7/21/2019 2011-03-Overview of the Microsoft PKI - ADCS 2008 R2-V_1.02-Fabien_Duchene
http://slidepdf.com/reader/full/2011-03-overview-of-the-microsoft-pki-adcs-2008-r2-v102-fabienduchene 1/107
Technical overview of the Microsoft PKI – Active Directory Certificate Services 2008 R2
ESEC – European Security Expertise Center
Fabien DUCHENE – http://www.car-online.fr/en/spaces/fabien_duchene/
Reviewers: Jonathan BOURGAIN, Jeremy RENARD, Rida BENBRAHIM
Certificate Services – 2011-01 – v.1.02
0. Table of contents
1. Introduction… PKI?
2. MS PKI 2008 (R2) foundations
3. Establishing & maintaining
4. Auditing
5. Beyond the MS PKI
6. References
1. Introduction … PKI?
- Some PKI application scenarios
- Why setting up a PKI?
- asymmetric cryptography
- PKI – overview
- Certificate
- Certificate Authority
- Validation
- Revocation
1.a. Some PKI application scenarios
Diagram: PKI application scenarios
- Scenarios: strong authentication, VPN access, secure wireless, websites, Terminal Services, document encryption, email signing, Encrypted File System, application integrity
- Technologies: smart card, EAP-TLS, SSL/TLS, 802.1x, IPSec, network access control
- Foundations: PKI, identity store, operating system
1.b. Why setting up a PKI?
• The applications quoted above, plus building TRUST
• Legal requirements (eg. EU privacy laws, CNIL, RGS)
• PKI alternatives:
Alternative                                     | Issues
Password, static keys, self-signed certificates | Management costs and security concerns (complexity, lifetime)
Purchased certificates                          | Cost (as certificate applications proliferate)
Specific application functionalities            | Compliance => common management
1.c. Before setting up a PKI …
…you should consider…
• Organizational policies: auditing, procedures
• Ongoing costs… like any other IT application!
– Scalability, high availability (revocation)
– (plus physical security)
• Complexity
– Technical requirements: hardware, network, software
– Training: end users, IT staff, security team
• Legal: key length, algorithms used, data exchanges, PII…
Common mistakes: mind the gap!
• There is no need for a PKI nor a CA to perform asymmetric cryptography. Eg: Web-Of-Trust (PGP), SSH
• In French:
– Encryption/enciphering = chiffrer (not "crypter"!)
– Decryption/deciphering = déchiffrer
– Breaking an encrypted message = décrypter, i.e. recovering the message when the user does not have access to the private key
• Not trusting a PKI does not imply the communication is not encrypted! (eg: https://esec.fr.sogeti.com )
1.d.1. PKI - definition
• PKI: Public Key Infrastructure
– Hardware, software, people, policies and procedures to manage the lifecycle of digital certificates (manage, distribute, use, store and revoke)
– It uses: asymmetric cryptography
• … and is ONE solution to associate certificates with identity = hierarchical model
• … other models exist:
– local trust model (eg: SPKI)
– web of trust (eg: PGP)
Figure 4 – CA hierarchy – a hypothetical example (ITU-T X.509 figure: CAs U, V, W, X, Y, Z and end entities A, B, C; X«A» denotes the certificate of A issued by X, and pairs such as U«V» / V«U» are cross-certificates)
1.d.2. PKI - components
Diagram: PKI components
- Certification Authority (CA)
- Certificate(s) and requestors (computer, user)
- Certificate publication and revocation distribution points (CRL, OCSP) – URLs: http://, file://, ldap://
- Keys and certificates management tools, auditing…
- Security policy: certificate enrollment and revocation policy
- Authentication: Identity Provider (ADDS)
- Applications and services able to interact with certificates
1.e.1. Asymmetric cryptography
• Assumptions:
– hardness of a mathematical problem: integer factoring, discrete logarithm
– limited computational power... and time. Is this always true? Eg. cloud, quantum computing
• Basics:
– Two related keys: 1 public, 1 private
– Two functions: Encrypt, Decrypt : {message, key} -> {message}
– Properties:
• Decrypt(Encrypt(msg, E_pub), E_priv) = msg
• Decrypt(Encrypt(msg, E_priv), E_pub) = msg
• Knowing E_pub, it is “computationally very hard” to find E_priv
Pictures from Wikipedia – Public Key Cryptography
1.e.2. Asymmetric cryptography - applications
• Immediate applications: encryption, signature
… But also Diffie-Hellman key exchange
Pictures from Wikipedia – Public Key Cryptography
1.e.2. Asymmetric cryptography (cont.)
• Things we can guarantee:
– Identity:
• Non-repudiation (the signer cannot deny having performed the action) [uses: signature]
• Authentication [signature and encryption]
– Communication:
• Integrity (the data has not been changed) [signature]
• Confidentiality (only authorized entities can read it) [encryption]
• … assuming:
– the previous mathematical assumptions
– the user's private key is “well protected” (confidentiality)
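Added worked example (my code, not from the deck): a textbook RSA on two constructed small primes, showing the two Decrypt/Encrypt properties of 1.e.1, the sign/verify use that 1.e.2 builds on, and why the hardness assumption matters: with a 40-bit modulus the private key can be recovered from the public key by trial division in well under a second. No padding and no real key sizes; it demonstrates the mathematics only.

```python
from hashlib import sha256
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes (constructed sample values).

    Returns (E_pub, E_priv) as (n, exponent) tuples.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)              # private exponent: e * d == 1 mod phi(n)
    return (n, e), (n, d)


def encrypt(msg, key):
    """Encrypt(msg, key) -> ciphertext; the same operation serves both keys."""
    n, exponent = key
    assert 0 <= msg < n, "message must be an integer smaller than n"
    return pow(msg, exponent, n)


def decrypt(c, key):
    """Decrypt is the same modular exponentiation with the other key."""
    n, exponent = key
    return pow(c, exponent, n)


def sign(data, priv):
    """Signature: hash the data, then 'encrypt' the digest with E_priv."""
    n, _ = priv
    digest = int.from_bytes(sha256(data).digest(), "big") % n
    return encrypt(digest, priv)


def verify(data, signature, pub):
    """Anyone holding E_pub checks a signature by 'decrypting' it with E_pub."""
    n, _ = pub
    digest = int.from_bytes(sha256(data).digest(), "big") % n
    return decrypt(signature, pub) == digest


def break_toy_key(pub):
    """Recover E_priv from E_pub by factoring n with trial division.

    Feasible only because n is about 40 bits; the slide's hardness
    assumption is exactly what makes this infeasible for a 2048-bit n.
    """
    n, e = pub
    p = next(f for f in range(3, isqrt(n) + 1, 2) if n % f == 0)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


def property_checks():
    """Exercise the three properties from the slide on constructed toy primes."""
    pub, priv = make_keypair(1000003, 1000033)
    msg = 123456789
    enc_then_dec = decrypt(encrypt(msg, pub), priv) == msg     # property 1
    priv_then_pub = decrypt(encrypt(msg, priv), pub) == msg    # property 2
    data = b"certificate to-be-signed bytes (constructed)"
    signature = sign(data, priv)
    good = verify(data, signature, pub)                        # untouched data
    tampered = verify(data + b"!", signature, pub)             # modified data
    return enc_then_dec, priv_then_pub, good, tampered


if __name__ == "__main__":
    print(property_checks())           # (True, True, True, False)
    pub, priv = make_keypair(1000003, 1000033)
    print(break_toy_key(pub) == priv)  # True: 40-bit keys offer no protection
```

The signature path is the same modular exponentiation as encryption applied to a hash of the data, which is what the "thumbprint signed with the issuing CA private key" diagram in 1.h.2.2 describes.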
1.f. Certificate
• Main format: X.509 v1 (1988), v2 (1993), v3 (1996)
• File *.crt containing:
– Subject, issuer, validity window, …, Subject Public Key
– …
• The information is signed by the issuing CA
1.f. Certificate – X.509 v3
• v3 (1996)
• CDP: where to check if that certificate is revoked?
Picture from PKI and Certificate Security - Brian Komar, MS Press
1.g. Certification Authority
• A trusted party (server), as part of a PKI:
– Verifies the identity of a certificate requestor
– Issues certificates to requestors (users, computers) according to the issuance policy
– Manages certificate revocation*
*revocation: declaring a certificate no longer valid, even though its expiration date is in the future.
1.h. Certificate issuance
• A Root CA self-signs its certificate
• The most common model: the requester generates the key pair
• Certificate template: set of parameters (key length, authentication requirements (1/2/3 factor(s)), permissions…)
Diagram: certificate issuance flow (actors: Client, Identity Provider, Certification Authority, Certificate Template store)
0. Authentication
1. Certificate templates fetching
2. Key pair generation (according to the chosen certificate template parameters)
3. Authenticated certificate request (public key, validity, certificate template…)
4. Verifications (template parameters)
5. Certificate issuance (see next slide)
6. Certificate
Ensimag 4MMSR – Network Security – Fabien Duchene (2011)
1.h.1. Cert. validation - AIA
• Authority Information Access: URLs where the CA certificate can be retrieved
– Filesystem, ldap://, http://, smb://
– CA certificate: *.crt (certificate)
– OCSP extension (URL of the OCSP responder)
1.g. The trust topology of the PKI model
• A hierarchical trust model:
– Users/computers trust the Root CA
– Transitive trust relation down to the leaves
Diagram (GeekCompany Root CA, issued certificates, Kim Cameron, Sheldon Cooper): “I trust that Root CA… thus I also trust these CAs (certificate issued by the Root CA)… thus I also trust the identity of that user/computer (certificate issued by those CAs).”
1.h.2. Cert. validation – chain of trust
• Trust hierarchy: trusting the Root CA
• Signing: each CA signs all issued certificates
• … including those of the child PKI (subordinate CAs)!
1.h.2.2. Chain of trust - signature
Diagram: clear-text certificate information → thumbprint (hash*) computation → thumbprint signed with the issuing CA private key → certificate signature field
* hash: function that takes a block of data and returns a fixed-size bit string (eg: MD5, SHA-1, SHA-512…)
1.h.2.3. How could the “chain of trust” be broken?
• For any certificate in that chain:
– Validity time: has the certificate expired?
– Subject name: does the certificate information differ from what the application expects? (eg: loading an https website by its IP instead of its FQDN)
– Revocation: has that certificate been revoked at the CDP?
– … and of course if the Root CA of that chain is not trusted!
1.i.1 Revocation - overview
• CRL (Certificate Revocation List)
– List of revoked certificate hashes, periodically fetched
• OCSP (Online Certificate Status Protocol)
– Real-time web request
Diagram (CRL): periodic CRL download (HTTP, SMB, LDAP…) → is the certificate hash present in the CRL signed by the issuing CA? yes → the certificate is not trusted; no → the certificate is trusted
Diagram (OCSP): OCSP request with the certificate hash → OCSP signed reply → is the certificate revoked? yes → the certificate is not trusted; no → the certificate is trusted
1.i.2.3. CRL – Publication & expiry intervals
• These parameters are set for the whole PKI
• Publication interval: how often are the CRLs published?
1.i.4. CDP
• CRL Distribution Point:
– Filesystem (smb://, file://)
– ldap://
– http://
1.i.2.3. Revocation - CRL - problems
• Bandwidth, CRL file size:
– the more certificates are issued, the more are potentially revoked
• Latency: update & download frequency
• Mitigation solutions:
– Delta CRL = newly revoked certificates since the last base CRL publication
– Separate base CRL & delta CRL publishing frequencies
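Added example (my code, not from the deck): the delta CRL mitigation as a relying party applies it. The base CRL and the delta CRL are constructed sample values; the client checks each list's validity window (this update / next update), checks that the delta really extends this base, and merges the two before answering a revocation query. X.509 CRLs list serial numbers; the identifiers here are plain strings.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    crl_number: int
    revoked: Set[str] = field(default_factory=set)   # revoked certificate ids
    base_crl_number: Optional[int] = None            # set only on a delta CRL

    @property
    def is_delta(self):
        return self.base_crl_number is not None


def is_fresh(crl, now):
    """A CRL may only be relied upon inside its validity window."""
    return crl.this_update <= now < crl.next_update


def merge(base, delta, now):
    """Combine a base CRL with its delta and return the effective revoked set.

    Raises ValueError if either list is stale, comes from another issuer, or
    if the delta was not built on this base. (Simplified: RFC 5280 also lets
    a delta be combined with a newer complete CRL than the one it names.)
    """
    for crl in (base, delta):
        if not is_fresh(crl, now):
            kind = "delta" if crl.is_delta else "base"
            raise ValueError(f"{kind} CRL is outside its validity window")
    if delta.issuer != base.issuer:
        raise ValueError("delta CRL issued by a different CA")
    if delta.base_crl_number != base.crl_number:
        raise ValueError("delta CRL does not extend this base CRL")
    return base.revoked | delta.revoked


def is_revoked(cert_id, base, delta, now):
    """Revocation answer for one certificate, using the merged lists."""
    return cert_id in merge(base, delta, now)


# Constructed sample data: a weekly base CRL and a daily delta CRL.
T0 = datetime(2011, 3, 1, 8, 0)
BASE = Crl("CN=Issuing CA", T0, T0 + timedelta(days=7), crl_number=41,
           revoked={"1A2B", "3C4D"})
DELTA = Crl("CN=Issuing CA", T0 + timedelta(days=2), T0 + timedelta(days=3),
            crl_number=43, revoked={"5E6F"}, base_crl_number=41)


def demo():
    """Run the sample queries; returns the outcomes a caller can check."""
    now_ok = T0 + timedelta(days=2, hours=1)   # both lists valid
    now_late = T0 + timedelta(days=4)          # delta expired, base still valid
    results = {
        "base_only_hit": is_revoked("1A2B", BASE, DELTA, now_ok),
        "delta_hit": is_revoked("5E6F", BASE, DELTA, now_ok),
        "unknown": is_revoked("9999", BASE, DELTA, now_ok),
    }
    try:
        is_revoked("5E6F", BASE, DELTA, now_late)
        results["stale_delta_rejected"] = False
    except ValueError:
        results["stale_delta_rejected"] = True   # client must fetch a new delta
    return results


if __name__ == "__main__":
    print(demo())
```

The stale-delta case is the latency problem from the slide seen from the client side: once the delta's next-update time has passed, the client can no longer claim to know the current revocation state and has to download a fresh delta (small) rather than a fresh base (large).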
1.j. Example
• Consider the following scenario: should I trust the customer CA certificate, knowing I obtained the Root CA certificate from the AIA?
0. Get the AIA information periodically (URL, download the Root CA public key)
1. The customer CA is presenting us its certificate (…and the related chain of trust)
2. Do I trust the Root CA certificate? (“Trusted Root Certification Authorities” store?)
3. Is the Root CA certificate revoked or expired? CRL, OCSP
4. Check the Ext. Pol. CA certificate signature (parent CA)
5. 6. 7. 8. …
Picture from PKI and Certificate Security - Brian Komar, MS Press
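Added example (my code, not from the deck nor from Brian Komar's book): a walk over a three-certificate chain that applies the checklist of 1.h.2.3 and the scenario of 1.j. The certificate model, the names (GeekCompany Root CA, GeekCompany Issuing CA, www.geekcompany.example), keys and dates are constructed, and the signature is a keyed-hash stand-in for a real RSA/ECDSA signature so that the chain logic runs offline; the CDP/OCSP lookup is modelled as a dictionary of revoked subjects per issuer.

```python
from dataclasses import dataclass
from datetime import datetime
from hashlib import sha256


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str              # stand-in for the subject public key
    not_before: datetime
    not_after: datetime
    signature: str        # produced by issue()

    def tbs(self):
        """The 'to-be-signed' fields: everything except the signature."""
        return f"{self.subject}|{self.issuer}|{self.key}|{self.not_before}|{self.not_after}"


def issue(subject, key, not_before, not_after, issuer_name, issuer_key):
    """The issuer signs the TBS fields. STAND-IN: a keyed hash replaces the
    CA private-key signature, so the issuer's key string is both the signing
    secret and the verification key; only the chain logic is realistic."""
    tbs = f"{subject}|{issuer_name}|{key}|{not_before}|{not_after}"
    signature = sha256((issuer_key + tbs).encode()).hexdigest()
    return Cert(subject, issuer_name, key, not_before, not_after, signature)


def signature_ok(cert, issuer_key):
    return cert.signature == sha256((issuer_key + cert.tbs()).encode()).hexdigest()


def validate_chain(chain, expected_subject, trusted_roots, revoked, now):
    """chain[0] is the leaf, chain[-1] the root. Returns the list of problems
    found (empty list: the chain is trusted), following the slide's checklist."""
    problems = []
    if chain[0].subject != expected_subject:          # eg: https by IP, not FQDN
        problems.append(f"subject mismatch: got {chain[0].subject}, "
                        f"expected {expected_subject}")
    for i, cert in enumerate(chain):
        is_root = i == len(chain) - 1
        parent = cert if is_root else chain[i + 1]   # a root is self-signed
        if not (cert.not_before <= now <= cert.not_after):
            problems.append(f"{cert.subject}: outside its validity window")
        if cert.issuer != parent.subject:
            problems.append(f"{cert.subject}: issuer does not match the next cert")
        if not signature_ok(cert, parent.key):
            problems.append(f"{cert.subject}: signature invalid")
        if cert.subject in revoked.get(cert.issuer, set()):   # CDP/OCSP stand-in
            problems.append(f"{cert.subject}: revoked by {cert.issuer}")
    root = chain[-1]
    if (root.subject, root.key) not in trusted_roots:
        problems.append(f"{root.subject}: root CA not in the trusted store")
    return problems


# Constructed sample chain (names, keys and dates are made up).
Y2010, Y2012, Y2020 = datetime(2010, 1, 1), datetime(2012, 1, 1), datetime(2020, 1, 1)
ROOT = issue("GeekCompany Root CA", "root-key-9f1c", Y2010, Y2020,
             "GeekCompany Root CA", "root-key-9f1c")
ISSUING = issue("GeekCompany Issuing CA", "issuing-key-42aa", Y2010, Y2020,
                ROOT.subject, ROOT.key)
LEAF = issue("www.geekcompany.example", "leaf-key-7b03", Y2010, Y2012,
             ISSUING.subject, ISSUING.key)
TRUSTED = {(ROOT.subject, ROOT.key)}        # the "Trusted Root CAs" store
NOW = datetime(2011, 3, 15, 12, 0)


def scenarios():
    """The happy path and the four ways the slide says a chain can break."""
    chain = [LEAF, ISSUING, ROOT]
    none_revoked = {}
    return {
        "ok": validate_chain(chain, LEAF.subject, TRUSTED, none_revoked, NOW),
        "by_ip": validate_chain(chain, "192.0.2.10", TRUSTED, none_revoked, NOW),
        "expired": validate_chain(chain, LEAF.subject, TRUSTED, none_revoked,
                                  datetime(2013, 1, 1)),
        "revoked_ca": validate_chain(chain, LEAF.subject, TRUSTED,
                                     {ROOT.subject: {ISSUING.subject}}, NOW),
        "untrusted_root": validate_chain(chain, LEAF.subject, set(),
                                         none_revoked, NOW),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(name, "->", problems or "trusted")
```

The validator reports every failed check rather than stopping at the first, which is what you want from diagnostic tooling; a production client stops at the first failure and does not tell the user which one it was.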
REMINDER: Active Directory – Security basics
• Domain, Forest
• SID, access control
• Kerberos authentication
• Trust relationships
REMIND.a. Domain, forest
- AD forest, domain: in each domain, Domain Controllers (DC) manage:
- Kerberos authentication
- LDAP directory
- DNS resolution
Diagram: forest with the root domain corp.nintendo.com and the child domains jpn and usa
REMIND.b. Access control basics - SID
• SID (Security IDentifier):
– Statistically unique worldwide
– AD objects that own a SID (and that are stored in the LDAP database):
• Computer (assigned when the computer joins the domain)
• Domain controllers (same as above)
• User/service account (when the account is created)
• Security group (a security group can contain security groups, users, and computers)
• Thus, each security principal (user, computer, security group, DC):
• owns a SID: user account SID
• is member of several security groups: group SIDs
REMIND.b. – SID examples (continued)
• SID example (eg. domain: CORP): screenshot of a user account SID and its group SIDs
REMIND.b. – Access control basics
• ACL (Access Control List): a list of ACEs (E = entry)
• ACE: “right/privilege/permission given to a specific SID on a specific resource”
• Resource examples:
– Shared folder
– LDAP object
– certificate template
REMIND.c. Kerberos Authentication - overview
Diagram: Kerberos exchange between the user/computer, the Key Distribution Center (identity provider / authentication server, GC, Ticket Granting Service (TGS)) and the service server (eg: issuing CA)
Authentication protocols in a Microsoft environment: LM, NTLMv1, NTLMv2, Kerberos
1. “I am Mossen. I need a Ticket to Get Tickets” (TGT)
2. “Here is a TGT you will only be able to decrypt if you know the shared secret (user/computer password)”
3. “I want to access the ‘Issuing CA’ service. Here is a proof I decrypted the TGT”
4. “Here is a Service Ticket containing your information for accessing the Issuing CA service” (User SID, group membership SIDs)
5. Service Ticket presented to the service
6. Service communication
2. MS PKI foundations
– Active Directory basics (authentication, ACL)
– Common criteria
– ADCS Roles
– Certification authorities (& cert. issuance)
– Certificate templates
– PKI objects: ADDS location
– Autoenrollment
– Revocation (OCSP)
– Key Recovery Agent, Enrollment Agent
– Hash and public key algorithms
– What’s new in 2008/2008R2?
2.a. Common criteria certifications
• Common criteria (check that what is built conforms to the specifications):
– EAL4 - methodically designed, tested and reviewed
• ALC_FLR.3 (Systematic Flaw Remediation)
– Windows Server 2003:
• EAL 4+ ALC_FLR.3 (2005)
– Windows Server 2003 (ADCS):
• CIMC Security Level 3 Protection
• EAL 4+ ALC_FLR.3 (2005)
– Windows Vista & 2008:
• EAL 4+ ALC_FLR.3 (2009)
• => includes CNG (Windows Cryptographic API)
http://www.commoncriteriaportal.org/products/
2.b.1. Windows Server - ADCS - Roles
• Windows Server role: Active Directory Certificate Services
• Sub-roles:
– Certification Authority
• Requires ADDS; clients and CA communicate via DCOM
– CA Web Enrollment:
• Requires IIS, ASP; communication: web application
– CA Enrollment Web Service (CES)
– CA Enrollment Policy Web Service (CEP)
• Both require the ADDS domain schema at level 2008 R2
• Communication via web services (WS)
Diagram: sub-roles against Windows Server versions 2000, 2003, 2008, 2008 R2
2.b.2. ADCS Roles - overview
Diagram: ADCS roles
- Certification Authority (CA): issue, renew, revoke certificates
- Active Directory: enrollment objects, certificate templates, users, computers
- Online Responder: certificate revocation info, web proxy cache
- Client: enrollment, renewal
- Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP): enroll, autoenroll over HTTP application WS
- Legacy certificate enrollment: DCOM; legacy template retrieval: LDAP, smb
- Revocation check: OCSP (Online Responder) or CRL
2.c.1. REMIND: Certification Authorities
• Servers aiming at 3 main goals:
– Verify the identity of a certificate requestor
• Active Directory, Kerberos authentication
– Issue certificates to requestors (users, computers) according to the issuance policy
• Root CA, Policy CA, Issuing CA
– Manage certificate revocation
• CDP, OCSP
2.c.2. Certification Authorities - levels
• Root CA: 1 self-signed cert. (which is trusted by entities)
• Intermediate CA
• Policy CA: issues cert. to CAs
• Issuing CA: issues cert. to requestors (eg: Americas CA)
Picture from PKI and Certificate Security - Brian Komar, MS Press
2.c.3. Certification authorities - types
• Two types of MS PKI CA:
– Standalone (eg: for Root CAs)
• Ideal for offline CAs
– Enterprise (eg: policy or issuing CAs)
• Integrated into an ADDS environment
• Certificate templates support
2.c.4. Issuing CA Components
Diagram: issuing CA components
- Clients: send the certificate request (public key); receive the certificate matching their key pair
- Active Directory: authentication, template reading
- CA service (certsrv.exe): certificate generation and signature
- Policy module: inspects certificate requests and issues them according to permissions and issuance policy
- Exit module(s): wait for the information to be written
- Certificate database: certificates and information are written to it
2.d. Certificate templates
• Certificate models:
– Validity, renewal (frequency, new key?), publication
– Request (prompt user, allow private key export…)
– Cryptography (min. key length, algorithm, CSP)
– Certificate information (email, FQDN…)
– Issuance policies (under which conditions…)
– Key usage (eg. digital signature)
– Application policies
– Permissions (read, write, enroll, autoenroll)
2.d. Certificate templates (screenshot)
2.d. The relation between CAs & certificate templates
Diagram (AD objects):
- Templates container (forest-wide): permissions, enrollment requirements, certificate content, renewal
- Enrollment services objects (one per CA): CA name, CA certificate, CA template list, enrollment URL (CES)
- CA 1, CA 2 / CES, clients
2.e. PKI objects: ADDS location
Diagram: PKI objects in ADDS (Configuration Naming Context, forest-wide replication)
- Root & intermediate CA certificates
- For each issuing CA: where do they publish their CRL?
- Issuing CA certificates
- Templates
- CA hierarchy (parent CA)
- Key Recovery Agents (private key)
- Object IDentifiers (MIB): newly created certificate templates, newly created application policies, issuance policies
Thus: template permissions are set on Universal or Global security groups
2.f. AutoEnrollment - overview
• One of the best features of the MS PKI (WS2003, x.509 v2 & v3)
Diagram: autoenrollment (client user/computer, GPO, CEP URLs, ADDS containers (templates, enrollment services) reached over LDAP or ADWS https, CES url2, CA 1, CA 2)
2. On which templates is the entity allowed to autoenroll? (ACE)
3. Which CA(s) can issue that template(s)? For each CA: the templates it issues, enrollment URL (CES)
4. Enrollment template / policy cache, eg: Template 3: CA1 (DCOM); Template 19: CA1 (DCOM), url2 (CES)
Brian Komar, Deploying a PKI solution with ADCS
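Added example (my code, not from the deck nor from Brian Komar's material) serving both REMIND.b (an ACL as a list of ACEs granting rights to SIDs) and steps 2 to 4 of 2.f: compute a principal's effective rights on each certificate template (deny ACEs win over allow ACEs), keep only the templates on which Read, Enroll and Autoenroll are all granted, then resolve which enrollment service issues each of them. The domain SID, the group SIDs (except 513, Domain Users), the template names and the CES URL "url2" are constructed; the result reproduces the cache shown on the slide.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed domain and group SIDs (RIDs are made up, except 513 = Domain Users).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = f"{DOMAIN}-513"
LAPTOP_USERS = f"{DOMAIN}-1201"
CONTRACTORS = f"{DOMAIN}-1202"
PKI_ADMINS = f"{DOMAIN}-1203"

RIGHTS = {"read", "write", "enroll", "autoenroll"}   # template permissions
AUTOENROLL_NEEDS = {"read", "enroll", "autoenroll"}  # all three are required


@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    sid: str
    rights: FrozenSet[str]  # subset of RIGHTS


@dataclass
class Token:
    """What the Kerberos service ticket carries: user SID + group SIDs."""
    user_sid: str
    group_sids: Set[str]

    def sids(self):
        return {self.user_sid} | self.group_sids


@dataclass
class EnrollmentService:
    """Enrollment services object: one per CA, with the templates it issues."""
    ca_name: str
    templates: Set[str]
    dcom: bool = True        # legacy DCOM enrollment reachable
    ces_url: str = ""        # empty: no Certificate Enrollment Web Service


def effective_rights(acl: List[Ace], token: Token) -> Set[str]:
    """Union of rights allowed to any SID in the token, minus any right denied
    to any SID in the token: an explicit deny always wins."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.sid in token.sids():
            (allowed if ace.kind == "allow" else denied).update(ace.rights)
    return allowed - denied


def autoenroll_templates(templates: Dict[str, List[Ace]], token: Token):
    """Step 2: templates on which the principal holds Read+Enroll+Autoenroll."""
    return sorted(name for name, acl in templates.items()
                  if AUTOENROLL_NEEDS <= effective_rights(acl, token))


def build_policy_cache(templates, services: List[EnrollmentService], token):
    """Steps 3 and 4: for each autoenrollable template, which CA/URL issues it."""
    cache = {}
    for name in autoenroll_templates(templates, token):
        issuers = []
        for svc in services:
            if name not in svc.templates:
                continue
            if svc.dcom:
                issuers.append(f"{svc.ca_name}(DCOM)")
            if svc.ces_url:
                issuers.append(f"{svc.ces_url}(CES)")
        cache[name] = issuers
    return cache


R = frozenset
TEMPLATES = {   # constructed template ACLs
    "Template 3":  [Ace("allow", DOMAIN_USERS, R({"read", "enroll", "autoenroll"}))],
    "Template 19": [Ace("deny", CONTRACTORS, R({"autoenroll"})),
                    Ace("allow", LAPTOP_USERS, R({"read", "enroll", "autoenroll"}))],
    "Template 7":  [Ace("allow", DOMAIN_USERS, R({"read"})),
                    Ace("allow", PKI_ADMINS, R({"read", "write", "enroll"}))],
    "Template 8":  [Ace("allow", DOMAIN_USERS, R({"read", "enroll"}))],  # manual only
}
SERVICES = [
    EnrollmentService("CA1", {"Template 3", "Template 19", "Template 7", "Template 8"}),
    EnrollmentService("CA2", {"Template 19"}, dcom=False, ces_url="url2"),
]
ALICE = Token(f"{DOMAIN}-1104", {DOMAIN_USERS, LAPTOP_USERS})
BOB = Token(f"{DOMAIN}-1105", {DOMAIN_USERS, LAPTOP_USERS, CONTRACTORS})

if __name__ == "__main__":
    print(build_policy_cache(TEMPLATES, SERVICES, ALICE))
    print(build_policy_cache(TEMPLATES, SERVICES, BOB))
```

Because the template container replicates forest-wide (slide 2.e), the same evaluation is what every CA in the forest performs on an incoming request, which is why the slide insists that template permissions be placed on Universal or Global groups: a Domain Local group's SID is meaningless to a CA in another domain.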
2.f. AutoEnrollment – zoom on the client store
Diagram: client certificate stores (user / computer): Trusted Root CA, Intermediate CA
2.g. Revocation (OCSP implementation)
• ~ HTTP proxy for CRLs; fault tolerance
RFC: http://www.ietf.org/rfc/rfc2560.txt?number=2560
Diagram: Microsoft Online Responder
- Clients reach the Online Responder Array (Online resp. 1, Online resp. 2, …) via DNS round-robin, eventually NLB
- Each responder: ocspsvc.exe running as Network Service (signing, auditing); OCSP web proxy in an IIS application pool on the default website under /ocsp (request decoding, response caching)
- Signing certificate with the application policy “OCSP signing”, OID 1.3.6.1.5.5.7.3.9
- Revocation providers: the CRLs of CA_1 … CA_N
2.h. Key Recovery Agent
• Each issued private key could also be archived and made accessible to one or several recovery agents
Diagram (KRA setup):
- A key recovery agent certificate is requested
- One or several CA certificate managers validate the request
- The corresponding issuing CA(s) are configured to archive future issued keys with the KRA(s) certificate(s)
- Each time a new certificate with Key Archival enabled is requested, the user private key is archived with the KRA(s) public key(s)
2.h. Key Archival - KRA
• Ability to recover a client private key
• Involves: certificate manager(s), key recovery agent(s), issuers, CA
• CA Exchange template: automatically issued if available, for a short period of time (1 week validity, 1 day renewal)
Diagram (key archival flow between the clients, AD, certsrv, the certificate DB and CRL/OCSP):
1. Authentication, template reading
2. CA Exchange certificate request
3. CA Exchange certificate returned
4. Revocation check (CA Exchange certificate) via CRL/OCSP
5. Key pair generation
6. Certificate request (client public key) + client private key encrypted with the CA Exchange public key
7. Policy, issuance…
8. Certificate storage + client private key, each copy encrypted with one KRA public key = encrypted PKCS #7 BLOB
2.i. Enrollment agent
• Enroll a certificate on behalf of another user.
– Trust in the application/person (potential private key access)
– Eg: FIM 2010 CM / CLM 2007 smart card issuance:
1. Rida requests an enrollment agent certificate; certificate managers validate the request.
2. Alejandro's manager requests a smart card for Alejandro.
3. Rida provisions a smart card with a certificate for another user (Alejandro) and gives the card to Alejandro.
4. Alejandro re-initialises the smart card user PIN and is now able to use the card.
– Check: on a 2008 Enterprise CA, restrict which enrollment agents may enroll which templates for which users (CA properties, Enrollment Agents tab), so a stolen agent certificate cannot mint smart cards for everybody.
2.j. Microsoft CSP - Supported hash and public key algorithms
•Since Windows Vista & Server 2008:
Hash algorithms: MD2, MD4, MD5, SHA1, SHA256, SHA384, SHA512
Public key algorithms: ECDH_P256, ECDH_P384, ECDH_P521, RSA (KSP max: 16384 bits)
(MD2, MD4 and MD5 are present for compatibility only; do not sign new certificates or CRLs with them, see the weak hash threats in section 4.c.)
2.k. What’s new in ADCS 2008 & 2008 R2?
• ADCS 2008
– OCSP
– CNG support
– SCEP
• ADCS 2008 R2
– Certificate enrollment web services (CES/CEP)
– Cross-forest enrollment
– CA support on Server Core
– "Database-less" CA
2.k.1 Cryptography Next Generation
• Replacement for CryptoAPI, introdu­ced with Windows Vista
• Auditing: KSP
• Certification & compliance
• Cryptographic agility: negotiation
• Kernel mode support (eg: IPsec, TLS)
• Key storage
• Key isolation: private key operations run outside the application process (in the LSA key isolation service, or in hardware such as a TPM)
2.k.1.2. Windows cryptography system overview
• Vista
2.k.1.3. Private key storage
Private keys published to the file system (CNG directories):
Key type | CNG directory
User private | %appdata%\Microsoft\Crypto\Keys
Local System private | %allusersprofile%\Application Data\Microsoft\Crypto\SystemKeys
NetworkService / LocalService private | %windir%\ServiceProfiles\{LocalService,NetworkService}
Shared private | %allusersprofile%\Application Data\Microsoft\Crypto\Keys
(On Windows Vista / Server 2008 and later, %allusersprofile%\Application Data is a junction to %programdata%. The key files are DPAPI-protected, but the directory ACLs still decide who can copy them for an offline attack.)
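A review of the directories in the table, as an added example (not from the deck). It assumes the junction noted above and that service-profile keys live under <profile>\AppData\Roaming\Microsoft\Crypto\Keys; the list of "broad" principals is an assumption to adapt to the host's baseline.

```powershell
# Added example (not from the deck): inventories the CNG key directories from
# the table above and reports who may read them. Assumptions: on Vista/2008
# and later "%allusersprofile%\Application Data" resolves to %ProgramData%,
# and service-profile keys sit under <profile>\AppData\Roaming\Microsoft\Crypto\Keys.

function Get-CngKeyDirectory {
    # One row per directory: key type, path, existence, number of key files and
    # the ACL entries that grant access.
    $dirs = @(
        @{ KeyType = 'User private';         Path = Join-Path $env:APPDATA     'Microsoft\Crypto\Keys' }
        @{ KeyType = 'Local System private'; Path = Join-Path $env:ProgramData 'Microsoft\Crypto\SystemKeys' }
        @{ KeyType = 'Shared private';       Path = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys' }
    )
    foreach ($svc in 'LocalService', 'NetworkService') {
        $dirs += @{ KeyType = "$svc private"
                    Path    = Join-Path $env:windir "ServiceProfiles\$svc\AppData\Roaming\Microsoft\Crypto\Keys" }
    }
    foreach ($d in $dirs) {
        $exists = Test-Path -LiteralPath $d.Path
        $files  = 0
        $allow  = @()
        if ($exists) {
            $files = @(Get-ChildItem -LiteralPath $d.Path -Force | Where-Object { -not $_.PSIsContainer }).Count
            $allow = @((Get-Acl -LiteralPath $d.Path).Access |
                       Where-Object { $_.AccessControlType -eq 'Allow' } |
                       ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)" })
        }
        New-Object PSObject -Property @{
            KeyType = $d.KeyType; Path = $d.Path; Exists = $exists; KeyFiles = $files; Allow = $allow
        }
    }
}

function Test-KeyDirectoryExposure {
    # Flags key directories readable by broad groups. The key files are still
    # DPAPI-protected, but read access lets an attacker copy the blobs and
    # attack them offline, so access should be limited to the owner and SYSTEM.
    param([string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'))
    foreach ($row in Get-CngKeyDirectory) {
        if (-not $row.Exists) { continue }
        foreach ($entry in $row.Allow) {
            $who, $rights = $entry -split '\|', 2
            if ($BroadPrincipals -contains $who -and $rights -match 'Read|Modify|FullControl') {
                New-Object PSObject -Property @{ Path = $row.Path; KeyFiles = $row.KeyFiles; Principal = $who; Rights = $rights }
            }
        }
    }
}

Get-CngKeyDirectory      | Format-Table KeyType, Exists, KeyFiles, Path -AutoSize
Test-KeyDirectoryExposure | Format-Table Principal, Rights, KeyFiles, Path -AutoSize
```

Run it as an administrator to see the SYSTEM and service directories; a non-empty second table is the list of places whose ACL needs explaining in the audit report.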
2.k.2. ADCS Role: Network Device Enrollment Service (NDES) - Simple Certificate Enrollment Protocol (SCEP, originally from Cisco)
• WS 2003: add-on; WS 2008 Certificate Services: integrated role service
• Application: deploy certificate on non-domain
joined computers (eg: Cisco switches, routers, Apple iPad!)
NDES enrollment flow (actors: device admin, device, NDES, CA - ADCS, DC - ADDS):
1. Key pair creation on the device.
2.A. The device admin requests a challenge password from NDES; 2.B. NDES checks the admin's permissions against the DC.
3. The admin sets the password on the device.
4. The device sends its certificate request (carrying the challenge password) to NDES.
5. NDES, acting as registration authority, forwards the request to the CA.
6. The CA issues the certificate.
7. NDES returns the certificate to the device.
2.k.3. Certificate Web Services: cross-forest enrollment
• Why?
• Enrollment Web Service
• Cross-forest enrollment
2.k.3.1. Cert. WS - Why?
• Corporates merging: "how to extend PKI trust outside the AD forest?"
– Deploy the other forest's Root CA cert. in the Trusted Root CA store
– Allow firewall flows: revocation (SMB, LDAP, HTTP) and enrollment (... DCOM!)
– Permissions: grant the other forest's users the ability to enroll
– Problems: firewall traffic blocked; corporate mindset "security = network"
• Another solution: ADCS Certificate Web Services (CES/CEP) over HTTPS
2.k.3.2. CA Enrollment WS –protocols
CES/CEP protocol flow (actors: user or computer, Certificate Enrollment Policy WS, Certificate Enrollment WS, Active Directory, Certification Authority):
- Client -> Policy WS: get policy, over HTTPS with Kerberos authentication
- Policy WS -> Active Directory: LDAP (template and enrollment policy lookup)
- Client -> Enrollment WS: request certificates, over HTTPS with Kerberos authentication
- Enrollment WS -> Certification Authority: DCOM (the CA itself stays behind the firewall)
(Kerberos is shown; username/password and client certificate authentication are also possible, cf. the *_UsernamePassword IIS endpoints in 4.d.1.2.)
2.k.3.3 Cross forest enrollment
• Ability to issue cert beyond the forest
• Requires: ADDS domain schema: 2008R2
Diagram: a resource forest (Active Directory at domain level 2008 R2, Root CA, ADCS with the enrollment web services CES/CEP) and a second forest (Active Directory), linked by a trust relationship; the resource forest issues certificates to the other forest's principals.
2.k.4. Database less CA
• Some issued certificates are not stored in the CA DB
• Why? Eg: Network Access Control for 90,000 computers with 15 min. IPsec cert. validity: 90,000 / 15 = 6,000 issued certs/min => reduces the storage and processing overhead
• Configurable per v2 & v3 certificate template ("Do not store certificates and requests in the CA database")
• Caveat: such certificates cannot be revoked individually, since the CA keeps no record of them; keep their lifetime short.
3. Establishing a MS PKI … and maintaining it!
- Conception
- Deployment
- Maintaining in operational conditions
3.a. Conception
• CA (hierarchy, geography, dimensioning, key escrow (HSM))
• Disaster recovery (key archival)
• Role separation
• Policies: security, certificate, CPS
• Identify: applications, ACL
• Revocation
• Training: IT administrators
3.a.1. CAs infrastructure
• Tier: Two or Three? (Root, policy, issuing)
• Type: Standalone / Enterprise?
• Model examples:
• Model examples: Root CA with policy CAs split by geography/network (MADRID, SYDNEY...), business unit (Defense, Banking...), subscriber type (computers, users...) or certificate use (WPA2, S/MIME...)
(Brian Komar, deploying a PKI solution with ADCS)
3.a.1. CA infrastructure
• Dimensioning:
– Estimate the workload (certificate templates: issuing and renewal frequency, population, key length: key pair generation duration, network, other servers' load (eg: authentication))
– CPU peak workload goal: 80%; 90% at most
– RAM, fast storage (SSD, iSCSI, SCSI 10K RPM)
• Key escrow: HSM; at least X secret holders out of Y are needed to access the CA private key stored in the HSM
http://blogs.technet.com/b/pki/archive/2010/01/12/windows-ca-performance-numbers.aspx
3.a.1. CA infrastructure dependencies
• ! A MS PKI relies on:
– Computer naming system: DNS
– Identity provider: ADDS
• => High availability of these services
• Key exchange:
– CSP, KSP: which Windows version?
3.a.2. Role separation
• Common Criteria CIMC roles (Certificate Issuing and Management Components protection profile, security level 4):
– CA administrator: assign CA roles, configure auditing, delete a record, start/stop certsrv.exe, define CA admins
– Certificate manager: approve/deny certificate requests, extract archived private keys, determine KRA
– Backup operator: CA config, DB and key pair backup
– Auditor: review the event log
• Enforce role separation:
certutil -setreg CA\RoleSeparationEnabled 1
(then restart certsrv; check with certutil -getreg CA\RoleSeparationEnabled)
!! Once enforced, a person who holds two or more roles is blocked from every CA management operation !!
3.a.3. Disaster Recovery (REMIND: KRA)
• Each issued private key can also be archived and made accessible to one or several recovery agents (see 2.h):
1. A key recovery agent certificate is requested; one or several CA certificate managers validate the request.
2. The corresponding issuing CA(s) are configured to archive future issued keys with the KRA certificate(s).
3. Each time a new key pair is generated, the new private key is archived, encrypted with the KRA public key(s).
3.a.4. Policies: security, certificate, CPS
Security policy: how to address the corporate risks? (eg ISO 27002 measures)
Certificate policy (RFC 3647, certificate management): regroups certificate templates in classes, segregated by identity validation, allowed transactions/operations and private key storage
Certification Practice Statement, CPS (RFC 3647, CA management): how the CAs are managed to ensure the assurance levels defined in the certificate policy
= Public rules that govern a PKI
3.a.5. Identity: applications, ACL
• Which applications will rely on the PKI?
– Which kind of Application Policy (OID)?
– Key usage
– Issuing requirements
– Related to the Certificate Policy!
• To whom will we issue such certificate?
– Template ACL
3.a.6. Planning revocation
• Make revocation checking accessible from outside the company!
• BEFORE issuing certificates!
• => In case a smart card / valuable certificate is stolen or lost.
• Conceive procedures, train the actors
• Whom to alert?
– logical access team
– the user's manager
• How fast to react?
– It depends on the criticality of the protected assets
• How to react?
– Revoke the certificate
– Force delta CRL publishing
– [Eventually] force CRL refreshing on computers
– [Eventually] recover the user's encrypted documents, using the KRA
– Generate a new smart card & key pair for the user
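The "How to react?" steps, scripted. This is an added example, not the deck's code; it relies on certutil verbs present on Windows Server 2008 R2. The CA config string, serial number, certificate file and reason default are assumptions.

```powershell
# Added example (not from the deck): the revocation steps above as a script
# around certutil. Assumed values: CA config string, serial number of the
# lost smart card certificate, and a file copy of that certificate for the
# final client-side check.
param(
    [string]$CaConfig = 'ca01.corp.example\Corp Issuing CA 1',   # assumed
    [string]$Serial   = '61c3a1f200000000000b',                  # assumed
    [string]$CertFile = 'C:\ir\lost-smartcard.cer',               # assumed
    [ValidateSet('Unspecified', 'KeyCompromise', 'CACompromise', 'AffiliationChanged',
                 'Superseded', 'CessationOfOperation', 'CertificateHold')]
    [string]$Reason   = 'KeyCompromise'
)

# RFC 5280 CRLReason codes, as certutil -revoke expects them.
$ReasonCode = @{ Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3
                 Superseded = 4; CessationOfOperation = 5; CertificateHold = 6 }

function Invoke-CaCommand {
    # Every CA-side call goes to the configured CA and throws on failure.
    param([string[]]$Arguments)
    $out = & certutil.exe -config $CaConfig @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed: $out" }
    $out
}

function Revoke-LostCertificate {
    # Step 1: revoke. CertificateHold (6) is the only reason that can later be
    # undone (certutil -revoke <serial> -1); use it while the card may still
    # turn up, KeyCompromise once it is clear that it will not.
    Invoke-CaCommand @('-revoke', $Serial, [string]$ReasonCode[$Reason]) | Out-Null
    # Step 2: publish a delta CRL now instead of waiting for the schedule.
    # Clients only consult it if the base CRL carries a Freshest CRL extension,
    # and an Online Responder serves the new status only after it reloads the CRL.
    Invoke-CaCommand @('-crl', 'delta') | Out-Null
    # Confirm from the CA database: disposition 21 is "Revoked".
    $row = Invoke-CaCommand @('-view', '-restrict', "SerialNumber=$Serial", '-out', 'RequestID,Disposition')
    return (($row -join "`n") -match 'Revoked')
}

function Update-ClientRevocationCache {
    # Step 3, run as administrator on each machine that cached the old CRL
    # (the user's workstation, the VPN gateway...): drop the cached CRLs and
    # force the chain engine to refetch on next use. Both verbs are local only.
    & certutil.exe -urlcache crl delete | Out-Null
    & certutil.exe -setreg 'chain\ChainCacheResyncFiletime' '@now' | Out-Null
    # Step 4: the lost certificate must now fail revocation checking.
    $verify = (& certutil.exe -verify -urlfetch $CertFile 2>&1) -join "`n"
    return ($verify -match 'revoked')
}

if (Revoke-LostCertificate) {
    Write-Output "Serial $Serial revoked ($Reason), delta CRL published"
    if (Update-ClientRevocationCache) { Write-Output "Client now sees $CertFile as revoked" }
    else { Write-Warning "Client still accepts $CertFile: check CDP reachability and CRL caching" }
}
# Steps 5 and 6 (recover the user's encrypted documents through the KRA,
# issue a new smart card and key pair) are separate, people-driven procedures.
```

The last check matters more than the first: a revocation that no relying party can see within the CRL validity window is, for the attacker holding the card, no revocation at all.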
3.a.7. Training: IT administrators
• What is a PKI?
• Which applications rely on the PKI?
• Who holds which roles?
• How to manage the CA(s)?
• ! Revocation !
• Temporary SC: prevent end-users from using 2 smart cards!
3.b. Deployment
• The Root Key Ceremony
• Training: end-users
• Issuing certificates
3.b.1. The Root Key ceremony
• Depending on the Certificate Policy:
– Notarization, legal representation, witnesses
– "Key holders"
• = start of the customer PKI!
• Issuing "policy CA" certificates
• Offline, physically secured (not a VM!)
The Root CA private key is generated, stored in the HSM, and protected by a SPLIT secret: at least X key holders out of Y have to be present with their secret to unlock the private key (eg: Shamir's polynomial scheme, Blakley's hyperplane scheme).
3.b.2. Training: end-users
• Legal stakes (eg: digital signature)
• (Technical basics ... for usage!)
• Process:
– Do not ignore certificate warnings!
– Do not store the SC PIN with your SC!
– Tell quickly when you lose your SC!
– Do not use both your temporary SC and your permanent one!
– Protect your private keys and do not store them on unencrypted media!
3.b.3. Issuing certificates
• Client configuration:
– Enrollment policy locations: GPO
– Auto-enrollment: GPO
• Communicating processes:
– CPS (link within the issued certificate)
– eg: smart card issuance, smart card loss
• ... Maintaining the infrastructure
3.c. Maintaining
- Certificate renewal
- Events monitoring
- Disaster recovery (see 3.a.3)
- Revoking certificates (see 3.a.6)
3.c.1. Certificate renewal – two problems
• A. Key pair renewal
– eg: OCSP response signing or IPsec communication
The problem (CA with an OCSP responder; a user willing to check the revocation status of a certificate): during the renewal period, the client sends an OCSP request with a nonce and expects a response signed with the K1 key pair; the responder answers with a response signed with the new K2 private key; the client, which only trusts the K1 certificate, cannot validate the answer.
• Some strategies:
– closing the connection with the old key pair and reopening it with the new one
– responding with the previous K1 key pair ... until when? (expiration?)
– using the same key pair when renewing
3.c.1. Cert. Renewal – Lifetime expiration
• B. Lifetime expiration
– Eg: issuing CA
– Issuing CA cert. validity period has to be greater than the longest validity period of the cert. templates issued by that CA (ADCS truncates an issued certificate to the CA certificate's expiration date)
– Renewal period has to be shorter ... but not too much! (potential lo… and errors increase)
• Why renew?
– Computational power increases => hash functions & private keys become subject to collision and brute-force attacks
• Parameters specific to each certificate template!
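Rule B checked against Active Directory, as an added example (not code from the deck). It assumes the CA's common name in AD and uses example thresholds for the renewal window.

```powershell
# Added example (not from the deck): checks rule B above against AD. It reads
# the CA certificate and the templates the CA publishes from its
# pKIEnrollmentService object, decodes each template's pKIExpirationPeriod
# (validity) and pKIOverlapPeriod (renewal period), and flags templates whose
# validity no longer fits into the CA certificate's remaining lifetime.
# Assumption: $CaName is the CA's common name in AD; thresholds are examples.
param([string]$CaName = 'Corp Issuing CA 1')   # assumed

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian negative
    # intervals in 100 ns ticks.
    param([byte[]]$Bytes)
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Test-TemplateValidity {
    # Pure rule check, usable without AD: is the template's validity still
    # covered by the CA certificate, and is the renewal window sensible?
    param([TimeSpan]$Validity, [TimeSpan]$Overlap, [datetime]$CaNotAfter, [datetime]$Now = (Get-Date))
    $remaining = $CaNotAfter - $Now
    New-Object PSObject -Property @{
        Truncated       = ($Validity -gt $remaining)                 # issued certs would be cut short
        OverlapTooLarge = ($Overlap -ge $Validity)                   # renewal would never settle
        OverlapTooSmall = (($Overlap -lt [TimeSpan]::FromDays(7)) -and ($Validity -gt [TimeSpan]::FromDays(90)))
        RenewCaBy       = ($CaNotAfter - $Validity)                  # last day the CA can issue full-length certs
    }
}

function Get-CaTemplateReport {
    $root    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $svc     = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$root"
    $caCert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$svc.Properties['cACertificate'][0])
    $tplRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$root"
    foreach ($name in $svc.Properties['certificateTemplates']) {
        $tpl      = $tplRoot.Children.Find("CN=$name")
        $validity = ConvertFrom-PkiPeriod ([byte[]]$tpl.Properties['pKIExpirationPeriod'][0])
        $overlap  = ConvertFrom-PkiPeriod ([byte[]]$tpl.Properties['pKIOverlapPeriod'][0])
        $check    = Test-TemplateValidity $validity $overlap $caCert.NotAfter
        New-Object PSObject -Property @{
            Template = $name; ValidityDays = [int]$validity.TotalDays; RenewalDays = [int]$overlap.TotalDays
            CaNotAfter = $caCert.NotAfter; RenewCaBy = $check.RenewCaBy; Truncated = $check.Truncated
            OverlapTooLarge = $check.OverlapTooLarge; OverlapTooSmall = $check.OverlapTooSmall
        }
    }
}

Get-CaTemplateReport | Sort-Object RenewCaBy |
    Format-Table Template, ValidityDays, RenewalDays, Truncated, RenewCaBy, OverlapTooLarge, OverlapTooSmall -AutoSize
```

RenewCaBy is the operational output: the earliest date in that column is when the issuing CA certificate itself has to be renewed, or the longest-lived template starts producing silently shortened certificates.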
3.c.2. Events monitoring
• Centralize, aggregate, and perform pro-active monitoring on PKI logs:
– CA: issuing, revocation, template, permission, backup, roles, recovery ...
– Active Directory: authentication, DNS
– Client: key usage, missing private key
• Ideally integrate it into a SIEM.
– Management packs exist for SCOM 2007, 2010
• Useful for forensics
• Standard Windows events. See 4.d. and http://technet.microsoft.com/en-us/library/cc731523(WS.10).aspx
4. Auditing a PKI
- Why & when auditing a PKI?
- Useful documents
- Some threats (process, implementations, services,
operations, cryptography)
- Obtaining technical proofs
4.a.1. WHY auditing a PKI?
• Justify the trust in the PKI:
– For insurers, regulators: legal compliance (EU Signature Directive, EU Data Protection Directive, France: CNIL, payment: PCI DSS, SAS 70)
– For the superior CA: prove compliance
– For subscribers/customers/users: they may request it
=> Show that operations are performed according to the CPS, and in accordance with the Certificate Policy
• Corporate image, marketing argument
– ISO 27002 compliance, chapter 12
4.a.2. WHEN auditing a PKI?
• During / straight after the Root Key Ceremony
• Periodically, according to the CP & CPS
• In case of a major change (CA modification, new solution)
• When a disaster happens
4.b. Useful documents
• You should ask the customer for:
– Threat & risk assessment
– The Root Key Generation process
– Certificate Policy
– Certification Practice Statement
• Interesting reading material:
– PAG, PKI Assessment Guidelines
– PKIX IETF Working Group: RFCs
4.c. Some threats
- Process
- Certificate implementations
- Services
- Operations
- Cryptography
4.c.1. Threats - Process
• Private key protection: Root CA, each CA
– Physical security (virtual machine? offline server?)
– How many people are needed to unlock it? (HSM?)
• Role separation:
– Enabled? Administrator, certificate managers, backup, auditor +
• Key Recovery Manager: approval process
• Enrollment Agent: how is that account secured?
• Revocation: is it performed? (alert, execution, spreading)
• Training users: not to ignore certificate errors; if possible, technical enforcement
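A read-only audit of the CA settings behind this checklist and behind the role-separation slide (3.a.2), as an added example that is not the deck's code. It reads the CA registry through certutil -getreg and the Security audit policy through auditpol; it assumes it runs on the CA (or with a config string) as a user allowed to read the CertSvc registry, and parses English tool output.

```powershell
# Added example serving 3.a.2 (role separation) and the process checklist
# above: read-only audit of role separation, audit filter, KRA count and CRL
# schedule via certutil -getreg, plus the Security audit subcategory that
# must be on for CA events to be written. Not code from the deck.
# Assumptions: run on the CA (or with -config) with read access to the CertSvc
# registry; certutil and auditpol output parsed in their English form.
param([string]$CaConfig = '')   # empty = local CA; or 'host\CA name'

function Get-CaRegValue {
    # Parses certutil -getreg output such as "AuditFilter REG_DWORD = 7f (127)",
    # "RoleSeparationEnabled REG_DWORD = 1" or "CRLPeriod REG_SZ = Days".
    # Returns $null when the value is absent from the registry.
    param([string]$Name)
    $cfg = @(); if ($CaConfig) { $cfg = @('-config', $CaConfig) }
    $out = & certutil.exe @cfg -getreg "CA\$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $text = $out -join "`n"
    if ($text -match "$Name\s+REG_DWORD\s*=\s*(?:0x)?([0-9a-f]+)(?:\s*\((\d+)\))?") {
        if ($matches[2]) { return [int]$matches[2] }
        return [Convert]::ToInt32($matches[1], 16)
    }
    if ($text -match "$Name\s+REG_SZ\s*=\s*(.+)") { return $matches[1].Trim() }
    return $text
}

# AuditFilter bits (CA properties > Auditing tab); 127 enables all seven.
$AuditBits = @{ 1 = 'Start and stop ADCS';                  2 = 'Back up and restore the CA database'
                4 = 'Issue and manage certificate requests'; 8 = 'Revoke certificates and publish CRLs'
                16 = 'Change CA security settings';          32 = 'Store and retrieve archived keys'
                64 = 'Change CA configuration' }

function New-Finding {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-CaConfiguration {
    # One finding per check, so output can be diffed between audits.
    $rs = Get-CaRegValue 'RoleSeparationEnabled'
    New-Finding 'Role separation enforced' ($rs -eq 1) "RoleSeparationEnabled=$rs"

    $af = Get-CaRegValue 'AuditFilter'; if ($af -eq $null) { $af = 0 }
    $missing = @($AuditBits.Keys | Where-Object { ($af -band $_) -eq 0 } | ForEach-Object { $AuditBits[$_] })
    New-Finding 'All CA audit categories on' ($af -eq 127) "AuditFilter=$af; missing: $($missing -join ', ')"

    $kra = Get-CaRegValue 'KRACertCount'
    New-Finding 'Key archival configured' ($kra -gt 0) "KRACertCount=$kra (a finding only if archival is intended)"

    $deltaUnits = Get-CaRegValue 'CRLDeltaPeriodUnits'
    $sched = "base CRL every {0} {1}; delta CRL every {2} {3}" -f (Get-CaRegValue 'CRLPeriodUnits'), (Get-CaRegValue 'CRLPeriod'),
                                                                 $deltaUnits, (Get-CaRegValue 'CRLDeltaPeriod')
    New-Finding 'Delta CRL published' ($deltaUnits -gt 0) $sched

    # Without this subcategory the AuditFilter bits write nothing to the Security log.
    $pol = (& auditpol.exe /get /subcategory:'Certification Services' 2>&1) -join "`n"
    $setting = 'unknown'
    if ($pol -match 'Certification Services\s+(.+)') { $setting = $matches[1].Trim() }
    New-Finding 'Audit policy: Certification Services' ($setting -eq 'Success and Failure') $setting
}

Test-CaConfiguration | Format-Table Ok, Check, Detail -AutoSize
```

Every "False" row maps to a question on the slide: role separation not enforced, an audit category off, no delta CRL, or an audit policy that silently drops the CA's events.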
4.c.2. Threats – Certificate implementations
• ASN.1/DER parsing: certificates, CRLs => fuzzing
• PKCS #x API vulnerability?
• Revocation implementation: reachable? Up to date?
• Template design: is the CP adequate regarding the criticality of the issued certificates?
– Asymmetric algorithms + key length, signature algorithm
– ACL
• Private keys: key cloning, key encryption? (backup, duplication)
• Client design & configuration:
– does it respect the template?
– does it check revocation correctly?
– what happens on a revocation error (fail open or fail closed)?
- Attacking Certificate infrastructures www.canola-jones.com/material/candj-rsa050218.pdf
4.c.3. Threats – Certificate services
• Revocation:
– availability: OCSP, CRL
– integrity:
• OCSP replay attack => nonce protection
• time attacks (cert. expiration date, revocation)
• Corrupted DNS: service location often relies on it!
• Dimensioning of issuing CAs: Computational & storage cost
• "classic" Windows Server security
• Client security: trusted Root CA store, private key storage
4.c.4. Threats – Certificate operations
• Private key:
– Theft: revocation speed, propagation, check?
– Storage: export, storing on unencrypted medium, valuable key protected by an easier-to-crack secret (eg: weak password policy)
• CA management: conforms to the CPS?
– Backup, administration ...
• Client management: encrypted FS, private key ACL, cache on the FS storing the smart card private key?
• Weak hash functions used: MD5 collisions O(2^21); SHA-1 collisions O(2^51)
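A scan of the local certificate stores for the weak parameters named above, as an added example (not from the deck). The store list and the 2048-bit RSA threshold are assumptions to align with the CP.

```powershell
# Added example (not from the deck): scans local certificate stores for weak
# signature hashes (MD2/MD4/MD5/SHA-1) and short RSA keys. The store list and
# the 2048-bit threshold are assumptions; adjust them to the Certificate Policy.

function Test-WeakCertificate {
    # Pure classification of one certificate; returns '' when nothing is wrong.
    # A self-signed root is reported separately: its own signature is never
    # verified (trust comes from the store), so an MD5 root is less urgent than
    # an MD5 leaf issued by it.
    param([string]$SignatureAlgorithm, [int]$KeySize, [bool]$SelfSigned)
    $issues = @()
    if ($SignatureAlgorithm -match '^(md2|md4|md5|sha1)') {
        if ($SelfSigned) { $issues += 'weak hash (self-signed root, informational)' }
        else             { $issues += "weak hash ($SignatureAlgorithm)" }
    }
    if ($SignatureAlgorithm -match 'RSA' -and $KeySize -gt 0 -and $KeySize -lt 2048) {
        $issues += "RSA key only $KeySize bits"
    }
    return ($issues -join '; ')
}

function Find-WeakCertificate {
    param([string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA',
                                'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My'))
    foreach ($store in $Stores) {
        foreach ($c in @(Get-ChildItem $store -ErrorAction SilentlyContinue)) {
            $size = 0
            try { $size = $c.PublicKey.Key.KeySize } catch { }   # CNG-backed keys may throw on older hosts
            $issue = Test-WeakCertificate $c.SignatureAlgorithm.FriendlyName $size ($c.Subject -eq $c.Issuer)
            if ($issue) {
                New-Object PSObject -Property @{
                    Store = $store; Subject = $c.Subject; Algorithm = $c.SignatureAlgorithm.FriendlyName
                    KeyBits = $size; NotAfter = $c.NotAfter; Issue = $issue
                }
            }
        }
    }
}

Find-WeakCertificate | Sort-Object NotAfter | Format-Table Issue, Algorithm, KeyBits, NotAfter, Subject -AutoSize
```

Run it on the CA (its own certificate and the CRL signing algorithm matter most) and on a sample of clients; a SHA-1 or MD5 row with a NotAfter far in the future is a renewal to schedule now, not at expiry.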
4.c.5. Threats - Cryptography
• Assumption: "hardness of a specific mathematical problem" (eg: prime factoring, discrete logarithm ...)
– Asymmetric crypto: what is the impact of
• mathematical discoveries in computational number theory?
• new ways of computing such problems? (eg: quantum computing)
• the increase of computing power (cloud, botnet)?
• Hash functions: similar fears
– (eg: preimage attack, collision, second preimage attack)
• Random number generation: is the entropy good enough? (time, temperature sensors, mouse ...)
Stephane Manuel, Classification and Generation of Disturbance Vectors for Collision Attacks against SHA-1
4.d. Obtaining technical proofs
• Services: health, web bindings
• Windows events
4.d.1.1. Services - Health
• Basic services configuration errors
• PKIView.msc
4.d.1.2. Services / web bindings
• Default configuration:
Role | Host | Service / process | Default identity | Dependencies
ADCS service | (Windows service) | Certsrv.exe | Local System | NO/NO
OCSP service | (Windows service) | Ocspsvc.exe | Network Service | NO/NO
Web enrollment | IIS default website | /certsrv | ApplicationPoolIdentity |
CEP | IIS default website | /ADPolicyProvider_CEP_UsernamePassword | ApplicationPoolIdentity |
CES | IIS default website | /%CA_NAME%_CES_UsernamePassword | ApplicationPoolIdentity |
4.d.2.1. Proofs - events - graphically
• Eventvwr.msc
• Default custom view:
• Examples:
4.d.2.2. Audit – events – under the hood
• Mainly stored in the "Application" log
• ADCS filter:
4.d.2.2. Audit – events – under the hood 2
• Interesting logs: Application, Security
• Required right: Read permission on HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application (the Security log is readable by default only by administrators and the Event Log Readers group)
• Default permissions:
4.d.2.3. Audit-Events – command line
• Examples (continued)
• Example using XML filter
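An XML-filter query over both logs, as an added example (not from the deck). It assumes the Security event IDs Microsoft documents for the "Certification Services" audit subcategory on Windows Server 2008 R2, and that the CA audit filter and that audit subcategory are enabled; verify the IDs against your own log before alerting on them.

```powershell
# Added example for the event-based checks above (XML filter, Application and
# Security logs). Not code from the deck. Assumption: the Security event IDs
# below are the ones Microsoft documents for the "Certification Services"
# audit subcategory on Windows Server 2008 R2; confirm them on your CA.
$EventMeaning = @{
    4870 = 'Certificate revoked';                    4871 = 'CRL published'
    4872 = 'Delta CRL published';                    4880 = 'Certificate Services started'
    4881 = 'Certificate Services stopped';           4883 = 'Archived key retrieved'
    4885 = 'Audit filter changed';                   4886 = 'Certificate request received'
    4887 = 'Request approved and certificate issued'; 4888 = 'Request denied'
    4890 = 'CA security settings changed';           4897 = 'Role separation enabled'
}

function Get-CaAuditEvent {
    # Security: the CA audit events above since $Since. Application: errors and
    # warnings from the CA itself (Level 1-3), which cover failures such as an
    # unreachable CRL distribution point or a missing KRA certificate.
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$ComputerName = $env:COMPUTERNAME)
    $ms  = [long]((Get-Date) - $Since).TotalMilliseconds
    $ids = ($EventMeaning.Keys | ForEach-Object { "EventID=$_" }) -join ' or '
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and ($ids) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
  <Query Id="1" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Microsoft-Windows-CertificationAuthority'] and (Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml ([xml]$xml) -ComputerName $ComputerName -ErrorAction SilentlyContinue
}

function Get-CaAuditSummary {
    # Count per event ID plus the newest occurrence and its first message line:
    # a one-screen answer to "who revoked, issued or recovered what since yesterday".
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-CaAuditEvent -Since $Since | Group-Object Id | ForEach-Object {
        $newest  = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        $meaning = $EventMeaning[[int]$_.Name]
        if (-not $meaning) { $meaning = "$($newest.ProviderName) (level $($newest.Level))" }
        New-Object PSObject -Property @{
            Id      = [int]$_.Name
            Count   = $_.Count
            Meaning = $meaning
            Newest  = $newest.TimeCreated
            Summary = ($newest.Message -split "`n")[0]
        }
    } | Sort-Object Id
}

Get-CaAuditSummary | Format-Table Id, Count, Meaning, Newest, Summary -AutoSize
```

The same FilterXml can be pasted into a custom view in Eventvwr.msc or fed to a SIEM collector; counts of 4883 (key retrieved) and 4885/4890 (audit or security settings changed) are the ones worth a standing alert.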
4.d.4. Auditing Key Storage Provider events
On a CA, as a local system administrator:
auditpol /set /subcategory:"other system events" /success:enable /failure:enable
- Then restart ADCS
5. Beyond the Microsoft PKI
• PKI challenges
• Other commonly used PKI
• Beyond the PKI model
5.a. PKI challenges
• Education: user, trainer, IT pro
• Legal, patents and national security (eg. BitLocker, US government)
– Privacy compromises: PII, PKI & biometrics?
• Technical:
– Revocation: CRL (bandwidth), OCSP (latency)
– Private key protection (eg: single-factor authentication mechanism, weak password ...)
– Intense computations
– Assumptions: computational number theory, naming context, computational power!
• Management costs: ... PKI as a service? (eg. Verisign)
5.b. Other commonly used PKI
PKI systems
• OpenSSL
• OpenTrust
• OpenCA
• PGP Cert. server
• Entrust
• RSA
• Digital trust
• Cybertrust
• Spyrus
• Centrify (Mac OS X)
• Red Hat Certificate System
• IBM (z/OS)
• ...
PKI services
• Verisign
• Globalsign
• Verizon
• ...
5.c. Beyond the PKI model?
• A major problem:
– "user click fatigue": too many Root CAs + difficulty to push them
... while "focus on the user and all else will follow" (Google)
• X.509 v3 supports additional trust topologies:
– Bridges (trust the nodes which the peers I trust do trust) (~ social-network trust)
– Meshes (dynamically trust a selected subset of nodes): PGP
• Concept: an object's (certificate's) integrity is protected by a separate object (the signature): how to merge them into one?
6. References
- Windows Server 2008 PKI and Certificate Security, Brian Komar, MS Press
- Technet: http://technet.microsoft.com
- Wikipedia
- MCTS 70-640, Active Directory, MS Press
- PKI Enhancements in Windows 7 and WS2008R2, John Morello
- PKI in practical use: http://kenya.connect-soft.com/PKI%20in%20practical%20use.pdf
- http://www.verisign.com/authentication/information-center/authentication-resources/whitepaper-cost-effective-pki.pdf
- Attacking Certificate infrastructures: www.canola-jones.com/material/candj-rsa050218.pdf
- http://blogs.technet.com/b/pki/archive/2010/01/12/windows-ca-performance-numbers.aspx
- PAG, PKI Assessment Guidelines
Thanks for your attention!
http://esec.fr.sogeti.com