Page 1
ClientCer)ficates
SecurityProfessionals2012PreconferenceSeminar
8:30‐Noon,Tuesday,May15th,2012WhiteRiverBallroomB,JWMarrioE,IndianapolisIN
JoeStSauver,Ph.D.(joe@[email protected] )InCommonCerPficateProgramManagerand
Internet2NaPonwideSecurityProgramsManager
hEp://pages.uoregon.edu/joe/secprof2012/
Disclaimer:Theopinionsexpressedinthistalkrepresentthoseofitsauthor,anddonotnecessarilyrepresenttheopinionofanyotheren9ty.
Page 3
OurTimeTogetherToday
• SincethreehoursisarelaPvelylongPmeforasinglesession,we'regoingtogothroughmaterialforaboutanhourandahalf(unPlabout10:00),andthenwe'lltakeacoffeebreakoutsideofroom103forahalfhourorso.Around10:30,we'llcrankbackupandfinishtherestofthematerialwewanttogoover.
• IfyouhaveanyquesPonsatanyPme,feelfreetospeakup.WhileI'vepreparedafairlystructuredsessiongiventhenumberofaEendeesthatareexpected,I'vesPlltriedtobuildinPmefordiscussion,andIknowthatsomeofyoumayalreadybeexperiencedwihclientcertsandhavemuchtoshareyourselves.
• Finally,Ialsowanttomakesurewe'vegotPmetohelpyouactuallygetaclientcertinstalledandupandrunningonyoursystem,ifyou'dliketotrydoingthis.
• ArethereanyquesPonsatthispoint?3
Page 4
Introduc)ons
• Let'stakeaminuteortwotogoaroundtheroomandintroduceourselves.
• Pleasesay:
‐‐whoyouare‐‐whatschoolyou'rewith‐‐anythingyoursitemaycurrentlybedoingwithclientcerts‐‐whyyou'reinterestedinclientcerts/anythingyouparPcularlyhopewecovertoday
4
Page 5
StrongCryptographyandFederal/Interna)onalLaw
• Strongcryptographyiscri)caltocomputerandnetworksecurity,includingenablingsecureauthenPcaPonandonlinecommerce,protecPngpersonallyidenPfiableinformaPon(PII)storedonline,andlegiPmatelyensuringpersonalprivacyforlaw‐abidingciPzens.
• AtthesamePme,strongcryptographyissubjecttocomplexregula)oninmanycountries,includingtheUnitedStates.Why?UseofencrypPonmakesitharderfornaPonalsecurityagenciesandlawenforcementorganizaPonstolawfullyinterceptcriminalcommunicaPonsandnaPonal‐security‐relatedcommunicaPons.
• Therefore,ourgoalwhentalkingaboutstrongcryptographyistoalwaysabidebyfederallawsandinterna)onaltrea)esrela)ngtocontrolsoverstrongcryptography,andtodowhatwhatwecantoensurethatstrongcryptographydoesn'tgetmisusedinwaysthatmighteitherharmournaPonalsecurityorinterferewiththelawfulinvesPgaPonandprosecuPonofcriminals.
5
Page 6
SinceWe’llBeGivingYouStrongHardwareCryptoProducts
• Youwarrantthatyouaren’tbarredfromobtainingandusingstrongcryptoproductsorsoKware,NORareyoubarredfromreceivingtrainingonit.
• Specifically,thismeansthatyouassertthatyouareNOTaciPzen,naPonal,orresidentofBurma,Cuba,Iran,Iraq,NorthKorea,Sudan,Syria,oranyothercountryblockedfromobtainingstrongcryptographyproducts.
• YouareNOTa"deniedperson,"a"speciallydesignatednaPonal,"oranysimilarindividualforbiddentoaccessstrongcryptographybytheUSgovernment(www.bis.doc.gov/complianceandenforcement/liststocheck.htm)
• Youareneitheraterroristnoratrafficker/userofillegalcontrolledsubstances,NORareyoudirectlyorindirectlyinvolvedinthedesign,development,fabricaPonoruseofweaponsofmassdestrucPon(includingimprovisedexplosivedevices,nuclear,chemical,biological,orradiologicalweapons,normissiletechnology,see18USCChapter113B)
• YouagreeNOTtoredistributeorretransfercryptographicproductsorsofwaretoanyonewhoisinoneofthepreviouslymenPonedprohibitedcategories.
• YouunderstandandagreethattheforgoingisbywayofexampleandisnotanexhausPvedescripPonofallprohibitedenPPes,andthatthisisnotlegaladvice.ForlegaladvicerelaPngtostrongcrypto,pleaseconsultyourownaEorney. 6
Page 7
"First,DoNoHarm"
• Someofyoumaywantto“followalong”aswegothroughtoday’strainingmaterials.Ifso,that’sterrific.HoweverpleaseONLYdosoifyou’vegotarecentbackupofyoursystem,andyoursystem(ifsuppliedbyyouruniversity)isNOT"lockeddown"byyouruniversityITdepartment.
• IfyouhaveNOTbackedupyoursystemrecently,oryouruniversityITdepartmentdoesNOTwantyoutoPnkerwithyourlaptop,pleasefeelfreetowatchwewegoovertodaybutpleasedonottrytoinstallanynewsofwareorotherwisemodifyyoursystem.
• Also,ifyoualreadyhaveaclientcerPficateinstalledonyoursystem,youmaywanttorefrainfrominstallinganotherone,andinparPcularPLEASEdoNOTinten)onallydeleteanyclientcer)ficatesyoumayalreadyhaveinstalledonyoursystem!
7
Page 8
Oh,AndForThoseofYouWhoMayHaveBeenWorried,No,We'reNotGoingtoDiveIntoAnyAdvanced
Crypto‐RelatedMathema)csToday
• OurfocustodayisonhelpingyougettothepointwhereyoucanactuallyuseclientcerPficates,parPcularlyforsecureemail,andgemngyoutothepointwhereyouunderstandthepracPcallimitaPonsassociatedwiththosetechnologies.Youdon'tneedadvancedmathemaPcstodothat.
• SoifyouhatedmathemaPcswhilegoingthroughschool,relax.:‐)Virtuallyeverythingwe’regoingtotalkabouttodayshouldbenon‐mathemaPcal.
• Let’sdiverightin.We'llbeginbytalkingaboutwhyyoumightwanttouseclientcerPficates,parPcularlyforsigningandencrypPngemail.
8
Page 9
I.Mo)va)ngAnInterestinClientCer)ficates("PKI"):
SecuringEmail
9
Page 10
WhyMightWeNeedToSignand/orEncryptEmail?
• Putsimply,regularemailishorriblyinsecure.
• Emailistrivialtospoof:eventechnicallyunskilleduserscansimplyputbogusidenPtyinformaPonintothepreferencespaneloftheiremailclientandvoila,they're"Santa"(orpreEymuchanyoneelsetheywanttobe).Youjustcan'ttrustthenon‐cryptographically‐signedcontentsofemailthatyoumayreceive–itmayallbecompleterubbish.
• Mostemailisalsotrivialtosniffonthewire(orreadinthemailspool):messagesnormallyaren'tencryptedwhentransmiEedorstored,sounauthorizedparPescanreadyourcommunicaPons."Trustedinsiders"mayalsoaccessconfidenPalcommunicaPons.
• Let'stakealookatacoupleofpracPcalexamplesofthesesortofexposures.
10
Page 11
TheSimpleRoadtoSpoofingEmail:JustChangeYourPreferencesinMozillaThunderbird
11[Yes,thiswillwork.Butno,pleasedon'tactuallydothis.]
Page 12
"ButWon'tSPFand/orDKIMEliminatetheSpoofingProblem?"
• SPF(www.openspf.org)andDKIM(www.dkim.org)weremeanttohelpfixspoofing,andtheydo,butthey'renotatotalsoluPon.
• Forinstance,SPF/DKIMcannotprotectyouagainstspoofedemailthatisinjectedfromanauthorizedsource.Classicexample:‐‐Collegefacultymemberandherstudentsallhaveaccountsinthesameexample.edudomain,andallsendfrom"oncampus"‐‐Amaliciousclassmemberforgesmessagefromacampuscomputerlab,pretendingtobethefacultymember,"cancellingclass"or"assigningextrahomework"(orwhatever).SPFandDKIMaren'tdesignedtodefendagainstthissortofaEack.
• Securityfolkstendtolikebelt‐and‐suspender("defenseindepth")soluPonsanyhow,andjustbecauseyou’redoingSPForDKIM,thatdoesn'tprecludealsodoingmessagelevelcrypto,right?
12
Page 13
ASimpleExampleofHowEasyItIsToSniffTypicalPlainTextEmailUsingWireshark
• Sendasimplemailmessage...
% mailx -s "testing 123" [email protected] Joe!
I don't think this is very secure, do you?
Joe .
• IfsomeoneisusingWiresharktowatchyourtraffic,they'dsee:
13
Page 14
"ButJoe!AllOurNetworksAreSwitchedEthernet!There'dBeNoTraffictoSniff!"
• SitessomePmeshaveafalsesenseofsecuritywhenitcomestotheirvulnerabilitytosniffing.Specifically,somemaybelievethatbecausetheyuseswitchedethernet,trafficintendedforagivensystemwillONLYflowtotheappropriatesystem'sswitchport.
• Youmayalreadybeawarethatmanyswitchescanbeforcedtoactlikehubsthroughavarietyofwellknowntechniques(seeforexamplehEp://eEercap.sourceforge.net/).Thus,evenifyourinfrastructureisintendedtoisolatetrafficonaper‐portbasis,inpracPce,thatprocessmayfailtomaintaintrafficseparaPon.
• Youalsocan'tensurethattrafficwon'tbesniffedonceitleavesyourlocalnetwork.
• Therefore,youshouldassumethatanyunencryptednetworktraffic,includingmostemail,canbesniffedandread.
14
Page 15
OfCourse,IfSomeone'sGotRoot,TheyCanLookAtAnythingOnTheSystem,IncludingEmailMessages...
% suPassword: # cat /var/mail/joe From [email protected] Sun Feb 12 14:30:54 2012Return-Path: <[email protected] >Received: by canard.uoregon.edu (Postfix, from userid 501) id 5C221D537D4; Sun, 12 Feb 2012 14:30:54 -0800 (PST)To: [email protected] : Some thoughts on the insider threatMessage-Id: <[email protected] >Date: Sun, 12 Feb 2012 14:30:54 -0800 (PST)From: [email protected] (Joe St Sauver)Status: O
Hi Joe,
I wonder if a system admin with root priv could read the mail that's sitting in my mail spool? You know, I bet s/he could...
Joe 15
Page 16
BUTIfYourEmailIsEncrypted,ItMayNotMaberIfSomeoneDoesALible"Browsing:"TheFollowingIsn'tVeryInforma)ve,IsIt?
