Versions Compared

Old Version 5

changes.mady.by.user Ann West (internet2.edu)

Saved on

compared with

New Version Current

changes.mady.by.user Ann West (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

#

Comment

Submitter

Date

Notes

1

- "4.1.2 Interpretation of IAP requirement, Section 4.2.3.4 - Stored
   Authentication Secrets"

   "We interpret this requirement to mean that encryption software that
   decrypts disk sectors (and not just individual Authentication Secrets)
   as they are accessed would meet the requirement of "only decrypt(ing)
   the needed Secret when immediately required for authentication" as
   spelled out in this section, presuming such software uses Approved
   Algorithms for the encryption process."

   As written, this would be overbroad, e.g., decrypting a needed secret
   for one individual might result in the decryption of MULTIPLE
   secrets, e.g., the one for that individual AND ones used by others.

   As such, that would violate the requirement that passwords must
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="661012af-894f-4124-86c1-3bc9b0e3c753"><ac:plain-text-body><![CDATA[    "only [be] decrypted when immediately required for authentication"
]]></ac:plain-text-body></ac:structured-macro>
   because you're also potentially decrypting OTHER passwords that are
   not needed at all. This would represent a failure to meet the
   requirement, at least from my POV.

   In the extreme case, imagine a person proposing to use boot time
   whole disk decryption: while off, the disk may be encrypted with an
   Approved Algorithm, but upon boot, the entire disk is decrypted,
   including the password store, which is then "immediately" (and
   intermittently) used until the system is eventually shut down. Would
   that be satisfactory/sufficient to meet the requirement? I don't
   think so.

   Remember that presumably the goal is to limit the exposure of
   passwords to unauthorized access or misuse. If the passwords are
   routinely held in non-encrypted form whenever the system is "live",
   except briefly during boot time when the system is coming up, it
   isn't clear to me that the encryption protects against any exposure
   except theft of the disk from a quiescent system. Any attack against
   the password store while the system is live would not require the
   attacker to decrypt the password store if the password store is
   routinely decrypted at boot time.

   Thus, I explicitly reject the argument advanced in 5.1.1 later in
   the document.

-- "5.1.2 Remove Insecure (LMHASH) Stored Secrets"

   Good to see you recommend removing LMHASH'd passwords. However,
   unfortunately, you ALSO insist that NTLM ALSO not be used,
   consistent with:

   http://msdn.microsoft.com/en-us/library/cc236715.aspx

   http://technet.microsoft.com/en-us/library/dd560653%28WS.10%29.aspx

   Note that you will run into issues if you have an environment that
   uses antique versions of Windows (Vista, 2008, XP, etc.), but those
   systems should be getting upgraded or taken off the wire anyhow.

   If you can't break use of NTLM entirely, at least break NTLMv1, see
   http://support.microsoft.com/kb/2793313
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="603f3d11-9e3c-4111-82ff-c6bfe5bfbb98"><ac:plain-text-body><![CDATA[
   [Oh! I see that you talk about this in 5.3.2, as well... but you
]]></ac:plain-text-body></ac:structured-macro>
   imply that NTLMv2 is "reasonably secure" -- it isn't]

-- "5.2.1 Transmission of Authentication Secrets Between Credential
   Stores"

   In the bulleted item, the text current reads "select one of the AES
   options"

   There are only two options: AES128_HMAC_SHA1 and AES256_HMAC_SHA1

   Of the two, AES256_HMAC_SHA1 would be preferable, but it still uses
   SHA1 which is deprecated/will be deprecated as the document itself
   notes at 2.3 in bold text.

   This section also requires use of LDAPS (TLS/SSL), but more
   specificity is needed when it comes to explaining what constitutes
   an acceptable version of TLS (e.g., is TLS 1.0 good enough? It
   shouldn't be treated as such). Require TLS 1.2 with an appropriate
   cipher suite (that should be a whole section of its own)

   The Microsoft references in document section 5.3.1 ("Section 4.2.3.6.2
   requirements") really don't clear this up, either.

-- 5.3.4

   How would a "temporarily compromised" account be rehabilitated? If an
   account is every "temporarily compromised," it would need to have a
   thorough security audit before being re-enabled, but my worry is that
   in some cases folks may just require a password change, and that
   obviously wouldn't be enough to ensure that a "temporarily
   compromised" account has been restored to a trustworthy state.

   Trivial example: assume that while "temporarily compromised" a
   backdoor was installed, or access controls were weakened, allowing
   persistent access and abuse, even if the password's changed.

   Also, this doesn't treat the possibility of a privileged account
   being "temporarily compromised", in which case the entire system
   (or even multiple systems, in the case of transitive trust
   relationships) may need to be audited and remediated.

-- 6. "Alternate Controls and Alternative Means Statements"

   When I try to access the link in this part, I get an access failure.

-- 7.1

   Repeats the unsatisfactory use of a full disk encryption tool
   approach. Still not okay.

-- 7.3

   is the bold text "need to validate algorithm to see if this is
   good enough" an author's note that was meant to be resolved prior
   to publication?

   I also have a concern about the 72 hour window mentioned in the
   last paragraph of that section. 72 hours is an eternity for an
   attacker, and might as well be six months if you're going to make
   it 72 hours.

   As suspected, too, I note that the "temporarily compromised"
   account is just required to have credentials reset. That's not
   enough, as previously discussed.

-- 7.4

   Practical attacks against NTLMv2 exist.

   Example.

   Repeats the unacceptable "temporarily compromised" language.

   (yes, Zack is in the running for one of the top 10 most annoying
   presenters of all time, but still)

-- 7.6

   If a persistent password is used, how does it preclude a replay
   attack? The persistent password is the same thing this time, and
   next time, and the time after that, etc.

   A replay-resistent credential would be something like a one-time
   crypto fob -- you can't replay that credential because it's different
   every time you use it...

-- Appendix A

   Recommend removal/decommissioning of all Windows XP systems.

-- Appendix B

   Has the Cisco issue been filed with Cisco Security Intelligence
   Operations? If not, a case should be opened. See
   http://tools.cisco.com/security/center/home.x

Joe St Sauver

Oct 2, 2013

6. FIXED