Title: 20-771: Computer Security Lecture 11: Windows 2000 III
120-771 Computer SecurityLecture 11 Windows
2000 III
- Robert Thibadeau
- School of Computer Science
- Carnegie Mellon University
- Institute for eCommerce, Fall 2001
2This Week
- WS 11, 12
- Touretzky on Wed
3Todays lecture
- The four examples (Common Criteria, etc.)
- Seeing real access control under win 2000
- Kerberos
- Think symmetric (private) key, first is password,
second and third in tickets for pre-registered
services. - Encrypted Files
- Break (10 min)
- IPSec, Smart Cards
4Windows 2000
- Much richer (more complicated) model
- MUCH easier for Joe to take over after Sam
- Hierarchy of Hierarchies
Complexity Wins
Windows
Unix
5Bad News Good News
- Complex
- Many Hierarchies
- Lots of How-To
- Learn only MS
- Use only MS 2000
- Simple underlying model
- MMC/ Active Directory / ACLs
- Hierarchies are easy to browse/search
- Only ONE way to configure
- Good online docs, good HCI
6Some Hierarchies
What What For Objects/Attributes
File System Programs and Data Word, Run Programs, etc.
Registry (six leaves) Control LOCAL system parameters Default settings, global variables
Domains Security Management Users/Groups/ACLs
Domain Trees Enterprise Management Domain Trust, Domain Config Inheritance
System Management Console Control of All Resources Active Registry
IIS Console Control http/ftp Hierarchy of virtual directories
Frontpage Control of webs Flat hierarchy of webs
7Review
- Windows 2000 Access has to do with
- Authentication (Passwords)
- Authorization (Access Controls) Active
Directory - We also saw the considerable audit capabilities
Active Directory SACL - Privacy (secrecy)
- Came in in protecting passwords (kerberos)
- Integrity (it is what it says it is)
- Came in in service authentication (kerberos)
- PKI
- Finally, we encountered a great advance in
enterprise management through Active Directory
and MMC snap-ins
8Windows 2000Much more compelling than NT
- Known to be a rock, stable, environment
comparable to Linux/Unix. - Runs many, BUT NOT ALL, Windows applications.
- One machine in violation (e.g., its Win 98 or
MAC) violates the security model - Enterprise or Departmental Management is much
cleaner. - Intercompany Management of resources is possible
without third party software. - Implementation of full scale corporate PKI is
possible. - Web access through IE5/IIS can be made highly
secure
9What is your recommendation?
- Machines have to be 64 megabytes (about 100/per
machine) - Think domain trees.
- Inheritance
- Build a root
- Build a department
- Add in other departments
- Web Servers
- Build a root
- Build a web server
- Add in other departments
10Build a root?
- The root should include
- A top-level domain controller
- A top-level certificate server
- A top-level kerberos server
- Possibly, a top-level SQL Server
- Possibly, an exchange server (mail)
- Possibly, a DNS server
- If Intranetting an IIS server
- These servers dont have to be big-time machines
but do have to be reliable - Disk mirroring is built into NT/2000
- Offsite backup replication (IPSec)
- These machines should be under major lock and
key. - Entry should be local console although remote is
supported in Windows 2000.
11Windows 2000 IPAAA Model
12Windows 2000 IPAAA Model
File Encrypt
SMARTCARD
IPSec
13Encrypting File
- Think like SSL and others uses RSA for
authentication/authorization and Private Session
Key for actual encryption/decryption - This means system has private key that it can use
for decryption - Encrypted Data Recovery Policy (EDRP)
- Workgroup (LOCAL Domain) this is local
- In Domain, it is only with the Domain
Administrator
14One DESX Key, Many Certs
FILE OR DIRECTORY
Administrator CERT /Public Key M
Symmetric/Private/DESX/Encrypt/Decrypt Key A
UserQ CERT /Public Key Q
Symmetric/Private/DESX/Encrypt/Decrypt Key A
UserR CERT /Public Key R
Symmetric/Private/DESX/Encrypt/Decrypt Key A
Some can be certs in Data Decryption Field or
Data Recover Field
15File Encryption / Recovery Certificate
- The symmetric encrypting key is encrypted using
the public key derived from your EFS certificate.
