I've seen that user certificates can be stored on the user's computer just like machine certificates would.

I understand it would be very secure if the user had placed his private key on a smart card or USB, because then it would always be with him, like on his key ring alongside his house and car keys. So user certificates give him the benefit of being able to log in to the network from any device by using his security token. Perhaps that's the sole point of a user certificate? I don't know.

But if you're not using tokens then the user certificate will be installed on the user's computer. That's far less secure than him just using a password to get authorized to the network. He can keep the password as a memorized secret inside his head. But with certificates, he has to store it on the computer. So if someone gets access to his computer he can export the private key. Then voila, that someone can now authenticate to the network with his own device using the certificate and private key he got off someone else's device.

tl;dr: Should you deploy user certificates if you're not planning on using security tokens?

Zouzou Ibba
  • If the attacker has access to the machine and can steal the certificate he can also hijack the machine silently, wait for the user to insert the smart card and authenticate and then change the action with full user authentication. Apart from that the certificate stored on the machine could be protected with a password so no simple stealing is possible. Anyway, there is no such thing as 100% security and storing the certificate on the machine only addresses some but not all risks. – Steffen Ullrich Aug 08 '17 at 19:20
  • 1
    From "Ten Immutable Laws Of Security": `Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore`. That is, if the machine is compromised, then there is no big difference where the key is stored. The bad guy can capture the PIN and use the key for his own needs. – Crypt32 Aug 08 '17 at 19:33
  • Is there any need to deploy user certificates rather than just machine certificates? Cause the private keys of machine certificates can't be exported whereas those of user certificates can. So there could be a security breach with user certificates. – Zouzou Ibba Aug 08 '17 at 19:37
  • @ZouzouIbba: It's always a decision between risk, costs, usability etc: sometimes you don't want the burden (cost, usability) of smartcards and accept the risk, sometimes the risk is too high and you accept the burden. – Steffen Ullrich Aug 08 '17 at 19:55
  • So in the case where I don't want to use smart cards, there is no need for user certificates? I should only deploy machine certificates? – Zouzou Ibba Aug 08 '17 at 19:57
  • @ZouzouIbba: I don't think so. You can employ user certificates which are protected by the need for the user to log in and maybe by additional passwords. It fully depends on what you want to achieve at the end. – Steffen Ullrich Aug 08 '17 at 20:24
  • Can't users get access to the network with just the machine certificate? – Zouzou Ibba Aug 08 '17 at 20:33
  • Generally -- no, they can't. Because the remote system will be unable to differentiate users from that specific machine and check permissions. User certificates are necessary to provide user authentication and impersonation. So, the question doesn't look correct to me. – Crypt32 Aug 08 '17 at 21:18
  • Both user and machine certificates can be exported or stored in isolation. The difference is only who owns and maintains them. – eckes Aug 09 '17 at 08:57

1 Answer

TL;DR: Deploy user certificates and uncheck the **allow private key to be exported** option when deploying them. For added security, require users to add a password to the private key.

Discussion

> I've seen that user certificates can be stored on the user's computer just like machine certificates would. I understand it would be very secure if the user had placed his private key on a smart card or USB, cause then it would always be with him, like on his key-ring alongside his house and car keys.

If a user loses their smart card or USB stick, the certificate is compromised. It is much more likely that a user loses physical control of either of these keys, thereby compromising the key.

A USB drive has zero protection against exporting a private key. At least a smart card does not allow the private key to be exported once it has been written to the card.

> But if you're not using tokens then the user certificate will be installed on the user's computer. That's far less secure than him just using a password to get authorized to the network.

Depends on the password. A 47 character randomly generated password with upper, lower, symbols and numbers is going to be pretty strong. "Monkey" on the other hand...

From a math standpoint, user certificates are orders of magnitude more secure than passwords the average user will generally use. However, this depends on your password policy and user base, I suppose.

> But with certificates, he has to store it on the computer. So if someone gets access to his computer he can export the private key. Then voila, that someone can now authenticate to the network with his own device using the certificate and private key he got off someone else's device.

User certificates can be deployed in a manner that the private key is not exportable. Ensure that **allow private key to be exported** is unchecked.

For additional security, you can also add a password to the private key, but this lacks the convenience of automatic deploy via GPO. And, in all likelihood, you'll need to go around to each user and do this for them with domain admin and local admin privs.

DrDamnit
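As an added example (not part of the original answer or question), the following PowerShell audit lists every certificate with a private key in the user's and the machine's personal stores and reports whether Windows marks that key exportable, which is the property the answer says to leave unchecked at deployment. The function name `Get-PrivateKeyExportability` is my own; the .NET types it calls are standard, and it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example: report the export policy of private keys in the personal certificate stores.
# Smart card / hardware-backed keys usually cannot be opened without the token and are
# reported as inaccessible rather than exportable.

function Get-PrivateKeyExportability {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'non-RSA key (not checked)' }

        # CNG-stored keys (default for current certificate templates): inspect the export policy flags
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $policy = $rsa.Key.ExportPolicy
            if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) {
                return 'EXPORTABLE (plaintext)'
            }
            if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) {
                return 'EXPORTABLE (encrypted only)'
            }
            return 'not exportable'
        }

        # Legacy CryptoAPI (CSP) keys: the container info carries the exportable flag
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            if ($rsa.CspKeyContainerInfo.Exportable) { return 'EXPORTABLE' }
            return 'not exportable'
        }
        return 'unknown key type'
    } catch {
        return "inaccessible ($($_.Exception.Message))"
    }
}

# Walk both personal stores so user and machine certificates can be compared side by side
'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' | ForEach-Object {
    $store = $_
    Get-ChildItem $store | Where-Object HasPrivateKey | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            KeyExport  = Get-PrivateKeyExportability -Cert $_
        }
    }
} | Format-Table -AutoSize
```

Run it as the user whose certificates you are checking; the LocalMachine store needs an elevated prompt to open private keys there.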
  • I'm slightly confused about this. If you uncheck **allow private key to be exported** then won't it essentially become like a machine certificate? It seems counterintuitive to automatically enroll both user and machine certificates because you'll virtually have two copies of the same certificate on the user's computer. Why not just deploy machine certificates? – Zouzou Ibba Aug 09 '17 at 12:37
  • User certificates authenticate the *user*; machine certs authenticate the *machine*. It's granularity. If you only use machine certs for authentication you assume "only Bob uses Bob's computer", and if a non-privileged user gets physical access to a privileged machine, they can log in with their own non-privileged account and gain access to privileged resources. https://social.technet.microsoft.com/Forums/windows/en-US/cd2092ee-83c8-4caf-ade4-cb8ae11d9055/whats-the-difference-between-a-user-certificate-and-computer-certificate-in-active-directory?forum=winserversecurity – DrDamnit Aug 09 '17 at 14:19