MIAGCSqGSIb3DQEHA6CAMIACAQAxggNbMIIBkQIBADB5MGQxCzAJBgNVBAYTAlVTMRIwEAYD VQQKEwlJbnRlcm5ldDIxETAPBgNVBAsTCEluQ29tbW9uMS4wLAYDVQQDEyVJbkNvbW1vbiBT dGFuZGFyZCBBc3N1cmFuY2UgQ2xpZW50IENBAhEAowXASR0JSE0KE5HSe8RXCTANBgkqhkiG 9w0BAQEFAASCAQAphc3r5MLFw43hOcMzlb/UG9DEaFPyFtcaiN8koelnok2DVdcAtSb9wulU iKjw4jps8GwqPeonzC8o+RMyktiFwMvM/QfN4zMUbfxsJr0i7FpnveROp+V8Cyo2hDuJpa/d GjRI560cDnH2z4tnYOO9/SJBCvLIIRjfnnnuJlS12VF00kcA9sfJI23QWhauisoef0ZhvAOw
11wHi8o+4icSe6iT18rR+Sr9MDhulDdfVCfmYwDfBi4SAqzbLK1FZfSj7aIjphlcFV4JKXr3 HyEz2afYRCGYUUaGk1zjcfhh4Eqkah6TwZ8QCtWUTsYdhuZdHGHw6zbBuSUYxzRG2NiRMIIB wgIBADCBqTCBkzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQ MA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxOTA3BgNVBAMT MENPTU9ETyBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAKgC OyLlmfFLiBBlWracUfMwDQYJKoZIhvcNAQEBBQAEggEAOc1JpNLx+62m1To69oxFd3/fMEvo
UDkL1nSQe5LDhKnH3DXmH2vvTN0Q0h8vjGbkcGklCD11164VRi380QrtVYTsYCl9tB1kuHam SH+xJIIsLkNasYWnCXwzji+Uw80GiAP9/CgB/aYJhhYJt1HRQ+43S9m3xgpdK//aCOIjmKLl prFiQ1Jk5Wx3Sqm/Kkg89m9ulln1ckpIBrvTxNsikZmFwh4QGcCtz42+mTGZXcbrrn9yfT0F 4ds9xDbBm5e/Se/aq4vpfX0yi0/UP8/ywJ5+zG2ufyJw4i2h2O3vyD6WzX7PiYuzsn232RkR
[This base64 encoded file is actually a base64 encoded encrypted file] 16
Page 17
EmailIsAlsoPoten)allySubjecttoLawfulInterceptand/orCompulsory(orEvenVoluntary)Disclosure
17hEp://www.cybercrime.gov/ssmanual/ssmanual2009.pdfatpage138
Page 18
ReducingTheTransportEmailSniffingVulnerability:Opportunis)cSSL/TLSEncryp)on
• YoucanreducetheextenttowhichemailtrafficissubjecttosniffingonthewirebyenablingopportunisPcSSL/TLSencrypPon.ThismeansthatiftheMTAsonbothsidesoftheconversaPonarereadyandwillingtodoSSL/TLSencrypPon,itwillbenegoPatedandusedwheneveritcanbe.Seeforexample:
hEp://www.exim.org/exim‐html‐3.20/doc/html/spec_38.htmlhEp://www.posdix.org/TLS_README.htmlhEp://www.sendmail.org/~ca/email/starEls.html
• However,SSL/TLSwillnotprotectemailoverlinksthatdon'thaveTLS/SSLenabled,nordoesitprotectstoredmailonceithasbeenreceivedandsavedtodiskatitsdesPnaPon.Thatis,itisnot"end‐to‐end."
18
Page 19
Obtaining*End‐to‐End*Protec)onRequiresMessage‐LevelSigningandEncryp)onE.G.,UseofPGP/GPG,orUseofS/MIME
• Therearetwobasicapproachestogemngend‐to‐endprotecPonforemailmessages:
• PreEyGoodPrivacy(PGP)(orGNUPrivacyGuard(GPG)),seeRFC4880,*OR*
• S/MIME(RFC5751)withpersonalcerPficates.
• PGP/GPGisprobablythemorecommonofthosetwoopPons,andonethatmanyofyoumayalreadyuse,buttodaywe'regoingtotalkaboutusingS/MIMEwithclientcerPficates,instead.
• Beforewecandigin,however,weneedaliEle"cryptobackfill"19
Page 20
II.AMinisculeLibleBitofCryptographicBackfill
20
Page 21
PublicKeyCryptography
• Therearebasicallytwotypesofcryptography:symmetrickeycrypto,andpublickey(asymmetric)crypto.
• Insymmetrickeycryptography,amessagegetsencryptedANDdecryptedusingthesamesecretkey.Thatmeansthatbeforeyoucanshareasecretmessagewithsomeone,youneedasecretkeyyou'vebothpreviouslyagreedupon(chicken,meetegg).
• BothPGP/GPGandS/MIMEwithpersonalcerPficates,ontheotherhand,relyonpublickeycryptographytosignorencryptmessages.Inpublickeycryptography,theusercreatesapairofmathemaPcally‐relatedcryptographickeys:oneprivatekeythatonlytheuserknows,plusarelatedpublickeythatcanbefreelysharedwithanyonewho'sinterested.Havingauser'spublickeydoesn'tallowyoutoderivethatuser'scorrespondingprivatekey,butitdoesallowyoutocreateanencryptedmessageforthatuserviaa"oneway"or"trapdoor"mathemaPcalprocess.
21
Page 22
ButWait,There'sMore!PublicKeyCryptographyCanSlice,DiceandMakeJulienneFries,Too...
• Well,thatmaybeaslightexaggeraPon.
• Butpublickeycryptographydoesallowyoutodoatleastonemorecooltrick:theholderoftheprivatekeycanalsodigitallysignafilewiththeirprivatekey.Oncethatfileisdigitallysigned:
‐‐itcan'tbechangedwithoutinvalidaPngthemessagesignature(e.g.,itactsasananP‐tamperingchecksumvalue)
‐‐anyonewhohasacopyofthecorrespondingpublickeycanverifythatitwassignedbysomeonewhohadaccesstothecorrespondingprivatekey
22
Page 23
HowDoCer)ficatesFitIntoAllThis?
• Sofarwe'veonlybeentalkingaboutpublickeysandprivatekeys.YoumaywonderhowcerPficatesfitintoallthis.
• TheansweristhatcerPficatesaEachanidenPtytoacryptographickeypair.
• Ifyou'relikemostfolks,whenyouhear"cerPficates"inanonlinecontext,youthinkofSSLwebservercerPficates.That'snotwhatwe'regoingtobetalkingabouttoday.ThosecerPficatesareissuedtoservers.Thecertswe'regoingtotalkabouttodaygetissuedto*people*,instead.
• Butfirst,let'sbeginwithsomethingwe'reallfamiliarwith:meePnganewpersoninreallife.
23
Page 24
MappingUserstoIden))esIn"RealLife"
• IfImeetyouface‐to‐face,perhapsatthehotelbar,youmighttellme,"Hi,I'mRobertJones.Nicetomeetyou!"Inacasualcontextatasocialeventofthatsort,wemightsmile,shakehands,exchangecards,engageinsomechitchat,andleaveitatthat–itdoesn'treallymaEerifyouare(oraren't)whoyouclaimtobe.I'lljusttemporarilyaccept(andthenunfortunatelyprobablyquicklyforget)your"self‐assertedidenPty."That'sOK.
• IfitturnsoutthatIeventuallyneedconfirmaPonofwhoyouare,Imightasktrustedcolleagues,"Hey,seethatguyoverthere?Whoishe?"Iftheyallsay,"Oh,that'sRobertJones.I'veknownhimforyears,"thatmightgivemeconfidencethatyoureallyarehim.
• OtherPmes,forexampleifyou'reinastrangecity,orsomeone'strusPngyouwithavaluableasset(suchasarentalcar),youmightneedtoshowadriverslicenseorothergovernmentissuedIDsincenoone"knowsyourname."(ObCheers:"Norm!")
24
Page 25
MappingUsersToIden))esOnline:PGP/GPG
• Asimilarproblemexistsonline.HowdoyouknowwhichpubliclyofferedPGP/GPGkeysistherealonethataperson'sactuallyusing,andnotapretender'scredenPals?InPGP/GPG,thisisdoneviaa"weboftrust."
• InPGP/GPG,aPGP/GPGpublickeygetsdigitallysignedbyotherPGP/GPGuserswhohavepersonallyconfirmedthatperson’sID.(ThisofengetsdoneatPGP/GPG"keysigningparPes,"liketheonethatwillhappenat6:30PMonWednesdaynight).NormallyakeyholderwillgetsignaturesfrommulPplefriendsorcolleagues.
• Recursively,howdoyouknowthatyoushouldtrustthosesignatures?Well,thosesignaturesweremadewithkeysthathaveALSObeensignedbyothercolleagues,andsoonandsoforth.
• Whilethissoundsincrediblyadhocandkludgy,inpracPce,itactuallyworkspreEywell(atleastfortechnicalusers)–itreallyisasmallworldoutthere,"sixdegreesofKevinBacon"‐wise.
25
Page 26
TheWebofTrustIsForKeys(NotNecessarilyTheirOwners)
• Animportantnoteaboutthecryptographic"weboftrust:"
SomeonesigningaPGP/GPGkeyisnotsayingthatthat personwho'skeythey'vesignedisa"trustworthy"person.
Completelyevilpeoplemayhavewell‐signedPGP/GPGkeys!
• Whensomesignsanotherperson'sPGP/PGPkey,they'reonlysayingthat:
‐‐they'velookedatthatperson'sgovernmentissuedID,‐‐thatpersonindicatedthatthatthatpublickeyistheirs.
Thatis,they'rebindinganiden9tytoacryptographiccreden9al.26
Page 27
PersonalCer)ficates
• InthecaseofS/MIMEwithpersonalcerPficates,aweboftrustisn'tused.IntheS/MIMEcase,trustgetsestablishedhierarchically("topdown").
• Thatis,apersonalcerPficateistrustedbecauseithasbeenissuedbyabroadlyacceptedcerPficateauthority("CA"),anenPtythatyou(andmostotherInternetusers)acceptasreliableforthepurposeofbindingidenPPestocredenPals.
• CAstendtobeverycarefulwhenitcomestodoingwhattheysaythey'regoingtodo(specifically,verycarefultodowhattheysaythey'regoingtodointheir"CerPficatePracPcesStatement"),becauseiftheydon't,people(includingbrowservendorsandtheCABForum)willstoptrusPngthemandthenthey'llquicklybetotallyoutofbusiness(literally).
27
Page 28
'SoWhat'sthis"CABForum?"'
• No,it'snotataxicabassociaPon.• TheCerPficateandBrowserForumisaninfluenPalbodymadeup
ofCerPficateAuthoriPes(that'sthe"CA"intheirname)andBrowserVendors(that'sthe"B"intheirname).
• TheirwebsiteishEp://www.cabforum.org
• AsapracPcalmaEer,increasinglythey'reeffecPvelyestablishingthepracPces/normsthatapplytotheenPrecerPficateindustry,andFWIW,they'remakingtheshipfarmoreshipshape.:‐)
• Previously,variousindustrygroups,suchastheMozillaFoundaPon,hadalottodowithwhatwasorwasn'tacceptable:putsimply,ifyouwantedyourcerPficatestobetrustedinFirefox,youcompliedwithwhattheMozillaFoundaPonrequired.DiEoforInternetExplorerandMicrosof,etc.
28
Page 29
"WhatDoesaCPSActuallyLookLike?"
• CPSdocumentsasaclassareprobablyoneofthemostwidelyignoredcategoriesofdocumentsintheworld.
• Howver,somePmesfolkswhohaveahardPmesleepingactuallywanttoreadCerPficatePracPcesStatements.Ifyou'dliketochecksomeout,youcansee,forexample,InCommon'sCerPficateServiceCPS:hEps://www.incommon.org/cert/repository/
• You'llseeseparateCPSfortheInCommonstandardSSLcerPficateoffering,theextendedvalidaPoncerPficateoffering,theclientcerPficateoffering,andthecodesigningcerPficateoffering.Thevarious"profile"documentsarealsopotenPallyquiteinformaPve.
• SimilardocumentsshouldbeavailableforanypubliccerPficateissuer.
• OneofthethingstheycoverishowidenPtygetsvalidated,andwhatexpectaPonsshouldbeforaparPculartypeofcert.
29
Page 30
III.Iden))esandLevelsofAssurance
30
Page 31
ARealName,orJustAnEmailAddress?
• Theremaybesomeconfusionwhenitcomestothe"idenPty"thatacryptographiccredenPalasserts–isitaperson's“realname”(e.g.,asshownontheirdriver'slicenseortheirpassport),orisitsomethingmoreephemeral,suchasjusttheiremailaddress?
• Theansweris,“itmaydepend.”SomestandardassurancepersonalcerPficatesonlyvalidateauser'scontroloveranemailaddress,typicallybysendingacryptographicchallengetothataddress.That'sthesortofclientcertswe'llbeworkingwithtoday.
• OtherclientcerPficatesmayrequiremuchmorerigorous"idenPtyproofing,"perhapsrequiringtheusertosupplygovernmentissuedidenPficaPon(oreventoundergoacompletebackgroundcheck)beforetheygetissuedahigherassuranceclientcert.
31
Page 32
HSPD‐12andFederalCAC/PIV‐ICards
• OnAugust27th,2004,then‐PresidentGeorgeW.Bushissued"HomelandSecurityPresidenPalDirecPve12,"(seehEp://www.idmanagement.gov/documents/HSPD‐12.htm)mandaPngtheestablishmentofacommonidenPtystandardforfederalemployeesandcontractors.
