Strong and Alternative Authentication
Rafał Łukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all
information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in
File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the
“Introductions” presentation for acknowledgments.
2
Objectives
Revisit the foundation of IAM from the
perspective of modern, strong and specialised
authentication mechanisms
Explain ways of integrating them within a
Microsoft framework containing heterogeneous
systems
Highlight some remaining issues and
opportunities
3
Session Agenda
Public Key Infrastructure
Smartcards and Alacris
OTPs and SecurID
Biometrics
4
Microsoft’s Identity Management
Directory (Store)
Services
Access
Management
Identity
Lifecycle
Management
Active
Directory & ADAM
Active Directory
Federation Services
Identity Integration
Server
Extended Directory
Services
Authorization
Manager
BizTalk
PKI / CA
Enterprise
Single Sign On
Audit Collection
Services
Services for Unix /
Services for Netware
ISA
Server
SQL Server
Reporting
5
Public Key Infrastructure
6
PKI
Infrastructure for practical use of cryptographic
mechanisms for authentication and authorisation
purposes
Not new! Very well tested and based on sound
principles.
Unfortunately, too complex from a today’s typical
user’s perspective
7
Strong Authentication
Unlike most password systems, PKI-based
authentication relies on certificates and
protocols that provide highest level of strength in
terms of veracity of authentication
No secrets are exchanged in open
No reusable data is sent away
Man-in-the-middle is usually not possible
Scientific edge to understanding strength
Protection of certificates requires additional
devices, and, perhaps, passwords
8
Microsoft Certificate Authority in
Windows Server 2003
Standards Supported:
RFC 2459 Support (CRLs and Certificate Profiles)
X.509 v3, v4
RFC 2797 (CMC)
SCEP (Simple Certificate Enrollment Protocol)
PKCS #1,7,8,10,12
RFCs 2311, 2312, 2313, 2527, 2587, 2631, 2632, 2632, 2633,
2634
RFC 2560 (OCSP – Online Certificate Status Protocol)
Supports Auto enrollment, Client Certificate Distribution
Built into the OS, API/CLI/Web Interface
9
Windows as CA
Windows consumes and provides PKI and CA
services
This is referred to as one of three “Extended
Certificate Services” in terms of IAM
The other two being: Smartcard Management and
Information Rights Management
Apart from replacing passwords, this leads to a
very powerful form of Single Sign-On
Interoperability depends on mutual recognition of
CA roots and certificate claims
10
Modular Architecture
Windows OS uses multiple, user-selectable,
Cryptographic Services Providers (CSPs) to implement
core functionality, such as encryption etc.
Communication with CSPs is achieved through a number of
APIs, of which the most fundamental is CryptoAPI (CAPI,
CAPICOM)
CSPs vary widely, which can compromise security
Microsoft has recently (Dec 05) shipped a generic CSP that
can be used where custom ones are not economical
If this is of interest to you, please review significant new
mechanisms and APIs in Windows Vista
11
Cryptography Recommendation
At present (December 2005), consider using the following
cryptographic mechanisms available in Windows in preference to
others:
AES-128 (or AES-192, or AES-256)
RSA 2048 (or longer)
“SHA-2” (i.e. SHA-256, or SHA-512)
DSA
Avoid the following, if possible:
3DES (speed)
RC2 (superseded but generally fine)
RC4 (issues, but can be overcome)
DESX (esoteric)
Do not use at all:
DES (strength)
12
Cryptography Tomorrow
US NSA and NIST recommendation as of Feb
2005 is to implement “Suite-B” protocols
This is very rarely done in today’s software
Good news: Microsoft announced support for
Suite-B in Windows Vista (and Longhorn Server)
14
Smartcards/Tokens and
Alacris
15
Why Smartcards?
Smartcards are physical devices that protect a
private cryptographic key from being copied or
used without additional authentication
Basically:
Do not store a private key on the computer itself if
possible
If you do, ensure it is well protected, e.g. using Windows
default Protected Storage service, DPAPI etc.
