PKI-Enabled Applications That work!

Date post: 10-Jan-2016
Transcript
Page 1: PKI-Enabled Applications That work!

PKI-Enabled Applications That work!

Linda Pruss, Office of Campus Information Security

[email protected]

Page 2: PKI-Enabled Applications That work!

Projects

• Strong VPN Authentication
– Administrator access to restricted data networks via VPN

• Laptop/desktop full disk encryption
– Data encryption for computers storing restricted data … the “lost” laptop problem

Page 3: PKI-Enabled Applications That work!

Strong VPN AuthN

• Passwords do not provide an adequate degree of safety for systems that process or store data elements defined as restricted.

• Passwords, while easy to use, are vulnerable to a wide variety of attacks and weaknesses, including guessing, impersonation, observing, borrowing, snooping and dictionary attacks.

Page 4: PKI-Enabled Applications That work!

Strong VPN AuthN

• UW Madison adopted a modified version of the PCI DSS v1.1 as the required security controls target for systems containing restricted data.

• PCI DSS 8.3 “Implement two factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as VPN with individual certificates”

Page 5: PKI-Enabled Applications That work!

Strong VPN AuthN

• UW Madison adopted a modified version of NIST 800-63 as best practice.

• Authentication Level of Assurance 3 (LOA3) should be used for people who have access to restricted data.
– LOA3 requires two-factor authentication
– Can be achieved with either soft or hard tokens

Page 6: PKI-Enabled Applications That work!

Strong VPN AuthN

• How to get beyond simple passwords?
– Do it ourselves first
• Administrators and DBAs

• How to accomplish two-factor authentication?
– One-time passwords (à la RSA SecurID)
– X.509 certificate authentication

Page 7: PKI-Enabled Applications That work!

Strong VPN AuthN

• Already had existing PKI infrastructure
– Mostly used for S/MIME
– No infrastructure for one-time passwords

• With the VPN approach there is no need to re-configure individual servers and other network devices.

• Many VPNs (Cisco) are PKI-capable

Page 8: PKI-Enabled Applications That work!

Strong VPN AuthN

• Do-able
– Admins
– Limited and known population
• Eases identity proofing while we shore up infrastructure

Page 9: PKI-Enabled Applications That work!

Strong VPN AuthN

Page 10: PKI-Enabled Applications That work!

Strong VPN AuthN Cisco ASA 5510 (server side)

Page 11: PKI-Enabled Applications That work!

Strong VPN AuthN Cisco ASA 5510 (server side)

Page 12: PKI-Enabled Applications That work!

Strong VPN AuthN

• Cisco SSL VPN Client (client side)
– Integrated with Microsoft certificate store
– Use IE and/or the certificates MMC to manage certificates
– Clients for Windows, Macintosh and Linux
– Windows works with hardware token
– Using X.509 for administrative access to the ASDM management console, as well.

Page 13: PKI-Enabled Applications That work!

Strong VPN AuthN

• Certificate Issues:
– Soft or hard tokens
• Not all OSs support hardware tokens
• Hardware allows
– Password enforcement and
– Private key never leaves token
– Still subject to many of the same attacks
• Keyboard loggers
• Phishing?
• Weak passwords

Page 14: PKI-Enabled Applications That work!

Strong VPN AuthN

• Certificate Issues:
– Using the same certificate for multiple purposes
– Validity periods (too short?)
– Lost token or certs …
• Temporary password access
– CRLs
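The certificate issues listed on the two slides above (one certificate used for several purposes, validity periods, lost tokens, CRLs) map directly onto the checks a VPN head-end should make before it accepts a client certificate. The Go program below is an added example, not code from the presentation, from Cisco or from the campus PKI: it builds a constructed issuing CA, issues short-lived administrator certificates, publishes a CRL for a lost token, and shows a gate that enforces chain, validity window, the ClientAuth extended key usage (so an S/MIME-only certificate is refused for VPN) and revocation, including refusing a CRL that is past its NextUpdate. The CA name, serial numbers, lifetimes and the function names (newCA, issueCert, buildCRL, checkVPNCert) are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Shared reference clock for the constructed certificates and the checks.
var now = time.Now().UTC().Truncate(time.Second)

var (
	errRevoked  = errors.New("certificate serial is listed on the CRL")
	errStaleCRL = errors.New("CRL is past its NextUpdate, refusing to trust it")
)

// newCA builds a self-signed issuing CA (constructed for this example).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Campus Admin CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert issues an end-entity certificate with a given lifetime and EKUs.
// A VPN certificate carries ClientAuth; an S/MIME certificate carries EmailProtection.
func issueCert(ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64, cn string,
	lifetime time.Duration, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildCRL signs a CRL listing the given serials as revoked (e.g. a lost token) and
// parses it back, as a head-end fetching it from the distribution point would.
func buildCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked []int64, crlLifetime time.Duration) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(crlLifetime)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-time.Minute)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// checkVPNCert is the gate a VPN head-end applies to a presented client certificate.
func checkVPNCert(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Chain, validity window and EKU in one call: a certificate issued only for
	// S/MIME must not be accepted for VPN client authentication.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain/validity/EKU check failed: %w", err)
	}
	// Revocation: trust the CRL only if the CA signed it and it is still current.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature invalid: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return errStaleCRL
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errRevoked
		}
	}
	return nil
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	admin, _ := issueCert(ca, caKey, 100, "admin1", 90*24*time.Hour, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	crl, _ := buildCRL(ca, caKey, []int64{101}, 7*24*time.Hour)
	fmt.Println("admin1 accepted:", checkVPNCert(ca, crl, admin, now) == nil)
}
```

The stale-CRL branch is the one most often skipped in practice: a head-end that keeps honouring an old CRL after its NextUpdate will keep accepting a certificate revoked for a lost token, which is exactly the "temporary password access" window the slide worries about.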

Page 15: PKI-Enabled Applications That work!

Strong VPN AuthN

• Non-PKI Issues:
– Multi-cast
– Redundancy
– Performance
– Usability
– Politics
– Process
– Licensing cost

Page 16: PKI-Enabled Applications That work!

Full Disk Encryption

• Primary Objective
– Research and recommend a FDE product for pilot implementation

• Many requirements

• One requirement of solution
– Integrate with existing PKI infrastructure

Page 17: PKI-Enabled Applications That work!

Full Disk Encryption

• Typically disk/file encryption is done with symmetric keys

• Use public keys to encrypt the symmetric key
• Microsoft EFS uses public keys to encrypt the file encryption key.
• Because of the “preboot” nature of disk encryption and performance

Page 18: PKI-Enabled Applications That work!

Full Disk Encryption

• Instead, FDE products tend to support strong authentication mechanisms (tokens, smartcards)

• For effective full disk encryption, password strength is critical, i.e. protecting the strong with the weak.

• Use “already deployed” tokens/smartcards as a mechanism to do strong authentication, i.e. two factors.

Page 19: PKI-Enabled Applications That work!

Full Disk Encryption

• Selected SafeBoot (McAfee) as the FDE product to pilot.

• SafeBoot has two ways to leverage our PKI infrastructure:
– Use token to store user symmetric key. Token password allows you to get to symmetric key.
– Use user’s public key to encrypt user’s symmetric key. Then use token (with private key) to decrypt symmetric key.

Page 20: PKI-Enabled Applications That work!

Full Disk Encryption

• Use as key store
– Allows 2-factor authN to decrypt hard disk
– Must sync token password via management console

• Use to send encrypted symmetric key
– No need to physically handle token
– Must have public keys/certs available via external source (LDAP, AD)
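The second SafeBoot model described above (the user's public key encrypts the user's symmetric key, and the token's private key decrypts it at preboot) is ordinary hybrid encryption: a symmetric disk-encryption key (DEK) does the bulk work, and only that key is wrapped under the public key, so the key material fetched from LDAP/AD is enough to enrol a user without handling the token. The Go program below is an added example, not SafeBoot or McAfee code; it models the flow with RSA-OAEP for the key wrap and AES-256-GCM for the sector data, standing in for whatever sector-level mode a real product uses. The function names, the OAEP label and the sample sector contents are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// OAEP label binding the wrapped blob to its purpose (constructed value).
var dekLabel = []byte("fde-dek-v1")

// newDEK generates a fresh 256-bit disk-encryption key (the "user symmetric key").
func newDEK() ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	return dek, nil
}

// wrapDEK encrypts the DEK under the user's public key (RSA-OAEP, SHA-256). The
// public key can come from LDAP/AD, so the token is not needed at enrolment.
func wrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, dekLabel)
}

// unwrapDEK is the step the token performs at preboot: the private key stays on
// the token and only the recovered DEK is returned to the preboot loader.
func unwrapDEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, dekLabel)
}

// sealSector encrypts one block of disk data under the DEK with AES-256-GCM.
// Output layout: nonce || ciphertext || tag (illustrative; a real FDE product
// uses a sector-oriented mode without per-sector nonce storage).
func sealSector(dek, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSector reverses sealSector; a failed authentication tag (tampering) is an error.
func openSector(dek, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed sector too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// recoverSector models the preboot path end to end: unwrap the DEK with the
// token's private key, then decrypt the sector. A wrong token fails at unwrap.
func recoverSector(priv *rsa.PrivateKey, wrappedDEK, sealed []byte) ([]byte, error) {
	dek, err := unwrapDEK(priv, wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("token could not unwrap DEK: %w", err)
	}
	return openSector(dek, sealed)
}

func main() {
	// Constructed user key pair standing in for the certificate/token pair.
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dek, err := newDEK()
	if err != nil {
		panic(err)
	}
	sector := []byte("constructed sample: restricted data block 0")
	sealed, err := sealSector(dek, sector)
	if err != nil {
		panic(err)
	}
	wrapped, err := wrapDEK(&userKey.PublicKey, dek)
	if err != nil {
		panic(err)
	}
	got, err := recoverSector(userKey, wrapped, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("sector recovered intact:", bytes.Equal(got, sector))
}
```

Note what the token protects and what it does not: the private key never leaves the token, so the wrapped DEK on disk is useless without it, but the token PIN is still the weak point from the slide about "protecting the strong with the weak".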

Page 21: PKI-Enabled Applications That work!

Common Characteristics

• Leverage existing PKI infrastructure
• Protect restricted data
• Provide for strong authentication
– Attaining LOA3 authentication assurance

Page 22: PKI-Enabled Applications That work!

Futures

• Strong AuthN to enterprise systems
– PeopleSoft signon code

• Strong AuthN to web single signon

• Expand use of S/MIME
