Transcription
TFS WorkstationControlWhite PaperIntelligent Public Key Credential Distributionand Workstation Access ControlTFS Technologywww.tfstech.com
TFS WorkstationControlTable of ContentsOverview3Introduction3Important Concepts4Logon Modes4Password Types4Credential Stores5Extended Smart Cards7Functionality7Benefits of Extended Smart Cards8PKI Management9User Credential Storage9BoKS CAs and Certificates10Third-Party CAs and Certificates10Automatic Trust Management10Certificates for Kerberos Authentication11Pre-Existing User Certificates11Configurable Expiration Message11Configurable and Convenient Security Features11Security Policies11Streamlined Logon Process12The Lock Function and Inactivity Protection12About TFS Technology13TFS WorkstationControl / 2
TFS WorkstationControlThe TFS Technology Vision: “Lead the world in providing enhancements to existing infrastructure,simplifying usage and administration with profound security usingproducts and services that add value for the customer.”OverviewIntroductionThe TFS WorkstationControl solution provides comprehensive protection for workstations ina domain and gives administrators complete control over who accesses those workstations.The solution provides the ability to use different protection mechanisms such as passwords,SecurID tokens, Smart Cards and USB tokens to protect user credentials. Regardless ofwhich protection mechanism is used, legitimate users are welcomed to their workstationswith the same streamlined authentication process. Individual users can be assigned differentprotection mechanisms, which make it possible to tailor the protection level according toeach user's needs. Protection mechanisms can be exchanged over time without losing usercredentials.Another strength of the TFS WorkstationControl solution is that it provides a uniform way ofdistributing and managing user credentials such as symmetric keys, RSA keys, certificates,and user data.TFS WorkstationControl is built on the products TFS BoKS Manager and TFS Desktop, whichcombine into a single, powerful security solution.TFS BoKSManagerDomain server(Microsoft or Novell)Check certificate anddownload encryption keysAutomatic authenticationcall by TFS DesktopTFS DesktopFigure 1. The TFS WorkstationControl SolutionTFS BoKS Manager is the central security server that holds the user database containingpolicies, user accounts, and user credentials. One of the most important services providedby TFS BoKS Manager in this solution is the ability to create, distribute, and revoke usercertificates from a central location. TFS BoKS Manager can be deployed on all major UNIXplatforms.TFS Desktop resides on each client machine and provides strong user authentication andaccess to the user's credentials. TFS Desktop offers streamlined logon features, such assingle-sign-on capability that allows users to log on only once to access TFS Desktop and theprimary network provider. It also offers additional security functionality, such as the Auto Logonfeature that allows users to "train" TFS Desktop to recognize and log users on to their Windowsapplications without their intervention. TFS Desktop makes it possible for users to roambetween machines in the domain, while always maintaining access to the same credentials.It also supports machines that roam between the protected domain and the Internet, whichmakes the solution suitable for installations in which laptops are used in different environments.See "TFS Desktop Technical Data and Requirements" for platform information.TFS WorkstationControl / 3
TFS WorkstationControlImportant ConceptsLogon ModesThe solution may be set up to replace the native logon machinery of the client operatingsystem. This configuration is referred to as Integrated Logon mode. In this mode, theuser logs on to his or her machine using TFS Desktop, which automatically and transparently handles the Windows (or Novell) domain logon. If passwords are used as theprotection mechanism, it is possible to synchronize passwords between the BoKS domain andthe Windows (Novell) domain. The login sequence is as follows: The user authenticates to TFS Desktop using one of the available protectionmechanisms. The TFS Desktop communicates with TFS BoKS Manager, which authenticates theuser. If the authentication succeeds, the user's credentials are downloaded, and the user isauthenticated to his or her primary domain server.Alternatively, TFS Desktop may be used to protect specific credentials. This configuration is referred to as On Demand Logon mode. In this mode, the user logs onusing the normal Windows logon functionality. The user willbe required to authenticate to the TFS WorkstationControl Solution only when access to credentials isrequired. For example, in cases in which certificates and keys for signing are amongthe credentials, user authentication will be forced as soon as the user signs an email.Password TypesRegular PasswordsPasswords are used to cryptographically protect Virtual Cards. TFS Desktop has settings thatcan be used to enforce