- The resulting encrypted data, along with your
display name and a hash of the certificate, is
stored in a named stream in the file that
contains EFS metadata. - When EFS decrypts a file, it uses your private
key to decrypt the symmetric encrypting key. EFS
then uses the symmetric key to decrypt the data.
16File Encryption is DES
- Actually DESX but the idea is the same it
operates like XOR the number of bits is the
number of tries needed to guess the key brute
force (without studied cryptoanalysis). - 40 bits for International
- 56 bits for US
- 128 bits can be downloaded from MS Support
- File Encryption Key Uses a Random (40, 56 or 128
bit) Number (randomness is probably very good,
but not cypher quality) - You can bet somebody somewhere has characterized
the non-randomness already (havent seen a
publication) - This means WHAT? You should know the answer to
this!
17Process
- You right click and set property to encrypt a
file/directory - If you dont have a user public/private keypair
one is automatically generated in the
background in your domain - Done once, you are done forever.
- You can have others need management
- The private/public key pair gains access to the
session key for the file.
18When it wont work
- System bit set (system files cant be encrypted)
- Compressed files (files marked compressed).
- Read-Only files (this is because the file has to
be written, temporarily, to be read). - FAT32 or any other FS than NTFS
- Copy should be checked
- Works because the file owner is always the file
owner.
19Cipher utility
- Why would you want to encrypt an encrypted file?
Try being administrator and user. - Data Decryption Field (certs), and Data Recovery
Field (certs) - Encrypt a file as a user, and see if you can
decrypt it as somebody else (who is the default
recovery manager). - Note efsrecvr.exe as the Encrypted File System
RECoVeR program you can use. You can also do this
by right clicking and the security properties,
owner.
20Cert (X.509) EFS Solution
- Many certs can hide the SAME private/ symmetric/
session FEK (file encryption/decryption key) for
a file. - These certs are SPECIAL FILE ENCRYPTION CERTS
(using the users private/public key) - http//support.microsoft.com/support/kb/articles/Q
273/8/56.ASP - The file can have several depending on the CERT
which is user Data Decryption Field - The file can have several recovery agents can
have several depending on the CERT which is the
recovery agent user.
21User and Kernel Mode
- MS has decided to keep encryption/decryption in
Kernel Mode - This requires careful user Mode handling (NTFS
calls EFS in complete privacy) - Cryptographic Provider (right now, the Microsoft
Base defined for cryptoAPI. Could be smart
card or external code/box). - There is another secret mode (SMI) that MS
doesnt use.
22CryptoAPI EFS Components
User Mode
USER APPLICATION
CryptoProvider RSA Private Key STORE
CryptoAPI
Encrypts Communication
NTFS
EFS
Msdn.microsoft.com search KSecDD Inside
Encrypting File System
Kernel Mode
23CryptoAPI EFS Components
User Mode
BIOS Real Mode Phoenix Technologies Device
Responsibility
USER APPLICATION
CryptoProvider RSA Private Key STORE
CryptoAPI
Encrypts Communication
NTFS
EFS
Msdn.microsoft.com search KSecDD Inside
Encrypting File System
Kernel (Real) Mode
24Problems with File Encryption System
- There is no integrity checking on files (PAAA
only)? - WRONG There is, I, but only for the encryption
header not the files themselves - The symmetric key is not necessarily just yours
- You and anybody else allowed
- Recovery cert owner.
- Note, the EFS symmetric key in your local X.509
is not yours but is the file or directorys
the containers. (Uses special hidden certs) - But! A private key is used to open the certs
encrypted with the public key. You have to steal
a private key of an RSA pair. - Many attacks
- Clear text file may exist (not deleted)
- Crypto-API is in the clear (NOT kernel)
- You cant revoke the File Encryption Certificate
25File Encryption Experience
- Ease of use
- Is there a way to have truly private files here?
26Encrypting File System (EFS)
- Think like SSL and others uses RSA for
authentication/authorization and Private Session
Key for actual encryption/decryption
27Break!
28Sidebar 3000 bit encryption
- Answer Yes, but.