• Asaresult,thefederalgovernment(andapprovedcommercialcontractorsacPngonthegovernment'sbehalf)havealreadycollecPvelyissuedmillionsof"CommonAccessCards"("CACs")and"PersonalIdenPtyVerificaPon‐Interoperable"("PIV‐I")smartcards.
• "Firstresponders"alone(asdefinedinHSPD‐8)mayulPmatelyrequireissuanceofover25.3millionsuchcards.(seehEp://www.dhs.gov/xlibrary/assets/Partnership_Program_Benefits_Tax_Payers_Public_and_Private_Sector.pdf)
• PartofthatprocessisidenPtyproofingthoseusers–including,inthscase,evendoingbackgroundinvesPgaPons.
32
Page 33
33Source:hEp://www.idmanagement.gov/presentaPons/HSPD12_Current_Status.pdf
Page 34
AnAside:CAC/PIVIsA"ProofByExample"ThatCertsAreUsableBy"MereMortal"End‐Users
• IfitwastoohardtoissueoruseaCAC/PIVcard,millionsoffederalemployeesandcontractorswouldbehavingtroubledoingso.Butthey'renot.Forthemostpart,PKIonhardtokensorsmartcardsnow"justworks."ThisisarealtesPmonytothehardworkofthefederalemployeesandcontractorswhohavebeeninvolvedwiththatproject.
• Thisisnottosaythattherearen't*some*intricaciesthatmayneedtobeexplained.Onesitethat'sdoneaterrificjobofusereducaPonistheNavalPostgraduateSchool.Checkouttheiroutstandingtri‐foldbrochureexplaininghowtouseamilitaryCACcard:www.nps.edu/Technology/Security/CAC‐guide.pdf
Withthehelpofthatguide,IthinkmostfolkswouldbeabletofigureouthowtodobasicCAC/PIVtasks.
34
Page 35
WhyAreTheFedsUsingClientCerts?IfYouNeedNIST"LOA‐4",They'reBasicallyYourOnlyPrac)calOp)on
• NIST800‐63Version1.0.2(seecsrc.nist.gov/publicaPons/nistpubs/800‐63/SP800‐63V1_0_2.pdf)says:
"Level4–Level4isintendedtoprovidethehighestpracPcalremotenetworkauthenPcaPonassurance.Level4authenPcaPonisbasedonproofofpossessionofakeythroughacryptographicprotocol.Level4issimilartoLevel3exceptthatonly“hard”cryptographictokensareallowed,FIPS140‐2cryptographicmodulevalidaPonrequirementsarestrengthened,andsubsequentcriPcaldatatransfersmustbeauthenPcatedviaakeyboundtotheauthenPcaPonprocess.ThetokenshallbeahardwarecryptographicmodulevalidatedatFIPS140‐2Level2orhigheroverallwithatleastFIPS140‐2Level3physicalsecurity.Byrequiringaphysicaltoken,whichcannotreadilybecopiedandsinceFIPS140‐2requiresoperatorauthenPcaPonatLevel2andhigher,thislevelensuresgood,twofactorremoteauthenPcaPon."
35
Page 36
AnAside....DoesHigherEd*HAVE*AnyUseCasesThatActuallyRequireLOA‐4?
• WearingmyInCommonCerPficateProgramManagerhatforaminute,currentlyInCommonhasonlyoneclientcerPficateoffering,standardassuranceclientcerts.ShouldwealsohaveaclientcerPficateofferingsPedtotheInCommonAssuranceProgram(e.g.,Bronze,Silver,etc.)?
• DowehaveanyusagecasethatwouldrequireLOA‐4,orwouldLOA‐3be"goodenough"forallpotenPalhigheredusagescenarios?(LOA‐3requirestwofactor,butnotnecessarilyclientcerts).I'mstronglyinterestedinunderstandingwhatmightdriveLOA‐4adopPon...
• IfwedidofferanLOA‐3orLOA‐4compliantcertprofile,itwouldimplystrongeridenPtyproofing.WouldhighereducaPonusersbewillingtoputupwithrigorousidenPtyproofinghassles?(bywayofcomparison,wehaven'tseenatremendousnumberofextendedvalidaPonservercerPficatesrequested,eventhoughthey'reavailableatnoaddiPonalcostaspartoftheInCommonCerPficateProgram)
36
Page 37
AnAside:"Iden)tyProofing"forRegularCi)zens• Ifyoutravelextensively,you'veprobablyrunintolonglinesatcustoms,
eitherwhilecomingintotheU.S.,orperhapswhiletravellingintoCanadaorMexico.Ifso,youmayhavenoPcedthatsomefolks("TrustedTravellers")canusethe"GlobalOnlineEntrySystem"("GOES")and/orNEXUS/SENTRItoavoidthoselines.Agrowingnumberofairportsalsooffer"TSAPreCheck"linesforparPcipantsinthatprogram.(seehEp://www.globalentry.gov/)."TrustedTravellers"areissuedamachinereadablehigh‐assurancecredenPal($50for5years)forthatpurpose.
• Obviously,however,itwouldbebadtoissueacredenPalofthissorttoapersonyouhadn'tthoroughlyidenPtyproofed.Therefore,ifyouapplytobeaTrustedTraveller,youridenPtyisvalidatedinmulPplewaysincludingareviewofgovernmentrecords(youdon'twanttoissueacardtoacriminal,forexample!);reviewofexisPngdocuments(suchasyourpassport);collecPonofbiometrics,e.g.,aphotograph,fingerprints,andinsomecasesapictureofiris/rePna.Youalsoneedtophysicallyappearinpersonforaninterview.Travellerswearyofbeingstalledattheborderwillputupwiththosehassles,butwouldregularhigheredusersdoso?
37
Page 38
SomeFederalHighSecurityApplica)onsThatNowUseClientCertsMayBeSurprising
38
Page 39
ClientCertsCanEvenBeSecureEnoughforUseinConjunc)onwithNa)onalSecuritySystems
• Seethe"NaPonalPolicyforPublicKeyInfrastructureinNaPonalSecuritySystems,"March2009(hEp://www.cnss.gov/Assets/pdf/CNSSP‐25.pdf)makesitclearthatclientcertsevenformthefoundaPonforNSSuses:
"(U)NSSoperaPngattheunclassifiedlevelshallobtainPKIsupportfromtheestablishedFederalPKIArchitecture."(U)NSSoperaPngattheSecretlevelshallobtainPKIsupportfromtheNSS‐PKI."(U)TheNSS‐PKIhierarchyshallrestonaRootCerPficateAuthority(CA)operatedonbehalfofthenaPonalsecuritycommunityinaccordancewithpoliciesestablishedbytheCNSSPKIMemberGoverningBody.TheNSS‐PKIRootCAshallserveastheanchoroftrustfortheNSS‐PKI."
• TS/SCI("JWICS")counterpartoftheNSS‐PKI?IC‐PKI.39
Page 40
Cer)ficatesAreNowAlsoBeingUsedtoSecureNa)onalCri)calInfrastructure
• Forexample,considerthenaPonalelectricalgrid.TheNorthAmericanEnergyStandardsBoard's("NAESB")2012AnnualPlanfortheWholesaleElectricQuadrantspecificallydiscussestheirplansfordeployingPKIonpages4andfollowing.(SeehEp://www.naesb.org/pdf4/weq_2012_annual_plan.docxandhEp://www.naesb.org/weq/weq_pki.asp)
• Thisisbeginingtobedeployed/madereal,too,rightnow:
‐‐"ShifSystemsIdenPfiedastheFirstNAESBAuthorizedCerPficaPonAuthority,"Feb16,2012,hEp://www.prnewswire.com/news‐releases/shif‐systems‐idenPfied‐as‐the‐first‐naesb‐authorized‐cerPficaPon‐authority‐139493283.html
‐‐"OATIwebCARESAuthorizedbyNAESBforwebRegistry,"Apr11,2012,hEp://www.prweb.com/releases/2012/4/prweb9390545.htm
‐‐"GlobalSignAnnouncesAccreditaPnasAuthorizedCerPficateAuthorityfortheNorthAmericanEnergyStandardsBoard,"Apr23,2012,hEp://www.prweb.com/releases/2012/4/prweb9431614.htm
40
Page 41
And,OfCourse,SomeLargeCorpora)onsandAgenciesHaveUsedClientCer)ficatesforYears
• AniceindicaPonofinterestin/useofclientcerPficatescanbeseeninthingslikeparPcipaPoninthe"SmartCardAlliance,"see
hEp://www.smartcardalliance.org/pages/alliance‐membersincluding:AmericanExpress,BankofAmerica,BoozAllenHamilton,CapitalOne,Chase,CSC,DeloiEe&Touche,HewleE‐Packard,IngersollRand,LockheedMarPn,MasterCard,SAIC,Visa,WellsFargo,andmanyothers.
• TounderstandhowsmartcardsrelatetoclientcerPficates,notethatsmartcardsareawaytosecurelystoreclientcerPficatesonwhatlookslikeacreditcard(ifyoulookclosely,you'llseethatasmartcarddiffersfromatradiPonalcreditcardinthatithasasmallsetofflushgold‐coloredcontactsonthefront).
• ManylargecompaniesusesmartcardsasthefoundaPonfortheircorporateemployeeIDcards.
41
Page 42
IV."NonAdop)on"ofClientCerts
42
Page 43
SoWhyHaven'tClientCerts"TakenOff"MoreBroadly?
• Andwhatcanwedotofixthis,assumingwewantto?
• Itisn'tsimplythatclientcertsarenew...hEp://en.wikipedia.org/wiki/Public_key_infrastructure#HistoryPestheoriginofPKIto1969,withpublicdisclosureofsomeofthekeyalgorithmsdaPngto1976–that'sthirtyfiveyearsago.TheRSAPKCS("PublicKeyCryptographyStandards")documentsdateto1993–that'seighteenyearsago.ByInternetstandards,allofthisworkis"ancient"(or"wellestablished,"ifyouprefer).
• Soitisn'tsimplythatPKI'sthe"newkidontheblock."
• Thereare(ormaybe)manyotherpossiblereasonswhyclientcerPficateshavestruggledsofar....
43
Page 44
Economics?AreClientCertsTooExpensive?
• "ThereareseveralreasonsPKIhasfailed,saysPeterTippeE,headoftheindustrysoluPonsandsecuritypracPceatVerizonBusiness.
"ThemainreasonorganisaPondonotusePKI,hetold aEendeesofRSAConference2011,isthatitcoststoomuch. "SpeakingonadebateontheimportanceofidenPtyto internetsecurity,hesaidveryfeworganisaPonsareableto makeabusinesscaseforspending$200to$300peruser,per year."
"WhyPublicKeyInfrastructureHasFailed",hEp://www.computerweekly.com/blogs/read‐all‐about‐it/2011/02/why‐public‐key‐infrastructure.html[emphasisadded]
HowmuchwouldYOURschoolpayperuser,peryear? 44
Page 45
MyTargetCostforClientCerts:$1/user/month
• Lackingharddata,I'mgoingtosuggestanominalamountthatmightbeacceptable:$1/user/month(inclusiveofallcosts),overanormalfouryearundergraduateenrollment,or$48.00peruseroveraquadrennialperiod.
• Forcontext:(a)www.nacs.orgstatesthattheaveragepriceforanewtextbookin2009‐2010was$62.00(b)onemajoronlinevendorquotesquotes3yearRSASecurID700onePmepasswordTokens(ina5pack)@$55.60/token
• InCommonsellshardtokensfor$19.80/unittoInternet2members(seehEp://www.incommon.org/safenet/pricing.html)whichwouldleave~$6/user/yeartocoverothercosts,assumingclientcertsaregemngdeployedonUSBformathardtokens.
45
Page 46
InSomeCases,TheClientCertsThemselvesAre"Free"
• Ifyou'vesigneduptoparPcipateintheInCommonCerPficateprogram,yougetthebundledabilitytoissueclientcertsatnoaddiPonalcost,andevenifyourschooldoesn'tparPcipateintheInCommonCerPficateprogram,individualscansPllgetfreeclientcerPficatesforpersonal/homeuse,see:
www.comodo.com/home/email‐security/free‐email‐cerPficate.php
• Thatsaid,obviouslythecostofthecertsthemselvesarenottheonlycostsassociatedwithrollingoutclientcerts(forexample,ontheprecedingpage,wetalkedabouthardtokencosts).
