Lecture 12, 20-771: Computer Security, Fall 2002 1
20-771: Computer Security
Lecture 12: Windows - Login
Robert Thibadeau
School of Computer Science
Carnegie Mellon University
Institute for eCommerce, Fall 2002
Today’s lecture
• Windows 2000 Access II
• File Encryption/Decryption
• Go to http://rack4.ulib.org/certsrv and get an email certificate. Send it to two people in the class to establish encrypted and signed email. One exam question:
• What did you have to do to get encrypted email to work with a few of your classmates?
This Week
• Read WS 12,13
More Windows Security
Password Week
Windows C-2 Security Model
It must be possible to control access to a resource by granting or denying access to individual users or named groups of users.
Memory must be protected so that its contents cannot be read after a process frees it. Similarly, a secure file system, such as NTFS, must protect deleted files from being read.
Users must identify themselves in a unique manner, such as by password, when they log on. All auditable actions must identify the user performing the action.
System administrators must be able to audit security-related events. However, access to the security-related events audit data must be limited to authorized administrators.
The system must be protected from external interference or tampering, such as modification of the running system or of system files stored on disk.
Windows 2000 IPAAA Model
[Diagram: Win 2000 Security. Labels: YOU!; username; password; certificate; kerberos; A User; User/groups; Rights, e.g., delegation; Web Visitor; Files & Other Objects; Web Site (IIS – IE5); Services (some other time); Other Machines; Active Directory DACLs for Authorization; Active Directory SACLs for Audit; Certs for Authentication; Certs for Integrity; Secure Network Privacy: SSL & IPSec; Internal Privacy: File Encryption]
One DESX Key, Many Certs
FILE OR DIRECTORY
• Administrator CERT / Public Key M: Symmetric/Private/DESX/Encrypt/Decrypt Key A
• UserQ CERT / Public Key Q: Symmetric/Private/DESX/Encrypt/Decrypt Key A
• UserR CERT / Public Key R: Symmetric/Private/DESX/Encrypt/Decrypt Key A
Some can be certs in Data Decryption Field or Data Recovery Field
File Encryption / Recovery Certificate
• The symmetric encrypting key is encrypted using the public key derived from your EFS certificate.
• The resulting encrypted data, along with your display name and a hash of the certificate, is stored in a named stream in the file that contains EFS metadata.
• When EFS decrypts a file, it uses your private key to decrypt the symmetric encrypting key. EFS then uses the symmetric key to decrypt the data.
Cipher utility
• Why would you want to encrypt an encrypted file? Try being administrator and user.
• Data Decryption Field (certs), and Data Recovery Field (certs)
• Encrypt a file as a user, and see if you can decrypt it as somebody else (who is the default recovery manager).
• Note: efsrecvr.exe is the Encrypted File System RECoVeR program you can use. You can also do this by right-clicking and using the security properties, owner.
Cert (X.509) EFS Solution
• Many certs can hide the SAME private/ symmetric/ session FEK (file encryption/decryption key) for a file.
• These certs are SPECIAL FILE ENCRYPTION CERTS (using the user’s private/public key)
• http://support.microsoft.com/support/kb/articles/Q273/8/56.ASP
• The file can have several Data Decryption Field entries, one for each CERT that belongs to a user.
• The file can have several recovery agents, one for each CERT that belongs to a recovery agent user.
Exam: What is a security association?
IPSec Classic Network Attacks
• Snooping
• Spoofing (TCP sequence numbers)
• Password Compromise
• Denial of Service Attacks (DoS)
– TCP SYN : open tons of TCP connections
– SMURF : drown with ping
– Teardrop : fragmentation reassembly
– Ping of Death : fake fragmentation parameters
• Man-in-the-middle Attacks
• Application-Level Attacks
• Key Compromise
IPSec is End to End
IPAxx
• Client – to – Client
– Transport Mode
– One Authenticates but doesn’t encrypt
– One Authenticates and Encrypts
• Gateway – to – Gateway
– Tunnel Mode (client to client is encapsulated)
– Authenticates, Encrypts, and also hides source and destination!
IPSec Detail
• Authentication Header (AH)
• Encapsulating Security Protocol (ESP)
• Orig IP Header + AH + TCP + DATA (transport mode)
– Authenticates whole packet
• Orig IP Header + ESP Header + TCP + DATA + ESP Trailer + ESP Authentication (transport mode)
– Authenticates whole ESP but not IP Header
– Encrypts TCP to ESP Trailer
• New IP Header + ESP Header + Orig IP Header + TCP + DATA + ESP Trailer + ESP Authentication
– Authenticates whole ESP but not IP Header
– Encrypts Original IP header to ESP Trailer
Denial of Service Protection
• A counter … (ignore repeats)
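The counter on this slide is the sequence number that AH and ESP carry in every packet: the receiver keeps a sliding window over it and ignores repeats. The sketch below is an added example, not code from the lecture or from any IPSec implementation; the class name, the 4-packet demo window and the packet stream are constructed for illustration.

```python
# Added illustration: receiver-side anti-replay check for the AH/ESP
# sequence-number counter. All names and sizes here are assumptions.


class AntiReplayWindow:
    """Sliding window over the per-association sequence number."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already accepted

    def classify(self, seq):
        """Classify a sequence number without changing any state."""
        if seq < 1:
            return "invalid"              # the counter starts at 1
        if seq > self.highest:
            return "ahead"
        offset = self.highest - seq
        if offset >= self.size:
            return "too-old"              # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"
        return "in-window"                # late but not yet seen

    def accept(self, seq, integrity_ok):
        """Return True if the packet should be delivered.

        The window moves only after the AH/ESP authentication check passes,
        so a forged packet with a huge counter cannot push genuine traffic
        out of the window (which would itself be a denial of service).
        """
        verdict = self.classify(seq)
        if verdict in ("invalid", "too-old", "replay"):
            return False                  # cheap reject before any crypto
        if not integrity_ok:
            return False                  # forged: leave the window untouched
        if verdict == "ahead":
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True


def run_constructed_stream():
    """Feed a constructed stream of (sequence number, integrity result)."""
    window = AntiReplayWindow(size=4)     # tiny window so aging is visible
    stream = [(1, True), (2, True), (2, True), (5, True), (3, True),
              (1, True), (900, False), (6, True), (5, True)]
    return [window.accept(seq, ok) for seq, ok in stream]


if __name__ == "__main__":
    print(run_constructed_stream())
```

Repeats and packets older than the window are dropped before the integrity check is computed, which is what makes the counter useful against flooding with captured traffic.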
Business of Security
• Guarding what’s Yours
• Sustainable Business Models
– Product
– Service
• Technology
• Policy
Online Shopping Is The Key Appeal
[Chart: appeal of functions of new PC security technology. Legend: very appealing function, fairly appealing function. Categories: Securely shop online, Securely store PINs, Share info w/friends, Secure chat groups, Pay-per-use services. Values shown: 66%, 63%, 54%, 26%, 26%.]
Consumers Are Willing To Pay Fair Price For A Trusted PC
[Chart: interest in adding security technology to a new computer, by price. Legend: definitely interested, probably interested. If it costs: $25, $50, $75, $100, $200. Values shown: 84%, 71%, 57%, 49%, 34%.]
Windows Authorization
Features of Win 2000
• Multiple methods of authenticating internal and external users
• Protection of files through easy to use encryption
• Protection across network through transparent encryption
• Per-property access control for objects (many more detailed uses than read, write, and execute)
• Smart card support for authentication and hiding private keys
• Transitive trust relationships between domains
• Public Key Infrastructure (PKI – Certs handled transparently).
• Code itself is routinely authenticated as to its source using PKI.
Windows Authentication
• One, Two, Three Factor Authentication
1. What you know (Password)
2. What you have (Token)
3. Who you are (Biometric)
“PASSWORD CONTROL WEEK”
Kerberos
• Why Kerberos?
• How does Kerberos work
• what interdomain “trust” means
Windows 2000 IPAAA Model
[Diagram: Win 2000 Security. Labels: YOU!; username; password; certificate; kerberos; A User; User/groups; Rights, e.g., delegation; Web Visitor; Files & Other Objects; Web Site (IIS – IE5); Services (some other time); Other Machines; Active Directory DACLs for Authorization; Active Directory SACLs for Audit; Certs for Authentication; Certs for Integrity; Secure Network Privacy: SSL & IPSec; Internal Privacy: File Encryption]
Authentication Methods
• Dialup (see MSDN for detail)
– Distributed Password Authentication (DPA)
– Extensible Authentication Protocol (EAP) (RFC 2284, PPP)
– Secure Channel (Schannel) X.509
» SSL, TLS
• Network
– Windows NT LAN Manager (NTLM)
» Windows “Challenge Response”
– Just didn’t work LAN/WAN-wise
» Standalone Professional/Server 2000
– Kerberos v5 (MIT, Athena Project)
W2000 Security Services
[Diagram. Labels: Domain Logon/Kerberos Computer; Cert Services Computer; Active Directory; Client Computer; Domain Admin/Server Computer; Security Management]
Weak Link in Authentication
[Diagram. Labels: YOU; Username/Password; Authentication Agent; Resource Access; Type In; Obtains; Securely Obtains; Securely Delivers; Assigns; Password Attacker; Sniffer; KERBEROS]
WS 10. Web (HTTP) Access Control
Safe/Dangerous?
[Diagram. Labels: YOU; Username/Password; Authentication Agent; Resource Access; Type In; Obtains; Securely Obtains (twice); Securely Delivers; Assigns; Password Attacker; Sniffer; KERBEROS; SSL (twice)]
W2000 Security Services
[Diagram. Labels: Domain Logon/Kerberos Computer; Cert Services Computer; Active Directory; Client Computer; Domain Admin/Server Computer; Security Management; HTTP Computer]
Why Kerberos (W2000)
• Standard includes Unix (NTLM is proprietary)
– RFC 1510, 1964
• Authentication is by credentials (doesn’t require consulting the resource)
• Authenticates both Kerberos (permission) server and user client
• Basis for Transitive Trust Relationships (via a shared interrealm – interdomain – key)
• Kerberos was not RSA, now it is…to solve password problem with Smart Cards – we’ll deal with the basic Kerberos model – RSA enhancements are pretty obvious
Why Kerberos (Kerberos)
• Rely on each login session to assure identity of user and rely on each resource (ACLs) to grant access.
– Problem: user may gain access to workstation and pretend to be somebody else
– May alter IP address to look like somebody
– May eavesdrop and use replay
• Require user to prove identity for each service invoked and require servers to prove identity to clients. KERBEROS
Kerberos Crypto
• Private (symmetric) Key -> DES
• Authentication
– Uses time stamp and shared secret
» Avoids replay attack (nonce also used)
» Man in the middle a problem
– Means if your machine has the wrong time, authentication doesn’t work!
– Get “Atomtime” (MS should have done this!)
Kerberos Authenticator Field
Name of Field | Contents
Authenticator Version | 5
Client Realm/Domain | Name
Client Name | Name
Checksum | CKS whole data
CUSEC | Msec time
Client Time | Client Time
Subkey | Alternate Key (Private)
Sequence Number | Opt. Number
Auth Data | Auth Applications
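How a service can use the authenticator's client name, client time and CUSEC fields to reject replays and stale requests, and why a wrong clock breaks authentication. This is an added example, not code from the lecture or from any Kerberos implementation: an HMAC tag stands in for encrypting the authenticator under the session key, and MAX_SKEW, the principal names and the timestamps are constructed values.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds of tolerated clock difference; assumed policy value


def seal(session_key, fields):
    """Stand-in for 'encrypt under the session key': serialise and MAC."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(session_key, body, hashlib.sha256).hexdigest()
    return body, tag


def make_authenticator(session_key, realm, name, ctime, cusec):
    """Client side: bind identity to the client's current time."""
    return seal(session_key, {"crealm": realm, "cname": name,
                              "ctime": ctime, "cusec": cusec})


class ServiceVerifier:
    """Server side: holds the session key and client name taken from the ticket."""

    def __init__(self, session_key, ticket_client):
        self.session_key = session_key
        self.ticket_client = ticket_client      # (realm, name) from the ticket
        self.replay_cache = set()

    def verify(self, body, tag, now):
        expected = hmac.new(self.session_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-integrity"              # not made with the session key
        auth = json.loads(body)
        if (auth["crealm"], auth["cname"]) != self.ticket_client:
            return "name-mismatch"              # authenticator and ticket disagree
        if abs(now - auth["ctime"]) > MAX_SKEW:
            return "clock-skew"                 # stale capture or wrong clock
        entry = (auth["crealm"], auth["cname"], auth["ctime"], auth["cusec"])
        if entry in self.replay_cache:
            return "replay"
        # Entries older than the skew window can be forgotten: the time
        # check above already rejects them.
        self.replay_cache = {e for e in self.replay_cache
                             if abs(now - e[2]) <= MAX_SKEW}
        self.replay_cache.add(entry)
        return "ok"


def run_constructed_session():
    key = b"constructed-session-key"
    t0 = 1_000_000                              # constructed server time
    svc = ServiceVerifier(key, ("EXAMPLE.TEST", "alice"))
    fresh = make_authenticator(key, "EXAMPLE.TEST", "alice", t0, 123456)
    slow_clock = make_authenticator(key, "EXAMPLE.TEST", "alice", t0 - 3600, 1)
    other = make_authenticator(key, "EXAMPLE.TEST", "mallory", t0, 2)
    forged = (fresh[0], "0" * 64)
    return [
        svc.verify(*fresh, now=t0 + 2),         # first use
        svc.verify(*fresh, now=t0 + 3),         # captured and resent at once
        svc.verify(*slow_clock, now=t0 + 5),    # client clock an hour behind
        svc.verify(*other, now=t0 + 5),         # name differs from the ticket
        svc.verify(*forged, now=t0 + 5),        # tag not made with the key
        svc.verify(*fresh, now=t0 + 1000),      # resent after the skew window
    ]


if __name__ == "__main__":
    print(run_constructed_session())
```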
Kerberos is REALLY complicated!
• Uses DES, symmetric Private Keys : Not Public Key – makes things complicated!
– You have to hide the private keys
– Every message needs an often different private key
– A LOT of the complication has to do with trying to let you login once while keeping you secure against replay.
– TICKETS
• Requires separate secure distribution of common private keys
– For user: a username/password ARGH!
– For services: physical distribution (OK)
• Possibly Best Detailed Treatment is Stallings “Cryptography and Network Security” or Schneier “Applied Cryptography”
More Kerberos Jargon
• Kerberos Distribution Server (KDC)
– Hides all secret keys!
• Principal – anybody/anything
– Rht.user
– Rht.root
– Rht.ftp
• Realm (Domain)
• Long-term key, login session key (long term gets login session)
Other Realms/Domains
Server (e.g., ftp, local system)
Client Computer
Authentication Server (AS)
Ticket Granting Server (TGS)
1. User Logs on JUST USERNAME / request service on host
2. AS verifies user access rights /Creates TGT and Session Key, encrypts with user password
3. User password to decrypt /Sends ticket and authenticator
4. TGS decrypts ticket and authenticator /Create ticket for requested server
5. Send ticket and authenticator
6. Server verifies ticket and authenticator match/Server can return an authenticator for itself.
ONCE PER LOGON SESSION
ONCE PER TYPE OF SERVICE
ONCE PER SERVICE SESSION
Other Realms/Domains
Server (e.g., ftp, local system)
Client Computer
Authentication Server (AS)
Ticket Granting Server (TGS)
1. User Logs on JUST USERNAME / request service on host
2. AS verifies user access rights /Creates TGT and Session Key, encrypts with user password
3. User password to decrypt /Sends ticket and authenticator
4. TGS decrypts ticket and authenticator /Create ticket for requested server
5. Send ticket and authenticator
6. Server verifies ticket and authenticator match/Server can return an authenticator for itself.
Shared Secret is Password
Shared Secret in TGT
Shared Secret in Ticket
Shared Secret with Service
Shared Secret with other Realm
Kerberos Private DES Keys
• Username/password -> generates private key
– Other Kerberos Principal Keys
• Server Authentication Keys
• Login Session Keys
• Shared Application Service Keys
• Ticket Granting Service Key
• Code has to know what kind of message it is getting to know what private key to use.
Kerberos Across Realm Authentication
• Across Domain
• Authenticates a Principal
• Shared “interrealm” key
• Steps
1. User logs into realm 1
2. AS in realm 1 sends TGT to user
3. Requests of realm 1 TGS the session ticket in Realm 2
4. Realm 1 TGS sends client a “referral ticket”
5. User sends referral to TGS in Realm 2
6. Realm 2 TGS sends session ticket for server in Realm 2
7. Done!
What is “Trust”?
• You bring up the security panel on object.
• You allow someone read/write/modify/etc access to object.
• With trust you can allow someone/some-group in another DOMAIN to have access.
the SID is permitted in the object’s ACE/ACL
• End of story.
• At DOMAIN controller I can turn on or off trust relationships (availability to see the domains in the security settings) with other DOMAINS.
• …underneath is KERBEROS AND PKI!
Break!
Core Password Technology
• One way hash into a code (e.g., MD5, SHA, crypt)
– Hashes are good enough that nobody tries to crack them since it is probably not necessary
– Even administrator cannot read the password
– W2000 Permits decryptable passwords as an option!
• Use a match on the code to give access
– Dictionary Attacks are the way to go!
– Administrator can get access independently
– Guess of password can get access independently
• Use a match on the code to authenticate you.
– Guess of password can look like you
Password Length
• 1 character 4 0.1%
• 2 characters 5 0.2%
• 3 characters 66 2.0%
• 4 characters 188 5.7%
• 5 characters 317 9.5%
• 6 characters 1160 34.7%
• 7 characters 813 24.4%
• 8 characters 780 23.4%
Password Guessing Report
Type of Password | Size of Dictionary | Duplicates Eliminated | Search Size | # of Matches | Pct. of Total | Cost/Benefit Ratio*
User/account name** | 130 | - | 130 | 368 | 2.70% | 2.83
Character sequences | 866 | 0 | 866 | 22 | 0.20% | 0.025
Numbers | 450 | 23 | 427 | 9 | 0.10% | 0.021
Chinese*** | 398 | 6 | 392 | 56 | 0.40% | 0.143
Place names | 665 | 37 | 628 | 82 | 0.60% | 0.131
Common names | 2268 | 29 | 2239 | 548 | 4.00% | 0.245
Female names | 4955 | 675 | 4280 | 161 | 1.20% | 0.038
Male names | 3901 | 1035 | 2866 | 140 | 1.00% | 0.049
Uncommon names | 5559 | 604 | 4955 | 130 | 0.90% | 0.026
Myths & legends | 1357 | 111 | 1246 | 66 | 0.50% | 0.053
Shakespearean | 650 | 177 | 473 | 11 | 0.10% | 0.023
Sports terms | 247 | 9 | 238 | 32 | 0.20% | 0.134
Science fiction | 772 | 81 | 691 | 59 | 0.40% | 0.085
Movies and actors | 118 | 19 | 99 | 12 | 0.10% | 0.121
Cartoons | 133 | 41 | 92 | 9 | 0.10% | 0.098
Famous people | 509 | 219 | 290 | 55 | 0.40% | 0.19
Phrases and patterns | 998 | 65 | 933 | 253 | 1.80% | 0.271
Surnames | 160 | 127 | 33 | 9 | 0.10% | 0.273
Biology | 59 | 1 | 58 | 1 | 0.00% | 0.017
/usr/dict/words | 24474 | 4791 | 19683 | 1027 | 7.40% | 0.052
Machine names | 12983 | 3965 | 9018 | 132 | 1.00% | 0.015
Mnemonics | 14 | 0 | 14 | 2 | 0.00% | 0.143
King James bible | 13062 | 5537 | 7525 | 83 | 0.60% | 0.011
Miscellaneous words | 8146 | 4934 | 3212 | 54 | 0.40% | 0.017
Yiddish words | 69 | 13 | 56 | 0 | 0.00% | 0
Asteroids | 3459 | 1052 | 2407 | 19 | 0.10% | 0.007
Total | 86280 | 23553 | 62727 | 3340 | 24.20% | 0.053
Passwords cracked from a sample set of 13,797 accounts
Dan Klein, SEI, 1992
Dan Klein Article
• http://www.klein.com/dvk/publications/passwd.pdf
• http://yuan.ecom.cmu.edu/security02/passwordsactual.htm
www.authenticator.com
• Shows Good Passwords
• Random Generation
• Password Changing Regimens
• Problems
– Impossible to remember
• Best Login
– Amazon : email and password
– Problem : easy to impersonate
Methods to keep track of passwords
• anagrams: “the flock of 7 geese flew 3 miles” -> “tfo7Gf3m”
• cycles : if it was, then now it should be …
• download software that does password management – some examples
– http://www.ijen.net/passman.htm
– http://www.execpc.com/~sbd/PassKeep.html
– http://www.keyscreen.com/KeyScreen(s)4/passpls.htm
– http://www.m-tech.ab.ca/index.html
Win 2000
• Remote administration is very strong
• If you can crack it (using older versions of Windows, Unix, Macs on the Network), you may gain access to the strong system
• Result, you can suck the blood out without getting caught (e.g., you can completely encrypt data on the disk that only you can see!).
• Problem: Passwords can be guessed
• Problem: In RAM things are NOT PROTECTED! This is for Windows 2004.
WS 9. Configuring Win NT Web Server
• Know how to set one up (what to expect from IIS)
• Windows 2000 is IIS 5
• Security Scanner http://security1.norton.com
IIS
• Microsoft Internet Information Server
– Like Apache and all others Has Own Layer of Authorization and Authentication
– Apache is completely separate (see .htaccess)
– IIS is/can be completely integrated into the Domain
» Including trust among domains
• Front Page
– Yet another access/authorization layer permitting authoring but no other access in domain
– Careful! FP uses “.htaccess” type files peppered around the active directory giving FP access (not integrated into the ACLs!)
– DO NOT APPLY GLOBAL ACCESS CHANGES ON FP DIRECTORIES WITHOUT USING FP! (You may need a special FP administration tool to re-set all the access controls).
IIS
• Standard HTTP Server
– Can basically behave exactly like one that utilizes all the features of HTTP and related protocols (e.g., SSL, CGI, virtual hosting).
– Very easy to manage (right click and look).
– Since users/groups in and between domains are the same as in Active Directory, use “security” (not sharing) to set up Web Access.
– Creating the user “WebServer” for the web server (p. 230 Stein) is probably still good. Note this is the creator-owner of the server and has to have local login rights.
Access Rights
Group | Admin Tools | Logs | Scripts | Documents
Web Masters | R | R | RW | RW
Web Developers | - | - | RW | RW
Web Authors | - | - | R | RW
Guests | - | - | R | R
Don’t make yourself a web author and web master – you’ll wind up being a web author!
Web Access Control
• Basic Access
– Response to 401
– Send Base64 MIME plaintext username and password!
– This is in the clear unless SSL protected!
• Digest Authentication
– Server sends “nonce”
– Client sends MD5 password
» Put digest, url, nonce inside digest to give integrity
– Server checks hashed password, not the plaintext password
– Replay attack fails (except for the page in question).
• NT Challenge-Response (same as NTLM)
• IE 5.0 and IIS5 incorporate good security together.
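Basic and Digest side by side, showing what an observer without SSL sees in each case and where a captured Digest response does and does not replay. This is an added example, not code from the lecture or from IIS; it uses the plain MD5(HA1:nonce:HA2) form of Digest, and the realm, user, password and URLs are constructed values.

```python
import base64
import hashlib
import hmac
import secrets


def md5_hex(text):
    # MD5 is used because it is what Digest authentication specifies.
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Client side of Basic: Base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def observe_basic(header):
    """What anyone on the wire recovers from a Basic header without SSL."""
    encoded = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """Client side of Digest: hash of credentials, URL and server nonce."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        # The server keeps the hashed credential, not the plaintext password.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def expire(self, nonce):
        self.live_nonces.discard(nonce)

    def verify(self, user, method, uri, nonce, response):
        if user not in self.ha1 or nonce not in self.live_nonces:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)


def run_constructed_exchange():
    server = DigestServer("example.test", {"alice": "correct horse"})
    nonce = server.challenge()
    page = "/reports/q3.html"
    resp = digest_response("alice", "example.test", "correct horse",
                           "GET", page, nonce)
    results = {
        "basic_leaks": observe_basic(basic_header("alice", "correct horse")),
        "password_on_wire": "correct horse" in resp,
        "legit": server.verify("alice", "GET", page, nonce, resp),
        # The slide's exception: same page, nonce still live.
        "replay_same_page": server.verify("alice", "GET", page, nonce, resp),
        # The URL is inside the digest, so the capture is useless elsewhere.
        "replay_other_page": server.verify("alice", "GET", "/admin/", nonce, resp),
    }
    server.expire(nonce)
    results["replay_after_expiry"] = server.verify("alice", "GET", page, nonce, resp)
    return results


if __name__ == "__main__":
    for name, value in run_constructed_exchange().items():
        print(name, value)
```

Expiring nonces quickly narrows the same-page replay case; Basic stays recoverable by any observer unless the connection is SSL protected.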
WS 10. Web Access Control
• Apache has a separate user/group system layered on top of Unix.
• IIS uses the user/group access system built into the MS Windows OS.
• Principles of these systems are largely universal. Always do a security check out to “tighten down” access as much as possible
– Lincoln Stein is right : define special, highly limited, groups if you expose parts of your machine to the Internet.
Smart Card
• ISO 7816
– Not OK for software/reader/writer interface
• PC/SC Workgroup
– www.pcworkgroup.com
– www.microsoft.com/security/tech/smartcards ->
– http://www.microsoft.com/technet/security/smcdtech.asp
• Dumb and Smart
– Dumb : Just store info (deprecated)
» Useful in facility security but can be counterfeited easily
– Smart (ICC): have a processor, can hide a private key,
» These can act as full crypto service providers
» Very very hard to counterfeit (if actually possible)
ICC Smart Cards
• Really secure!
• Two Factor Authentication
• Both a password (PIN) and an RSA Key
– Three password tries and you are out
– Administrator
» Three password tries and he is out
– Six Tries and you have a dead card
• Even a “smart card reader sniffer” can’t sniff the private key operation
• BUT IT CAN SNIFF THE PASSWORD (PIN)!!!
• Sniff the guy, steal his card. You’re In.
• Phoenix Technologies : Device Responsibility to Guard Keyboard Sniffers
Typical Smart Card Operation
Smart Card
System Gets Public Key From Its Store Or Smart Card Store
System Generates Nonce/Challenge For Smart Card
Smart Card Demonstrates it Knows Secret Private Key by Encrypting Nonce
System Uses Public Key to Prove Smart Card is Who it Says it is.
Smart Card Waits to Hear its PIN to Start Talking
System
Smart Card can Manufacture Certs for System as Requested
Windows Core Security
Encryption and Cert Based Access Control
• Cert is basically
1. Housekeeping: Some plain text about the version of X.509, the cryptosuites being used, and a certificate number
2. Some plain text information about the owner
3. A plain text date to start and a date to expire
4. A plain text public key which is the owner’s public key
5. Some extra plain text … whatever you want
– Different certificate types define different fields here
6. A signed hash of the above stuff
Cert 101
• The Cert is not encrypted but is encoded (the only thing that is “encrypted” is the hash – This is technically called “signed”)
• The signed hash can be
– Self signed – the public key will immediately open the hash allowing you to verify the text is right.
– CA signed – a CA public key (and possibly your public key in succession) will open it. This verifies that you are you and the CA verifies you are you.
Certificate Formats
• PKCS10 : Format for a requestor : this is what we have shown you.
• PKCS7 : Format for a signed certificate
• PKCS is at www.rsa.com/rsalabs/pkcs
PKCS-7 Signing
1. For each signer, a message digest is computed on the content (H(M1))
2. For each signer, the message digest and associated information are encrypted with the signer’s private key (E(H(M1)+M2)).
3. For each signer, the encrypted message digest and other signer-specific information are turned into a certificate (C(E(H(M1)+M2)+M3)).
4. All the certificates are rolled up into a “Signed Data” sequence:
– Info + certificates + certificate revocations
– A<<B>>B<<C>>C<<D>>
– Public Key A (from CA) gives you your public key D.
EFS (Encrypted File System)
• A PKCS-7 can have info that can be used to send a message to a user agent to verify that he left the certificate.
• It can hide a symmetric key encrypted with the public key of the user.
Minor Technicalities
• It isn’t all X.509v3 (but, really, it is)
• The use of the certificate defines the content. Any issuing authority can issue different kinds of certificates and these are not always compatible.
• However, the principle is universal
– Sign the hash with your private key to prove it’s you.
– Distribute a public key
– You might encrypt the public key or other information as is the case with the successive unfolding of a sequence of certificates.
– X.509v3 allows for recursive signing but it isn’t used.
Using Certs
• I can prove you are you
– Smart Cards are really strong!
– They don’t really need a CA!
» Register the smart card with the machine.
» It is absolutely unique and can’t be counterfeited!
• Other CA opportunities
– What happened to Notaries???!!!!????
– Wouldn’t it be nice if you could walk down the hall and the exec secretary could be the legally recognized CA?
– Notaries are trained, etc.
• Alternate CA rules
– Are there other ways to prove you are who you say you are.
– To prove this software or data is who it says it is
» A master server on the net that can automatically sign anything given to it.
» The date/time/name become the master object itself.
Using Certs 2 : Non-repudiable Agreements
• Certs (typically two) can represent an agreement.
• Here is the text of the agreement
• Here is the date and time of the agreement
• Here is your signed digest of the content.
• Here is my signed digest of the content.
• We both have copies.
• Now, you say you didn’t agree, but I bring out your signed certificate to prove you did.
• Now, I say I didn’t agree, but you bring out my signed certificate to prove that I did.
• The proof is irrefutable. I could not manufacture your certificate.
Using Certs 3 : Anonymizing
• A different use of certs.
• I won’t tell you who I am.
• I just give you a signed authorization to spend $200 or to log into the computer as John Smith.
• The signer guarantees or vouches for me.
• The X.509v3 lets you do this.
Privacy Services
[Diagram. Labels: Policy; LOG; Personal Information; CONTROL; AUDIT PROCESS; CERTIFICATION; ENFORCEMENT; RECOURSE; AGENT INTERACTION; VALIDATION; NEGOTIATION; USAGE; INDIVIDUAL ACCESS]
Anonymizing Smart Cards
• A smart card that can sign for an authority and also sign for an individual.
• This could be a recursive sign
– This way the authority cannot be held responsible unless he knows the person who put him at risk.
• Alternatively, a third party anonymizer that provides the anonymous certificate (this is a valuable web site…stopped before Sept 21, 2000 by RSA!).
Anonymous Smart Cards
• Anonymous Certs could provide special mailing information
– “Contact me at [email protected]”
– It could provide anonymous profiling
» “I am 50 years old. White. Worth X dollars”, send mail to me at [email protected], but you can’t find out who I really am.
» Microsoft Smart Cards, Inc., will attest to this.
Agents
• Converse side of CA
• You sign to give your agent rights
• The agent can now bind you
Certs on/from Objects
• EFS:
– Prove the owner has the right. User object has to decrypt the symmetric key that decrypts the object.
• Authenticode:
– Prove the code is the code because the cert on it hashes the code to prove its integrity and the hash is signed to prove that it came from who it is said to be from.
– You have to “trust Microsoft Corporation”
» This means that the certificate simply said “Microsoft Corporation, Inc.” but what if it had said “Microsoft Inc.” (of Zimbabwe, Africa)?
PKI works with two mechanisms
• Using the CA public key to unfold [the signing] to your public key (typically, the CA signs your PK cert).
– He vouches for you in a way that cannot be denied
– Key compromise
» Key revocation is a problem
• A file or resource has access granted by the demonstration that the requestor can privately encode that the resource can publicly decode (or that the resource can publicly encode that the requestor can privately decode).
– You can have MORE than one PK on a file or resource
– Example was revocation list
– User (not group) is an owner of a private/public key
– Can let Windows Base Crypto Services or Smart Card.