
Smart Card and Certificate Logon

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com


Presentation Transcript


  1. Smart Card and Certificate Logon (title slide)

  2. Smart card logon • Motivation • Kerberos smart card logon vs. TLS client certificate authentication • CA requirements • Certificate requirements • Enrollment agents

  3. Motivation • Passwords shorter than 12 characters are insecure • They can be cracked from • AD and local SAM databases, cached credentials, NTLM and Kerberos traffic, LDAP simple bind, stored passwords, … • Windows NT password hashes are plain, unsalted MD4 of the password • Certificate signatures are SHA-1 or SHA-2 over random private keys, and with smart cards those keys never leave the card

  4. SHA-1 problems • Generic birthday (collision) bound at 2^80 work, i.e. still far more than any password below • Practical SHA-1 collisions have since been demonstrated (2017), so issue new certificates with SHA-2

  5. Windows passwords • 8-character password from an 80-symbol alphabet: 80^8 possible passwords • 2^x = 80^8 • x · log 2 = 8 · log 80 • x = 8 · log 80 / log 2 • x ≈ 51 bits • 10 characters ≈ 2^63 • 12 characters ≈ 2^76, roughly the 2^80 of SHA-1 above

  6. Kerberos vs. TLS • Kerberos TGT acquisition (AS exchange) • pre-authentication with a password-derived key • PKINIT: pre-authentication signed with the user's certificate and private key • TLS client certificate logon • require (not merely accept) a client certificate • an unauthenticated client is rejected inside the TLS handshake, before it reaches application code, which prevents pre-authentication attacks
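The "require, not merely accept" point on slide 6 in IIS terms, as an added example that is not part of the presentation. The site name 'Default Web Site' is assumed; the cmdlets come with the WebAdministration module on any IIS host.

```powershell
# Added example (not from the presentation): IIS client certificate modes.
# Site name is assumed; adjust $site for your server.
Import-Module WebAdministration

$site   = 'Default Web Site'
$filter = 'system.webServer/security/access'

# Weak: SslNegotiateCert only ASKS for a client certificate. A client that
# sends none still completes the handshake and reaches the application, so
# every pre-authentication code path stays exposed to anonymous callers.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert'

# Hardened: SslRequireCert makes the TLS handshake itself fail without a
# certificate that chains to a trusted CA; no HTTP request is ever parsed.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Verify the effective setting.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name sslFlags
```

Which certificates IIS accepts is then governed by the machine's trusted root and intermediate stores (and, with certificate mapping, by the mapping configuration); the user certificate itself only needs the Client Authentication EKU, as slide 8 notes.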

  7. CA requirements • Trusted by both the client and the domain controller (root and intermediate stores) • Published in the enterprise NTAuth store (CN=NTAuthCertificates in the Configuration partition); without this the DC rejects the logon certificate • CRL/OCSP reachable from the domain controllers, not just from the client, because the DC performs the revocation check

  8. Certificate Requirements • Domain controllers • DNS name of the domain (and of the DC) in the subject alternative name • Smart Card Logon and KDC Authentication EKUs, as issued by the Kerberos Authentication template • User certificates • Kerberos PKINIT: Smart Card Logon EKU, plus the UPN in the SAN or an explicit altSecurityIdentities mapping • TLS client certificate auth: Client Authentication EKU
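A check for the CA requirements of slide 7 and the certificate requirements of slide 8 together, written here as an added example rather than taken from the presentation. It assumes a .cer file exported from the smart card or the DC, a domain-joined machine for the NTAuth lookup, and an English-locale Windows for the SAN text matching; the OIDs are the standard Microsoft and IETF values.

```powershell
# Added example, not from the presentation: check a logon certificate and its
# issuing CA against slides 7 and 8. Assumed input: a .cer file; must run on a
# domain-joined machine so the NTAuth object can be read from AD.
$Oid = @{
    ClientAuth     = '1.3.6.1.5.5.7.3.2'       # TLS client certificate auth
    ServerAuth     = '1.3.6.1.5.5.7.3.1'       # TLS server (DC side)
    SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Kerberos PKINIT (user cert)
    KdcAuth        = '1.3.6.1.5.2.3.5'         # id-pkinit-KPKdc (DC cert)
}

function Get-CertEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertSanText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { return $san.Format($true) }   # e.g. "Other Name: Principal Name=alice@corp.example"
    return ''
}

function Get-NTAuthThumbprint {
    # Source of truth is the NTAuthCertificates object in the Configuration
    # partition; DCs and clients cache it locally (certutil -pulse refreshes it).
    $cfgNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfgNc"
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw).Thumbprint
    }
}

function Test-LogonCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('User', 'DomainController')][string]$Role = 'User'
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $ekus = Get-CertEku $cert
    $san  = Get-CertSanText $cert

    $r = [ordered]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        TlsClientAuth = ($ekus -contains $Oid.ClientAuth)       # TLS client cert logon
        PkinitLogon   = ($ekus -contains $Oid.SmartCardLogon)   # Kerberos smart card logon
        UpnInSan      = ($san -match 'Principal Name=')         # English-locale Format() text
    }
    if ($Role -eq 'DomainController') {
        $r.KdcAuthentication = ($ekus -contains $Oid.KdcAuth)
        $r.ServerAuth        = ($ekus -contains $Oid.ServerAuth)
        $r.DnsNameInSan      = ($san -match 'DNS Name=')
    }

    # Slide 7: the chain must build with ONLINE revocation checking for the whole
    # chain. If the CRL/OCSP URL is unreachable from this host, Build() returns
    # $false and ChainStatus reports RevocationStatusUnknown / OfflineRevocation.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $r.ChainValid  = $chain.Build($cert)
    $r.ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')

    # Slide 7: the issuing CA must be in NTAuth, otherwise the DC refuses the logon.
    if ($chain.ChainElements.Count -gt 1) {
        $issuer = $chain.ChainElements[1].Certificate
        $r.IssuerInNTAuth = ((Get-NTAuthThumbprint) -contains $issuer.Thumbprint)
    } else {
        $r.IssuerInNTAuth = $false   # self-signed, or no chain could be built
    }
    return [pscustomobject]$r
}

# Usage (file names assumed):
# Test-LogonCertificate -Path .\alice.cer
# Test-LogonCertificate -Path .\dc01.cer -Role DomainController
```

Run the DC variant on the domain controller itself: that is where the revocation check for the user certificate happens, so a CRL that is reachable from the workstation but not from the DC still breaks smart card logon. The same chain build can be reproduced with `certutil -verify -urlfetch file.cer`, which additionally prints every CRL and OCSP URL it tried.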

  9. Domain TLS User with RSA

  10. DomainSC User with RSA

  11. Enrollment Agent • aka Registration Authority (RA) • Enrolls on behalf of other users: the request for the user is countersigned with the agent's own Certificate Request Agent certificate • AD CS can apply more granular policies, restricting which agents may enroll which templates for which users or groups (Enrollment Agents tab in the CA properties)

  12. Smart card and certificate logon. Thank you!