• Sowhatothernon‐technicalexplanaPons,otherthancost,dopeopleofferforclientcerPficatenon‐deployment?
46
Page 47
IsUsabilityActuallyTheProblem?
• "Despitemanyyearsofeffort,PKItechnologyhasfailedtotakeoffexceptinafewnicheareas.Reasonsforthisabound[…]Probablytheprimaryfactorattheuserlevel[…]isthehighlevelofdifficultyinvolvedindeployingandusingaPKI.Thereisconsiderableevidencefrommailinglists,Usenetnewsgroupsandwebforums,anddirectlyfromtheusersthemselves,thatacquiringacerPficateisthesinglebiggesthurdlefacedbyusers.Forexamplevarioususercommentsindicatethatittakesaskilledtechnicaluserbetween30minutesand4hoursworktoobtainacerPficatefromapublicCAthatperformsliEletonoverificaPon[...][A]setofhighlytechnicalusers,mostwithPhDsincomputerscience,tookovertwohourstosetupacerPficatefortheirownuseandrateditasthemostdifficultcomputertaskthatthey’deverbeenaskedtoperform."
PeterGutmann,UniversityofAuckland,Usenix'03,hEp://dl.acm.org/citaPon.cfm?id=1251353.1251357
47
Page 48
ThingsHaveComeALongWay,Usability‐Wise
• Forexample,thesedays,theprocessforobtainingaclientcerPficatecanbeassimpleas:‐‐Completeashortonlinesecurewebform‐‐ClickonalinksenttoyoubyemailtodownloadyourclientcerPficateintoyourbrowser.Don'tbelieveit?We'llhaveeveryonetrygemngtheirownclientcertlaterinthissession.(Wemightalsotalkaboutwhetherthishasswungtoofarinthe"tooeasy"direcPon,Isuppose)
• TheremaysPllbesomeuglybitstodoafergemngyourcert(dependingonhowyouwanttouseit),butatleastsomeedusiteshavedevelopedlocalscriptsthatmaketheinstallaPonprocesspreEypainlessfortheirusers.
• Internet2/InCommonis/soonwillbeworkingonofferingagenerallyavailablecerPficateinstallaPontool,basedon/modeledaferthosesite‐specificinstallaPontools.
48
Page 49
OrIsTheProblemThatOtherSolu)onsHaveUsurpedPKI'sMarketNiche(s)?
• Ifyou'vegotPGP(orGNUPrivacyGuard)tosignorencryptemail,doyoualsoneedPKIclientcertsandS/MIMEforsigned/encryptedemail?
• IfyoursiteisusingonePmepassword(OTP)cryptofobs(oryouusesshwithpresharedkeys),doyousPllneedclientcertsforauthtosensiPvesystems?(Andwhatabouta2ndchannelsoluPonleveragingsmartphones,suchasInCommon'snewofferingwithDuoSecurity,seehEp://www.incommon.org/duo/index.html)
• HasthesuccessofInCommon(andotherfederatedauthenPcaPonefforts)eliminatedtheneedforPKI‐basedcross‐enPtycredenPals?FederaPonseemstobethedirecPonthattheNaPonalStrategyforTrustedIdenPPesinCyberspace(NSTIC)isgoing,anditmaybeworthnoPngthatsomehavealwaysworriedabouttheprivacyimplicaPonsofPKI‐style"naPonalIDcards"online...
49
Page 50
"IsNSTICaplantointroduceana)onalIDcardoraninternetdriver'slicense?DoIhavetogetone?"
"No.ThegovernmentwillnotrequirethatyougetatrustedID.Ifyouwanttogetone,youwillbeabletochooseamongmulPpleidenPtyproviders—bothprivateandpublic—andamongmulPpledigitalcredenPals.SuchamarketplacewillensurethatnosinglecredenPalorcentralizeddatabasecanemerge.EvenifyoudochoosetogetacredenPalfromanIDprovider,youwouldsPllbeabletosurftheWeb,writeablog,visitchatrooms,ordootherthingsonlineanonymouslyorunderapseudonym".[FAQitemresponseconPnueshere]
*hEp://www.nist.gov/nsPc/faqs.html
.
50
Page 51
AHumorousComment(WithAnUnderlyingGrainofTruth?):ThePKIDeLorean*Hypothesis
• "[M]aybethepossiblefutureinwhicheverythingisPKI‐enabledanddigitalcerPficatesareubiquitousissohorrendousthatitactuallysentripplesofbadluckbackthroughPmethatsabotagedthedevelopmentanddeploymentofPKItechnology.Somethingsactuallyseemtomakealotofsensefromthispointofview."
"WhyPKIFailed,"LutherMarPn,29October2009,hEp://superconductor.voltage.com/2009/10/why‐pki‐failed.html[ablogaboutsecurity,cryptographyandusability]
*C.F.hEp://en.wikipedia.org/wiki/Back_to_the_Future
51
Page 52
"FixingPKI"–ACobageIndustryofItsOwn
• PKIhasbeensuccessfulinone(quiteperverseway):ithassucceededininspiringhundredsofpapersandtalksaEempPngtoexplainpreciselywhyPKIhasfailedsofar.
• Oneauthorevenwentsofarastosay,
'[I]tseemsariteofpassagefortheserioussecurity researchertowriteapaperwithaPtlesuchas "ImprovingPKI..."Neverinthefieldofsecurity researchhassomuchbeenwriEenbysomany,to bereadbysofew.' hEp://iang.org/ssl/pki_considered_harmful.html
52
Page 53
OrAreSomeFundamentalTechnicalBitsSoBrokenThatTheyMakeSanePeopleRunAwayFromPKI?
• Forexample,whataboutrevokingorcancellingclientcerPficates?
• HypothePcallyimaginethatyou'reamanagerandyou'refiringanemployee.Aspartofdoingthat,youcollecttheirdoorkeyandcompanycreditcard(oryouhavethelockschangedandthecreditcardcancelledifthey'vebeen"lost").
• ButwhataboutrevokingaclientcerPficatetheymighthavebeenissued?(Fornow,let'sassumethatitwasn'tissuedinnon‐exportableformonasmartcardorPKIhardtoken)
• Howwouldyoucancelorrevokeit?53
Page 54
RevokingAClientCert
• Unfortunately,unlike"takingback"aphysicaldoorkeyorcumngupacreditcard,it'sharderto"takeback"anelectroniccredenPal.
• CRLs("cerPficaterevocaPonlists",seeRFC3280andRFC5280)weremeanttohandlethisproblem,muchlikethoseprintedbooksofstolenorrevokedcreditcardnumbersthatstoresusedtogetfromthebankcardcompaniesbankintheolddays.MostCAscurrentlypublishaCRLonceaday.SomeusersmaycheckordownloadthosedailyCRLs,butmostdon't.Andifyou'reaCA,oryou'reauserwithacompromisedcert,youreallydon'twanttohavetowaitupto24hourstosort‐of‐revokeacompromisedcredenPal,nordoyoureallywantmillionsofusertohavetopotenPallydownloadahugefilelisPngpilesofrevokedcerts!
• OCSP("onlinecerPficatestatusprotocol",RFC2560)wasmeanttohandlethisissuemuchmoredirectly,andinteracPvely,butmanybrowsersandemailclientsdon'tcheckacert'sOCSPstatus.Ugh.
54
Page 55
LocallyImpor)ngaCRL
• AnexampleofaCRLis:hEp://crl.usertrust.com/AddTrustExternalCARoot.crl
• IfyouvisitthatURL,itwillbeimportedintoyourbrowser.• YoucanalsoscheduletheCRLtobeautomaPcallyupdated,if
you'dliketodoso...
• But,andthisiscriPcalifyoubelievescalabilityisimportant:youshouldn'tneedtodownloadanevergrowinglistofkilledcerts.
55
Page 56
CRLs:The"hosts"FileofPKI
• NotethateachCAwillofferoneormoreCRLs,andtherearehundredsofCAsoutthere!NormallyyouwouldNOTwanttorouPnelyimportallthoseCRLsallthePmeoneachsystem!Thissimplydoesn'tscaletoInternet‐sizeaudiences.
• Inmanyways,thisremindsmestronglyof"hosts"filesintheoldpre‐DNSdays–youknow,peoplewouldcopyaroundstaPcfileswithmappingsofhostnamestoIPaddresses.
• Doyoureallythinkwe'dhavethesizeInternetwehavetoday,ifthatsortofthingsPllhadtohappen?Clearly,no.
56
Page 57
SoWhatAboutOCSP?
• YoucanchecktoseehowOCSPisconfiguredinFirefoxbygoingtoabout:configandthenfilteringforocsp.Forexample(enlargedforeaseofviewing):
• NotethatOCSPischeckedbutisNOTREQUIREDbydefaultinFirefox.Youcanchangeittoberequiredifyouwantto,butindoingso,you'llbreakaccesstosomeSSL/TLS‐securedsites.
57
Page 58
Chicken/EggInterac)onsandInsis)ngonOCSP
• Assumeyou'reconnecPngviaacapPveportal,andthecapPveportalblocksallexternalaccessbydefaultunPlyou'veloggedintoanSSL/TLS‐securedpages.
• NowassumethatyouareusingabrowserthatstrictlyrequiresOCSPvalidaPon...butOCSPvalidaPonrequirestheabilitytoconnecttotheOCSPresponder,andthatrequirestheabilitytoresolvetheDNSname,andtoconnecttothathost...butthatrequiresnetworkaccess...Nicecirculardeadlock,eh?
• MypointindwellingonCRLsandOCSPsearlyintoday'ssessionistogiveyouaheadsupthattherearesomearchitecturalandsecuritycomplexiPesthatdoexist,andthatmaybenecessaryto"resolve"ifyouwantcertstoworkinsomeenvironments...butthosedon'tneedtobe"showstoppers"inmyopinion.
• ClearlycertrevocaPonis(orcanpotenPallybe)tricky.Thisiswhy,whenitreallymaEers,browservendorsissuepatchestokillcerts
58
Page 59
AListofSomeFirefoxSecurityAdvisories
59
Page 60
ExampleofOneofThoseSpecificAdvisories
60
Page 61
I'veRambledEnough...
• Wecouldtalkforhourswhenitcomestoprovidingcryptobackground,butlet'sseehowthisallactuallyworks...let'sgetaclientcertandgetsetuptosendandreceivesecureemail.
• Thenextpartoftoday'ssessionthuslookslike:
‐‐applyingforaclientcert‐‐successfullydownloading/installingitinFirefox‐‐backingitup‐‐installingthecertinThunderbird‐‐configuringThunderbirdtodoS/MIME
61
Page 62
V.GelngAFreeS/MIMEClientCer)ficate
62
Page 63
GelngaFreeClientCertforS/MIMEWithFirefox
• TodoS/MIME,you’llneedanemailaccountandaclientcert.We’llassumeyoualreadyhaveanemailaccountyoucanuse,andwe’llgetourfree‐for‐personal‐useclientcerPficatefromComodo.Thankyou,Comodo!Togetit,goto:hEp://Pnyurl.com/free‐cert(hEp://www.comodo.com/home/email‐security/free‐email‐cerPficate.php)
• We’regoingtouseFirefoxtoapplyforanddownloadourcertfromComodo.WhileyoucanusepreEymuchanypopularbrowserwithclientcerts,forthepurposeofthistraining,ifyou'refollowingalong,aswegothroughthis,pleaseONLYuseFirefox.Ifyoudon’talreadyhaveFirefox,youcangetitforfreefrom:hEp://www.mozilla.org/en‐US/firefox/fx/
• Macvs.PCorLinux:Althoughwe’llbeusingFirefoxonaMacintheseslides,FirefoxonMicrosofWindowsorLinuxwillbevirtuallyidenPcal.
63
Page 64
Comodo’sFreeSecureEmailCer)ficateWebSite
64
Page 65
TheApplica)onFormYou’llComplete
65
Page 66
SuccessfulApplica)on…
66
Atthispoint,folks,pleasecheckyouremailfromComodo.You’llneedtogototheweblinkthatthey’vesentyou…
Page 67
Collec)ngYourCer)ficate
67
Tocollectyourcer9ficate,usingtheSAMEBROWSERontheSAMESYSTEMyouusedtoapplyforyourcer9ficate,gototheURLyouweresentinemailandpluginyouremailaddressandtheuniquepasswordthattheyprovided
Page 68
SuccessfulCer)ficateDownload…
68
Page 69
"WhereElseCanIGetClientCerts?"