- It wont hurt but it probably doesnt matter.
128 bit is - 1.70141183460469e38
- 1 in 170,141,834,604,690,000,000,000,000,000,000,0
00,000 tries - Slightly better than 6 in 9999 (your PIN on your
bank account). - 86,400 seconds in a day, 31,500,000 in a year.
3,150,000,000 in 100 years. - Need 54,000, 000,000, 000,000, 000,000,000,000
Guesses a Second (div by 2) - 54 billion trillion operations per second with
the expectation that in 50 years youll get it. - On the other hand, feel free.
29IPSec Classic Network Attacks
- Snooping
- Spoofing (TCP sequence numbers)
- Password Compromise
- Denial of Service Attacks (DoS)
- TCP SYN open tons of TCP connections
- SMURF drown with ping
- Teardrop fragmentation reassembly
- Ping of Death fake fragmentation parameters
- Man-in-the-middle Attacks
- Application-Level Attacks
- Key Compromise
30IPSec is End to EndIPAxx
- Client to Client
- Transport Mode
- One Authenticates but doesnt encrypt
- One Authenticates and Encrypts
- Gateway to Gateway
- Tunnel Mode (client to client is encapsulated)
- Authenticates, Encrypts, and also hides source
and destination!
31IPA
- Integrity
- Uses a hash (called signature or fingerprint)
- Authentication
- Preshared key authentication
- Nonce to confirm shared key
- Kerberos authentication (essentially the same)
- PK certs
- Confidentiality/Privacy/Encryption
- DES (3DES, triple DES)
- CBC (Cipher Block Chaining)
- Very akin to One Time Pad philosophy
(approximates it).
32IPSec Detail
- Authentication Header (AH)
- Encapsulating Security Protocol (ESP)
- Orig IP Header AH TCP DATA (transport mode)
- Authenticates whole packet
- Orig IP Header ESP Header TCP DATA ESP
Trailer ESP Authentication (transport mode) - Authenticates whole ESP but not IP Header
- Encrypts TCP-Trailer
- New IP Header ESP Header Orig IP Header TCP
DATA ESP Trailer ESP Authentication - Authenticates whole ESP but not IP Header
- Encrypts Original IP header to ESP Trailer
33Uses Cyphersuite
- Calls it security parameters index
- Encryption DES or 3DES
- Hash SHA1 or MD5
- Session Key (not in a cyphersuite)
- Diffie-Hellman provides the method of arriving at
a shared secret to manage key exchange - Also uses RSA (see RFC)
34Three Flavors of Network Security in IPSec
- Not Secret but it is Authentic!
- Secret and Authentic Client to Server
- But Routing is KNOWN
- Secret and Authentic and Routing (Inside
Firewall/Gateway) is Secret Too. - Tunnelled through the Open Infrastructure,
Gateway-to-Gateway - Defaults include using if you can, and requiring
use (on pain of failure to communicate at all).
35NOW SMART CARD!!!
- REALLY GOOD AUTHENTICATION!
- What you know
- What you have
- Biometric
36Smart Card
- ISO 7816
- Not OK for software/reader/writer interface
- PC/SC Workgroup
- www.pcworkgroup.com
- www.microsoft.com/security/tech/smartcards -gt
- http//www.microsoft.com/technet/security/smcdtech
.asp - Dumb and Smart
- Dumb Just store info (deprecated)
- Useful in facility security but can be
counterfeited easily - Smart (ICC) have a processor, can hide a private
key, - These can act as full crypto service providers
- Very very hard to counterfeit (if actually
possible)
37Smart Card
- ISO 7816
- Not OK for software/reader/writer interface
- PC/SC Workgroup
- www.pcworkgroup.com
- www.microsoft.com/security/tech/smartcards -gt
- http//www.microsoft.com/technet/security/smcdtech
.asp - Dumb and Smart
- Dumb Just store info (deprecated)
- Useful in facility security but can be
counterfeited easily - Smart (ICC) have a processor, can hide a private
key, - These can act as full crypto service providers
- Very very hard to counterfeit (if actually
possible)
38ICC Smart Cards
- Really secure!
