Seminar 02A - Client CertificatesPLEASE NOTE: Separate registration and fee are required to attend...
192
Client Cer)ficates Security Professionals 2012 Preconference Seminar 8:30‐Noon, Tuesday, May 15 th, 2012 White River Ballroom B, JW MarrioE, Indianapolis IN Joe St Sauver, Ph.D. (joe@internet2 or [email protected]) InCommon CerPficate Program Manager and Internet2 NaPonwide Security Programs Manager hEp://pages.uoregon.edu/joe/secprof2012/ Disclaimer: The opinions expressed in this talk represent those of its author, and do not necessarily represent the opinion of any other en9ty.
description
Client certificates (also known as personal certificates or S/MIME certificates) have been around for a decade, but they're rarely seen in higher education, even though the federal government and large corporations have successfully deployed them for highly sensitive security environments involving millions of users. This seminar, taught by the manager of InCommon's certificate program, will bring you up to speed on client certificates and give you the background and skills you need to successfully deploy client certs at your school, whether for a small group of system admins or campus-wide. Technical level: intermediate. http://www.educause.edu/events/security-professionals-conference-2012-1/2012/seminar-02a-client-certificatesplease-note-separate-registration-and-fee
Transcript of Seminar 02A - Client CertificatesPLEASE NOTE: Separate registration and fee are required to attend...
ClientCer)ficates
SecurityProfessionals2012PreconferenceSeminar
8:30‐Noon,Tuesday,May15th,2012WhiteRiverBallroomB,JWMarrioE,IndianapolisIN
JoeStSauver,Ph.D.(joe@[email protected])InCommonCerPficateProgramManagerand
Internet2NaPonwideSecurityProgramsManager
hEp://pages.uoregon.edu/joe/secprof2012/
Disclaimer:Theopinionsexpressedinthistalkrepresentthoseofitsauthor,anddonotnecessarilyrepresenttheopinionofanyotheren9ty.
Preface
2
OurTimeTogetherToday
• SincethreehoursisarelaPvelylongPmeforasinglesession,we'regoingtogothroughmaterialforaboutanhourandahalf(unPlabout10:00),andthenwe'lltakeacoffeebreakoutsideofroom103forahalfhourorso.Around10:30,we'llcrankbackupandfinishtherestofthematerialwewanttogoover.
• IfyouhaveanyquesPonsatanyPme,feelfreetospeakup.WhileI'vepreparedafairlystructuredsessiongiventhenumberofaEendeesthatareexpected,I'vesPlltriedtobuildinPmefordiscussion,andIknowthatsomeofyoumayalreadybeexperiencedwihclientcertsandhavemuchtoshareyourselves.
• Finally,Ialsowanttomakesurewe'vegotPmetohelpyouactuallygetaclientcertinstalledandupandrunningonyoursystem,ifyou'dliketotrydoingthis.
• ArethereanyquesPonsatthispoint?3
Introduc)ons
• Let'stakeaminuteortwotogoaroundtheroomandintroduceourselves.
• Pleasesay:
‐‐whoyouare‐‐whatschoolyou'rewith‐‐anythingyoursitemaycurrentlybedoingwithclientcerts‐‐whyyou'reinterestedinclientcerts/anythingyouparPcularlyhopewecovertoday
4
StrongCryptographyandFederal/Interna)onalLaw
• Strongcryptographyiscri)caltocomputerandnetworksecurity,includingenablingsecureauthenPcaPonandonlinecommerce,protecPngpersonallyidenPfiableinformaPon(PII)storedonline,andlegiPmatelyensuringpersonalprivacyforlaw‐abidingciPzens.
• AtthesamePme,strongcryptographyissubjecttocomplexregula)oninmanycountries,includingtheUnitedStates.Why?UseofencrypPonmakesitharderfornaPonalsecurityagenciesandlawenforcementorganizaPonstolawfullyinterceptcriminalcommunicaPonsandnaPonal‐security‐relatedcommunicaPons.
• Therefore,ourgoalwhentalkingaboutstrongcryptographyistoalwaysabidebyfederallawsandinterna)onaltrea)esrela)ngtocontrolsoverstrongcryptography,andtodowhatwhatwecantoensurethatstrongcryptographydoesn'tgetmisusedinwaysthatmighteitherharmournaPonalsecurityorinterferewiththelawfulinvesPgaPonandprosecuPonofcriminals.
5
SinceWe’llBeGivingYouStrongHardwareCryptoProducts
• Youwarrantthatyouaren’tbarredfromobtainingandusingstrongcryptoproductsorsoKware,NORareyoubarredfromreceivingtrainingonit.
• Specifically,thismeansthatyouassertthatyouareNOTaciPzen,naPonal,orresidentofBurma,Cuba,Iran,Iraq,NorthKorea,Sudan,Syria,oranyothercountryblockedfromobtainingstrongcryptographyproducts.
• YouareNOTa"deniedperson,"a"speciallydesignatednaPonal,"oranysimilarindividualforbiddentoaccessstrongcryptographybytheUSgovernment(www.bis.doc.gov/complianceandenforcement/liststocheck.htm)
• Youareneitheraterroristnoratrafficker/userofillegalcontrolledsubstances,NORareyoudirectlyorindirectlyinvolvedinthedesign,development,fabricaPonoruseofweaponsofmassdestrucPon(includingimprovisedexplosivedevices,nuclear,chemical,biological,orradiologicalweapons,normissiletechnology,see18USCChapter113B)
• YouagreeNOTtoredistributeorretransfercryptographicproductsorsofwaretoanyonewhoisinoneofthepreviouslymenPonedprohibitedcategories.
• YouunderstandandagreethattheforgoingisbywayofexampleandisnotanexhausPvedescripPonofallprohibitedenPPes,andthatthisisnotlegaladvice.ForlegaladvicerelaPngtostrongcrypto,pleaseconsultyourownaEorney. 6
"First,DoNoHarm"
• Someofyoumaywantto“followalong”aswegothroughtoday’strainingmaterials.Ifso,that’sterrific.HoweverpleaseONLYdosoifyou’vegotarecentbackupofyoursystem,andyoursystem(ifsuppliedbyyouruniversity)isNOT"lockeddown"byyouruniversityITdepartment.
• IfyouhaveNOTbackedupyoursystemrecently,oryouruniversityITdepartmentdoesNOTwantyoutoPnkerwithyourlaptop,pleasefeelfreetowatchwewegoovertodaybutpleasedonottrytoinstallanynewsofwareorotherwisemodifyyoursystem.
• Also,ifyoualreadyhaveaclientcerPficateinstalledonyoursystem,youmaywanttorefrainfrominstallinganotherone,andinparPcularPLEASEdoNOTinten)onallydeleteanyclientcer)ficatesyoumayalreadyhaveinstalledonyoursystem!
7
Oh,AndForThoseofYouWhoMayHaveBeenWorried,No,We'reNotGoingtoDiveIntoAnyAdvanced
Crypto‐RelatedMathema)csToday
• OurfocustodayisonhelpingyougettothepointwhereyoucanactuallyuseclientcerPficates,parPcularlyforsecureemail,andgemngyoutothepointwhereyouunderstandthepracPcallimitaPonsassociatedwiththosetechnologies.Youdon'tneedadvancedmathemaPcstodothat.
• SoifyouhatedmathemaPcswhilegoingthroughschool,relax.:‐)Virtuallyeverythingwe’regoingtotalkabouttodayshouldbenon‐mathemaPcal.
• Let’sdiverightin.We'llbeginbytalkingaboutwhyyoumightwanttouseclientcerPficates,parPcularlyforsigningandencrypPngemail.
8
I.Mo)va)ngAnInterestinClientCer)ficates("PKI"):
SecuringEmail
9
WhyMightWeNeedToSignand/orEncryptEmail?
• Putsimply,regularemailishorriblyinsecure.
• Emailistrivialtospoof:eventechnicallyunskilleduserscansimplyputbogusidenPtyinformaPonintothepreferencespaneloftheiremailclientandvoila,they're"Santa"(orpreEymuchanyoneelsetheywanttobe).Youjustcan'ttrustthenon‐cryptographically‐signedcontentsofemailthatyoumayreceive–itmayallbecompleterubbish.
• Mostemailisalsotrivialtosniffonthewire(orreadinthemailspool):messagesnormallyaren'tencryptedwhentransmiEedorstored,sounauthorizedparPescanreadyourcommunicaPons."Trustedinsiders"mayalsoaccessconfidenPalcommunicaPons.
• Let'stakealookatacoupleofpracPcalexamplesofthesesortofexposures.
10
TheSimpleRoadtoSpoofingEmail:JustChangeYourPreferencesinMozillaThunderbird
11[Yes,thiswillwork.Butno,pleasedon'tactuallydothis.]
"ButWon'tSPFand/orDKIMEliminatetheSpoofingProblem?"
• SPF(www.openspf.org)andDKIM(www.dkim.org)weremeanttohelpfixspoofing,andtheydo,butthey'renotatotalsoluPon.
• Forinstance,SPF/DKIMcannotprotectyouagainstspoofedemailthatisinjectedfromanauthorizedsource.Classicexample:‐‐Collegefacultymemberandherstudentsallhaveaccountsinthesameexample.edudomain,andallsendfrom"oncampus"‐‐Amaliciousclassmemberforgesmessagefromacampuscomputerlab,pretendingtobethefacultymember,"cancellingclass"or"assigningextrahomework"(orwhatever).SPFandDKIMaren'tdesignedtodefendagainstthissortofaEack.
• Securityfolkstendtolikebelt‐and‐suspender("defenseindepth")soluPonsanyhow,andjustbecauseyou’redoingSPForDKIM,thatdoesn'tprecludealsodoingmessagelevelcrypto,right?
12
ASimpleExampleofHowEasyItIsToSniffTypicalPlainTextEmailUsingWireshark
• Sendasimplemailmessage...
% mailx -s "testing 123" [email protected] Joe!
I don't think this is very secure, do you?
Joe .
• IfsomeoneisusingWiresharktowatchyourtraffic,they'dsee:
13
"ButJoe!AllOurNetworksAreSwitchedEthernet!There'dBeNoTraffictoSniff!"
• SitessomePmeshaveafalsesenseofsecuritywhenitcomestotheirvulnerabilitytosniffing.Specifically,somemaybelievethatbecausetheyuseswitchedethernet,trafficintendedforagivensystemwillONLYflowtotheappropriatesystem'sswitchport.
• Youmayalreadybeawarethatmanyswitchescanbeforcedtoactlikehubsthroughavarietyofwellknowntechniques(seeforexamplehEp://eEercap.sourceforge.net/).Thus,evenifyourinfrastructureisintendedtoisolatetrafficonaper‐portbasis,inpracPce,thatprocessmayfailtomaintaintrafficseparaPon.
• Youalsocan'tensurethattrafficwon'tbesniffedonceitleavesyourlocalnetwork.
• Therefore,youshouldassumethatanyunencryptednetworktraffic,includingmostemail,canbesniffedandread.
14
OfCourse,IfSomeone'sGotRoot,TheyCanLookAtAnythingOnTheSystem,IncludingEmailMessages...
% suPassword: # cat /var/mail/joe From [email protected] Sun Feb 12 14:30:54 2012Return-Path: <[email protected]>Received: by canard.uoregon.edu (Postfix, from userid 501) id 5C221D537D4; Sun, 12 Feb 2012 14:30:54 -0800 (PST)To: [email protected]: Some thoughts on the insider threatMessage-Id: <[email protected]>Date: Sun, 12 Feb 2012 14:30:54 -0800 (PST)From: [email protected] (Joe St Sauver)Status: O
Hi Joe,
I wonder if a system admin with root priv could read the mail that's sitting in my mail spool? You know, I bet s/he could...
Joe 15
BUTIfYourEmailIsEncrypted,ItMayNotMaberIfSomeoneDoesALible"Browsing:"TheFollowingIsn'tVeryInforma)ve,IsIt?
