20-771: Computer Security Lecture 11: Windows 2000 III

1
20-771 Computer SecurityLecture 11 Windows
2000 III

• Robert Thibadeau
• School of Computer Science
• Carnegie Mellon University
• Institute for eCommerce, Fall 2001

2
This Week

• WS 11, 12
• Touretzky on Wed

3
Todays lecture

• The four examples (Common Criteria, etc.)
• Seeing real access control under win 2000
• Kerberos
• Think symmetric (private) key, first is password,
  second and third in tickets for pre-registered
  services.
• Encrypted Files
• Break (10 min)
• IPSec, Smart Cards

4
Windows 2000

• Much richer (more complicated) model
• MUCH easier for Joe to take over after Sam
• Hierarchy of Hierarchies

Complexity Wins
Windows
Unix
5
Bad News Good News

• Complex
• Many Hierarchies
• Lots of How-To
• Learn only MS
• Use only MS 2000

• Simple underlying model
• MMC/ Active Directory / ACLs
• Hierarchies are easy to browse/search
• Only ONE way to configure
• Good online docs, good HCI

6
Some Hierarchies
What What For Objects/Attributes
File System Programs and Data Word, Run Programs, etc.
Registry (six leaves) Control LOCAL system parameters Default settings, global variables
Domains Security Management Users/Groups/ACLs
Domain Trees Enterprise Management Domain Trust, Domain Config Inheritance
System Management Console Control of All Resources Active Registry
IIS Console Control http/ftp Hierarchy of virtual directories
Frontpage Control of webs Flat hierarchy of webs
7
Review

• Windows 2000 Access has to do with
• Authentication (Passwords)
• Authorization (Access Controls) Active
  Directory
• We also saw the considerable audit capabilities
  Active Directory SACL
• Privacy (secrecy)
• Came in in protecting passwords (kerberos)
• Integrity (it is what it says it is)
• Came in in service authentication (kerberos)
• PKI
• Finally, we encountered a great advance in
  enterprise management through Active Directory
  and MMC snap-ins

8
Windows 2000Much more compelling than NT

• Known to be a rock, stable, environment
  comparable to Linux/Unix.
• Runs many, BUT NOT ALL, Windows applications.
• One machine in violation (e.g., its Win 98 or
  MAC) violates the security model
• Enterprise or Departmental Management is much
  cleaner.
• Intercompany Management of resources is possible
  without third party software.
• Implementation of full scale corporate PKI is
  possible.
• Web access through IE5/IIS can be made highly
  secure

9
What is your recommendation?

• Machines have to be 64 megabytes (about 100/per
  machine)
• Think domain trees.
• Inheritance
• Build a root
• Build a department
• Add in other departments
• Web Servers
• Build a root
• Build a web server
• Add in other departments

10
Build a root?

• The root should include
• A top-level domain controller
• A top-level certificate server
• A top-level kerberos server
• Possibly, a top-level SQL Server
• Possibly, an exchange server (mail)
• Possibly, a DNS server
• If Intranetting an IIS server
• These servers dont have to be big-time machines
  but do have to be reliable
• Disk mirroring is built into NT/2000
• Offsite backup replication (IPSec)
• These machines should be under major lock and
  key.
• Entry should be local console although remote is
  supported in Windows 2000.

11
Windows 2000 IPAAA Model
12
Windows 2000 IPAAA Model
File Encrypt
SMARTCARD
IPSec
13
Encrypting File

• Think like SSL and others uses RSA for
  authentication/authorization and Private Session
  Key for actual encryption/decryption
• This means system has private key that it can use
  for decryption
• Encrypted Data Recovery Policy (EDRP)
• Workgroup (LOCAL Domain) this is local
• In Domain, it is only with the Domain
  Administrator

14
One DESX Key, Many Certs
FILE OR DIRECTORY
Administrator CERT /Public Key M
Symmetric/Private/DESX/Encrypt/Decrypt Key A
UserQ CERT /Public Key Q
Symmetric/Private/DESX/Encrypt/Decrypt Key A
UserR CERT /Public Key R
Symmetric/Private/DESX/Encrypt/Decrypt Key A
Some can be certs in Data Decryption Field or
Data Recover Field
15
File Encryption / Recovery Certificate

• The symmetric encrypting key is encrypted using
  the public key derived from your EFS certificate.
  