• Whilewe'reonlygoingtoshowuseofthefreeoneyearComodoclientcertforpersonaluseinthistraining,youcanalsogetapaidclientcertfromComodo's"EnterpriseSSL"division,andfreeorpaidclientcertsfromothervendors.See,forexample:
‐‐hEp://www.enterprisessl.com/ssl‐cerPficate‐products/addsupport/secure‐email‐cerPficates.html
‐‐hEp://www.globalsign.com/authenPcaPon‐secure‐email/digital‐id/compare‐digital‐id.html
‐‐hEp://www.symantec.com/verisign/digital‐id/buy
‐‐hEp://www.trustcenter.de/en/products/tc_personal_id.htm
69
Page 70
InCommon'sClientCer)ficateProgram
• BecausethisisahighereducaPonaudience,I'llalsonotethatifyousignupforInCommon'sClientCerPficateService(seehEp://www.incommon.org/cert/),InCommonincludestheabilityforyoutoissueclientcerPficatesaswellastradiPonalSSL/TLSservercerPficatesatnoextracharge.
• AlsonotethatifyouparPcipateinInCommon'sCerPficateProgram,youcanissuecertsbothviaawebinterface(the"ComodoCerPficateManager")andviaaprogrammableAPIwithsynchronousclientcertissuancewithinfiveseconds.
• SeehEps://www.incommon.org/cert/repository/fortheInCommonCerPficateManager(CM)Guide,theEndUserGuideforClientCerPficates,andtheCerPficateManager(CM)SMIMEEnrollAPIGuideformoreinformaPon.
70
Page 71
VI.ExaminingandBackingUpYourNewClientCer)ficate
71
Page 72
"Okay,I'veGotMyClientCert.WhatDoIDoNow?"
• WhenComodogaveyouyourclientcert,rememberthattheyrecommendedthatyoubackitup.
• Weagreethat'sagoodidea.
• Youalsoneedto"backupyourcerPficate"inordertobeabletogetitintoThunderbirdforuseinemail.
• Therefore,launchFirefoxifyouaren'talreadyrunningit.
72
Page 73
InFirefox,GotoFirefox‐‐>Preferences…
73
Page 74
TheFirefoxCer)ficateManager
74
Notes:Selectthe“YourCerPficates”tabontheCerPficateManagerpanel.Ifnecessary,hitthetriangulararrowtoexpandthelistofComodocerPficates.You’llprobablyonlyseeonecerPficate,theoneyoujustgotfromComodo.ButjustasamaEerofform,let’sconfirmthatitreallyisyours…
Page 75
TheGeneralTabTellsUsWhenTheCertExpires
75
Page 76
TheDetails"ViewCert"TabWillLetUsSeeTheEmailAddressAssociatedWithOurNewCert
76[Closethe“ViewCer)ficate”boxwhenyou’redonelookingatit]
Page 77
Okay,We'vePickedThe"RightOne,"SoLet'sBackItUp…
77
Page 78
The"NameYourBackup"DialogBox
78
PickanameforyourcerPficatebackupfile.Itshouldendwitha.p12fileextension.Forexample,youmightcallthisfilemycertbackup.p12BesureyousaveitasaPKCS12typefile.
Page 79
TheFirefoxCertManagerBackup‐PasswordDialogBox
79
Pickastrongpasswordtosecureyourcertbackupfile.
PLEASEDONOTFORGETTHATPASSWORD!YOUWILLNEEDIT!
Page 80
BackupSuccessful…
80
NotethatyoushouldsaveacopyofyourbackuptoaCD,athumbdrive,orsomeexternaldevicejustincaseyouloseyoursystem,yourdrivecrashes,etc.
Page 81
VII.Impor)ngYourCer)ficateIntoThunderbird
81
Page 82
We'reNowGoingToImportOurNewCer)ficateIntoThunderbird
• Whiletherearemanydifferentpopularemailclients,we’regoingtoshowyouhowtoimportyourclientcertintoThunderbird.(Laterwe’llalsoexplainhowtouseOutlook,andhowtouseclientcertsinGmailwebemailwithPenango,butfornow,we’regoingtofocusonThunderbird)
• Ifyoudon’talreadyhaveThunderbird,andyou’dliketogetandinstallitnow,youcangetitforfreefrom:hEp://www.mozilla.org/en‐US/thunderbird/
• NotethatThunderbirdhasanautomatedinstallaPonwizardthatshouldbeabletocorrectlyconfigureitselfinmostcases.Acau)ontoanynon‐technicalpersonlookingattheseslideslater:inselngupyouraccount,chooseIMAP(and*NOT*POP)foryouraccounttype!IfyouselectPOP,youmaydownload(andthendelete)allthemailthatyou'vehadstoredonyouraccount!
82
Page 83
"WhyCan'tThunderbirdJustUseTheCertThatI’veAlreadyGotInstalledinFirefox?
They'reBothMozillaApplica)ons,Aren'tThey?"
• Yes,bothFirefoxandThunderbirdAREfromMozilla.
• WhilesomeapplicaPonsrelyoncerPficatesstoredcentrallyinasingleoperaPng‐system‐providedcerPficatestore(e.g.,inthe“keychain”ontheMac),FirefoxandThunderbirddoNOTdothis.
• FirefoxandThunderbirduseseparateper‐applicaPoncerPficatestores,instead.ThisgivesuserstheflexibilitytotailorwhatcertsgetpotenPallyshowntoeachsuchapplicaPon,butthedownsideisaslightlymorecomplicatediniPalsetup(youneedtoinstallyournewcerPficateinmulPplelocaPons)
• Forwhatitmaybeworth,atleastThunderbird’spreferencesshouldlookveryfamiliartoyouaferlookingatFirefox’s
83
Page 84
InThunderbird,GotoThunderbird‐‐>Preferences…
84
Page 85
InTheCer)ficateManager,"YourCer)ficates"Tab,ClickonImport
85
Page 86
SelectThe.p12BackupFileYouWantToImport
86
Page 87
SupplythePasswordYouUsedforTheCertBackup
87
Page 88
SuccessfulImporta)onofTheCertIntoThunderbird
88
Page 89
VIII.InThunderbird,AssociateYourCer)ficateWithYourEmailAccountAnd
ConfigureThunderbirdToDoDigitalSigning
89
Page 90
Thunderbird:Tools‐‐>AccountSelngs
90
Page 92
SelectTheCertYouWantToUseForDigitalSigning
92
Page 93
ConfirmThatYouWantToAlsoUseThatSameCertforEncryp)ng/Decryp)ngMessages
93
Page 94
MakeSureYou’reSetToDigitallySignYourMessagesByDefault
94
Page 95
ThunderbirdConfigura)onIsNowComplete…
• Thehardpartisover!YouarenowsettoautomaPcallydigitallysignyourThunderbirdemailmessagesbydefault.
• Andthegoodpartisthatnowthatyou’vegotyourselfsuccessfullyconfigured,youwon’thavetoscrewaroundwithanyofthisforroughlyayear(e.g.,unPljustbeforeyourfreeComodopersonalcerPficateisclosetoexpiring)
• Huzzah!
95
Page 96
IX.DigitallySigningAMessageInThunderbird
96
Page 97
StartWri)ngAMessageTheWayYouNormallyWould
97NOTETHE“DIGITALLYSIGNED”SEALATTHEBOTTOMRIGHTCORNER!
Page 98
Op)onal:ConfirmThatTheMessageWillBeSigned
98
ClickOnThePadlockIconOnTheBarOrTheLiQleRedSealInTheBoQomRightCornerIfYouEverWantToDoubleCheck!
Page 99
ProceedtoSendYourMessage
• …justlikeyounormallywould.ItwillautomaPcallybedigitallysignedwithyourcerPficate.
• Yourrecipientswillseeyournormalmessage,plusanaddiPonal“p7s”aEachmentthatwillhaveyourpublickey/cerPficate.(no,that'snotmalware:‐))
• Ifyourcorrespondent’semailclientsupportsS/MIME,itwillautomaPcallycheckandvalidateyourdigitalsignature.
• Ifyourcorrespondent’semailclientdoesn’tsupportS/MIME,theycanjustsafelyignoretheextrap7saEachment.
99
Page 100
X.Encryp)ngAMessageInThunderbird
100
Page 101
Signingvs.Encryp)ng
• Digitallysignedmessagesestablishwhopreparedthebodyofthemessage,butanyonecansPllreadthatmessage:it’scryptographicallysigned,it’snotencrypted.
• IfthebodyofyourmessageissensiPve,youmayalsowanttoconsiderencrypPngitsothatonlytheintendedrecipient(orsomeonewithaccesstohisprivatekey)canreadit.
• Oh,anditgoeswithoutsayingthatamessagecanbebothsignedANDencrypted,ifthat'sappropriate.
101
Page 102
GelngThePublicKeyofYourCorrespondent
• Toencryptamessageyou’llneedyourcorrespondent’spublickey.
• Buthowwillyougethispublickey?Answer:you’llhavetherecipientsendyouadigitallysignedmessage,first.
• YouremailclientwillautomaPcallyextractthepublickeyandcertitneedsfromthatdigitallysignedmessageyoureceivedfromhim.
• Ifdigitalcertsaredeployedthroughoutyourenterprise,youmayalsobeabletogetpublickeysandclientcertsforyourcorrespondentsfromyourenterprisedirectory,butthatmodelfallsapartwhenyouaEempttoextenditInternet‐wide.
102
Page 103
AMetaQues)on:ShouldIEncryptTheMailISend?
• Maybeyes,maybeno.
• Firstofall,notethatyouusuallywon’tbeabletoencryptunlessyourcolleagueisALSOsetuptodoS/MIME,andyourcorrespondenthasalreadysentyouatleastonesignedmessage(sothatyou’llhavehispublickeyandcert)
• Ifthecontentofyouremailisn’tsensiPve,youprobablydon’tneedtoencryptit.Itmaybe“cool”toencryptallthemessagesyoucan,butifyoudon’tneedto,youmightwanttoskipit.Why?– Well,ifyoureceiveencryptedcontent,youwon’tbeabletosubsequently
easilysearchthosemessages.
– And,ifyouhappentoloseyourprivatekey,youwillbeS‐O‐Lunlessyouhaveyourkeybackedup(andyoucanrememberitspassword!),oryourkeyhasbeenescrowed.Ifyourkeyisn'tbackeduporescrowed,canyoureallyaffordtopotenPallyloseallthecontentencryptedwiththatkey?
– You'lldrivecommandlineemailclientusersnuts.103
Page 104
AndSomeArgumentsInFavorofRou)neEncryp)on
• What'snotsensiPvetome,mightbesensiPvetosomeoneelse.Likewise,itmightnotbesensiPveNOW,butitmightbesensiPveLATER.
• IfyouonlyencryptsensiPvemessages,thatsuremakesthemstandsout,doesn'tit?Wouldn'titbeniceifthosemessageswerejustpartofalargervolumeofrouPnelyencryptedmessages?
• It'srelaPvelyeasytoforgettoenableencrypPon,andtoaccidentallysendoutasensiPvemessageincleartext.IfyourouPnelyencrypt,thatwon'thappen.
• Ifyouwantpeopletosecuretheiremail,youneedtosettheexampleandnudgethemalong.Iftheygetsetuptodoencryptedemail,butthennevergetany,theymayfeellikethey'rewasPngtheirPme.
• Finally,it*is*sortofcool/funtodoso.:‐)104
Page 105
HedgingTheRiskofDataLoss:KeyEscrow• Let'spretendthatyouhaveafacultymemberwho'sdoing
absolutelycriPcal(andhighlysensiPve)workforyourschool,andyouwantthemtorouPnelyencryptasaresult.AtthesamePme,assumethatpersonisoverweight,hashighbloodpressure,drinksandsmokes,crossesthestreetwhiledistracted,driveswithoutaseatbeltandlivesinaganginfestedneighborhood.Frankly,youworrythatcriPcalfacultypersonwilldieorbekilled,ormaybejustquitandstartabusinessmakinghome‐madepremiumsoapsomeday.Ifthathappens,howwillyougetatalltheirencryptedworkmessagesandfiles?Willallthatworkproductbelost?