password policies.RSA SecurID Token PasscodesThe password strength of a Virtual Card can be greatly improved by using an RSA SecurIDtoken. This kind of token adds two-factor authentication by providing a random, time-basedpasscode. The user supplies both the passcode and a normal password when he or sheauthenticates. The information is sent to TFS BoKS Manager, which then uses an RSA ACE/Server for passcode authentication. TFS WorkstationControl comes complete with supportfor RSA SecurID with no need for extra client-side software. A working RSA ACE/Server isrequired for SecurID authentication.PIN codesPasswords used to open Smart Cards are usually referred to as PIN codes. Besides openingSmart Cards with PIN codes, TFS Desktop can be used to enter PUK codes for unlockingblocked Smart Cards and for PIN code changes. PIN codes are the entry mechanism forExtended Smart Cards, since the Smart Card component has to be opened in order to unlockthe Virtual Card.In the remainder of this document both PIN codes and regular passwords are referred to aspasswords.Domain PasswordsAn inherent weakness of password-based encryption is that an attacker may try to guess thepassword by going through a long list of possible passwords. This approach is known as adictionary attack. The TFS WorkstationControl Solution has a feature called Domain Passwords,which protects from dictionary attacks against Virtual Cards. Note that the term does not refer toa separate password type, but to a password protection feature. If the Domain Passwords feature is enabled, each Virtual Card is protected with a randomly generated password. The userpassword is not used to open the Virtual Card. Instead, when the user logs on, the userpassword is sent from TFS Desktop to TFS BoKS Manager for verification. If the userTFS WorkstationControl / 4
TFS WorkstationControlpassword is correct and the user has not previously depleted his password attempts, the randomly generated password is sent to TFS Desktop where it is used to open the Virtual Card.Credential StoresCredentials that are associated with a user must be stored in a secure and protected way.TFS Technology offers several different storage solutions built on hardware and softwareprotection methods and devices. Using TFS BoKS Manager, credential data is automaticallysynchronized. It is possible to select the degree of credential roaming allowed by allowing ordisallowing client-side caching of credentials. The following diagram illustrates some of thevariants:Figure 2. Credential Store Types and UsageTFS BoKS ManagerVirtualCard 1VirtualCard 1VirtualCard 2VirtualCard 3VirtualCard 2VirtualCard 4VirtualCard 3VirtualCard 2SmartCardOnlinelogonOnline OfflinelogonOnline OfflinelogonSmartCardOnlinelogon .VirtualCard 4Synchronizedwith serverVirtualCard 4Cashed onclientSmartCardOnline OfflinelogonSmart CardsA physical device kept in the user's possession that contains a hardware chip that canstore user credentials. In order to use a Smart Card, a reader has to be installed on the client machine. Smart Cards are very secure cryptographic containers because a PIN-codemust be entered to gain access to the credentials and data. After a predefined number offailed PIN attempts, the Smart Card locks up. This feature makes Smart Cards immune tocryptographic attacks.USB TokensUSB tokens are a relatively new class of cryptographic devices. Technically, a USB tokenis a combination of a Smart Card and a Smart Card reader in a common USB device.The advantage is that no reader installation is needed in order to roam between computers.A USB token works just as any Smart Card in conjunction with TFS Desktop.Both Smart Cards and USB tokens are referred to as Smart Cards in the remainder of thisdocument.TFS WorkstationControl / 5
TFS WorkstationControlVirtual CardsA Virtual Card is a symmetrically encrypted file that contains user credentials. As the nameindicates, a Virtual Card duplicates the functionality of a Smart Card. This means that theVirtual Card contains separate storage areas for keys, certificates, and parameters. A VirtualCard can be used to store the same kind of information as a Smart Card, but does not have thememory constraints of the hardware-based Smart Card solution.Extended Smart CardsAn Extended Smart Card is a combination of a Virtual Card and a Smart Card. PKI keys onthe Smart Card are used to protect the Virtual Card. The resulting Credential Store combinationinherits the best qualities from both storage methods. A later section describes the ExtendedSmart Card solution in greater detail.The following diagram illustrates the variants of Virtual Card protection. Please notethat SecurID protection is not shown explicitly but is included in the first example(Virtual Card 1):Figure 3. Protection Mechanisms for Virtual CardsTFS WorkstationControl / 6
