YubiHSM2 and virtual servers!

Not much blogging from my side the last 2 years, but now it's finally time for a new post.

One of my last posts was about YubiHSM2 and the “ultra-small” form factor that provides a very useful HSM for a reasonable price. And I've used a number of those at customers that needed to increase the protection of their CAs' private keys. But all of those customers had their CAs on dedicated hardware. And all customers with CAs on virtual servers (VMware and Hyper-V) have just placed their CA private keys in the file system.

But recently I've been in a couple of projects that needed HSMs but were on VMware. And network HSMs were out of budget so to say. But according to Yubico the YubiHSM should work fine in a virtual environment. So we installed a CA with a YubiHSM2 and it simply did not work. The connector service hung every now and then when accessing the HSM. We managed to install a CA but when enrolling certificates the service hung. And talking to Yubico's excellent, but sometimes a little slow support (it's free so no complaints, the paid support is quick as..), they told me it was a known issue. And they asked me to open a support case with VMware and promised to help out. But that was not an option in that project due to security reasons. So I decided to try another approach. I looked into network-2-USB-devices.

And I found the Silex DS-510. They stated the following on their homepage:
“The Silex DS-510 is designed to easily connect and share USB devices over a network. Printers, Scanners, Disk Drives, Card Readers, or virtually any other USB device can be now be enabled with network capability.”
I asked Yubico support and they came back and said: “Unfortunately this kind of device will not work for what you are trying to accomplish”. But since I had already ordered one (they are about 150$) I decided to have a go. And it worked perfectly!

And the thing is: It is really easy to use! Basically connect the Silex DS-510 to the network, install the driver on the dedicated server, connect your YubiHSM to the DS-510 and it will show up in the system like any other USB-device. I've tried it both on VMware and Hyper-V and it works perfectly! Of course more testing is needed and you have to consider the security in this device. It is on my to do list. But so far so good! And the key-material is stored on the YubiHSM2 and communication between the HSM and CA over the network is protected.

I think I have convinced Yubico to test the device as well so they can recommend it from their side as well. I'll update this post when I get more info.

At the end of the day I really have to recommend this solution. The YubiHSM2 is excellent and in combination with the Silex DS-510 we got a winner for Certificate Authorities in virtual environments!

#Yubico #YubiHSM2 #Silex #DS-510

Product review CertHat!

Have you ever managed a Microsoft CA? Then you probably know about all the limitations in the tools for administration. For example, the problem with browsing and searching in the CA database? Or keeping track of certificates about to expire? Or just a simple thing as statistics over issued, revoked, failed/denied certs? And don't get me started about the manual enrollment options.

Well a couple of weeks ago I was contacted by a company which develops an add-on software for MS CA. They asked if I could do a review of their product and provide feedback. And since I spend a lot of time in a hotel room I decided to help out.

The product is called CertHat and provides a web-service for MS CA. It consists of a Web application, a SQL database and a small agent installed on your CA servers.

My first impression is great! It provides a really nice web interface with a lot of nice features. For example, database search, statistics, notification of expiration for certs and a lot of other really nice stuff.

More information can be found on their web site: https://certhat.com/ There is a lot of info about the product. It also contains a full featured demo-site to test the product. And of course, contact info. Otherwise let me know and I'll do my best to help out with contacts.

And just for info: I don't get any form of payment for this blog post. I got a nice CertHat T-shirt for my testing and feedback, and that is all! I just really like the product and got a really good impression of the guys behind it. So please mention this blogpost if you decide to contact them. 🙂

Notes from the fields! SC CM certificates..

One of my brilliant colleagues called me a couple of days ago and needed some help with config manager not accepting the client certificates.

The certificate was RSA 4096 and used MS default KSP. And the certificates weren't accepted by the CM client.

But when he tried the same configuration in his lab it worked just fine. And the only difference he could spot was that in the lab he used the AlternateSignatureAlgorithm=1 in the CApolicy.inf and got RSASSA-PSS as signature algorithm. And the customer had a regular sha256RSA.

After some testing we found out that when using sha256RSA you had to use a CSP instead of a KSP. But when using RSASSA-PSS you could use either a KSP or a CSP.

Might be a valid reason for that, but we didn't dig further into it. And since the customer was using sha256RSA we settled with a CSP.

You should of course always use a KSP over a CSP if possible, but I definitely recommend using sha256RSA over RSASSA-PSS every day of the week. More about that on this great blogpost: https://pkisolutions.com/pkcs1v2-1rsassa-pss/

BTW: It seems like stronger keys than 2048 aren't supported in CM but it works just fine.

YubiHSM2!

I'm really excited to have finally got my hands on a YubiHSM2. I got a delivery message in the mailbox a couple of days ago, but being on the road for a week I couldn't get my hands on it until today.

Really excited to test this “ultra-small” HSM and see what it's capable of. Hopefully I'll find time to play with it and write a review this weekend.

More info can be found @ https://www.yubico.com/products/yubihsm/

Encrypted File System – Do it right or not at all!

Some notes from the field! And it's about EFS.. Most of my customers don't have a clue if they are using EFS. And if they are, how to handle it!

Encrypted File System (EFS), do you want it or not? It's really up to you to make a decision, but I'm going to give you some advice from a key management point of view.

First question: Do you want your users to encrypt files and folders with EFS?

If your answer is NO, simply disable the feature in your default domain policy (or any matching GPO) and you are done!
The setting is located here: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Is the answer YES and you believe it's a good thing to use EFS? Well, then my advice is to make sure you got the infrastructure in place to use it the right way. Because there are a few pitfalls you need to be aware of. And it involves certificates and key management.

I'm not going to do an EFS deepdive here, but I'll try to explain what might go wrong.

When a file or folder is encrypted using EFS, a key pair with a corresponding certificate, including the Enhanced Key Usage: Encrypting File System (OID – 1.3.6.1.4.1.311.10.3.4), is created. The public key of that certificate is used to encrypt the file/folder. And the private key is used to decrypt the file. (It's actually more complex than that, but no deepdive right). So where does the certificate come from?
If a CA in the enterprise got a template with the correct EKU available to the user, it will issue the certificate. If no CA or template exists, the local machine, where the encryption is initiated, will create the certificate. So if a file is encrypted on a local PC the certificate is issued locally and the keys are stored in the user's profile on that computer. If a file is encrypted on a file server from a PC the certificate is also stored on the PC, not on the file server.

So what happens then if the user's profile is deleted or the PC is reinstalled? The private key is lost and the files stay encrypted. The way to solve this is to make sure you got an EFS recovery agent certificate published. If a key recovery agent certificate is available when the file is encrypted that certificate works as a “master key”. And since the public key of the key recovery agent is embedded in the encrypted file the corresponding private key can decrypt the files.

So where do you find the private EFS Recovery key then? Well it's created in the profile of the user that does DC promo on the first DC in the domain. Do you still have access to it? Great!

So what do we need to remember about EFS?
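
To see which case applies on a given PC, the following added example (not from the original post) lists the current user's EFS certificates and marks the self-signed ones, which are the locally created certificates described above. Test-EfsCertificate is a helper name chosen for this example.

```powershell
# Added example: audit EFS certificates in the current user's store.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # EKU: Encrypting File System (OID quoted in the post)

function Test-EfsCertificate($Cert) {
    # True when the certificate carries the EFS OID in its Enhanced Key Usage extension.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    [bool]($eku | Where-Object { $_.EnhancedKeyUsages.Value -contains $efsOid })
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { Test-EfsCertificate $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            # Subject equal to issuer: created on this PC, no CA was involved.
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            # False: this profile holds the certificate but cannot decrypt with it.
            HasPrivateKey = $_.HasPrivateKey
            Expires       = $_.NotAfter
        }
    } | Format-Table -AutoSize
```

A self-signed entry with HasPrivateKey set to True is a key that exists only in that user profile, which is the situation where a reinstall loses access to the files.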

Use it?
NO! Disable and forget..
YES! Make sure your infrastructure is set up correctly!

Well that's my 2 cents! 🙂

Azure Key Vault – The cloud based HSM!

A Hardware Security Module (HSM) is a crypto appliance for securing encryption keys (and other kinds of secrets). And it's available as a service in Azure which is really cool. Ok, we have to admit that Amazon was first with this kind of service. But Azure Key Vault seems like a smarter implementation with a much nicer price-tag.

So how can we use this feature? One example is to store encryption keys. Let's say you got a web-server in Azure and got a public certificate for that web-service. Then you can store the encryption keys in the Key Vault instead of in the file system of the server. Another example is to encrypt a SQL-server using the SQL Server Connector for Key Vault. Or you can simply deploy an encrypted virtual machine with the CloudLink SecureVM and store the master key in the Key Vault.

What other nice things are there? The Key Vault uses FIPS 140-2 level 2 validated HSMs from Thales and Common Criteria EAL4+ certification is pending for the HSMs which is really nice, and you get the option to establish Vaults in multiple Azure Datacenters to make it globally redundant. And it seems possible to sync with an existing, internal HSM farm as well.

So now we are (finally) talking about some really cool Azure functions! And I must admit that I missed that it was in preview, even though I've heard whispers about it for a long time. But if you are into security and encryption you should definitely have a look!

More info can be found on the Azure site and on The Official Azure Key Vault Team Blog.

 

Sunset for SHA1 certificates!

It's time to look into migration from SHA1 as signing algorithm for your certificates. The obvious reason is security and SHA1 has been considered insecure for at least 10 years by now. And in late 2013 Microsoft announced their SHA1 deprecation policy.

(http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx)

What does this actually mean then?

Code-signing certificates won't be accepted in Microsoft products after January 1 2016 unless they have a timestamp. Then they will be OK until 14 January 2020.

For SSL certificates, Microsoft products will stop accepting SHA1 end-entity certificates by 1 January 2017. And all SSL certificates valid after that date need to be signed with a SHA2 algorithm.

Google (Chrome) and Mozilla (Firefox) are on this as well and info can be found here:

http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

Digicert has a really nice SHA2 compatibility list:

https://www.digicert.com/sha-2-compatibility.htm

What has to be done?

Publicly signed certificates are in most cases signed with SHA2, but check to make sure. If you have SHA1 signed SSL-certificates valid after January 1 2017 all vendors I know of will re-sign the cert with SHA2. Contact the issuer for help.

Internally signed certificates have to be re-issued as well. First you have to prepare the CA to use SHA2 and then you will need to start to replace your certificates.

Are you unsure of your certificates? Test your site here: https://www.ssllabs.com/ssltest/index.html

 

Any questions? Just let me know!

 

Certificate Bulk Enrollment to PFX

Is it possible to provide certificates to industrial equipment that doesn’t have any enrollment capabilities?

That's the challenge one of our customers gave us a couple of weeks ago. The certificates should be used for network access on an 802.1x network and authentication to a database. Me and my fantastic colleague Tomas accepted the challenge and went to work.

So we had to create a completely automatic enrollment process with as little user interaction as possible. Our goal was to provide the manufacturer with password protected pfx-files in a bulk with a password file, mapping the pfx-files to a randomly generated password for each pfx. First we started by doing a manual enrollment process.

Enrollment process – step by step

  •  The first step was to create an inf-file (request.inf) as input to the request file.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = CN=Test123.trustmyroot.com
Exportable = True
KeyLength = 4096
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = False

  •  After that we used the inf-file together with certreq.exe to create a certificate request file.

Certreq.exe -new d:\request.inf d:\enroll\req\Test123.req

  •  The next step was to submit the request file to the CA and issue a certificate with certreq.exe.

Certreq.exe -submit -config "SRV001.trustmyroot.com\CA01" d:\enroll\req\Test123.req d:\enroll\cer\Test123.cer

  •  After that we imported the certificate to the certificate store on the local machine with certutil.exe

Certutil.exe -addstore -f MY d:\enroll\cer\Test123.cer

  •  Then we had to match the certificate to the private key so we would be able to export the pfx-file.

Certutil.exe -repairstore MY Test123.trustmyroot.com

  •  Next step was to export the pfx from the certificate store and set a password for the private key.

Certutil.exe -password 1q2w3e4r -exportPFX Test123.trustmyroot.com d:\enroll\pfx\Test123.pfx

  •  Then we deleted the certificate and private key from the local certificate store

certutil -privatekey -delstore MY Test123
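
The manual steps above, looped over a list of device names with a random password per PFX, as an added PowerShell example (this is not the GenerateCertificates.ps1 script mentioned on this page). The parameter names, the two helper functions, passwords.csv and the use of certutil's -p option for the PFX password are choices made for this example; the CA name, paths and provider settings are the page's sample values.

```powershell
# Added example (not the page's script): manual steps in a loop; helper names are illustrative.
param(
    [string[]]$DeviceNames = @('Test123.trustmyroot.com'),
    [string]$CAConfig = 'SRV001.trustmyroot.com\CA01',
    [string]$Root = 'd:\enroll'
)
$ErrorActionPreference = 'Stop'

function New-RandomPassword([int]$Length = 24) {
    # 32-symbol alphabet: masking a CSPRNG byte with 31 gives an unbiased index.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'.ToCharArray()
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 31] })
}
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # certreq/certutil signal failure through the exit code, not an exception.
    & $Exe @ToolArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs[0]) failed ($LASTEXITCODE)" }
}
# Single-quoted here-string, so PowerShell does not expand $Windows NT$.
$infTemplate = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN={0}"
Exportable = True
KeyLength = 4096
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = False
'@
foreach ($sub in 'req', 'cer', 'pfx') {
    New-Item -ItemType Directory -Force -Path (Join-Path $Root $sub) | Out-Null
}
foreach ($name in $DeviceNames) {
    $inf, $req, $cer, $pfx = 'req\{0}.inf', 'req\{0}.req', 'cer\{0}.cer', 'pfx\{0}.pfx' |
        ForEach-Object { Join-Path $Root ($_ -f $name) }
    ($infTemplate -f $name) | Set-Content -Path $inf -Encoding ASCII
    $password = New-RandomPassword
    Invoke-Tool certreq.exe @('-new', $inf, $req)
    Invoke-Tool certreq.exe @('-submit', '-config', $CAConfig, $req, $cer)
    Invoke-Tool certutil.exe @('-addstore', '-f', 'MY', $cer)
    Invoke-Tool certutil.exe @('-repairstore', 'MY', $name)
    Invoke-Tool certutil.exe @('-p', $password, '-exportPFX', $name, $pfx)
    Invoke-Tool certutil.exe @('-privatekey', '-delstore', 'MY', $name)
    # One "file,password" line per PFX, matching the password file described above.
    "$name.pfx,$password" | Add-Content -Path (Join-Path $Root 'pfx\passwords.csv')
}
```

The PFX password is passed on the certutil command line and written to passwords.csv in clear text, so run this on a dedicated enrollment machine and restrict access to the output folder. A failed step stops the batch, and the key for that device name stays in the machine store until it is removed.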

After testing this process we gave it all to our brilliant colleague Simon, who created a PowerShell script with some parameters, a password generator and some other nice stuff.

GenerateCertificates.ps1

After testing and handover to the customer they were extremely happy with the solution and it works perfectly!

StartSSL – Free SSL certs!

Thought I'd write a short blog post about public certificates for test environments. By public certificates I mean certificates issued by an external CA and trusted by most platforms.

If you got a test or lab environment and want to publish an external service with SSL, for example ADFS, you need a certificate. This certificate must be trusted by all devices used by consumers of the service. OK, it's a test environment so you can use your own CA to issue the certificates and import the RootCA certificate on all devices you are testing with. But I guess a lot of you out there aren't that into certificates that you find that especially interesting. 🙂

So what are your options? You can of course buy an SSL cert from Digicert, Verisign or any other public CA. But I guess you don't want to spend too much money on your testing. And there is another alternative.

Try StartSSL.com (no, I'm not getting paid for this!). They are using the StartCom Class 1 CA and issue free SSL certificates. And the best part is that the CA is trusted by almost every platform on the market.

All you need to do is to create an account and you're on! There are of course some restrictions. For example you can't issue SAN (Subject Alt Name) certs for free, the validity period is only 1 year, no EV certs for free for example. But if you are just using it for test/lab you're fine! (And I rebuild my test environment a couple of times a year so I don't see any real drawbacks!)

A comparison chart of their certificates can be found here: http://www.startssl.com/?app=40

Well, that's all for now folks! 🙂

Poodle – CVE-2014-3566

Time for the next big security flaw! This time Google's Security Team has discovered a vulnerability in SSL 3.0 and the list of targets is huge. All implementations of SSL 3.0 are vulnerable to attack and the recommendation is to disable SSL 3.0 as soon as possible. (As a matter of fact, SSL 3.0 is over 15 years old, and for obvious reasons already outdated. But it's still widely spread for compatibility reasons.)

But there are a lot of factors that make an attack less likely. For example, the attacker needs to be a “man-in-the-middle” to exploit it, in most cases Java has to be enabled on the client side, and if someone tries to attack you they can take control of your sessions, but not steal your password.

A test to see if your browser is vulnerable can be done here: https://www.poodletest.com/

More info:

http://googleonlinesecurity.blogspot.se/2014/10/this-poodle-bites-exploiting-ssl-30.html

https://technet.microsoft.com/en-us/library/security/3009008.aspx

http://blog.erratasec.com/2014/10/some-poodle-notes.html#.VD4xhPl_u-4