The Windows Hello Internals: A Protocol Perspective
Obaid Farooqi
What is Windows Hello
- A new way of logging in to your device.
- Uses a PIN or gesture (fingerprints, face recognition) instead of a password.
- Uses asymmetric keys for authentication; the PIN or gesture unlocks the key container.
- Uses two-factor authentication: keys are different on different hardware and only work on one machine.
- Uses the TPM for storing the private key. Even the OS does not know the private key.
- Domain controllers have knowledge only of the public key. If a DC gets compromised, all the hacker gets is public keys.

Three Different Types of Deployments
- Cloud: everything is in Azure.
- Hybrid: all provisioning happens in Azure and then the public key is replicated to the on-premises DC.
- On-Premises: all provisioning happens on-premises (except MFA).

Two Trust Modes
- Key Trust: uses a key pair for authentication. No client or user certificates needed (a CA is still needed for the server certificate).
- Certificate Trust: uses certificates for authentication (like smart card).

Protocol Flow for Key-Trust
Parties: Windows 10, ADFS 2016, Domain Controller, MFA Server
1. MFA Authentication (Windows 10 to ADFS 2016)
2. MFA Authentication (ADFS 2016 to MFA Server)
3. Perform MFA
4. MFA Success
5. MFA Claim
6. Create PIN
7. Create Key
8. Key Registration
9. Check MFA Claim
10. Write Public Key
11. Success
12. Success

Protocol Flow for Certificate-Trust
Parties: Windows 10, ADFS 2016, Domain Controller, Certificate RA, MFA Server, Certificate Authority
1. Protocol Flow for Key-Trust (previous slide)
2. Send Certificate Request
3. Check MFA Claim
4. LDAP Request for Public Key
5. LDAP User Public Key
6. Sign Certificate Request with RA Certificate
7. Send Certificate Request
8. Check RA Signature
9. Issue Certificate
10. Send Certificate
11. Send Certificate

Documents Updated for Windows Hello
- [MS-KPP]: Key Provisioning Protocol
- [MS-OAPX]: OAuth 2.0 Protocol Extensions
- [MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients
- [MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions

Mapping of Documents to Protocol Flow
- MFA Authentication: HTTP is used between the Windows 10 client and ADFS 2016.
- Key Registration: MS-KPP.
- Writing Public Key to AD: Lightweight Directory Access Protocol (LDAP).
- Certification Request from Windows 10 to ADFS 2016: OpenID Connect (OAuth 2.0): MS-OAPX, MS-OAPXBC, MS-OIDCE.

Authentication
- Hybrid deployment: OpenID Connect when authenticating against Azure AD; Kerberos when authenticating against AD.
- On-premises: Kerberos.

Documents Updated for Authentication
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
- Certificate-Trust: the protocol flow is the same as smart card authentication.
- Key-Trust: WS2016 is required. A section for Key-Trust is added in MS-PKCA. The user sends the public key in the AS-REQ and the server matches it with the one in the user object (stored in the msDS-KeyMaterial attribute of the user object).

Thank You! Questions?
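The key-trust path described in the slides (the MFA claim gating key registration, the public key written to the user object, and the key-trust AS-REQ whose public key must match msDS-KeyMaterial) as an added Go model that is not from the deck or from Microsoft's protocol documents. It uses Ed25519 from the Go standard library; the keyContainer, directory and asReq types, the PIN-hash gate and the challenge bytes are constructed for this example, and the real MS-KPP and MS-PKCA messages have different formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// keyContainer stands in for the TPM-backed key container (constructed for this
// example): the private key never leaves it, and it signs only after the correct PIN.
type keyContainer struct {
	pinHash []byte
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func newKeyContainer(pin string) (*keyContainer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(pin))
	return &keyContainer{pinHash: h[:], pub: pub, priv: priv}, nil
}

func (c *keyContainer) PublicKey() ed25519.PublicKey { return c.pub }

// Sign releases a signature only when the PIN unlocks the container.
func (c *keyContainer) Sign(pin string, msg []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], c.pinHash) != 1 {
		return nil, errors.New("container locked: wrong PIN")
	}
	return ed25519.Sign(c.priv, msg), nil
}

// directory stands in for the domain controller: per user it holds only the public
// key (the msDS-KeyMaterial attribute), never private material.
type directory struct {
	keyMaterial map[string]ed25519.PublicKey
}

func newDirectory() *directory {
	return &directory{keyMaterial: map[string]ed25519.PublicKey{}}
}

// registerKey models ADFS checking the MFA claim before the public key is written to AD.
func (d *directory) registerKey(user string, mfaClaim bool, pub ed25519.PublicKey) error {
	if !mfaClaim {
		return errors.New("key registration refused: MFA claim missing")
	}
	d.keyMaterial[user] = pub
	return nil
}

// asReq models the key-trust AS-REQ: the user's public key plus a signature that
// proves possession of the matching private key (constructed shape, not PKINIT ASN.1).
type asReq struct {
	user      string
	pub       ed25519.PublicKey
	challenge []byte
	sig       []byte
}

// authenticate models the KDC side: the key in the AS-REQ must equal the one stored in
// msDS-KeyMaterial, and the signature must verify under that stored key.
func (d *directory) authenticate(req asReq) error {
	stored, ok := d.keyMaterial[req.user]
	if !ok {
		return errors.New("no key material for user")
	}
	if !stored.Equal(req.pub) {
		return errors.New("public key in AS-REQ does not match msDS-KeyMaterial")
	}
	if !ed25519.Verify(stored, req.challenge, req.sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	c, _ := newKeyContainer("1234")
	dc := newDirectory()
	fmt.Println("register without MFA:", dc.registerKey("alice", false, c.PublicKey()))
	fmt.Println("register with MFA:   ", dc.registerKey("alice", true, c.PublicKey()))
	challenge := []byte("constructed AS-REQ nonce")
	sig, _ := c.Sign("1234", challenge)
	fmt.Println("authenticate:        ", dc.authenticate(asReq{"alice", c.PublicKey(), challenge, sig}))
	// A dump of the directory yields public keys only, so a forged signature is rejected.
	fmt.Println("forged signature:    ", dc.authenticate(asReq{"alice", c.PublicKey(), challenge, make([]byte, ed25519.SignatureSize)}))
}
```

Run with `go run`; each line prints `<nil>` for an accepted step and the refusal reason otherwise. The point the model makes is the one the slides make: the directory holds nothing that can produce a valid signature, and a key from a different container (a different machine) fails the msDS-KeyMaterial comparison before the signature is even checked.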
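The certificate-trust enrollment chain from the slides (ADFS checks the MFA claim, looks up the user's public key, signs the certificate request with the RA certificate, and the CA checks the RA signature before issuing) as an added Go model, not code from the deck or from Microsoft. It uses the standard library's crypto/x509 with Ed25519 keys to issue a real certificate; the registrationAuthority, certificateAuthority and endorsedRequest types, the in-memory keyMaterial map standing in for the LDAP lookup, and the detached RA signature over the CSR bytes are constructed for the example and are not the protocol's own format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// registrationAuthority stands in for ADFS holding the RA certificate's private key
// (constructed for this example); keyMaterial stands in for the LDAP lookup on the DC.
type registrationAuthority struct {
	priv        ed25519.PrivateKey
	keyMaterial map[string]ed25519.PublicKey
}

// endorsedRequest is a CSR the RA has countersigned (constructed shape).
type endorsedRequest struct {
	csrDER []byte
	raSig  []byte
}

// newCSR builds the client's certificate request for its registered key.
func newCSR(user string, priv ed25519.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: user}}, priv)
}

// endorse: check the MFA claim, fetch the user's registered public key, confirm the
// CSR carries that key and is signed by it, then sign the CSR with the RA key.
func (ra *registrationAuthority) endorse(user string, mfaClaim bool, csrDER []byte) (*endorsedRequest, error) {
	if !mfaClaim {
		return nil, errors.New("MFA claim missing")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	stored, ok := ra.keyMaterial[user]
	if !ok {
		return nil, errors.New("no public key registered for user")
	}
	if csrPub, ok := csr.PublicKey.(ed25519.PublicKey); !ok || !stored.Equal(csrPub) {
		return nil, errors.New("CSR key does not match the registered key")
	}
	return &endorsedRequest{csrDER: csrDER, raSig: ed25519.Sign(ra.priv, csrDER)}, nil
}

// certificateAuthority trusts exactly one RA key and issues only RA-endorsed requests.
type certificateAuthority struct {
	cert  *x509.Certificate
	priv  ed25519.PrivateKey
	raPub ed25519.PublicKey
}

func parseCert(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed issuing CA that trusts raPub as the RA certificate's key.
func newCA(raPub ed25519.PublicKey) (*certificateAuthority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := parseCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv))
	if err != nil {
		return nil, err
	}
	return &certificateAuthority{cert: cert, priv: priv, raPub: raPub}, nil
}

// issue refuses anything the RA did not sign, then issues a client-auth certificate.
func (ca *certificateAuthority) issue(req *endorsedRequest) (*x509.Certificate, error) {
	if !ed25519.Verify(ca.raPub, req.csrDER, req.raSig) {
		return nil, errors.New("RA signature check failed")
	}
	csr, err := x509.ParseCertificateRequest(req.csrDER)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return parseCert(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.priv))
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	raPub, raPriv, _ := ed25519.GenerateKey(rand.Reader)
	ra := &registrationAuthority{priv: raPriv, keyMaterial: map[string]ed25519.PublicKey{"alice": userPub}}
	ca, _ := newCA(raPub)
	csrDER, _ := newCSR("alice", userPriv)
	req, err := ra.endorse("alice", true, csrDER)
	if err == nil {
		_, err = ca.issue(req)
	}
	fmt.Println("enrollment error:", err) // <nil> when the whole chain accepts the request
}
```

The two refusal points mirror steps 3 and 8 of the slide's flow: the RA will not countersign without the MFA claim or for a key that is not the one registered in the directory, and the CA will not issue for a request whose RA signature does not verify, so neither a stolen CSR nor a self-made one reaches issuance.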