Monday, December 13, 2010

Microsoft Online Demo Solutions

Update 8/10/2011: Unfortunately Microsoft decided to stop the demo.

If you are looking for a demo-ready environment with fast and hassle-free installation, have a look at the Business Ready Security demo from Microsoft. There is an online demo: just start it or schedule it for 1 to 6 hours, perfect for a customer demo or a quick look into the products or configurations. Or download a set of Hyper-V VMs and run them on your own host. The Hyper-V VMs are trial versions, but you can install additional software or connect them to your mail system as you want.
The online demos can save a lot of time! So try the online demo today and if it works well for you, download it and run it on your own iron.

Just a few of the installed products: ADFS, AD, UAG, TMG, Office, SharePoint, Exchange, RMS, RSA DLP, FIM IdM


Tuesday, August 31, 2010

ISSA International Conference Atlanta, GA - Sep 16 2010

Don't miss the ISSA International Conference

Looking forward to seeing you there.

Wednesday, July 7, 2010

Key recovery agent certificate for a Windows CA

You might know that the key archival option is included only in the Windows Enterprise editions of 2003, 2003 R2, 2008 and 2008 R2.
It is used to keep a backup of each user certificate in case the user loses her certificate or leaves the company. Make sure that you follow all legal procedures. But back to the technical part. If you follow the standard procedures in all Microsoft documents you have to deal with certificate templates, publish the template, deal with access permissions, log on as a user and request a key recovery agent (KRA) certificate, and the private key ends up stored on a Windows machine.

With OpenSSL you can create the private key and certificate on a secured standalone machine; Windows or Unix does not matter. For example, copy the KRA certificates to smart cards and copy only the public part of the certificate to the CA.

Howto:
- add in the openssl.cnf new_oids section the line
KEY_RECOVERY_AGENT=1.3.6.1.4.1.311.21.6
- add in the openssl.cnf v3_ca section these two lines
keyUsage=keyEncipherment
extendedKeyUsage=KEY_RECOVERY_AGENT
- remove or comment out the line basicConstraints = CA:true
- generate a new RSA key
openssl genrsa -aes256 -out kra1.key 2048
- generate a self-signed certificate for x days; x can be at most the validity of the CA certificate
openssl req -new -x509 -days 365 -key kra1.key -config openssl.cnf -out kra1.cer
- copy only kra1.cer to the CA and import it also into the Root CA store to make it valid for the CA service. Adding it to the Root CA store is only necessary on the CA itself; there is no need to do so on any other servers or clients in your environment.
- configure the KRA1 certificate in the CA.

Certutil -f -enterprise -addstore KRA KRA1.cer
Certutil -f -enterprise -addstore Root KRA1.cer

Go through the same procedure for a KRA2.

If you wanna have that as a PFX file:
openssl pkcs12 -export -in kra1.cer -inkey kra1.key -out kra1.pfx
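Before running the certutil commands above it is worth checking that the file you copied to the CA really is the KRA certificate and not, say, a leftover CA:true self-signed cert. The following is an added example, not code from the original post: a standard-library DER walker that looks for the extendedKeyUsage extension and reports whether the KEY_RECOVERY_AGENT OID from the howto is listed. The certificate-shaped sample it builds is constructed for the demonstration and is not a real certificate; point the script at your own kra1.cer (DER encoded) to check a real one.

```python
# Added example (not from the original post): verify that a DER-encoded
# certificate such as kra1.cer carries the Key Recovery Agent EKU before it
# goes into the CA's KRA store.  Pure standard library, no OpenSSL binding.
from typing import Iterator, List, Tuple

OID_EKU = "2.5.29.37"              # id-ce-extKeyUsage
OID_KRA = "1.3.6.1.4.1.311.21.6"   # KEY_RECOVERY_AGENT, the OID from the howto


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as DER content bytes (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    """Inverse of encode_oid."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def tlv_iter(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each TLV in a DER byte string."""
    i = 0
    while i + 1 < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + n]
        i += n


def find_eku_oids(blob: bytes) -> List[str]:
    """Depth-first walk of every constructed node until an Extension whose
    extnID is id-ce-extKeyUsage is found; return the OIDs it lists."""
    stack = [blob]
    while stack:
        items = list(tlv_iter(stack.pop()))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if items and items[0][0] == 0x06 and items[0][1] and decode_oid(items[0][1]) == OID_EKU:
            seq_of_oids = next(tlv_iter(items[-1][1]))[1]   # unwrap the OCTET STRING
            return [decode_oid(v) for t, v in tlv_iter(seq_of_oids) if t == 0x06]
        for tag, content in items:
            if tag & 0x20:                # constructed tag: descend into it
                stack.append(content)
    return []


def is_kra_certificate(blob: bytes) -> bool:
    return OID_KRA in find_eku_oids(blob)


def build_sample(eku_oids: List[str]) -> bytes:
    """Constructed, certificate-shaped DER for the demo (NOT a real certificate):
    SEQUENCE { SEQUENCE { [3] SEQUENCE OF Extension } } carrying the given EKUs."""
    ext_value = der(0x04, der(0x30, b"".join(der(0x06, encode_oid(o)) for o in eku_oids)))
    extension = der(0x30, der(0x06, encode_oid(OID_EKU)) + ext_value)
    return der(0x30, der(0x30, der(0xA3, der(0x30, extension))))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:       # e.g. kra1.cer in DER encoding
        print("KRA EKU present:", is_kra_certificate(f.read()))
```

The walker only descends into constructed tags, so it passes over signature bit strings and key material without trying to parse them, and it stops at the first extKeyUsage extension it meets, which in a real certificate is the only one.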

Best practice:
- Never copy the private key to the CA itself
- Secure your KRA with a password or move it to a set of smart cards
- Have at least 2 KRAs installed and set the CA to use all of them!!
- Use at least a 2048 bit key
- Verify access to the KRA on a regular basis, e.g. every 12 months
- Have an approved process for key escrow and data recovery

Check for new email via TLS secured IMAP or POP

You can check POP and IMAP with telnet, e.g. telnet mail.domain.com 143. But how do you do this with TLS? Run it with openssl.exe and don't forget the -crlf (carriage return line feed) parameter.

c:\openssl\openssl.exe s_client -crlf -connect mail.domain.com:995
* OK The POP3 service is ready.

Then you can use the USER and PASS commands to authenticate to the POP server. LIST will show you the mailbox content. To retrieve a message, call RETR followed by the message number.
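The same check scripted in Python, as an added example that is not part of the original post. It does what the manual s_client session above does (connect on 995, log in, LIST), but with the chain and hostname verified by the default SSL context; host, user and password are placeholders you supply. The two parser functions handle the status line and the LIST body so the result can be used programmatically.

```python
# Added example (not from the original post): POP3 over TLS from Python with
# certificate verification, plus parsers for the status and LIST responses.
import poplib
import ssl
from typing import Dict, List, Tuple


def parse_status(line: bytes) -> Tuple[bool, str]:
    """Split a POP3 status line: '+OK text' -> (True, text), '-ERR text' -> (False, text)."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    if text.startswith("+OK"):
        return True, text[3:].strip()
    if text.startswith("-ERR"):
        return False, text[4:].strip()
    raise ValueError("not a POP3 status line: %r" % text)


def parse_list(lines: List[bytes]) -> Dict[int, int]:
    """Turn the LIST body ('1 1234', '2 567', ...) into {message number: size in octets}."""
    sizes: Dict[int, int] = {}
    for raw in lines:
        num, octets = raw.decode("ascii").split()[:2]
        sizes[int(num)] = int(octets)
    return sizes


def check_mailbox(host: str, user: str, password: str, port: int = 995) -> Dict[int, int]:
    """Log in over implicit TLS (port 995) and return the mailbox listing."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    conn = poplib.POP3_SSL(host, port=port, context=ctx, timeout=30)
    try:
        ok, banner = parse_status(conn.getwelcome())
        if not ok:
            raise RuntimeError("server refused connection: " + banner)
        conn.user(user)          # poplib raises error_proto on a -ERR reply
        conn.pass_(password)
        status, lines, _octets = conn.list()
        ok, text = parse_status(status)
        if not ok:
            raise RuntimeError("LIST failed: " + text)
        return parse_list(lines)
    finally:
        conn.quit()


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python pop3check.py mail.domain.com username   (password is prompted)
    print(check_mailbox(sys.argv[1], sys.argv[2], getpass.getpass()))
```

Two things worth knowing when you stay with the manual method: s_client does not abort when the server certificate fails verification, it only prints the result in its "Verify return code" line, so read that line before typing PASS; and for the plain ports 110 and 143, where TLS is negotiated after connecting, s_client needs -starttls pop3 or -starttls imap instead of a direct connect.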


Saturday, July 3, 2010

Copy & paste error on certificate serial number or thumbprint

It is often useful to copy a certificate serial number or thumbprint to the clipboard. Both, especially the thumbprint, can be used to securely identify a certificate, e.g. for certificate-based authentication or for accepting only requests from a specific agent.
You can easily mark the serial number or thumbprint with the mouse and a left click and then press Ctrl+C to copy it to the clipboard. The strange thing is an extra character on the left, before the hex numbers. If you paste it into Notepad you will not see that extra character. On the command line or in PSPad there is a question mark, e.g.
?‎14 c4 ff ce 00 01 00 00 00 14

In FIM 2010 policy modules or in your application you just have to delete the first one or two characters of your serial and type them again.
Seen on Windows XP, 2003 and Windows 2008 R2.

Monday, June 28, 2010

Outlook 2010 weak email encryption


For an unknown reason Microsoft has changed the encryption behaviour of Outlook 2010. If there is no SMIME capabilities attribute in the user certificate, Outlook will use RC2 40-bit encryption without any warning to the sender or recipient.
In Outlook 2003 and 2007 the fallback encryption mechanism is 3DES 168-bit; in 2002 (XP) it was also RC2 40-bit.
Monday, March 29, 2010

Easy certificate export from IE internet options

If you were ever wondering why exporting certificates from Internet Explorer's Internet Options is so hard, check out this easy method with drag & drop.
btw: export as DER encoded binary is fine for Windows systems and for adding a user certificate to one of your Outlook contacts; base64 encoded is perfect for openssl-based applications or if you need to transfer a certificate via the clipboard from your local host into an RDP session or vice versa; export as PKCS#7 (p7b) is good if you need to export a user or machine certificate with the complete certificate chain. The exported p7b file is in binary format.
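An added example, not code from the original posts, that ties the clipboard post above and this export post together: it converts between DER and the base64 (PEM) form you would paste through an RDP session, computes the thumbprint Windows shows (SHA-1 over the DER bytes), and normalises a thumbprint pasted from the certificate dialog by dropping the invisible leading character (the Unicode left-to-right mark, U+200E, which is what the question mark in the earlier post stands for) together with spaces and colons, so a comparison in your own code does not fail on it. SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
# Added example (not from the original posts): thumbprint normalisation,
# DER <-> PEM conversion for clipboard transfer, and SHA-1 thumbprint.
import base64
import hashlib
import re
import textwrap
from typing import List

NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_thumbprint(pasted: str) -> str:
    """Keep only hex digits: strips spaces, colons and the invisible U+200E mark
    that the Windows certificate dialog puts in front of the copied value."""
    return NON_HEX.sub("", pasted.lower())


def hidden_chars(pasted: str) -> List[str]:
    """Report the non-printable code points in a pasted value, as U+XXXX strings."""
    return ["U+%04X" % ord(c) for c in pasted if not c.isprintable()]


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64 body wrapped at 64 columns between BEGIN/END lines (what 'base64 encoded' exports)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def thumbprint(der: bytes) -> str:
    """The value Windows labels 'Thumbprint': SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest()


def thumbprint_matches(pasted: str, der: bytes) -> bool:
    """Compare a pasted thumbprint with a certificate after normalising the pasted text."""
    return normalize_thumbprint(pasted) == thumbprint(der)


# Constructed placeholder for certificate bytes (a small DER SEQUENCE, not a real certificate).
SAMPLE_DER = bytes.fromhex("300d06092a864886f70d01010b0500")

if __name__ == "__main__":
    pasted = "\u200e14 c4 ff ce 00 01 00 00 00 14"   # as copied from the dialog, constructed
    print(hidden_chars(pasted), normalize_thumbprint(pasted))
    print(der_to_pem(SAMPLE_DER), thumbprint(SAMPLE_DER))
```

If you store thumbprints in configuration or policy, run them through a normaliser like this at load time; a raw string compare against a value that still carries U+200E silently never matches.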
Friday, February 5, 2010

What is really encrypted in a S/MIME protected e-mail?

I was wondering what is protected in an S/MIME e-mail and what is in plain text.
The sender's address and the recipient's address are readable, as is the subject. And so are all SMTP headers, e.g. the gateway DNS name or IP address from which I got the e-mail. So far so good; I cannot deny that I got an e-mail or that I sent an e-mail. I should also be careful with my e-mail subjects.
Also good is that attachment file names are encrypted as well, and even on BCC mails the encryption is done per recipient, so you cannot see the other recipients, e.g. in the list of encryption certificate serials used.
c:\temp>certutil.exe smime.p7m

....
No Signer
Recipient Count: 2

Recipient Info[0]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 169ad538
Issuer: CN=Verified Email, O=TrustedRoot.org

Recipient Info[1]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 9d71
Issuer: CN=StartCom Class 1 Primary Intermediate Client CA, OU=Secure Digita
l Certificate Signing, O=StartCom Ltd., C=IL

No Certificates
No CRLs
CertUtil: -dump command completed successfully.
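An added example, not code from the original post: a small parser for the recipient section of that certutil dump, so a script can answer "which certificates was this .p7m encrypted to?" (for instance when checking that an archived message can still be recovered with a KRA-restored key). The sample text is the certutil output quoted above, including the console line wrap inside the second issuer name, which the parser joins back together.

```python
# Added example (not from the original post): parse 'certutil smime.p7m'
# output into a list of (issuer, serial) recipient identifiers.
import re
from typing import Dict, List, Optional

# Sample input: the certutil output quoted in the post (constructed copy).
SAMPLE_DUMP = """\
No Signer
Recipient Count: 2

Recipient Info[0]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 169ad538
Issuer: CN=Verified Email, O=TrustedRoot.org

Recipient Info[1]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 9d71
Issuer: CN=StartCom Class 1 Primary Intermediate Client CA, OU=Secure Digita
l Certificate Signing, O=StartCom Ltd., C=IL

No Certificates
No CRLs
CertUtil: -dump command completed successfully.
"""

RECIPIENT_HDR = re.compile(r"^Recipient Info\[(\d+)\]:")


def parse_dump(text: str) -> dict:
    """Return {'signed': bool, 'recipient_count': int|None, 'recipients': [{index, serial, issuer}]}."""
    info: dict = {"signed": True, "recipient_count": None, "recipients": []}
    current: Optional[Dict] = None
    continuing_issuer = False          # set while an 'Issuer:' value may wrap to the next line
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continuing_issuer = False  # a blank line ends the recipient block
            continue
        hdr = RECIPIENT_HDR.match(line)
        if line == "No Signer":
            info["signed"] = False
        elif line.startswith("Recipient Count:"):
            info["recipient_count"] = int(line.split(":", 1)[1])
        elif hdr:
            current = {"index": int(hdr.group(1)), "serial": None, "issuer": None}
            info["recipients"].append(current)
            continuing_issuer = False
        elif current is not None and line.startswith("Serial Number:"):
            current["serial"] = line.split(":", 1)[1].strip().lower()
            continuing_issuer = False
        elif current is not None and line.startswith("Issuer:"):
            current["issuer"] = line.split(":", 1)[1].strip()
            continuing_issuer = True
        elif current is not None and continuing_issuer:
            current["issuer"] += line       # console wrapped mid-word: join without a space
    return info


def encrypted_to(info: dict, serial: str) -> Optional[str]:
    """Issuer of the recipient entry with this serial, or None if the message was not encrypted to it."""
    wanted = serial.strip().lower()
    for r in info["recipients"]:
        if r["serial"] == wanted:
            return r["issuer"]
    return None


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for r in parsed["recipients"]:
        print(r["index"], r["serial"], r["issuer"])
```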

Tuesday, January 26, 2010

Hire and fire

Managing digital identities is an open field. Some users have more than one identity, others get a new surname after marriage, and of course some users change company. So no mystery, just the life of a human.
But let us have a look at it the way a corporate manager of identity management needs to. Our company hires people and often they leave the company after a while. Others are happy and can retire. I see two points in this: 1. People come and go, but 2 persons can have the same name. 2. When they leave, what do we do with the data and the digital identities left behind?
1.) E.g. Bob Drake is a new employee with userid bobdr and email bob.drake@org.com. So what will happen when Bob leaves the company and 2 months later another Bob Drake gets hired? Is your identity management ready for this? What will be the userid and email for Bob #2? Do you have an underlying globally unique identifier? Is every one of your applications ready to see the different identities? Can you deal with that?
2.) In our Org.com we run a PKI system with key recovery as a backup/recovery solution in case the primary certificate is lost. When Alice, another employee of the great Org.com, leaves, for how long do we keep the data and for how long do we keep the certificates for recovery? For example, if you have to keep all company papers written by Alice for at least 10 years by law, for how long do you store the certificates?
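An added example, not code from the original post, showing one answer to both questions in a toy registry: every person is keyed by an immutable GUID that applications should reference instead of the userid, a userid or e-mail address is never handed out twice (so Bob #2 becomes bobdr2 even after Bob #1 has left), and a leaver gets a retention date after which the archived key material may be destroyed. The userid and e-mail scheme, the default 10-year retention and the org.com domain are assumptions taken from the scenario in the post.

```python
# Added example (not from the original post): identity registry with stable
# GUIDs, never-reused userids/e-mail addresses and a retention date for leavers.
import uuid
from datetime import date
from typing import Dict, List, Optional, Set


class Person:
    def __init__(self, guid: str, given: str, surname: str, userid: str, email: str):
        self.guid, self.given, self.surname = guid, given, surname
        self.userid, self.email = userid, email
        self.left: Optional[date] = None
        self.retain_until: Optional[date] = None


class IdentityStore:
    def __init__(self, domain: str = "org.com"):
        self.domain = domain
        self.people: Dict[str, Person] = {}
        self._issued_userids: Set[str] = set()   # includes leavers: a name is never reissued
        self._issued_emails: Set[str] = set()

    @staticmethod
    def _unique(base: str, issued: Set[str]) -> str:
        """Return base, or base2, base3, ... if base was ever issued before."""
        candidate, n = base, 1
        while candidate in issued:
            n += 1
            candidate = "%s%d" % (base, n)
        issued.add(candidate)
        return candidate

    def hire(self, given: str, surname: str) -> Person:
        guid = str(uuid.uuid4())   # the stable key applications should store, not the userid
        userid = self._unique((given[:3] + surname[:2]).lower(), self._issued_userids)
        local = self._unique(("%s.%s" % (given, surname)).lower(), self._issued_emails)
        person = Person(guid, given, surname, userid, local + "@" + self.domain)
        self.people[guid] = person
        return person

    def leave(self, guid: str, on: str, retention_years: int = 10) -> Person:
        """Mark a leaver; dates are ISO strings (YYYY-MM-DD).  Retention here is an assumed
        10 years, matching the legal example in the post."""
        person = self.people[guid]
        person.left = date.fromisoformat(on)
        person.retain_until = person.left.replace(year=person.left.year + retention_years)
        return person

    def purge_candidates(self, as_of: str) -> List[str]:
        """GUIDs whose retention period has expired as of the given date."""
        today = date.fromisoformat(as_of)
        return [g for g, p in self.people.items() if p.retain_until and p.retain_until < today]


if __name__ == "__main__":
    store = IdentityStore()
    bob1 = store.hire("Bob", "Drake")
    store.leave(bob1.guid, "2010-01-26")
    bob2 = store.hire("Bob", "Drake")
    print(bob1.userid, bob1.email, "->", bob2.userid, bob2.email)
    print("purge on 2020-02-01:", store.purge_candidates("2020-02-01"))
```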