16
Form Factors
Smartcards are not always “cards”, so they are
sometimes referred to as Tokens
USB devices
Bluetooth devices
Incl.: Mobile Phones
Active RFIDs (Radio Frequency Identifiers)
On-board silicone chips, sometimes being part of
other chips (Trusted Platform Modules, such as
TPM v1.2)
Note: this is a future direction being adopted by forms of
“Trusted Computing Base/Infrastructure”
17
Secondary Authentication
(Optional)
Smartcards usually do not provide their services, or any
access to the private key, unless a secondary
authentication succeeds:
PINs and passwords
Not sent across networks, this is locally processed on board of
the card
Biometrics (see later)
Co-presence of other devices
RFIDs
Note: the authenticator may be on board of the “card”
reader (more secure), or may be a function of the PC or
host computer (less secure or less trustworthy)
18
Smartcard Compatibility with Windows
Entirely dependent on the presence of a suitable CSP
(Cryptographic Service Provider)
Typically installed when hardware “reader” device is installed
Many providers exist
Microsoft promotes a .NET-based smartcard through
Axalto consortium
Windows Vista allows a broader range of smartcards to
be supported, including:
Card Communication Modules
Common CSPs
CNG (Open Cryptographic Interface for Windows)
19
Word About Smartcards
Some smartcards are “dumb”, i.e. they are only a
memory chip, so key can be easily stolen
Not recommended, not approved to Common Criteria (FIPS140-2)
Not all smartcards are equal
Not all have an on-board RNG (Random Number Generator)
Some cannot generate keys and rely on the reader or the host
Self-destruct is possible on some
20
Smartcard Lifecycle - idNexus
Users will, of course, lose smartcards
They will expire
Need for:
Provisioning, maintenance etc.
Lifecycle management of smartcards has not
been a function of Windows, but is implemented
in Alacris’ idNexus
Alacris has been acquired by Microsoft on 19 Sept
2005
21
idNexus (Alacris)
Identity Assurance Management System
Integrates with:
Windows 2003 PKI
Entrust (CA)
Supports:
Lifecycle Management (incl. Provisioning)
Smartcard Logon
OCSP through Alacris Identity Validation System
Client and server for Online Certificate Status Protocol
Used by IIS, IE, Outlook and many others
Common Criteria certified
22
OTPs and SecurID
23
One Time Passwords (OTPs)
Usually: hardware that generates a single-use value that
functions as a password
Trust between the device and the remote system is
implemented as physical relationship
E.g. precise clock synchronisation, as in RSA SecurID
As with smartcards, secondary authentication is possible
(PIN, biometrics etc.)
OTP devices are frequently called Security Tokens, or
Tokens
A bit confusing, as some smartcards are also known as
tokens, e.g. Aladdin Token)
24
OTP or Smartcard?
Effective functionality and security strengths are
surprisingly similar, however:
Ease of initial deployment:
OTPs have an advantage, as most smartcard systems require
presence of PKI first
Extensibility
Both are similar, though OTPs have an incremental cost for
each additional system being interconnected
Universal Integration
Smartcards and PKI, being based on standards, tend to have
a more universal appeal (as long as PKI is compatible, which
usually is the case) than OTPs
25
RSA SecurID
Probably the best known OTP system
Like most OTPs, it functions as a client-based
Single Sign-On system
Requires additional servers/services
Integrates very well with Microsoft IAM
Unlike smartcards, requires no readers
With web-based thin-client applications, even no
additional client software is needed
26
Client SSOs in IAM
Novell
User
UNIX/Linux
User
Remote Access
Strong Authentication
Remote Windows
Browser
User
User
Windows
User
Web-Admin
Client SSO
Integration
Intranet
Access
Access Gateway
Remote Access
Central Role Management
Account
Management
Console
Extr. Directory
DMZ
Smard Card Management
Central Web Authentication
Central PW-Reset
Central Web Policy Management
Central Directory
& Yellow Pages
Central Self-Service
Desktop SSO
Web SSO
Fed. SSO
Auditing & Reporting
Service Registry
S
Infrastructure
Directory
S
S
S
PKI, eID, DS
IPSec, Netw.-Sec.
ERP
UNIX
Sun
Linux
DB2
S
S
S
Services
S
S
S
S
S
Workflow
S
Provisioning
Backend SSO
Synchronization
Process Integration
Password Synch.
