Microsoft Devices Security, Virtual Smart Cards Part 1: Introduction and Trusted Platform Module (Updated 11/26/2014)

Given the recent breaches on companies both large and small, there has been an increased focus on security and secure authentication. This combined with the adoption of mobile devices to increase the productivity of the mobile worker has left many organizations looking for a way to secure authentication for mobile devices. For mobile devices such as Surface, Windows Phone, Windows Laptops and Windows Tablets there is already a solution that was first introduced in Windows 8, called Virtual Smart Card.

In Windows, we have a number of ways that users can logon to Windows. These enterprise type options available are Password, Fingerprint, Smart Card, and Virtual Smart Card. Most mobile devices such as tablets and phones do not possess a Smart Card reader or a Fingerprint reader, so those options are not typically available. Of course, the user can long in with their domain password, but if you want to increase the security of the authentication, you can use Virtual Smart Card.

Virtual Smart Card leverages the secure storage and cryptographic capabilities of the Trusted Platform Module (TPM) to create a Virtual Smart Card in the TPM that securely stores the private key of the Smart Card Logon certificate to enable login via Virtual Smart Card.

When a user has Smart Card Logon configured, they simply select Security Device from the list of login options, and enter their PIN, much like they would do with a physical Smart Card. This logs them onto Windows and potentially the domain using the certificate stored in the TPM.

As you can see this gives users on mobile phones and tablets a convenient way to login securely to the device and the corporate network.

So, how does it work?

Virtual Smart Card logon is similar to Smart Card Logon in that it uses PKINIT to use a certificate to authenticate the user to a domain controller via Kerberos.

The following diagram illustrates the logon with a Virtual Smart Card

PKINIT

1. User Selects Security Device at login, and enters their PIN for the virtual smart card.

2. Client generates a PA_PK_AS_REQ. The request includes a copy of the Smart Card Logon certificate, User Principle Name, and Time Stamp. Information included in the request such as User Principle Name and Time Stamp are signed with the Private Key associated with the Smart Card logon certificate. The PA_PK_AS_REQ is submitted to the Domain Controller (Key Distribution Center).

3. KDC validates the request by validating the signature in the request with public key included in the request. The KDC then maps the request to the associated user account.

4. KDC generates a Ticket Granting Ticket (TGT) and sends a PA_PK_AS_REQ back to the client. The PA_PK_AS_REQ includes a session key that is encrypted with the public key from the users's smart card logon certificates.

5. The client can now use the TGT to request service tickets to access resources.

Trusted Platform Module

First, we need to discuss the Trusted Platform Module, since the TPM is the device that makes Virtual Smart Card technology possible.

What is a Trusted Platform Module

Trusted Platform Module is a cryptographic device that is attached at the chip level to a PC, Laptop, Tablet, or Mobile Phone. The TPM securely stores measurements of various states of the computer, OS, and applications. These measurements are used to ensure the integrity of the system and software running on that system. The TPM can also be used to generate and store cryptographic keys. Additionally, cryptographic operations using these keys take place on the TPM preventing the private keys of certificates from being accessed outside the TPM.

TPM Keys

Endorsement Key (EK) : Key embedded in the TPM by manufacturer. Private key is embedded in the TPM and cannot be extracted from the TPM. The public key is contained in a certificate. The use of the EK is limited to prevent privacy abuses where an organization could discover the owner of a device by repeated use of the EK. Instead, Attestation Identity Keys are generated to be used in place of the EK. Endorsement Keys are signed by a Trusted Platform Module Entity or TPME, which can be thought of as a type of "Root CA" for TPM Endorsement Keys.

Storage Root Key (SRK) : Generated when ownership is taken of the TPM. Storage Root Key is stored locally on the TPM and protects storage on the TPM.

Attestation Identity Key (AIK) : Keys generated by the TPM that are linked to the Endorsement Key. These keys are used to prove the identity of the TPM and hence the device.

TPM and Identity

Later on, we will take a look at Key Attestation. Since each TPM has an Endorsement Key that is “burned in” to the TPM and time of manufacture it is possible to associate a device with an Endorsement Key or an Attestation Identity Key. This allows an organization to add additional security based on the identity of the device via the TPM.

Taking Ownership of TPM

1. User takes ownership of the TPM

2. Shared Secret is established between the User and the TPM

clip_image006

3. EK is requested and shared secret is protected by the EK. The Shared Secret is stored in the TPM. The user also has knowledge of this Shared Secret. The Shared Secret is often referred to as “owner authorization data”.

clip_image007

4. The final phase of taking ownership results in the Storage Root Key (SRK) being created within the HSM.

TPM Management via Group Policy

Some aspects of the TPM can be managed via Group Policy. Group Policies related to the TPM can be located at the following location within the Group Policy Editor: \Computer Configuration\Administrative Templates\System\Trusted Platform Module Services.

