Consider the following scenario:

  • You are providing VPN access for a number of machines running Windows 10.
  • The machines are configured and hardened according to company standards.
  • You rely on machine certificates for authentication to the VPN gateway.
  • You want to prevent users (or someone impersonating a legitimate user) from extracting the certificate (and private key) from their machines and transferring it to another machine.
  • Some of your users need to have a level of permissions sufficient to extract a flat-file certificate/key pair from the machine.

What are good practices to prevent extraction of machine credentials? Approaches that come to mind:

  • Use the TPM for key storage. Questions here—does Windows support using the TPM as a key store? How much would it take to transfer the TPM hardware itself to a different machine?
  • Use a USB token for key storage. Question here—tokens are designed to be pluggable; is there an effective way of preventing it from being used on another machine?
user149408
  • 2
    This seems like a "[**Don't Roll Your Own Crypto!**](https://security.stackexchange.com/q/18197/61443)" is in order. I am not a Windows admin expert, but this seems like a use-case that should be well-supported by Microsoft CAPI. – Mike Ounsworth Aug 13 '18 at 16:10
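As an added illustration (not part of the question, the answer, or any Microsoft documentation) of the TPM option the question raises: Windows 8 and later expose the TPM as a CNG key storage provider named "Microsoft Platform Crypto Provider", so a machine certificate's private key can be generated inside the TPM and marked non-exportable. The script below creates such a key and then audits the machine store for certificates whose key is not TPM-held or is exportable; it assumes Windows PowerShell run as Administrator on a Windows 10 machine with a ready TPM, and the subject name `CN=example-vpn-client` is made up.

```powershell
# Added example (not from the question or answer). Assumptions: run as
# Administrator on Windows 10 with a ready TPM; the subject name is made up.

# 1. Confirm the TPM is present and ready before asking it to generate a key.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; Platform Crypto Provider keys cannot be created.'
}

# 2. Generate the key inside the TPM via the Platform Crypto Provider KSP and
#    mark it non-exportable. A self-signed cert is used here only to show the
#    provider/export settings; a real VPN client cert would carry the same two
#    settings in the certreq INF or enrollment policy used with the company CA.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=example-vpn-client' `
    -Provider 'Microsoft Platform Crypto Provider' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Audit: for every machine cert with an RSA private key, report which
#    provider holds the key and whether it is exportable. Anything not held by
#    the Platform Crypto Provider, or marked exportable, can be copied off the
#    box by a user with enough local privilege.
function Get-MachineKeyExposure {
    Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object HasPrivateKey | ForEach-Object {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
        if ($null -eq $rsa) { return }   # non-RSA key (e.g. ECDSA); skipped for brevity
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider   = $rsa.Key.Provider.Provider
            $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        } else {
            # Legacy CryptoAPI CSP key (RSACryptoServiceProvider)
            $provider   = $rsa.CspKeyContainerInfo.ProviderName
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Provider   = $provider
            TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
            Exportable = [bool]$exportable
        }
    }
}

# Flag certs whose key could leave the machine.
Get-MachineKeyExposure | Where-Object { -not $_.TpmBacked -or $_.Exportable } | Format-Table -AutoSize
```

A TPM-held, non-exportable key cannot be copied to another machine, but any process on that machine with rights to the machine key store can still use it, so this addresses extraction rather than local misuse.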

1 Answer

1

> You want to prevent users (or someone impersonating a legitimate user) from extracting the certificate (and private key) from their machines

You should use a smart card.

The private key is generated by the smart card and can never leave it (there is no API to "extract" it). Encryption, decryption and signing are done by the chip on the smart card.

> tokens are designed to be pluggable; is there an effective way of preventing it from being used on another machine?

If old-school desktops are an option, then you simply lock the computer in a case.

> Some of your users need to have a level of permissions sufficient to extract a flat-file certificate/key pair from the machine

Why?

Mike Ounsworth
Neil McGuigan
  • 1
    ... I really don't see how locking the computer in a case prevents the user (or malware on that machine) from, say, emailing the private key. I feel this isn't really an answer, so much as telling the OP that their requirements are wrong. – Mike Ounsworth Aug 13 '18 at 17:48
  • 2
    @MikeOunsworth Thanks for the downvote. A smart card prevents the user from extracting the key. A locked case prevents the user from removing the smart card – Neil McGuigan Aug 13 '18 at 17:53
  • 1
    I see. I've removed my downvote, but I still don't think this answers the question; VPNs are usually used to connect from off-site, so I highly doubt that "lock it in a cabinet" is viable. (minor edit, "smartcard" != "HSM") – Mike Ounsworth Aug 13 '18 at 18:02
  • Re the permissions: of course, being able to extract keys is not a requirement per se, but some users need extended privileges which, as a side-effect, give them the ability to extract flat-file certificates from the machine. Hence the assumption that no file on disk is secure from being read by the user, and any solution needs to consider that. – user149408 Aug 13 '18 at 19:48