• The resulting encrypted data, along with your
  display name and a hash of the certificate, is
  stored in a named stream in the file that
  contains EFS metadata.
• When EFS decrypts a file, it uses your private
  key to decrypt the symmetric encrypting key. EFS
  then uses the symmetric key to decrypt the data.

16
File Encryption is DES

• Actually DESX but the idea is the same it
  operates like XOR the number of bits is the
  number of tries needed to guess the key brute
  force (without studied cryptoanalysis).
• 40 bits for International
• 56 bits for US
• 128 bits can be downloaded from MS Support
• File Encryption Key Uses a Random (40, 56 or 128
  bit) Number (randomness is probably very good,
  but not cypher quality)
• You can bet somebody somewhere has characterized
  the non-randomness already (havent seen a
  publication)
• This means WHAT? You should know the answer to
  this!

17
Process

• You right click and set property to encrypt a
  file/directory
• If you dont have a user public/private keypair
  one is automatically generated in the
  background in your domain
• Done once, you are done forever.
• You can have others need management
• The private/public key pair gains access to the
  session key for the file.

18
When it wont work

• System bit set (system files cant be encrypted)
• Compressed files (files marked compressed).
• Read-Only files (this is because the file has to
  be written, temporarily, to be read).
• FAT32 or any other FS than NTFS
• Copy should be checked
• Works because the file owner is always the file
  owner.

19
Cipher utility

• Why would you want to encrypt an encrypted file?
  Try being administrator and user.
• Data Decryption Field (certs), and Data Recovery
  Field (certs)
• Encrypt a file as a user, and see if you can
  decrypt it as somebody else (who is the default
  recovery manager).
• Note efsrecvr.exe as the Encrypted File System
  RECoVeR program you can use. You can also do this
  by right clicking and the security properties,
  owner.

20
Cert (X.509) EFS Solution

• Many certs can hide the SAME private/ symmetric/
  session FEK (file encryption/decryption key) for
  a file.
• These certs are SPECIAL FILE ENCRYPTION CERTS
  (using the users private/public key)
• http//support.microsoft.com/support/kb/articles/Q
  273/8/56.ASP
• The file can have several depending on the CERT
  which is user Data Decryption Field
• The file can have several recovery agents can
  have several depending on the CERT which is the
  recovery agent user.

21
User and Kernel Mode

• MS has decided to keep encryption/decryption in
  Kernel Mode
• This requires careful user Mode handling (NTFS
  calls EFS in complete privacy)
• Cryptographic Provider (right now, the Microsoft
  Base defined for cryptoAPI. Could be smart
  card or external code/box).
• There is another secret mode (SMI) that MS
  doesnt use.

22
CryptoAPI EFS Components
User Mode
USER APPLICATION
CryptoProvider RSA Private Key STORE
CryptoAPI
Encrypts Communication
NTFS
EFS
Msdn.microsoft.com search KSecDD Inside
Encrypting File System
Kernel Mode
23
CryptoAPI EFS Components
User Mode
BIOS Real Mode Phoenix Technologies Device
Responsibility
USER APPLICATION
CryptoProvider RSA Private Key STORE
CryptoAPI
Encrypts Communication
NTFS
EFS
Msdn.microsoft.com search KSecDD Inside
Encrypting File System
Kernel (Real) Mode
24
Problems with File Encryption System

• There is no integrity checking on files (PAAA
  only)?
• WRONG There is, I, but only for the encryption
  header not the files themselves
• The symmetric key is not necessarily just yours
• You and anybody else allowed
• Recovery cert owner.
• Note, the EFS symmetric key in your local X.509
  is not yours but is the file or directorys
  the containers. (Uses special hidden certs)
• But! A private key is used to open the certs
  encrypted with the public key. You have to steal
  a private key of an RSA pair.
• Many attacks
• Clear text file may exist (not deleted)
• Crypto-API is in the clear (NOT kernel)
• You cant revoke the File Encryption Certificate

25
File Encryption Experience

• Ease of use
• Is there a way to have truly private files here?

