Dreez's Microsoft PKI Single Sign-On Project
Revision Control
| Date | Modifications |
| 2/1/2001 | Initial Description |
| 3/3/2001 | VPN Project, AD Modifications |
Contact Dreez: mje@secev.com
Overview
I must come out of the closet and admit "I LOVE PKI". I love how its quirky mathematical basis in prime numbers solves a plethora of e-commerce non-repudiation problems. I love how the totient function eliminates difficult key management problems. I love how it integrates into all facets of the technical spectrum, from physical entry systems to code-signing ActiveX applets. And most importantly, I love how it will once and for all eliminate the need for passwords in my lifetime, because as a security professional I know that weak and unmanaged passwords account for many of the security issues associated with organizational security problems.
I've been following PKI since 1988, and only in the last several years has it also started coming out of the closet and made itself useful for the common person. For example, when I go to Etrade to buy stock, I have a pretty good idea that I'm talking to Etrade and not a hacker site because the X.509 certificate is labeled Etrade (Yes Bruce Schneier, I know about URL redirection tricks, but work with me for now). PKI ensures it's Etrade without hassling the end user with any geeky commands or menus. Even my wife, the Occupational Therapist who formerly hated computers, is now able to use PKI, a statement I was not able to make several years ago.
Although we have taken a great step forward, PKI is still in somewhat of a holding pattern. I feel there are several reasons for this holding pattern:
Core technology: PKI is authentication, and authentication is the core of networked environments. PKI cannot be bolted on as an afterthought, because as applications and OSes move on to new versions, PKI has to move with them to remain compatible.
Integration: PKI is not a standalone technology. It must integrate with every application, DNS, TCP/IP, LDAP directories, audit systems, etc. If the moons don't align perfectly, PKI won't work.
Complexity: PKI is a very complex technology conceptually AND implementation-wise. Only certain people with certain skills know how to architect, install, and debug these products. People with good PKI skills must be technical Swiss Army Knives.
Proprietary technology: No PKI environment integrates cleanly with Microsoft environments. 3rd party products will always be running months to years behind Microsoft technology because Microsoft has so many products and so many versions. 3rd party products may work well under Windows NT SP6a with Outlook 2000 pre-SP1, but won't work with Outlook Express on the same box.
Ivory Tower Standards Committees: The ivory tower types just won't leave well enough alone. PKI is complex enough as is without throwing in things like V3 extension fields, key usage, policy mappings, etc. We are having a difficult enough time integrating the basic authentication portion of PKI without having to worry about the rest of the kitchen sink.
LDAP: Where does one store certificates? Usually in some sort of a directory. Mature directory services are common in Novell shops and Netscape/Unix intensive shops, but in Microsoft-land directory services were just invented in the year 2000. So the integration between Microsoft certificates and Microsoft directory services is still in the learning phase.
CRLs: How does one know a certificate is valid? Using Certificate Revocation Lists (CRLs). Imagine if it took 2 minutes to open every email message you got. That's because in the background your email client is searching the world for a CRL that will confirm or deny whether the certificates associated with your email message are valid. Would this make you happy? CRLs are very complex, especially in heterogeneous environments.
Because I love PKI so much, I'm on a mission to smash these barriers and bring PKI to the masses. I feel strongly that we are on the edge of taking the big plunge for the following reasons:
Microsoft Active Directory: Microsoft finally has a directory that (will) cleanly integrate with 95% of the desktop world. My acid test on this is when I am in Outlook and I click on the "To" button, I quickly see a list of users that I may send encrypted messages to. In many PKI environments, you must cut/paste names/certificates or view 3rd party directory listings.
Microsoft Standards: Microsoft will use its market muscle to push its standard of PKI into the marketplace. Vendors who want their products to work with 95% of the world will write to the Microsoft standard. The ivory tower types had their chance and built a good baseline, but now it's time for the real world to take over (for better or worse).
GUI: Until this past year or so, getting PKI to work involved arcane intellectual exercises in frustration. The GUI is finally starting to simplify much of the complexity, therefore permitting greater market penetration.