MIAGCSqGSIb3DQEHA6CAMIACAQAxggNbMIIBkQIBADB5MGQxCzAJBgNVBAYTAlVTMRIwEAYD VQQKEwlJbnRlcm5ldDIxETAPBgNVBAsTCEluQ29tbW9uMS4wLAYDVQQDEyVJbkNvbW1vbiBT dGFuZGFyZCBBc3N1cmFuY2UgQ2xpZW50IENBAhEAowXASR0JSE0KE5HSe8RXCTANBgkqhkiG 9w0BAQEFAASCAQAphc3r5MLFw43hOcMzlb/UG9DEaFPyFtcaiN8koelnok2DVdcAtSb9wulU iKjw4jps8GwqPeonzC8o+RMyktiFwMvM/QfN4zMUbfxsJr0i7FpnveROp+V8Cyo2hDuJpa/d GjRI560cDnH2z4tnYOO9/SJBCvLIIRjfnnnuJlS12VF00kcA9sfJI23QWhauisoef0ZhvAOw
11wHi8o+4icSe6iT18rR+Sr9MDhulDdfVCfmYwDfBi4SAqzbLK1FZfSj7aIjphlcFV4JKXr3 HyEz2afYRCGYUUaGk1zjcfhh4Eqkah6TwZ8QCtWUTsYdhuZdHGHw6zbBuSUYxzRG2NiRMIIB wgIBADCBqTCBkzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQ MA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxOTA3BgNVBAMT MENPTU9ETyBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAKgC OyLlmfFLiBBlWracUfMwDQYJKoZIhvcNAQEBBQAEggEAOc1JpNLx+62m1To69oxFd3/fMEvo
UDkL1nSQe5LDhKnH3DXmH2vvTN0Q0h8vjGbkcGklCD11164VRi380QrtVYTsYCl9tB1kuHam SH+xJIIsLkNasYWnCXwzji+Uw80GiAP9/CgB/aYJhhYJt1HRQ+43S9m3xgpdK//aCOIjmKLl prFiQ1Jk5Wx3Sqm/Kkg89m9ulln1ckpIBrvTxNsikZmFwh4QGcCtz42+mTGZXcbrrn9yfT0F 4ds9xDbBm5e/Se/aq4vpfX0yi0/UP8/ywJ5+zG2ufyJw4i2h2O3vyD6WzX7PiYuzsn232RkR
[This base64 encoded file is actually a base64 encoded encrypted file] 16
EmailIsAlsoPoten)allySubjecttoLawfulInterceptand/orCompulsory(orEvenVoluntary)Disclosure
17hEp://www.cybercrime.gov/ssmanual/ssmanual2009.pdfatpage138
ReducingTheTransportEmailSniffingVulnerability:Opportunis)cSSL/TLSEncryp)on
• YoucanreducetheextenttowhichemailtrafficissubjecttosniffingonthewirebyenablingopportunisPcSSL/TLSencrypPon.ThismeansthatiftheMTAsonbothsidesoftheconversaPonarereadyandwillingtodoSSL/TLSencrypPon,itwillbenegoPatedandusedwheneveritcanbe.Seeforexample:
hEp://www.exim.org/exim‐html‐3.20/doc/html/spec_38.htmlhEp://www.posdix.org/TLS_README.htmlhEp://www.sendmail.org/~ca/email/starEls.html
• However,SSL/TLSwillnotprotectemailoverlinksthatdon'thaveTLS/SSLenabled,nordoesitprotectstoredmailonceithasbeenreceivedandsavedtodiskatitsdesPnaPon.Thatis,itisnot"end‐to‐end."
18
Obtaining*End‐to‐End*Protec)onRequiresMessage‐LevelSigningandEncryp)onE.G.,UseofPGP/GPG,orUseofS/MIME
• Therearetwobasicapproachestogemngend‐to‐endprotecPonforemailmessages:
• PreEyGoodPrivacy(PGP)(orGNUPrivacyGuard(GPG)),seeRFC4880,*OR*
• S/MIME(RFC5751)withpersonalcerPficates.
• PGP/GPGisprobablythemorecommonofthosetwoopPons,andonethatmanyofyoumayalreadyuse,buttodaywe'regoingtotalkaboutusingS/MIMEwithclientcerPficates,instead.
• Beforewecandigin,however,weneedaliEle"cryptobackfill"19
II.AMinisculeLibleBitofCryptographicBackfill
20
PublicKeyCryptography
• Therearebasicallytwotypesofcryptography:symmetrickeycrypto,andpublickey(asymmetric)crypto.
• Insymmetrickeycryptography,amessagegetsencryptedANDdecryptedusingthesamesecretkey.Thatmeansthatbeforeyoucanshareasecretmessagewithsomeone,youneedasecretkeyyou'vebothpreviouslyagreedupon(chicken,meetegg).
• BothPGP/GPGandS/MIMEwithpersonalcerPficates,ontheotherhand,relyonpublickeycryptographytosignorencryptmessages.Inpublickeycryptography,theusercreatesapairofmathemaPcally‐relatedcryptographickeys:oneprivatekeythatonlytheuserknows,plusarelatedpublickeythatcanbefreelysharedwithanyonewho'sinterested.Havingauser'spublickeydoesn'tallowyoutoderivethatuser'scorrespondingprivatekey,butitdoesallowyoutocreateanencryptedmessageforthatuserviaa"oneway"or"trapdoor"mathemaPcalprocess.
21
ButWait,There'sMore!PublicKeyCryptographyCanSlice,DiceandMakeJulienneFries,Too...
• Well,thatmaybeaslightexaggeraPon.
• Butpublickeycryptographydoesallowyoutodoatleastonemorecooltrick:theholderoftheprivatekeycanalsodigitallysignafilewiththeirprivatekey.Oncethatfileisdigitallysigned:
‐‐itcan'tbechangedwithoutinvalidaPngthemessagesignature(e.g.,itactsasananP‐tamperingchecksumvalue)
‐‐anyonewhohasacopyofthecorrespondingpublickeycanverifythatitwassignedbysomeonewhohadaccesstothecorrespondingprivatekey
22
HowDoCer)ficatesFitIntoAllThis?
• Sofarwe'veonlybeentalkingaboutpublickeysandprivatekeys.YoumaywonderhowcerPficatesfitintoallthis.
• TheansweristhatcerPficatesaEachanidenPtytoacryptographickeypair.
• Ifyou'relikemostfolks,whenyouhear"cerPficates"inanonlinecontext,youthinkofSSLwebservercerPficates.That'snotwhatwe'regoingtobetalkingabouttoday.ThosecerPficatesareissuedtoservers.Thecertswe'regoingtotalkabouttodaygetissuedto*people*,instead.
• Butfirst,let'sbeginwithsomethingwe'reallfamiliarwith:meePnganewpersoninreallife.
23
MappingUserstoIden))esIn"RealLife"
• IfImeetyouface‐to‐face,perhapsatthehotelbar,youmighttellme,"Hi,I'mRobertJones.Nicetomeetyou!"Inacasualcontextatasocialeventofthatsort,wemightsmile,shakehands,exchangecards,engageinsomechitchat,andleaveitatthat–itdoesn'treallymaEerifyouare(oraren't)whoyouclaimtobe.I'lljusttemporarilyaccept(andthenunfortunatelyprobablyquicklyforget)your"self‐assertedidenPty."That'sOK.
• IfitturnsoutthatIeventuallyneedconfirmaPonofwhoyouare,Imightasktrustedcolleagues,"Hey,seethatguyoverthere?Whoishe?"Iftheyallsay,"Oh,that'sRobertJones.I'veknownhimforyears,"thatmightgivemeconfidencethatyoureallyarehim.
• OtherPmes,forexampleifyou'reinastrangecity,orsomeone'strusPngyouwithavaluableasset(suchasarentalcar),youmightneedtoshowadriverslicenseorothergovernmentissuedIDsincenoone"knowsyourname."(ObCheers:"Norm!")
24
MappingUsersToIden))esOnline:PGP/GPG
• Asimilarproblemexistsonline.HowdoyouknowwhichpubliclyofferedPGP/GPGkeysistherealonethataperson'sactuallyusing,andnotapretender'scredenPals?InPGP/GPG,thisisdoneviaa"weboftrust."
• InPGP/GPG,aPGP/GPGpublickeygetsdigitallysignedbyotherPGP/GPGuserswhohavepersonallyconfirmedthatperson’sID.(ThisofengetsdoneatPGP/GPG"keysigningparPes,"liketheonethatwillhappenat6:30PMonWednesdaynight).NormallyakeyholderwillgetsignaturesfrommulPplefriendsorcolleagues.
• Recursively,howdoyouknowthatyoushouldtrustthosesignatures?Well,thosesignaturesweremadewithkeysthathaveALSObeensignedbyothercolleagues,andsoonandsoforth.
• Whilethissoundsincrediblyadhocandkludgy,inpracPce,itactuallyworkspreEywell(atleastfortechnicalusers)–itreallyisasmallworldoutthere,"sixdegreesofKevinBacon"‐wise.
25
TheWebofTrustIsForKeys(NotNecessarilyTheirOwners)
• Animportantnoteaboutthecryptographic"weboftrust:"
SomeonesigningaPGP/GPGkeyisnotsayingthatthat personwho'skeythey'vesignedisa"trustworthy"person.
Completelyevilpeoplemayhavewell‐signedPGP/GPGkeys!
• Whensomesignsanotherperson'sPGP/PGPkey,they'reonlysayingthat:
‐‐they'velookedatthatperson'sgovernmentissuedID,‐‐thatpersonindicatedthatthatthatpublickeyistheirs.
Thatis,they'rebindinganiden9tytoacryptographiccreden9al.26
PersonalCer)ficates
• InthecaseofS/MIMEwithpersonalcerPficates,aweboftrustisn'tused.IntheS/MIMEcase,trustgetsestablishedhierarchically("topdown").
• Thatis,apersonalcerPficateistrustedbecauseithasbeenissuedbyabroadlyacceptedcerPficateauthority("CA"),anenPtythatyou(andmostotherInternetusers)acceptasreliableforthepurposeofbindingidenPPestocredenPals.
• CAstendtobeverycarefulwhenitcomestodoingwhattheysaythey'regoingtodo(specifically,verycarefultodowhattheysaythey'regoingtodointheir"CerPficatePracPcesStatement"),becauseiftheydon't,people(includingbrowservendorsandtheCABForum)willstoptrusPngthemandthenthey'llquicklybetotallyoutofbusiness(literally).
27
'SoWhat'sthis"CABForum?"'
• No,it'snotataxicabassociaPon.• TheCerPficateandBrowserForumisaninfluenPalbodymadeup
ofCerPficateAuthoriPes(that'sthe"CA"intheirname)andBrowserVendors(that'sthe"B"intheirname).
• TheirwebsiteishEp://www.cabforum.org
• AsapracPcalmaEer,increasinglythey'reeffecPvelyestablishingthepracPces/normsthatapplytotheenPrecerPficateindustry,andFWIW,they'remakingtheshipfarmoreshipshape.:‐)
• Previously,variousindustrygroups,suchastheMozillaFoundaPon,hadalottodowithwhatwasorwasn'tacceptable:putsimply,ifyouwantedyourcerPficatestobetrustedinFirefox,youcompliedwithwhattheMozillaFoundaPonrequired.DiEoforInternetExplorerandMicrosof,etc.
28
"WhatDoesaCPSActuallyLookLike?"
• CPSdocumentsasaclassareprobablyoneofthemostwidelyignoredcategoriesofdocumentsintheworld.
• Howver,somePmesfolkswhohaveahardPmesleepingactuallywanttoreadCerPficatePracPcesStatements.Ifyou'dliketochecksomeout,youcansee,forexample,InCommon'sCerPficateServiceCPS:hEps://www.incommon.org/cert/repository/
• You'llseeseparateCPSfortheInCommonstandardSSLcerPficateoffering,theextendedvalidaPoncerPficateoffering,theclientcerPficateoffering,andthecodesigningcerPficateoffering.Thevarious"profile"documentsarealsopotenPallyquiteinformaPve.
• SimilardocumentsshouldbeavailableforanypubliccerPficateissuer.
• OneofthethingstheycoverishowidenPtygetsvalidated,andwhatexpectaPonsshouldbeforaparPculartypeofcert.
29
III.Iden))esandLevelsofAssurance
30
ARealName,orJustAnEmailAddress?
