Presented at NREAC 2018, 2/21/2018

Jay Ferron

CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM…

[email protected]

blog.mir.net

Digital Certificates & Signatures

Spear Phishing



What Is a PKI?

The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions.

Requirement       PKI solution
Confidentiality   Data encryption
Integrity         Digital signatures
Authenticity      Hash algorithms, message digests, digital signatures
Nonrepudiation    Digital signatures, audit logs
Availability      Redundancy

Components of a PKI

• Certification Authority
• Certificate and CA management tools
• Certificate and CRL distribution points
• Certificate templates
• Digital certificates
• Certificate revocation list (CRL)
• Public key-enabled applications and services


PKI Tools

Category       Tools
MMC            Certificates console; Certificate Templates console; Certification Authority console
Command line   Certutil.exe; Certreq.exe
Resource kit   Key Recovery Tool; PKI Health Tool
Programmatic   CryptoAPI; CAPICOM (CAPICOM is deprecated; new code should use CNG or the .NET System.Security.Cryptography classes)

Introduction to Cryptography

• Encryption Keys

• How Does Symmetric Encryption Work?

• How Does Public Key Encryption Work?

• How Does Public Key Digital Signing Work?

Encryption Keys

Key type     Description
Symmetric    The same key is used to encrypt and decrypt the data. It protects the data from interception for as long as the key itself stays secret.
Asymmetric   Consists of a public key and a private key. The private key is protected; the public key is widely distributed. Data encrypted with the public key can only be decrypted with the private key, and a signature produced with the private key can be verified by anyone holding the public key.


How Does Symmetric Encryption Work?

[Diagram: original data, encrypted to cipher text and decrypted back to the original data, with the same key at both ends]

Symmetric encryption:

• Uses the same key to encrypt and decrypt
• Is often referred to as bulk encryption, because it is fast enough to protect the data itself
• Is only as secure as the key: anyone who obtains the symmetric key can decrypt the data, which is why the key has to be exchanged through a protected channel

How Does Public Key Encryption Work?

This is a hybrid scheme: the public key only ever protects the symmetric key, never the bulk data.

Step   Process
1.     The recipient's public key is retrieved (normally from her certificate)
2.     The data is encrypted with a freshly generated symmetric key
3.     The symmetric key is encrypted with the recipient's public key
4.     The encrypted symmetric key and the encrypted data are sent to the recipient
5.     The recipient decrypts the symmetric key with her private key
6.     The data is decrypted with the symmetric key

How Does Public Key Digital Signing Work?

Step   Process
1.     The data is passed through a hash algorithm, producing a hash value
2.     The hash value is signed with the sender's private key (for RSA this is usually described as encrypting the hash with the private key)
3.     The sender's certificate, the signed hash value, and the original data are sent to the recipient
4.     The recipient recovers the hash value from the signature with the sender's public key, which she trusts only after validating the sender's certificate against a trusted root (see the lesson on certificates and CAs)
5.     The received data is passed through the same hash algorithm, and the two hash values are compared; any change to the data makes the comparison fail
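The two procedures above, carried out end to end with the .NET cryptography classes from PowerShell 7. This is an added example and not code from the slides; it generates the key pairs on the spot instead of taking them from CA-issued certificates, and the message is a constructed sample.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example, not from the deck. Requires PowerShell 7 (.NET 6 or later) for AesGcm.
# Constructed sample message; in a real deployment the key pairs live in certificates issued by the CA.
$data = [Encoding]::UTF8.GetBytes('Q3 results attached. Internal only.')

$recipient = [RSA]::Create(3072)   # recipient's key pair; the private half never leaves the recipient
$sender    = [RSA]::Create(3072)   # sender's key pair; the private half never leaves the sender

# Public halves only, as each party would pull them out of the other's certificate
$recipientPub = [RSA]::Create(); $recipientPub.ImportParameters($recipient.ExportParameters($false))
$senderPub    = [RSA]::Create(); $senderPub.ImportParameters($sender.ExportParameters($false))

# ---- Public key encryption, steps 1-6 (hybrid scheme) ----
# Step 2: bulk-encrypt the data with a fresh symmetric key (AES-256-GCM, which also authenticates the ciphertext)
$rng    = [RandomNumberGenerator]::Create()
$aesKey = [byte[]]::new(32); $rng.GetBytes($aesKey)
$nonce  = [byte[]]::new(12); $rng.GetBytes($nonce)
$cipherText = [byte[]]::new($data.Length)
$tag        = [byte[]]::new(16)
[AesGcm]::new($aesKey).Encrypt($nonce, $data, $cipherText, $tag, $null)

# Step 3: wrap the symmetric key with the recipient's public key (RSA-OAEP)
$wrappedKey = $recipientPub.Encrypt($aesKey, [RSAEncryptionPadding]::OaepSHA256)

# Step 4: what travels to the recipient is $wrappedKey, $nonce, $cipherText and $tag; never $aesKey itself

# Steps 5-6: the recipient unwraps the symmetric key with her private key, then decrypts the data
$unwrappedKey = $recipient.Decrypt($wrappedKey, [RSAEncryptionPadding]::OaepSHA256)
$plain = [byte[]]::new($cipherText.Length)
[AesGcm]::new($unwrappedKey).Decrypt($nonce, $cipherText, $tag, $plain, $null)
[Encoding]::UTF8.GetString($plain)

# ---- Digital signing, steps 1-5 ----
# Steps 1-2: SignData hashes the data with SHA-256 and signs the hash with the sender's private key
$signature = $sender.SignData($data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

# Steps 4-5: the recipient re-hashes the received data and checks it against the signature
$senderPub.VerifyData($data, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

# Flip one bit of the data: the recomputed hash no longer matches, so VerifyData reports failure
$altered = [byte[]]$data.Clone()
$altered[0] = $altered[0] -bxor 1
$senderPub.VerifyData($altered, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
```

Two points the step lists leave implicit: the nonce and authentication tag are part of what is sent (GCM needs both to decrypt), and the only reason the recipient can trust `$senderPub` in practice is that it arrived inside a certificate she validated against a trusted root.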


Lesson: Certificates and Certification Authorities

• What Is a Digital Certificate?

• What Are Certificate Extensions?

• What Is a Certification Authority?

• Certification Authority Hierarchies

• Roles in a Certification Authority Hierarchy

• What Are Trusted Root Certificates?

What Is a Digital Certificate?

A digital certificate:

• Binds a public key to the identity of a user, computer, or program
• Contains information about the issuer and the subject, including the validity period
• Is signed by a CA, which is what lets a relying party trust the binding without knowing the subject

What Are Certificate Extensions?

Certificate extensions:

• Provide additional information about the subject and about how the certificate may be used
• Are the version 3 additions to X.509: a v3 certificate carries the version 1 fields (subject, issuer, validity, public key) plus extensions such as Key Usage, Extended Key Usage, Subject Alternative Name and CRL Distribution Points


What Is a Certification Authority?

A certification authority:

• Verifies the identity of a certificate requestor; the mode of identification depends on the type of CA (an enterprise CA relies on the requestor's Active Directory account, a stand-alone or commercial CA on out-of-band checks)
• Issues certificates; the certificate template or the request itself determines the information in the certificate
• Manages certificate revocation; publishing a CRL lets relying parties reject revoked certificates, provided they actually retrieve and check it

Certification Authority Hierarchies

Type of hierarchy      Description
Root                   Enhances security and scalability; provides flexible administration; supports commercial CAs; supports most applications
Cross certification    Provides interoperability between businesses and between products; joins disparate PKI domains; assumes complete trust of the foreign CA hierarchy unless the cross-certificate is limited with name or policy constraints

Roles in a Certification Authority Hierarchy

• Root CA: self-signed trust anchor, normally kept offline and used only to sign subordinate CA certificates
• Policy CA: intermediate CA that defines the issuance policy its subordinates must follow
• Issuing CA: online CA that issues end-entity certificates to users and computers


What Are Trusted Root Certificates?

Root certificates are self-signed certificates that a CA issues to itself.

Trusted root certificates are:

• Root certificates designated as trustworthy
• Designated by adding them to a trusted root store; anything chaining to such a root is accepted, so every entry in the store is an act of trust

Sources that populate the trusted root stores on a Windows computer:

• Microsoft Root Certificate Program (delivered by automatic root update)
• AIA container in the Configuration NC
• Certification Authorities container in the Configuration NC
• Computer's Trusted Root CA store
• User's Trusted Root CA store

Demo : Identifying Trusted Root CAs

In this demo, you will:

• Identify trusted root stores

• Remove trusted root CAs that are not required
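The demo above, scripted: list every root the computer and the current user trust, flag the ones that are not on an allow-list, remove them with a dry run first, and look at the two Configuration NC containers that feed domain members' stores. This is an added example, not code from the deck; the allow-list thumbprints are placeholders, and the AD part needs the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example, not from the deck. Run elevated on the workstation being checked.
# Allow-list of root CA thumbprints the organization actually needs. The values are placeholders
# (assumption); replace them with the SHA-1 thumbprints of your own root CA and of the public roots
# your applications require.
$AllowedRootThumbprints = @(
    '0000000000000000000000000000000000000001'   # placeholder: internal enterprise root CA
    '0000000000000000000000000000000000000002'   # placeholder: public root required by a vendor product
)

function Get-UnexpectedRootCA {
    # Every certificate in the computer and user trusted root stores that is not on the allow-list.
    param([string[]]$Allowed)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $Allowed -notcontains $_.Thumbprint } |
            Select-Object @{ n = 'Store'; e = { $store } }, Thumbprint, Subject, NotAfter,
                          @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } }   # a root that is not self-signed is worth a second look
    }
}

$unexpected = Get-UnexpectedRootCA -Allowed $AllowedRootThumbprints
$unexpected | Format-Table -AutoSize

# Removal: review the list, then drop -WhatIf. A root that reappears after removal is being pushed
# from Active Directory or Group Policy and has to be removed at the source.
$unexpected | ForEach-Object { Remove-Item -Path ("{0}\{1}" -f $_.Store, $_.Thumbprint) -WhatIf }

# The two AD containers named on the slide. CA certificates published under "Certification Authorities"
# are added to domain members' trusted root stores; those under "AIA" go to the intermediate CA store.
$cfg = (Get-ADRootDSE).configurationNamingContext
foreach ($container in 'Certification Authorities', 'AIA') {
    Get-ADObject -SearchBase "CN=$container,CN=Public Key Services,CN=Services,$cfg" -SearchScope OneLevel -Filter * |
        Select-Object @{ n = 'Container'; e = { $container } }, Name, DistinguishedName
}
```

Two caveats when reading the output: roots from the Microsoft Root Certificate Program are fetched on demand by automatic root update, so a short local list does not mean few roots are trusted, and removing one of those locally is undone the next time a chain needs it unless automatic root update is disabled by policy.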

Lesson: Configuring Secure E-mail Messages

• Steps to Configure Secure E-mail Messages

• How to Create the Required Certificate Templates

• Steps for Configuring an Enterprise CA

• How to Deploy E-mail Certificates

• Configure Outlook 2002 for Secure E-mail Messages


Steps to Configure Secure E-mail Messages

1. Create certificate templates
2. Configure the enterprise CA to enable key recovery
3. Deploy the certificate using autoenrollment settings
4. Verify the Outlook configuration

How to Create the Required Certificate Templates

Template type: E-mail encryption
1. Create a certificate template based on Exchange User
2. In the new certificate template:
   • Choose a CSP that allows private key export
   • Enable archival of the private key (so a lost key can be recovered and old mail still read)
   • Enable strong private key protection
   • Publish the certificate in Active Directory
3. Enable autoenrollment

Template type: E-mail signing
1. Create a certificate template based on Exchange Signature Only
2. Enable strong private key protection
3. Publish the certificate in Active Directory
4. Enable autoenrollment

The signing template deliberately has neither export nor archival: the signing key must exist in exactly one place, or the signature no longer proves who signed.

Steps for Configuring an Enterprise CA

1. Enforce role separation
2. Define key recovery agents
3. Define certificate managers
4. Publish custom templates


How to Deploy E-mail Certificates

To deploy e-mail certificates:

1. Enforce high security for strong private key protection (the user sets a password that is required whenever the key is used)
2. Ensure that the certificate templates require user input during enrollment and when the private key is accessed
3. Define permissions for the certificate templates
4. Publish the new certificate templates at an enterprise CA
5. Enable autoenrollment settings for users in Group Policy

[Diagram: the CA issues each user an encryption certificate and a separate signing certificate]
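A check for the template and CA settings the three procedures above ask for, followed by the publishing and CA hardening steps. This is an added example, not part of the deck; the template names and the CA configuration string are assumptions, the bit values are the ones defined for `msPKI-Private-Key-Flag` and `flags` in MS-CRTD, and the certutil registry commands are meant to be run on the CA itself.

```powershell
# Added example, not from the deck. Needs the ActiveDirectory module and certutil.
# Template names and CA config string are assumptions.
$CAConfig     = 'CA01.contoso.example\Contoso Issuing CA'
$cfg          = (Get-ADRootDSE).configurationNamingContext
$TemplateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

# MS-CRTD bit values
$ARCHIVE_KEY   = 0x1    # msPKI-Private-Key-Flag: archive subject's encryption private key
$EXPORTABLE    = 0x10   # msPKI-Private-Key-Flag: allow private key to be exported
$STRONG_PROT   = 0x20   # msPKI-Private-Key-Flag: prompt the user and require input when the key is used
$PUBLISH_TO_DS = 0x8    # flags: publish certificate in Active Directory

function Test-EmailTemplate {
    # Reads the template object from AD and reports whether it matches the slide's requirements.
    param([string]$Name, [bool]$ExpectArchival)
    $t  = Get-ADObject -Identity "CN=$Name,$TemplateBase" -Properties 'msPKI-Private-Key-Flag', flags
    $pk = [int]$t.'msPKI-Private-Key-Flag'
    $archival = [bool]($pk -band $ARCHIVE_KEY)
    $strong   = [bool]($pk -band $STRONG_PROT)
    $publish  = [bool]([int]$t.flags -band $PUBLISH_TO_DS)
    [pscustomobject]@{
        Template      = $Name
        Archival      = $archival
        Exportable    = [bool]($pk -band $EXPORTABLE)
        StrongKeyProt = $strong
        PublishToAD   = $publish
        OK            = ($archival -eq $ExpectArchival) -and $strong -and $publish
    }
}

# The encryption template must archive (key recovery); the signing template must not, because a
# recoverable signing key lets someone other than the user sign as the user.
Test-EmailTemplate -Name 'ContosoEmailEncryption' -ExpectArchival $true
Test-EmailTemplate -Name 'ContosoEmailSigning'    -ExpectArchival $false

# Publish both templates at the enterprise CA
certutil -config $CAConfig -SetCATemplates +ContosoEmailEncryption +ContosoEmailSigning

# Role separation and full CA auditing; both take effect after certsvc restarts. With role separation on,
# any account that holds two CA roles (for example CA administrator and certificate manager) is locked
# out of every CA operation, so split the roles before enabling it.
certutil -config $CAConfig -setreg CA\RoleSeparationEnabled 1
certutil -config $CAConfig -setreg CA\AuditFilter 127

# Autoenrollment for users is a Group Policy setting (User Configuration > Policies > Windows Settings >
# Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment). On a client,
# AEPolicy = 7 means enabled, renew expired, update pending, remove revoked. Trigger a pass with -pulse.
Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment' -Name AEPolicy -ErrorAction SilentlyContinue
certutil -user -pulse
```

`certutil -v -template <name>` prints the same template attributes decoded, which is the quickest way to cross-check the bit arithmetic above against what the CA sees.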

Configure Outlook for Secure E-mail Messages

After installing the custom e-mail certificates, define these options:

Option                              Configuration choices
Signing and encryption certificates Any Secure Email certificate in the user's certificate store
Hash algorithm                      The slide ranks SHA1 as strongest and MD5 as weakest; both are now broken for signatures, so select SHA256 as the setup steps later in this deck do
Encryption algorithm                Strongest to weakest: AES, 3DES, RC2 (128-bit or 64-bit), DES, RC2 (40-bit); select AES (256-bit)
Outgoing e-mail default settings    Encrypt outgoing messages; sign outgoing messages; send plaintext (clear-signed) signed messages so recipients without S/MIME can still read them; request secure receipts for signed messages

Or you can buy e-mail certificates (prices as quoted in the 2018 deck):

Provider    Cost
Comodo      Free for personal use; from $12 for business use
Symantec    $19.95
GeoTrust    $19.95
CAcert      Free (the CAcert root is not in the Microsoft Root Certificate Program, so recipients must install it by hand before signatures verify)

Example of process

Requesting Cert (screenshot slides)


Verifying cert (screenshot slides)


Adding Cert to Outlook

The cert is now in the cert store. In Internet Explorer go to Internet Options ~ Content ~ Certificates ~ select the certificate and choose to export it to a PKCS #12 (.pfx) file, including the private key, and save the file in a place where you will keep it long term (not only on the machine the certificate lives on). Retain the backup password. This backs up the private key as well as the certificate, so the file is as sensitive as the key itself; the export only succeeds if the key was created as exportable.

Adding Cert to Outlook – continued

Open Outlook and navigate to Options ~ Trust Centre ~ Trust Centre Settings ~ Email Security ~ and Choose to import a Digital ID. Choose to import from the file you just backed up, using the email you supplied on the application form as the digital id, and the backup password. As part of this process you will be asked for a security policy level - choose medium if you can guarantee no-one else could use your account on your computer, high (and supply a password to be used whenever your certificate is requested) otherwise. Take a note of the password.



Adding Cert to Outlook – continued

In the same place in Outlook, look under the heading 'Encrypted email' for 'Default setting' and choose 'Settings'. If there is no existing default, you may need to create a new one by entering a settings name. Under 'Signing certificate' press the 'Choose' button and choose the certificate you just imported (if unsure, single-click a certificate and examine its properties; the e-mail address is under 'Issued to'). In the next setting choose SHA256 as the signing hash. Under 'Encryption certificate' press the 'Choose' button and choose the certificate you just imported, and select AES (256-bit) as the encryption algorithm.

OK out of all dialogs and restart Outlook
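The backup and restore clicks described above, done from PowerShell with the PKI module so they can be repeated on a rebuilt machine. This is an added example, not part of the deck; the output path is an assumption, and the certificate is picked by the Secure Email EKU rather than by name.

```powershell
# Added example, not from the deck. Path is an assumption; keep the PFX and its password apart from
# each other and away from the machine that holds the live key.
$PfxPath = "$env:USERPROFILE\Documents\secure-email-backup.pfx"

# Pick the certificate: must have a private key and the Secure Email EKU (OID 1.3.6.1.5.5.7.3.4).
# If several match, the one that expires last is the current one.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No secure-email certificate with a private key found in Cert:\CurrentUser\My' }
"Backing up $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Export certificate, chain and private key as PKCS #12. This fails for a key generated as
# non-exportable, which is why the encryption template chooses a CSP that allows export.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Verify the backup really contains that certificate (prompts for the password)
Get-PfxCertificate -FilePath $PfxPath | Select-Object Subject, Thumbprint, NotAfter

# Restore on another machine: import into the user's personal store, then point Outlook
# (Trust Centre > Email Security > Encrypted email > Settings) at the imported certificate as above.
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
```

Export the encryption certificate this way; for the signing certificate a backup is exactly what the signing template is designed to prevent, so if a signing key is lost the right fix is a new certificate, not a restore.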

Lesson: Recovering E-mail Private Keys

• How to Recover E-mail Private Keys

• Guidelines for Recovering E-mail Private Keys

How to Recover E-mail Private Keys

A. The certificate manager:
   1. Determines the KRA or KRAs
   2. Extracts the PKCS #7 blob

B. The KRA:
   1. Chooses the Key Recovery Tool
   2. Recovers the private key
   3. Securely transports the private key to the user

C. The user:
   1. Imports the recovered private key
   2. Reconfigures Outlook to use the private key


Guidelines for Recovering E-mail Private Keys

When recovering e-mail private keys:

• Separate the certificate manager and KRA roles, so that no single person can both extract the archived blob and decrypt it
• Revoke the certificate associated with a compromised private key before performing key recovery
• Prohibit the recovery of digital signature private keys; a signing key that can be recovered no longer supports nonrepudiation
• Minimize the number of CAs that perform key archival
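The three-party recovery flow and the guidelines above, as the certutil commands each party runs. This is an added example, not part of the deck; the CA configuration string, the user identity, the serial number and the file names are assumptions. Step A runs as a certificate manager, step B as the key recovery agent on a machine that holds the KRA's private key, step C as the user.

```powershell
# Added example, not from the deck. CA config, user, serial number and paths are assumptions.
$CAConfig = 'CA01.contoso.example\Contoso Issuing CA'

# Guideline: if the key is being recovered because it was compromised, revoke the certificate first.
# Syntax: certutil -revoke SerialNumber Reason, where reason 1 = KeyCompromise. Serial is a placeholder.
certutil -config $CAConfig -revoke 1a2b3c4d5e6f 1

# A. Certificate manager: find the archived key by UPN, e-mail address, common name or serial number and
#    extract it. -getkey writes a PKCS #7 blob encrypted to the KRA certificate(s), so the certificate
#    manager handles the blob without ever seeing the private key. Running the same command without an
#    output file only lists the matching archived keys and the KRA that can recover each one.
certutil -config $CAConfig -getkey 'alice@contoso.example' .\alice.recovery.blob

# B. KRA: decrypt the blob with the KRA private key and write a password-protected PFX. Only an encryption
#    certificate should ever reach this point; a signing template that archives keys is the
#    misconfiguration the guidelines warn about. The password ends up in shell history, so use a one-time
#    value and clear the history afterwards.
certutil -p 'OneTimePfxPassword' -recoverkey .\alice.recovery.blob .\alice.recovered.pfx

# Hand the PFX and the password to the user over two separate, authenticated channels, then delete the blob.
Remove-Item .\alice.recovery.blob

# C. User: import the recovered key, then re-select the certificate in Outlook
#    (Trust Centre > Email Security > Encrypted email > Settings).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-PfxCertificate -FilePath .\alice.recovered.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
```

Because the CA audit filter (see the CA configuration steps) records both the `-getkey` extraction and the recovery, the two halves of a recovery show up as two different accounts in the CA log, which is the evidence that role separation actually held.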

The Advanced, Persistent Threat

Information privacy is the most important security concern in the enterprise, outranking malware for the first time.

So how does this happen?

[Chart: percentage cause of data breach by country (US, DE, FR, DE, AU), split into system glitch, negligence and malicious attack. Source: Cost of Data Breach report, Ponemon Institute 2010]

Estimated sources of data breach (Global State of Information Security Survey, PriceWaterhouseCoopers 2010)

Likely source        2008   2009   2010
Current employee     34%    33%    32%
Former employee      16%    29%    23%
Hacker               28%    26%    31%
Customer              8%    10%    12%
Partner/Supplier      7%     8%    11%
Unknown              42%    39%    34%


So let's talk solution: info protection. What is it?

• Not sure what to put here, but I need to stage the idea that it's protection centric to the data itself, vs. perimeter and system protection

• Importance on IT vs. user, making it automatic, low-impact, etc.

• What we're going to talk about today are two enabling technologies, RMS and DAC, and we'll talk about each now.

Information Protection

Discover, protect and manage confidential data throughout your business with a comprehensive solution integrated into the platform and applications.

Protect everywhere, access anywhere
• Protect critical data wherever it goes
• Protect data wherever it resides
• Secure endpoints to reduce risk

Simplify security, manage compliance
• Simplify deployment and ongoing management
• Enable compliance with information security policy

Integrate and extend security
• Extend confidential communication to partners
• Built into the Windows platform and Microsoft applications

Persistent protection = encryption + policy (access permissions and use-right permissions that travel with the content)

AD Rights Management Services

• Provides identity-based protection for sensitive data
• Controls access to information across the information lifecycle
• Allows only authorized access based on a trusted identity
• Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content and the documents are encrypted
• Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

The usage policy is enforced by the RMS-aware application that opens the content; it stops forwarding, printing and editing inside that application, not a photograph of the screen or a retyped copy.


The AD RMS Process: Document Protection & Consumption

[Diagram: the flow between the information author, the AD RMS server and the recipient]

Data in Motion: Exchange and AD RMS Integration

• Exchange Server provides a single point in the organization to control the protection of e-mail messages

Automatic content-based privacy:
• Transport rule action to apply an AD RMS template to an e-mail message
• Transport rules support regex scanning of attachments in Exchange 2010
• Do Not Forward policy available out of the box
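The transport-rule integration described above, written for the Exchange Management Shell (Exchange 2010 or later). This is an added example, not part of the deck; the custom template name, the group address and the regular expression are assumptions.

```powershell
# Added example, not from the deck. Template name 'Contoso Confidential', the group address and the
# pattern are assumptions. Run in the Exchange Management Shell.

# Transport protection needs IRM licensing turned on in Exchange before any rule can apply a template
Set-IRMConfiguration -InternalLicensingEnabled $true

# Templates Exchange can see; 'Do Not Forward' is there out of the box
Get-RMSTemplate | Select-Object Name, Description

# Content-based rule: regex over subject and body. The pattern is a constructed example matching a
# 13-16 digit card-number shape, not a production PAN detector.
$panPattern = '\b(?:\d[ -]?){13,16}\b'
New-TransportRule -Name 'Protect card numbers in body' `
    -SubjectOrBodyMatchesPatterns $panPattern `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Attachment scanning is a separate condition. Conditions inside one rule are ANDed, so a rule listing
# both the body and the attachment pattern only fires when both match; use two rules.
New-TransportRule -Name 'Protect card numbers in attachments' `
    -AttachmentMatchesPatterns $panPattern `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Sender-based rule: mail from the finance group with "confidential" in the subject gets the
# organization's own template, which can grant more than Do Not Forward (view and print but not edit, say).
New-TransportRule -Name 'Finance confidential' `
    -FromMemberOf 'finance@contoso.example' `
    -SubjectContainsWords 'confidential' `
    -ApplyRightsProtectionTemplate 'Contoso Confidential'

Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, Priority, State, ApplyRightsProtectionTemplate -AutoSize
```

These rules only see what transport can read: a message the client already S/MIME-encrypted with the certificates from the first half of this deck is opaque to the regex conditions, so content scanning and end-to-end encryption have to be reconciled in policy rather than expected to coexist.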

Data at Rest: Integrating SharePoint with AD RMS

[Diagram: SharePoint document library protected through AD RMS]


Data at Rest: Generic File Protection Explorer

Dynamic Access Control 101

Four pillars: Classification, Access Control, Auditing, RMS Protection

Classify Information
1. Modify or create a file
2. Determine the classification, using the in-box content classifier or a 3rd-party classification plugin
3. Save the classification


Centralized Access to Files

USER CLAIMS      User.Department = Finance; User.Clearance = High
DEVICE CLAIMS    Device.Department = Finance; Device.Managed = True
FILE PROPERTIES  File.Department = Finance; File.Impact = High

ACCESS POLICY: For access to finance information that has high business impact, a user must be a finance department employee with a high security clearance, and be using a managed device registered with the finance department.

Components

Access Denied Remediation

Workflow

Access denied remediation provides a user access to a file when it has been initially denied:

1. The user attempts to read a file.

2. The server returns an “access denied” error message because the user has not been assigned the appropriate claims.

3. On a computer running Windows® 8, Windows retrieves the access information from the File Server Resource Manager on the file server and presents a message with the access remediation options, which may include a link for requesting access.

4. When the user has satisfied the access requirements (e.g. signs an NDA or provides other authentication) the user’s claims are updated and the user can access the file.

Auditing For Compliance And Analysis

Today:
• Audit is all or nothing
• No contextual information

Windows Server 2012:
• Expression-based auditing
• Audit resource attribute changes
• Enhanced audit entries include the context required for compliance and operational reporting

USER CLAIMS      User.Department = Finance; User.Clearance = High
DEVICE CLAIMS    Device.Department = Finance; Device.Managed = True
FILE PROPERTIES  File.Department = Finance; File.Impact = High

AUDIT POLICY: Audit success/fail if (File.Department == Finance) OR (File.Impact == High)


Protecting Sensitive Information

Dynamic Access Control allows sensitive information to be automatically protected using AD Rights Management Services

1. A classification rule is created to automatically apply RMS protection to any file that contains the word "confidential".

2. A user creates a file with the word "confidential" in the text and saves it.

3. The file classification engine on the file server, applying that classification rule, discovers the document containing the word "confidential" and initiates RMS protection accordingly.

4. The RMS template and encryption are applied to the document on the file server, so it is now both classified and encrypted.
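A small model of the evaluation the DAC slides describe: classification on first touch, a central access rule with a resource condition and a permission condition over user and device claims, a staged (proposed) condition evaluated alongside the current one, the audit predicate, and a remediation hint on denial. This is an added example, not code from the deck, and it is illustration code that runs anywhere rather than the Windows implementation (which lives in conditional ACEs created with the ActiveDirectory and FileServerResourceManager cmdlets). All users, devices and files below are constructed samples.

```powershell
# Added example, not from the deck. A model of DAC evaluation; constructed sample claims and files.
$users = @{
    alice = @{ Department = 'Finance'; Clearance = 'High' }
    bob   = @{ Department = 'Finance'; Clearance = 'Low'  }
    carol = @{ Department = 'Sales';   Clearance = 'High' }
}
$devices = @{
    'FIN-LT-01' = @{ Department = 'Finance'; Managed = $true  }
    'BYOD-42'   = @{ Department = 'Finance'; Managed = $false }
}
$files = @{
    'forecast.xlsx'  = @{ Department = 'Finance'; Impact = $null; RmsProtected = $false; Content = 'Q3 forecast. CONFIDENTIAL: do not distribute.' }
    'lunch-menu.txt' = @{ Department = 'Finance'; Impact = $null; RmsProtected = $false; Content = 'Tuesday: soup.' }
}

# Classification rule from the slide ("any file that contains the word confidential"), then automatic
# RMS protection of anything tagged High. Setting a flag stands in for applying the RMS template.
function Invoke-Classification([hashtable]$File) {
    $File.Impact = if ($File.Content -match '(?i)\bconfidential\b') { 'High' } else { 'Low' }
    $File.RmsProtected = ($File.Impact -eq 'High')
}

# Central access rule: the resource condition selects the files it governs; the permission condition
# over user and device claims decides access. The proposed condition is evaluated but not enforced,
# which is what "staging audits to simulate policy changes" on the next slide means.
$rule = @{
    Name      = 'Finance high impact'
    AppliesTo = { param($f)     $f.Department -eq 'Finance' -and $f.Impact -eq 'High' }
    Current   = { param($u, $d) $u.Department -eq 'Finance' -and $u.Clearance -eq 'High' -and
                                $d.Department -eq 'Finance' -and $d.Managed -eq $true }
    Proposed  = { param($u, $d) $u.Department -eq 'Finance' -and $u.Clearance -eq 'High' }
}
# Audit policy from the slide: success and failure for finance or high-impact files
$auditPolicy = { param($f) $f.Department -eq 'Finance' -or $f.Impact -eq 'High' }

function Test-CentralAccess([hashtable]$Rule, $u, $d, $f, [switch]$Staged) {
    # A rule that does not target this file imposes nothing; the NTFS ACL alone decides (modelled as allow).
    if (-not (& $Rule.AppliesTo $f)) { return $true }
    $condition = if ($Staged) { $Rule.Proposed } else { $Rule.Current }
    return [bool](& $condition $u $d)
}

function Test-Access([string]$User, [string]$Device, [string]$FileName) {
    $u = $users[$User]; $d = $devices[$Device]; $f = $files[$FileName]
    if ($null -eq $f.Impact) { Invoke-Classification $f }      # classify on first touch
    $allowed = Test-CentralAccess $rule $u $d $f
    $staged  = Test-CentralAccess $rule $u $d $f -Staged
    # Access denied remediation: name the missing claim instead of returning a bare "access denied"
    $remediation = ''
    if (-not $allowed) {
        $remediation = if (-not $d.Managed) { 'Use a managed finance device' }
                       elseif ($u.Department -ne 'Finance') { 'Request finance department membership' }
                       else { 'Request high clearance' }
    }
    [pscustomobject]@{
        User = $User; Device = $Device; File = $FileName; Impact = $f.Impact; Protected = $f.RmsProtected
        Allowed = $allowed; WouldChangeUnderProposed = ($allowed -ne $staged)
        Audited = [bool](& $auditPolicy $f); Remediation = $remediation
    }
}

@(
    @('alice', 'FIN-LT-01', 'forecast.xlsx'),
    @('alice', 'BYOD-42',   'forecast.xlsx'),
    @('bob',   'FIN-LT-01', 'forecast.xlsx'),
    @('carol', 'FIN-LT-01', 'forecast.xlsx'),
    @('alice', 'FIN-LT-01', 'lunch-menu.txt')
) | ForEach-Object { Test-Access -User $_[0] -Device $_[1] -FileName $_[2] } | Format-Table -AutoSize
```

The `WouldChangeUnderProposed` column is the value of staging: it shows that dropping the device requirement would let alice in from the unmanaged device while changing nothing for bob or carol, before anyone has edited a live policy. In the real system the same three ingredients are `New-ADClaimType`, `New-ADResourceProperty` and `New-ADCentralAccessRule` with a proposed permission set, plus an FSRM classification rule for the content match.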

Dynamic Access Control on File Servers

Classification
• File inherits classification tags from its parent folder
• Manual tagging by owner
• Automatic tagging
• Tagging by applications

Access Control
• Central access policies based on classification
• Expression-based access conditions for user claims, device claims, and file tags
• Access denied remediation

Auditing
• Central audit policies can be applied across multiple file servers
• Expression-based audits for user claims, device claims, and file tags
• Staging audits to simulate policy changes in a real environment

RMS Protection
• Automatic Rights Management Services (RMS) protection for Microsoft Office documents
• Near real-time protection when a file is tagged
• Extensibility for non-Office RMS protectors

Questions

Thank You

Jay Ferron

CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE,

MCT, MVP, NSA-IAM…

[email protected]

blog.mir.net