TFS WorkstationControlExtended Smart CardsAn Extended Smart Card is created when a key pair from the Smart Card is used instead ofa password to encrypt the Virtual Card. As a result, the Virtual Card becomes a transparentextension of the Smart Card. The user experience remains the same as with a normal SmartCard, but the space and management problems are resolved. All data parameters and newcertificates can be placed in the Extension Virtual Card (the Virtual Card that is combined witha Smart Card to form the Extended Smart Card) for automatic data backup and storage.FunctionalityExtended Smart Card CreationCreating an Extended Smart Card in TFS WorkstationControl is a simple process: Using TFS BoKS Manager, the administrator creates a password-protected VirtualCard and ties it to a user account. Next, the administrator protects the Virtual Card with a Smart Card by importing acertificate associated with a key pair on the Smart Card. The user can now use boththe Smart Card and the password as protection mechanisms for his or her credentials.(The password protection can be removed at the discretion of the administrator.) Users can be allowed to create an Extended Smart Card directly from TFS Desktop.In this case, the administrator need only create a Virtual Card and give the passwordfor the Virtual Card and a Smart Card to the user. The user initially logs in with thepassword and then adds the Smart Card protection mechanism. In this scenario,the password protection mechanism is automatically removed to prevent unwantedpassword backdoors to the Credential Store.Managing Lost Smart Cards and Key RecoveryIf a user loses the Smart Card portion of the Extended Smart Card, the administrator canremove the Smart Card protection mechanism and provide the user with a new password.The user can use the password to access the Virtual Card, where the user's credentials arestored, and can continue to use the credentials in this way until a replacement Smart Card isavailable.Extended Smart Cards Protect Traveling UsersA user who loses his or her Smart Card while traveling may not be able to log on online toautomatically download a new Virtual Card. Administrators can prepare for this event byleaving the Virtual Card password protection mechanism activated when creating the ExtendedSmart Card. The password is not provided to the user. If the user loses the Smart Card, he orshe calls the administrator and obtains the password for the Virtual Card. This procedure allowsthe administrator to constrain the use of password authentication to emergency cases only.Extended Smart Cards Provide Stability and FlexibilityExtended Smart Cards make it possible to use different authentication methods in a seamless way. Users can be provided with different authentication solutions over time, but theirimportant credentials always stay the same. It is also possible to have users with full-featurednon-extended Smart Cards in the same context as Extended Smart Card users. This makesit possible to migrate between Smart Card solutions at your convenience without massivehardware deployments.TFS WorkstationControl / 7
TFS WorkstationControlBenefits of Extended Smart CardsTo appreciate the benefits of Extended Smart Cards, it is helpful to understand the strengthsand weaknesses of Smart Cards and Virtual Cards.ProsConsSmart CardsVirtual Cards Strong protection of data withautomatic, non-revocable locking True data roaming Personal key protected by hardware Easy, central management Automatic data backup and storage No memory limitations Cumbersome key and certificatemanagement that cannot be easilycentralized Severe memory limitations for dataand keys Risk of complete loss of data if thecard is lost Development of complete SmartCard drivers is difficult and expensive Weaker (password-based) protection Symmetric key operations insoftwareExtended Smart Cards combine desired properties from both Smart Cards and Virtual Cards: Smart Card storage limitation problems are solved. New data is stored in theExtension Virtual Card rather than on the Smart Card. Support for read-only Smart Cards. In cases in which users are prevented frommaking changes to the Smart Card, such as identity cards issued by authorities, it isimpossible to store parameters and additional keys on the Smart Card. Instead, thesecredentials can be stored on the Extension Virtual Card. Support for devices without storage capacity. Even devices such as mobiletelephones and certain USB tokens that cannot do much more than provide anRSA keypair and encryption capabilities can serve as protection devices for ExtensionVirtual Cards. Protection of Smart Card investment. The functionality of existing hardware can beextended over time without replacing all of the Smart Cards. Quick driver development. Because less is required of the Smart Card, developmentof new smart card drivers is simplified. Some existing PKCS #11 modules may evenbe used off the shelf. Support for multiple Smart Card devices with the same level of systemfunctionality. Since the Smart Card functionality is extended, it is possible for anorganization to mix different Smart Card types and manage them in a uniform way. Reduced administration. If the Smart Card is the sole way of accessing a systemand the sole bearer of the user's credentials, it causes administrative overhead whenthe user loses the Smart Card.However, if the Smart Card is used only as a key to the Extension Virtual Card, it ispossible to replace the Smart Card without losing any credential information. A newSmart Card can simply be assigned to the Extension Virtual Card, which allows theuser to continue to access systems in the enterprise and user credentials stored in theVirtual Card. Improved Virtual Card encryption protection. An Extended Smart Card is muchharder to attack cryptographically than a password-protected Virtual Card.TFS WorkstationControl / 8