• Theremaybesomeconfusionwhenitcomestothe"idenPty"thatacryptographiccredenPalasserts–isitaperson's“realname”(e.g.,asshownontheirdriver'slicenseortheirpassport),orisitsomethingmoreephemeral,suchasjusttheiremailaddress?
• Theansweris,“itmaydepend.”SomestandardassurancepersonalcerPficatesonlyvalidateauser'scontroloveranemailaddress,typicallybysendingacryptographicchallengetothataddress.That'sthesortofclientcertswe'llbeworkingwithtoday.
• OtherclientcerPficatesmayrequiremuchmorerigorous"idenPtyproofing,"perhapsrequiringtheusertosupplygovernmentissuedidenPficaPon(oreventoundergoacompletebackgroundcheck)beforetheygetissuedahigherassuranceclientcert.
31
HSPD‐12andFederalCAC/PIV‐ICards
• OnAugust27th,2004,then‐PresidentGeorgeW.Bushissued"HomelandSecurityPresidenPalDirecPve12,"(seehEp://www.idmanagement.gov/documents/HSPD‐12.htm)mandaPngtheestablishmentofacommonidenPtystandardforfederalemployeesandcontractors.
• Asaresult,thefederalgovernment(andapprovedcommercialcontractorsacPngonthegovernment'sbehalf)havealreadycollecPvelyissuedmillionsof"CommonAccessCards"("CACs")and"PersonalIdenPtyVerificaPon‐Interoperable"("PIV‐I")smartcards.
• "Firstresponders"alone(asdefinedinHSPD‐8)mayulPmatelyrequireissuanceofover25.3millionsuchcards.(seehEp://www.dhs.gov/xlibrary/assets/Partnership_Program_Benefits_Tax_Payers_Public_and_Private_Sector.pdf)
• PartofthatprocessisidenPtyproofingthoseusers–including,inthscase,evendoingbackgroundinvesPgaPons.
32
33Source:hEp://www.idmanagement.gov/presentaPons/HSPD12_Current_Status.pdf
AnAside:CAC/PIVIsA"ProofByExample"ThatCertsAreUsableBy"MereMortal"End‐Users
• IfitwastoohardtoissueoruseaCAC/PIVcard,millionsoffederalemployeesandcontractorswouldbehavingtroubledoingso.Butthey'renot.Forthemostpart,PKIonhardtokensorsmartcardsnow"justworks."ThisisarealtesPmonytothehardworkofthefederalemployeesandcontractorswhohavebeeninvolvedwiththatproject.
• Thisisnottosaythattherearen't*some*intricaciesthatmayneedtobeexplained.Onesitethat'sdoneaterrificjobofusereducaPonistheNavalPostgraduateSchool.Checkouttheiroutstandingtri‐foldbrochureexplaininghowtouseamilitaryCACcard:www.nps.edu/Technology/Security/CAC‐guide.pdf
Withthehelpofthatguide,IthinkmostfolkswouldbeabletofigureouthowtodobasicCAC/PIVtasks.
34
WhyAreTheFedsUsingClientCerts?IfYouNeedNIST"LOA‐4",They'reBasicallyYourOnlyPrac)calOp)on
• NIST800‐63Version1.0.2(seecsrc.nist.gov/publicaPons/nistpubs/800‐63/SP800‐63V1_0_2.pdf)says:
"Level4–Level4isintendedtoprovidethehighestpracPcalremotenetworkauthenPcaPonassurance.Level4authenPcaPonisbasedonproofofpossessionofakeythroughacryptographicprotocol.Level4issimilartoLevel3exceptthatonly“hard”cryptographictokensareallowed,FIPS140‐2cryptographicmodulevalidaPonrequirementsarestrengthened,andsubsequentcriPcaldatatransfersmustbeauthenPcatedviaakeyboundtotheauthenPcaPonprocess.ThetokenshallbeahardwarecryptographicmodulevalidatedatFIPS140‐2Level2orhigheroverallwithatleastFIPS140‐2Level3physicalsecurity.Byrequiringaphysicaltoken,whichcannotreadilybecopiedandsinceFIPS140‐2requiresoperatorauthenPcaPonatLevel2andhigher,thislevelensuresgood,twofactorremoteauthenPcaPon."
35
AnAside....DoesHigherEd*HAVE*AnyUseCasesThatActuallyRequireLOA‐4?
• WearingmyInCommonCerPficateProgramManagerhatforaminute,currentlyInCommonhasonlyoneclientcerPficateoffering,standardassuranceclientcerts.ShouldwealsohaveaclientcerPficateofferingsPedtotheInCommonAssuranceProgram(e.g.,Bronze,Silver,etc.)?
• DowehaveanyusagecasethatwouldrequireLOA‐4,orwouldLOA‐3be"goodenough"forallpotenPalhigheredusagescenarios?(LOA‐3requirestwofactor,butnotnecessarilyclientcerts).I'mstronglyinterestedinunderstandingwhatmightdriveLOA‐4adopPon...
• IfwedidofferanLOA‐3orLOA‐4compliantcertprofile,itwouldimplystrongeridenPtyproofing.WouldhighereducaPonusersbewillingtoputupwithrigorousidenPtyproofinghassles?(bywayofcomparison,wehaven'tseenatremendousnumberofextendedvalidaPonservercerPficatesrequested,eventhoughthey'reavailableatnoaddiPonalcostaspartoftheInCommonCerPficateProgram)
36
AnAside:"Iden)tyProofing"forRegularCi)zens• Ifyoutravelextensively,you'veprobablyrunintolonglinesatcustoms,
eitherwhilecomingintotheU.S.,orperhapswhiletravellingintoCanadaorMexico.Ifso,youmayhavenoPcedthatsomefolks("TrustedTravellers")canusethe"GlobalOnlineEntrySystem"("GOES")and/orNEXUS/SENTRItoavoidthoselines.Agrowingnumberofairportsalsooffer"TSAPreCheck"linesforparPcipantsinthatprogram.(seehEp://www.globalentry.gov/)."TrustedTravellers"areissuedamachinereadablehigh‐assurancecredenPal($50for5years)forthatpurpose.
• Obviously,however,itwouldbebadtoissueacredenPalofthissorttoapersonyouhadn'tthoroughlyidenPtyproofed.Therefore,ifyouapplytobeaTrustedTraveller,youridenPtyisvalidatedinmulPplewaysincludingareviewofgovernmentrecords(youdon'twanttoissueacardtoacriminal,forexample!);reviewofexisPngdocuments(suchasyourpassport);collecPonofbiometrics,e.g.,aphotograph,fingerprints,andinsomecasesapictureofiris/rePna.Youalsoneedtophysicallyappearinpersonforaninterview.Travellerswearyofbeingstalledattheborderwillputupwiththosehassles,butwouldregularhigheredusersdoso?
37
SomeFederalHighSecurityApplica)onsThatNowUseClientCertsMayBeSurprising
38
ClientCertsCanEvenBeSecureEnoughforUseinConjunc)onwithNa)onalSecuritySystems
• Seethe"NaPonalPolicyforPublicKeyInfrastructureinNaPonalSecuritySystems,"March2009(hEp://www.cnss.gov/Assets/pdf/CNSSP‐25.pdf)makesitclearthatclientcertsevenformthefoundaPonforNSSuses:
"(U)NSSoperaPngattheunclassifiedlevelshallobtainPKIsupportfromtheestablishedFederalPKIArchitecture."(U)NSSoperaPngattheSecretlevelshallobtainPKIsupportfromtheNSS‐PKI."(U)TheNSS‐PKIhierarchyshallrestonaRootCerPficateAuthority(CA)operatedonbehalfofthenaPonalsecuritycommunityinaccordancewithpoliciesestablishedbytheCNSSPKIMemberGoverningBody.TheNSS‐PKIRootCAshallserveastheanchoroftrustfortheNSS‐PKI."
• TS/SCI("JWICS")counterpartoftheNSS‐PKI?IC‐PKI.39
Cer)ficatesAreNowAlsoBeingUsedtoSecureNa)onalCri)calInfrastructure
• Forexample,considerthenaPonalelectricalgrid.TheNorthAmericanEnergyStandardsBoard's("NAESB")2012AnnualPlanfortheWholesaleElectricQuadrantspecificallydiscussestheirplansfordeployingPKIonpages4andfollowing.(SeehEp://www.naesb.org/pdf4/weq_2012_annual_plan.docxandhEp://www.naesb.org/weq/weq_pki.asp)
• Thisisbeginingtobedeployed/madereal,too,rightnow:
‐‐"ShifSystemsIdenPfiedastheFirstNAESBAuthorizedCerPficaPonAuthority,"Feb16,2012,hEp://www.prnewswire.com/news‐releases/shif‐systems‐idenPfied‐as‐the‐first‐naesb‐authorized‐cerPficaPon‐authority‐139493283.html
‐‐"OATIwebCARESAuthorizedbyNAESBforwebRegistry,"Apr11,2012,hEp://www.prweb.com/releases/2012/4/prweb9390545.htm
‐‐"GlobalSignAnnouncesAccreditaPnasAuthorizedCerPficateAuthorityfortheNorthAmericanEnergyStandardsBoard,"Apr23,2012,hEp://www.prweb.com/releases/2012/4/prweb9431614.htm
40
And,OfCourse,SomeLargeCorpora)onsandAgenciesHaveUsedClientCer)ficatesforYears
• AniceindicaPonofinterestin/useofclientcerPficatescanbeseeninthingslikeparPcipaPoninthe"SmartCardAlliance,"see
hEp://www.smartcardalliance.org/pages/alliance‐membersincluding:AmericanExpress,BankofAmerica,BoozAllenHamilton,CapitalOne,Chase,CSC,DeloiEe&Touche,HewleE‐Packard,IngersollRand,LockheedMarPn,MasterCard,SAIC,Visa,WellsFargo,andmanyothers.
• TounderstandhowsmartcardsrelatetoclientcerPficates,notethatsmartcardsareawaytosecurelystoreclientcerPficatesonwhatlookslikeacreditcard(ifyoulookclosely,you'llseethatasmartcarddiffersfromatradiPonalcreditcardinthatithasasmallsetofflushgold‐coloredcontactsonthefront).
• ManylargecompaniesusesmartcardsasthefoundaPonfortheircorporateemployeeIDcards.
41
IV."NonAdop)on"ofClientCerts
42
SoWhyHaven'tClientCerts"TakenOff"MoreBroadly?
• Andwhatcanwedotofixthis,assumingwewantto?
• Itisn'tsimplythatclientcertsarenew...hEp://en.wikipedia.org/wiki/Public_key_infrastructure#HistoryPestheoriginofPKIto1969,withpublicdisclosureofsomeofthekeyalgorithmsdaPngto1976–that'sthirtyfiveyearsago.TheRSAPKCS("PublicKeyCryptographyStandards")documentsdateto1993–that'seighteenyearsago.ByInternetstandards,allofthisworkis"ancient"(or"wellestablished,"ifyouprefer).
• Soitisn'tsimplythatPKI'sthe"newkidontheblock."
• Thereare(ormaybe)manyotherpossiblereasonswhyclientcerPficateshavestruggledsofar....
43
Economics?AreClientCertsTooExpensive?
• "ThereareseveralreasonsPKIhasfailed,saysPeterTippeE,headoftheindustrysoluPonsandsecuritypracPceatVerizonBusiness.
"ThemainreasonorganisaPondonotusePKI,hetold aEendeesofRSAConference2011,isthatitcoststoomuch. "SpeakingonadebateontheimportanceofidenPtyto internetsecurity,hesaidveryfeworganisaPonsareableto makeabusinesscaseforspending$200to$300peruser,per year."
"WhyPublicKeyInfrastructureHasFailed",hEp://www.computerweekly.com/blogs/read‐all‐about‐it/2011/02/why‐public‐key‐infrastructure.html[emphasisadded]
HowmuchwouldYOURschoolpayperuser,peryear? 44
MyTargetCostforClientCerts:$1/user/month
• Lackingharddata,I'mgoingtosuggestanominalamountthatmightbeacceptable:$1/user/month(inclusiveofallcosts),overanormalfouryearundergraduateenrollment,or$48.00peruseroveraquadrennialperiod.
