K binkowski metody_uwierzytelnienia_windows_7

Methods and techniques of secure authentication in Windows 7. Krzysztof Bińkowski, MCT Trainer, Security/Forensics, 28.04.2011


Transcript of K binkowski metody_uwierzytelnienia_windows_7

Page 1: K binkowski metody_uwierzytelnienia_windows_7

Methods and techniques of secure authentication in Windows 7

Krzysztof Bińkowski, MCT Trainer, Security/Forensics

28.04.2011

Page 2: K binkowski metody_uwierzytelnienia_windows_7

Agenda

• A few words about me

• Authentication = Uwierzytelnienie

• Authentication / Authorization

• Authentication methods 1FA/2FA/3FA

• SmartCard Authentication

• SmartCard + Biometric Authentication

• Biometric Authentication

• Face Authentication

• Online Identity Integration

Page 3: K binkowski metody_uwierzytelnienia_windows_7

A few words about me

I hold several certifications:

• MCT, MCSA/MCSE+Security, MCITP SA/EA

• ACE (Accessdata Certified Examiner)

• ACI (Accessdata Certified Instructor)

• Novell CNA/CNE

Day to day:

• Trainer in Microsoft technologies / security / forensics at COMPENDIUM Centrum Edukacyjne

• Specialization: Windows systems / Security / PKI / Forensics

• I specialize in computer forensics

• Community notary for CAcert / StartSSL

• Member of: ISSA Polska, SIIS (Stowarzyszenie Instytut Informatyki Śledczej), SEClub

• Co-leader of the MSSUG group

Page 4: K binkowski metody_uwierzytelnienia_windows_7

Authentication (Polish: uwierzytelnienie)

• Authentication = Uwierzytelnienie

The word „autentykacja” does not exist in the Polish dictionary

• Authorization = Autoryzacja

Page 5: K binkowski metody_uwierzytelnienia_windows_7

Authentication / Authorization?

User Resource

Who are you?

Authentication: Are you who you claim to be?

Are you on the list?

Authorization: Have you been granted permissions to the resources you are trying to access, e.g. via an ACL?

What does the list say you can do?

Access: Which actions the permissions granted to you allow.

Page 6: K binkowski metody_uwierzytelnienia_windows_7

Authentication and Authorization Process

Windows Authentication

Windows authentication methods include:

Method: Description

• Kerberos version 5 protocol: Used by Windows 7 clients and servers running Microsoft Windows Server 2000 or later

• NTLM: Used for backward compatibility with computers running pre-Windows 2000 operating systems and some applications

• Certificate mapping: Certificates are used as authentication credentials

Page 7: K binkowski metody_uwierzytelnienia_windows_7

SECURE AUTHENTICATION

• What You Know: Passwords & PINs

• What You Have: Smart cards & Tokens

• What You Are: Biometrics

• Traditional Two-Factor Authentication (2FA)

• Convenient Two-Factor Authentication (2FA)

• Most Secure Three-Factor Authentication (3FA)

Page 8: K binkowski metody_uwierzytelnienia_windows_7

New Authentication Features in Windows 7

New Authentication Features: Description

• Smart cards: Several new authentication features are available for use with Smart cards, including:

  • Kerberos support for Smart card logon

  • Encrypt removable media using BitLocker and using the Smart card option to unlock the drive

  • Document and e-mail signing

• Biometrics: Windows Biometric Framework (WBF) provides support for fingerprint biometric devices through a new set of components

• Online Identity Integration: A new group policy setting is available that controls the ability of online IDs to authenticate to a computer

Page 9: K binkowski metody_uwierzytelnienia_windows_7

"Smart Card" in Polish

Karta inteligentna (intelligent card)? Karta elektroniczna (electronic card)? Karta chipowa (chip card)? Karta kryptograficzna (cryptographic card)? Karta mikroprocesorowa (microprocessor card)?

Page 10: K binkowski metody_uwierzytelnienia_windows_7

Smart Card design

• Has a built-in processor

• Is programmable

• Provides a secure store for private keys

• Separates security-critical operations from the computer

The card stores:

• Private key

• Public key

• Associated certificate

Page 11: K binkowski metody_uwierzytelnienia_windows_7

Types of cards

Page 12: K binkowski metody_uwierzytelnienia_windows_7

A card, or not a card?

• Sometimes USB tokens are also referred to as SMART CARDs

Page 13: K binkowski metody_uwierzytelnienia_windows_7

Card readers

Page 14: K binkowski metody_uwierzytelnienia_windows_7

Smart Cards

• Smart card-related Plug and Play

• Kerberos support for Smart card logon

• Encrypt removable media using BitLocker and using the Smart card option to unlock the drive

• Document and e-mail signing

• Used with line-of-business applications to enable certificate use with no additional middleware

Page 15: K binkowski metody_uwierzytelnienia_windows_7

• DEMO

• http://www.mysmartlogon.com/products/eidauthenticate.html

Page 16: K binkowski metody_uwierzytelnienia_windows_7

Gemalto .NET Bio

Page 17: K binkowski metody_uwierzytelnienia_windows_7

4 modes, 4 ways to authenticate

[Screenshots of the "Biometric Verification" / "Biometric Authentication" dialogs]

• PIN or Fingerprint Authentication: "Please swipe your finger OR enter your PIN"

• Fingerprint Authentication: "Please swipe your finger on the biometric reader."

• PIN and Fingerprint Authentication: "Please swipe your finger first, then enter your PIN"

• PIN Authentication

Page 18: K binkowski metody_uwierzytelnienia_windows_7

BIOMETRIC

Page 19: K binkowski metody_uwierzytelnienia_windows_7

Biometric

• Windows Biometric Framework (WBF) provides support for fingerprint biometric devices through a new set of components

• A common API facilitates development of applications using biometrics

• Through a new Control Panel item, users can control the availability and use of biometric devices

• Device Manager support for managing drivers for biometric devices

• Group Policy settings to enable, disable, or limit the use of biometric data for a local computer or domain

Page 20: K binkowski metody_uwierzytelnienia_windows_7

•DEMO

Page 22: K binkowski metody_uwierzytelnienia_windows_7

• DEMO

• http://luxand.com/index.php

Page 23: K binkowski metody_uwierzytelnienia_windows_7

Online Identity Integration

• A new group policy setting is available that controls the ability of online IDs to authenticate to a computer

• Online IDs can be used to identify individuals within a network

• Users must link their Windows user account to an online ID to facilitate authentication

• Authentication occurs through the use of certificates

• Does not affect domain accounts or local user accounts from logging on to the computer

Page 24: K binkowski metody_uwierzytelnienia_windows_7

Online Identity Integration

• What's the benefit of linking my online IDs with my Windows user account?

• If you have an online account, such as an e‑mail account, you can link that account with your Windows user account. Linking these accounts provides the following benefits:

• People can share files with you on a homegroup using your online ID instead of having to create a Windows user account for you on their computer.

• You can use your online ID to access your information on other computers on a network, such as accessing files on a home computer from your work computer.

• Linking your account is a two-part process. First, you need to add your online ID provider, and then you need to link your online ID with your Windows user account.

Page 25: K binkowski metody_uwierzytelnienia_windows_7

Thank you for your attention

http://securityforensics.wordpress.com/

Email:[email protected]