TFS WorkstationControlPKI ManagementTFS WorkstationControl uses certificate-based authentication as the ultimate guarantor of auser's identity and provides tools to facilitate the creation and management of user certificates.The TFS WorkstationControl Solution provides various options for setting up the CA hierarchy,as well as straightforward GUIs and clear instructions for managing the CAs and the certificatesthey sign.User Credential StorageAll users must have a place to store credentials. In TFS WorkstationControl, the storagepoint is called the Credential Store. All elements necessary for enabling users to log on toTFS Desktop and use its security features are kept in the Credential Store. Credential Storeshold both public and private security information, including: RSA key-pairs and x.509 v3 certificatesThe user's primary network operating system logon information (Windows or NetWare)The user's symmetric file encryption keysSecure storage spaceTFS WorkstationControl supports completely hardware-based Credential Stores, where allcredentials reside on Smart Cards (or USB Tokens). The solution also supports completelysoftware-based storage where all credentials reside in Virtual Cards. A third alternative is thecombination of both Smart Cards and Virtual Cards (referred to as Extended Smart Cards).The type of Credential Store that is best suited varies between installations. If absolute securityis required, a Smart Card-based solution may be needed. Virtual Cards, on the other hand,are more cost-effective since central management is simplified and no hardware is required.Extended Smart Cards offer a combination of the advantages of Smart Cards and VirtualCards.TFS BoKS ManagerAll user accounts are created in TFS BoKS Manager. (This may be done by importing froman LDAP user directory, for example.) The next step is to associate the user account to aCredential Store. This may be a Virtual Card, a Smart Card or an Extended Smart Card. VirtualCards are created by TFS BoKS Manager and tied to accounts simultaneously. Smart Cardsare tied to user accounts by using data from a certificate that resides on the Smart Card or byusing the certificate itself.Throughout the lifespan of the user account, TFS BoKS Manager can be used to manageCredential Store ties to users and other managerial tasks. Examples of this are Virtual Cardpassword change, certificate replacement and user blocking.TFS BoKS Manager is installed on a UNIX server, but the management interface is Web basedand can be run from any browser.TFS DesktopTFS Desktop contains a utility called the Credential Store Manager. This is an easy-to-useGUI-based utility that allows users to view information about their certificates, delete obsoletecertificates, and select which certificates are to be used as the default signing and encryptioncertificates within the TFS WorkstationControl Solution.Two of the certificates in the Credential Store are of particular importance to TFS Desktop. Thefirst is used to establish the user's identity and is referred to as the "signing certificate." Thesecond is used for encryption operations such as key negotiations and is referred to as the"encryption certificate." A single certificate (a so-called multipurpose certificate) can be usedfor both purposes. TFS Desktop provides easy life cycle management of these certificates byproviding automatic rule-based certificate selection.TFS WorkstationControl / 9
TFS WorkstationControlBoKS CAs and CertificatesWith TFS WorkstationControl, you can generate an internal BoKS CA hierarchy, which isrequired to use TFS BoKS Manager as an authentication server for users logging in usingTFS Desktop. Once you generate the BoKS CA hierarchy, you can use it to createVirtual Cards containing certificates signed by the BoKS CA to allow users secure system access.The following are key concepts of BoKS CA management: CAs can be classified to determine what the certificates they issue can be used for inthe BoKS environment. CAs and certificates are most often digitally signed by another CA to prove theirlegitimacy. The exception to this are self-signed CAs, which are not signed by anotherCA. Root CAs, the top CA in the chain, or hierarchy, are self-signed. When a CA issues a certificate, it signs the certificate with its private key. In this way,anyone with the CA's public key can