TFS WorkstationControl White Paper


White Paper
Intelligent Public Key Credential Distribution and Workstation Access Control
TFS Technology

Table of Contents

Overview
Introduction
Important Concepts
Logon Modes
Password Types
Credential Stores
Extended Smart Cards
Functionality
Benefits of Extended Smart Cards
PKI Management
User Credential Storage
BoKS CAs and Certificates
Third-Party CAs and Certificates
Automatic Trust Management
Certificates for Kerberos Authentication
Pre-Existing User Certificates
Configurable Expiration Message
Configurable and Convenient Security Features
Security Policies
Streamlined Logon Process
The Lock Function and Inactivity Protection
About TFS Technology

Overview

Introduction

The TFS Technology Vision: Lead the world in providing enhancements to existing infrastructure, simplifying usage and administration with profound security using products and services that add value for the customer.

The TFS WorkstationControl solution provides comprehensive protection for workstations in a domain and gives administrators complete control over who accesses those workstations. The solution provides the ability to use different protection mechanisms such as passwords, SecurID tokens, Smart Cards and USB tokens to protect user credentials. Regardless of which protection mechanism is used, legitimate users are welcomed to their workstations with the same streamlined authentication process. Individual users can be assigned different protection mechanisms, which make it possible to tailor the protection level according to each user's needs. Protection mechanisms can be exchanged over time without losing user credentials.

Another strength of the TFS WorkstationControl solution is that it provides a uniform way of distributing and managing user credentials such as symmetric keys, RSA keys, certificates, and user data.

TFS WorkstationControl is built on the products TFS BoKS Manager and TFS Desktop, which combine into a single, powerful security solution.

[Figure 1. The TFS WorkstationControl Solution. Diagram labels: TFS BoKS Manager; Domain server (Microsoft or Novell); TFS Desktop; "Check certificate and download encryption keys"; "Automatic authentication call by TFS Desktop".]

TFS BoKS Manager is the central security server that holds the user database containing policies, user accounts, and user credentials. One of the most important services provided by TFS BoKS Manager in this solution is the ability to create, distribute, and revoke user certificates from a central location. TFS BoKS Manager can be deployed on all major UNIX platforms.

TFS Desktop resides on each client machine and provides strong user authentication and access to the user's credentials. TFS Desktop offers streamlined logon features, such as single-sign-on capability that allows users to log on only once to access TFS Desktop and the primary network provider. It also offers additional security functionality, such as the Auto Logon feature that allows users to "train" TFS Desktop to recognize and log users on to their Windows applications without their intervention. TFS Desktop makes it possible for users to roam between machines in the domain, while always maintaining access to the same credentials. It also supports machines that roam between the protected domain and the Internet, which makes the solution suitable for installations in which laptops are used in different environments. See "TFS Desktop Technical Data and Requirements" for platform information.

Important Concepts

Logon Modes

The solution may be set up to replace the native logon machinery of the client operating system. This configuration is referred to as Integrated Logon mode. In this mode, the user logs on to his or her machine using TFS Desktop, which automatically and transparently handles the Windows (or Novell) domain logon. If passwords are used as the protection mechanism, it is possible to synchronize passwords between the BoKS domain and the Windows (Novell) domain. The login sequence is as follows:

1. The user authenticates to TFS Desktop using one of the available protection mechanisms.
2. The TFS Desktop communicates with TFS BoKS Manager, which authenticates the user.
3. If the authentication succeeds, the user's credentials are downloaded, and the user is authenticated to his or her primary domain server.

Alternatively, TFS Desktop may be used to protect specific credentials. This configuration is referred to as On Demand Logon mode. In this mode, the user logs on using the normal Windows logon functionality. The user will be required to authenticate to the TFS WorkstationControl Solution only when access to credentials is required. For example, in cases in which certificates and keys for signing are among the credentials, user authentication will be forced as soon as the user signs an .

Password Types

Regular Passwords

Passwords are used to cryptographically protect Cards. TFS Desktop has settings that can be used to enforce password policies.

RSA SecurID Token Passcodes

The password strength of a Card can be greatly improved by using an RSA SecurID token. This kind of token adds two-factor authentication by providing a random, time-based passcode. The user supplies both the passcode and a normal password when he or she authenticates. The information is sent to TFS BoKS Manager, which then uses an RSA ACE/Server for passcode authentication. TFS WorkstationControl comes complete with support for RSA SecurID with no need for extra client-side software. A working RSA ACE/Server is required for SecurID authentication.

PIN codes

Passwords used to open Smart Cards are usually referred to as PIN codes. Besides opening Smart Cards with PIN codes, TFS Desktop can be used to enter PUK codes for unlocking blocked Smart Cards and for PIN code changes. PIN codes are the entry mechanism for Extended Smart Cards, since the Smart Card component has to be opened in order to unlock the Card. In the remainder of this document both PIN codes and regular passwords are referred to as passwords.

Domain Passwords

An inherent weakness of password-based encryption is that an attacker may try to guess the password by going through a long list of possible passwords. This approach is known as a dictionary attack. The TFS WorkstationControl Solution has a feature called Domain Passwords, which protects from dictionary attacks against Cards. Note that the term does not refer to a separate password type, but to a password protection feature.

If the Domain Passwords feature is enabled, each Card is protected with a randomly generated password. The user password is not used to open the Card. Instead, when the user logs on, the user password is sent from TFS Desktop to TFS BoKS Manager for verification. If the user password is correct and the user has not previously depleted his password attempts, the randomly generated password is sent to TFS Desktop where it is used to open the Card.

Credential Stores

Credentials that are associated with a user must be stored in a secure and protected way. TFS Technology offers several different storage solutions built on hardware and software protection methods and devices. Using TFS BoKS Manager, credential data is automatically synchronized. It is possible to select the degree of credential roaming allowed by allowing or disallowing client-side caching of credentials. The following diagram illustrates some of the variants:

[Figure 2. Credential Store Types and Usage. Diagram labels: TFS BoKS Manager (Card 1 to Card 4); Cards synchronized with server; Cards cached on client; Smart Cards; Online logon; Online + Offline logon.]

Smart Cards

A physical device kept in the user's possession that contains a hardware chip that can store user credentials. In order to use a Smart Card, a reader has to be installed on the client machine. Smart Cards are very secure cryptographic containers because a PIN-code must be entered to gain access to the credentials and data. After a predefined number of failed PIN attempts, the Smart Card locks up. This feature makes Smart Cards immune to cryptographic attacks.

USB Tokens

USB tokens are a relatively new class of cryptographic devices. Technically, a USB token is a combination of a Smart Card and a Smart Card reader in a common USB device. The advantage is that no reader installation is needed in order to roam between computers. A USB token works just as any Smart Card in conjunction with TFS Desktop. Both Smart Cards and USB tokens are referred to as Smart Cards in the remainder of this document.
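The Domain Passwords flow described under Password Types can be modelled in a few lines. This is an added example, not TFS code: the class and function names are hypothetical, a key-check tag stands in for the encrypted Card file, and the attempt limit of 3 and the counter reset on success are assumptions the paper does not state.

```python
import hashlib
import hmac
import secrets

KDF_ROUNDS = 20_000   # kept low so the demo runs quickly; assumed value
MAX_ATTEMPTS = 3      # assumed limit; the paper gives no number


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive a key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


def seal_card(card_password: str) -> dict:
    """Model a Card as salt + key-check tag (stand-in for the encrypted file)."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(_kdf(card_password, salt), b"card-check", hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def opens_card(card: dict, candidate: str) -> bool:
    """True if the candidate password derives the key that sealed the Card."""
    tag = hmac.new(_kdf(candidate, card["salt"]), b"card-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, card["tag"])


def candidates_that_open(card: dict, wordlist: list) -> list:
    """What an offline check of a copied Card file against a wordlist yields."""
    return [word for word in wordlist if opens_card(card, word)]


class DomainPasswordServer:
    """Hypothetical stand-in for the server-side verification step."""

    def __init__(self) -> None:
        self._accounts = {}

    def enroll(self, user: str, user_password: str) -> dict:
        """Create a Card sealed with a random password the user never sees."""
        card_password = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._accounts[user] = {
            "salt": salt,
            "verifier": _kdf(user_password, salt),  # never the clear password
            "card_password": card_password,
            "failures": 0,
        }
        return seal_card(card_password)

    def release_card_password(self, user: str, user_password: str):
        """Return the random Card password only after a successful check."""
        acct = self._accounts.get(user)
        if acct is None or acct["failures"] >= MAX_ATTEMPTS:
            return None  # unknown user, or password attempts depleted
        supplied = _kdf(user_password, acct["salt"])
        if not hmac.compare_digest(supplied, acct["verifier"]):
            acct["failures"] += 1
            return None
        acct["failures"] = 0  # assumption: a success resets the counter
        return acct["card_password"]


if __name__ == "__main__":
    wordlist = ["123456", "password", "correct horse"]  # constructed sample
    server = DomainPasswordServer()
    card = server.enroll("alice", "correct horse")
    print("offline hits, Domain Passwords on :", candidates_that_open(card, wordlist))
    print("offline hits, Domain Passwords off:",
          candidates_that_open(seal_card("correct horse"), wordlist))
```

The guess rate against the user password is bounded by the server's attempt counter, while a copied Card file can only be tested against the random password's full keyspace.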

Cards

A Card is a symmetrically encrypted file that contains user credentials. As the name indicates, a Card duplicates the functionality of a Smart Card. This means that the Card contains separate storage areas for keys, certificates, and parameters. A Card can be used to store the same kind of information as a Smart Card, but does not have the memory constraints of the hardware-based Smart Card solution.

Extended Smart Cards

An Extended Smart Card is a combination of a Card and a Smart Card. PKI keys on the Smart Card are used to protect the Card. The resulting Credential Store combination inherits the best qualities from both storage methods. A later section describes the Extended Smart Card solution in greater detail.

The following diagram illustrates the variants of Card protection. Please note that SecurID protection is not shown explicitly but is included in the first example (Card 1):

[Figure 3. Protection Mechanisms for Cards]

Extended Smart Cards

An Extended Smart Card is created when a key pair from the Smart Card is used instead of a password to encrypt the Card. As a result, the Card becomes a transparent extension of the Smart Card. The user experience remains the same as with a normal Smart Card, but the space and management problems are resolved. All data parameters and new certificates can be placed in the Extension Card (the Card that is combined with a Smart Card to form the Extended Smart Card) for automatic data backup and storage.

Functionality

Extended Smart Card Creation

Creating an Extended Smart Card in TFS WorkstationControl is a simple process:

- Using TFS BoKS Manager, the administrator creates a password-protected Card and ties it to a user account.
- Next, the administrator protects the Card with a Smart Card by importing a certificate associated with a key pair on the Smart Card.
- The user can now use both the Smart Card and the password as protection mechanisms for his or her credentials. (The password protection can be removed at the discretion of the administrator.)

Users can be allowed to create an Extended Smart Card directly from TFS Desktop. In this case, the administrator need only create a Card and give the password for the Card and a Smart Card to the user. The user initially logs in with the password and then adds the Smart Card protection mechanism. In this scenario, the password protection mechanism is automatically removed to prevent unwanted password backdoors to the Credential Store.

Managing Lost Smart Cards and Key Recovery

If a user loses the Smart Card portion of the Extended Smart Card, the administrator can remove the Smart Card protection mechanism and provide the user with a new password. The user can use the password to access the Card, where the user's credentials are stored, and can continue to use the credentials in this way until a replacement Smart Card is available.

Extended Smart Cards Protect Traveling Users

A user who loses his or her Smart Card while traveling may not be able to log on online to automatically download a new Card. Administrators can prepare for this event by leaving the Card password protection mechanism activated when creating the Extended Smart Card. The password is not provided to the user. If the user loses the Smart Card, he or she calls the administrator and obtains the password for the Card. This procedure allows the administrator to constrain the use of password authentication to emergency cases only.

Extended Smart Cards Provide Stability and Flexibility

Extended Smart Cards make it possible to use different authentication methods in a seamless way. Users can be provided with different authentication solutions over time, but their important credentials always stay the same. It is also possible to have users with full-featured non-extended Smart Cards in the same context as Extended Smart Card users. This makes it possible to migrate between Smart Card solutions at your convenience without massive hardware deployments.

Benefits of Extended Smart Cards

To appreciate the benefits of Extended Smart Cards, it is helpful to understand the strengths and weaknesses of Smart Cards and Cards.

Smart Cards

Pros:
- Strong protection of data with automatic, non-revocable locking
- True data roaming
- Personal key protected by hardware

Cons:
- Cumbersome key and certificate management that cannot be easily centralized
- Severe memory limitations for data and keys
- Risk of complete loss of data if the card is lost
- Development of complete Smart Card drivers is difficult and expensive

Cards

Pros:
- Easy, central management
- Automatic data backup and storage
- No memory limitations

Cons:
- Weaker (password-based) protection
- Symmetric key operations in software

Extended Smart Cards combine desired properties from both Smart Cards and Cards:

- Smart Card storage limitation problems are solved. New data is stored in the Extension Card rather than on the Smart Card.
- Support for read-only Smart Cards. In cases in which users are prevented from making changes to the Smart Card, such as identity cards issued by authorities, it is impossible to store parameters and additional keys on the Smart Card. Instead, these credentials can be stored on the Extension Card.
- Support for devices without storage capacity. Even devices such as mobile telephones and certain USB tokens that cannot do much more than provide an RSA keypair and encryption capabilities can serve as protection devices for Extension Cards.
- Protection of Smart Card investment. The functionality of existing hardware can be extended over time without replacing all of the Smart Cards.
- Quick driver development. Because less is required of the Smart Card, development of new smart card drivers is simplified. Some existing PKCS #11 modules may even be used off the shelf.
- Support for multiple Smart Card devices with the same level of system functionality. Since the Smart Card functionality is extended, it is possible for an organization to mix different Smart Card types and manage them in a uniform way.
- Reduced administration. If the Smart Card is the sole way of accessing a system and the sole bearer of the user's credentials, it causes administrative overhead when the user loses the Smart Card. However, if the Smart Card is used only as a key to the Extension Card, it is possible to replace the Smart Card without losing any credential information. A new Smart Card can simply be assigned to the Extension Card, which allows the user to continue to access systems in the enterprise and user credentials stored in the Card.
- Improved Card encryption protection. An Extended Smart Card is much harder to attack cryptographically than a password-protected Card.

PKI Management

TFS WorkstationControl uses certificate-based authentication as the ultimate guarantor of a user's identity and provides tools to facilitate the creation and management of user certificates. The TFS WorkstationControl Solution provides various options for setting up the CA hierarchy, as well as straightforward GUIs and clear instructions for managing the CAs and the certificates they sign.

User Credential Storage

All users must have a place to store credentials. In TFS WorkstationControl, the storage point is called the Credential Store. All elements necessary for enabling users to log on to TFS Desktop and use its security features are kept in the Credential Store. Credential Stores hold both public and private security information, including:

- RSA key-pairs and x.509 v3 certificates
- The user's primary network operating system logon information (Windows or NetWare)
- The user's symmetric file encryption keys
- Secure storage space

TFS WorkstationControl supports completely hardware-based Credential Stores, where all credentials reside on Smart Cards (or USB Tokens). The solution also supports completely software-based storage where all credentials reside in Cards. A third alternative is the combination of both Smart Cards and Cards (referred to as Extended Smart Cards).

The type of Credential Store that is best suited varies between installations. If absolute security is required, a Smart Card-based solution may be needed. Cards, on the other hand, are more cost-effective since central management is simplified and no hardware is required. Extended Smart Cards offer a combination of the advantages of Smart Cards and Cards.

TFS BoKS Manager

All user accounts are created in TFS BoKS Manager. (This may be done by importing from an LDAP user directory, for example.) The next step is to associate the user account to a Credential Store. This may be a Card, a Smart Card or an Extended Smart Card. Cards are created by TFS BoKS Manager and tied to accounts simultaneously. Smart Cards are tied to user accounts by using data from a certificate that resides on the Smart Card or by using the certificate itself.

Throughout the lifespan of the user account, TFS BoKS Manager can be used to manage Credential Store ties to users and other managerial tasks. Examples of this are Card password change, certificate replacement and user blocking. TFS BoKS Manager is installed on a UNIX server, but the management interface is Web based and can be run from any browser.

TFS Desktop

TFS Desktop contains a utility called the Credential Store Manager. This is an easy-to-use GUI-based utility that allows users to view information about their certificates, delete obsolete certificates, and select which certificates are to be used as the default signing and encryption certificates within the TFS WorkstationControl Solution.

Two of the certificates in the Credential Store are of particular importance to TFS Desktop. The first is used to establish the user's identity and is referred to as the "signing certificate." The second is used for encryption operations such as key negotiations and is referred to as the "encryption certificate." A single certificate (a so-called multipurpose certificate) can be used for both purposes. TFS Desktop provides easy life cycle management of these certificates by providing automatic rule-based certificate selection.

BoKS CAs and Certificates

With TFS WorkstationControl, you can generate an internal BoKS CA hierarchy, which is required to use TFS BoKS Manager as an authentication server for users logging in using TFS Desktop. Once you generate the BoKS CA hierarchy, you can use it to create Cards containing certificates signed by the BoKS CA to allow users secure system access. The following are key concepts of BoKS CA management:

- CAs can be classified to determine what the certificates they issue can be used for in the BoKS environment.
- CAs and certificates are most often digitally signed by another CA to prove their legitimacy. The exception is self-signed CAs, which are not signed by another CA. A root CA, the top CA in the chain, or hierarchy, is self-signed.
- When a CA issues a certificate, it signs the certificate with its private key. In this way, anyone with the CA's public key can always determine whether or not a certificate attributed to it is valid.
- Certificates can be revoked. The revocation status of certificates issued by a CA is controlled using Certificate Revocation Lists (CRLs). These are lists of revoked certificates maintained by the CA. Only certificates issued by that CA appear on the CRL. If a certificate does not appear on the appropriate CRL, it is considered valid. For third-party CA certificates, TFS BoKS Manager can be configured to download CRLs.
- Certificates have a pre-determined lifespan. When a CA root certificate becomes invalid, all certificates below it in the certificate chain automatically become invalid as well.

Third-Party CAs and Certificates

If your organization requires certificates that are trusted outside of the BoKS system, TFS BoKS Manager provides the option to use third-party CAs and certificates issued by these CAs instead of the BoKS CAs. You can import third-party CAs into TFS BoKS Manager and perform a number of operations on the CA, including:

- Defining one or more LDAP URL(s) for the CA from which to download CRLs
- Downloading CRLs from the CA manually
- Blocking the third-party CA and certificates issued by that CA from use within the BoKS domain

Issuance, revocation, and renewal of third-party certificates must be performed using the third-party CA software.

Automatic Trust Management

One of the challenges of a PKI deployment is to manage trust. It is simple enough to add or remove intermediate and root CA certificates on a server, but in order to take advantage of trust management it is important to be able to push the list of trusted CA certificates on to individual users. TFS WorkstationControl handles automatic and transparent downloading of CA trust lists from TFS BoKS Manager to each TFS Desktop.

If a CA certificate is added to the list of trusted certificates on the server, the trust will automatically be pushed to all client machines. The individual TFS Desktops will then automatically publish the trust list through Microsoft's standard interface. This means that all applications that rely on PKI authentication can use the CA certificates. Examples of such applications are clients and various encryption applications. If a CA certificate is removed from the trust list on the server, it will automatically be removed from TFS Desktop machines.

Certificates for Kerberos Authentication

In addition to BoKS and third-party certificates, the Credential Store can store the certificates required to allow users to log on to Windows 2000/XP clients running in a Windows 2000 domain using Kerberos certificate-based authentication.
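The status rules listed above (per-CA CRLs, expiry propagating down from the root, blocked third-party CAs, and the trust list) can be expressed as a small chain walk. This is an added example, not TFS code: the class and method names are hypothetical, the certificates and dates are constructed, and signature verification is out of scope, so issuers are matched by name only.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # equals subject for a self-signed root CA
    serial: int
    not_before: date
    not_after: date
    is_ca: bool = False


@dataclass
class Directory:
    """Hypothetical model of the server-side certificate state."""
    certs: Dict[str, Cert] = field(default_factory=dict)
    crls: Dict[str, Set[int]] = field(default_factory=dict)   # one CRL per issuing CA
    trusted_roots: Set[str] = field(default_factory=set)
    blocked_cas: Set[str] = field(default_factory=set)

    def add(self, cert: Cert, trusted_root: bool = False) -> None:
        self.certs[cert.subject] = cert
        if trusted_root:
            self.trusted_roots.add(cert.subject)

    def revoke(self, cert: Cert) -> None:
        # Only the issuing CA's own CRL lists the certificate.
        self.crls.setdefault(cert.issuer, set()).add(cert.serial)

    def status(self, subject: str, today: date) -> Tuple[bool, str]:
        cert = self.certs.get(subject)
        if cert is None:
            return False, "unknown certificate"
        visited = set()
        while True:
            if cert.subject in visited:
                return False, "issuer loop"
            visited.add(cert.subject)
            if not (cert.not_before <= today <= cert.not_after):
                return False, f"{cert.subject}: outside validity period"
            if cert.subject in self.blocked_cas:
                return False, f"{cert.subject}: CA blocked"
            if cert.issuer == cert.subject:          # reached a self-signed root
                if cert.subject in self.trusted_roots:
                    return True, "valid"
                return False, f"{cert.subject}: root not trusted"
            if cert.serial in self.crls.get(cert.issuer, set()):
                return False, f"{cert.subject}: revoked"
            issuer = self.certs.get(cert.issuer)
            if issuer is None or not issuer.is_ca:
                return False, f"{cert.subject}: issuer missing or not a CA"
            cert = issuer                            # absent from the CRL: keep walking up


def build_sample() -> Directory:
    """Constructed data; lower certificates deliberately outlive the BoKS root."""
    d = Directory()
    d.add(Cert("BoKS Root CA", "BoKS Root CA", 1,
               date(2000, 1, 1), date(2005, 12, 31), is_ca=True), trusted_root=True)
    d.add(Cert("BoKS Issuing CA", "BoKS Root CA", 2,
               date(2001, 1, 1), date(2007, 12, 31), is_ca=True))
    d.add(Cert("alice", "BoKS Issuing CA", 7, date(2003, 1, 1), date(2006, 12, 31)))
    d.add(Cert("ThirdParty Root CA", "ThirdParty Root CA", 1,
               date(2000, 1, 1), date(2010, 12, 31), is_ca=True), trusted_root=True)
    d.add(Cert("bob", "ThirdParty Root CA", 7, date(2003, 1, 1), date(2006, 12, 31)))
    return d


if __name__ == "__main__":
    d = build_sample()
    d.revoke(d.certs["alice"])
    for name in ("alice", "bob"):
        print(name, d.status(name, date(2004, 3, 1)))
```

Because CRLs are keyed by issuing CA, revoking alice (serial 7 under the BoKS issuing CA) leaves bob (serial 7 under the third-party CA) untouched.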

Pre-Existing User Certificates

If your organization already has user certificates in place, TFS WorkstationControl protects this investment by providing the TFS Desktop PKCS #12 import utility. The utility can be used to import certificates and key pairs into the Credential Store. Netscape and Microsoft applications use the PKCS #12 file format as their credential import/export file format. For security reasons, TFS Desktop requires that the PKCS #12 files are password encrypted.

Configurable Expiration Message

This TFS Desktop feature allows administrators to define a warning message that displays a specified number of days before the expiration of the certificate that is used to authenticate the user. The message window can also be configured to contain a link to an enrollment web page. With this feature, administrators and users need not track certificate expiration information manually, and administrators are spared the task of communicating certificate expiration information to users individually.

Configurable and Convenient Security Features

Security Policies

TFS Desktop provides convenient, easy-to-use configuration modules in which administrators can customize the solution's security features to enforce and support the security policies of the organization. The configurable policies are Password, Logon, and Certificate.

Using Password policy settings, the administrator can define:

- Minimum password length and minimum number of digits it must contain
- Whether users can reuse the same password when changing passwords
- Whether users can unlock their own Credential Stores
- Whether the current password is entered automatically in the Change Password dialog box
- A TFS Desktop password management policy for managing users' Windows, network, and TFS Desktop passwords

Using Logon policy settings, the administrator can define:

- Which users can log on to TFS Desktop based on information in the user certificate
- How many logon attempts users are allowed in logging on to TFS Desktop
- Logon permissions for administrator-defined user categories
- Whether a user can shut down his or her PC without logging on to TFS Desktop
- Whether users are automatically logged on offline or online depending on TFS BoKS Manager availability
- Whether users can create their own Extended Smart Cards
- Whether a specific user category is allowed to log a previous user off
- Whether a screen saver is integrated with the lock function

Using Certificate policy settings, the administrator can define:

- The order of the prioritization criteria for selection of a logon certificate
- When to warn users that a certificate is about to expire
- A link to a CA enrollment screen, from which users can obtain new user certificates

The administrator performs the above customizations on just one installation of the solution, which is called the reference installation. Once the administrator is satisfied with the configuration, he or she deploys that installation to users by means of Microsoft SMS or Active Directory. It is also possible to allow users to install the configuration file themselves by placing user machines in Elevated Privileges mode (Windows 2000/XP only). If the security policies of the organization change, the administrator can easily reconfigure and redeploy the security policy settings.

Streamlined Logon Process

TFS Desktop offers two intelligently designed features that streamline the logon process: Integrated Logon mode and Auto Logon.

Integrated Logon mode

When configured in Integrated Logon mode, TFS Desktop provides single sign-on to the user's TFS Desktop and primary network provider. The logon information is securely encrypted in the user's Credential Store. The first time the user logs on, the software detects that the primary logon information is not present inside the Credential Store. TFS Desktop prompts the user for this information and logs the user on to the network. The logon information is then stored securely inside the Credential Store and used for future logons by that user. If the user supplies inaccurate network authentication information, he or she is re-prompted for the correct information.

Auto Logon

In addition to storing network logon information, users can also store logon information for their various Windows applications using TFS Desktop's Auto Logon feature. Using the simple Learn Wizard utility, the user "teaches" Auto Logon the information it needs to log the user on to Windows applications without his or her intervention. As with the network logon information, Windows application logon data is stored securely in the Credential Store. When the software detects a user opening a Windows application, it fills in the logon dialog box with the appropriate information. The user does nothing except wait for the short interval it takes for the application to open. In addition to capturing logon information, Auto Logon allows users to view, edit, or delete the stored logon information.

The Lock Function and Inactivity Protection

A TFS Desktop-protected workstation is easily locked when a user steps away from his or her desk. Card users double-click the TFS Desktop icon in the Windows system tray. Smart Card and Extended Smart Card users simply remove the Smart Card from the reader. Once the system is locked, users must re-authenticate to gain access to the system.

Although TFS Desktop does not include automatic inactivity protection, it can be configured to integrate a screen saver with the lock function. When the screen saver is activated, the user must re-authenticate to continue using the workstation.

One System, Many Solutions

TFS Technology achieves synergy between its different solutions because they are all part of the same standards-based system that protects critical applications while complying with enterprise-wide security policies. Its central component, TFS BoKS Manager, provides not only central administration, but also a central point of security information for other applications. A number of solutions are available in the system including UNIX administration, file encryption, secure messaging, directory synchronization, and many more. TFS currently offers subsets of these services as individual licenses.

About TFS Technology

TFS Technology is an international award-winning provider of solutions that simplify usage and administration of existing infrastructure while providing profound security for today's successful businesses. With solutions adopted in more than 1,000 organizations spanning 30 countries, TFS Technology leads the world in providing value-added products and services to the customer.

The history of the company goes back to 1992 when the development work of the TFS product family was initiated within the TenFour organization. In 2001, TFS Technology was established as a separate entity focusing strictly on product development of security and connectivity solutions. In 2002, TFS acquired key management and file encryption products from RSA Security Inc., strategically positioning TFS as a comprehensive provider of e-security solutions. Today, TFS Technology's management team consists of the original inventors and developers of both successful product families, and is dedicated to continuing their strong product reputation of developing easy-to-use solutions.

TFS Technology US Inc. info@tfstech.com
TFS Technology Sweden AB info@tfstech.com
TFS Technology UK Ltd. info@tfstech.com

Copyright 2004 TFS Technology. All rights reserved. WCWP 03/04


More information

1 Hitachi ID Password Manager

1 Hitachi ID Password Manager 1 Hitachi ID Password Manager Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Integrated credential management: Passwords, security questions, certificates, tokens, smart cards

More information

IBM i Version 7.2. Security Digital Certificate Manager IBM

IBM i Version 7.2. Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM IBM i Version 7.2 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information

More information

Intel Security/McAfee Endpoint Encryption

Intel Security/McAfee Endpoint Encryption RSA Ready Implementation Guide for RSA SecurID Last Modified: March 13, 2015 Partner Information Product Information Partner Name Intel Security formerly McAfee Web Site www.mcafee.com Product Name for

More information

Certification Authority

Certification Authority Certification Authority Overview Identifying CA Hierarchy Design Requirements Common CA Hierarchy Designs Documenting Legal Requirements Analyzing Design Requirements Designing a Hierarchy Structure Identifying

More information

YubiKey Smart Card Deployment Guide

YubiKey Smart Card Deployment Guide YubiKey Smart Card Deployment Guide Best Practices and Basic Setup YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n Copyright 2017 Yubico Inc. All rights reserved. Trademarks

More information

Authentication Methods

Authentication Methods CERT-EU Security Whitepaper 16-003 Authentication Methods D.Antoniou, K.Socha ver. 1.0 20/12/2016 TLP: WHITE 1 Authentication Lately, protecting data has become increasingly difficult task. Cyber-attacks

More information

SSH Communications Tectia SSH

SSH Communications Tectia SSH Secured by RSA Implementation Guide for 3rd Party PKI Applications Last Modified: December 8, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product

More information

Single Secure Credential to Access Facilities and IT Resources

Single Secure Credential to Access Facilities and IT Resources Single Secure Credential to Access Facilities and IT Resources HID PIV Solutions Securing access to premises, applications and networks Organizational Challenges Organizations that want to secure access

More information

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide 2 Wave Systems Corp. Client User Guide Table of Contents Overview... 3 What is the Trusted Drive Manager?... 3 Key Features of Trusted Drive Manager... 3 Getting Started... 4 Required Components... 4 Configure

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager Version 8.0 Rev A User s Guide Copyright 2010 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.

More information

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION HID ActivOne USER FRIENDLY STRONG AUTHENTICATION We understand IT security is one of the TOUGHEST business challenges today. HID Global is your trusted partner in the fight against data breach due to misused

More information

Secure single sign-on for cloud applications

Secure single sign-on for cloud applications Secure single sign-on for cloud applications Secure single sign-on for cloud applications Traditional on-premises tools used to rule the IT environments of most organizations, but now cloud applications

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust

More information

Data Protection and Synchronization for Desktop and Laptop Users VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS DESKTOP AND LAPTOP OPTION

Data Protection and Synchronization for Desktop and Laptop Users VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS DESKTOP AND LAPTOP OPTION Data Protection and Synchronization for Desktop and Laptop Users VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS DESKTOP AND LAPTOP OPTION 1 TABLE OF CONTENTS VERITAS BACKUP EXEC 9.1 FOR WINDOWS SERVERS...1

More information

Axway Validation Authority Suite

Axway Validation Authority Suite Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to

More information

USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003)

USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003) YATANARPON TELEPORT COMPANY LTD., YATANARPON CERTIFICATION AUTHORITY USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003) Yatanarpon Teleport Company Ltd., Hlaing Universities Campus, Hlaing Township,

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

The SafeNet Security System Version 3 Overview

The SafeNet Security System Version 3 Overview The SafeNet Security System Version 3 Overview Version 3 Overview Abstract This document provides a description of Information Resource Engineering s SafeNet version 3 products. SafeNet version 3 products

More information

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems Technical Overview of in Windows 7 and Windows Server 2008 R2 Microsoft Windows Family of Operating Systems Published: January 2009 This document supports a preliminary release of a software product that

More information

white paper SMS Authentication: 10 Things to Know Before You Buy

white paper SMS Authentication: 10 Things to Know Before You Buy white paper SMS Authentication: 10 Things to Know Before You Buy SMS Authentication white paper Introduction Delivering instant remote access is no longer just about remote employees. It s about enabling

More information

Team Project Management

Team Project Management TEAM PROJECT MANAGEMENT 149 Team Project Management Tasks of the Project Administrator When working in teams, one person should be the designated administrator. Sets up the Project The project administrator

More information

Check Point GO R75. User Guide. 14 November Classification: [Public]

Check Point GO R75. User Guide. 14 November Classification: [Public] Check Point GO R75 User Guide 14 November 2011 Classification: [Public] 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

VMware Horizon Workspace Security Features WHITE PAPER

VMware Horizon Workspace Security Features WHITE PAPER VMware Horizon Workspace WHITE PAPER Table of Contents... Introduction.... 4 Horizon Workspace vapp Security.... 5 Virtual Machine Security Hardening.... 5 Authentication.... 6 Activation.... 6 Horizon

More information

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product>

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product> RSA SECURID ACCESS Standard Agent Implementation Guide WALLIX Daniel R. Pintal, RSA Partner Engineering Last Modified: September 21, 2016 Solution Summary Acting as a single

More information

Step-by-step installation guide for monitoring untrusted servers using Operations Manager

Step-by-step installation guide for monitoring untrusted servers using Operations Manager Step-by-step installation guide for monitoring untrusted servers using Operations Manager Most of the time through Operations Manager, you may require to monitor servers and clients that are located outside

More information

Pass4sure CASECURID01.70 Questions

Pass4sure CASECURID01.70 Questions Pass4sure.050-80-CASECURID01.70 Questions Number: 050-80-CASECURID01 Passing Score: 800 Time Limit: 120 min File Version: 4.8 http://www.gratisexam.com/ 050-80-CASECURID01 RSA SecurID Certified Administrator

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

CERN Certification Authority

CERN Certification Authority CERN Certification Authority Emmanuel Ormancey (IT/IS) What are Certificates? What are Certificates? Digital certificates are electronic credentials that are used to certify the identities of individuals,

More information

SafeNet Authentication Client

SafeNet Authentication Client SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the

More information

keyon / PKCS#11 to MS-CAPI Bridge User Guide V2.4

keyon / PKCS#11 to MS-CAPI Bridge User Guide V2.4 / PKCS#11 to MS-CAPI Bridge V2.4 April 2017 Table of Contents Copyright 2017 by AG All rights reserved. No part of the contents of this manual may be reproduced or transmitted in any form or by any means

More information

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide Microsoft Office Groove Server 2007 Groove Manager Domain Administrator s Guide Copyright Information in this document, including URL and other Internet Web site references, is subject to change without

More information

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014 Secured by RSA Implementation Guide for 3rd Party PKI Applications Last Modified: February 10 th, 2014 Partner Information Product Information Partner Name Xceedium Web Site www.xceedium.com Product Name

More information

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1 CLIQ Web Manager User Manual V 6.1 The global leader in door opening solutions Program version: 6.1 Document number: ST-003478 Date published: 2016-03-31 Language: en-gb Table of contents 1 Overview...9

More information

Endpoint Protection with DigitalPersona Pro

Endpoint Protection with DigitalPersona Pro DigitalPersona Product Brief Endpoint Protection with DigitalPersona Pro An introductory technical overview to DigitalPersona s suite for Access Management, Data Protection and Secure Communication. April

More information

A Foxit Software Company White Paper

A Foxit Software Company White Paper A Foxit Software Company White Paper www.foxitsoftware.com Foxit Software Company, LLC. June 2009 TABLE OF CONTENTS Abstract... 3 Introduction... 4 The Need for Data Security Policies... 4 PDF in the Enterprise...

More information

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure AXIAD IDS CLOUD SOLUTION Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure Logical Access Use Cases ONE BADGE FOR CONVERGED PHYSICAL AND IT ACCESS Corporate ID badge for physical

More information

Integrating Hitachi ID Suite with WebSSO Systems

Integrating Hitachi ID Suite with WebSSO Systems Integrating Hitachi ID Suite with WebSSO Systems 2016 Hitachi ID Systems, Inc. All rights reserved. Web single sign-on (WebSSO) systems are a widely deployed technology for managing user authentication

More information

Authentication is not limited to the workstation logon but it supports also Remote Desktop, Shares, Hyper-V Sessions, etc.

Authentication is not limited to the workstation logon but it supports also Remote Desktop, Shares, Hyper-V Sessions, etc. Aloaha Smartlogin Aloaha Smartlogin allows you to logon to your windows machine with a Smart Card, PKCS #11 Token, USB Memory Stick or just a plain Memory Card such as I2c or Mifare. Authentication is

More information

Meeting the requirements of PCI DSS 3.2 standard to user authentication

Meeting the requirements of PCI DSS 3.2 standard to user authentication Meeting the requirements of PCI DSS 3.2 standard to user authentication Using the Indeed Identity products for authentication In April 2016, the new PCI DSS 3.2 version was adopted. Some of this version

More information

Equitrac Integrated for Konica Minolta. Setup Guide Equitrac Corporation

Equitrac Integrated for Konica Minolta. Setup Guide Equitrac Corporation Equitrac Integrated for Konica Minolta 1.2 Setup Guide 2012 Equitrac Corporation Equitrac Integrated for Konica Minolta Setup Guide Document Revision History Revision Date Revision List November 1, 2012

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.

More information

Integrated Access Management Solutions. Access Televentures

Integrated Access Management Solutions. Access Televentures Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1

More information

SC-3 USB Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

SC-3 USB Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved SC-3 USB Token QUICK Reference Copyright 2007 CRYPTOCard Corporation All Rights Reserved 091807 http://www.cryptocard.com Table of Contents OVERVIEW... 1 OPERATING MODES & OPTIONS... 2 USING THE SC-3 USB

More information

Centrify Infrastructure Services

Centrify Infrastructure Services Centrify Infrastructure Services Smart Card Configuration Guide August 2018 (release 18.8) Centrify Corporation Legal Notice This document and the software described in this document are furnished under

More information

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT SUBSCRIBER S GUIDE VERSION 1.3 ECB-PUBLIC 15-April-2014 ESCB-PKI - Subscriber's Procedures v.1.3.docx Page 2 of 26 TABLE OF CONTENTS GLOSSARY AND ACRONYMS...

More information

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003 Credential Management in the Grid Security Infrastructure GlobusWorld Security Workshop January 16, 2003 Jim Basney jbasney@ncsa.uiuc.edu http://www.ncsa.uiuc.edu/~jbasney/ Credential Management Enrollment:

More information

RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ]

RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ] s@lm@n RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ] Question No : 1 An RSA SecurID tokencode is unique for each successful authentication

More information

MobilePASS. Security Features SOFTWARE AUTHENTICATION SOLUTIONS. Contents

MobilePASS. Security Features SOFTWARE AUTHENTICATION SOLUTIONS. Contents MobilePASS SOFTWARE AUTHENTICATION SOLUTIONS Security Features Contents Introduction... 2 Technical Features... 2 Security Features... 3 PIN Protection... 3 Seed Protection... 3 Security Mechanisms per

More information

McAfee File and Removable Media Protection Product Guide

McAfee File and Removable Media Protection Product Guide McAfee File and Removable Media Protection 5.0.8 Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Managing and Maintaining Windows 8

Managing and Maintaining Windows 8 Managing and Maintaining Windows 8 Number: 070-688 Passing Score: 700 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ All questions are taken from demo PDF files at: - Test4Actual - PassFine

More information

SafeNet Authentication Client

SafeNet Authentication Client SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto and/or its subsidiaries who shall have and keep the

More information

Salesforce1 Mobile Security White Paper. Revised: April 2014

Salesforce1 Mobile Security White Paper. Revised: April 2014 Salesforce1 Mobile Security White Paper Revised: April 2014 Table of Contents Introduction Salesforce1 Architecture Overview Authorization and Permissions Communication Security Authentication OAuth Pairing

More information

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because 1 RSA - 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because A. a token periodically calculates a new

More information

SecureDoc Disk Encryption Cryptographic Engine

SecureDoc Disk Encryption Cryptographic Engine SecureDoc Disk Encryption Cryptographic Engine Security Policy Abstract: This document specifies Security Policy enforced by the SecureDoc Cryptographic Engine compliant with the requirements of FIPS 140-2

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

RSA Authentication Manager 7.1 Administrator s Guide

RSA Authentication Manager 7.1 Administrator s Guide RSA Authentication Manager 7.1 Administrator s Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA

More information

Protected EAP (PEAP) Application Note

Protected EAP (PEAP) Application Note to users of Microsoft Windows 7: Cisco plug-in software modules such as EAP-FAST and PEAP are compatible with Windows 7. You do not need to upgrade these modules when you upgrade to Windows 7. This document

More information

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop PACS Integration into the Identity Infrastructure Salvatore D Agostino CEO, IDmachines LLC 8 th Annual

More information

Two-factor Authentication: A Tokenless Approach

Two-factor Authentication: A Tokenless Approach Two-factor Authentication: A Tokenless Approach Multi-factor Authentication Layer v.3.2-010 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 617.674.2727 E-mail:

More information

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security RSA SECURID ACCESS Authenticator Implementation Guide Check Point SmartEndpoint Security Daniel R. Pintal, RSA Partner Engineering Last Modified: January 27, 2017 Solution

More information

Hitachi ID Password Manager Telephony Integration

Hitachi ID Password Manager Telephony Integration Hitachi ID Password Manager Telephony Integration 2016 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Functional integration 2 2.1 Self-service password reset....................................

More information

ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference. December 2016

ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference. December 2016 ZENworks 2017 Full Disk Encryption Pre-Boot Authentication Reference December 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,

More information

Lotus Domino Security NSL, Web SSO, Notes ID vault. Collin Murray Program Director, Lotus Domino Product Management

Lotus Domino Security NSL, Web SSO, Notes ID vault. Collin Murray Program Director, Lotus Domino Product Management Lotus Domino Security NSL, Web SSO, Notes ID vault Collin Murray Program Director, Lotus Domino Product Management Challenge: Reduce Cost of Ownership IBM Lotus Notes and Domino have been providing a secure

More information

VMware Workspace ONE UEM Integration with Apple School Manager

VMware Workspace ONE UEM Integration with Apple School Manager VMware Workspace ONE UEM Integration with Apple School Manager VMware Workspace ONE UEM Integration with Apple School Manager VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation

More information

Sumy State University Department of Computer Science

Sumy State University Department of Computer Science Sumy State University Department of Computer Science Lecture 1 (part 2). Access control. What is access control? A cornerstone in the foundation of information security is controlling how resources are

More information

YubiKey Smart Card Deployment Guide

YubiKey Smart Card Deployment Guide YubiKey Smart Card Deployment Guide Best Practices and Basic Setup YubiKey 4 Series (YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano) YubiKey NEO Series (YubiKey NEO, YubiKey NEO-n) Last Updated:

More information

Designing and Managing a Windows Public Key Infrastructure

Designing and Managing a Windows Public Key Infrastructure Designing and Managing a Windows Public Key Infrastructure Key Data Course #: 2821A Number of Days: 4 Format: Instructor-Led Certification Track: Exam 70-214: Implementing and Managing Security in a Windows

More information

NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0 NetIQ Advanced Authentication Framework - Client User's Guide Version 5.1.0 Table of Contents 1 Table of Contents 2 Introduction 4 About This Document 4 NetIQ Advanced Authentication Framework Overview

More information

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes

VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes VMware AirWatch Integration with Apple School Manager Integrate with Apple's School Manager to automatically enroll devices and manage classes Workspace ONE UEM v9.6 Have documentation feedback? Submit

More information

McAfee Endpoint Encryption

McAfee Endpoint Encryption Secured by RSA Implementation Guide for SecurID Authenticators Last Modified: December 4, 2013 Partner Information Product Information Partner Name McAfee Web Site www.mcafee.com Product Name (EEPC) Version

More information

Security Enterprise Identity Mapping

Security Enterprise Identity Mapping System i Security Enterprise Identity Mapping Version 6 Release 1 System i Security Enterprise Identity Mapping Version 6 Release 1 Note Before using this information and the product it supports, be sure

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER 7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:

More information

Configuring Request Authentication and Authorization

Configuring Request Authentication and Authorization CHAPTER 15 Configuring Request Authentication and Authorization Request authentication and authorization is a means to manage employee use of the Internet and restrict access to online content. This chapter

More information

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief Providing Secure Access to Corporate Resources from BlackBerry Devices Leveraging Two-factor Authentication Augmenting the BlackBerry Enterprise Solution BlackBerry devices are becoming ubiquitous throughout

More information

Integrating Password Management with Enterprise Single Sign-On

Integrating Password Management with Enterprise Single Sign-On Integrating Password Management with Enterprise Single Sign-On 2016 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Background: one problem, two solutions 2 2.1 The Problem.............................................

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define access control and list the four access control models Describe logical access control

More information

AUTHORIZED DOCUMENTATION

AUTHORIZED DOCUMENTATION Administration Guide AUTHORIZED DOCUMENTATION Novell SecureLogin 6.1 SP1 June, 2009 www.novell.com Novell SecureLogin 6.1 SP1 Administration Guide Legal Notices Novell, Inc. makes no representations or

More information

Independent DeltaV Domain Controller

Independent DeltaV Domain Controller Independent DeltaV Domain Controller The domain controller functionality can be de-coupled from the ProfessionalPLUS / Application stations in DeltaV systems version 14.3 and higher. Table of Contents

More information

ms-help://ms.technet.2004apr.1033/win2ksrv/tnoffline/prodtechnol/win2ksrv/howto/efsguide.htm

ms-help://ms.technet.2004apr.1033/win2ksrv/tnoffline/prodtechnol/win2ksrv/howto/efsguide.htm Page 1 of 14 Windows 2000 Server Step-by-Step Guide to Encrypting File System (EFS) Abstract This document provides sample procedures that demonstrate the end-user and administrative capabilities of the

More information

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n YubiKey Smart Card Minidriver User Guide Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n Copyright 2017 Yubico Inc. All rights reserved. Trademarks

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

User Authentication. Modified By: Dr. Ramzi Saifan

User Authentication. Modified By: Dr. Ramzi Saifan User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important

More information

The Lord of the Keys How two-part seed records solve all safety concerns regarding two-factor authentication

The Lord of the Keys How two-part seed records solve all safety concerns regarding two-factor authentication White Paper The Lord of the Keys How two-part seed records solve all safety concerns regarding two-factor authentication Table of contents Introduction... 2 Password protection alone is no longer enough...

More information

Integration Guide. SafeNet Authentication Client. Using SAC CBA for VMware Horizon 6 Client

Integration Guide. SafeNet Authentication Client. Using SAC CBA for VMware Horizon 6 Client SafeNet Authentication Client Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information Document

More information

Aloaha Smartlogin allows you to logon to your windows machine with a Smart Card, PKCS #11 Token or USB Memory Stick.

Aloaha Smartlogin allows you to logon to your windows machine with a Smart Card, PKCS #11 Token or USB Memory Stick. Aloaha Smartlogin Aloaha Smartlogin allows you to logon to your windows machine with a Smart Card, PKCS #11 Token or USB Memory Stick. Aloaha even supports plain and simple cards such as MIFARE, I2C or

More information

PKI Credentialing Handbook

PKI Credentialing Handbook PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key

More information

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu X.509 CPSC 457/557 10/17/13 Jeffrey Zhu 2 3 X.509 Outline X.509 Overview Certificate Lifecycle Alternative Certification Models 4 What is X.509? The most commonly used Public Key Infrastructure (PKI) on

More information

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm Page 1 of 8 Active Directory Step-by-Step Guide to Mapping Certificates to User Accounts Introduction The Windows 2000 operating system provides a rich administrative model for managing user accounts.

More information