Hybrid Keys Vst

0 views
Skip to first unread message

Curtis Boykins

unread,
Aug 3, 2024, 11:10:24 AM8/3/24
to candverlosuc

Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the key trust model. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers.

Key trust deployments don't need client-issued certificates for on-premises authentication. Microsoft Entra Connect Sync configures Active Directory user accounts for public key mapping, by synchronizing the public key of the Windows Hello for Business credential to an attribute on the user's Active Directory object (msDS-KeyCredentialLink attribute).

This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server Active Directory Certificate Services role.
If you don't have an existing PKI, review Certification Authority Guidance to properly design your infrastructure. Then, consult the Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy for instructions on how to configure your PKI using the information from your design session.

Clients must trust the domain controllers, and the best way to enable the trust is to ensure that each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the enterprise certification authority.

Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. The certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.

By default, the Active Directory CA provides and publishes the Kerberos Authentication certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.

Inclusion of the KDC Authentication OID in domain controller certificate is not required for Microsoft Entra hybrid joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Microsoft Entra joined devices.

The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called domain controller certificate. Later releases of Windows Server provided a new certificate template called domain controller authentication certificate. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension.

The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.
The autoenrollment feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the Kerberos Authentication certificate template.

The certificate template is configured to supersede all the certificate templates provided in the superseded templates list.
However, the certificate template and the superseding of certificate templates isn't active until the template is published to one or more certificate authorities.

The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a non-Microsoft CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.To see all certificates in the NTAuth store, use the following command:

The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue, including the pre-published templates from the role installation and any superseded templates.

The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.

A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.

If you plan to deploy Microsoft Entra joined devices, and require single sign-on (SSO) to on-premises resources when signing in with Windows Hello for Business, follow the procedures to update your CA to include an http-based CRL distribution point.

Domain controllers automatically request a certificate from the Domain controller certificate template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. For domain controllers to automatically enroll and renew of certificates, configure a GPO for automatic certificate enrollment, and link it to the Domain Controllers OU.

Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful deployment is to validate phases of work prior to moving to the next phase.

Certificates superseded by your new domain controller certificate generate an archive event in the Event Log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.

You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use certlm.msc to view certificate in the local computers certificate stores. Expand the Personal store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager.

You can use certutil.exe command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run the following command:

Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions.

This blog will review the second PQ VPN component based on two additional standards - RFC 9242 Intermediate Key Exchange and RFC 9370 IETF Multi-key Implementation in IKEv2. With these technologies, customers can create crypto profiles to allow the firewall and its peer to negotiate up to 8 (1 IKEv2 default/classic KEM and an additional 7 PQ KEMs) rounds of key exchange to produce a hybrid key.

In this example, we use classic DH Group 21 to ensure the key is resistant to any of today's (pre-QC) attacks. The hybrid key is created by adding three additional KEM rounds with ML-KEM (Crystals-Kyber), BIKE-L1, and HQC, one after the other. The result is a key based on three PQ KEM and DH technologies.

For a quantum attack to succeed, all KEMs used in the hybrid key exchange would need to fall to a vulnerability. Using at least 3 KEM methods would ensure a relatively robust hybrid key that can be used for symmetric encryption with AES-256. Customers can select which PQ KEMs are used and quickly switch out weak or vulnerable KEMs with crypto-agility capabilities.

Block IKEv2 if Vulnerable Cipher is Used: If enabled (checked), the NGFW performs a lookup in its vulnerable cipher list and blocks vulnerable ciphers from being used in any new IKEv2 negotiations. The blocked cipher is logged to allow administrators to see the reason why an IKEv2 peering failed. Existing IKEv2 peerings are allowed to continue operating to prevent disruptions to the network, and event messages are logged to inform the administrator of the compromised PQCs being used.

Best Practice Tip If a vulnerable cipher is allowed, the resulting key may be broken by a QC in the future with a harvesting attack. The best practice is to replace all vulnerable ciphers as soon as possible and to not use the affected cipher in any new IKEv2 peerings. You can replace the vulnerable cipher by unselecting it and substituting it with a good cipher from the crypto list in each of the negotiation rounds.

With the addition of hybrid key support, you can also select a supported PQ KEM as the first IKEv2 KEM in the DH GROUP selection list and omit the classic exchange. If you decide to only use PQ KEMs in the first (default) key exchange, IKEv2 creates a hybrid key without any classic DH key exchanges, allowing you to move to a pure PQ KEM IKEv2 peering environment.

You can also elect not to use any additional KEM rounds after the default IKEv2 key exchange, which allows you to perform a 1:1 substitution of the classic DH KEM for a PQ KEM. For example, you can migrate from classic Diffie-Hellman to Crystals-Kyber directly without using a hybrid key as a transition strategy.

In our example, Round 1 tries to negotiate one of the ML-KEM (Kyber-768) with the responder to create a hybrid key. If the responder can also support one of the Crystals-Kyber ciphers, the resulting key is created using DH Group 19 and Crystals-Kyber.

c80f0f1006
Reply all
Reply to author
Forward
0 new messages