Methods and means of secure authentication in Windows 7
Krzysztof Bińkowski, MCT Trainer, Security/Forensics
28.04.2011
Agenda
• A few words about me
• Authentication = Uwierzytelnienie
• Authentication / Authorization
• Authentication methods: 1FA/2FA/3FA
• Smart card authentication
• Smart card + biometric authentication
• Biometric authentication
• Face authentication
• Online Identity Integration
A few words about me
I hold several certifications:
• MCT, MCSA/MCSE+Security, MCITP SA/EA
• ACE (AccessData Certified Examiner)
• ACI (AccessData Certified Instructor)
• Novell CNA/CNE
Day to day:
• Microsoft technology / security / forensics trainer at COMPENDIUM Centrum Edukacyjne
• Specialisation: Windows systems / security / PKI / forensics
• I specialise in computer forensics
• Community notary for CAcert / StartSSL
• Member of the following organisations:
• ISSA Polska
• SIIS (Stowarzyszenie Instytut Informatyki Śledczej)
• SEClub
• Co-leader of the MSSUG group
Authentication
• Authentication = Uwierzytelnienie
The word "autentykacja" does not exist in the Polish dictionary.
• Authorization = Autoryzacja
Authentication / Authorization?
User → Resource
Who are you?
Authentication: Are you who you claim to be?
Are you on the list?
Authorization: Have you been granted permissions to the resources you are trying to reach, e.g. through an ACL?
What does the list say you can do?
Access: Which actions your granted permissions allow you to perform.
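The three questions above are three separate decisions, and each one can only narrow what the previous one allowed. The following Python model is an added illustration (not code from the presentation); the user store, the ACL, the resource names and the static salt are constructed sample data.

```python
"""Authentication, authorization and access as three separate decisions.

Added illustration, not from the presentation. USERS, ACL, the resource
names and the salt are constructed sample data.
"""
import hashlib
import hmac


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the store holds derived keys, never plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data. A real store uses a random salt per user.
_SALT = b"constructed-static-salt"
USERS = {                               # "Who are you?"
    "alice": _derive("correct horse", _SALT),
    "bob": _derive("battery staple", _SALT),
}
ACL = {                                 # "Are you on the list? What may you do?"
    "payroll.xlsx": {"alice": {"read", "write"}},
    "readme.txt": {"alice": {"read"}, "bob": {"read"}},
}


def authenticate(user: str, password: str) -> bool:
    """'Are you who you claim to be?' True only for a matching user/password pair."""
    # Run the KDF even for unknown names so the response time does not reveal
    # which usernames exist.
    candidate = _derive(password, _SALT)
    stored = USERS.get(user)
    if stored is None:
        return False
    # Constant-time comparison of the two derived keys.
    return hmac.compare_digest(stored, candidate)


def authorize(user: str, resource: str) -> set:
    """'Are you on the list?' Returns the rights granted on the resource (empty = denied)."""
    return set(ACL.get(resource, {}).get(user, set()))


def access(user: str, password: str, resource: str, action: str) -> str:
    """Run the three stages in order; a later stage never widens an earlier one."""
    if not authenticate(user, password):
        return "authentication failed"
    rights = authorize(user, resource)
    if not rights:
        return "not authorized for resource"
    if action not in rights:
        return f"authorized, but '{action}' not permitted"
    return "access granted"


if __name__ == "__main__":
    for args in [("alice", "correct horse", "payroll.xlsx", "write"),
                 ("bob", "battery staple", "payroll.xlsx", "read"),
                 ("bob", "battery staple", "readme.txt", "write"),
                 ("mallory", "anything", "readme.txt", "read")]:
        print(args, "->", access(*args))
```

Note that `authenticate` answers only the identity question: Bob authenticates successfully yet is refused `payroll.xlsx`, and he is refused `write` on `readme.txt` even though he is on that file's list. Keeping the answers distinct is what lets an audit log say which stage refused a request.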
Authentication and Authorization Process
Windows Authentication
Windows authentication methods include:
• Kerberos version 5 protocol: used by Windows 7 clients and servers running Microsoft Windows Server 2000 or later
• NTLM: used for backward compatibility with computers running pre-Windows 2000 operating systems and some applications
• Certificate mapping: certificates are used as authentication credentials
SECURE AUTHENTICATION
Factors:
• What You Know: passwords & PINs
• What You Have: smart cards & tokens
• What You Are: biometrics
Combinations:
• Traditional Two-Factor Authentication (2FA)
• Convenient Two-Factor Authentication (2FA)
• Most Secure Three-Factor Authentication (3FA)
New Authentication Features in Windows 7
• Smart cards: several new authentication features are available for use with smart cards, including:
• Kerberos support for smart card logon
• Encrypting removable media using BitLocker, with the smart card option to unlock the drive
• Document and e-mail signing
• Biometrics: Windows Biometric Framework (WBF) provides support for fingerprint biometric devices through a new set of components
• Online Identity Integration: a new Group Policy setting is available that controls the ability of online IDs to authenticate to a computer
Smart card in Polish
Karta inteligentna? Karta elektroniczna? Karta chipowa? Karta kryptograficzna? Karta mikroprocesorowa? (intelligent card? electronic card? chip card? cryptographic card? microprocessor card?)
Structure of a smart card:
• Has a built-in processor
• Is programmable
• Provides secure storage for private keys
• Separates security-critical operations from the computer
The card stores:
• Private key
• Public key
• Associated certificate
Types of cards
Card or not a card?
• Sometimes USB tokens are also called smart cards
Card readers
Smart Cards
✓ Smart card-related Plug and Play
✓ Kerberos support for smart card logon
✓ Encrypt removable media using BitLocker and using the smart card option to unlock the drive
✓ Document and e-mail signing
✓ Used with line-of-business applications to enable certificate use with no additional middleware
• DEMO
• http://www.mysmartlogon.com/products/eidauthenticate.html
Gemalto .NET Bio
4 modes - 4 ways of authenticating
• PIN or fingerprint authentication: prompt "Please swipe your finger OR enter your PIN"
• PIN authentication: PIN entry only
• Fingerprint authentication: prompt "Please swipe your finger on the biometric reader."
• PIN and fingerprint authentication: prompt "Please swipe your finger first, then enter your PIN"
(The Biometric Verification dialog offers "Select Finger", "Swipe finger", OK / Cancel and a "Click here for more information" link.)
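The 1FA/2FA/3FA slide counts distinct factor categories, not credentials, and the four card modes above differ precisely in how many categories an attacker must defeat. The Python below is an added illustration (not code from the presentation or from Gemalto): it classifies each credential into the know/have/are category from the slide, counts distinct categories, and rates an "OR" policy by its weakest alternative. The credential names and the policy combinations are constructed; the four mode names follow the slide.

```python
"""Counting authentication factors the way the 1FA/2FA/3FA slide does.

Added illustration, not from the presentation. Credential names and the
policy combinations below are constructed examples.
"""
from enum import Enum


class Factor(Enum):
    KNOW = "what you know"
    HAVE = "what you have"
    ARE = "what you are"


# Category of each credential type (constructed mapping; extend as needed).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "smart_card": Factor.HAVE,
    "usb_token": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
}


def factor_count(credentials) -> int:
    """Number of DISTINCT categories: password + PIN is still one factor."""
    return len({CREDENTIAL_FACTOR[c] for c in credentials})


def mode_strength(policy) -> int:
    """policy: list of alternative credential sets (OR between sets, AND within a set).

    The guaranteed strength is the weakest alternative, because an attacker
    chooses which path to attack.
    """
    return min(factor_count(alternative) for alternative in policy)


# The four card modes from the slide. The card itself is always present
# (what you have); the mode decides what must accompany it.
CARD_MODES = {
    "PIN or fingerprint": [{"smart_card", "pin"}, {"smart_card", "fingerprint"}],
    "PIN": [{"smart_card", "pin"}],
    "fingerprint": [{"smart_card", "fingerprint"}],
    "PIN and fingerprint": [{"smart_card", "pin", "fingerprint"}],
}


def classify(mode: str) -> str:
    """Return the slide's label ('1FA', '2FA', '3FA') for a card mode."""
    return f"{mode_strength(CARD_MODES[mode])}FA"


if __name__ == "__main__":
    for mode in CARD_MODES:
        print(f"{mode:>20}: {classify(mode)}")
    # A password-OR-fingerprint fallback collapses to a single factor.
    print("password or fingerprint:", mode_strength([{"password"}, {"fingerprint"}]), "FA")
```

The "PIN or fingerprint" mode is the convenient one, but because either path alone unlocks the card it rates 2FA, the same as PIN only; only "PIN and fingerprint" reaches the 3FA of the slide. The same `mode_strength` rule exposes a common misconfiguration: a "password or fingerprint" fallback on a workstation is 1FA, since the attacker simply takes the password path.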
Biometric
✓ Windows Biometric Framework (WBF) provides support for fingerprint biometric devices through a new set of components
✓ A common API facilitates development of applications using biometrics
✓ Through a new Control Panel item, users can control the availability and use of biometric devices
✓ Device Manager support for managing drivers for biometric devices
✓ Group Policy settings to enable, disable, or limit the use of biometric data for a local computer or domain
• DEMO
Face Authentication
• DEMO
• http://luxand.com/index.php
Online Identity Integration
✓ A new Group Policy setting is available that controls the ability of online IDs to authenticate to a computer
✓ Online IDs can be used to identify individuals within a network
✓ Users must link their Windows user account to an online ID to facilitate authentication
✓ Authentication occurs through the use of certificates
✓ Does not affect domain accounts or local user accounts logging on to the computer
Online Identity Integration
What's the benefit of linking my online IDs with my Windows user account?
If you have an online account, such as an e-mail account, you can link that account with your Windows user account. Linking these accounts provides the following benefits:
• People can share files with you on a homegroup using your online ID instead of having to create a Windows user account for you on their computer.
• You can use your online ID to access your information on other computers on a network, such as accessing files on a home computer from your work computer.
Linking your account is a two-part process. First, you need to add your online ID provider, and then you need to link your online ID with your Windows user account.