Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

A review of Vegas

March 31, 2008

I recently completed my first stay at the Wynn hotel in Las Vegas
(http://www.wynnlasvegas.com/#home), and I must say that it did not live
up to its buzz. I remember reading somewhere that it’s five-star,
five-diamonds, but only after having stayed there did I realize that
those ratings only apply to the “tower suites” and not to the main part
of the hotel. The thing is, at those prices, I should be excused for not
realizing the difference. In the future, I’ll stay elsewhere on the
strip.

The trip definitely had highlights, though, not the least of which were
the nickel slot machines which offer wild-card poker (which the Wynn
didn’t have). Endless fun!

And here’s a little secret for drinking on the cheap: once you’ve gotten
the attention of the cocktail waitress, which admittedly can be somewhat
difficult when you’re in the low-rent part of the casino, tip her well -
at least a $5 bill per visit. Duh! Then she’ll magically reappear every
time your drink is getting low. I saw so many people make this mistake.
Either just being cheap or forgetting how expensive drinks are now in
Vegas (at least $10, unless you’re drinking domestic macro-brew, in
which case who cares), they stiff the cocktail waitress on the casino
floor. Makes no sense!

Saw the “Ka” show from Cirque du Soleil (man, it’s painful just typing
that)
(http://www.cirquedusoleil.com/CirqueDuSoleil/en/showstickets/ka/home/intro.htm)
at the MGM. That was pretty cool. Though, honestly, having decided to
splurge a little and sit way up front, we were actually too close. It’s
one thing to be able to see the looks on their faces, but it’s another
when you can’t take in the whole scene, you know?

Aside from nickel slots, the real come-from-behind winner activity was
Phantom of the Opera at the Venetian (http://www.phantomlasvegas.com), a
last-minute decision on our part. It’s a classic musical staged for the
SportsCenter generation, which is to say it’s short and fast-paced. If
you have any tolerance whatsoever for the soundtrack, I guarantee you’ll
like it. We sat really close again for this one, and way off to one side
even, and it worked out great except for one scene where the Phantom was
behind a prop for a minute, only visible from farther back in the
theatre. My one additional complaint: I think Christine was being
played by an understudy (at least I hope so). She hit all of the held
notes beautifully, but flatted some of the shorter ‘stepping-stone’
ones. Either tired or inexperienced, I guess. The guy playing the Phantom
was a certified badass, though.

Permalink | Comments (0)

To everyone who was hoping to catch my talk at CanSecWest
(http://cansecwest.com/agenda.html) in Vancouver this past weekend: my
apologies for not being present. A few hours before I was to board the
plane for Vancouver, I got really ill, and decided I had better not
travel.

In retrospect, that ended up being the right decision. What I originally
thought was a stomach flu was probably food poisoning, and was severe.
In fact, there’s evidence that it was an intentional attempt at
silencing me before giving that talk!

Ok, just kidding ;) Actually, the only other conclusion is that I had
better not eat at Chili’s any more.

Note - I gave the same talk at ShmooCon earlier this year, and there are
DVDs available (from the same guys who do them for ToorCon as well,
however I can’t seem to find a link).

Permalink | Comments (0)

Wanted to blog about a recent question relating to custom multi-factor authentication solutions on Vista (and subsequent versions, including Server 2008). The question basically boils down to what you can do by implementing a credential provider (credprov), versus implementing both a credprov and a custom SSPI package.

The interface between credprov and winlogon is such that the latter is expecting to receive SSPI authentication information from the former. In other words, whatever you return has to be digestible by LsaLogonUser (or whatever the latest variant of that function is called).

So in order to add new authentication mechanisms, I’m aware of the following two approaches:

The first is to create a separate credential store consumed by the plug-in credprov. The purpose of the store is to map the proprietary credential into a username/password (and maybe domain name). Thus the user enters a custom cred into the credprov, the credprov verifies it, maps it to a standard Windows password (which, on the plus side, can be long/complex), and returns the password info to winlogon.

The second is to extend SSPI to handle a new credential type. This is the most work, but also the most powerful, since it allows you to actually manage accounts directly from a custom repository (i.e. a store other than Active Directory or the local SAM).

For example, the biometric solutions currently on the market integrate with AD. They also typically include some sort of provisioning console. So when you enroll a new user via that console, it not only creates the account in the fingerprint database, but also the account in AD with a big random password. Thus, once enrolled in the system, a user can logon to any machine joined to that domain. But they don’t require a custom SSP package (there are exceptions).

If you choose the more complex route, note that the association between the user credential, the credprov, and the SSP package starts with whichever credential tile the user chooses. If they choose one labeled “Dan’s Custom Provider,” the data gets routed to my credprov. My credprov knows the credential format recognized by my SSP. The rest is handled by the Negotiate provider in SSPI; it queries the other providers until it finds one that recognizes that cred blob.

Smart card logon in Vista is a “partial” example of the above, since there is a smart card credential provider plug-in that ships with Vista. However, smart card logon requests are handled by the Kerberos SSP.
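To make the first approach concrete, here is an added example (my own illustration, not code from the post or from Microsoft) of the one step both approaches share: the credprov must hand winlogon a blob that LsaLogonUser can digest. For the username/password route that blob is a self-relative KERB_INTERACTIVE_UNLOCK_LOGON, with each UNICODE_STRING’s Buffer field replaced by an offset from the start of the blob so that no pointers cross into LSA. The Windows types are replicated here with fixed-width fields so the code also builds off Windows (on Windows you would include ntsecapi.h instead), and the strings are assumed to be ASCII so the UTF-16 conversion stays short.

```c
/* Added example, not from the post: pack domain/user/password into the
 * self-relative KERB_INTERACTIVE_UNLOCK_LOGON layout a credential provider
 * returns to winlogon (the rgbSerialization/cbSerialization pair), and
 * unpack it again the way the receiver must, with bounds checks.
 * Type layouts are replicated with fixed-width fields as an assumption so
 * this compiles off Windows; use <ntsecapi.h> on Windows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR16;            /* one UTF-16 code unit */

typedef struct {
    uint16_t Length;                 /* bytes, no terminator */
    uint16_t MaximumLength;
    WCHAR16 *Buffer;                 /* pointer, or offset once packed */
} UNICODE_STRING;

typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;

enum { KerbInteractiveLogon = 2 };   /* KERB_LOGON_SUBMIT_TYPE value */

typedef struct {
    uint32_t MessageType;            /* KERB_LOGON_SUBMIT_TYPE */
    UNICODE_STRING LogonDomainName;
    UNICODE_STRING UserName;
    UNICODE_STRING Password;
} KERB_INTERACTIVE_LOGON;

typedef struct {
    KERB_INTERACTIVE_LOGON Logon;
    LUID LogonId;                    /* left zero: LSA assigns the session */
} KERB_INTERACTIVE_UNLOCK_LOGON;

/* Append an ASCII string (assumption) as UTF-16 at *cursor and record its
 * byte length plus its OFFSET from the blob start in `us`. */
static void pack_string(const char *s, UNICODE_STRING *us,
                        uint8_t *base, uint8_t **cursor)
{
    size_t n = strlen(s);
    us->Length = (uint16_t)(n * sizeof(WCHAR16));
    us->MaximumLength = us->Length;
    us->Buffer = (WCHAR16 *)(uintptr_t)(*cursor - base);
    for (size_t i = 0; i < n; i++) {
        WCHAR16 c = (unsigned char)s[i];
        memcpy(*cursor, &c, sizeof c);
        *cursor += sizeof c;
    }
}

/* Build the blob: fixed header first, string data after it.
 * Returns malloc'd memory; *out_size is what goes in cbSerialization. */
uint8_t *pack_unlock_logon(const char *domain, const char *user,
                           const char *password, size_t *out_size)
{
    size_t strings = (strlen(domain) + strlen(user) + strlen(password))
                     * sizeof(WCHAR16);
    size_t total = sizeof(KERB_INTERACTIVE_UNLOCK_LOGON) + strings;
    uint8_t *buf = calloc(1, total);
    if (!buf) return NULL;
    KERB_INTERACTIVE_UNLOCK_LOGON *kiul = (KERB_INTERACTIVE_UNLOCK_LOGON *)buf;
    uint8_t *cursor = buf + sizeof *kiul;
    kiul->Logon.MessageType = KerbInteractiveLogon;
    pack_string(domain,   &kiul->Logon.LogonDomainName, buf, &cursor);
    pack_string(user,     &kiul->Logon.UserName,        buf, &cursor);
    pack_string(password, &kiul->Logon.Password,        buf, &cursor);
    *out_size = total;
    return buf;
}

/* Receiver side: turn offsets back into pointers, refusing any field whose
 * offset+length would read outside the blob. 0 on success, -1 on bad input. */
int unpack_unlock_logon(uint8_t *buf, size_t size,
                        KERB_INTERACTIVE_UNLOCK_LOGON **out)
{
    if (size < sizeof(KERB_INTERACTIVE_UNLOCK_LOGON)) return -1;
    KERB_INTERACTIVE_UNLOCK_LOGON *kiul = (KERB_INTERACTIVE_UNLOCK_LOGON *)buf;
    UNICODE_STRING *fields[3] = { &kiul->Logon.LogonDomainName,
                                  &kiul->Logon.UserName,
                                  &kiul->Logon.Password };
    for (int i = 0; i < 3; i++) {
        size_t off = (size_t)(uintptr_t)fields[i]->Buffer;
        if (off > size || fields[i]->Length > size - off) return -1;
        fields[i]->Buffer = (WCHAR16 *)(buf + off);
    }
    *out = kiul;
    return 0;
}

/* Copy an unpacked UTF-16 field back to ASCII so it can be inspected. */
void ustr_to_ascii(const UNICODE_STRING *us, char *out, size_t cap)
{
    size_t n = us->Length / sizeof(WCHAR16);
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++) {
        WCHAR16 c;
        memcpy(&c, us->Buffer + i, sizeof c);
        out[i] = (char)c;
    }
    out[n] = '\0';
}

int main(void)
{
    size_t size;
    uint8_t *blob = pack_unlock_logon("CORP", "dan", "mapped-password", &size);
    KERB_INTERACTIVE_UNLOCK_LOGON *kiul;
    if (!blob || unpack_unlock_logon(blob, size, &kiul) != 0) return 1;
    char user[64];
    ustr_to_ascii(&kiul->Logon.UserName, user, sizeof user);
    printf("packed %zu bytes, user=%s\n", size, user);
    free(blob);
    return 0;
}
```

The bounds check in the unpack step is the part worth copying: the blob crosses a trust boundary into LSA, so a receiver that trusts the embedded offsets would read past the buffer on a malformed serialization. Note also that in the first approach the password packed here is the long random one from the mapping store, which is why that store needs the same protection you would give the passwords themselves.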

Permalink | Comments (2)

I started playing D&D back when it was still considered dangerous and counter-culture! And it wasn’t long after I’d started playing the classic text-based adventure game on my father’s Morrow Designs pre-PC. That was long before I wrote my first line of code, but I can’t help thinking that it’s all connected in some way. Anyway, thank you, Gary.

http://en.wikipedia.org/wiki/Gary_Gygax
http://en.wikipedia.org/wiki/Morrow_Designs
http://www.old-computers.com/museum/computer.asp?c=613
http://www.rickadams.org/adventure/

Permalink | Comments (0)

Check out the article posted just minutes ago about my upcoming CanSecWest talk: Hacking Vista’s Smart Cards.

Permalink | Comments (0)

Check out the latest Hak5 episode (http://www.hak5.org/archives/232) consisting of their Shmoocon 2008 interviews. I’m one of them, hyping my “Hacking Windows Vista Security” tools!

Permalink | Comments (0)

Props to GoDaddy for their current SSL site certificate promotion. You can protect a single domain for $29.99 per year, cheaper if you do multiple domains and/or multiple years. Any site that includes a password form should consider that mandatory, although most other Certificate Authority vendors will gouge you for the privilege.

And by the way - the GoDaddy root certificate is trusted by default in Vista - I just checked.

https://www.godaddy.com/gdshop/ssl/ssl.asp?isc=hak01a&ci=9173

Permalink | Comments (0)

A recent question about this newsgroup thread (http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2006-04/msg00074.html) prompts me to share my recommendations about how to test new Cryptographic Service Providers (CSPs) for Crypto API (CAPI), without having to get them signed by Microsoft.

That thread alludes to the problem: you have to have a “real” kernel debugger (kd) hooked up and live, and the debuggee must be booted with /DEBUG. Once you’ve got that, a kd check in CryptAcquireContext in advapi32.dll will let unsigned CSPs load.

The thread mentions SoftIce as a work-around: it’s indeed possible that SoftIce lets you skip the whole serial cable business in hooking up a kd. But note that simply running a user-mode debugger won’t cause the signature check to be skipped.

My recommendation? Use a virtual machine. For example, setting up a kd with VMware (I usually use windbg.exe as the host debugger) is really easy. Then you can use the VM to test your CSP, which isn’t a bad idea anyway, in case something gets really screwed up by your testing.

The only drawback is if you’re building a CSP for special hardware that can’t be exposed to the VM. In that case, I recommend using a separate physical debuggee machine and serial cable.

And note that when it comes time to actually deploy the CSP into production, you’ve still got to get it signed. The only plus is that the new Crypto API: Next Generation (CNG) has no signing requirement, so at least there’s a light at the end of the tunnel …

Permalink | Comments (0)