
Automatic Key Recovery

This section covers advanced concepts of Citrix Password Manager's Automatic Key Recovery. Topics include:

  • Migrating the V4 Secret from one Password Manager Service machine to another. This covers how to migrate the V4 Secret, which must be preserved, when a server is decommissioned and replaced by another.
  • A comparison between Automatic Key Recovery and the question-based key recovery methods offered with Citrix Password Manager. This is an overview of how key recovery is handled without Automatic Key Recovery and how Automatic Key Recovery handles it differently.

Migrating the V4 Secret from one Citrix Password Manager Service Machine to Another
The encryption mechanism uses a master secret named V4. V4 is one of a set of 4 random numbers used by the Automatic Key Recovery Service to generate a key that encrypts and decrypts the Primary Authentication Key. The V4 secret is a cryptographically strong random number that is encrypted using machine-level DPAPI and stored on the local hard drive of the machine running the Citrix Password Manager Service. Only code that is running on the Citrix Password Manager Service machine can decrypt V4. V4 is the only one of the four random numbers that remains static throughout the course of a deployment. If this number changes and Agent users have already registered with Automatic Key Recovery with a previous V4, their credentials will be lost.

If multiple instances of the Citrix Password Manager Service are installed in a deployment and load balanced using a third-party load balancing mechanism, V4 (as well as the Data Integrity certificate and private key data) must be copied to each of those machines.

To support this, a command-line tool named CtxMoveKeyRecoveryData is installed with the Citrix Password Manager Service; it lets the administrator copy the secret data from one machine to another. The tool is found in the following location (its own usage text refers to it as CtxMoveServiceData):

C:\Program Files\Citrix\MetaFrame Password Manager\Service\Tools>CtxMoveServiceData

USAGE:

CtxMoveServiceData [option] [filename]

options:

-generation generates new key recovery data for the Automatic Key Recovery function.

-export [filename] exports the key recovery data, encrypts it with a user-supplied password, and writes it to the specified file.

-import [filename] reads the key recovery data from the specified file, decrypts it with a user-supplied password, and imports it.

On export the tool creates a 3-DES encrypted file of the V4 secret, using the password to compose the key. On the migrated system where an import is performed, the password is used to 3-DES decrypt the V4 secret, which then is encrypted automatically using DPAPI.

Comparison Between Automatic Key Recovery and Existing Question Based Key Recovery Methods
Automatic Key Recovery is an alternative to Security Questions (Question-Based Authentication) or the Previous Password mechanism for recovering the Primary Authentication Key. Unlike those methods, Automatic Key Recovery requires no interaction from the user.

The following illustrates the steps when Security Questions or Previous Password is used:

  1. The end user enters primary logon credentials and answers user questions during setup if Security Questions is used.
  2. The Crypto API generates a unique Primary Authentication Key during setup (first-time-use).
  3. The Primary Authentication Key is encrypted with the password of the primary logon credentials, and the resulting key is stored in MS CAPI.
    1. If Security Questions is being used, the Primary Authentication Key is encrypted with the user question, and the resulting key is stored in MS CAPI.
  4. When subsequent logons occur, successful authentication unlocks MS CAPI, and the Primary Authentication Key is unlocked and becomes available to the Crypto API.
  5. Crypto API passes the key to the Shell (agent), which uses it to decrypt the end user's credentials.

The main difference between Automatic Key Recovery and other methods is how the Authentication key is encrypted. This involves the use of the Citrix Password Manager Service.

Enrollment for Automatic Key Recovery
At a high level, the following sequence will occur when a user first uses the Password Manager Agent:

  1. The Agent runs an algorithm that derives a 3DES key called the Automatic Key Recovery encryption key (AKRKey). The Agent uses the AKRKey in the same way it ordinarily uses the key derived from the user's Security Questions or Password information.
  2. The Agent conceptually breaks the key into two parts. It stores one part of the data in the user's object on the synchronization point and transmits the second part to the Citrix Password Manager Service.
  3. The Citrix Password Manager Service encrypts its portion of the key derivation data and stores the resulting encrypted data in the user's folder or under the user's AD object on the synchronization point.

Key Recovery
After a password change initiated by the Administrator or a Self-Service Password Reset, the following sequence will occur to recover the key:

  1. The Agent will authenticate to the Citrix Password Manager Service using NTLM authentication.
  2. The Service will decrypt the data it originally encrypted and return it to the Agent.
  3. The Agent will retrieve its portion of the key derivation data from the Central Store and use both parts of the data to reconstitute the AKRKey.
  4. The Agent will then use the AKRKey in a similar fashion as it ordinarily uses the key derived from the user's Security Questions information to recover the user's encryption key(s). No user interaction is required.
  5. At this point, a new AKRKey will be generated and the Agent will perform the Enrollment process again with the new key data.
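The following is an added, self-contained Python model of the two flows described on this page: the enrollment and recovery sequence above, and the earlier CtxMoveServiceData export/import migration of V4. It is not Citrix code. It assumes stand-ins for the product's primitives: an HMAC-SHA256 keystream with an HMAC tag in place of 3-DES and DPAPI, PBKDF2 for the password-derived transport key, and an XOR split for the two parts of the AKRKey. All class and function names (PasswordManagerService, enroll, recover, wrap, unwrap) are constructed for the example.

```python
"""Toy model of Automatic Key Recovery: split AKRKey, service-held V4, V4 migration.

Constructed for this page; hashlib/hmac stand in for 3-DES, DPAPI and CAPI,
and the XOR split of the AKRKey is an assumption. Nothing here is Citrix code.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def _subkey(key, label):
    """Independent sub-key for encryption or authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for a real block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key, blob):
    """Verify the tag first; a wrong key (e.g. a regenerated V4) raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def password_key(password, salt):
    """Password-derived transport key for -export / -import (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordManagerService:
    """One Password Manager Service machine; V4 is held under a machine-local key (DPAPI stand-in)."""

    def __init__(self, v4=None):
        self.machine_key = secrets.token_bytes(32)                # machine-level DPAPI stand-in
        v4 = v4 if v4 is not None else secrets.token_bytes(32)    # models "-generation"
        self.v4_protected = wrap(self.machine_key, v4)

    def _service_key(self):
        """Key protecting the service's share; derived from V4, the one static input."""
        return _subkey(unwrap(self.machine_key, self.v4_protected), b"AKR share key")

    def protect_share(self, share):
        return wrap(self._service_key(), share)

    def release_share(self, blob):
        return unwrap(self._service_key(), blob)

    def export_v4(self, password):
        """Models CtxMoveServiceData -export: V4 wrapped under a password-derived key."""
        salt = secrets.token_bytes(SALT_LEN)
        v4 = unwrap(self.machine_key, self.v4_protected)
        return salt + wrap(password_key(password, salt), v4)

    @classmethod
    def import_v4(cls, blob, password):
        """Models -import on the replacement machine: same V4, re-protected locally."""
        salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
        return cls(unwrap(password_key(password, salt), body))


def enroll(service, central_store, user):
    """Enrollment: derive the AKRKey, split it, park one share on the sync point
    and hand the other to the service, which returns it encrypted for storage."""
    akr_key = secrets.token_bytes(24)                       # 3DES-sized AKRKey
    agent_share = secrets.token_bytes(24)
    service_share = bytes(a ^ b for a, b in zip(akr_key, agent_share))  # XOR split (assumed)
    central_store[user] = {"agent_share": agent_share,
                           "service_share": service.protect_share(service_share)}
    return akr_key


def recover(service, central_store, user):
    """Recovery: the service releases its share; the agent recombines both shares."""
    record = central_store[user]
    service_share = service.release_share(record["service_share"])
    return bytes(a ^ b for a, b in zip(record["agent_share"], service_share))


def recovery_survives_migration():
    """The same V4 exported and imported on a new machine still recovers old enrollments."""
    svc, store = PasswordManagerService(), {}
    key = enroll(svc, store, "alice")
    moved = PasswordManagerService.import_v4(svc.export_v4("migration-pw"), "migration-pw")
    return recover(moved, store, "alice") == key


def recovery_fails_with_new_v4():
    """A freshly generated V4 cannot release shares protected under the old one."""
    svc, store = PasswordManagerService(), {}
    enroll(svc, store, "alice")
    try:
        recover(PasswordManagerService(), store, "alice")
    except ValueError:
        return True
    return False
```

The two check functions make the operational point of the page concrete: recovery keeps working after V4 is moved with export/import, but a service whose V4 was regenerated cannot decrypt the shares already stored on the synchronization point, which is why a replacement server must receive the copied V4 rather than a newly generated one.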