• Forcontext:(a)www.nacs.orgstatesthattheaveragepriceforanewtextbookin2009‐2010was$62.00(b)onemajoronlinevendorquotesquotes3yearRSASecurID700onePmepasswordTokens(ina5pack)@$55.60/token
• InCommonsellshardtokensfor$19.80/unittoInternet2members(seehEp://www.incommon.org/safenet/pricing.html)whichwouldleave~$6/user/yeartocoverothercosts,assumingclientcertsaregemngdeployedonUSBformathardtokens.
45
InSomeCases,TheClientCertsThemselvesAre"Free"
• Ifyou'vesigneduptoparPcipateintheInCommonCerPficateprogram,yougetthebundledabilitytoissueclientcertsatnoaddiPonalcost,andevenifyourschooldoesn'tparPcipateintheInCommonCerPficateprogram,individualscansPllgetfreeclientcerPficatesforpersonal/homeuse,see:
www.comodo.com/home/email‐security/free‐email‐cerPficate.php
• Thatsaid,obviouslythecostofthecertsthemselvesarenottheonlycostsassociatedwithrollingoutclientcerts(forexample,ontheprecedingpage,wetalkedabouthardtokencosts).
• Sowhatothernon‐technicalexplanaPons,otherthancost,dopeopleofferforclientcerPficatenon‐deployment?
46
IsUsabilityActuallyTheProblem?
• "Despitemanyyearsofeffort,PKItechnologyhasfailedtotakeoffexceptinafewnicheareas.Reasonsforthisabound[…]Probablytheprimaryfactorattheuserlevel[…]isthehighlevelofdifficultyinvolvedindeployingandusingaPKI.Thereisconsiderableevidencefrommailinglists,Usenetnewsgroupsandwebforums,anddirectlyfromtheusersthemselves,thatacquiringacerPficateisthesinglebiggesthurdlefacedbyusers.Forexamplevarioususercommentsindicatethatittakesaskilledtechnicaluserbetween30minutesand4hoursworktoobtainacerPficatefromapublicCAthatperformsliEletonoverificaPon[...][A]setofhighlytechnicalusers,mostwithPhDsincomputerscience,tookovertwohourstosetupacerPficatefortheirownuseandrateditasthemostdifficultcomputertaskthatthey’deverbeenaskedtoperform."
PeterGutmann,UniversityofAuckland,Usenix'03,hEp://dl.acm.org/citaPon.cfm?id=1251353.1251357
47
ThingsHaveComeALongWay,Usability‐Wise
• Forexample,thesedays,theprocessforobtainingaclientcerPficatecanbeassimpleas:‐‐Completeashortonlinesecurewebform‐‐ClickonalinksenttoyoubyemailtodownloadyourclientcerPficateintoyourbrowser.Don'tbelieveit?We'llhaveeveryonetrygemngtheirownclientcertlaterinthissession.(Wemightalsotalkaboutwhetherthishasswungtoofarinthe"tooeasy"direcPon,Isuppose)
• TheremaysPllbesomeuglybitstodoafergemngyourcert(dependingonhowyouwanttouseit),butatleastsomeedusiteshavedevelopedlocalscriptsthatmaketheinstallaPonprocesspreEypainlessfortheirusers.
• Internet2/InCommonis/soonwillbeworkingonofferingagenerallyavailablecerPficateinstallaPontool,basedon/modeledaferthosesite‐specificinstallaPontools.
48
OrIsTheProblemThatOtherSolu)onsHaveUsurpedPKI'sMarketNiche(s)?
• Ifyou'vegotPGP(orGNUPrivacyGuard)tosignorencryptemail,doyoualsoneedPKIclientcertsandS/MIMEforsigned/encryptedemail?
• IfyoursiteisusingonePmepassword(OTP)cryptofobs(oryouusesshwithpresharedkeys),doyousPllneedclientcertsforauthtosensiPvesystems?(Andwhatabouta2ndchannelsoluPonleveragingsmartphones,suchasInCommon'snewofferingwithDuoSecurity,seehEp://www.incommon.org/duo/index.html)
• HasthesuccessofInCommon(andotherfederatedauthenPcaPonefforts)eliminatedtheneedforPKI‐basedcross‐enPtycredenPals?FederaPonseemstobethedirecPonthattheNaPonalStrategyforTrustedIdenPPesinCyberspace(NSTIC)isgoing,anditmaybeworthnoPngthatsomehavealwaysworriedabouttheprivacyimplicaPonsofPKI‐style"naPonalIDcards"online...
49
"IsNSTICaplantointroduceana)onalIDcardoraninternetdriver'slicense?DoIhavetogetone?"
"No.ThegovernmentwillnotrequirethatyougetatrustedID.Ifyouwanttogetone,youwillbeabletochooseamongmulPpleidenPtyproviders—bothprivateandpublic—andamongmulPpledigitalcredenPals.SuchamarketplacewillensurethatnosinglecredenPalorcentralizeddatabasecanemerge.EvenifyoudochoosetogetacredenPalfromanIDprovider,youwouldsPllbeabletosurftheWeb,writeablog,visitchatrooms,ordootherthingsonlineanonymouslyorunderapseudonym".[FAQitemresponseconPnueshere]
*hEp://www.nist.gov/nsPc/faqs.html
.
50
AHumorousComment(WithAnUnderlyingGrainofTruth?):ThePKIDeLorean*Hypothesis
• "[M]aybethepossiblefutureinwhicheverythingisPKI‐enabledanddigitalcerPficatesareubiquitousissohorrendousthatitactuallysentripplesofbadluckbackthroughPmethatsabotagedthedevelopmentanddeploymentofPKItechnology.Somethingsactuallyseemtomakealotofsensefromthispointofview."
"WhyPKIFailed,"LutherMarPn,29October2009,hEp://superconductor.voltage.com/2009/10/why‐pki‐failed.html[ablogaboutsecurity,cryptographyandusability]
*C.F.hEp://en.wikipedia.org/wiki/Back_to_the_Future
51
"FixingPKI"–ACobageIndustryofItsOwn
• PKIhasbeensuccessfulinone(quiteperverseway):ithassucceededininspiringhundredsofpapersandtalksaEempPngtoexplainpreciselywhyPKIhasfailedsofar.
• Oneauthorevenwentsofarastosay,
'[I]tseemsariteofpassagefortheserioussecurity researchertowriteapaperwithaPtlesuchas "ImprovingPKI..."Neverinthefieldofsecurity researchhassomuchbeenwriEenbysomany,to bereadbysofew.' hEp://iang.org/ssl/pki_considered_harmful.html
52
OrAreSomeFundamentalTechnicalBitsSoBrokenThatTheyMakeSanePeopleRunAwayFromPKI?
• Forexample,whataboutrevokingorcancellingclientcerPficates?
• HypothePcallyimaginethatyou'reamanagerandyou'refiringanemployee.Aspartofdoingthat,youcollecttheirdoorkeyandcompanycreditcard(oryouhavethelockschangedandthecreditcardcancelledifthey'vebeen"lost").
• ButwhataboutrevokingaclientcerPficatetheymighthavebeenissued?(Fornow,let'sassumethatitwasn'tissuedinnon‐exportableformonasmartcardorPKIhardtoken)
• Howwouldyoucancelorrevokeit?53
RevokingAClientCert
• Unfortunately,unlike"takingback"aphysicaldoorkeyorcumngupacreditcard,it'sharderto"takeback"anelectroniccredenPal.
• CRLs("cerPficaterevocaPonlists",seeRFC3280andRFC5280)weremeanttohandlethisproblem,muchlikethoseprintedbooksofstolenorrevokedcreditcardnumbersthatstoresusedtogetfromthebankcardcompaniesbankintheolddays.MostCAscurrentlypublishaCRLonceaday.SomeusersmaycheckordownloadthosedailyCRLs,butmostdon't.Andifyou'reaCA,oryou'reauserwithacompromisedcert,youreallydon'twanttohavetowaitupto24hourstosort‐of‐revokeacompromisedcredenPal,nordoyoureallywantmillionsofusertohavetopotenPallydownloadahugefilelisPngpilesofrevokedcerts!
• OCSP("onlinecerPficatestatusprotocol",RFC2560)wasmeanttohandlethisissuemuchmoredirectly,andinteracPvely,butmanybrowsersandemailclientsdon'tcheckacert'sOCSPstatus.Ugh.
54
LocallyImpor)ngaCRL
• AnexampleofaCRLis:hEp://crl.usertrust.com/AddTrustExternalCARoot.crl
• IfyouvisitthatURL,itwillbeimportedintoyourbrowser.• YoucanalsoscheduletheCRLtobeautomaPcallyupdated,if
you'dliketodoso...
• But,andthisiscriPcalifyoubelievescalabilityisimportant:youshouldn'tneedtodownloadanevergrowinglistofkilledcerts.
55
CRLs:The"hosts"FileofPKI
• NotethateachCAwillofferoneormoreCRLs,andtherearehundredsofCAsoutthere!NormallyyouwouldNOTwanttorouPnelyimportallthoseCRLsallthePmeoneachsystem!Thissimplydoesn'tscaletoInternet‐sizeaudiences.
• Inmanyways,thisremindsmestronglyof"hosts"filesintheoldpre‐DNSdays–youknow,peoplewouldcopyaroundstaPcfileswithmappingsofhostnamestoIPaddresses.
• Doyoureallythinkwe'dhavethesizeInternetwehavetoday,ifthatsortofthingsPllhadtohappen?Clearly,no.
56
SoWhatAboutOCSP?
• YoucanchecktoseehowOCSPisconfiguredinFirefoxbygoingtoabout:configandthenfilteringforocsp.Forexample(enlargedforeaseofviewing):
• NotethatOCSPischeckedbutisNOTREQUIREDbydefaultinFirefox.Youcanchangeittoberequiredifyouwantto,butindoingso,you'llbreakaccesstosomeSSL/TLS‐securedsites.
57
Chicken/EggInterac)onsandInsis)ngonOCSP
• Assumeyou'reconnecPngviaacapPveportal,andthecapPveportalblocksallexternalaccessbydefaultunPlyou'veloggedintoanSSL/TLS‐securedpages.
• NowassumethatyouareusingabrowserthatstrictlyrequiresOCSPvalidaPon...butOCSPvalidaPonrequirestheabilitytoconnecttotheOCSPresponder,andthatrequirestheabilitytoresolvetheDNSname,andtoconnecttothathost...butthatrequiresnetworkaccess...Nicecirculardeadlock,eh?
• MypointindwellingonCRLsandOCSPsearlyintoday'ssessionistogiveyouaheadsupthattherearesomearchitecturalandsecuritycomplexiPesthatdoexist,andthatmaybenecessaryto"resolve"ifyouwantcertstoworkinsomeenvironments...butthosedon'tneedtobe"showstoppers"inmyopinion.
• ClearlycertrevocaPonis(orcanpotenPallybe)tricky.Thisiswhy,whenitreallymaEers,browservendorsissuepatchestokillcerts
58
AListofSomeFirefoxSecurityAdvisories
59
ExampleofOneofThoseSpecificAdvisories
60
I'veRambledEnough...
• Wecouldtalkforhourswhenitcomestoprovidingcryptobackground,butlet'sseehowthisallactuallyworks...let'sgetaclientcertandgetsetuptosendandreceivesecureemail.
• Thenextpartoftoday'ssessionthuslookslike:
‐‐applyingforaclientcert‐‐successfullydownloading/installingitinFirefox‐‐backingitup‐‐installingthecertinThunderbird‐‐configuringThunderbirdtodoS/MIME
61
V.GelngAFreeS/MIMEClientCer)ficate
62
GelngaFreeClientCertforS/MIMEWithFirefox
• TodoS/MIME,you’llneedanemailaccountandaclientcert.We’llassumeyoualreadyhaveanemailaccountyoucanuse,andwe’llgetourfree‐for‐personal‐useclientcerPficatefromComodo.Thankyou,Comodo!Togetit,goto:hEp://Pnyurl.com/free‐cert(hEp://www.comodo.com/home/email‐security/free‐email‐cerPficate.php)
• We’regoingtouseFirefoxtoapplyforanddownloadourcertfromComodo.WhileyoucanusepreEymuchanypopularbrowserwithclientcerts,forthepurposeofthistraining,ifyou'refollowingalong,aswegothroughthis,pleaseONLYuseFirefox.Ifyoudon’talreadyhaveFirefox,youcangetitforfreefrom:hEp://www.mozilla.org/en‐US/firefox/fx/
• Macvs.PCorLinux:Althoughwe’llbeusingFirefoxonaMacintheseslides,FirefoxonMicrosofWindowsorLinuxwillbevirtuallyidenPcal.
