pki design

PKI DESIGN Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com | GOPAS TECHED 2012

Upload: trey

Post on 24-Feb-2016


TRANSCRIPT

Page 1: PKI Design

PKI DESIGN

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com

GOPAS TECHED 2012

Page 2: PKI Design

ALGORITHMS

Page 3: PKI Design

Cryptographic Algorithms

Hash algorithms
  no keys
  MD4, MD5, SHA-1, SHA-256, SHA-384, SHA-512

Symmetric key algorithms
  secret key
  RC4, DES, 3-DES, AES

Asymmetric key algorithms
  public and private key
  RSA, DH, EC

Page 4: PKI Design

THOUGHTS ON HASHING

Page 5: PKI Design

Hash example (not good)

Sum alphabet letter positions
  HELLO = 8 + 5 + 12 + 12 + 15 = 52

Can obtain arbitrary clear-text (collision) without brute-forcing

Several similar clear-texts lead to similar output
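
Added example (not part of the original slides): the slide's letter-sum hash in Python, showing both weaknesses listed above next to SHA-256. The function names are chosen for this illustration.

```python
import hashlib


def toy_hash(text: str) -> int:
    """The slide's hash: sum of alphabet positions (A=1 ... Z=26); other characters are ignored."""
    return sum(ord(c) - ord("A") + 1 for c in text.upper() if "A" <= c <= "Z")


def forge_preimage(target: int) -> str:
    """Construct a clear-text with a given toy hash directly, with no search at all."""
    if target < 1:
        raise ValueError("target must be a positive integer")
    full, rest = divmod(target, 26)
    return "Z" * full + (chr(ord("A") + rest - 1) if rest else "")


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sha256_distance(m1: str, m2: str) -> int:
    """How many of the 256 output bits change between the SHA-256 digests of m1 and m2."""
    d1 = hashlib.sha256(m1.encode()).digest()
    d2 = hashlib.sha256(m2.encode()).digest()
    return bit_distance(d1, d2)


if __name__ == "__main__":
    # Collision without brute force: any target value can be built on paper.
    print(toy_hash("HELLO"), forge_preimage(52), toy_hash(forge_preimage(52)))
    # Reordering the letters collides as well.
    print(toy_hash("OLLEH"))
    # Similar clear-texts give similar toy hashes; SHA-256 flips about half of its bits.
    print(toy_hash("HELLO"), toy_hash("HELLP"), sha256_distance("HELLO", "HELLP"))
```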


Page 6: PKI Design

Hash collisions

Pure arithmetic collisions
  limited exploitability

Post-signing collisions

Chosen-prefix collisions

Page 7: PKI Design

Post-signing collision


Name: Ondrej

Owes: 100 $

Hash: 14EEDA49C1B7

To: Kamil

Signature: 3911BA85

Name: Ondrej

Owes: 1 000 000 $

Hash: 14EEDA49C1B7

To: Kamil

Signature: 3911BA85

Trash: XX349%$@#BB...

Page 8: PKI Design

Chosen-prefix collision


CN: www.idtt.com

Valid: 2010

Hash: 24ECDA49C1B7

Serial #: 325

Signature: 5919BA85

Public: 35B87AA11...

CN: www.microsoft.com

Valid: 2010

Hash: 24ECDA49C1B7

Serial #: 325

Signature: 5919BA85

Public: 4E9618C9D...

Page 9: PKI Design

MD5 problems

Pure arithmetic in 2^112 evaluations

Post-signing collisions suspected

Chosen-prefix collisions
  practically proved for certificates with predictable serial numbers
  2^50

Page 10: PKI Design

SHA-1 problems

General brute-force attack at 2^80
  about the same as a complex password of about 12 characters

Some collisions found at 2^63
  pure arithmetic collisions, no exploitation proved

Page 11: PKI Design

ALGORITHM COMBINATIONS

Page 12: PKI Design

Performance considerations

Asymmetric algorithms use large keys
  EC is about 10 times smaller

Encryption/decryption time about 100x longer
  symmetric is faster

Page 13: PKI Design

Digital Signature (not good)

Diagram labels: Document, Private key, Document

Page 14: PKI Design

Digital Signature

Diagram labels: Private key, Document, Hash

Page 15: PKI Design

Storage Encryption (slow)

Public key

Document

Page 16: PKI Design

Storage Encryption

Diagram labels: Public key (User A), Symmetric encryption key (random), Symmetric key, Document

Page 17: PKI Design

Storage Encryption

Diagram labels: Public key (User A), Symmetric encryption key (random), Symmetric key, Document, Public key (User B), Symmetric key

Page 18: PKI Design

Transport encryption

Diagram labels: Client, Server, Public key, Public key, Symmetric Key, Symmetric Key, Data

Page 19: PKI Design

FUN WITH RANDOM NUMBERS

Page 20: PKI Design

Random Number Generators

Deterministic RNG
  use cryptographic algorithms and keys to generate random bits
  attack on randomly generated symmetric keys
  DNS cache poisoning

Nondeterministic RNG (true RNG)
  use physical source that is outside human control
  smart cards, tokens
  HSM – hardware security modules

Page 21: PKI Design

Random Number Generators

CryptGenRandom()
  hashed
  Vista+ AES (NIST 800-900)
  2003- DSS (FIPS 186-2)

Entropy from
  system time, process id, thread id, tick counter, virtual/physical memory performance counters of the process and system, free disk clusters, user environment, context switches, exception count, …

Page 22: PKI Design

STANDARDS

Page 23: PKI Design

US standards

FIPS – Federal Information Processing Standards
  provides standard algorithms

NIST – National Institute for Standards and Technology
  approves the algorithms for US government non-classified but sensitive use
  latest NIST SP800-57, March 2007

NSA – National Security Agency
  Suite-B for Secure and Top Secure (2005)

Page 24: PKI Design

Cryptoperiods (SP800-57)

Key                                 Cryptoperiod
Private signature                   1 – 3 years
Public signature verification       >3 years
Symmetric authentication            <= 5 years
Private authentication              1-2 years
Symmetric data encryption           <= 5 years
Public key transport key            1-2 years
Private/public key agreement key    1-2 years

Page 25: PKI Design

Comparable Algorithm Strengths (SP800-57)

Strength  Symmetric  RSA        ECDSA      SHA
80 bit    2TDEA      RSA 1024   ECDSA 160  SHA-1
112 bit   3TDEA      RSA 2048   ECDSA 224  SHA-224
128 bit   AES-128    RSA 3072   ECDSA 256  SHA-256
192 bit   AES-192    RSA 7680   ECDSA 384  SHA-384
256 bit   AES-256    RSA 15360  ECDSA 512  SHA-512

Page 26: PKI Design

Security lifetimes (SP800-57 and Suite-B)

Lifetime     Strength  Level
2010         80 bit    US Confidential
2030         112 bit   US Confidential
2030         128 bit   US Secure
2030         192 bit   US Top-Secure
Beyond 2030  128 bit   US Confidential

Page 27: PKI Design

NSA Suite-B Algorithms

NSA publicly published algorithms (2005)
  as opposed to Suite-A, which is private

AES-128, ECDH-256, ECDSA-256, SHA-256
  Secret

AES-256, ECDH-384, ECDSA-384, SHA-384
  Top Secret

Page 28: PKI Design

OPERATING SYSTEM SUPPORT

Page 29: PKI Design

Cryptographic Providers

Cryptographic Service Provider – CSP
  Windows 2000+
  can use only V1 and V2 templates

Cryptography Next Generation – CNG
  Windows Vista+
  require V3 templates
  enables use of ECC

CERTUTIL -CSPLIST

Page 30: PKI Design

Cryptographic Providers

Type  Operating System                         Algos                       Template
CSP   Windows 2000, Windows 2003               AES, SHA-1, RSA             v1, v2
CSP   Windows XP SP3, Windows 2003 KB938397    AES, SHA-1, RSA, SHA-2      v1, v2
CNG   Windows Vista                            AES, SHA-1, RSA, SHA-2, EC  v3

Page 31: PKI Design

SHA-2 Support

Windows XP
Windows 2003 + KB 938397
Windows Phone 7
AD CS on Windows 2008+
Autoenrollment on XP with KB
TMG 2010 with KB in the future

Page 32: PKI Design

Cryptography support

System              DES/3DES/RC2/RC4  AES 128/192/256  MD2/MD5/HMAC  SHA-1  SHA-256/384/512          ECDSA/ECDH
Windows 2000        yes               no               yes           yes    no                       no
Windows XP          yes               yes              yes           yes    yes                      no
Windows 2003        yes               yes              yes           yes    yes (non-public update)  no
Windows Vista/2008  yes               yes              yes           yes    yes                      yes
Windows 7/2008 R2   yes               yes              yes           yes    yes                      yes

Page 33: PKI Design

Cryptography support

System              DES/3DES/RC2/RC4  AES 128/192/256  MD2/MD5/HMAC  SHA-1  SHA-256/384/512  ECDSA/ECDH
Windows Mobile 6.5  yes               yes              yes           yes    no               no
Windows Mobile 7    yes               yes              yes           yes    yes              yes

TMG 2010 yes yes no
SCCM 2007 yes no no
SCOM 2007 yes yes no

Page 34: PKI Design

Encryption

EFS BitLocker IPSec Kerberos NTLM RDP

DES 2000+ 2000+ 2000+ LM password hash, NTLM
3DES 2000+ 2000+ 2000+
RC4 2000+ 2000+
AES 2003+ Vista+ Vista+ Vista+
DH 2000+ 2000+
RSA 2000+ Seven+ 2000+ 2000+ 2003+
ECC Seven+ Vista+ Seven+

Page 35: PKI Design

Hashing

MD4 MD5 SHA-1 SHA-2

NT password hash NT4+
Digest password hash 2003+
IPSec 2000+ 2000+ Seven+
NTLM NTLMv2
MS-CHAP MS-CHAPv2

Page 36: PKI Design

CNG (v3) Not Supported

EFS
  Windows 2008/Vista-

VPN/WiFi Client (EAPTLS, PEAP Client)
  Windows 2008/7-
  user or computer certificate authentication

TMG 2010
  server certificates on web listeners

Outlook 2003
  user email certificates for signatures or encryption

Kerberos
  Windows 2008/Vista-
  DC certificates

System Center Operations Manager 2007 R2

System Center Configuration Manager 2007 R2

SQL Server 2008 R2-

Forefront Identity Manager 2010 (Certificate Management)

Page 37: PKI Design

CA HIERARCHY

Page 38: PKI Design

CA Hierarchy

Diagram labels:

IDTT Root CA
  IDTT London CA, IDTT Paris CA, IDTT Roma CA
    Leaf certificates

Page 39: PKI Design

Offline Root

Root CA cannot be revoked if compromised

Making new Root CA trusted may be difficult

Delegation of administration

Must issue CRLs
  the more frequent the more secure, but more “costly”

Page 40: PKI Design

Active Directory

Group Policy
  every 120 minutes by default

Trusted Root CAs

Untrusted CAs

NTAuth CA
  issues logon certificates

Page 41: PKI Design


Page 42: PKI Design

AD CS FEATURES

Page 43: PKI Design

SKU Features

Windows Server      Certificate Templates  Autoenrollment, Key Archival  SMTP Exit Module, Role Separation  Cross-forest Enrollment
2008 R2 Standard    V1, V2, V3             Yes                           Yes                                No
2008 R2 Enterprise  V1, V2, V3             Yes                           Yes                                Yes
2008 Standard       V1                     No                            No                                 No
2008 Enterprise     V1, V2, V3             Yes                           Yes                                No
2003 Standard       V1                     No                            No                                 No
2003 Enterprise     V1, V2                 Yes                           Yes                                No

Page 44: PKI Design

SKU Features

Windows Server      Web Enrollment  Enrollment Web Services  OCSP Responder  SCEP Enrollment
2008 R2 Standard    yes             yes                      no              no
2008 R2 Enterprise  yes             yes                      yes             yes
2008 Standard       yes             no                       no              no
2008 Enterprise     yes             no                       yes             yes
2003 Standard       yes             no                       no              no
2003 Enterprise     yes             no                       no              no

Page 45: PKI Design

Role Separation

Enrollment Agent = Registration Authority
  sign cert request

Certificate Managers
  approve cert requests

Different groups of EA/CM approve requests for different groups of Enrollees

Page 46: PKI Design

PUBLIC CERTIFICATES

Page 47: PKI Design

SSL Certificate prices

Verisign – 1999 300$ year

Thawte – 2003 150$ year

Go Daddy – 2005 60$ year

GlobalSign – 2006 250$ year

StartCom – 2009 free

Page 48: PKI Design

EV Certificate prices

Verisign – 1999 1500$ year

Thawte – 2003 600$ year

Go Daddy – 2005 100$ year

GlobalSign – 2006 900$ year

StartCom – 2009 50$ year

Page 49: PKI Design

Support for SAN and wildcards

Application                                            Supports *  Supports SAN
Internet Explorer 4.0 and older                        no          no
Internet Explorer 5.0 and newer                        yes         yes
Internet Explorer 7.0                                  yes         yes, if SAN present Subject is ignored
Windows Pocket PC 3.0 and 4.0                          no          no
Windows Mobile 5.0                                     no          yes
Windows Mobile 6.0 and newer                           yes         yes
Outlook 2003 and newer                                 yes         yes
RDP/TS proxy                                           yes         yes, if SAN present Subject is ignored
ISA Server firewall certificate                        yes         yes
ISA Server 2000 and 2004 published server certificate  no          no
ISA Server 2006 published server certificate           yes         yes, only the first SAN name
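
Added example (not part of the original slides): a small Python model of the client behaviours in the table above, for checking which clients would accept a planned certificate. The certificate names are constructed, and the one-label wildcard rule and the handling of the Subject in the "first" and Windows Mobile 5.0 cases are assumptions marked in the comments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    wildcard: bool  # "Supports *" column
    san: str        # "Supports SAN" column: "no", "all" or "first"


# Rows taken from the table above.
CLIENTS = [
    Client("Internet Explorer 4.0 and older", wildcard=False, san="no"),
    Client("Internet Explorer 7.0", wildcard=True, san="all"),
    # The table says only "yes" for SAN; Subject handling is assumed to match IE 7.0.
    Client("Windows Mobile 5.0", wildcard=False, san="all"),
    Client("ISA Server 2006 published server certificate", wildcard=True, san="first"),
]


def name_matches(pattern: str, host: str, wildcard: bool) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not (wildcard and pattern.startswith("*.")):
        return False
    # Assumption: "*" stands for exactly one leftmost label.
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]


def names_checked(client: Client, subject_cn: str, san_dns: tuple) -> list:
    """Names the client compares the host name against."""
    if client.san == "no" or not san_dns:
        return [subject_cn]
    if client.san == "first":
        return [san_dns[0]]  # assumption: Subject is not consulted either
    return list(san_dns)     # SAN present: Subject is ignored


def accepts(client: Client, host: str, subject_cn: str, san_dns: tuple = ()) -> bool:
    return any(name_matches(n, host, client.wildcard)
               for n in names_checked(client, subject_cn, san_dns))


def compatibility(host: str, subject_cn: str, san_dns: tuple = ()) -> dict:
    """Map each modelled client to whether it accepts the certificate for host."""
    return {c.name: accepts(c, host, subject_cn, san_dns) for c in CLIENTS}
```

For example, `compatibility("www.idtt.com", "www.idtt.com", ("mail.idtt.com",))` reports that a SAN-aware client rejects the certificate even though the Subject matches, which is why the Subject name should be repeated in the SAN list.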

Page 50: PKI Design

OCSP and Delta CRL

System                           Checks OCSP     Delta CRL
Windows 2000 and older           no              no
Windows XP and older             no              yes
Windows Vista and newer          yes, preferred  yes
Windows Pocket PC 4.0 and older  no              no
Windows Mobile 5.0               no              yes
Windows Mobile 6.0               no              yes
Windows Mobile 6.1 and newer     yes, preferred  yes
ISA Server 2006 and older        no              yes
TMG 2010 and newer               yes, preferred  yes

Page 51: PKI Design

CRL checks in Internet Explorer

Version        CRL and OCSP checking
4.0 and older  no checks
5.0 and newer  can check CRL, disabled by default
7.0 and newer  can check OCSP (if supported by OS) and CRL, enabled by default

Page 52: PKI Design

Windows Mobile 2003 and 5.0 trusted CAs

Company     Certificate Name                                   Windows Mobile
Cybertrust  GlobalSign Root CA                                 2003 and 5.0
Cybertrust  GTE CyberTrust Global Root                         2003 and 5.0
Cybertrust  GTE CyberTrust Root                                2003 and 5.0
Verisign    Class 2 Public Primary Certification Authority     2003 and 5.0
Verisign    Thawte Premium Server CA                           2003 and 5.0
Verisign    Thawte Server CA                                   2003 and 5.0
Verisign    Secure Server Certification Authority              2003 and 5.0
Verisign    Class 3 Public Primary Certification Authority     2003 and 5.0
Entrust     Entrust.net Certification Authority (2048)         2003 and 5.0
Entrust     Entrust.net Secure Server Certification Authority  2003 and 5.0
Geotrust    Equifax Secure Certificate Authority               2003 and 5.0
Godaddy     http://www.valicert.com/                           5.0

Page 53: PKI Design

Windows Mobile 6.0 trusted CAs

Comodo      AAA Certificate Services
Comodo      AddTrust External CA Root
Cybertrust  Baltimore CyberTrust Root
Cybertrust  GlobalSign Root CA
Cybertrust  GTE CyberTrust Global Root
Verisign    Class 2 Public Primary Certification Authority
Verisign    Thawte Premium Server CA
Verisign    Thawte Server CA
Verisign    Secure Server Certification Authority
Verisign    Class 3 Public Primary Certification Authority
Entrust     Entrust.net Certification Authority (2048)
Entrust     Entrust.net Secure Server Certification Authority
Geotrust    Equifax Secure Certificate Authority
Geotrust    GeoTrust Global CA
Godaddy     Go Daddy Class 2 Certification Authority
Godaddy     http://www.valicert.com/
Godaddy     Starfield Class 2 Certification Authority

Page 54: PKI Design

RSA 2048 browser support

Browser First Version

Internet Explorer 5.01
Mozilla Firefox 1.0
Opera 6.1
Apple Safari 1.0
Google Chrome
AOL 5
Netscape Communicator 4.51
Red Hat Linux Konqueror
Apple iPhone
Windows Mobile 2003
Windows CE 4.0
RIM Blackberry 4.3.0
PalmOS 5
Sony Playstation Portable
Sony Playstation 3
Nintendo Wii

Page 55: PKI Design

Extended Validation browsers

Browser First Version

Internet Explorer 7.0
Opera 9.5
Firefox 3
Google Chrome -
Apple Safari 3.2
Apple iPhone 3.0

Page 56: PKI Design

S/MIME RSA 2048 client support

Browser First Version

Microsoft Outlook 99
Mozilla Thunderbird 1.0
Qualcomm Eudora 6.2
Lotus Notes 6
Netscape Communicator 4.51
Mulberry Mail
Apple Mail
Windows Mail
The Bat

Page 57: PKI Design

QUESTIONNAIRE

WWW.TECHED.CZ

GOPAS TECHED 2012

Page 58: PKI Design

THANK YOU!
