Microsoft introduces the eID "eliminator"


Microsoft introduces the eID "eliminator"

Anders Rundgren-2
https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/

It is a bit sad that the card industry never managed to make card provisioning/initialization usable over the Web. Is FIDO the answer? In the absence of competitors, it might very well be that. Among many other things, it also means that PKI will be less likely to power future eIDs.

Anders

------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Microsoft introduces the eID "eliminator"

Andreas Schwier (ML)
On 04/13/2016 12:18 PM, Anders Rundgren wrote:
> https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/
>
> It is a bit sad that the card industry never managed making card provision/initialization usable over the Web.
Which is not true: As an example, all of our CDN users hold smart card
based credentials enrolled over the web with a very simple mechanism.
Access control is using standard technologies like TLS client
authentication or SSH public key authentication.

The problem is not technology, it's user acceptance.

Everyone is complaining about passwords, but everyone also finds reasons
why migrating to something new is not working. It's like migrating from
Windows to Linux or moving to e-Mobility.

> Is FIDO the answer? In the absence of competitors, it might very well be that.
We shall see - currently I don't see any large FIDO roll-outs.

> It among many things also means that PKI will be less likely powering future eIDs.
Possible, but FIDO does not solve the "ID" problem in eID. You still
only have an anonymous authentication token and no asserted identity
(which you have in a PKI).



--

    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Registergericht Bad Oeynhausen HRB 14880
                 Geschäftsführer Andreas Schwier

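Andreas's distinction above, shown as an added example that is not part of this thread or of any project discussed in it (Go; function names are my own, and the FIDO signing step is a toy stand-in for the real WebAuthn assertion format): the relying party holding a FIDO-style credential can only check that the same key answered its challenge, whereas an X.509 certificate validated to a trusted root yields an asserted subject name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// FIDO side: the RP keeps a bare public key per registration; a later
// assertion proves "same key as before" and says nothing about who.
func fidoRegister() (rpStored *ecdsa.PublicKey, authenticator *ecdsa.PrivateKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &priv.PublicKey, priv
}
// fidoAssert answers the RP's challenge with a signature over its hash.
func fidoAssert(auth *ecdsa.PrivateKey, challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, auth, d[:])
	return sig
}
// fidoVerify is all the RP can learn: the key matches, or it does not.
func fidoVerify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
// PKI side: issueIDCert stands in for an eID issuer with a self-signed
// certificate whose subject names the holder (constructed data, not a real CA).
func issueIDCert(name string) (*x509.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return cert, roots
}
// pkiIdentity validates the chain and returns the asserted subject name.
func pkiIdentity(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

A certificate from an issuer outside the root pool fails verification, so the name is only trusted as far as the issuer is; the FIDO path has no equivalent step because there is no name to vouch for.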

Re: Microsoft introduces the eID "eliminator"

Vincent Le Toux
Hi,

My opinion is quite different, knowing internally how Windows is working.

1) For stand-alone computers, passwords are still used.
The key point is that DPAPI uses a derivative of the password different from the NTLM hash.
[Note: DPAPI protects things that a local admin is not allowed to view, like Wi-Fi / IE passwords.]
The user password is encrypted and decrypted at each login.
Security is limited, and other login methods like fingerprint were never deployed elsewhere.

2) For members of Active Directory, the login methods are still limited.
You can only use NTLM or Kerberos. Only Kerberos (via PKINIT) can use cryptography.
And this cryptography again relies on password derivatives (see golden ticket, ...).
When the authentication is done on Kerberos, an RPC call retrieves the password derivative to initialize DPAPI (again DPAPI!).
As a consequence, alternative login methods like fingerprint again rely on the user password. Each time the user password expires, the fingerprint user has to change it.

I think the technology is a new layer on top of this architecture and that the password used internally is never replaced.
=> this will be a solution only for stand-alone computers.

The key point is that you cannot have a non-cryptographic login method if you want to protect against the risk that a local admin can see your password. Only a smart card using cryptography can replace a password.

regards,
Vincent

--
Vincent Le Toux

My Smart Logon
www.mysmartlogon.com


Re: Microsoft introduces the eID "eliminator"

Anders Rundgren-2
On 2016-04-13 13:54, Vincent Le Toux wrote:

> Hi,
> My opinion is quite different, knowing internally how Windows is working.
> 1) For stand-alone computers, passwords are still used.
> The key point is that DPAPI uses a derivative of the password different from the NTLM hash.
> [Note: DPAPI protects things that a local admin is not allowed to view, like Wi-Fi / IE passwords.]
> The user password is encrypted and decrypted at each login.
> Security is limited, and other login methods like fingerprint were never deployed elsewhere.
> 2) For members of Active Directory, the login methods are still limited.
> You can only use NTLM or Kerberos. Only Kerberos (via PKINIT) can use cryptography.
> And this cryptography again relies on password derivatives (see golden ticket, ...).
> When the authentication is done on Kerberos, an RPC call retrieves the password derivative to initialize DPAPI (again DPAPI!).
> As a consequence, alternative login methods like fingerprint again rely on the user password. Each time the user password expires, the fingerprint user has to change it.
> I think the technology is a new layer on top of this architecture and that the password used internally is never replaced.
> => this will be a solution only for stand-alone computers.
> The key point is that you cannot have a non-cryptographic login method if you want to protect against the risk that a local admin can see your password. Only a smart card using cryptography can replace a password.
> regards,

This analysis is probably correct.

It seems that Windows "hello" is primarily intended (and useful) for consumers and the Web which is why it may become an eID eliminator.

Regarding what Andreas writes, this is also correct, but again there's a twist: the Hello system will in reality (contrary to what many of the FIDO members believe...) only be using virtualized keys, which means that the whole card thing is gone, including installation of middleware.

The mentioned "ID" problem is for real but can be dealt with using any method that the RP finds suitable.

Anders



Re: Microsoft introduces the eID "eliminator"

Martin Paljak-4
In reply to this post by Andreas Schwier (ML)
On Wed, Apr 13, 2016 at 1:37 PM, Andreas Schwier
<[hidden email]> wrote:
> Possible, but FIDO does not solve the "ID" problem in eID. You still
> only have an anonymous authentication token and no asserted identity
> (which you have in a PKI).


And that's the "good thing, by design" according to the people behind
it. The fact that you *have* ID in the eID is a problem on "web scale"
things.

At least that's the spirit I've heard on some of the events that deal
with web security.

--
Martin
+372 515 6495
