Explore the internals and security aspects of Windows Hello for Business (WHFB) authentication protocol in this 41-minute conference talk from x33fcon. Dive deep into how WHFB credentials function within Azure AD, examining key provisioning processes, technical components, and token requirements. Learn about different WHFB flavors including Azure AD native and hybrid implementations, PIN setup procedures, and cloud Kerberos trust mechanisms. Discover identified vulnerabilities, attack vectors like device code phishing, and lateral movement possibilities within WHFB environments. Understand the implications of key storage, registration processes, and SSO data manipulation while analyzing the security implications of Kerberos Key Trust and TGT upgrade mechanisms.
Windows Hello for Business Security Analysis and Authentication Protocol Deep Dive - Lecture 10
Overview
Syllabus
Intro
Windows Hello (for Business)
Windows Hello for Business key points
Windows Hello for Business flavours
Azure AD native WHFB
Azure AD WHFB provisioning - PIN setup
WHFB Provisioning-technical components
WHFB Provisioning token requirements
WHFB provisioning response
Signed assertion with WHFB private key
Analyzing WHFB security
Analyzing key provisioning
Key provisioning flaws
Attack schematics
Get token with SSO data
Provisioning a new WHFB key
WHFB key storage
Registering WHFB keys directly on users
Registering a new WHFB key
Attack method: device code phishing
Alternative scenarios
WHFB Hybrid
WHFB Cloud Kerberos Trust
Lateral movement with WHFB
Request PRT for hybrid user
TGT Upgrade reply
Kerberos Key Trust consequences
Windows Hello for Business - conclusions
Taught by
x33fcon
