PKI Design
PKI DESIGN
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | www.sevecek.com
GOPAS TECHED 2012

ALGORITHMS

Cryptographic Algorithms
Hash algorithms
  no keys
  MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512
Symmetric key algorithms
  secret key
  RC4, DES, 3-DES, AES
Asymmetric key algorithms
  public and private key
  RSA, DH, EC

THOUGHTS ON HASHING

Hash example (not good)
Sum alphabet letter positions
HELLO = 8 + 5 + 12 + 12 + 15 = 52
Can obtain arbitrary clear-text (collision) without brute-forcing
Several similar clear-texts lead to similar output
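
The letter-sum hash from this slide, as an added example that is not part of the original deck: it builds a colliding text for any chosen prefix without searching, and compares how a one-letter change moves the toy hash versus SHA-256. The function names, the `BAD` prefix and the rule that non-letters count as zero are assumptions made for the illustration.

```python
import hashlib
import string


def toy_hash(text: str) -> int:
    """The slide's weak hash: sum of alphabet positions (A=1 ... Z=26).

    Assumption: case-insensitive, and non-letters contribute nothing.
    """
    return sum(ord(c) - 64 for c in text.upper() if c in string.ascii_uppercase)


def forge(prefix: str, target: int) -> str:
    """Build a text that starts with `prefix` and hashes to `target`.

    No search is needed: the missing amount is appended as filler letters.
    """
    remaining = target - toy_hash(prefix)
    if remaining < 0:
        # The sum can only grow, so an over-heavy prefix cannot be fixed.
        raise ValueError("prefix already exceeds the target hash")
    filler = "Z" * (remaining // 26)
    if remaining % 26:
        filler += chr(64 + remaining % 26)
    return prefix + filler


def sha256_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between the SHA-256 digests of a and b."""
    da = hashlib.sha256(a.encode()).digest()
    db = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


if __name__ == "__main__":
    print(toy_hash("HELLO"))                      # the slide's value
    print(forge("BAD", toy_hash("HELLO")))        # constructed collision
    print(toy_hash("HELLP") - toy_hash("HELLO"))  # similar in, similar out
    print(sha256_bit_distance("HELLO", "HELLP"))  # real hash: many bits flip
```

The filler appended by `forge` plays the same role as the "Trash" field on the post-signing collision slide.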

Hash collisions
Pure arithmetic collisions
  limited exploitability
Post-signing collisions
Chosen-prefix collisions

Post-signing collision

Name: Ondrej
Owes: 100 $
Hash: 14EEDA49C1B7
To: Kamil
Signature: 3911BA85

Name: Ondrej
Owes: 1 000 000 $
Hash: 14EEDA49C1B7
To: Kamil
Signature: 3911BA85
Trash: XX349%$@#BB...

Chosen-prefix collision

CN: www.idtt.com
Valid: 2010
Hash: 24ECDA49C1B7
Serial #: 325
Signature: 5919BA85
Public: 35B87AA11...

CN: www.microsoft.com
Valid: 2010
Hash: 24ECDA49C1B7
Serial #: 325
Signature: 5919BA85
Public: 4E9618C9D...

MD5 problems
Pure arithmetic in 2^112 evaluations
Post-signing collisions suspected
Chosen-prefix collisions
  Practically proved for certificates with predictable serial numbers
  2^50

SHA-1 problems
General brute-force attack at 2^80
  comparable to a complex password of about 12 characters
Some collisions found at 2^63
  pure arithmetic collisions, no exploitation proved

ALGORITHM COMBINATIONS

Performance considerations
Asymmetric algorithms use large keys
  EC is about 10 times smaller
Encryption/decryption time about 100x longer
  symmetric is faster

Digital Signature (not good)
[Diagram: Document, Private key, Document]

Digital Signature
[Diagram: Private key, Document, Hash]

Storage Encryption (slow)
[Diagram: Public key, Document]

Storage Encryption
[Diagram: Public key (User A), Symmetric encryption key (random), Symmetric key, Document]

Storage Encryption
[Diagram: Public key (User A), Symmetric encryption key (random), Symmetric key, Document, Public key (User B), Symmetric key]

Transport encryption
[Diagram: Client, Server, Public key, Public key, Symmetric Key, Symmetric Key, Data]

FUN WITH RANDOM NUMBERS

Random Number Generators
Deterministic RNG
  use cryptographic algorithms and keys to generate random bits
  attack on randomly generated symmetric keys
  DNS cache poisoning
Nondeterministic RNG (true RNG)
  use physical source that is outside human control
  smart cards, tokens
  HSM – hardware security modules

Random Number Generators
CryptGenRandom()
  hashed
  Vista+ AES (NIST 800-900)
  2003- DSS (FIPS 186-2)
Entropy from
  system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …
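
Why the seed matters for a deterministic generator, as an added example that is not part of the original deck: a symmetric key produced from a guessable seed (here a timestamp) can be regenerated by anyone who walks the small seed range, while a key from the operating system's generator cannot. Python's `random` module stands in for the deterministic generator (it is not a cryptographic one), and the function names and timestamp values are constructed for the illustration.

```python
import random
import secrets


def key_from_seed(seed: int, nbytes: int = 16) -> bytes:
    """Symmetric key from a deterministic generator.

    Every bit of the key is fixed once the seed is fixed.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def seeds_reproducing(key: bytes, first: int, last: int) -> list:
    """Audit helper: seeds in [first, last] that regenerate `key`."""
    return [s for s in range(first, last + 1)
            if key_from_seed(s, len(key)) == key]


def key_from_os(nbytes: int = 16) -> bytes:
    """Key from the OS generator, which mixes many entropy sources."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    # Constructed scenario: key seeded with a Unix timestamp, and the
    # auditor only knows the ten-minute window in which it was created.
    window_start = 1_330_000_000
    weak = key_from_seed(window_start + 123)
    print(seeds_reproducing(weak, window_start, window_start + 599))

    # The same sweep finds nothing for a key drawn from the OS generator.
    print(seeds_reproducing(key_from_os(), window_start, window_start + 599))
```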

STANDARDS

US standards
FIPS – Federal Information Processing Standards
  provides standard algorithms
NIST – National Institute for Standards and Technology
  approves the algorithms for US government non-classified but sensitive use
  latest NIST SP800-57, March 2007
NSA – National Security Agency
  Suite-B for Secure and Top Secure (2005)

Cryptoperiods (SP800-57)

| Key | Cryptoperiod |
|---|---|
| Private signature | 1 – 3 years |
| Public signature verification | >3 years |
| Symmetric authentication | <= 5 years |
| Private authentication | 1-2 years |
| Symmetric data encryption | <= 5 years |
| Public key transport key | 1-2 years |
| Private/public key agreement key | 1-2 years |

Comparable Algorithm Strengths (SP800-57)

| Strength | Symmetric | RSA | ECDSA | SHA |
|---|---|---|---|---|
| 80 bit | 2TDEA | RSA 1024 | ECDSA 160 | SHA-1 |
| 112 bit | 3TDEA | RSA 2048 | ECDSA 224 | SHA-224 |
| 128 bit | AES-128 | RSA 3072 | ECDSA 256 | SHA-256 |
| 192 bit | AES-192 | RSA 7680 | ECDSA 384 | SHA-384 |
| 256 bit | AES-256 | RSA 15360 | ECDSA 512 | SHA-512 |

Security lifetimes (SP800-57 and Suite-B)

| Lifetime | Strength | Level |
|---|---|---|
| 2010 | 80 bit | US Confidential |
| 2030 | 112 bit | US Confidential |
| 2030 | 128 bit | US Secure |
| 2030 | 192 bit | US Top-Secure |
| Beyond 2030 | 128 bit | US Confidential |

NSA Suite-B Algorithms
NSA publicly published algorithms (2005)
  as against Suite-A which is private
AES-128, ECDH-256, ECDSA-256, SHA-256
  Secret
AES-256, ECDH-384, ECDSA-384, SHA-384
  Top Secret

OPERATING SYSTEM SUPPORT

Cryptographic Providers
Cryptographic Service Provider – CSP
  Windows 2000+
  can use only V1 and V2 templates
Cryptography Next Generation – CNG
  Windows Vista+
  require V3 templates
  enables use of ECC
CERTUTIL -CSPLIST

Cryptographic Providers

| Type | Operating System | Algos | Template |
|---|---|---|---|
| CSP | Windows 2000, Windows 2003 | AES, SHA-1, RSA | v1, v2 |
| CSP | Windows XP SP3, Windows 2003 KB938397 | AES, SHA-1, RSA, SHA-2 | v1, v2 |
| CNG | Windows Vista | AES, SHA-1, RSA, SHA-2, EC | v3 |

SHA-2 Support
Windows XP
Windows 2003 + KB 938397
Windows Phone 7
AD CS on Windows 2008+
Autoenrollment on XP with KB
TMG 2010 with KB in the future

Cryptography support

| System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH |
|---|---|---|---|---|---|---|
| Windows 2000 | yes | no | yes | yes | no | no |
| Windows XP | yes | yes | yes | yes | yes | no |
| Windows 2003 | yes | yes | yes | yes | yes (non-public update) | no |
| Windows Vista/2008 | yes | yes | yes | yes | yes | yes |
| Windows 7/2008 R2 | yes | yes | yes | yes | yes | yes |

Cryptography support

| System | DES, 3DES, RC2, RC4 | AES 128, AES 192, AES 256 | MD2, MD5, HMAC | SHA-1 | SHA-256, SHA-384, SHA-512 | ECDSA, ECDH |
|---|---|---|---|---|---|---|
| Windows Mobile 6.5 | yes | yes | yes | yes | no | no |
| Windows Mobile 7 | yes | yes | yes | yes | yes | yes |

TMG 2010 yes yes no
SCCM 2007 yes no no
SCOM 2007 yes yes no

Encryption
EFS BitLocker IPSec Kerberos NTLM RDP
DES 2000 + 2000 + 2000 + LM password hash, NTLM
3DES 2000 + 2000 + 2000 +
RC4 2000 + 2000 +
AES 2003 + Vista + Vista + Vista +
DH 2000 + 2000 +
RSA 2000 + Seven + 2000 + 2000 + 2003 +
ECC Seven + Vista + Seven +

Hashing
MD4 MD5 SHA-1 SHA-2
NT password hash NT4 +
Digest password hash 2003 +
IPSec 2000 + 2000 + Seven +
NTLM NTLMv2
MS-CHAP MS-CHAPv2

CNG (v3) Not Supported
EFS
  Windows 2008/Vista-
VPN/WiFi Client (EAPTLS, PEAP Client)
  Windows 2008/7-
  user or computer certificate authentication
TMG 2010
  server certificates on web listeners
Outlook 2003
  user email certificates for signatures or encryption
Kerberos
  Windows 2008/Vista-
  DC certificates
System Center Operations Manager 2007 R2
System Center Configuration Manager 2007 R2
SQL Server 2008 R2-
Forefront Identity Manager 2010 (Certificate Management)

CA HIERARCHY

CA Hierarchy
IDTT Root CA
  IDTT London CA
  IDTT Paris CA
  IDTT Roma CA
    Leaf certificates

Offline Root
Root CA cannot be revoked if compromised
Making new RootCA trusted may be difficult
Delegation of administration
Must issue CRLs
  the more frequent the more secure, but more “costly”

Active Directory
Group Policy
  every 120 minutes by default
Trusted Root CAs
Untrusted CAs
NTAuth
  CA issues logon certificates

AD CS FEATURES

SKU Features
Windows Server / Certificate Templates / Autoenrollment / Key Archival / SMTP Exit Module / Role Separation / Cross-forest Enrollment
2008 R2 Standard V1, V2, V3 Yes Yes No
2008 R2 Enterprise V1, V2, V3 Yes Yes Yes
2008 Standard V1 No No No
2008 Enterprise V1, V2, V3 Yes Yes No
2003 Standard V1 No No No
2003 Enterprise V1, V2 Yes Yes No

SKU Features

| Windows Server | Web Enrollment | Enrollment Web Services | OCSP Responder | SCEP Enrollment |
|---|---|---|---|---|
| 2008 R2 Standard | yes | yes | no | no |
| 2008 R2 Enterprise | yes | yes | yes | yes |
| 2008 Standard | yes | no | no | no |
| 2008 Enterprise | yes | no | yes | yes |
| 2003 Standard | yes | no | no | no |
| 2003 Enterprise | yes | no | no | no |

Role Separation
Enrollment Agent = Registration Authority
  sign cert request
Certificate Managers
  approve cert requests
Different groups of EA/CM approve requests for different groups of Enrollees

PUBLIC CERTIFICATES

SSL Certificate prices
Verisign – 1999 300$ year
Thawte – 2003 150$ year
Go Daddy – 2005 60$ year
GlobalSign – 2006 250$ year
StartCom – 2009 free

EV Certificate prices
Verisign – 1999 1500$ year
Thawte – 2003 600$ year
Go Daddy – 2005 100$ year
GlobalSign – 2006 900$ year
StartCom – 2009 50$ year

Support for SAN and wildcards

| Application | Supports * | Supports SAN |
|---|---|---|
| Internet Explorer 4.0 and older | no | no |
| Internet Explorer 5.0 and newer | yes | yes |
| Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored |
| Windows Pocket PC 3.0 and 4.0 | no | no |
| Windows Mobile 5.0 | no | yes |
| Windows Mobile 6.0 and newer | yes | yes |
| Outlook 2003 and newer | yes | yes |
| RDP/TS proxy | yes | yes, if SAN present Subject is ignored |
| ISA Server firewall certificate | yes | yes |
| ISA Server 2000 and 2004 published server certificate | no | no |
| ISA Server 2006 published server certificate | yes | yes, only the first SAN name |

OCSP and Delta CRL

| System | Checks OCSP | Delta CRL |
|---|---|---|
| Windows 2000 and older | no | no |
| Windows XP and older | no | yes |
| Windows Vista and newer | yes, preferred | yes |
| Windows Pocket PC 4.0 and older | no | no |
| Windows Mobile 5.0 | no | yes |
| Windows Mobile 6.0 | no | yes |
| Windows Mobile 6.1 and newer | yes, preferred | yes |
| ISA Server 2006 and older | no | yes |
| TMG 2010 and newer | yes, preferred | yes |

CRL checks in Internet Explorer

| Version | CRL and OCSP checking |
|---|---|
| 4.0 and older | no checks |
| 5.0 and newer | can check CRL, disabled by default |
| 7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default |

Windows Mobile 2003 and 5.0 trusted CAs

| Company | Certificate Name | Windows Mobile |
|---|---|---|
| Cybertrust | GlobalSign Root CA | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Root | 2003 and 5.0 |
| Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0 |
| Verisign | Thawte Premium Server CA | 2003 and 5.0 |
| Verisign | Thawte Server CA | 2003 and 5.0 |
| Verisign | Secure Server Certification Authority | 2003 and 5.0 |
| Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0 |
| Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0 |
| Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0 |
| Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0 |
| Godaddy | http://www.valicert.com/ | 5.0 |

Windows Mobile 6.0 trusted CAs

| Company | Certificate Name |
|---|---|
| Comodo | AAA Certificate Services |
| Comodo | AddTrust External CA Root |
| Cybertrust | Baltimore CyberTrust Root |
| Cybertrust | GlobalSign Root CA |
| Cybertrust | GTE CyberTrust Global Root |
| Verisign | Class 2 Public Primary Certification Authority |
| Verisign | Thawte Premium Server CA |
| Verisign | Thawte Server CA |
| Verisign | Secure Server Certification Authority |
| Verisign | Class 3 Public Primary Certification Authority |
| Entrust | Entrust.net Certification Authority (2048) |
| Entrust | Entrust.net Secure Server Certification Authority |
| Geotrust | Equifax Secure Certificate Authority |
| Geotrust | GeoTrust Global CA |
| Godaddy | Go Daddy Class 2 Certification Authority |
| Godaddy | http://www.valicert.com/ |
| Godaddy | Starfield Class 2 Certification Authority |

RSA 2048 browser support

| Browser | First Version |
|---|---|
| Internet Explorer | 5.01 |
| Mozilla Firefox | 1.0 |
| Opera | 6.1 |
| Apple Safari | 1.0 |
| Google Chrome | |
| AOL | 5 |
| Netscape Communicator | 4.51 |
| Red Hat Linux Konqueror | |
| Apple iPhone | |
| Windows Mobile | 2003 |
| Windows CE | 4.0 |
| RIM Blackberry | 4.3.0 |
| PalmOS | 5 |
| Sony Playstation Portable | |
| Sony Playstation 3 | |
| Nintendo Wii | |

Extended Validation browsers

| Browser | First Version |
|---|---|
| Internet Explorer | 7.0 |
| Opera | 9.5 |
| Firefox | 3 |
| Google Chrome | - |
| Apple Safari | 3.2 |
| Apple iPhone | 3.0 |

S/MIME RSA 2048 client support

| Browser | First Version |
|---|---|
| Microsoft Outlook | 99 |
| Mozilla Thunderbird | 1.0 |
| Qualcomm Eudora | 6.2 |
| Lotus Notes | 6 |
| Netscape Communicator | 4.51 |
| Mulberry Mail | |
| Apple Mail | |
| Windows Mail | |
| The Bat | |

THANK YOU!