Passwords cause many problems in the security world: both the stored secrets (hashes) and the authentication protocols expose those secrets. Windows 10 introduces a new protocol, Next Generation Credentials (NGC), which authenticates a logon session without any shared secret. It also brings a new storage mechanism, Virtual Secure Mode (VSM), built on the hypervisor layer, which isolates the execution of selected processes, their memory context and the storage of sensitive data. This session covers the technical details of the NGC protocol and of the VSM mechanisms while remaining accessible to a non-specialist audience.
2. Without a password, it's more secure!
Version 1.0
Albertino Matias – SR Escalation Engineer (Identity & Security)
Didier Pilon – Principal PFE (PMC)
10. Step 0: Device registration
Diagram (reconstructed from the slide's labels): the user, on a Windows 10 device, registers the device with the directory, which can be Active Directory, Azure Active Directory, a Microsoft Account or another IdP. The arrows are numbered 1 to 4 and include a 2FA challenge of the user; the individual messages are not detailed on the slide.
Directory objects after registration:
• User object: Account-ID, Password, UPN, …
• Device object: Device-ID, Cert thumbprint, …
From then on the device is identified together with its user as user@device.
11. Step 1: Key registration
Flow between the Windows 10 device (the TLS client, user@device) and the directory (Active Directory, Azure Active Directory, Microsoft Account or another IdP), over a TLS secure channel:
(5) Key registration request: the client sends its NGC key together with
  • Access Token (JWT): the login proof token, which includes the user's UPN
  • Friendly key name
  • Pub(Kngc) + Kngc attestation blob
  • Pub(Ksrk) + Ksrk attestation blob
  • AIKcert
  • …
The server verifies
  • the access token;
  • the AIKcert certificate chain;
  • Kngc, using the Kngc attestation blob;
  • Ksrk, using the Ksrk attestation blob.
The server stores Kngc, Ksrk and AIKcert, and computes NGC Key-ID = SHA256(Kngc).
(6) Key registration response: the NGC Key-ID.
Directory objects after key registration:
• User object: Account ID, Password, UPN
• Device object: Device ID, AIK, Ksrk, …
• NGC object: NGC Key-ID, Friendly Name, Account ID, Device ID, Kngc
Where:
• Ksrk: key for transporting the session key
• AIKcert: certificate used for key attestation (used to sign keys)
• Attestation (Kngc attestation, Ksrk attestation): proof that the key is hardware bound, i.e. a signature made with the private key of the AIKcert
12. Step 2: User authentication with a registered Kngc key
Flow between the Windows 10 device (user@device) and the directory (Active Directory, Azure Active Directory, Microsoft Account or another IdP), over a TLS secure channel:
(A) GetNonce: the client sends a "Hello" request.
(B) The server returns a nonce (the encrypted current server time; the nonce is valid for 5 minutes).
(C) AuthN request (GetPRTWithNGC): the client sends the NGC sign-on request; the JWT carries an NGC-signed assertion: AuthInfo; Username; Sign(Nonce, NGC Key-ID)Kngc
    The server locates the user/device pair from the NGC Key-ID, retrieves Ksrk and Kngc, verifies the Kngc signature, verifies the nonce and builds the response.
(D) AuthN response: the server replies with a Primary Refresh Token and an Access Token (empty OAuth 2.0 pass grant request): PRT[Account-ID, Ksk, …]; Enc(Ksk)Ksrk; Sign(Access-Token)Ksk
    The client decrypts the symmetric session key (Ksk) and imports it into the TPM, then verifies the signature of the Access Token.
Directory objects: User (Account-ID, Password, UPN); Device (Device-ID, AIK, Ksrk, …); NGC object (NGC Key-ID, Friendly Name, Account-ID, Device-ID, Kngc, …)
Where:
• PRT: Primary Refresh Token [Account-ID, Ksk, …]
• Ksk: symmetric session key, encrypted with the transport key (Ksrk): E[Ksk]Ksrk
• Access Token
• Access Token signature: Sign[Access Token]Ksk
13. Step 3: Access token request
Flow between the Windows 10 device and the directory (same objects as above: User with Account ID, Password and UPN; Device with Device ID, AIK and Ksrk; NGC with Key ID, Friendly Name, Account ID, Device ID and Kngc), over a TLS secure channel:
(E) Access Token Request: the client sends a service ticket request to the server: Salt1, Sign(TargetServiceName, PRT, …)Ksk1, …
    The server verifies the request signature, generates the access token, and derives new signature keys (Ksk2) from Ksk1 using a salt.
(F) Access Token Response: Salt2, Sign(Access Token)Ksk2, …
    The client verifies the signature.
Key chain shown on the slide: Ksk → Ksk1 → Ksk2.
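The salted key derivation of step 3, as an added example that is neither the deck's nor Microsoft's code. It assumes HMAC-SHA256 both as the derivation of Ksk1 from Ksk (with Salt1) and of Ksk2 from Ksk1 (with Salt2), and as the signature over the request and over the access token; the slide only says the keys are derived "using Salt". The request and response fields, the 16-byte salts and the token contents are constructed for the example, and the server is assumed to recover Ksk from the PRT it issued in step 2.

```go
package main

// Added example, not Microsoft's code: the per-request signing keys of step 3.
// HMAC-SHA256 as the derivation function and as the signature MAC, the salt
// length and the request fields are assumptions made for this example.

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey: child = HMAC(parent, salt || label). Each message carries a fresh
// salt, so Ksk itself never signs anything and no two messages share a key.
func deriveKey(parent, salt []byte, label string) []byte {
	m := hmac.New(sha256.New, parent)
	m.Write(salt)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func sign(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func newSalt() []byte {
	s := make([]byte, 16)
	rand.Read(s)
	return s
}

// AccessTokenRequest is step E: Salt1, Sign(TargetServiceName, PRT, ...)Ksk1.
type AccessTokenRequest struct {
	TargetService string
	PRT           []byte
	Salt1         []byte
	Signature     []byte
}

// AccessTokenResponse is step F: Salt2, Sign(Access Token)Ksk2.
type AccessTokenResponse struct {
	AccessToken []byte
	Salt2       []byte
	Signature   []byte
}

// ClientBuildRequest derives Ksk1 from Ksk with a fresh Salt1 and signs the request.
func ClientBuildRequest(ksk []byte, service string, prt []byte) AccessTokenRequest {
	salt1 := newSalt()
	ksk1 := deriveKey(ksk, salt1, "Ksk1")
	return AccessTokenRequest{service, prt, salt1, sign(ksk1, []byte(service), prt)}
}

// ServerIssueToken re-derives Ksk1 from the Ksk held in the PRT and Salt1, verifies the
// request, then derives Ksk2 from Ksk1 with Salt2 to sign the access token.
func ServerIssueToken(ksk []byte, req AccessTokenRequest) (*AccessTokenResponse, error) {
	ksk1 := deriveKey(ksk, req.Salt1, "Ksk1")
	if !hmac.Equal(req.Signature, sign(ksk1, []byte(req.TargetService), req.PRT)) {
		return nil, errors.New("request signature verification failed")
	}
	token := []byte("access-token-for:" + req.TargetService) // constructed stand-in for a real token
	salt2 := newSalt()
	ksk2 := deriveKey(ksk1, salt2, "Ksk2")
	return &AccessTokenResponse{token, salt2, sign(ksk2, token)}, nil
}

// ClientVerifyToken walks the same chain Ksk -> Ksk1 -> Ksk2 and checks the token signature.
func ClientVerifyToken(ksk []byte, req AccessTokenRequest, resp *AccessTokenResponse) bool {
	ksk1 := deriveKey(ksk, req.Salt1, "Ksk1")
	ksk2 := deriveKey(ksk1, resp.Salt2, "Ksk2")
	return hmac.Equal(resp.Signature, sign(ksk2, resp.AccessToken))
}

func main() {
	ksk := make([]byte, 32) // constructed session key; in the real flow it comes from step 2
	rand.Read(ksk)
	req := ClientBuildRequest(ksk, "https://graph.example", []byte("prt-blob"))
	resp, err := ServerIssueToken(ksk, req)
	if err != nil {
		panic(err)
	}
	fmt.Println("token signature valid:", ClientVerifyToken(ksk, req, resp))
	req.TargetService = "https://evil.example" // tampered in transit
	_, err = ServerIssueToken(ksk, req)
	fmt.Println("tampered request rejected:", err != nil)
}
```

Because both peers derive the per-message keys from Ksk and the salts carried in the messages, Ksk itself never produces a signature an observer could collect, and a fresh Salt1 on every request yields a different Ksk1 even for two identical requests.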
16. A new security boundary with Hyper-V
Diagram (reconstructed from the slide's labels), from the bottom up:
• Hardware: TPM 2.0, VT-x2
• Firmware (UEFI)
• Hypervisor: manages processor scheduling and physical memory allocation; SLAT and IOMMU; holds the guest-physical-to-system-physical memory map (guest physical address memory is virtual in fact; system physical address memory is the real one)
• Host OS, split by the hypervisor (the trust boundary) into
  • Normal Mode: User and Kernel, Normal LSA
  • Secure Mode (hardened boundary): Secure LSA, NGC, Containers
• Also shown: User Mode Code Integrity, Hyper-V Code Integrity, Virtual Infra Driver
VSM platform requirements:
• Virtualization extensions (Intel VT-x)
• Second Level Address Translation (Intel EPT)
• IOMMU (Intel VT-d)
• UEFI 2.3.1
• TPM v2.0
• Secure boot
• Trusted boot: OS loader, kernel, system drivers, system files and Early Launch Anti-Malware, measured during secure boot
17. tech.days 2015
#mstechdays
NGC
• Authentication based on an asymmetric key (no more password)
• The device is used as the second authentication factor
VSM
• Provides a dual execution environment guaranteed by the hypervisor
• Normal mode
• Secure mode
• Protected memory address space