63
Comodo’sFreeSecureEmailCer)ficateWebSite
64
TheApplica)onFormYou’llComplete
65
SuccessfulApplica)on…
66
Atthispoint,folks,pleasecheckyouremailfromComodo.You’llneedtogototheweblinkthatthey’vesentyou…
Collec)ngYourCer)ficate
67
Tocollectyourcer9ficate,usingtheSAMEBROWSERontheSAMESYSTEMyouusedtoapplyforyourcer9ficate,gototheURLyouweresentinemailandpluginyouremailaddressandtheuniquepasswordthattheyprovided
SuccessfulCer)ficateDownload…
68
"WhereElseCanIGetClientCerts?"
• Whilewe'reonlygoingtoshowuseofthefreeoneyearComodoclientcertforpersonaluseinthistraining,youcanalsogetapaidclientcertfromComodo's"EnterpriseSSL"division,andfreeorpaidclientcertsfromothervendors.See,forexample:
‐‐hEp://www.enterprisessl.com/ssl‐cerPficate‐products/addsupport/secure‐email‐cerPficates.html
‐‐hEp://www.globalsign.com/authenPcaPon‐secure‐email/digital‐id/compare‐digital‐id.html
‐‐hEp://www.symantec.com/verisign/digital‐id/buy
‐‐hEp://www.trustcenter.de/en/products/tc_personal_id.htm
69
InCommon'sClientCer)ficateProgram
• BecausethisisahighereducaPonaudience,I'llalsonotethatifyousignupforInCommon'sClientCerPficateService(seehEp://www.incommon.org/cert/),InCommonincludestheabilityforyoutoissueclientcerPficatesaswellastradiPonalSSL/TLSservercerPficatesatnoextracharge.
• AlsonotethatifyouparPcipateinInCommon'sCerPficateProgram,youcanissuecertsbothviaawebinterface(the"ComodoCerPficateManager")andviaaprogrammableAPIwithsynchronousclientcertissuancewithinfiveseconds.
• SeehEps://www.incommon.org/cert/repository/fortheInCommonCerPficateManager(CM)Guide,theEndUserGuideforClientCerPficates,andtheCerPficateManager(CM)SMIMEEnrollAPIGuideformoreinformaPon.
70
VI.ExaminingandBackingUpYourNewClientCer)ficate
71
"Okay,I'veGotMyClientCert.WhatDoIDoNow?"
• WhenComodogaveyouyourclientcert,rememberthattheyrecommendedthatyoubackitup.
• Weagreethat'sagoodidea.
• Youalsoneedto"backupyourcerPficate"inordertobeabletogetitintoThunderbirdforuseinemail.
• Therefore,launchFirefoxifyouaren'talreadyrunningit.
72
InFirefox,GotoFirefox‐‐>Preferences…
73
TheFirefoxCer)ficateManager
74
Notes:Selectthe“YourCerPficates”tabontheCerPficateManagerpanel.Ifnecessary,hitthetriangulararrowtoexpandthelistofComodocerPficates.You’llprobablyonlyseeonecerPficate,theoneyoujustgotfromComodo.ButjustasamaEerofform,let’sconfirmthatitreallyisyours…
TheGeneralTabTellsUsWhenTheCertExpires
75
TheDetails"ViewCert"TabWillLetUsSeeTheEmailAddressAssociatedWithOurNewCert
76[Closethe“ViewCer)ficate”boxwhenyou’redonelookingatit]
Okay,We'vePickedThe"RightOne,"SoLet'sBackItUp…
77
The"NameYourBackup"DialogBox
78
PickanameforyourcerPficatebackupfile.Itshouldendwitha.p12fileextension.Forexample,youmightcallthisfilemycertbackup.p12BesureyousaveitasaPKCS12typefile.
TheFirefoxCertManagerBackup‐PasswordDialogBox
79
Pickastrongpasswordtosecureyourcertbackupfile.
PLEASEDONOTFORGETTHATPASSWORD!YOUWILLNEEDIT!
BackupSuccessful…
80
NotethatyoushouldsaveacopyofyourbackuptoaCD,athumbdrive,orsomeexternaldevicejustincaseyouloseyoursystem,yourdrivecrashes,etc.
VII.Impor)ngYourCer)ficateIntoThunderbird
81
We'reNowGoingToImportOurNewCer)ficateIntoThunderbird
• Whiletherearemanydifferentpopularemailclients,we’regoingtoshowyouhowtoimportyourclientcertintoThunderbird.(Laterwe’llalsoexplainhowtouseOutlook,andhowtouseclientcertsinGmailwebemailwithPenango,butfornow,we’regoingtofocusonThunderbird)
• Ifyoudon’talreadyhaveThunderbird,andyou’dliketogetandinstallitnow,youcangetitforfreefrom:hEp://www.mozilla.org/en‐US/thunderbird/
• NotethatThunderbirdhasanautomatedinstallaPonwizardthatshouldbeabletocorrectlyconfigureitselfinmostcases.Acau)ontoanynon‐technicalpersonlookingattheseslideslater:inselngupyouraccount,chooseIMAP(and*NOT*POP)foryouraccounttype!IfyouselectPOP,youmaydownload(andthendelete)allthemailthatyou'vehadstoredonyouraccount!
82
"WhyCan'tThunderbirdJustUseTheCertThatI’veAlreadyGotInstalledinFirefox?
They'reBothMozillaApplica)ons,Aren'tThey?"
• Yes,bothFirefoxandThunderbirdAREfromMozilla.
• WhilesomeapplicaPonsrelyoncerPficatesstoredcentrallyinasingleoperaPng‐system‐providedcerPficatestore(e.g.,inthe“keychain”ontheMac),FirefoxandThunderbirddoNOTdothis.
• FirefoxandThunderbirduseseparateper‐applicaPoncerPficatestores,instead.ThisgivesuserstheflexibilitytotailorwhatcertsgetpotenPallyshowntoeachsuchapplicaPon,butthedownsideisaslightlymorecomplicatediniPalsetup(youneedtoinstallyournewcerPficateinmulPplelocaPons)
• Forwhatitmaybeworth,atleastThunderbird’spreferencesshouldlookveryfamiliartoyouaferlookingatFirefox’s
83
InThunderbird,GotoThunderbird‐‐>Preferences…
84
InTheCer)ficateManager,"YourCer)ficates"Tab,ClickonImport
85
SelectThe.p12BackupFileYouWantToImport
86
SupplythePasswordYouUsedforTheCertBackup
87
SuccessfulImporta)onofTheCertIntoThunderbird
88
VIII.InThunderbird,AssociateYourCer)ficateWithYourEmailAccountAnd
ConfigureThunderbirdToDoDigitalSigning
89
Thunderbird:Tools‐‐>AccountSelngs
90
Security
91
SelectTheCertYouWantToUseForDigitalSigning
92
ConfirmThatYouWantToAlsoUseThatSameCertforEncryp)ng/Decryp)ngMessages
93
MakeSureYou’reSetToDigitallySignYourMessagesByDefault
94
ThunderbirdConfigura)onIsNowComplete…
• Thehardpartisover!YouarenowsettoautomaPcallydigitallysignyourThunderbirdemailmessagesbydefault.
• Andthegoodpartisthatnowthatyou’vegotyourselfsuccessfullyconfigured,youwon’thavetoscrewaroundwithanyofthisforroughlyayear(e.g.,unPljustbeforeyourfreeComodopersonalcerPficateisclosetoexpiring)
• Huzzah!
95
IX.DigitallySigningAMessageInThunderbird
96
StartWri)ngAMessageTheWayYouNormallyWould
97NOTETHE“DIGITALLYSIGNED”SEALATTHEBOTTOMRIGHTCORNER!
Op)onal:ConfirmThatTheMessageWillBeSigned
98
ClickOnThePadlockIconOnTheBarOrTheLiQleRedSealInTheBoQomRightCornerIfYouEverWantToDoubleCheck!
ProceedtoSendYourMessage
• …justlikeyounormallywould.ItwillautomaPcallybedigitallysignedwithyourcerPficate.
• Yourrecipientswillseeyournormalmessage,plusanaddiPonal“p7s”aEachmentthatwillhaveyourpublickey/cerPficate.(no,that'snotmalware:‐))
• Ifyourcorrespondent’semailclientsupportsS/MIME,itwillautomaPcallycheckandvalidateyourdigitalsignature.
• Ifyourcorrespondent’semailclientdoesn’tsupportS/MIME,theycanjustsafelyignoretheextrap7saEachment.
99
X.Encryp)ngAMessageInThunderbird
100
Signingvs.Encryp)ng
• Digitallysignedmessagesestablishwhopreparedthebodyofthemessage,butanyonecansPllreadthatmessage:it’scryptographicallysigned,it’snotencrypted.
• IfthebodyofyourmessageissensiPve,youmayalsowanttoconsiderencrypPngitsothatonlytheintendedrecipient(orsomeonewithaccesstohisprivatekey)canreadit.
• Oh,anditgoeswithoutsayingthatamessagecanbebothsignedANDencrypted,ifthat'sappropriate.
101
GelngThePublicKeyofYourCorrespondent
• Toencryptamessageyou’llneedyourcorrespondent’spublickey.
• Buthowwillyougethispublickey?Answer:you’llhavetherecipientsendyouadigitallysignedmessage,first.
• YouremailclientwillautomaPcallyextractthepublickeyandcertitneedsfromthatdigitallysignedmessageyoureceivedfromhim.
• Ifdigitalcertsaredeployedthroughoutyourenterprise,youmayalsobeabletogetpublickeysandclientcertsforyourcorrespondentsfromyourenterprisedirectory,butthatmodelfallsapartwhenyouaEempttoextenditInternet‐wide.
102
AMetaQues)on:ShouldIEncryptTheMailISend?
• Maybeyes,maybeno.
• Firstofall,notethatyouusuallywon’tbeabletoencryptunlessyourcolleagueisALSOsetuptodoS/MIME,andyourcorrespondenthasalreadysentyouatleastonesignedmessage(sothatyou’llhavehispublickeyandcert)
• Ifthecontentofyouremailisn’tsensiPve,youprobablydon’tneedtoencryptit.Itmaybe“cool”toencryptallthemessagesyoucan,butifyoudon’tneedto,youmightwanttoskipit.Why?– Well,ifyoureceiveencryptedcontent,youwon’tbeabletosubsequently
easilysearchthosemessages.
– And,ifyouhappentoloseyourprivatekey,youwillbeS‐O‐Lunlessyouhaveyourkeybackedup(andyoucanrememberitspassword!),oryourkeyhasbeenescrowed.Ifyourkeyisn'tbackeduporescrowed,canyoureallyaffordtopotenPallyloseallthecontentencryptedwiththatkey?
– You'lldrivecommandlineemailclientusersnuts.103
AndSomeArgumentsInFavorofRou)neEncryp)on
• What'snotsensiPvetome,mightbesensiPvetosomeoneelse.Likewise,itmightnotbesensiPveNOW,butitmightbesensiPveLATER.
• IfyouonlyencryptsensiPvemessages,thatsuremakesthemstandsout,doesn'tit?Wouldn'titbeniceifthosemessageswerejustpartofalargervolumeofrouPnelyencryptedmessages?
• It'srelaPvelyeasytoforgettoenableencrypPon,andtoaccidentallysendoutasensiPvemessageincleartext.IfyourouPnelyencrypt,thatwon'thappen.
• Ifyouwantpeopletosecuretheiremail,youneedtosettheexampleandnudgethemalong.Iftheygetsetuptodoencryptedemail,butthennevergetany,theymayfeellikethey'rewasPngtheirPme.