26
Encrypting File System (EFS)

• Think like SSL and others uses RSA for
  authentication/authorization and Private Session
  Key for actual encryption/decryption

27
Break!
28
Sidebar 3000 bit encryption

• Answer Yes, but.
• It wont hurt but it probably doesnt matter.
  128 bit is
• 1.70141183460469e38
• 1 in 170,141,834,604,690,000,000,000,000,000,000,0
  00,000 tries
• Slightly better than 6 in 9999 (your PIN on your
  bank account).
• 86,400 seconds in a day, 31,500,000 in a year.
  3,150,000,000 in 100 years.
• Need 54,000, 000,000, 000,000, 000,000,000,000
  Guesses a Second (div by 2)
• 54 billion trillion operations per second with
  the expectation that in 50 years youll get it.
• On the other hand, feel free.

29
IPSec Classic Network Attacks

• Snooping
• Spoofing (TCP sequence numbers)
• Password Compromise
• Denial of Service Attacks (DoS)
• TCP SYN open tons of TCP connections
• SMURF drown with ping
• Teardrop fragmentation reassembly
• Ping of Death fake fragmentation parameters
• Man-in-the-middle Attacks
• Application-Level Attacks
• Key Compromise

30
IPSec is End to EndIPAxx

• Client to Client
• Transport Mode
• One Authenticates but doesnt encrypt
• One Authenticates and Encrypts
• Gateway to Gateway
• Tunnel Mode (client to client is encapsulated)
• Authenticates, Encrypts, and also hides source
  and destination!

31
IPA

• Integrity
• Uses a hash (called signature or fingerprint)
• Authentication
• Preshared key authentication
• Nonce to confirm shared key
• Kerberos authentication (essentially the same)
• PK certs
• Confidentiality/Privacy/Encryption
• DES (3DES, triple DES)
• CBC (Cipher Block Chaining)
• Very akin to One Time Pad philosophy
  (approximates it).

32
IPSec Detail

• Authentication Header (AH)
• Encapsulating Security Protocol (ESP)
• Orig IP Header AH TCP DATA (transport mode)
• Authenticates whole packet
• Orig IP Header ESP Header TCP DATA ESP
  Trailer ESP Authentication (transport mode)
• Authenticates whole ESP but not IP Header
• Encrypts TCP-Trailer
• New IP Header ESP Header Orig IP Header TCP
  DATA ESP Trailer ESP Authentication
• Authenticates whole ESP but not IP Header
• Encrypts Original IP header to ESP Trailer

33
Uses Cyphersuite

• Calls it security parameters index
• Encryption DES or 3DES
• Hash SHA1 or MD5
• Session Key (not in a cyphersuite)
• Diffie-Hellman provides the method of arriving at
  a shared secret to manage key exchange
• Also uses RSA (see RFC)

34
Three Flavors of Network Security in IPSec

• Not Secret but it is Authentic!
• Secret and Authentic Client to Server
• But Routing is KNOWN
• Secret and Authentic and Routing (Inside
  Firewall/Gateway) is Secret Too.
• Tunnelled through the Open Infrastructure,
  Gateway-to-Gateway
• Defaults include using if you can, and requiring
  use (on pain of failure to communicate at all).

35
NOW SMART CARD!!!

• REALLY GOOD AUTHENTICATION!
• What you know
• What you have
• Biometric

36
Smart Card

• ISO 7816
• Not OK for software/reader/writer interface
• PC/SC Workgroup
• www.pcworkgroup.com
• www.microsoft.com/security/tech/smartcards -gt
• http//www.microsoft.com/technet/security/smcdtech
  .asp
• Dumb and Smart
• Dumb Just store info (deprecated)
• Useful in facility security but can be
  counterfeited easily
• Smart (ICC) have a processor, can hide a private
  key,
• These can act as full crypto service providers
• Very very hard to counterfeit (if actually
  possible)

37
Smart Card

• ISO 7816
• Not OK for software/reader/writer interface
• PC/SC Workgroup
• www.pcworkgroup.com
• www.microsoft.com/security/tech/smartcards -gt
• http//www.microsoft.com/technet/security/smcdtech
  .asp
• Dumb and Smart
• Dumb Just store info (deprecated)
• Useful in facility security but can be
  counterfeited easily
• Smart (ICC) have a processor, can hide a private
  key,
• These can act as full crypto service providers
• Very very hard to counterfeit (if actually
  possible)