The following settings are available via Group Policy:

· Turn on TPM backup to Active Directory Domain Services

· Configure the list of blocked TPM commands

· Ignore the default list of blocked TPM commands

· Ignore the local list of blocked TPM commands

· Configure the level of TPM owner authorization information available to the operating system

· Standard user Lockout Duration

· Standard User Individual Lockout Threshold

· Standard User Total Lockout Threshold

Turn on TPM backup to Active Directory Domain Services

This setting configures the machine to backup TPM owner authorization data to Active Directory. The TPM owner authorization data is required in order to perform a number of functions on the TPM. In order to use this setting the Domain Controllers must be Windows Server 2012. If the domain controllers are Windows Server 2008 R2, there are schema extensions that must first be applied to Active Directory. Additional information on the related Schema Extensions are available here: https://technet.microsoft.com/en-us/library/jj635854.aspx.

Configure the list of blocked TPM commands

This group policy allows blocking of TPM commands. You have to enter the TPM Commands that you would like to block. Commands re blocked by command number.

Ignore the default list of blocked TPM commands

This group policy disables the default list of blocked commands which includes: TPM_SetOwnerInstall, TPM_SaveState, TPM_Startup, TPM_KeyControlOwner, TPM_PhysicalEnable, TPM_PhysicalDisable, TPM_LoadManuMantPub, TPM_ReadManuMaintPub, TPM_SetOperatorAuth, TPM_ContinueSelfTest, TPM_PhysicalSetDeactivated, TPM_ForceClear, TPM_SHA1Start, TPM_SHA1Update, TPM_SHA1Complete, TPM_SHA1CompleteExtend, TPM_Init, TPM_Extend, TPM_CreateCounter, TPM_ChangeAuthOwner, TPM_SetOwnerPointer, TPM_PCR_Reset, TPM_SaveContext, TPM_LoadContext, TPM_SaveAuthContext, TPM_SaveAuthContext, TPM_SaveKeyContext, TPM_Terminate_Handle, TPM_GetCapabilitySigned, TPM_GetOrdinalAuditStatus, TPM_GetAuditEventSigned, TPM_ReleaseCounterOwner, TPM_IncrementCounter, TPM_ReleaseCounter, TPM_LoadAuthContext, TPM_LoadKeyContext, TPM_ReadCounter, TPM_Evict Key, TPM_DisablePubekRead, TPM_Reset, TSC_ResetEstablishmentBit, TPM_TakeOwnership, TPM_CertifySelfTest, TPM_DirRead, TPM_DirWriteAuth, TPM_GetAuditEvent, TPM_LoadKey, TPM_ChangeAuthAsymFinish, and TPM_ChangeAuthAsymStart.

Ignore the local list of blocked TPM commands

If this group policy is configured it will ignore the blocked list of commands configured by default in Windows including TPM commands blocked by Group Policy.

Configure the level of TPM owner authorization information available to the operating system

Specifies how much TPM authorizations data to store in the registry:

Full: Stores TPM owner authorization, TPM administrative delegation blog, and the user TPM user delegation blob in the registry.

Delegated: Stores the TPM administrative delegation blob and the TPM user delegation blob in the registry

None: No owner authorization data is stored locally.

Standard user Lockout Duration

The TPM has anti-hammering technologies to prevent a brute force attack on the TPM. The anti-hammering protections block the user from sending TPM commands after a certain number of failed authorizations in a certain period of time. Again, the lockout is brought about by a certain number of authorizations in a certain period of time. This setting controls the “period of time” aspect. In other words, administrators can configure the period of time for which fail authorizations will be counted.

Standard User Individual Lockout Threshold

The TPM has anti-hammering technologies to prevent a brute force attack on the TPM. The anti-hammering protections block the user from sending TPM commands after a certain number of failed authorizations in a certain period of time. Again, the lockout is brought about by a certain number of authorizations in a certain period of time. This setting controls the number of failed authorizations by an individual user aspect. If a user exceeds the number of failed authorizations configured by this setting is the amount of time configured by the Standard User Individual Lockout Threshold setting, they will be blocked from issuing commands to the TPM for a period of time configured by the Standard User Lockout Duration setting.