- Two Factor Authentication
- Both a password (PIN) and an RSA Key
- Three password tries and you are out
- Administrator
- Three password tries and he is out
- Six Tries and you have a dead card
- Even a smart card reader sniffer cant sniff
the private key operation - BUT IT CAN SNIFF THE PASSWORD (PIN)!!!
- Sniff the guy, steal his card. Youre In.
- Phoenix Technologies Wave Systems Device
Responsibility to Guard Keyboard Sniffers
39Typical Smart Card Operation
Smart Card
System
Smart Card Waits to Hear its PIN to Start Talking
System Generates Nonce For Smart Card
Smart Card Demonstrates it Knows Private Key by
Encrypting Nonce
System Gets Public Key From Its Store Or Smart
Card Store CA!
System Uses Public Key to Prove Smart Card is Who
it Says it is.
Smart Card can Manufacture Certs for System as
Requested
40ICC Smart Card Programming
- To Store Data (not particularly for security but
perhaps for mobile privacy e.g., health
records). - To alter conditions for PIN or other conditions
for gaining access to RSA signing. Unclear if
this is always supported.
41Windows 2000 IPAAA Model
42Windows 2000 IPAAA Model
User Agents
DACLs
File Encrypt
Kerberos
Authenticode
SACLs
Smartcard
IPSec
43Features of Win 2000
- Multiple methods of authenticating internal and
external users - Protection of files through easy to use
encryption - Protection across network through transparent
encryption - Per-property access control for objects (many
more detailed uses than read, write, and execute) - Smart card support for authentication and hiding
private keys - Transitive trust relationships between domains
- Public Key Infrastructure (PKI Certs handled
transparently). - Code itself is routinely authenticated as to its
source using PKI.
44Cert 101
- The Cert is not encrypted but is encoded (the
only thing that is encrypted is the hash This
is technically called signed) - The signed hash can be
- Self signed the public key will immediately
open the hash allowing you to verify the text is
right. - CA signed a CA public key (and possibly your
public key in succession) will open it. This
verifies that you are you and the CA verifies you
are you.
45Encryption and Cert Based Access Control
- Cert is basically
- Housekeeping Some plain text about the version
of X.509, the cryptosuites being used, and a
certificate number - Some plain text information about the owner
- A plain text date to start and and date to expire
- A plain text public key
- Some extra plain text whatever you want
- Different certificate types define different
fields here - A signed hash of the above stuff
46Certificate Formats
- PKCS10 Format for a requestor just unsigned.
- PKCS7 Format for a signed certificate
- PKCS is at www.rsa.com/rsalabs/pkcs
47PKCS-7 Signing
- For each signer, a message digest is computed on
the content (H(M1)) - For each signer, the message digest and
associated information are encrypted with the
signers private key (E(H(M1)M2). - For each signer, the encrypted message digest and
other signer-specific information are turned into
a certificate (C(E(H(M1)M2)M3). - All the certificates are rolled up into a Signed
Data sequence - Info certificates certificaterevocations
- AltltBgtgtBltltCgtgtCltltDgtgt
- Public Key A (from CA) gives you your public key
D.
48EFS (Encrypted File System)
- A PKCS-7 can have info that can be used to send a
message to a user agent to verify that he left
the certificate. - It can hide a symmetric key encrypted with the
public key of the user.
49Minor Technicalities
- It isnt all X.509v3 (but, really, it is)
- The use of the certificate defines the content.
Any issuing authority can issue different kinds
of certificates and these are not always
compatible. - However, the principle is universal
- Sign the hash with your private key to prove its
you. - Distribute a public key
- You might encrypt the public key or other
information as is the case with the successive
unfolding of a sequence of certificates. - X.509v3 allows for recursive signing but it isnt
used.
50Using Certs
- I can prove you are you
- Smart Cards are really strong!
- They dont really need a CA!
- Register the smart card with the machine.
- It is absolutely unique and cant be
counterfeited! - Other CA opportunities
- What happened to Notaries???!!!!????
- Wouldnt it be nice if you could walk down the
hall and the exec secretary could be the legally
recognized CA? - Notaries are trained, etc.