38
ICC Smart Cards

• Really secure!
• Two Factor Authentication
• Both a password (PIN) and an RSA Key
• Three password tries and you are out
• Administrator
• Three password tries and he is out
• Six Tries and you have a dead card
• Even a smart card reader sniffer cant sniff
  the private key operation
• BUT IT CAN SNIFF THE PASSWORD (PIN)!!!
• Sniff the guy, steal his card. Youre In.
• Phoenix Technologies Wave Systems Device
  Responsibility to Guard Keyboard Sniffers

39
Typical Smart Card Operation
Smart Card
System
Smart Card Waits to Hear its PIN to Start Talking
System Generates Nonce For Smart Card
Smart Card Demonstrates it Knows Private Key by
Encrypting Nonce
System Gets Public Key From Its Store Or Smart
Card Store CA!
System Uses Public Key to Prove Smart Card is Who
it Says it is.
Smart Card can Manufacture Certs for System as
Requested
40
ICC Smart Card Programming

• To Store Data (not particularly for security but
  perhaps for mobile privacy e.g., health
  records).
• To alter conditions for PIN or other conditions
  for gaining access to RSA signing. Unclear if
  this is always supported.

41
Windows 2000 IPAAA Model
42
Windows 2000 IPAAA Model
User Agents
DACLs
File Encrypt
Kerberos
Authenticode
SACLs
Smartcard
IPSec
43
Features of Win 2000

• Multiple methods of authenticating internal and
  external users
• Protection of files through easy to use
  encryption
• Protection across network through transparent
  encryption
• Per-property access control for objects (many
  more detailed uses than read, write, and execute)
• Smart card support for authentication and hiding
  private keys
• Transitive trust relationships between domains
• Public Key Infrastructure (PKI Certs handled
  transparently).
• Code itself is routinely authenticated as to its
  source using PKI.

44
Cert 101

• The Cert is not encrypted but is encoded (the
  only thing that is encrypted is the hash This
  is technically called signed)
• The signed hash can be
• Self signed the public key will immediately
  open the hash allowing you to verify the text is
  right.
• CA signed a CA public key (and possibly your
  public key in succession) will open it. This
  verifies that you are you and the CA verifies you
  are you.

45
Encryption and Cert Based Access Control

• Cert is basically
• Housekeeping Some plain text about the version
  of X.509, the cryptosuites being used, and a
  certificate number
• Some plain text information about the owner
• A plain text date to start and and date to expire
• A plain text public key
• Some extra plain text whatever you want
• Different certificate types define different
  fields here
• A signed hash of the above stuff

46
Certificate Formats

• PKCS10 Format for a requestor just unsigned.
• PKCS7 Format for a signed certificate
• PKCS is at www.rsa.com/rsalabs/pkcs

47
PKCS-7 Signing

1. For each signer, a message digest is computed on
   the content (H(M1))
2. For each signer, the message digest and
   associated information are encrypted with the
   signers private key (E(H(M1)M2).
3. For each signer, the encrypted message digest and
   other signer-specific information are turned into
   a certificate (C(E(H(M1)M2)M3).
4. All the certificates are rolled up into a Signed
   Data sequence
5. Info certificates certificaterevocations
6. AltltBgtgtBltltCgtgtCltltDgtgt
7. Public Key A (from CA) gives you your public key
   D.

48
EFS (Encrypted File System)

• A PKCS-7 can have info that can be used to send a
  message to a user agent to verify that he left
  the certificate.
• It can hide a symmetric key encrypted with the
  public key of the user.

49
Minor Technicalities

• It isnt all X.509v3 (but, really, it is)
• The use of the certificate defines the content.
  Any issuing authority can issue different kinds
  of certificates and these are not always
  compatible.
• However, the principle is universal
• Sign the hash with your private key to prove its
  you.
• Distribute a public key
• You might encrypt the public key or other
  information as is the case with the successive
  unfolding of a sequence of certificates.
• X.509v3 allows for recursive signing but it isnt
  used.

50
Using Certs

• I can prove you are you
• Smart Cards are really strong!
• They dont really need a CA!
• Register the smart card with the machine.
• It is absolutely unique and cant be
  counterfeited!
• Other CA opportunities
• What happened to Notaries???!!!!????
• Wouldnt it be nice if you could walk down the
  hall and the exec secretary could be the legally
  recognized CA?
• Notaries are trained, etc.
• Alternate CA rules
• Are there other ways to prove you are who you say
  you are.
• To prove this software or data is who it says it
  is
• A master server on the net that can automatically
  sign anything given to it.
• The date/time/name become the master object
  itself.

