Page 1
TPM and certificate logon
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH | CHFI | CISA | [email protected] | www.sevecek.com
GLAB007 - capture the flag 1 - hack your corporate network
GLAB008 - capture the flag 2 - hack your corporate network
GOC175 - security implementation
GOC169 - ISO 27001
GOC172 - Kerberos troubleshooting
GOC161 - Cryptography
my courses at GOPAS
Page 2
Agenda
• Why not passwords?
• Why two-factor authentication?
• What is TPM and how is it "1.5 authentication"?
• AD CS installation quickly
• DC certificates
• TPM virtual smart card
• Can users obtain logon certificates by themselves?
• Registration authority for issuing TPM logon certificates
• TPM attestation
Page 3
Passwords
• Easily compromised
– hardware keyloggers
– software keyloggers
– surveillance cameras
• Very long validity
– can be used from anywhere without user knowing
– no incident investigation when compromised
• Bad quality
– lockout vs. availability vs. DoS
Page 4
Multifactor authentication
• know
– password
– PIN
• have
– card
– phone
– notebook
• be
– biometrics
Page 5
1.5 authentication
• biometrics on mobile phones
• TPM module on laptops
• must have the device
• must not let others use the device
Page 6
Certificate logon with TPM
• bound to the device
• certificate using strong keys
• incident investigation
Page 7
Certificate logon
• Active Directory
– AD CS
– DC certificates
– user logon certificates
– RA certificates
– usage
• CTRL-ALT-DEL
• RDP
• HTTPS
• VPN
• ADFS vs. Office365
• Outlook, ActiveSync
• AAD and Office365
– CA trusted - Get-AzureADTrustedCertificateAuthority
– individual certificates mapped to user accounts in AAD
Page 8
AD CS installation
• keep it safe
– installing it on a DC guarantees its security
• Domain Admins
• physical security
Page 9
Simplest AD CS installation (screenshot walkthrough, pages 9-15)
Page 16
Simplest DC certificates with auto-enrollment
Page 17
TPM virtual smart card
• TPMVSCMGR
– create /name ... /pinpolicy minlen 4 uppercase ALLOWED lowercase ALLOWED digits ALLOWED ... /generate
• PUK
– user knows
• AdminKey
– 48 digits
– admin resets the PIN by computing a challenge response
Page 18
Issuing logon certificates
• Self service
– free "duplication" and renewal
– no attestation
• Attestation by workstation admins
• Attestation by TPM key hash
– machine certificates for 802.1X, VPN and WiFi
Page 19
Simple user logon certificate template (screenshot walkthrough, pages 19-24)
Page 25
Attestation with RA
• Enrollment Agent = Registration Authority
• workstation admins issue certificates on behalf of the users
• using an RA smart card
Page 26
RA certificate for workstation admins (screenshot walkthrough, pages 26-28)
Page 29
User certificate requiring the RA signature
Page 30
TPM attestation for machine certificates
• Get-TpmEndorsementKeyInfo -Hash sha256
• certutil.exe -setreg CA\EndorsementKeyListDirectories +"C:\TpmEndorsement"
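As an added example (not from the slides), the two commands above wired together: collect each workstation's EKPub hash, build the allow-list directory the CA reads, and register it. Assumes WinRM access to the workstations, that the script runs on the CA, and that the computer names and directory are placeholders; the template's "Key Attestation: Required" setting is configured separately.

```powershell
# Added example (not from the slides): build the EKPub allow-list used by
# "Attestation by TPM key hash". Workstation names and $EkListDir are
# placeholders; requires WinRM to the workstations and runs on the CA.
$Workstations = @('WS01', 'WS02')
$EkListDir    = 'C:\TpmEndorsement'

# 1. Collect the SHA-256 hash of each machine's endorsement key (EKPub).
$ekHashes = Invoke-Command -ComputerName $Workstations -ScriptBlock {
    # Get-TpmEndorsementKeyInfo ships with the TrustedPlatformModule module.
    $ek = Get-TpmEndorsementKeyInfo -Hash sha256
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Hash = $ek.PublicKeyHash }
}

# 2. The CA expects one empty file per trusted EKPub, named by the hex hash
#    (no extension), inside an EndorsementKeyListDirectories folder.
New-Item -ItemType Directory -Path $EkListDir -Force | Out-Null
foreach ($e in $ekHashes) {
    if ($e.Hash -notmatch '^[0-9A-Fa-f]{64}$') {
        Write-Warning "Skipping $($e.Computer): unexpected hash '$($e.Hash)'"
        continue
    }
    $path = Join-Path $EkListDir $e.Hash.ToLower()
    if (-not (Test-Path $path)) {
        New-Item -ItemType File -Path $path | Out-Null
        Write-Host "Trusted EK from $($e.Computer): $($e.Hash)"
    }
}

# 3. Register the directory with the CA (the slide's certutil line) and
#    restart CertSvc so the setting is read. Keep write access to the
#    directory limited to the admins who vet machines; anyone who can drop
#    a file there can make an arbitrary TPM trusted.
certutil.exe -setreg CA\EndorsementKeyListDirectories +"$EkListDir"
Restart-Service -Name CertSvc
```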
Page 31
TPM attestation for machine certificates
Page 32
Summary
• Strong credentials bound to device
Page 33
Thank you for your attention
www.gopas.cz