- Alternate CA rules
- Are there other ways to prove you are who you say
you are. - To prove this software or data is who it says it
is - A master server on the net that can automatically
sign anything given to it. - The date/time/name become the master object
itself.
51Using Certs 2 Non-repudiable Agreements
- Certs (typically two) can represent an agreement.
- Here is the text of the agreement
- Here is the date and time of the agreement
- Here is your signed digest of the content.
- Here is my signed digest of the content.
- We both have copies.
- Now, you say you didnt agree, but I bring out
your signed certificate to prove you did. - Now, I say I didnt agree, but you bring out my
signed certificate to prove that I did. - The proof is irrefutable. I could not
manufacture your certificate.
52Using Certs 3 Anonymizing
- A different use of certs.
- I wont tell you who I am.
- I just give you a signed authorization to spend
200 or to log into the computer as John Smith. - The signer guarantees or vouches for me.
- The X.509v3 lets you do this.
53 Privacy Services
AGENT
INTERACTION
CONTROL
VALIDATION
NEGOTIATION
Personal Information
USAGE
INDIVIDUAL ACCESS
Policy
AUDIT
PROCESS CERTIFICATION
ENFORCEMENT RECOURSE
LOG
54Anonymizing Smart Cards
- A smart card that can sign for an authority and
also sign for an individual. - This could be a recursive sign
- This way the authority cannot be held responsible
unless he knows the person who put him at risk. - Alternatively, a third party anonymizer that
provides the anonymous certificate (this is a
valuable web sitestopped before Sept 21, 2000 by
RSA!).
55Anonymous Smart Cards
- Anonymous Certs could provide special mailing
information - Contact me at mrpepper_at_hotmail.com
- It could provide anonymous profiling
- I am 50 years old. White. Worth X dollars, send
mail to me at mrpepper_at_hotmail.com, but you cant
find out who I really am. - Microsoft Smart Cards, Inc., will attest to this.
56Agents
- Converse side of CA
- You sign to give your agent rights
- The agent can now bind you
57Certs on/from Objects
- EFS
- Prove the owner has the right. User object has
to decrypt the symmetric key that decrypts the
object. - Authenticode
- Prove the code is the code because the cert on it
hashes the code to prove its integrity and the
hash is signed to prove that it came from who it
is said to be from. - You have to trust Microsoft Corporation
- This means that the certificate simply said
Microsoft Corporation, Inc. but what if it had
said Microsoft Inc. (of Zimbabwe, Africa)?
58PKI
- You should learn that Microsoft has implemented
what you already learned about PKI and
Cryptography - They have integrated this into the OS (making it
easy and transparent) - Look at Hierarchical Certification (a parent Cert
unlocks many children, and each of them can
unlock many children) - Look at types of Certs (people, code, things)
- Types and Hierarchy of authority basis for
corporate PKI and Win 2000 PKI.
59PKI works with two mechanisms
- Using the CA public key to unfold the signing
to your public key (typically, the CA signs your
PK cert). - He vouches for you in a way that cannot be denied
- Key compromise
- Key revocation is a problem
- A file or resource has access granted by the
demonstration that the requestor can privately
encode that the resource can publicly decode (or
that the resource can publicly encode that the
requestor can privately decode). - You can have MORE than one PK on a file or
resource - Example was revocation list
- User (not group) is a owner of a private/public
key - Can let Windows Base Crypto Services or Smart
Card.
60Features of Win 2000
- Multiple methods of authenticating internal and
external users - Protection of files through easy to use
encryption - Protection across network through transparent
encryption - Per-property access control for objects (many
more detailed uses than read, write, and execute) - Smart card support for authentication and hiding
private keys - Transitive trust relationships between domains
- Public Key Infrastructure (PKI Certs handled
transparently). - Code itself is routinely authenticated as to its
source using PKI.
61End of Windows 2000 SecurityRemember Planning!
- Security group strategies
- Local, Global (Domain), and Universal (new)
- Group policies
- Access Control, Auditing, (security policy)
- Network logon Authentication
- Info Security (encryption)
- Primary Domain Controller First then Backups
- You cant back out You cant add new (old) NT
into system in Win 2000