• Finally,it*is*sortofcool/funtodoso.:‐)104
HedgingTheRiskofDataLoss:KeyEscrow• Let'spretendthatyouhaveafacultymemberwho'sdoing
absolutelycriPcal(andhighlysensiPve)workforyourschool,andyouwantthemtorouPnelyencryptasaresult.AtthesamePme,assumethatpersonisoverweight,hashighbloodpressure,drinksandsmokes,crossesthestreetwhiledistracted,driveswithoutaseatbeltandlivesinaganginfestedneighborhood.Frankly,youworrythatcriPcalfacultypersonwilldieorbekilled,ormaybejustquitandstartabusinessmakinghome‐madepremiumsoapsomeday.Ifthathappens,howwillyougetatalltheirencryptedworkmessagesandfiles?Willallthatworkproductbelost?
• EscrowingencrypPonkeysallowsyoutogetacopyofotherwiseunavailableencrypPonkeysinavarietyofcarefullypredefinedemergencysituaPons.Companiesnormallypayextraforthis"insurance."KeysrecoveredviaescrowmayhavetheassociatedcertrevokedatthesamePme.
105
"ItISWorthIt.IDOWantToEncryptMyMessage‐‐HowDoIDoThatInThunderbird?"
106
"WhenIGetASignedandEncryptedMessage,WhatWillItLookLike?"
107
WhoSignedThatMessage?(Note:ItMayNotBeThePersonWhoSentTheMessage)
108
AnExampleofUsingaNon‐MatchingCert
109
Addi)onalImportantS/MIMECaveats
• S/MIMEencryptstheBODYofthemessage,ONLY.S/MIMEDOESNOTENCRYPTTHESUBJECTHEADER(oranyothermessageheader).Therefore,DONOTputanythingthatneedstobekeptconfidenPalintheSubjectofanencryptedmessage.Infact,youmaywanttogetinthehabitofneverpumngANYTHINGintothesubjectlineofencryptedmessages.
• EncryptedmessagebodiescannotbeautomaPcallyscannedonthenetworkforvirusesorothermalware.
• SomemailinglistprogramsmaytamperwithmessagesbydoingthingslikeaddingfootersorrewriPnglinksorstrippingaEachments(includingp7sdigitalsignatures).Ifthathappens,yoursignaturewon’tvalidate.Ifyousendmessagestomailingliststhatdothesesortofthings,youmaywanttomanuallydisabledigitalsigningformessagestothoselists.
110
XI.WhatIfIWantToUseOutlookInsteadofThunderbird?
111
OutlookOnAppleOSXUsestheAppleKeychain;ToDoS/MIMEwithOutlook,WeNeedToGetOurCertIntoIt
112
Can’tfindKeychainAccess?CheckApplicaPons‐‐>UPliPes
Impor)ngOurKey/Cert
113
SuccessImpor)ngOurKeyandCert
114
Nowwe’rereadytolaunchOutlook…
Outlook’sOpeningScreen…
115
Outlook‐‐>Preferences…
116
Accounts
117
AdvancedBubon…
118
PickingACertontheAccountSecurityTab
119
120
WhatTheSenderSeesWhenSendingASignedMessageinOutlook
121
OutlookAsksForConfirma)onTheFirstTimeItUsesYourPrivateKey/Cer)ficate
122
[Note:ifyou'reparPcularlysecurityconscious,youmayjustwanttoclick"Allow"ratherthan"AlwaysAllow"]
WhatTheRecipientSeesInOutlookWhenGelngAMessageThat’sSigned
123
WhatIfWeWantToEncryptAMessage?
124
XII."WhatIfIUseGmailWebEmailAndIWanttoDoS/MIME?"
125
GmailDoesNOTNa)velySupportS/MIME
• YouCANdoS/MIMEwithaGmailaccountifyoureadyourGmailviaadedicatedmailclient(suchasThunderbirdorOutlook)
• However,ifyoureadyourGmailviaGmail’swebemailinterface,youwon’tbeabletonaPvelyS/MIMEsignorencryptyourmailtraffic.Why?Well,rememberthatGmail’sbusinessmodelisbasedaroundsellingcontextualads(e.g.,ifyousendanemailmessagetalkingaboutgoingonvacaPontoHonolulu,don’tbesurprisedifyousuddenlystarttoseeGmailadsforairfaretoOahuordiscounthotelroomsoverlookingAlaMoana).
• Fortunately,youcangetathirdpartybrowserplugin,Penango,thatwillhelp.PenangoisfreeforfreeGmailaccounts.ThankyouPenango!(clickonthe“Pricing”linktorequestadownloadlink)
• Warning:PenangoiscloselyintegratedwithFirefox,andonlysupportssomeversions.Checktheversionyou'reusing!
126
127
OnceYouHavePenangoInstalled,OpenPenango’sPreferencesinFirefox
128
PlugInYourGmailAddress
129[someaccountdetailselidedabove]
Uncheck"Automa)callyencryptnewmessages"
130[someaccountdetailselidedabove]
ComposingaSignedGmailMsgWithPenango
131
[someaccountdetailselidedabove]
SomePenango‐RelatedSendingIdiosyncrasies
• WhenyousendasignedorencryptedmessageusingPenango,themessagegetssubmiEed“outside”ofGmail'swebinterface(e.g.,viaSMTPStosmtp.gmail.com).ItdoesNOTgetsentwithintheGmailwebinterface.ThisisnecessarybecausePenangoneedstosetthetop‐levelmessageContent‐TypeappropriatelyforS/MIME.
• Theysubmitviaport465(grr!)andnotSTARTTLSonport587;ifproxiesareinuse,Penangowillendeavortousethem,too.
• TheIPofthehandoffhostdoesappearintheGmailheaders.
• Thebodyofthemessagemaybebase64encodedevenifthemessageyou'resigningisplain‐text‐only.Penangoalsousesalong/uglynameforthe.p7saEachment
• Speakingof,somemessagetext/messageformamngmaymakeitappearasifyoumustusePenangotoprocessaPenango‐generatedS/MIMEmessage.That'sanincorrectimpression.
132
XIII.HardTokens/SmartCards
133
Alterna)vesToStoringYourKeysandCertsOnYourDesktoporLaptop
• InhighereducaPon,manyusersdon'thaveacleanone‐to‐onemappingofuserstosystems.
• Forexample,asecurityconscioususermighthavebothadesktopandalaptop,andmightwanttousetheircerPficatesonboththosesystems,butmightnotwanttoleavetheircredenPalsstoredonmulPplesystemsiftheydon'thaveto.
• Alesswell‐offusermightnothaveasystemoftheirown,workingfromsharedsystemsinacampuscomputerlab,instead.ObviouslyitwouldbebadforthatusertodownloadandinstalltheircredenPalsonasharedsysteminthatlabifthatsystemwillsoonbeusedbysomeoneelse,oriftheymaybeassignedtousesomeothersystemthenextPmetheyvisitthelab.
• WhatwereallyneedisawayforuserstosaveandcarrytheirS/MIMEcertswiththemwherevertheygo.
134
HardTokens/SmartCardsAdvantages
• UserscanuseonesetofPKIcredenPalseverywhere.• UserscancarrytheircredenPalswiththemwherevertheygo(it's
justanotherblobonyourkeychain,oranother"creditcard"inyourwalletorpurse)
• Theuser'sprivate/publickeypaircanpotenPally*begeneratedon‐token(oron‐smartcard),withtheprivatekeyneverleavingthedevice
• Theusercaninsertandunlocktheirtokenorsmartcardonlywhentheyneedit,keepingthatcredenPaloffline(andshelteredfromonlineaEack)therestofthePme
• Clientcertissuancecanmimicotherwellestablishedcreden)alissuanceprocesses(suchasthoseforIDcardsordoorkeys);diboforclientcertuseprocesses.
* NotcurrentlypossibleforInCommonclientcerPficates. 135
GeTngAnIns)tu)onalID(orDoorKey)
GemngauniversityIDcardora doorkeyusuallyinvolves:‐‐ObtainingproofofauthorizaPon,suchasaleEerofadmissionorasignedcontract(oracompletedkeyauthform)‐‐Takingyourpaperworkandadriverslicenseorpassport,andvisiPngthecampuscardoffice(oradistributedcredenPaldistribuPonsite,perhapslocatedinthestudenthousingofficeorpersonneldepartment)‐‐PaperworkandcurrentproofofidenPtygetreviewedandOK’d‐‐One'sphotogetstaken(fortheIDcard)oradepositgetscollectedforakey,anditgetsissuedwhile‐you‐wait.
Thisworks.Notpainless,butnothorrible,andit'srelaPvelysecure.NowvisualizetheIDcardasactuallyasmartcard(withaclientcertonit),orthe"key"actuallybeingaUSBformatPKIhardtoken...wouldthatprocessneedtobemateriallydifferentthanthecurrentprocessofissuingIDcardsordoorkeys?No...
136
UsingAnIns)tu)onalID(orDoorKey)
EveryoneknowshowtousetheirIDcard(orkeys):
‐‐Carryitwithyou,soyouhaveitwithyouwhenyouneedit‐‐Whenneeded,allowyourcardtobescannedorinspected(orsPckyourkeyinthelockandturnittoopenthedoor);thisissimple,sotrainingisnotrequired.
‐‐IfyouloseyourIDoryourkey(s),youreportitsoyoucangetareplacement,andsoyouroldonecanbemarkedasinvalid(orsoanylocksassociatedwiththelostkeycanbepotenPallychanged)‐‐Ifyourkeydoesn'tgetyouintoaspaceyouneedtoaccess,you'llbegivenanotherone(repeatthe"gemngakey"process).‐‐YourIDcardorkeysgetcollectedifyouleaveorarekickedout.
UsingclientcertsneedstobeaseasyasusinganIDcardordoorkey,andcanbeifhardtokens/smartcardsareused.
137
USB‐FormatPKIHardTokens
• USB‐formatPKIhardtokenslookalotlikearegularUSBthumbdrive,butaUSB‐formatPKIhardtokenisactuallyacompletelydifferentanimalthatjustcoincidentallylookslikeathumbdrive.
• Specifically,aUSB‐formatPKIhardtokenisactuallyahighlyspecializedsecurecryptographicprocessorwithintegratedsecurestorage.Correctlyconfigured,itallowsyoutosaveandUSEyourS/MIMEkeysandcerPficate,butwithoutpumngthosecredenPalsatriskofbeing"harvested"/stolen.Thesedays,withallthecredenPalharvesPngmalwarethat'soutthere,that'sapreEycoolthing.
• Infact,USB‐formatPKIhardtokenshavetheabilitytopotenPallygenerateprivate/publickeypairs*onthetokenitself*,sothattheprivatekeyNEVERleavesthetoken,althoughwewillnotbetakingadvantageofthatcapabilityduringtoday'ssession(andinfactthat'salsonotsupportedforInCommonClientCerPficates)
138
SafeneteTokenPRO72K
• ThroughthegenerosityofChenArbelatSafenet,we'reabletoprovideeachSecurityProfessionalsclientcerttrainingparPcipantwithafreeUSBformatPKIhardtokentoday,theSafeneteTokenPRO72K,aswellasthedriversofwareanddocumentaPon.Thankyou,ChenandSafenet!
• Thistoken,formerlymarketedbyAladdin,isthemostpopularUSBformatPKIhardtokenusedinhighereducaPon,andisparPcularlyniceifyouworkinacrosspla�ormenvironmentsinceitissupportedunderMicrosofWindows,MacOSX,andLinux.
Imagecredit:hEp://commons.wikimedia.org/wiki/File:EToken_PRO_USB.jpg139
"ThanksforOne,ButINeedABunchofThem!"
• USB‐formatPKIhardtokensareavailablefrommanymajorITchannels.Forexample,CDW‐GcurrentlyofferstheSafenete‐TokenProfor$38.89/each(qty1‐100),andtheSAC(requiredsofwaredrivers)costs$18.94.IfyouthrowononeoftheliEleprotecPveshells(liketheoneweprovidedforyoutoday),that'sanothercouplebucksfromCDW‐G,bringingthepricerightuptoaround$60.00/unit.Naturally,while~$60/unitisn'tabigdealforasmallnumberofusers,itaddsuppreEyquicklyifyouwanttoissuehardtokenstoawholecampus,parPcularlyiftherearecompePngtwofactorauthsoluPonsthatmaybe~$5/user.