always determine whether or not a certificateattributed to it is valid. Certificates can be revoked. The revocation status of certificates issued by a CA iscontrolled using Certificate Revocation Lists (CRLs). These are lists of revokedcertificates maintained by the CA. Only certificates issued by that CA appear on theCRL. If a certificate does not appear on the appropriate CRL, it is considered valid.For third-party CA certificates, TFS BoKS Manager can be configured to downloadCRLs. Certificates have a pre-determined lifespan. When a CA root certificate becomesinvalid, all certificates below it in the certificate chain automatically become invalidas well.Third-Party CAs and CertificatesIf your organization requires certificates that are trusted outside of the BoKS system,TFS BoKS Manager provides the option to use third-party CAs and certificates issued by theseCAs instead of the BoKS CAs. You can import third-party CAs into TFS BoKS Manager andperform a number of operations on the CA, including: Defining one or more LDAP URL(s) for the CA from which to download CRLs Downloading CRLs from the CA manually Blocking the third-party CA and certificates issued by that CA from use within theBoKS domainIssuance, revocation, and renewal of third-party certificates must be performed using thethird-party CA software.Automatic Trust ManagementOne of the challenges of a PKI deployment is to manage trust. It is simple enough to add orremove intermediate and root CA certificates on a server, but in order to take advantage of trustmanagement it is important to be able to push the list of trusted CA certificates on to individualusers. TFS WorkstationControl handles automatic and transparent downloading of CA trustlists from TFS BoKS Manager to each TFS Desktop. If a CA certificate is added to the list oftrusted certificates on the server, the trust will automatically be pushed to all client machines.The individual TFS Desktops will then automatically publish the trust list through Microsoft'sstandard interface. This means that all applications that rely on PKI authentication can usethe CA certificates. Examples of such applications are email clients and various encryptionapplications. If a CA certificate is removed from the trust list on the server, it will automaticallybe removed from TFS Desktop machines.Certificates for Kerberos AuthenticationIn addition to BoKS and third-party certificates, the Credential Store can store the certificatesrequired to allow users to log on to Windows 2000/XP clients running in a Windows 2000domain using Kerberos certificate-based authentication.TFS WorkstationControl / 10
TFS WorkstationControlPre-Existing User CertificatesIf your organization already has user certificates in place, TFS WorkstationControl protects thisinvestment by providing the TFS Desktop PKCS #12 import utility. The utility can be used toimport certificates and key pairs into the Credential Store. Netscape and Microsoft applicationsuse the PKCS #12 file format as their credential import/export file format. For security reasons,TFS Desktop requires that the PKCS #12 files are password encrypted.Configurable Expiration MessageThis TFS Desktop feature allows administrators to define a warning message thatdisplays a specified number of days before the expiration of the certificate that is used toauthenticate the user. The message window can also be configured to contain a link to anenrollment web page. With this feature, administrators and users need not track certificateexpiration information manually, and administrators are spared the task of communicatingcertificate expiration information to users individually.Configurable andConvenient Security FeaturesSecurity PoliciesTFS Desktop provides convenient, easy-to-use configuration modules in which administratorscan customize the solution's security features to enforce and support the security policies of theorganization. The configurable policies are Password, Logon, and Certificate.Using Password policy settings, the administrator can define: Minimum password length and minimum number of digits it must containWhether users can reuse the same password when changing passwordsWhether users can unlock their own Credential StoresWhether the current password is entered automatically in the Change Passworddialog box A TFS Desktop password management policy for managing users' Windows, network,and TFS Desktop passwordsUsing Logon policy settings, the administrator can define: Which users can log on to TFS Desktop based on information in the user certificateHow many logon attempts users are allowed in logging on to TFS DesktopLogon permissions for administrator-defined user categoriesWhether a user can shut down his or her PC without logging on to TFS DesktopWhether users are automatically logged on offline or online depending onTFS BoKS Manager availability Whether users can create their own Extended Smart Cards Whether a specific user category is allowed to log a previous user off Whether a screen saver is integrated