The following topics describe how to configure EAP-TLS on Windows 10:
- Extensible Authentication Protocol (EAP) Settings for Network Access: http://technet.microsoft.com/en-us/library/hh945104.aspx
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
5.3 User Guidance
The user views the list of available networks (including networks associated with a configured Wi-Fi profile) in Settings -> Network & Internet -> Wi-Fi. Tapping a given Wi-Fi network presents the option to Connect to the network.
6. Managing TLS
This section contains the following Common Criteria SFRs:
- Extended: EAP TLS Protocol (FCS_TLSC_EXT.1)
- Extended: TLS Protocol (FCS_TLSC_EXT.2)
6.1 IT Administrator Guidance
The cipher suite selection and priority may be configured on the server side of a connection. Cipher suite selection is made according to the default order as described in the previous section for Windows 10.
The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.
Windows 10 devices may be configured to trust a Certificate Authority by using policy pushed to the device by an MDM. The TOE comes preloaded with root certificates for various Certificate Authorities. Additional Certificate Authorities may be managed on the Windows 10 device using workplace enrollment and an MDM.
There is no configuration necessary to use client authentication on the device once a device has client authentication certificates. See the Managing Certificates section for information on configuring a device to enroll for client certificates.
6.2 Local Administrator Guidance
The mandatory and optional cipher suites listed in the Security Target correlate with those available in the TOE as follows:

| Cipher Suites (per Security Target) | Cipher Suite Requirement | Available Cipher Suites in TOE |
| TLS_RSA_WITH_AES_128_CBC_SHA | Mandatory | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | Optional | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 | Optional | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 | Optional | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Optional | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 and/or TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Optional | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 and/or TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 |
The following MSDN articles describe how the administrator modifies the set of TLS cipher suites for priority and availability:
- Prioritizing Schannel Cipher Suites: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030
The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
The elliptic curves supported for a particular cipher suite are part of the cipher suite configuration. For example, one of the supported cipher suites in the table above is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; note that the string used to configure this cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, which differs slightly from the actual cipher suite name. The difference is the final four characters, which indicate the elliptic curve to be used, in this case the curve P256 (secp256r1).
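The curve-suffix convention just described, and the Security Target table above, can be checked mechanically. The following is an added example, not code from the guidance document or from Microsoft: it splits a Schannel-style configuration string into the RFC suite name and its named curve, then validates a constructed cipher suite list against the Security Target table (the mandatory suite must be present, every configured suite must appear in the table). The list of strings and the function names are assumptions for illustration.

```python
import re

# Curve suffixes carried by Schannel configuration strings, mapped to the
# named curves they denote (P256 and P384 are the ones in the table above).
CURVE_SUFFIXES = {"P256": "secp256r1", "P384": "secp384r1", "P521": "secp521r1"}

# Cipher suites from the Security Target table, keyed by RFC suite name.
ST_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "Mandatory",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "Optional",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "Optional",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "Optional",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "Optional",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "Optional",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "Optional",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "Optional",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "Optional",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "Optional",
}

def split_schannel_suite(config_string):
    """Return (RFC suite name, named curve or None) for a Schannel string."""
    m = re.fullmatch(r"(TLS_[A-Z0-9_]+?)(?:_(P256|P384|P521))?", config_string)
    if not m:
        raise ValueError("not a cipher suite string: " + config_string)
    curve = CURVE_SUFFIXES[m.group(2)] if m.group(2) else None
    return m.group(1), curve

def check_configured_suites(configured):
    """Compare a configured suite list with the Security Target table.

    Returns (problems, seen): problems lists human-readable findings, seen
    maps each accepted RFC suite name to the curves it was configured with.
    """
    problems, seen = [], {}
    for s in configured:
        name, curve = split_schannel_suite(s)
        if name not in ST_SUITES:
            problems.append("not in Security Target: " + s)
            continue
        seen.setdefault(name, []).append(curve)
    for name, requirement in ST_SUITES.items():
        if requirement == "Mandatory" and name not in seen:
            problems.append("mandatory suite missing: " + name)
    return problems, seen

# Constructed sample configuration (assumption): two ECDHE suites with curve
# suffixes, one RSA suite, and a legacy RC4 suite that the table does not list.
SAMPLE_CONFIG = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
]
```

Running check_configured_suites(SAMPLE_CONFIG) reports the RC4 suite as outside the Security Target and the mandatory TLS_RSA_WITH_AES_128_CBC_SHA as missing.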
The reference identifier in Windows 10 for TLS is the URL of the server. There is no configuration of the reference identifier.
The signature algorithm is not configurable in Windows 10 for TLS.