such as just their email address?
• The answer is, “it may depend.” Some standard assurance personal certificates only validate a user's control over an email address, typically by sending a cryptographic challenge to that address. That's the sort of client certs we'll be working with today.
• Other client certificates may require much more rigorous "identity proofing," perhaps requiring the user to supply government issued identification (or even to undergo a complete background check) before they get issued a higher assurance client cert.
HSPD-12 and Federal CAC/PIV-I Cards
• On August 27th, 2004, then-President George W. Bush issued "Homeland Security Presidential Directive 12," (see http://www.idmanagement.gov/documents/HSPD-12.htm) mandating the establishment of a common identity standard for federal employees and contractors.
• As a result, the federal government (and approved commercial contractors acting on the government's behalf) have already collectively issued millions of "Common Access Cards" ("CACs") and "Personal Identity Verification-Interoperable" ("PIV-I") smart cards.
• "First responders" alone (as defined in HSPD-8) may ultimately require issuance of over 25.3 million such cards. (see http://www.dhs.gov/xlibrary/assets/Partnership_Program_Benefits_Tax_Payers_Public_and_Private_Sector.pdf)
• That is *NOT* a toy-scale cert project by any means!
Source: http://www.idmanagement.gov/presentations/HSPD12_Current_Status.pdf
CAC/PIV Is A "Proof By Example" That Certs Are Usable By "Mere Mortal" End-Users
• If it was too hard to issue or use a CAC/PIV card, millions of federal employees and contractors would be having trouble doing so. But they're not. For the most part, PKI on hard tokens or smart cards now "just works."
• This is not to say that there aren't *some* intricacies that may need to be explained. One site that's done a terrific job of user education is the Naval Postgraduate School. Check out their outstanding tri-fold brochure explaining how to use a military CAC card, see
http://www.nps.edu/Technology/Security/CAC-guide.pdf
With the help of that guide, I think most folks would be able to figure out how to do basic CAC/PIV tasks.
Why Are The Feds Using Client Certs? If You Need "LOA-4", They're Basically Your Only Practical Option
• NIST 800-63 Version 1.0.2 (see csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf) says:
"Level 4 – Level 4 is intended to provide the highest practical remote network authentication assurance. Level 4 authentication is based on proof of possession of a key through a cryptographic protocol. Level 4 is similar to Level 3 except that only “hard” cryptographic tokens are allowed, FIPS 140-2 cryptographic module validation requirements are strengthened, and subsequent critical data transfers must be authenticated via a key bound to the authentication process. The token shall be a hardware cryptographic module validated at FIPS 140-2 Level 2 or higher overall with at least FIPS 140-2 Level 3 physical security. By requiring a physical token, which cannot readily be copied and since FIPS 140-2 requires operator authentication at Level 2 and higher, this level ensures good, two factor remote authentication."
Some Federal High Security Applications That Use Client Certs May Be Surprising
Client Certs Can Even Be Secure Enough for Use in Conjunction with National Security Systems
• See the "National Policy for Public Key Infrastructure in National Security Systems," March 2009 (http://www.cnss.gov/Assets/pdf/CNSSP-25.pdf), which makes it clear that client certs even form the foundation for NSS uses:
"(U) NSS operating at the unclassified level shall obtain PKI support from the established Federal PKI Architecture.
"(U) NSS operating at the Secret level shall obtain PKI support from the NSS-PKI.
"(U) The NSS-PKI hierarchy shall rest on a Root Certificate Authority (CA) operated on behalf of the national security community in accordance with policies established by the CNSS PKI Member Governing Body. The NSS-PKI Root CA shall serve as the anchor of trust for the NSS-PKI."
• TS/SCI ("JWICS") counterpart of the NSS-PKI? IC-PKI.
What If A User (or CA) Needs To Revoke A Cert?
• Unfortunately, unlike "taking back" a physical door key or cutting up a credit card, it's harder to "take back" an electronic credential.
• CRLs ("certificate revocation lists") were meant to handle this problem, much like those printed books of stolen or revoked credit card numbers that every merchant used to get from the bank card companies in the old days. Most CAs currently publish a CRL once a day. Some users may download those daily CRLs, but most don't. And if you're a CA, or you're a user with a compromised cert, you really don't want to have to wait up to 24 hours to revoke a compromised credential, nor do you really want millions of users to each have to potentially download a huge file listing piles of revoked certificates!
• OCSP ("online certificate status protocol") was meant to handle this issue much more directly, and interactively, but many browsers and email clients don't bother checking a cert's OCSP status. Ugh.
OK, That's Enough Background – Let's Get Started
• We could talk for hours when it comes to providing crypto background, but let's just dive right in and see how this all practically fits together.
• The next part of our agenda looks like:
-- applying for a client cert
-- successfully downloading/installing it in Firefox
-- backing it up
-- installing the cert in Thunderbird
-- configuring Thunderbird to do S/MIME
II. Getting A Free S/MIME Client Certificate
Getting a Free Client Cert for S/MIME With Firefox
• To do S/MIME, you’ll need an email account and a client cert. We’ll assume you already have an email account you can use, and we’ll get our free-for-personal-use client certificate from Comodo. Thank you, Comodo! To get it, go to: http://tinyurl.com/free-cert (http://www.comodo.com/home/email-security/free-email-certificate.php)
• We’re going to use Firefox to apply for and download our cert from Comodo. While you can use pretty much any popular browser with client certs, for the purpose of this training, if you're following along, as we go through this, please ONLY use Firefox. If you don’t already have Firefox, you can get it for free from: http://www.mozilla.org/en-US/firefox/fx/
• Mac vs. PC or Linux: Although we’ll be using Firefox on a Mac in these slides, Firefox on Microsoft Windows or Linux will be virtually identical.
Comodo’s Free Secure Email Certificate Web Site
The Application Form You’ll Complete
Successful Application…
At this point, folks, please check your email from Comodo. You’ll need to go to the web link that they’ve sent you…
Collecting Your Certificate
To collect your certificate, using the SAME BROWSER on the SAME SYSTEM you used to apply for your certificate, go to the URL you were sent in email and plug in your email address and the unique password that they provided
Successful Certificate Download…
"Where Else Can I Get Client Certs?"
• While we're only going to show use of the free one year Comodo client cert for personal use in this training, you can also get a paid client cert from Comodo's "Enterprise SSL" division, and free or paid client certs from other vendors. See, for example:
-- http://www.enterprisessl.com/ssl-certificate-products/addsupport/secure-email-certificates.html
-- http://www.globalsign.com/authentication-secure-email/digital-id/compare-digital-id.html
-- http://www.symantec.com/verisign/digital-id/buy
-- http://www.trustcenter.de/en/products/tc_personal_id.htm
III. Examining and Backing Up Your New Client Certificate
"Okay, I've Got My Client Cert. What Do I Do Now?"
• When Comodo gave you your client cert, remember that they recommended that you back it up.
• We agree that's a good idea.
• You also need to "back up your certificate" in order to be able to get it into Thunderbird for use in email.
• Therefore, launch Firefox if you aren't already running it.
In Firefox, Go to Firefox --> Preferences…
The Firefox Certificate Manager
Notes: Select the “Your Certificates” tab on the Certificate Manager panel. If necessary, hit the triangular arrow to expand the list of Comodo certificates. You’ll probably only see one certificate, the one you just got from Comodo. But just as a matter of form, let’s confirm that it really is yours…
The General Tab Tells Us When The Cert Expires
The Details “View Cert” Tab Will Let Us See The Email Address Associated With Our New Cert
[Close the “View Certificate” box when you’re done looking at it]
Okay, We’ve Picked The “Right One,” So Let’s Back It Up…
The “Name Your Backup” Dialog Box
Pick a name for your certificate backup file. It should end with a .p12 file extension. For example, you might call this file mycertbackup.p12. Be sure you save it as a PKCS12 type file.
The Cert Manager Backup-Password Dialog Box
Pick a strong password to secure your cert backup file.
PLEASE DO NOT FORGET THAT PASSWORD! YOU WILL NEED IT!
Backup Successful…
Note that you should save a copy of your backup to a CD, a thumb drive, or some external device just in case you lose your system, your drive crashes, etc.
IV. Importing Your Certificate Into Thunderbird
We’re Now Going To Import Our New Certificate Into Thunderbird
• While there are many different popular email clients, we’re going to show you how to import your client cert into Thunderbird. (Later we’ll also explain how to use Outlook, and how to use client certs in Gmail web email with Penango, but for now, we’re going to focus on Thunderbird)
• If you don’t already have Thunderbird, and you’d like to get and install it now, you can get it for free from: http://www.mozilla.org/en-US/thunderbird/
• Note that Thunderbird has an automated installation wizard that should be able to correctly configure itself in most cases. One caution to any non-technical person looking at these slides: in setting up your account, choose IMAP (and *NOT* POP) for your account type! If you select POP, you may download (and then delete) all the mail that you've had stored on your account!
“Why Can’t Thunderbird Just Use The Cert That I’ve Already Got Installed in Firefox? They're Both Mozilla Applications, Aren't They?”
• Yes, both Firefox and Thunderbird ARE from Mozilla.
• While some applications rely on certificates stored centrally in a single operating-system-provided certificate store (e.g., in the “keychain” on the Mac), Firefox and Thunderbird do NOT do this.
• Firefox and Thunderbird use separate per-application certificate stores, instead. This gives users the flexibility to tailor what certs get potentially shown to each such application, but the downside is a slightly more complicated initial setup (you need to install your new certificate in multiple locations)
• For what it may be worth, at least Thunderbird’s preferences should look very familiar to you after looking at Firefox’s
In Thunderbird, Go to Thunderbird --> Preferences…
In The Certificate Manager, “Your Certificates” Tab, Click on Import
Select The .p12 Backup File You Want To Import
Supply the Password You Used for The Cert Backup
Successful Importation of The Cert Into Thunderbird
V. In Thunderbird, Associate Your Certificate With Your Email Account And Configure Thunderbird To Do Digital Signing
Thunderbird: Tools --> Account Settings
Security
Select The Cert You Want To Use For Digital Signing
Confirm That You Want To Also Use That Same Cert for Encrypting/Decrypting Messages
Make Sure You’re Set To Digitally Sign Your Messages By Default
Thunderbird Configuration Is Now Complete…
• The hard part is over! You are now set to automatically digitally sign your Thunderbird email messages by default.
• And the good part is that now that you’ve got yourself successfully configured, you won’t have to screw around with any of this for roughly a year (e.g., until just before your free Comodo personal certificate is close to expiring)
• Huzzah!
VI. Digitally Signing A Message In Thunderbird
Start Writing A Message The Way You Normally Would
NOTE THE “DIGITALLY SIGNED” SEAL AT THE BOTTOM RIGHT CORNER!
Optional: Confirm That The Message Will Be Signed
Click On The Padlock Icon On The Bar Or The Little Red Seal In The Bottom Right Corner If You Ever Want To Double Check!
Proceed to Send Your Message
• …just like you normally would. It will automatically be digitally signed with your certificate.
• Your recipients will see your normal message, plus an additional “p7s” attachment that will have your public key/certificate.
• If your correspondent’s email client supports S/MIME, it will automatically check and validate your digital signature.
• If your correspondent’s email client doesn’t support S/MIME, they can just safely ignore the extra p7s attachment.
VII. Encrypting A Message In Thunderbird
Signing vs. Encrypting
• Digitally signed messages establish who prepared the body of the message, but anyone can still read that message: it’s cryptographically signed, it’s not encrypted.
• If the body of your message is sensitive, you may also want to consider encrypting it so that only the intended recipient (or someone with access to his private key) can read it.
• Oh, and it goes without saying that a message can be both signed AND encrypted, if that's appropriate.
Getting The Public Key of Your Correspondent
• To encrypt a message you’ll need your correspondent’s public key.
• But how will you get his public key? Answer: you’ll have the recipient send you a digitally signed message, first.
• Your email client will automatically extract the public key and cert it needs from that digitally signed message you received from him.
• If digital certs are deployed throughout your enterprise, you may also be able to get public keys and client certs for your correspondents from your enterprise directory, but that model falls apart when you attempt to extend it Internet-wide.
A Meta Question: Should I Encrypt The Mail I Send?
• Maybe yes, maybe no.
• First of all, note that you won’t be able to encrypt unless your colleague is ALSO set up to do S/MIME, and your correspondent has already sent you at least one signed message (so you’ll have his public key and cert)
• If the content of your email isn’t sensitive, you probably don’t need to encrypt it. It may be “cool” to encrypt all the messages you can, but if you don’t need to, you might want to skip it. Why?
– Well, if you receive encrypted content, you won’t be able to subsequently easily search those messages.
– And, if you happen to lose your private key, you will be S-O-L unless you have your key backed up (and you can remember its password!), or your key has been escrowed. If your key isn't backed up or escrowed, can you really afford to potentially lose all the content encrypted with that key?
Hedging The Risk of Data Loss: Key Escrow
• Let's pretend that you have a person who's doing absolutely critical (and highly sensitive) work for you or your company, and you want them to routinely encrypt as a result. At the same time, assume that person is overweight, has high blood pressure, drinks and smokes, crosses the street while distracted, drives without a seat belt and lives in a gang infested neighborhood. Frankly, you worry that critical employee's going to die or be killed, or maybe just go to work for someone else (giving you "the finger" on the way out). If that happens, how will you get at all their encrypted work messages and files? Will all that work product be lost?
• Escrowing encryption keys allows you to get a copy of otherwise unavailable encryption keys in a variety of carefully predefined emergency situations. Companies normally pay extra for this "insurance." Keys recovered via escrow will typically have the associated cert revoked at the same time.
"It's Worth It. I DO Want To Encrypt My Message -- How Do I Do That In Thunderbird?"
“When I Get A Signed and Encrypted Message, What Will It Look Like?”
Who Signed That Message? (Note: It May Not Be The Person Who Sent The Message)
Additional Important S/MIME Caveats
• S/MIME encrypts the BODY of the message, ONLY. S/MIME DOES NOT ENCRYPT THE SUBJECT HEADER (or any other message header). Therefore, do NOT put anything that needs to be kept confidential in the Subject of an encrypted message. In fact, you may want to get in the habit of never putting ANYTHING into the subject line of encrypted messages.
• Encrypted message bodies cannot be automatically scanned on the network for viruses or other malware.
• Some mailing list programs may strip attachments (including p7s digital signatures). If that happens, your signature won’t validate. If you send messages to mailing lists, you may want to manually disable digital signing for messages to those lists.
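The caveats above (headers stay in the clear, and a stripped p7s part leaves a message that still claims to be signed) can be seen by looking at the MIME structure of a message with Python's standard library. This is an added example, not part of the original slides; the sample messages, the addresses and the function name inspect_smime are constructed for illustration, and the check looks only at message structure, it does not verify any signature or decrypt anything.

```python
from email import message_from_string, policy

# Media types used by S/MIME (RFC 5751 also lists the legacy "x-" forms).
SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
CMS_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def inspect_smime(raw):
    """Classify a raw message by its S/MIME structure (no crypto is checked)."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    # Header fields sit outside the protected body, so they are always readable.
    exposed = {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h] is not None}
    kind, body_encrypted = "plain", False

    if ctype == "multipart/signed":
        protocol = (msg.get_param("protocol") or "").lower()
        if protocol not in SIG_TYPES:
            kind = "signed-not-smime"        # e.g. PGP/MIME
        elif any(p.get_content_type() in SIG_TYPES for p in msg.iter_parts()):
            kind = "signed"                  # readable body part plus the .p7s part
        else:
            kind = "signature-stripped"      # header promises a .p7s that is gone
    elif ctype in CMS_TYPES:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            kind, body_encrypted = "encrypted", True
        elif smime_type == "signed-data":
            kind = "signed-opaque"           # signed, wrapped in a single CMS blob
        else:
            kind = "smime-other"
    return {"kind": kind, "body_encrypted": body_encrypted,
            "cleartext_headers": exposed}


# --- Constructed sample messages (placeholder base64, not real CMS data) ---
HEADERS = "From: alice@example.org\nTo: list@example.org\nMIME-Version: 1.0\n"
SIGNED_CT = ('Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
             ' micalg=sha-256; boundary="b1"\n\n')
BODY_PART = "--b1\nContent-Type: text/plain\n\nClass notes are posted.\n"
SIG_PART = ('--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
            "Content-Transfer-Encoding: base64\n\nAAAA\n")

# A clear-signed message as the sender's client produced it.
SIGNED = HEADERS + "Subject: Class notes\n" + SIGNED_CT + BODY_PART + SIG_PART + "--b1--\n"
# The same message after list software dropped the p7s attachment.
STRIPPED = HEADERS + "Subject: Class notes\n" + SIGNED_CT + BODY_PART + "--b1--\n"
# An encrypted message: the body is opaque, the Subject is not.
ENCRYPTED = (HEADERS + "Subject: Merger term sheet\n"
             "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
             ' name="smime.p7m"\n'
             "Content-Transfer-Encoding: base64\n\nAAAA\n")

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("stripped", STRIPPED),
                      ("encrypted", ENCRYPTED)):
        print(name, inspect_smime(raw))
```

If list software also rewrites the top-level Content-Type (for example to multipart/mixed), the message is reported as "plain", since nothing in its structure still points to a signature.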
VIII. What If I Want To Use Outlook Instead of Thunderbird?
Outlook On Apple OS X Uses the Apple Keychain; To Do S/MIME with Outlook, We Need To Get Our Cert Into It
Can’t find Keychain Access? Check Applications --> Utilities
Importing Our Key/Cert
Success Importing Our Key and Cert
Now we’re ready to launch Outlook…
Outlook’s Opening Screen…
Outlook --> Preferences…
Accounts
Advanced Button…
Picking A Cert on the Account Security Tab
What The Sender Sees When Sending A Signed Message in Outlook
Outlook Asks For Confirmation The First Time It Uses Your Private Key/Certificate
What The Recipient Sees In Outlook When Getting A Message That’s Signed
What If We Want To Encrypt A Message?
IX. "What If I Use Gmail Web Email And I Want to Do S/MIME?"
Gmail Does NOT Natively Support S/MIME
• You CAN do S/MIME with a Gmail account if you read your Gmail via a dedicated mail client (such as Thunderbird or Outlook)
• However, if you read your Gmail via Gmail’s web email interface, you won’t be able to natively S/MIME sign or encrypt your mail traffic. Why? Well, remember that Gmail’s business model is based around selling contextual ads (e.g., if you send an email message talking about going on vacation to Honolulu, don’t be surprised if you suddenly start to see Gmail ads for airfare to Oahu or discount hotel rooms overlooking Ala Moana).
• Fortunately, you can get a third party browser plugin, Penango, that will help. Penango is free for free Gmail accounts. Thank you Penango! (click on the “Pricing” link to request a download link)
Once You Have Penango Installed, Open Penango’s Preferences in Firefox
Plug In Your Gmail Address
Uncheck “Automatically encrypt new messages”
Composing a Signed Gmail Msg With Penango
[some account details elided above]
Some Penango-Related Sending Idiosyncrasies
• When you send a signed or encrypted message using Penango, the message gets submitted “outside” of Gmail's web interface (e.g., via SMTPS to smtp.gmail.com). It does NOT get sent within the Gmail web interface. This is necessary because Penango needs to set the top-level message Content-Type appropriately for S/MIME.
• They submit via port 465 (grr!) and not STARTTLS on port 587; if proxies are in use, Penango will endeavor to use them, too.
• The IP of the handoff host does appear in the Gmail headers.
• The body of the message may be base64 encoded even if you're just signing what was a plain-text-only message, and Penango uses a long/ugly name for the .p7s attachment
• Speaking of, some message text/message formatting may make it appear as if you must use Penango to process a Penango-generated S/MIME message. That's an incorrect impression.
X. Hard Tokens/Smart Cards
Alternatives To Storing Your Keys and Certs On Your Desktop or Laptop
• In higher education, many users don't have a clean one-to-one mapping of users to systems.
• For example, a security conscious user might have both a desktop and a laptop, and might want to use their certificates on both those systems, but might not want to leave their credentials stored on multiple systems if they don't have to.
• A less well-off user might not have a system of their own, working from shared systems in a campus computer lab, instead. Obviously it would be bad for that user to download and install their credentials on a shared system in that lab if that system will soon be used by someone else, or if they may be assigned to use some other system the next time they visit the lab.
• What we really need is a way for users to save and carry their S/MIME certs with them wherever they go.
USB‐FormatPKIHardTokens• USB‐formatPKIhardtokenslookalotlikearegularUSBthumb
drive,butaUSB‐formatPKIhardtokenisactuallyacompletelydifferentanimalthatjustcoincidentallylookslikeathumbdrive.
• Specifically,aUSB‐formatPKIhardtokenisactuallyahighlyspecializedsecurecryptographicprocessor.Correctlyconfigured,itallowsyoutosaveandUSEyourS/MIMEkeysandcer>ficate,butwithoutpulngthosecreden>alsatriskofbeing"harvested"/stolen.Thesedays,withallthecreden>alharves>ngmalwarethat'soutthere,that'saprePycoolthing.
• Infact,USB‐formatPKIhardtokenshavetheabilitytopoten>allygenerateprivate/publickeypairs*onthetokenitself*,sothattheprivatekeyNEVERleavesthetoken,althoughwewillnotbetakingadvantageofthatcapabilityduringtoday'ssession.

Safenet eToken PRO 72K
• Through the generosity of Chen Arbel at Safenet, we're able to provide each MAAWG S/MIME training participant with a free USB format PKI hard token today, the Safenet eToken PRO 72K, as well as the driver software and documentation. Thank you, Chen and Safenet!
• This token, formerly marketed by Aladdin, is the most popular USB format PKI hard token used in higher education, and is particularly nice if you work in a cross platform environment since it is supported under Microsoft Windows, Mac OS X, and Linux.
Image credit: http://commons.wikimedia.org/wiki/File:EToken_PRO_USB.jpg

Safenet Drivers, Local Token Management Software, And Documentation
• Most systems will require the installation of token drivers and/or local token management software (so you can load your existing certificate onto the token). With Safenet's permission we are making that software, and documentation for this product, available to you for installation via CD-ROM. We ask that you respect this copyrighted software: please do NOT redistribute it!
• You should see three files:
  -- SAC8_1SP1.zip (Windows), 206.9 MB, MD5 sum = 55876842e6e13e6c8ee6cdf9dd16986a
  -- 610-011815-002_SAC_Linux_v8.1.zip, 42.2 MB, MD5 sum = d66c9ff919f3b35180dba137857eb88c
  -- 610-001816-002_SAC8.1Mac.zip, 18.2 MB, MD5 sum = c2e9e9b0e2706ffab310538574cf009b
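Checking the three files against the MD5 sums listed above before installing anything, as an added example (not part of the original slides or Safenet's tooling). File names and digests are copied from the slide; the directory argument is an assumption about where the CD-ROM contents were copied. MD5 here catches a damaged or incomplete copy; it is not collision-resistant, so a match does not by itself authenticate the files.

```python
import hashlib
import sys
from pathlib import Path

# File names and MD5 values exactly as listed on the slide. The Mac install
# slide spells the last name 610-011816-...; use the name found on your CD.
SLIDE_MANIFEST = {
    "SAC8_1SP1.zip": "55876842e6e13e6c8ee6cdf9dd16986a",
    "610-011815-002_SAC_Linux_v8.1.zip": "d66c9ff919f3b35180dba137857eb88c",
    "610-001816-002_SAC8.1Mac.zip": "c2e9e9b0e2706ffab310538574cf009b",
}

def md5_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a 200 MB archive is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_media(directory, manifest=SLIDE_MANIFEST):
    """Return {file name: 'ok' | 'MISMATCH' | 'missing'} for each manifest entry."""
    results = {}
    for name, expected in manifest.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of(path) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in check_media(target).items():
        print(f"{status:9} {name}")
```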

Installing On the Mac
• Insert the CD-ROM and drag the 610-011816-002_SAC8.1Mac.zip file to your desktop. Unzip it with the Archive Utility, Stuffit, or whatever application you normally use to unzip files. You should end up with a folder called "SAC8.1.0.5" with two subfolders: "Documentation" and "MacInstaller."
• READ THE DOCUMENTATION IN THE DOCUMENTATION FOLDER! In particular, read the Administrator's Guide and read the ReadMe file, particularly "Known Issues/Limitations"
• Really, I kid you not, read the dang documentation, please!
• Then go to the MacInstaller folder, and run the installer that's in there: SafeNetAuthenticationClient.8.1.0.5.dmg
• When you mount that dmg file, you will see Install SafeNet Authentication Client 8.1.mpkg
• Install it. You'll need to reboot when it finishes

Firefox Security Module
• As mentioned in the documentation (which you ARE going to read, right?) when you install the Safenet Authentication Client, it doesn't automatically install the security module in Firefox. You need to do that manually.
• Firefox --> Preferences... --> Advanced
  In the Encryption tab, click on Security Devices
  In the Device Manager window, click Load
  In the Load PKCS#11 Device window, Module filename, enter: /usr/local/lib/libeTPkcs11.dylib
  In the Confirm window, click OK
• Repeat this process for Thunderbird, too.

Now Launch the SafeNet Authentication Tools

Go To The Gear Menu ("Advanced")

View The Token, Then Initialize It

Enter Your New Passwords and Then Go To The Advanced Screen
DO *NOT* FORGET THESE CRITICAL PASSWORDS!

Be Sure To Ask for 2048 bit key support
DO *NOT* SELECT FIPS MODE!

Now Actually Initialize The Hard Token...

Login To The Hard Token

You'll Need To Enter Your Password For It

Go To The Import Cert Screen

Import Our Certificate
Pick the p12 backup file we saved earlier.
Note that you'll need to provide the password for that backup file in order to load it onto the token.

Be Sure To Include the CA Certs On The Token, Too

View The Certs On The Hard Token

Tell Thunderbird To Use The Hard Token; We Need To Unlock The Token, First

We're Then Shown The Token and Its Cert

Now We Go To Thunderbird Accounts --> Security, And Select The Hard Token To Use

And At That Point We're Good To Go Using The Hard Token For Our Cert... Huzzah!

XI. Doing All This "At Scale"

Get A Little Experience, First
• It's sometimes tempting to "swing for the bleachers," trying to hit a grand slam the first time you're up to bat, when in fact the prudent thing might be to make sure you just get on base. This is true for client certs, as for baseball.
• I'd like to urge you, before you embark on a big project involving client certs, or even a pilot scale project that might involve some of your most sensitive systems, to first spend a little time just experimenting with client certs.
• Get free client certs for yourself, and for your team members.
• Use them for relatively low impact activities, such as signing your email, while you gain familiarity with them.
• Try purchasing and using hardware tokens or smart cards. What works? What doesn't work on your devices or in your environment? In an experimental environment, you've got the freedom to push the envelope without worrying too much.

What Works For Onesie-Twosie Won't Work For Tens of Thousands
• The processes you saw earlier in this session, while they can be made to work for a small number of technically savvy users, won't work if you're trying to "cook for thousands" (or tens of thousands) of users. A more scalable approach is needed.
• For example, if you're going to install certificates directly on user systems, you need a better way to drop certificates on those systems, and a better way to configure the user's applications to know about and use them (InCommon will be/is working on this).
• Similarly, if you're going to use hardware tokens, instead, you need enterprise grade tools to provision and manage those devices. Those tools can be purchased, or may be written locally.
• Heck, if we're thinking about a big deployment, we even need to carefully consider what SORT of hardware tokens we might want to use... USB format PKI hard tokens are NOT the only option.

Smartcards?
• The USB format PKI hard tokens you received are basically a smartcard with an integrated smartcard reader (with a USB interface). That can be very convenient – it's "all in one."
• However, smartcards tend to be cheaper than USB format tokens, which can be important if you're buying thousands of them. On the other hand, they do need smartcard readers wherever the cards are going to be used (fortunately smartcard readers need not be very expensive)
• A distinct advantage of smartcards is that they can be used as an employee badge or ID card, formatted to include things like the employee's name and picture, a mag stripe and one or more barcodes, while ALSO containing a smartcard in a secure certificate store. This may be the best of all possible worlds.
• But what will you do for... mobile devices, such as smart phones or tablets?

Slick-Sided Mobile Devices and Hard Tokens
• Since MAAWG has a new emphasis on "mobile" :-), we should be sure to think about how we'll integrate hard tokens or smart cards with mobile devices that your users may have, such as the iPad, the iPhone, Android devices, Blackberries, etc.
• The problem is that most hard tokens, and most smart card readers for that matter, connect via USB. Some portable devices may not have a readily accessible USB port into which you can plug a hard token or smartcard reader.
• The solution? You can buy so-called Bluetooth smart card readers (sometimes also known as "CAC sleds") to allow BlackBerries or selected other mobile devices to access smart cards via secure Bluetooth, but they may cost $200+. See www.apriva.com/products/iss/authentication/reader
• Android? iPhone? See http://www.biometricassociates.com/products-baimobile/smart-card-reader-iphone-android.html

What About Directories
• One of the subtle things that can really make life easier if you're deploying client certificates at scale is a directory of all the public keys and certificates for the users you might need to communicate with (that means that people don't first need to exchange signed email messages before they can exchange encrypted email messages).
• That method of key distribution (exchanging signed messages) also breaks down if you need non-repudiable keys for digital signing, but escrowed keys for encryption. You need an alternative source for keys in that case.
• When it comes to deploying a directory, deploying one for your company is one thing. Even deploying a directory for an entity as big as the federal government is something that's doable (heck, they've done it!). But it's not clear to me that there's a scalable Internet-wide directory solution that would work to hold client certificates for all Internet users (assuming everyone had them).

PGP/GPG-ish S/MIME Keyservers?
• Ironically, one of the things that makes Internet scale directories difficult is... wait for it... spam. Can you imagine how much a spammer would love to be able to harvest email addresses for "everyone on the Internet" from a single central directory server?
• There is one cryptographic directory model that seems to have worked pretty well to-date, and that's the PGP/GPG model. Users can submit their keys if they want to. Other users can look for keys in those directories if they want to. If you can't find the one you need, you can always fall back on old standby approaches, like asking users to send you their keys directly.
• I've developed a very rough prototype server that demonstrates that it is at least conceptually possible to construct a PGP/GPG-like key server for S/MIME. If you're interested, see http://pages.uoregon.edu/joe/simple-keyserver/ for a detailed description of what I have in mind.

S/MIME Isn't The Only Use for Client Certs
• Client certificates can be used for a bunch of things other than just signing or encrypting email.
• For example, client certificates can also be used to sign documents, or for authentication, or as a building entry credential. (Note that if you're headed in the "authentication" or "building access control" direction, you will probably need a traditional enterprise PKI directory to support that application)
• Once you have client certs deployed, you might be surprised at how many different ways they can actually be used.

Signing Stuff (Other Than Just Using S/MIME)
• Client certs can do lots more, including signing documents...
• Signing Microsoft Word documents (Windows only), see http://pages.uoregon.edu/joe/signing-a-word-document/
• Need to sign documents on a Mac? Try OpenOffice: http://tinyurl.com/openoffice-signing
• Adobe has an extensive guide to securing PDFs, including use of digital certificates for signing PDFs, see: http://tinyurl.com/adobe-signing

Encryption Using Client Certs (Other Than S/MIME)
• PGP Whole Disk Encryption (see the datasheet linked from http://www.symantec.com/business/whole-disk-encryption)
• Microsoft Windows Encrypted File System http://technet.microsoft.com/en-us/library/bb457116.aspx
• IPsec VPNs (Most IPsec VPNs are deployed without use of client certificates, however at least some VPNs can be configured to use client certificates if desired; see, for example, http://www.strongswan.org/ and http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/DCertPKI.html)

Authentication Using Smart Cards/Client Certs
• Red Hat Enterprise Linux Smart Card Login. See http://tinyurl.com/redhat-smartcards
• Windows Active Directory Login with Smart Cards. See http://support.microsoft.com/kb/281245
• OpenSSH authentication (via third party X.509 patches) http://roumenpetrov.info/openssh/
• Mac OS X has deprecated native support for smart cards, but third party providers do still offer support, see http://smartcardservices.macosforge.org/ and http://www.thursby.com/mac-enterprise-management-high-security-smart-cards.html

Authentication Using Client Certs (cont.)
• Controlling access to web content served by Apache http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients (see also www.dwheeler.com/essays/apache-cac-configuration.html)
• Controlling access to web content served by Microsoft IIS 7 http://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx
• Controlling access to wireless networks via EAP-TLS, including configuring Eduroam. See http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml and http://www.internet2.edu/presentations/jt2011summer/20110710-hagley-eduroamtutorial.pdf

Client Certificates Can Even Potentially Be Used For Building Access Control Purposes

XII. Don't Forget About Policies, Governance And Potential Legal Issues

Client Certs (The Technology) Need to Be Supported By Appropriate Policies and Governance Structures
• In looking at successful deployments of client certs, such as the federal government's HSPD-12 CAC/PIV card project, one of the things I'm struck by is that its success is not just a technological thing, it's a sign that appropriate policies were developed by the community.
• If you're planning on doing a major client cert project, please be sure you are also considering the policy implications of moving to client certs, not just the technology issues.

Be Sure To Keep Corporate Counsel In The Loop, Too
• Why? Well, let me give you one closing example... strong cryptography is export controlled by the U.S. Bureau of Industry and Security, including being subject to the "deemed export" rule. If you plan to issue client certificates to all your employees, remember that some users, as mentioned at the beginning of this talk, may not be eligible for access to strong cryptographic technologies, including potentially client certificates. For more on this point, please consult with your attorney regarding the provisions of the "Deemed Export" rule. As a starting point, see http://www.bis.doc.gov/deemedexports/deemedexportsfaqs.html
• Increased use of encryption for official records may also raise long term record management issues.

Thanks for the Chance To Talk Today!
• Are there any questions?