• Fortunately,InCommonhasarrangedtobeabletoselldeeplydiscountedSafeNetPKIhardtokenstoInCommonhighereducaPonsubscribers.FormoreinformaPon,seehEp://www.incommon.org/safenet/index.html(note:aminimumorderoftwohundredunitsapplies)
140
"ButIOnlyWantToOrderADozenTokens!"
• If you're only buying a small number of tokens for a test deployment, you can already get those on the open market. Internet2/InCommon doesn't need to get involved in order for that to be practical. Our goal is explicitly not to make small-scale test PKI deployments cheap(er).
• On the other hand, if the community is trying to deploy thousands, tens of thousands, hundreds of thousands, or even millions of client certificates, THAT's the sort of process we want to facilitate, and where central coordination may be critical.
• Put another way, Internet2/InCommon is, and should be, all about facilitating "deployment at scale."
• This is an important principle that Randy Frank deserves special acknowledgement for correctly emphasizing.
141
SafenetDrivers,LocalTokenManagementSoKware,AndDocumenta)on
• MostsystemswillrequiretheinstallaPonoftokendriversand/orlocaltokenmanagementsofware(soyoucanloadyourexisPngcerPficateontothetoken).WithSafenet'spermissionwearemakingthatsofwareanddocumentaPonforthisproduct,availabletoyouforinstallaPonviaCD‐ROM.WeaskthatyourespectthiscopyrightedsoKware:pleasedoNOTredistributeit!
• Youshouldseethreefiles:‐‐SAC8_1SP1.zip(Windows) 206.9MBMD5sum=55876842e6e13e6c8ee6cdf9dd16986a‐‐610‐011815‐002_SAC_Linux_v8.1.zip 42.2MBMD5sum=d66c9ff919f3b35180dba137857eb88c‐‐610‐001816‐002_SAC8.1Mac.zip 18.2MBMD5sum=c2e9e9b0e2706ffab310538574cf009b
142
InstallingtheSACOntheMac
• InserttheCD‐ROManddragthe610‐011816‐002_SAC8.1Mac.zipfiletoyourdesktop.UnzipitwiththeArchiveUPlity,Stuffit,orwhateverapplicaPonyounormallyusetounzipfiles.Youshouldendupwithafoldercalled"SAC8.1.0.5"withtwosubfolders:"DocumentaPon"and"MacInstaller."
• READTHEDOCUMENTATIONINTHEDOCUMENTATIONFOLDER!Inpar)cular,readtheAdministrator'sGuideandreadtheReadMefile,par)cularly"KnownIssues/Limita)ons"
• Really,Ikidyounot,readthedangdocumenta)on,please!
• ThengototheMacInstallerfolder,andruntheinstallerthat'sinthere:SafeNetAuthenPcaPonClient.8.1.0.5.dmg
• Whenyoumountthatdmgfile,youwillseeInstallSafeNetAuthenPcaPonClient8.1.mpkg
• Installit.You'llneedtorebootwhenitfinishes143
FirefoxSecurityModule
• AsmenPonedinthedocument(whichyouAREgoingtoread,right?)whenyouinstalltheSafenetAuthenPcaPonClient,itdoesn'tautomaPcallyinstallthesecuritymoduleinFirefox.Youneedtodothatmanually.
• Firefox‐‐>Preferences...‐‐>AdvancedIntheEncrypPontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,Modulefilename,enter:/usr/local/lib/libeTPkcs11.dylibIntheConfirmwindow,clickOK
• RepeatthisprocessforThunderbird,too.
144
"ButI'mUsingWindows,NotAMac!"
• WindowsusersshouldseeAppendixIattheendoftheseslides.
IthasinstrucPonsforsemngupyourSafeNethardtokenwithaWindows7box.
• We'dhavebundledtheminhere,inline,butwedidn'twanttointerruptthings/confusetheMacusers.
145
NowLaunchtheSafeNetAuthen)ca)onTools
146
GoToTheGearMenu("Advanced")
147
Select"ViewTokenInforma)on,"ThenIni)alizeIt
148
EnterYourNewPasswordsandThenGoToTheAdvancedScreen
149DO*NOT*FORGETTHESECRITICALPASSWORDS!
BeSureToAskfor2048bitkeysupport
150
NowActuallyIni)alizeTheHardToken...
151
LoginToTheHardToken
152
You'llNeedToEnterYourPasswordForIt
153
GoToTheImportCertScreen
154
ImportOurCer)ficate
155
Pickthep12backupfilewesavedearlier.
Notethatyou'llneedtoprovidethepasswordforthatbackupfileinordertoloaditontothetoken.
BeSureToIncludetheCACertsOnTheToken,Too
156
ViewOurCertOnTheHardToken
157
AnAside:What'sThat"UnknownPurpose"Note?
158
Butcomingbacktoactuallyusingourhardtoken...
TellingThunderbirdToUseTheHardToken(WeNeedToUnlockTheToken,First)
159
We'reThenShownTheTokenandItsCert
160
NowWeGoToThunderbirdAccounts‐‐>Security,AndSelectTheHardTokenToUse
161
AndAtThatPointWe'reGoodToGoUsingTheHardTokenForOurCert...Huzzah!
162
XI.DoingAllThis"AtScale"
163
GetALibleExperience,First• It'ssomePmestempPngto"swingforthebleachers,"tryingtohita
grandslamthefirstPmeyou'reuptobat,wheninfacttheprudentthingmightbetomakesureyoujustgetonbase.Thisistrueforclientcerts,asforbaseball.
• I'dliketourgeyou,beforeyouembarkonabigprojectinvolvingclientcerts,orevenapilotscaleprojectthatmightinvolvesomeofyourmostsensiPvesystems,tofirstspendaliElePmejustexperimenPngwithclientcerts.
• Getafreeclientcertforyourself,andforyourteammembers.
• UsethemforrelaPvelylowimpactacPviPes,suchassigningyouremail,whileyougainfamiliaritywiththem.
• Trypurchasingandusinghardwaretokensorsmartcards.Whatworks?Whatdoesn'tworkonyourdevicesorinyourenvironment?Inanexperimentalenvironment,you'vegotthefreedomtopushtheenvelopewithoutworryingtoomuch.
164
ClientCertDeploymentScale:Test,Departmental,Site‐Wide,edu‐Wide?
• Wecanimaginefourdifferent"scales"ofclientcertdeployment:‐‐Testdeployment(maybehalfadozenoradozenclientcerts,perhapsissuedonlytohighlytechnicalsystemsorsecuritystaff)‐‐Departmental‐scaledeployment(hundredsoreventhousandsofcerts,perhapsissuedtoallauthorizedadministraPvecompuPngusersortoallauthorizedhighperformancecompuPngusersatasite)‐‐Site‐widedeploymentto"everyone"(allfaculty/staff,allstudents,andpotenPallyeventoall"other"users)‐‐Ormaybeevenbroadedu‐wide(cross‐realm)deployment?
• Theseareradicallydifferentanimals.IfweDON'Tneedtodothecross‐realmcase,wemightevenbeabletogetalongwithlocallyissuedclientcerts.Doyouthinkthat'sonereasonwhyemail,aclassicinter‐realmapp,hasleadtoclientcertsofenbeingcalled'S/MIMEcerts?'(Ifyou'reonlyissuingclientcertsforintra‐realmuse,atthesamePmeyouissueacert,youcouldjustpushalocalrootcert).
165
SmallDeployments?==>TargetedBenefitsLargerDeployments?==>BroadAcceptance
• WhileIdon'tmeantoimplythatthere'snobenefittofolksdoingPKItesPng,orevensmallscaledeploymentsforacarefullydefinedlocalcommunity,thosesortofprojectsdeliveradifferentsortofbenefitthanmorebroadlyadoptedefforts.Hasthe)mecomeforustoconsiderabroadlyacceptedcross‐ins)tu)onalclientcerteffort?
• Contrastalocally‐issuedlibrarycardwithapassport:‐‐Alocally‐issuedlibrarycardisterrificallyusefulifIwanttocheckoutsomebooks,butunfortunatelynooneexceptmylibrary,e.g.,theonethatissuedit,willrecognizeoracceptit‐‐Apassport,ontheotherhand,whilenotadocumentthatwillbeacceptedforthepurposeofcheckingoutlibrarymaterials,isuniversallyacceptedasaproofofpersonalidenPty(includingbeingpotenPallyusedorthingslikegeUngalocallibrarycard)
166
TimeForAStandardizedHigher‐Ed‐WideIDCard?
• Oneofthereasonspassportsareusefulisthatthey'restandardized.CurrentlyeachuniversityissuesitsownuniquetypeofIDcard,withliEleinthewayofformalhighered‐widestandardizaPon.Mosthaveaname,anumber(hopefullynotaSSN!)andapicture.Mostalsohaveamagswipestrip,abarcode,andmaybeanRFIDtag.
• Hasthe)mecomeforcollegeanduniversityIDcardstoalsohavesmartcardfunc)onalityandaclientcert?Infact,shouldhigheredbestrivingtoestablishacommunity‐widegeneralstandardforcollegeanduniversityIDcards?(arguably,there'salreadyconsiderabledefactostandardiza)on)
• Note:Iexplicitlyhavenodesiretosteponcardoffice"turf"atschoolsallacrossthecountrybyinnocentlyaskingthoseques9ons!Idoalsorecognizethattherearea*lot*ofsubtleissuesthatareraisedjustbyaskingthosetwoques9ons.
167
WhatWorksForOnesie‐TwosieWon'tWorkForTensofThousands
• Theprocessesyousawearlierinthissession,whichcanbemadetoworkforasmallnumberoftechnicallysavvyusers,won'tworkifyou'retryingto"cookforthousands"(ortensofthousands)ofusers.Amorescalableapproachisneeded.
• Forexample,ifyou'regoingtoinstallcerPficatesdirectlyonusersystems,youneedabeEerwaytodropcerPficatesonthosesystems,andabeEerwaytoconfiguretheuser'sapplicaPonstoknowaboutandusethem(InCommonisworkingonthis).
• Similarly,ifyou'regoingtousehardwaretokens,instead,youlikelyneedenterprisegradetoolstoprovisionandmanagethosedevices.Thosetoolscanbepurchased,ormaybewriEenlocally.
• Heck,ifwe'rethinkingaboutabigdeployment,weevenneedtocarefullyconsiderwhatSORTofhardwaretokenswemightwanttouse...USBformatPKIhardtokensareNOTtheonlyopPon.
168
Smartcards?
• TheUSBformatPKIhardtokensyoureceivedarebasicallyasmartcardwithanintegratedsmartcardreader(withabuilt‐inUSBinterface).Thatcanbeveryconvenient–it's"allinone."
• However,smartcardstendtobesomewhatcheaperthanUSBformattokens(e.g.,$15.13vs.$19.80),whichcanbeimportantifyou'rebuyingthousandsofthem.Ontheotherhand,theydoneedsmartcardreaderswhereverthecardsaregoingtobeused(fortunatelysmartcardreadersneednotbeveryexpensive)
• AdisPnctadvantageofsmartcardsisthattheycanbeusedasanemployeebadgeorIDcard,formaEedtoincludethingsliketheemployee'snameandpicture,amagstripeandoneormorebarcodes,whileALSOcontainingasmartcardinasecurecerPficatestore.Thismaybethebestofallpossibleworlds.
• Butwhatwillyoudoformobiledevices,suchassmartphonesortablets?
169
Slick‐SidedMobileDevicesandHardTokens
• Mobiledevicesareincreasinglyimportantoncampus,soweshouldbesuretothinkabouthowwe'llintegratehardtokensorsmartcardswithmobiledevicesthatyourusersmayhave,suchastheiPad,theiPhone,Androiddevices,Blackberries,etc.
• Theproblemisthatmosthardtokens,andmostsmartcardreadersforthatmaEer,connectviaUSB.SomeportabledevicesmaynothaveareadilyaccessibleUSBportintowhichyoucanplugahardtokenorsmartcardreader.
• ThesoluPon?YoucantryBluetooth‐connectedsmartcardreaders(somePmesalsoknownas"CACsleds"),buttheyaren'tcheapandtheydon'tsupportalldevicesorallsmartcards.