HOST
Mail
RAS
Oracle
SQL
Novell
XYZ
27
RSA SecurID in Microsoft IAM
RSA Strong AuthenticationRemote
SecurIDAccess
UNIX/Linux
User
Windows
User
Remote Windows
User
Web-Admin
RSA Sign-On Manager
Quest
+
Centrify
Intranet
Access
Alacris
ADFS + AzMan
Sharepoint
3rd Party
SQL Server
Rep. Tools
Active Directory
ADAM
/ AD+UDDI)
/ UDDI
(+ADAM,
S
AD
S
S
S
Windows
Server
PKI/IPSec
Windows
CA or
Keon
+
Active Directory
Sun
DMZ
Sharepoint
++
MIIS + MOM
Kerberos
+
AD Groups
UNIX
ADAM
RSA ClearTrust
ISA
Central Role Management, 3rd Party
WebAdmin, 3rd Party
ERP
Browser
User
Linux
DB2
S
SQL Server, ACS, MIIS
S
S
Services
S
S
S
S
S
BizTalk
S
ESSO
MIIS
MIIS
BizTalk
MIIS
HOST
Mail
RAS
Oracle
SQL
Novell
XYZ
28
Biometrics
29
Biometrics
Identification (rather than authentication) of a human
subject by means of scanning their physical
characteristics, such as:
Image (face, iris, retina, hands, papillary lines)
Sound (voice print identification, footsteps)
Movement (writing characteristics, facial ticks)
Chemical (body odour, breath, hair composition, possibly even
DNA analysis)
Physiology (pulse, blood pressure, temperature, blood oxygen
content, intraoccular fluid pressure)
These are typically secondary verifiers to avoid inanimate
objects being used to fool the scanner
30
Biometrics
Generally, an over-hyped area: be careful and sceptical
Useful as a secondary protection of a private key on a
smartcard in a controlled environment
Advantage:
Simple and works in some environs, e.g. immigration
Weakness:
Not useful for at-home, remote etc. applications as no way to
ensure it is your real fingerprint, iris, retina etc. being scanned
Biometric data can be stolen and can be used to fake identity
– no way to change it later
Still many positive and negative false matches
31
Controlled Environments
Presence of a Trusted Observer – Guard, Officer, Witness…
Trustworthiness of biometrics relies on the trust in the
scanner/reader and trust in the correct application of the
scan procedure
Scanner Trust:
There must be no easy way of “replaying” the biometric
sequence, bypassing the device
In reality, this means device must have construction that cannot
be easily compromised, and must have a pre-arranged, trusted
and confidential connection to the Relying Party
Today, this requires a controlled environment
Procedure Trust:
Ensuring that it is a real fingerprint/iris/retina being scanned,
rather than a replica
32
Meaningless Application
Example:
Using a keyboard-based fingerprint scanner to allow a home
user to log into an online banking site
Problems:
Copies of fingerprints will be readily available on the keyboard.
What if the keyboard is stolen?
What if someone breaks into the room and uses your
keyboard?
How does the bank know it is really a finger being scanned?
Future:
Perhaps devices will exist that can overcome these issues, but
that is not likely to happen very soon
33
False Negatives/Positives
Today’s biometrics still suffers from a large pool
of false matches
According to UK Home Office 2005 research, it
would be necessary to scan one iris/retina and
fingers of both hands to reduce the mismatches
to an acceptable level
Future? Very bright, as we overcome this
problem.
34
Role of Biometrics
Mainly: secondary authentication for a
smartcards/token/OTP device
Also
Primary identification in controlled environments
Simplified authentication for low-security
applications
But: that is not strong authentication
35
Summary
36
Summary
Strong authentication removes the need for
user-managed passwords
Most today’s solutions are based either on
smartcards or OTP tokens, and require some
client-specific integration
Biometrics is an interesting enhancement of
identification and, perhaps, authentication but
has limited applications at present
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet
37
Special Thanks
This seminar was prepared with the help of:
Oxford Computer Group Ltd
Expertise in Identity and Access
Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com
Microsoft, with special thanks to:
Daniel Meyer – thanks for many
slides
Steven Adler, Ronny Bjones, Olga
Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert
– Sponsorship
Bas Paumen & NGN - feedback
38
Q&A
Please complete evaluation forms when you receive them – thank you.
Read more about IAM at: www.microsoft.com/idm
Watch other seminars at: www.microsoft.com/itsshowtime
Find all IT Pro technical information at: www.microsoft.com/technet