• EscrowingencrypPonkeysallowsyoutogetacopyofotherwiseunavailableencrypPonkeysinavarietyofcarefullypredefinedemergencysituaPons.Companiesnormallypayextraforthis"insurance."KeysrecoveredviaescrowmayhavetheassociatedcertrevokedatthesamePme.
105
Page 106
"ItISWorthIt.IDOWantToEncryptMyMessage‐‐HowDoIDoThatInThunderbird?"
106
Page 107
"WhenIGetASignedandEncryptedMessage,WhatWillItLookLike?"
107
Page 108
WhoSignedThatMessage?(Note:ItMayNotBeThePersonWhoSentTheMessage)
108
Page 109
AnExampleofUsingaNon‐MatchingCert
109
Page 110
Addi)onalImportantS/MIMECaveats
• S/MIMEencryptstheBODYofthemessage,ONLY.S/MIMEDOESNOTENCRYPTTHESUBJECTHEADER(oranyothermessageheader).Therefore,DONOTputanythingthatneedstobekeptconfidenPalintheSubjectofanencryptedmessage.Infact,youmaywanttogetinthehabitofneverpumngANYTHINGintothesubjectlineofencryptedmessages.
• EncryptedmessagebodiescannotbeautomaPcallyscannedonthenetworkforvirusesorothermalware.
• SomemailinglistprogramsmaytamperwithmessagesbydoingthingslikeaddingfootersorrewriPnglinksorstrippingaEachments(includingp7sdigitalsignatures).Ifthathappens,yoursignaturewon’tvalidate.Ifyousendmessagestomailingliststhatdothesesortofthings,youmaywanttomanuallydisabledigitalsigningformessagestothoselists.
110
Page 111
XI.WhatIfIWantToUseOutlookInsteadofThunderbird?
111
Page 112
OutlookOnAppleOSXUsestheAppleKeychain;ToDoS/MIMEwithOutlook,WeNeedToGetOurCertIntoIt
112
Can’tfindKeychainAccess?CheckApplicaPons‐‐>UPliPes
Page 113
Impor)ngOurKey/Cert
113
Page 114
SuccessImpor)ngOurKeyandCert
114
Nowwe’rereadytolaunchOutlook…
Page 115
Outlook’sOpeningScreen…
115
Page 116
Outlook‐‐>Preferences…
116
Page 118
AdvancedBubon…
118
Page 119
PickingACertontheAccountSecurityTab
119
Page 121
WhatTheSenderSeesWhenSendingASignedMessageinOutlook
121
Page 122
OutlookAsksForConfirma)onTheFirstTimeItUsesYourPrivateKey/Cer)ficate
122
[Note:ifyou'reparPcularlysecurityconscious,youmayjustwanttoclick"Allow"ratherthan"AlwaysAllow"]
Page 123
WhatTheRecipientSeesInOutlookWhenGelngAMessageThat’sSigned
123
Page 124
WhatIfWeWantToEncryptAMessage?
124
Page 125
XII."WhatIfIUseGmailWebEmailAndIWanttoDoS/MIME?"
125
Page 126
GmailDoesNOTNa)velySupportS/MIME
• YouCANdoS/MIMEwithaGmailaccountifyoureadyourGmailviaadedicatedmailclient(suchasThunderbirdorOutlook)
• However,ifyoureadyourGmailviaGmail’swebemailinterface,youwon’tbeabletonaPvelyS/MIMEsignorencryptyourmailtraffic.Why?Well,rememberthatGmail’sbusinessmodelisbasedaroundsellingcontextualads(e.g.,ifyousendanemailmessagetalkingaboutgoingonvacaPontoHonolulu,don’tbesurprisedifyousuddenlystarttoseeGmailadsforairfaretoOahuordiscounthotelroomsoverlookingAlaMoana).
• Fortunately,youcangetathirdpartybrowserplugin,Penango,thatwillhelp.PenangoisfreeforfreeGmailaccounts.ThankyouPenango!(clickonthe“Pricing”linktorequestadownloadlink)
• Warning:PenangoiscloselyintegratedwithFirefox,andonlysupportssomeversions.Checktheversionyou'reusing!
126
Page 128
OnceYouHavePenangoInstalled,OpenPenango’sPreferencesinFirefox
128
Page 129
PlugInYourGmailAddress
129[someaccountdetailselidedabove]
Page 130
Uncheck"Automa)callyencryptnewmessages"
130[someaccountdetailselidedabove]
Page 131
ComposingaSignedGmailMsgWithPenango
131
[someaccountdetailselidedabove]
Page 132
SomePenango‐RelatedSendingIdiosyncrasies
• WhenyousendasignedorencryptedmessageusingPenango,themessagegetssubmiEed“outside”ofGmail'swebinterface(e.g.,viaSMTPStosmtp.gmail.com).ItdoesNOTgetsentwithintheGmailwebinterface.ThisisnecessarybecausePenangoneedstosetthetop‐levelmessageContent‐TypeappropriatelyforS/MIME.
• Theysubmitviaport465(grr!)andnotSTARTTLSonport587;ifproxiesareinuse,Penangowillendeavortousethem,too.
• TheIPofthehandoffhostdoesappearintheGmailheaders.
• Thebodyofthemessagemaybebase64encodedevenifthemessageyou'resigningisplain‐text‐only.Penangoalsousesalong/uglynameforthe.p7saEachment
• Speakingof,somemessagetext/messageformamngmaymakeitappearasifyoumustusePenangotoprocessaPenango‐generatedS/MIMEmessage.That'sanincorrectimpression.
132
Page 133
XIII.HardTokens/SmartCards
133
Page 134
Alterna)vesToStoringYourKeysandCertsOnYourDesktoporLaptop
• InhighereducaPon,manyusersdon'thaveacleanone‐to‐onemappingofuserstosystems.
• Forexample,asecurityconscioususermighthavebothadesktopandalaptop,andmightwanttousetheircerPficatesonboththosesystems,butmightnotwanttoleavetheircredenPalsstoredonmulPplesystemsiftheydon'thaveto.
• Alesswell‐offusermightnothaveasystemoftheirown,workingfromsharedsystemsinacampuscomputerlab,instead.ObviouslyitwouldbebadforthatusertodownloadandinstalltheircredenPalsonasharedsysteminthatlabifthatsystemwillsoonbeusedbysomeoneelse,oriftheymaybeassignedtousesomeothersystemthenextPmetheyvisitthelab.
• WhatwereallyneedisawayforuserstosaveandcarrytheirS/MIMEcertswiththemwherevertheygo.
134
Page 135
HardTokens/SmartCardsAdvantages
• UserscanuseonesetofPKIcredenPalseverywhere.• UserscancarrytheircredenPalswiththemwherevertheygo(it's
justanotherblobonyourkeychain,oranother"creditcard"inyourwalletorpurse)
• Theuser'sprivate/publickeypaircanpotenPally*begeneratedon‐token(oron‐smartcard),withtheprivatekeyneverleavingthedevice
• Theusercaninsertandunlocktheirtokenorsmartcardonlywhentheyneedit,keepingthatcredenPaloffline(andshelteredfromonlineaEack)therestofthePme
• Clientcertissuancecanmimicotherwellestablishedcreden)alissuanceprocesses(suchasthoseforIDcardsordoorkeys);diboforclientcertuseprocesses.
* NotcurrentlypossibleforInCommonclientcerPficates. 135
Page 136
GeTngAnIns)tu)onalID(orDoorKey)
GemngauniversityIDcardora doorkeyusuallyinvolves:‐‐ObtainingproofofauthorizaPon,suchasaleEerofadmissionorasignedcontract(oracompletedkeyauthform)‐‐Takingyourpaperworkandadriverslicenseorpassport,andvisiPngthecampuscardoffice(oradistributedcredenPaldistribuPonsite,perhapslocatedinthestudenthousingofficeorpersonneldepartment)‐‐PaperworkandcurrentproofofidenPtygetreviewedandOK’d‐‐One'sphotogetstaken(fortheIDcard)oradepositgetscollectedforakey,anditgetsissuedwhile‐you‐wait.
Thisworks.Notpainless,butnothorrible,andit'srelaPvelysecure.NowvisualizetheIDcardasactuallyasmartcard(withaclientcertonit),orthe"key"actuallybeingaUSBformatPKIhardtoken...wouldthatprocessneedtobemateriallydifferentthanthecurrentprocessofissuingIDcardsordoorkeys?No...
136
Page 137
UsingAnIns)tu)onalID(orDoorKey)
EveryoneknowshowtousetheirIDcard(orkeys):
‐‐Carryitwithyou,soyouhaveitwithyouwhenyouneedit‐‐Whenneeded,allowyourcardtobescannedorinspected(orsPckyourkeyinthelockandturnittoopenthedoor);thisissimple,sotrainingisnotrequired.
‐‐IfyouloseyourIDoryourkey(s),youreportitsoyoucangetareplacement,andsoyouroldonecanbemarkedasinvalid(orsoanylocksassociatedwiththelostkeycanbepotenPallychanged)‐‐Ifyourkeydoesn'tgetyouintoaspaceyouneedtoaccess,you'llbegivenanotherone(repeatthe"gemngakey"process).‐‐YourIDcardorkeysgetcollectedifyouleaveorarekickedout.
UsingclientcertsneedstobeaseasyasusinganIDcardordoorkey,andcanbeifhardtokens/smartcardsareused.
137
Page 138
USB‐FormatPKIHardTokens
• USB‐formatPKIhardtokenslookalotlikearegularUSBthumbdrive,butaUSB‐formatPKIhardtokenisactuallyacompletelydifferentanimalthatjustcoincidentallylookslikeathumbdrive.
• Specifically,aUSB‐formatPKIhardtokenisactuallyahighlyspecializedsecurecryptographicprocessorwithintegratedsecurestorage.Correctlyconfigured,itallowsyoutosaveandUSEyourS/MIMEkeysandcerPficate,butwithoutpumngthosecredenPalsatriskofbeing"harvested"/stolen.Thesedays,withallthecredenPalharvesPngmalwarethat'soutthere,that'sapreEycoolthing.
• Infact,USB‐formatPKIhardtokenshavetheabilitytopotenPallygenerateprivate/publickeypairs*onthetokenitself*,sothattheprivatekeyNEVERleavesthetoken,althoughwewillnotbetakingadvantageofthatcapabilityduringtoday'ssession(andinfactthat'salsonotsupportedforInCommonClientCerPficates)
138
Page 139
SafeneteTokenPRO72K
• ThroughthegenerosityofChenArbelatSafenet,we'reabletoprovideeachSecurityProfessionalsclientcerttrainingparPcipantwithafreeUSBformatPKIhardtokentoday,theSafeneteTokenPRO72K,aswellasthedriversofwareanddocumentaPon.Thankyou,ChenandSafenet!
• Thistoken,formerlymarketedbyAladdin,isthemostpopularUSBformatPKIhardtokenusedinhighereducaPon,andisparPcularlyniceifyouworkinacrosspla�ormenvironmentsinceitissupportedunderMicrosofWindows,MacOSX,andLinux.
Imagecredit:hEp://commons.wikimedia.org/wiki/File:EToken_PRO_USB.jpg139
Page 140
"ThanksforOne,ButINeedABunchofThem!"
• USB‐formatPKIhardtokensareavailablefrommanymajorITchannels.Forexample,CDW‐GcurrentlyofferstheSafenete‐TokenProfor$38.89/each(qty1‐100),andtheSAC(requiredsofwaredrivers)costs$18.94.IfyouthrowononeoftheliEleprotecPveshells(liketheoneweprovidedforyoutoday),that'sanothercouplebucksfromCDW‐G,bringingthepricerightuptoaround$60.00/unit.Naturally,while~$60/unitisn'tabigdealforasmallnumberofusers,itaddsuppreEyquicklyifyouwanttoissuehardtokenstoawholecampus,parPcularlyiftherearecompePngtwofactorauthsoluPonsthatmaybe~$5/user.
• Fortunately,InCommonhasarrangedtobeabletoselldeeplydiscountedSafeNetPKIhardtokenstoInCommonhighereducaPonsubscribers.FormoreinformaPon,seehEp://www.incommon.org/safenet/index.html(note:aminimumorderoftwohundredunitsapplies)
140
Page 141
"ButIOnlyWantToOrderADozenTokens!"