Standard User Total Lockout Threshold

The TPM has anti-hammering technologies to prevent a brute force attack on the TPM. The anti-hammering protections block the user from sending TPM commands after a certain number of failed authorizations in a certain period of time. Again, the lockout is brought about by a certain number of authorizations in a certain period of time. This setting controls the number of failed authorizations by an all users aspect. If all users combined exceed the number of failed authorizations configured by this setting is the amount of time configured by the Standard User Individual Lockout Threshold setting, they will be blocked from issuing commands to the TPM for a period of time configured by the Standard User Lockout Duration setting.

TPM Administration

There are a number of administration tasks that you may have to perform to manage the TPM. I will be covering the following administration areas: Turning on the TPM, Clearing the TPM, Retrieving the Owner Authorization Password from Active Directory, and Resetting a TPM that has been locked out.

Turning on the TPM

The first step is to turn on the TPM in the BIOS. I used my Dell Venue 8 Pro for the testing. In order to access the BIOS on the Dell Venue Pro 8, you power down the device and hold down the Volume Down Button for a few seconds. Once in the BIOS, I select the Security Tab. Then within the Security screen, I then select PTT. This brings up TPM Configuration. Under TPM Configuration, I can enable fTPM as seen in the picture below.

Figure 1

Clearing the TPM and getting the Owner Authorization Password (No AD Backup)

In this example, I am going to cover the steps to Clear the TPM. I will then show how after the TPM is cleared you can save a copy of the Owner Authorization Password when the password is not being backed up to Active Directory. In other words, I have the Turn on TPM backup to Active Directory Domain Services setting disabled in Group Policy.

So, first as seen in Figure 1, I have the TPM management MMC open (tpm.msc). I am going to click on the Clear TPM… link in the Action Menu.

Figure 2

As seen is Figure 2, this brings up the Manage the TPM security hardware wizard. I am prompted to restart the computer to clear the TPM. So, I click Restart.

Figure 3

After the reboot, I receive the following prompt as seen in the picture below:

A configuration change was requested to clear this computer’s TPM (Trusted Platform Module)

WARNING: Clearing erases information stored on the TPM. You will lose all created keys and access to data encrypted by these keys.

Press F12 or Volume Up to clear the TPM

Press ESC or Volume Down to reject this change request and continue

Figure 4

What this prompting really does is prove that I have physical ownership of the device before the TPM is initialized.

Next, I log in. And the Manage the TPM security hardware wizard reappears and informs me that the TPM is ready.

Figure 5

Saving the TPM Owner Authorization Password

In Figure 5, we see that we have the option to Remember my TPM owner password. So, to save the TPM Owner Password, click on that link. You will then be prompted to save the password as a .tpm file, as seen in Figure 6.

Figure 6

And below is screenshot of the contents of that file:

Figure 7

Clearing the TPM (AD Backup)

In this section, I am going to cover Clearing the TPM when the TPM information is backed up to Active Directory using the Turn on TPM backup to Active Directory Domain Services setting disabled in Group Policy. I am also going to cover some issues you may run into while performing this action.

I have the TPM management MMC open (tpm.msc). I am going to click on the Clear TPM… link in the Action Menu.

Figure 8

As seen is Figure 2, this brings up the Manage the TPM security hardware wizard. I am prompted to restart the computer to clear the TPM. So, I click Restart.

Figure 9

After the reboot, I receive the following prompt as seen in the picture below:

A configuration change was requested to clear this computer’s TPM (Trusted Platform Module)

WARNING: Clearing erases information stored on the TPM. You will lose all created keys and access to data encrypted by these keys.

Press F12 or Volume Up to clear the TPM

Press ESC or Volume Down to reject this change request and continue

Figure 10

What this prompting really does is prove that I have physical ownership of the device before the TPM is initialized.

Next, I log in. And the Manage the TPM security hardware wizard reappears and informs me that the TPM is ready.

You will notice that unlike when I cleared the TPM that was not being backed up to Active Directory I do not have the option to backup the TPM Owner Authorization password. This is because this password can be retrieved to Active Directory.

Figure 11

Troubleshooting Issues that occur while clearing the TPM

When clearing the TPM you may run into some issues if you are backing up the TPM to AD. I chose to clear my TPM and after a reboot I got the error:

Unable to turn on TPM security Hardware

The TPM was not turned on due to an Active Directory backup failure. Please contact your system administrator for assistance.

Figure 12

Two issues can cause this error in my experience. The first is the obvious issue of the fact that you do not have network connectivity to the Active Directory Domain. If that is the case run through your normal troubleshooting steps for network connectivity issues.

The other issue that can occur is if the machine account does not have proper permissions in Active Directory. In my example, I had removed my machine from the domain and rejoined it with the same name after deleting the computer object for that machine. I got the error above and so I looked in the System event log.