51
Using Certs 2 Non-repudiable Agreements

• Certs (typically two) can represent an agreement.
• Here is the text of the agreement
• Here is the date and time of the agreement
• Here is your signed digest of the content.
• Here is my signed digest of the content.
• We both have copies.
• Now, you say you didnt agree, but I bring out
  your signed certificate to prove you did.
• Now, I say I didnt agree, but you bring out my
  signed certificate to prove that I did.
• The proof is irrefutable. I could not
  manufacture your certificate.

52
Using Certs 3 Anonymizing

• A different use of certs.
• I wont tell you who I am.
• I just give you a signed authorization to spend
  200 or to log into the computer as John Smith.
• The signer guarantees or vouches for me.
• The X.509v3 lets you do this.

53
Privacy Services
AGENT
INTERACTION
CONTROL
VALIDATION
NEGOTIATION
Personal Information
USAGE
INDIVIDUAL ACCESS
Policy
AUDIT
PROCESS CERTIFICATION
ENFORCEMENT RECOURSE
LOG
54
Anonymizing Smart Cards

• A smart card that can sign for an authority and
  also sign for an individual.
• This could be a recursive sign
• This way the authority cannot be held responsible
  unless he knows the person who put him at risk.
• Alternatively, a third party anonymizer that
  provides the anonymous certificate (this is a
  valuable web sitestopped before Sept 21, 2000 by
  RSA!).

55
Anonymous Smart Cards

• Anonymous Certs could provide special mailing
  information
• Contact me at mrpepper_at_hotmail.com
• It could provide anonymous profiling
• I am 50 years old. White. Worth X dollars, send
  mail to me at mrpepper_at_hotmail.com, but you cant
  find out who I really am.
• Microsoft Smart Cards, Inc., will attest to this.

56
Agents

• Converse side of CA
• You sign to give your agent rights
• The agent can now bind you

57
Certs on/from Objects

• EFS
• Prove the owner has the right. User object has
  to decrypt the symmetric key that decrypts the
  object.
• Authenticode
• Prove the code is the code because the cert on it
  hashes the code to prove its integrity and the
  hash is signed to prove that it came from who it
  is said to be from.
• You have to trust Microsoft Corporation
• This means that the certificate simply said
  Microsoft Corporation, Inc. but what if it had
  said Microsoft Inc. (of Zimbabwe, Africa)?

58
PKI

• You should learn that Microsoft has implemented
  what you already learned about PKI and
  Cryptography
• They have integrated this into the OS (making it
  easy and transparent)
• Look at Hierarchical Certification (a parent Cert
  unlocks many children, and each of them can
  unlock many children)
• Look at types of Certs (people, code, things)
• Types and Hierarchy of authority basis for
  corporate PKI and Win 2000 PKI.

59
PKI works with two mechanisms

• Using the CA public key to unfold the signing
  to your public key (typically, the CA signs your
  PK cert).
• He vouches for you in a way that cannot be denied
• Key compromise
• Key revocation is a problem
• A file or resource has access granted by the
  demonstration that the requestor can privately
  encode that the resource can publicly decode (or
  that the resource can publicly encode that the
  requestor can privately decode).
• You can have MORE than one PK on a file or
  resource
• Example was revocation list
• User (not group) is a owner of a private/public
  key
• Can let Windows Base Crypto Services or Smart
  Card.

60
Features of Win 2000

• Multiple methods of authenticating internal and
  external users
• Protection of files through easy to use
  encryption
• Protection across network through transparent
  encryption
• Per-property access control for objects (many
  more detailed uses than read, write, and execute)
• Smart card support for authentication and hiding
  private keys
• Transitive trust relationships between domains
• Public Key Infrastructure (PKI Certs handled
  transparently).
• Code itself is routinely authenticated as to its
  source using PKI.

61
End of Windows 2000 SecurityRemember Planning!

• Security group strategies
• Local, Global (Domain), and Universal (new)
• Group policies
• Access Control, Auditing, (security policy)
• Network logon Authentication
• Info Security (encryption)
• Primary Domain Controller First then Backups
• You cant back out You cant add new (old) NT
  into system in Win 2000