• If you're only buying a small number of tokens for a test deployment, you can already get those on the open market. Internet2/InCommon doesn't need to get involved in order for that to be practical. Our goal is explicitly not to make small-scale test PKI deployments cheap(er).
• On the other hand, if the community is trying to deploy thousands, tens of thousands, hundreds of thousands, or even millions of client certificates, THAT's the sort of process we want to facilitate, and where central coordination may be critical.
• Put another way, Internet2/InCommon is, and should be, all about facilitating "deployment at scale."
• This is an important principle that Randy Frank deserves special acknowledgement for correctly emphasizing.
141
Page 142
SafenetDrivers,LocalTokenManagementSoKware,AndDocumenta)on
• MostsystemswillrequiretheinstallaPonoftokendriversand/orlocaltokenmanagementsofware(soyoucanloadyourexisPngcerPficateontothetoken).WithSafenet'spermissionwearemakingthatsofwareanddocumentaPonforthisproduct,availabletoyouforinstallaPonviaCD‐ROM.WeaskthatyourespectthiscopyrightedsoKware:pleasedoNOTredistributeit!
• Youshouldseethreefiles:‐‐SAC8_1SP1.zip(Windows) 206.9MBMD5sum=55876842e6e13e6c8ee6cdf9dd16986a‐‐610‐011815‐002_SAC_Linux_v8.1.zip 42.2MBMD5sum=d66c9ff919f3b35180dba137857eb88c‐‐610‐001816‐002_SAC8.1Mac.zip 18.2MBMD5sum=c2e9e9b0e2706ffab310538574cf009b
142
Page 143
InstallingtheSACOntheMac
• InserttheCD‐ROManddragthe610‐011816‐002_SAC8.1Mac.zipfiletoyourdesktop.UnzipitwiththeArchiveUPlity,Stuffit,orwhateverapplicaPonyounormallyusetounzipfiles.Youshouldendupwithafoldercalled"SAC8.1.0.5"withtwosubfolders:"DocumentaPon"and"MacInstaller."
• READTHEDOCUMENTATIONINTHEDOCUMENTATIONFOLDER!Inpar)cular,readtheAdministrator'sGuideandreadtheReadMefile,par)cularly"KnownIssues/Limita)ons"
• Really,Ikidyounot,readthedangdocumenta)on,please!
• ThengototheMacInstallerfolder,andruntheinstallerthat'sinthere:SafeNetAuthenPcaPonClient.8.1.0.5.dmg
• Whenyoumountthatdmgfile,youwillseeInstallSafeNetAuthenPcaPonClient8.1.mpkg
• Installit.You'llneedtorebootwhenitfinishes143
Page 144
FirefoxSecurityModule
• AsmenPonedinthedocument(whichyouAREgoingtoread,right?)whenyouinstalltheSafenetAuthenPcaPonClient,itdoesn'tautomaPcallyinstallthesecuritymoduleinFirefox.Youneedtodothatmanually.
• Firefox‐‐>Preferences...‐‐>AdvancedIntheEncrypPontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,Modulefilename,enter:/usr/local/lib/libeTPkcs11.dylibIntheConfirmwindow,clickOK
• RepeatthisprocessforThunderbird,too.
144
Page 145
"ButI'mUsingWindows,NotAMac!"
• WindowsusersshouldseeAppendixIattheendoftheseslides.
IthasinstrucPonsforsemngupyourSafeNethardtokenwithaWindows7box.
• We'dhavebundledtheminhere,inline,butwedidn'twanttointerruptthings/confusetheMacusers.
145
Page 146
NowLaunchtheSafeNetAuthen)ca)onTools
146
Page 147
GoToTheGearMenu("Advanced")
147
Page 148
Select"ViewTokenInforma)on,"ThenIni)alizeIt
148
Page 149
EnterYourNewPasswordsandThenGoToTheAdvancedScreen
149DO*NOT*FORGETTHESECRITICALPASSWORDS!
Page 150
BeSureToAskfor2048bitkeysupport
150
Page 151
NowActuallyIni)alizeTheHardToken...
151
Page 152
LoginToTheHardToken
152
Page 153
You'llNeedToEnterYourPasswordForIt
153
Page 154
GoToTheImportCertScreen
154
Page 155
ImportOurCer)ficate
155
Pickthep12backupfilewesavedearlier.
Notethatyou'llneedtoprovidethepasswordforthatbackupfileinordertoloaditontothetoken.
Page 156
BeSureToIncludetheCACertsOnTheToken,Too
156
Page 157
ViewOurCertOnTheHardToken
157
Page 158
AnAside:What'sThat"UnknownPurpose"Note?
158
Butcomingbacktoactuallyusingourhardtoken...
Page 159
TellingThunderbirdToUseTheHardToken(WeNeedToUnlockTheToken,First)
159
Page 160
We'reThenShownTheTokenandItsCert
160
Page 161
NowWeGoToThunderbirdAccounts‐‐>Security,AndSelectTheHardTokenToUse
161
Page 162
AndAtThatPointWe'reGoodToGoUsingTheHardTokenForOurCert...Huzzah!
162
Page 163
XI.DoingAllThis"AtScale"
163
Page 164
GetALibleExperience,First• It'ssomePmestempPngto"swingforthebleachers,"tryingtohita
grandslamthefirstPmeyou'reuptobat,wheninfacttheprudentthingmightbetomakesureyoujustgetonbase.Thisistrueforclientcerts,asforbaseball.
• I'dliketourgeyou,beforeyouembarkonabigprojectinvolvingclientcerts,orevenapilotscaleprojectthatmightinvolvesomeofyourmostsensiPvesystems,tofirstspendaliElePmejustexperimenPngwithclientcerts.
• Getafreeclientcertforyourself,andforyourteammembers.
• UsethemforrelaPvelylowimpactacPviPes,suchassigningyouremail,whileyougainfamiliaritywiththem.
• Trypurchasingandusinghardwaretokensorsmartcards.Whatworks?Whatdoesn'tworkonyourdevicesorinyourenvironment?Inanexperimentalenvironment,you'vegotthefreedomtopushtheenvelopewithoutworryingtoomuch.
164
Page 165
ClientCertDeploymentScale:Test,Departmental,Site‐Wide,edu‐Wide?
• Wecanimaginefourdifferent"scales"ofclientcertdeployment:‐‐Testdeployment(maybehalfadozenoradozenclientcerts,perhapsissuedonlytohighlytechnicalsystemsorsecuritystaff)‐‐Departmental‐scaledeployment(hundredsoreventhousandsofcerts,perhapsissuedtoallauthorizedadministraPvecompuPngusersortoallauthorizedhighperformancecompuPngusersatasite)‐‐Site‐widedeploymentto"everyone"(allfaculty/staff,allstudents,andpotenPallyeventoall"other"users)‐‐Ormaybeevenbroadedu‐wide(cross‐realm)deployment?
• Theseareradicallydifferentanimals.IfweDON'Tneedtodothecross‐realmcase,wemightevenbeabletogetalongwithlocallyissuedclientcerts.Doyouthinkthat'sonereasonwhyemail,aclassicinter‐realmapp,hasleadtoclientcertsofenbeingcalled'S/MIMEcerts?'(Ifyou'reonlyissuingclientcertsforintra‐realmuse,atthesamePmeyouissueacert,youcouldjustpushalocalrootcert).
165
Page 166
SmallDeployments?==>TargetedBenefitsLargerDeployments?==>BroadAcceptance
• WhileIdon'tmeantoimplythatthere'snobenefittofolksdoingPKItesPng,orevensmallscaledeploymentsforacarefullydefinedlocalcommunity,thosesortofprojectsdeliveradifferentsortofbenefitthanmorebroadlyadoptedefforts.Hasthe)mecomeforustoconsiderabroadlyacceptedcross‐ins)tu)onalclientcerteffort?
• Contrastalocally‐issuedlibrarycardwithapassport:‐‐Alocally‐issuedlibrarycardisterrificallyusefulifIwanttocheckoutsomebooks,butunfortunatelynooneexceptmylibrary,e.g.,theonethatissuedit,willrecognizeoracceptit‐‐Apassport,ontheotherhand,whilenotadocumentthatwillbeacceptedforthepurposeofcheckingoutlibrarymaterials,isuniversallyacceptedasaproofofpersonalidenPty(includingbeingpotenPallyusedorthingslikegeUngalocallibrarycard)
166
Page 167
TimeForAStandardizedHigher‐Ed‐WideIDCard?
• Oneofthereasonspassportsareusefulisthatthey'restandardized.CurrentlyeachuniversityissuesitsownuniquetypeofIDcard,withliEleinthewayofformalhighered‐widestandardizaPon.Mosthaveaname,anumber(hopefullynotaSSN!)andapicture.Mostalsohaveamagswipestrip,abarcode,andmaybeanRFIDtag.
• Hasthe)mecomeforcollegeanduniversityIDcardstoalsohavesmartcardfunc)onalityandaclientcert?Infact,shouldhigheredbestrivingtoestablishacommunity‐widegeneralstandardforcollegeanduniversityIDcards?(arguably,there'salreadyconsiderabledefactostandardiza)on)
• Note:Iexplicitlyhavenodesiretosteponcardoffice"turf"atschoolsallacrossthecountrybyinnocentlyaskingthoseques9ons!Idoalsorecognizethattherearea*lot*ofsubtleissuesthatareraisedjustbyaskingthosetwoques9ons.
167
Page 168
WhatWorksForOnesie‐TwosieWon'tWorkForTensofThousands
• Theprocessesyousawearlierinthissession,whichcanbemadetoworkforasmallnumberoftechnicallysavvyusers,won'tworkifyou'retryingto"cookforthousands"(ortensofthousands)ofusers.Amorescalableapproachisneeded.
• Forexample,ifyou'regoingtoinstallcerPficatesdirectlyonusersystems,youneedabeEerwaytodropcerPficatesonthosesystems,andabeEerwaytoconfiguretheuser'sapplicaPonstoknowaboutandusethem(InCommonisworkingonthis).
• Similarly,ifyou'regoingtousehardwaretokens,instead,youlikelyneedenterprisegradetoolstoprovisionandmanagethosedevices.Thosetoolscanbepurchased,ormaybewriEenlocally.
• Heck,ifwe'rethinkingaboutabigdeployment,weevenneedtocarefullyconsiderwhatSORTofhardwaretokenswemightwanttouse...USBformatPKIhardtokensareNOTtheonlyopPon.
168
Page 169
Smartcards?
• TheUSBformatPKIhardtokensyoureceivedarebasicallyasmartcardwithanintegratedsmartcardreader(withabuilt‐inUSBinterface).Thatcanbeveryconvenient–it's"allinone."
• However,smartcardstendtobesomewhatcheaperthanUSBformattokens(e.g.,$15.13vs.$19.80),whichcanbeimportantifyou'rebuyingthousandsofthem.Ontheotherhand,theydoneedsmartcardreaderswhereverthecardsaregoingtobeused(fortunatelysmartcardreadersneednotbeveryexpensive)
• AdisPnctadvantageofsmartcardsisthattheycanbeusedasanemployeebadgeorIDcard,formaEedtoincludethingsliketheemployee'snameandpicture,amagstripeandoneormorebarcodes,whileALSOcontainingasmartcardinasecurecerPficatestore.Thismaybethebestofallpossibleworlds.
• Butwhatwillyoudoformobiledevices,suchassmartphonesortablets?
169
Page 170
Slick‐SidedMobileDevicesandHardTokens
• Mobiledevicesareincreasinglyimportantoncampus,soweshouldbesuretothinkabouthowwe'llintegratehardtokensorsmartcardswithmobiledevicesthatyourusersmayhave,suchastheiPad,theiPhone,Androiddevices,Blackberries,etc.
• Theproblemisthatmosthardtokens,andmostsmartcardreadersforthatmaEer,connectviaUSB.SomeportabledevicesmaynothaveareadilyaccessibleUSBportintowhichyoucanplugahardtokenorsmartcardreader.
• ThesoluPon?YoucantryBluetooth‐connectedsmartcardreaders(somePmesalsoknownas"CACsleds"),buttheyaren'tcheapandtheydon'tsupportalldevicesorallsmartcards.
• Inthefuture,itmaybepossibletostoreclientcertssecurelybystoringpartoftheclientcertdirectlyonthedevice,whilestoringtherestoftheclientcertinthecloud,usingthresholdcryptographytoreconsPtutetheclientcertsecurely.