In the event log, I noticed the TPM-WMI warning. The details of the warning included the error code 0x80070005, which of course is Access Denied.

Figure 13

So, I opened up ADSIEdit on a domain controller, viewed the properties on the associated TPM object, and saw that there was a SID listed and the computer account was not listed.

Figure 14

So, I replaced the SID with the actual computer account.

Figure 15

However, the initialization of the TPM never finished because of the AD backup error. So, in the TPM management console, I had to click on Prepare the TPM...

Figure 16

And run through the wizard to complete the initialization of the TPM.

Figure 17

Acquiring and Using Owner Authorization Password from Active Directory Backup

If you configure the Group Policy setting Turn on TPM backup to Active Directory Domain Services you probably as I did want to know how to get the TPM Owner Authorization password, so that you can use it to reset a TPM lockout or use it to change the TPM Owner Authorization password.

So, let us first understand how this works. In Active Directory, there is a Computer object associated with the machine. On the Computer object there is an attribute named msTPM-TpmInformationForComputer. That attribute lets you locate the TPM Device Object that is associated with the computer. On the TPM Device Object, you can then locate the msTPM-OwnerInformation attribute and extract the hash of the TPM Owner Authorization password. You can then insert that hash in a text file and use the hash to change the Owner Authorization password or to reset a TPM lockout.

So, here in my example you can see the contents of the msTPM-TpmInformationForCopmuter attribute for my computer named MYDELLVENUE:

Figure 18

As you can see, it shows me the Active Directory location for the associated TPM Device Object. I then navigate to that object in ADSIEdit.msc.

Figure 19

I then open the msTPM-OwnerInformation attribute and copy the string, which is a hash of the TPM Owner Authorization password.

Figure 20

In order to use the hash, I need to insert it into a specially formatted xml document that has a .tpm extension. The format of the document is illustrated below. Where you would insert your TPM Owner Authorization Password Hash where the string TPMOwnerAuthorizationHashGoesHere:

<?xml version=”1.0” encoding=”UTF 8”?>
< tpmOwnerData>
< ownerAuth>TPMOwnerAuthorizationHashGoesHere</ownerAuth>
</tpmOwnerData>

Change TPM Owner Authorization Password

If you need to change the TPM Owner Authorization Password that can be completed using the TPM Management Console. First, open the TPM Management Console (TPM.msc). Then in the Action Pane click on Change Owner Password…

This will open the Manage the TPM security hardware wizard.

Figure 21

On the Change TPM owner password screen of the wizard you can select I have the owner password file if you have .tpm file that has the hash of the TPM Owners Authorization password or if you have the actual password you can select I want to enter the owner password.

Figure 22

In my case I selected I have the owner password file. I am then prompted for the location of the associated .tpm file. I then select Create New Password.

Figure 23

On the next page of the wizard, I have to choose to Automatically create the password (recommended) or Manually create the password. I chose to Automatically create the password (recommended) .

Figure 24

I am then presented with the new TPM Owner Authorization password. I click on Change Password to initiate the change.

Figure 25

Finally, I am notified that the Password change completed

Figure 26

Reset TPM Lockout

The TPM has built in anti-hammering technology. Which essentially means that the TPM will lock itself out when invalid data is presented a number of times over a certain time threshold. If you are using a Virtual Smart Card, a number of invalid PIN entries can cause a TPM to lockout. The number of failed attempts and the time threshold are controlled with the following Group Policy settings: Standard user Lockout Duration, Standard User Individual Lockout Threshold, and Standard User Total Lockout Threshold.

My example below illustrates resetting the TPM lockout with the owner password file.

In the TPM Management Console, I click on Reset TPM Lockout…

Figure 27

On the first page of the Manage the TPM security hardware wizard, I am prompted to either supply the owner password file or the owner password. I chose, I have the owner password file.

Figure 28

I then select the owner password file and then click on Reset TPM Lockout.

Figure 29

I am then notified that the TPM lockout reset completed

Figure 30

If you use the wrong TPM Owner Authorization password, you will get an error like this:

Figure 31

And if you lockout the TPM because you entered the wrong TPM Authorization Owner password, you will get the following error:

clip_image069

Figure 32

TPM PowerShell Commands

If you wish to use PowerShell instead of the GUI to manage your TPM, visit the following website for the list of TPM PowerShell commands: https://technet.microsoft.com/en-us/library/jj603116.aspx.

Summary

In this blog posting, I covered an overview of the Trusted Platform Module (TPM). I also covered management of the TPM through the TPM Management Console. In the next blog posting, I will cover how to deploy Virtual Smart Cards.

-Chris