Posted on 14-Dec-2015


KIERAN JACOBSEN HP

Understanding PKI and Certificate Services

Gold Sponsors

Silver Sponsors

AGENDA

- Why should I care?
- Contoso requirements
- Design considerations
  - CA hierarchy
  - CA lifespan
  - Physical or virtual?
  - Private key storage
  - Key lengths
  - Certificate revocation lists
  - AIA and CDP locations
  - Stuff we missed…
- Ouch! Pain points
- PowerShell to the rescue

Why Should I Care?

There are a number of technologies which need PKI:

- Cloud infrastructure
- Federated identity systems, e.g. ADFS
- HTTPS/SSL
- SMTPS
- Multi-factor authentication, e.g. smart cards
- S/MIME
- Encrypting File System (EFS)
- Code signing
- 802.1x authentication and/or NAP
- Remote Desktop Services

Many organizations have legal requirements for PKI with serious financial or legal ramifications for a breach of that infrastructure!

Contoso Requirements

- Contoso is developing a new web application suite
- ADFS to provide SSO
- Almost 1 million end users
- Third-party certificates for HTTPS
- Private certificate infrastructure for internal use
- Network is segregated into internal/corporate and perimeter networks
- Certificates will be in use in both the corporate and perimeter networks
- Use of certificates to be extended to other applications, remote access, partners and third parties at a later date
- High availability and continuity planning is a must

Protecting your privates

- The first rule of security in PKI is: protect the private key!
- Protecting the private keys of authorities is absolutely critical
- If a bad guy has access to your private key or can determine your private key…

CA Hierarchy

Single/One Tier
- Root and Issuing CA are the same
- Simple to manage
- Hard to manage if a breach occurs
- Not RECOMMENDED!

Two Tier
- Root and Issuing CA are separated
- Slightly more difficult to manage
- Security breach of the issuing CA is easy to manage
- Highly scalable
- RECOMMENDED!

Three Tier
- Root, Policy and Issuing CA separated
- Quite difficult to manage
- Security breach of the issuing CA is easy to manage
- Very highly scalable
- Not RECOMMENDED!

CA lifespan

Certificate expiry = date of certificate issue + validity period

Validity period is defined by:

- Certificate template
- CA policy
- Expiry date of the CA's certificate

Constraints:

- An authority cannot issue a certificate whose expiry is after the expiry of the authority's own certificate
- A subordinate authority cannot have its certificate expire later than its superior authority's. I.e., in a two-tier hierarchy, issuing CA certificates must have an expiry that is before that of the offline root CA.

When an authority's certificate expires:

- All certificates it issued will have, logically, expired
- It cannot sign CRL files!

CA lifespan 2

Validity period factors:

- Deploying an authority is a lot of work
- Certificates issued must expire before the authority's certificate
- Subordinate authorities must expire before superior authorities
- Are we going to renew CA certificates or replace them?
- When are we going to start the work?

Recommended validity periods:

- Offline authorities: 10 to 25 years
- Issuing authorities: 5 to 10 years

Replacement schedule:

Validity Period | Replace at 75%     | Replace at 90%
5 years         | 3 years, 9 months  | 4 years, 6 months
10 years        | 7 years, 6 months  | 9 years
15 years        | 11 years, 3 months | 13 years, 6 months
20 years        | 15 years           | 18 years
25 years        | 18 years, 9 months | 22 years, 6 months
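As an added worked example (not part of the talk), the Python below carries the two lifespan slides through: expiry from issue date plus validity, the 75% and 90% replacement points behind the table, and a check that no subordinate CA's certificate outlives its issuer's. The names `PlannedCA`, `add_months` and the issue dates are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Added example, not from the talk: CA expiry and replacement planning, plus a check of
# the rule that a subordinate CA's certificate must expire before its superior's.

def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day (31 Jan + 1 month -> 29 Feb)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (first_of_next - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))

def replacement_points(validity_years: int) -> tuple[int, int]:
    """Months after issue at which to replace the CA: 75% and 90% of its validity."""
    months = validity_years * 12
    return months * 75 // 100, months * 90 // 100

def years_months(months: int) -> str:
    """Render a month count the way the replacement-schedule table does."""
    y, m = divmod(months, 12)
    return f"{y} years" + (f", {m} months" if m else "")

@dataclass
class PlannedCA:
    name: str
    issued: date
    validity_years: int
    issuer: PlannedCA | None = None   # None for the offline root

    @property
    def expires(self) -> date:
        return add_months(self.issued, self.validity_years * 12)

    def replace_by(self, percent: int) -> date:
        """Date by which this CA's certificate should be renewed or replaced."""
        return add_months(self.issued, self.validity_years * 12 * percent // 100)

def hierarchy_problems(cas: list[PlannedCA]) -> list[str]:
    """Describe every subordinate whose certificate would outlive its issuer's."""
    return [f"{ca.name} expires {ca.expires}, after its issuer {ca.issuer.name} ({ca.issuer.expires})"
            for ca in cas if ca.issuer is not None and ca.expires > ca.issuer.expires]

if __name__ == "__main__":
    # Contoso's plan (25-year offline root, 5-year issuing CA) with constructed issue dates
    root = PlannedCA("Contoso Offline Root", date(2012, 1, 1), 25)
    issuing = PlannedCA("Contoso Issuing CA", date(2012, 1, 1), 5, issuer=root)
    print(root.replace_by(90), issuing.replace_by(90), hierarchy_problems([root, issuing]) or "hierarchy OK")
```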

Physical or Virtualized Hardware

Physical Hardware                           | Virtualized
Hardware dependent                          | Hardware independent
Strong private key protection               | Weaker private key protection
Hard to replicate                           | Easy to replicate
Hard to make highly available               | Highly available by nature
Additional key protection options available | Only encryption available as an additional layer of protection

Private key storage

By default, private keys are stored in the Local Certificate Store. The Local Certificate Store is vulnerable to:

- A security vulnerability in the software API controlling access
- Bypassing the API with physical access to the storage/server

Risk mitigation by:

- Encrypting the operating system disk with BitLocker
- Storing physical disk media in a safe
- Storing private keys in USB tokens or smart cards
- Ultimate security: a Hardware Security Module (HSM)

Key Length

- Offline authorities (root and policy): 4096 bits
- Issuing authorities: 2048 bits
- Certificates: 2048 bits
- Avoid using keys of 1024 bits and 512 bits.

Certificate Revocation Lists

- CRL: Certificate Revocation List
- A list of all the certificates clients should not trust
- Signed by the certificate authority which issued the list
- Each authority will maintain its own list
- Released on a regular schedule, generally hourly, daily, weekly, monthly, six-monthly or yearly
- Valid for a limited period of time; the validity period is slightly longer than the release schedule
- Delta files can be used

AIA & CDP

- AIA: Authority Information Access -> used to help validate that a certificate is trusted
- CDP: CRL Distribution Point -> used to determine a certificate's revocation status
- Protocols allowed: LDAP, HTTP, FTP and UNC paths

Placement of locations:

- Corporate network
- DMZ/Perimeter
- External? Cloud?

How do we ensure locations are highly available?

AIA & CDP at Contoso

LDAP
- LDAP location based off the corporate domain, contoso.local
- Only systems in the corporate network will have access

HTTP
- HTTP location based off certs.contosocorporation.com
- Server to be in the perimeter network
- All locations internally have access to this location
- External access easily made available at a later date

Other things to consider

- Use sensible names
- Define corporate policy:
  - Certificate Policy (CP)
  - Certificate Practice Statement (CPS)
- Auto enrollment
- Online Certificate Status Protocol (OCSP)
- Key archival

Deployment summary

- Hierarchy: 2 tier – offline root and single issuing CA
- CA lifespan:
  - Offline: 25 years, to be replaced in 22 ½ years
  - Issuing: 5 years, to be replaced in 4 ½ years
- Private key/hardware: all virtual
- Key lengths:
  - Offline: 4096 bits
  - Issuing: 2048 bits
- CRL:
  - Offline: every 6 months
  - Issuing: base weekly, delta daily
- AIA/CDP locations:
  - LDAP: contoso.local corporate AD
  - HTTP: certs.contosocorporation.com

OUCH!! Pain points!

- CA hashing algorithms
- LDAP for a CRL and AIA distribution point
- ADFS requires specific CA template versions
- AIA specification bug

PowerShell to the rescue

- CRL monitoring and validation
- Backups
- Private key backups
- CRL publishing
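The CRL slide's point that a CRL must stay valid for slightly longer than its publish interval, together with the CRL monitoring item above, can be turned into a concrete check. This is an added example, not the speaker's PowerShell: it is stdlib-only Python, uses Contoso's schedule from the deployment summary, and the thisUpdate/nextUpdate timestamps are constructed rather than read from a real CRL.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Added example, not from the talk (Python rather than the speaker's PowerShell):
# classify a CRL against its publish schedule using its thisUpdate/nextUpdate.
# In practice the two timestamps are read from the downloaded CRL; here they are constructed.
# Contoso's CRL schedule from the deployment summary slide.
CONTOSO_SCHEDULE = {
    "root-base": timedelta(days=182),    # offline root: every 6 months
    "issuing-base": timedelta(weeks=1),  # issuing CA base CRL: weekly
    "issuing-delta": timedelta(days=1),  # issuing CA delta CRL: daily
}

def utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

def crl_status(this_update: datetime, next_update: datetime,
               publish_interval: timedelta, now: datetime) -> str:
    """Classify one CRL:
    misconfigured - validity is not longer than the publish interval, so one
                    late publish leaves relying parties with no valid CRL
    expired       - nextUpdate has passed; revocation checks fail
    overdue       - a fresh CRL was due but has not arrived; the overlap
                    window (validity minus interval) is being consumed
    ok            - published on schedule and still valid
    """
    validity = next_update - this_update
    if validity <= publish_interval:
        return "misconfigured"
    if now >= next_update:
        return "expired"
    if now > this_update + publish_interval:
        return "overdue"
    return "ok"

def check_crls(crls: dict[str, tuple[datetime, datetime]],
               schedule: dict[str, timedelta], now: datetime) -> dict[str, str]:
    """Return {name: status} for every CRL whose status is not 'ok'."""
    statuses = {n: crl_status(tu, nu, schedule[n], now) for n, (tu, nu) in crls.items()}
    return {n: s for n, s in statuses.items() if s != "ok"}

if __name__ == "__main__":
    observed = {  # constructed thisUpdate/nextUpdate pairs as a monitor would collect them
        "root-base": (utc(2015, 6, 1), utc(2015, 12, 1)),              # expired
        "issuing-base": (utc(2015, 12, 7, 8), utc(2015, 12, 17, 8)),   # weekly publish missed
        "issuing-delta": (utc(2015, 12, 14, 2), utc(2015, 12, 15, 14)),
    }
    for name, status in check_crls(observed, CONTOSO_SCHEDULE, utc(2015, 12, 14, 9)).items():
        print(f"ALERT {name}: {status}")
```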

Question and answer time

Useful links

- My website: http://aperturescience.su
- PowerShell CRL Copy by PKI Blog: http://bit.ly/v5Buuf
- Designing and Implementing a PKI by Directory Services Team: http://bit.ly/tuf0T6