170
Page 171
WhatAboutDirectories
• Oneofthesubtlethingsthatcanreallymakelifeeasierifyou'redeployingclientcerPficatesatscaleisadirectoryofallthepublickeysandcerPficatesfortheusersyoumightneedtocommunicatewith(thatmeansthatpeopledon'tfirstneedtoexchangesignedemailmessagesbeforetheycanexchangeencryptedemailmessages).
• TradiPonalkeydistribuPonalsobreaksdownifyouneednon‐repudiablekeysfordigitalsigning,butescrowedkeysforencrypPon.YouneedanalternaPvesourceforkeysinthatcase.
• Whenitcomestodeployingadirectory,deployingoneforyourcompanyisonething.EvendeployingadirectoryforanenPtyasbigasthefederalgovernmentissomethingthat'sdoable(heck,they'vedoneit!).Butit'snotcleartomethatthere'sascalableInternet‐widedirectorysoluPonthatwouldworktoholdclientcerPficatesforallInternetusers(assumingeveryonehadthem).
171
Page 172
SomeDirectoryComplica)ons
• Organiza)onaldirectoriesareforlocalcorrespondents:Ifallmyemailislocal,andmysiteisdoingclientcerts,Icanprobablyjustcheckmylocaldirectory,butthesedays,manyusersexchangemoreemailoff‐sitethanon.AndwhatifI'man"isolatedadopter,"andthere'snotevenanorganizaPonaldirectoryformetoevenuse?
• Organiza)onaldirectories(distributed,Internet‐wide):HowdoIfindtherightdirectorytousetolookupsomeoneelse'sS/MIMEcreds?There'scurrentlyno"directoryofdirectories"(nordoIthinkthere'smomentum/communitysupporttocreatesuchananimal,givenspamproblemsandsecurityworries–manysitesmaybereluctanttoallowunfeEeredpublicdirectoryaccessduetopotenPalharvesPngissues).
• Whataboutacentralized/consolidateInternet‐widedirectorythatlists"everyone?"Um,no.Peoplejustwon'twanttocontributetheirdata,itwouldbeimpossibletokeepcurrent,andthereareO(20million)usersinUShighered!WeneedtotakealessonfromDNS.ThearchitectsofDNSdidadistributedmodelforgoodreasons!
172!
Page 173
PGP/GPG‐ishS/MIMEKeyservers?
• ThereisonealternaPvecryptographicdirectorymodelthatseemstohaveworkedpreEywellto‐date,andthat'sthePGP/GPGmodel.Userscansubmittheirkeysiftheywantto.Otheruserscanlookforkeysinthosedirectoriesiftheywantto.Ifyoucan'tfindtheoneyouneed,youcanalwaysfallbackonoldstandbyapproaches,likeaskinguserstosendtheirkeydirectly.
• I'vedevelopedaveryroughprototypeserverthatdemonstratesthatitisatleastconceptuallypossibletoconstructaPGP/GPG‐likekeyserverforS/MIME.Ifyou'reinterested,seehEp://pages.uoregon.edu/joe/simple‐keyserver/foradetaileddescripPonofwhatIhaveinmind.
173
Page 174
S/MIMEIsn'tTheOnlyUseforClientCerts
• ClientcerPficatescanbeusedforabunchofthingsotherthanjustsigningorencrypPngemail.
• Forexample,clientcerPficatescanalsobeusedtosigndocuments,orforauthenPcaPon,orasabuildingentrycredenPal.(Notethatifyou'reheadedinthe"authenPcaPon"or"buildingaccesscontrol"direcPon,youwillprobablyneedatradiPonalenterprisePKIdirectorytosupportthatapplicaPon)
• Onceyouhaveclientcertsdeployed,youmightbesurprisedathowmanydifferentwaystheycanactuallybeused.
• NOTE:Clientcertsshouldonlybeusedforpurposesconsistentwiththeirapproveduses.Forexample,theclientcertwedownloadedearlierspecifiedthatitwasforuseinconjunc)onwithsecureemail.However,manyapplicaPonsdoNOTstrictlycheck/enforcetheObjectIDs("OIDs")associatedwithacert,soyoumaybeabletouseagivencertforotherpurposes,too.
174
Page 175
SigningStuff(OtherThanJustS/MIMESigning)
• SigningMicrosoKWorddocuments(Windowsonly),seehEp://pages.uoregon.edu/joe/signing‐a‐word‐document/
• NeedtosigndocumentsonaMac?TryOpenOffice:hEp://Pnyurl.com/openoffice‐signing
• AdobehasanextensiveguidetosecuringPDFs,includinguseofdigitalcerPficatesforsigningPDFs,see:hEp://Pnyurl.com/adobe‐signing(PDF,114pages)
NotethatthisisdifferentthanAdobe's"CerPfiedDocumentServices"programwhichalsoinvolvesdigitalsignatures,butismoreexpensive(andnotsupportedbyComodo/InCommonclientcertsatthisPme)
175
Page 176
Encryp)onUsingClientCerts(OtherThanS/MIME)
• PGPWholeDiskEncryp)on(seethedatasheetlinkedfromhEp://www.symantec.com/business/whole‐disk‐encrypPon)
• MicrosoKWindowsEncryptedFileSystemhEp://technet.microsof.com/en‐us/library/bb457116.aspx
• IPsecVPNs(MostIPsecVPNsaredeployedwithoutuseofclientcerPficates,howeveratleastsomeVPNscanbeconfiguredtouseclientcerPficatesifdesired—see,forexample,hEp://www.strongswan.org/andhEp://www.cisco.com/en/US/docs/soluPons/Enterprise/Security/DCertPKI.html)
176
Page 177
Authen)ca)onUsingSmartCards/ClientCerts
• RedHatEnterpriseLinuxSmartCardLoginSeehEp://Pnyurl.com/redhat‐smartcards
• WindowsAc)veDirectoryLoginwithSmartCardsSeehEp://support.microsof.com/kb/281245
• OpenSSHauthen)ca)on(viathirdpartyX.509patches)hEp://roumenpetrov.info/openssh/
• MacOSXhasbeengoingthroughsomechangeswhenitcomestonaPvesupportforsmartcards,butseehEp://smartcardservices.macosforge.org/andhEp://www.thursby.com/mac‐enterprise‐management‐high‐security‐smart‐cards.html
177
Page 178
Authen)ca)onUsingClientCerts(cont.)
• ControllingaccesstowebcontentservedbyApache:www.dwheeler.com/essays/apache‐cac‐configuraPon.html(it'smuchmorehelpfulthanthemoregeneralpageathEpd.apache.org/docs/2.5/mod/mod_ssl.html#sslrequire)
• ControllingaccesstowebcontentservedbyMicrosoKIIS7hEp://technet.microsof.com/en‐us/library/cc732996%28v=ws.10%29.aspx
• ControllingaccesstowirelessnetworksviaEAP‐TLS,includingconfiguringEduroam.See
hEp://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtmland
hEp://www.internet2.edu/presentaPons/jt2011summer/20110710‐hagley‐eduroamtutorial.pdf
178
Page 179
ClientCer)ficatesCanEvenPoten)allyBeUsedForBuildingAccessControlPurposes
179
Page 180
XII.Don'tForgetAboutPolicies,GovernanceAndPoten)alLegalIssues
180
Page 181
ClientCerts(TheTechnology)NeedtoBeSupportedByAppropriatePoliciesandGovernanceStructures
• Inlookingatsuccessfuldeploymentsofclientcerts,suchasthefederalgovernment'sHSPD‐12CAC/PIVcardproject,oneofthethingsthat'shardtomissisthatitssuccessisnotjustatechnologicalthing,it'sasignthatappropriatepoliciesweredevelopedbytheissuingandrelyingcommuniPes.
• Ifyou'replanningondoingamajorclientcertproject,pleasebesureyouarealsoconsideringthepolicyimplicaPonsofmovingtoclientcerts,notjustthetechnologyissues.
• Forexample,whataboutprivacy?Doesuseofclientcertshaveanyimpactonuserprivacy?Maybe...
• Whatifyouremailclientcheckedadirectoryforapublickey/certforeveryemailcorrespondentyouexchangedemailwith?
• OrhowaboutthisliEleexposure...seethenextslide...181
Page 182
AnyWebSiteCanAskForYourBrowser'sClientCertAndThusPoten)allyGetYourName/EmailAddress
182
Page 183
AnotherPrivacyThreat:ClientCertsAreNowBeingTargetedByMalware
• UserswhoemployedclientcertsfortwofactorauthenPcaPonhavelongenjoyedfeelingrelaPvely"abovethefray"whenitcametohacker/crackeraEacks.However,in2012,itbecameclearthatatleastonemalwarefamily,Sykipot,hasbeguntospecificallytargetfederalCAC/PIVclientcerPficatecredenPals.See,forexample:hEp://labs.alienvault.com/labs/index.php/2012/when‐the‐apt‐owns‐your‐smart‐cards‐and‐certs
• BecauseclientcertcredenPalsaretypically"nonexportable"fromsmartcards,malwaretargePngclientcertswillnormallyaEempttoexecutea"maninthebrowser"or"maninthemachine"aEack:‐‐intercepttheuser'ssmartcardPIN,‐‐usetheclientcert"in‐situ,"proxyingrequestsforresourcescontrolledbycertsthroughthecompromisedmachineitself,then‐‐exfiltratethesurrepPPouslyaccessedmaterialsoffsite.
• ConscienPouspatchingandaggressivemeasurestocontrolmalware,remainextremelyimportant,evenif(especiallyif?)you'reusingclientcerPficatestocontrolaccesstosensiPvecontent.
183!
Page 184
KeepYourLawyersInTheLoop,Too
• Why?Well,letmegiveyouoneclosingexample...strongcryptographyisexportcontrolledbytheU.S.BureauofIndustryandSecurity,includingbeingsubjecttothe"deemedexport"rule.
IfyouplantoissueclientcerPficatestoallyouremployeesrememberthatsomeusers,asmenPonedatthebeginningofthistalk,maynotbeeligibleforaccesstostrongcryptographictechnologies,includingpotenPallyclientcerPficates.Formoreonthispoint,pleaseconsultwithyouraEorneyregardingtheprovisionsofthe"DeemedExport"rule.AsastarPngpoint,seehEp://www.bis.doc.gov/deemedexports/deemedexportsfaqs.html
• IncreaseduseofencrypPonforofficialrecords,mayalsoraiselongtermrecordmanagementandaccessissues.
184
Page 185
ThanksfortheChanceToTalkToday!
• ArethereanyquesPons?
185
Page 186
AppendixI:UsingTheSafeNetHardTokenonWindows7
186
Page 187
"I'mUsingWindows,NotAMac!"
• There'saversionoftheSACforWindows7ontheCDwegaveyou,too.
• DragtheSAC8_1SP1zippedarchivefromtheCDtoyourdesktop.Doubleclickonit,thenselecttheSAC8_1SP1folder.
• Gotothe32X64Installerfolder.DragtheapplicaPonyou’llseethereontoyourdesktop.
• Assumingyou'rerunningWindows7,rightclickontheinstallerandselectRunasAdministrator.
• Youshouldseethengothroughaseriesofscreenswherethedefaultanswerswillusuallyfine...seethenextslides.
187
Page 188
TheCD'sContents
188
Page 191
PlugInYourToken
• Whenyoudo,itmayautomaPcallydownloadaddiPonaldriversfromWindowsUpdate.ThefirstPme,whenitfinishes,itwillpromptyoutochangeyourtoken'spassword.Thedefaultpasswordis1234567890asmenPonedinthedocumentaPon.
191
Page 192
ThunderbirdCan'tSeeTheSafeNetHardTokens?
• IniPally,Thunderbird(andpotenPallyFirefox)maynot"see"theSafeNethardtoken.Ifyouexperiencethat,you'llneedtomanuallyloadtheeTPKCS11.dllfilefromeither
c:\Windows\System32\eTPKCS11.dll (32bit)orc:\Windows\SysWOW64\eTPKCS11.dll (64bit)
Firefox‐‐>Preferences...‐‐>AdvancedIntheEncrypPontab,clickonSecurityDevicesIntheDeviceManagerwindow,clickLoadIntheLoadPKCS#11Devicewindow,underModulefilename,entertheappropriatefilename(asshownabove)IntheConfirmwindow,clickOK
192