This was a highly technical session going into the depths of a few new Windows 8.1 security features. The session focused on passwords, and how bad they are, and establishing trusted identity with BYOD. Virtual smart cards were also on the agenda, which are really cool.
The speaker was very knowledgeable and really explained the security features very well. If your organization is concerned about client security, then keep reading. The bottom line is that for BYOD, with Windows 8.1 you can leverage the TPM to validate the device is trusted and can connect to resources. You can also leverage virtual smart cards to provide remote two-factor authentication from tablets or other devices without having a physical smart card.
- Biometric fingerprints – Moving beyond passwords
- TPM Key attestation
- Establishing user identity on BYOD devices
- Very hard to type on touch surfaces
- Easily phishable
- Hard to remember
- Passwords are not sufficient to keep users safe
- Passwords are easily re-playable
- Passwords are symmetrical
- Users often re-use passwords
- 10,000 most common passwords would have accessed 98.1% of all accounts
Biometrics: Beyond Login
- Need low false rejection rate
- Fingerprints are the best method with today’s technology
- Goals for Windows 8.1: Ease user’s struggle to enter credentials on touch devices
- Built-in Windows experience (no third party add-ons needed)
- Introduce a new “touch” fingerprint sensors. Swipe sensors suck.
- Light up a few engaging scenarios
- Test user group loved the simplicity – very intuitive and quick. Single quick tap logs you into the system.
- Showed a demo that just by touching the sensor it logged her in to her enterprise AD account. No need to specify a profile or username. Windows knows what account the biometric is associated with.
- Touches with a different enrolled finger and shows her personal local account. Again, no need to specify an account.
- Shows that in the Windows app store it required a biometric authentication to complete a purchase.
- In-app purchase can also be biometric enabled as well
- An app (such as a banking app or tax app) can require biometric authentication before providing access
- The API only returns yes/no to the app, not any credential information
- Showed logging in with a VPN connection via a quick tap
Hardware TPM and Keys and Certs
- TPM KSP to generate certificates with keys sealed by TPM
- Admin CA templates to select TPM KSP
- Customers want to guarantee that the key or cert is actually protected by the TPM
- Customers want to limit what TPMs are trusted for BYOD
- Solution: TPM Key attestation
- Users should perform sensitive operations from trusted devices
- A strong binding between user and device hardware
TPM Key Attestation
- EK: Endorsement key – Inserted at manufacturing time. Keys can not be tampered with or exported. Very unique and can be used at geolocation information.
- EKCert: Endorsement certificate – Some TPMs ship with EK certificate that chains up to a trusted root
- AIK: Attestation identity key – An intermediate key to hide EK in protocol due to privacy concerns
- PowerShell commands to pull EK public keys so only known devices are trusted
- Certificates issued to devices have a special OID (object ID) to signify TPM key attestation
- Certificate shows three new properties showing TPM attestation
- Microsoft v4 certificate template. New tab on a CA cert “Key attestation”
- Simple Certificate Enrollment Protocol (SCEP) – Designed by management of mobile and routers/switches (10+ years old)
- Windows 8 did not support SCEP
- Most MDMs know how to provision SCEP certs for iOS devices
- Server component protocols had many security vulnerabiliites which are now addressed in Windows Server 2012 R2 servers
- Windows 8.1 will natively support SCEP
- SCEP APIs are available to any MDM software
- Modern world you can’t easily plug a smartcard reader into tables
- Two factor authentication: Virtual Smart Card
- Virtual smart cards enables devices to be used as a virtual smart card
- TPM provides three most important features of smart cards: non-exportability, isolated crypto, anti-hammering
- Not all TPMs have consistent blocking policies, so MS inserted a software layer to buffer and keep consistent blocking policies
- Virtual smart card acts and looks exactly like physical smart cards in every sense for all OS and application purposes
Virtual Smart Card
- 2 factor authentication for local and remote access
- Client authentication/mutual auth SSL
- VSC redirection for remote connections
- S/MIME email encryption
- Bitlocker keys for data volumes (e.g. drive cannot be removed from the device)
Windows 8.1 VSC
- MSIT pilot moved to production. 7K enrolled on Surfaces, 75K on x86 machines
- VSC on Surfaces enables PIN and remote access apps
- Passwords are NOT safe anymore
- With Windows 8.1 we offer several methods to fix authentication fiasco with stronger user credentials
- Rooted in hardware, based on asymmetric secrets, strong multi-factor authentication
- Biometric data is only stored on the device, and NEVER in AD or other applications.