with the lock functionUsing Certificate policy settings, the administrator can define: The order of the prioritization criteria for selection of a logon certificate When to warn users that a certificate is about to expire A link to a CA enrollment screen, from which users can obtain new user certificatesThe administrator performs the above customizations on just one installation of thesolution, which is called the reference installation. Once the administrator is satisfied withthe configuration, he or she deploys that installation to users by means of Microsoft SMS orActive Directory. It is also possible to allow users to install the configuration file themselves byplacing user machines in Elevated Privileges mode (Windows 2000/XP only).If the security policies of the organization change, the administrator can easily reconfigure andredeploy the security policy settings.TFS WorkstationControl / 11
TFS WorkstationControlStreamlined Logon ProcessTFS Desktop offers two intelligently designed features that streamline the logon process:Integrated Logon mode and Auto Logon.Integrated Logon modeWhen configured in Integrated Logon mode, TFS Desktop provides single sign-on to the user'sTFS Desktop and primary network provider. The logon information is securely encrypted in theuser's Credential Store.The first time the user logs on, the software detects that the primary logon information is notpresent inside the Credential Store. TFS Desktop prompts the user for this information and logsthe user on to the network. The logon information is then stored securely inside the CredentialStore and used for future logons by that user.If the user supplies inaccurate network authentication information, he or she is re-prompted forthe correct information.Auto LogonIn addition to storing network logon information, users can also store logon information fortheir various Windows applications using TFS Desktop's Auto Logon feature. Using the simpleLearn Wizard utility, the user "teaches" Auto Logon the information it needs to log the user onto Windows applications without his or her intervention.As with the network logon information, Windows application logon data is stored securely inthe Credential Store. When the software detects a user opening a Windows application, it fillsin the logon dialog box with the appropriate information. The user does nothing except wait forthe short interval it takes for the application to open.In addition to capturing logon information, Auto Logon allows users to view, edit, or delete thestored logon information.The Lock Function and Inactivity ProtectionA TFS Desktop-protected workstation is easily locked when a user steps away from his or herdesk. Virtual Card users double-click the TFS Desktop icon in the Windows system tray. SmartCard and Extended Smart Card users simply remove the Smart Card from the reader. Oncethe system is locked, users must re-authenticate to gain access to the system.Although TFS Desktop does not include automatic inactivity protection, it can be configured tointegrate a screen saver with the lock function. When the screen saver is activated, the usermust re-authenticate to continue using the workstation.TFS WorkstationControl / 12
TFS WorkstationControlOne System, Many SolutionsTFS Technology achieves synergy between its different solutions because they are all partof the same standards-based system that protects critical applications while complying withenterprise-wide security policies. Its central component, TFS BoKS Manager, providesnot only central administration, but also a central point of security information for otherapplications.A number of solutions are available in the system including UNIX administration, fileencryption, secure messaging, email directory synchronization, and many more.TFS currently offers subsets of these services as individual licenses.About TFS TechnologyTFS Technology is an international award-winning provider of solutions that simplify usageand administration of existing infrastructure while providing profound security for today'ssuccessful businesses. With solutions adopted in more than 1,000 organizations spanning 30countries, TFS Technology leads the world in providing value-added products and services tothe customer.The history of the company goes back to 1992 when the development work of theTFS product family was initiated within the TenFour organization. In 2001, TFS Technology wasestablished as a separate entity focusing strictly on product development of email security andconnectivity solutions. In 2002, TFS acquired key management and file encryption productsfrom RSA Security Inc., strategically positioning TFS as a comprehensi
The password strength of a Virtual Card can be greatly improved by using an RSA SecurID token. This kind of token adds two-factor authentication by providing a random, time-based passcode. The user supplies both the passcode and a normal password when he or she authenticates. The information is sent to TFS BoKS Manager, which then uses an RSA ACE/