• Inthefuture,itmaybepossibletostoreclientcertssecurelybystoringpartoftheclientcertdirectlyonthedevice,whilestoringtherestoftheclientcertinthecloud,usingthresholdcryptographytoreconsPtutetheclientcertsecurely.
170
WhatAboutDirectories
• Oneofthesubtlethingsthatcanreallymakelifeeasierifyou'redeployingclientcerPficatesatscaleisadirectoryofallthepublickeysandcerPficatesfortheusersyoumightneedtocommunicatewith(thatmeansthatpeopledon'tfirstneedtoexchangesignedemailmessagesbeforetheycanexchangeencryptedemailmessages).
• TradiPonalkeydistribuPonalsobreaksdownifyouneednon‐repudiablekeysfordigitalsigning,butescrowedkeysforencrypPon.YouneedanalternaPvesourceforkeysinthatcase.
• Whenitcomestodeployingadirectory,deployingoneforyourcompanyisonething.EvendeployingadirectoryforanenPtyasbigasthefederalgovernmentissomethingthat'sdoable(heck,they'vedoneit!).Butit'snotcleartomethatthere'sascalableInternet‐widedirectorysoluPonthatwouldworktoholdclientcerPficatesforallInternetusers(assumingeveryonehadthem).
171
SomeDirectoryComplica)ons
• Organiza)onaldirectoriesareforlocalcorrespondents:Ifallmyemailislocal,andmysiteisdoingclientcerts,Icanprobablyjustcheckmylocaldirectory,butthesedays,manyusersexchangemoreemailoff‐sitethanon.AndwhatifI'man"isolatedadopter,"andthere'snotevenanorganizaPonaldirectoryformetoevenuse?
• Organiza)onaldirectories(distributed,Internet‐wide):HowdoIfindtherightdirectorytousetolookupsomeoneelse'sS/MIMEcreds?There'scurrentlyno"directoryofdirectories"(nordoIthinkthere'smomentum/communitysupporttocreatesuchananimal,givenspamproblemsandsecurityworries–manysitesmaybereluctanttoallowunfeEeredpublicdirectoryaccessduetopotenPalharvesPngissues).
• Whataboutacentralized/consolidateInternet‐widedirectorythatlists"everyone?"Um,no.Peoplejustwon'twanttocontributetheirdata,itwouldbeimpossibletokeepcurrent,andthereareO(20million)usersinUShighered!WeneedtotakealessonfromDNS.ThearchitectsofDNSdidadistributedmodelforgoodreasons!
172!
PGP/GPG‐ishS/MIMEKeyservers?
• ThereisonealternaPvecryptographicdirectorymodelthatseemstohaveworkedpreEywellto‐date,andthat'sthePGP/GPGmodel.Userscansubmittheirkeysiftheywantto.Otheruserscanlookforkeysinthosedirectoriesiftheywantto.Ifyoucan'tfindtheoneyouneed,youcanalwaysfallbackonoldstandbyapproaches,likeaskinguserstosendtheirkeydirectly.
• I'vedevelopedaveryroughprototypeserverthatdemonstratesthatitisatleastconceptuallypossibletoconstructaPGP/GPG‐likekeyserverforS/MIME.Ifyou'reinterested,seehEp://pages.uoregon.edu/joe/simple‐keyserver/foradetaileddescripPonofwhatIhaveinmind.
173
S/MIMEIsn'tTheOnlyUseforClientCerts
• ClientcerPficatescanbeusedforabunchofthingsotherthanjustsigningorencrypPngemail.
• Forexample,clientcerPficatescanalsobeusedtosigndocuments,orforauthenPcaPon,orasabuildingentrycredenPal.(Notethatifyou'reheadedinthe"authenPcaPon"or"buildingaccesscontrol"direcPon,youwillprobablyneedatradiPonalenterprisePKIdirectorytosupportthatapplicaPon)
• Onceyouhaveclientcertsdeployed,youmightbesurprisedathowmanydifferentwaystheycanactuallybeused.
• NOTE:Clientcertsshouldonlybeusedforpurposesconsistentwiththeirapproveduses.Forexample,theclientcertwedownloadedearlierspecifiedthatitwasforuseinconjunc)onwithsecureemail.However,manyapplicaPonsdoNOTstrictlycheck/enforcetheObjectIDs("OIDs")associatedwithacert,soyoumaybeabletouseagivencertforotherpurposes,too.
174
SigningStuff(OtherThanJustS/MIMESigning)
• SigningMicrosoKWorddocuments(Windowsonly),seehEp://pages.uoregon.edu/joe/signing‐a‐word‐document/
• NeedtosigndocumentsonaMac?TryOpenOffice:hEp://Pnyurl.com/openoffice‐signing
• AdobehasanextensiveguidetosecuringPDFs,includinguseofdigitalcerPficatesforsigningPDFs,see:hEp://Pnyurl.com/adobe‐signing(PDF,114pages)
NotethatthisisdifferentthanAdobe's"CerPfiedDocumentServices"programwhichalsoinvolvesdigitalsignatures,butismoreexpensive(andnotsupportedbyComodo/InCommonclientcertsatthisPme)
175
Encryp)onUsingClientCerts(OtherThanS/MIME)
• PGPWholeDiskEncryp)on(seethedatasheetlinkedfromhEp://www.symantec.com/business/whole‐disk‐encrypPon)
• MicrosoKWindowsEncryptedFileSystemhEp://technet.microsof.com/en‐us/library/bb457116.aspx
• IPsecVPNs(MostIPsecVPNsaredeployedwithoutuseofclientcerPficates,howeveratleastsomeVPNscanbeconfiguredtouseclientcerPficatesifdesired—see,forexample,hEp://www.strongswan.org/andhEp://www.cisco.com/en/US/docs/soluPons/Enterprise/Security/DCertPKI.html)
176
Authen)ca)onUsingSmartCards/ClientCerts
• RedHatEnterpriseLinuxSmartCardLoginSeehEp://Pnyurl.com/redhat‐smartcards
• WindowsAc)veDirectoryLoginwithSmartCardsSeehEp://support.microsof.com/kb/281245
• OpenSSHauthen)ca)on(viathirdpartyX.509patches)hEp://roumenpetrov.info/openssh/
• MacOSXhasbeengoingthroughsomechangeswhenitcomestonaPvesupportforsmartcards,butseehEp://smartcardservices.macosforge.org/andhEp://www.thursby.com/mac‐enterprise‐management‐high‐security‐smart‐cards.html
177
Authen)ca)onUsingClientCerts(cont.)
• ControllingaccesstowebcontentservedbyApache:www.dwheeler.com/essays/apache‐cac‐configuraPon.html(it'smuchmorehelpfulthanthemoregeneralpageathEpd.apache.org/docs/2.5/mod/mod_ssl.html#sslrequire)
• ControllingaccesstowebcontentservedbyMicrosoKIIS7hEp://technet.microsof.com/en‐us/library/cc732996%28v=ws.10%29.aspx
• ControllingaccesstowirelessnetworksviaEAP‐TLS,includingconfiguringEduroam.See
hEp://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtmland
hEp://www.internet2.edu/presentaPons/jt2011summer/20110710‐hagley‐eduroamtutorial.pdf
178
ClientCer)ficatesCanEvenPoten)allyBeUsedForBuildingAccessControlPurposes
179
XII.Don'tForgetAboutPolicies,GovernanceAndPoten)alLegalIssues
180
ClientCerts(TheTechnology)NeedtoBeSupportedByAppropriatePoliciesandGovernanceStructures
• Inlookingatsuccessfuldeploymentsofclientcerts,suchasthefederalgovernment'sHSPD‐12CAC/PIVcardproject,oneofthethingsthat'shardtomissisthatitssuccessisnotjustatechnologicalthing,it'sasignthatappropriatepoliciesweredevelopedbytheissuingandrelyingcommuniPes.
• Ifyou'replanningondoingamajorclientcertproject,pleasebesureyouarealsoconsideringthepolicyimplicaPonsofmovingtoclientcerts,notjustthetechnologyissues.
• Forexample,whataboutprivacy?Doesuseofclientcertshaveanyimpactonuserprivacy?Maybe...
• Whatifyouremailclientcheckedadirectoryforapublickey/certforeveryemailcorrespondentyouexchangedemailwith?
• OrhowaboutthisliEleexposure...seethenextslide...181
AnyWebSiteCanAskForYourBrowser'sClientCertAndThusPoten)allyGetYourName/EmailAddress
182
AnotherPrivacyThreat:ClientCertsAreNowBeingTargetedByMalware
• UserswhoemployedclientcertsfortwofactorauthenPcaPonhavelongenjoyedfeelingrelaPvely"abovethefray"whenitcametohacker/crackeraEacks.However,in2012,itbecameclearthatatleastonemalwarefamily,Sykipot,hasbeguntospecificallytargetfederalCAC/PIVclientcerPficatecredenPals.See,forexample:hEp://labs.alienvault.com/labs/index.php/2012/when‐the‐apt‐owns‐your‐smart‐cards‐and‐certs
• BecauseclientcertcredenPalsaretypically"nonexportable"fromsmartcards,malwaretargePngclientcertswillnormallyaEempttoexecutea"maninthebrowser"or"maninthemachine"aEack:‐‐intercepttheuser'ssmartcardPIN,‐‐usetheclientcert"in‐situ,"proxyingrequestsforresourcescontrolledbycertsthroughthecompromisedmachineitself,then‐‐exfiltratethesurrepPPouslyaccessedmaterialsoffsite.
• ConscienPouspatchingandaggressivemeasurestocontrolmalware,remainextremelyimportant,evenif(especiallyif?)you'reusingclientcerPficatestocontrolaccesstosensiPvecontent.
183!
KeepYourLawyersInTheLoop,Too
• Why?Well,letmegiveyouoneclosingexample...strongcryptographyisexportcontrolledbytheU.S.BureauofIndustryandSecurity,includingbeingsubjecttothe"deemedexport"rule.
IfyouplantoissueclientcerPficatestoallyouremployeesrememberthatsomeusers,asmenPonedatthebeginningofthistalk,maynotbeeligibleforaccesstostrongcryptographictechnologies,includingpotenPallyclientcerPficates.Formoreonthispoint,pleaseconsultwithyouraEorneyregardingtheprovisionsofthe"DeemedExport"rule.AsastarPngpoint,seehEp://www.bis.doc.gov/deemedexports/deemedexportsfaqs.html
• IncreaseduseofencrypPonforofficialrecords,mayalsoraiselongtermrecordmanagementandaccessissues.
184
ThanksfortheChanceToTalkToday!
• ArethereanyquesPons?
185
AppendixI:UsingTheSafeNetHardTokenonWindows7
186
"I'mUsingWindows,NotAMac!"
• There'saversionoftheSACforWindows7ontheCDwegaveyou,too.
• DragtheSAC8_1SP1zippedarchivefromtheCDtoyourdesktop.Doubleclickonit,thenselecttheSAC8_1SP1folder.
• Gotothe32X64Installerfolder.DragtheapplicaPonyou’llseethereontoyourdesktop.
• Assumingyou'rerunningWindows7,rightclickontheinstallerandselectRunasAdministrator.
• Youshouldseethengothroughaseriesofscreenswherethedefaultanswerswillusuallyfine...seethenextslides.
187
TheCD'sContents
188
189
190
PlugInYourToken
• Whenyoudo,itmayautomaPcallydownloadaddiPonaldriversfromWindowsUpdate.ThefirstPme,whenitfinishes,itwillpromptyoutochangeyourtoken'spassword.Thedefaultpasswordis1234567890asmenPonedinthedocumentaPon.
191
ThunderbirdCan'tSeeTheSafeNetHardTokens?
• IniPally,Thunderbird(andpotenPallyFirefox)maynot"see"theSafeNethardtoken.Ifyouexperiencethat,you'llneedtomanuallyloadtheeTPKCS11.dllfilefromeither
c:\Windows\System32\eTPKCS11.dll (32bit)orc:\Windows\SysWOW64\eTPKCS11.dll (64bit)
Firefox‐‐>Preferences...‐‐>AdvancedIntheEncrypPontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,underModulefilename,entertheappropriatefilename(asshownabove)IntheConfirmwindow,clickOK
192