Passwords: I'm a security professional and I am completely guilty of violating every password policy ever issued. There are far too many passwords in my life, so YES I have written a password down on yellow post-it notes, YES I have lent my password to my co-workers to fix my machine, YES I have changed my password from "password1" to "password2", YES YES YES. Take me out back and shoot me with all the other password criminals, but the problem is only growing worse. Besides the obvious end-user and administrative abuses, the problem with passwords is that they are kept in a centralized database. If you think like a hacker for a moment, where would you attack to get all the user passwords? No, biometrics do not solve the password problem, because the biometric signatures are also kept in a centralized database (refer to Bruce Schneier's book on the evils of passwords and biometrics). For these reasons, passwords are evil incarnate and I am on a mission to eliminate them from all our lives no matter what it takes. PKI is the ONLY alternative to passwords that makes sense.
Availability: PKI software is coming down dramatically in cost and in some cases can be implemented at little or no cost. This makes the technology more available to developers and integrators such as myself to test drive, and of course more available to end users to actually implement.
The PKI Project Itself
My goal is to provide the integration technology to help companies move past these PKI roadblocks. In order to achieve this goal, I decided to take on a single sign-on PKI environment that I've been dreaming about since 1988. Now I know that single sign-on means different things to different people, but for me I just picked the first four applications that people use 90% of the time:
and figure that once 90% of the world is using PKI for these applications, the other applications will fall in-line. I am listing them in the anticipated order of the project.
Next, I decided to build an environment that I felt (will) model many corporate environments and integrate these four applications into the model environment with single sign-on. The environment is depicted below and is composed of:
Microsoft Windows 2000 Server Environment based on Active Directory - Goal is for all users and certificates to reside on this machine
Mixed Windows 98/NT/W2K internal workstations - I will support any type of Windows desktop, but prefer W2K.
Laptop traveling users with 98/NT/W2K - I will support any type of Windows laptop, but prefer W2K
Microsoft Exchange 2000 Server - E2K has complete AD integration with respect to PKI, so I prefer this platform versus duct-taping things together with Exchange 5.5 SP3
Exchange 2000 OWA - Remote users will have the option of using full Outlook 2000 or OWA to access the server.
Microsoft Certificate Server CA - Not as mature as other PKI products, but the seamless integration and cost are so sweet.
Checkpoint VPN-1 Firewall - Hey, everyone has one of these and we are a big Checkpoint shop, so it's only natural. Besides, the management interface is pretty sweet.
Checkpoint SecureClient VPN client - I've seen better, and it's a pain to install, debug and manage, but there are a lot out there and I like the firewall features.
Gemplus GemPC 410 smartcard readers - These are the only readers that I can get PnP to actually work with W2K, so by default they win.

My design goals for this project are:
Limit complexity - One certificate to log into the world with, eliminate all the PKI fluff that is bogging down PKI.
Functionality wins - Functionality and ease-of-use over security at all times. Just the fact that I am ridding the world of a centralized user/password database means I am winning. Forget all the other security fluff that raises the ire of users causing them to end-run security.
Centralized control - Centralized database within Active Directory/LDAP
Distributed administration - Distributed management of centralized database (e.g. VPN GUI can manage VPN users, but centralized database keeps all user info)
Avoiding doing CEO stuff - I'm a CEO, but with a geek habit that I have to feed
Let's Get Started
As I stated previously, I have chosen four applications:
as a base for my project. VPN was my first choice because most businesses are deploying VPNs as new technology, and thus it is easier to integrate PKI into something new than to retrofit PKI into core applications such as login or email. An additional reason for choosing VPNs is that I can modify the basic infrastructure (Active Directory - This was fun for LDAP wannabes, check it out) to support a new application (VPNs) without any visible impact on the organization. If I decided on implementing email first, the organization would notice the changes made to their email environment and I would be under pressure to get it right the first time. Instead, by working with VPNs, the organization is oblivious to infrastructure modifications and they get the benefit of VPN connectivity.
Related Info
1. Appendix
2. VPN FAQ
Watch Me Have Fun
I'm having a great time doing this, and want to share that fun and experience with everyone. This project is intended as a living experiment that I will be updating as I make progress. I am hoping to have this done by June 2001, but am making no promises.
Please feel free to contact me with your ideas and input.
Qualifications
I'm not very good at web pages and artsy stuff, so just enjoy the content and ignore the rest.
I make no claims that my project will work in your environments. I assume no liability for information provided in this project.
Thanks To:
Dan Endrizzi, Al Berg, Chris Tobkin - Checkpoint and security gods
Jim Nelson - My boss that got me the hardware/software
My co-workers the guinea pigs
Love ya,
dreez
Copyright 2006, Security Evolution, Inc.