02 February 2018

Candlemas


Feast of the Presentation of Jesus in the Temple
&
Feast of the Purification of the Blessed Virgin Mary

February 2nd


One of the things I miss most about teaching is the rhythm of the school year.  Teachers are teased about their ever-changing bulletin boards, but the reality is they are an excellent example of the ebb and flow of the school year.  There is always something to be putting away until next year, something to be doing right now, and something to be preparing for.  Working outside of a school system now, it is very easy to get stuck in a rut where every day is just a continuation of the previous; there is always work to do and what doesn't get done today will need to get done tomorrow.  My consolation, then, is that the Church gives us seasons and feasts to give rhythm and flow to the whole year.


Today, Candlemas, is one of my favorite feast days.  Two feast days, really.  In Jewish custom, not only did the first born male need to be purchased back from God with two turtledoves or two young pigeons, but a woman who had given birth was considered unclean, so purification was necessary.  Hence the two feast days.



The Gospel for today does a better job explaining:

Luke 2:22-40 Revised Standard Version Catholic Edition

And when the time came for their purification according to the law of Moses, they brought him up to Jerusalem to present him to the Lord (as it is written in the law of the Lord, “Every male that opens the womb shall be called holy to the Lord”) and to offer a sacrifice according to what is said in the law of the Lord, “a pair of turtledoves, or two young pigeons.” Now there was a man in Jerusalem, whose name was Simeon, and this man was righteous and devout, looking for the consolation of Israel, and the Holy Spirit was upon him. And it had been revealed to him by the Holy Spirit that he should not see death before he had seen the Lord’s Christ. And inspired by the Spirit he came into the temple; and when the parents brought in the child Jesus, to do for him according to the custom of the law, he took him up in his arms and blessed God and said,

“Lord, now lettest thou thy servant depart in peace,
according to thy word;
for mine eyes have seen thy salvation
which thou hast prepared in the presence of all peoples,
a light for revelation to the Gentiles,
and for glory to thy people Israel.”

And his father and his mother marveled at what was said about him; and Simeon blessed them and said to Mary his mother,

“Behold, this child is set for the fall and rising of many in Israel,
and for a sign that is spoken against
(and a sword will pierce through your own soul also),
that thoughts out of many hearts may be revealed.”

And there was a prophetess, Anna, the daughter of Phan′u-el, of the tribe of Asher; she was of a great age, having lived with her husband seven years from her virginity, and as a widow till she was eighty-four. She did not depart from the temple, worshiping with fasting and prayer night and day. And coming up at that very hour she gave thanks to God, and spoke of him to all who were looking for the redemption of Jerusalem.

And when they had performed everything according to the law of the Lord, they returned into Galilee, to their own city, Nazareth. And the child grew and became strong, filled with wisdom; and the favor of God was upon him.

Because of Simeon's words about Jesus being the light to the gentiles, the Church has traditionally blessed the candles to be used during the coming year: Candlemas.

There was an excellent article written in 1942 by a Fr. John Bolen titled The Wax Candle in the Liturgy, and I highly recommend reading it.  Years ago, when we started making candles for our home use, we used paraffin wax.  It was cheap and easy to work with, but recently we have switched to 100% beeswax.  If you are looking for a reason to switch to beeswax candles, the interwebs will give you plenty of reasons.  I do not, however, dip all our candles.  We use tin molds to make both tapers and pillar candles.  In my mind, it is out of economy.  When we dip candles, you always have to have around 4 lbs of wax melted so that the candles don't get stumpy.  When we pour candles, we can use every last drop.

In the sense that we prepare candles before actual Candlemas, we started celebrating weeks ago!


This year, we made white candles, as well as colored candles for our Advent wreath.  The colors we chose were Violet and Rose.  I recommend dye flakes vs pigments.  They are easy to measure and mix, and don't clog the candles.



We then took the candles to Mass with us, and they were blessed!







 We had a wonderful dinner by candlelight, and enjoyed an evening remembering that Christ came into the world to be a light to all of us.


Everything does taste better by candle light....




 


The Nativity scene will be packed up tomorrow, as we close out Christmastide, and we will start gathering everything to start Lent in a few weeks.  All the best from our family to yours.  May your evening be a blessed one, and the coming year be full of grace and peace.





01 February 2018

Multi Factor Authentication - Duo and Yubikey

Multi Factor Authentication / 2 Factor Authentication is not just all the rage today, but a necessity in today's ultra-connected world.  The balance between security and convenience is a hard one, but it has to be weighed and measured for you, your information, and the assets you are responsible for.

What?

I have used, implemented, advised, and researched several forms of Multi Factor Authentication (MFA).  Simply stated, MFA or 2FA just means that you are required to have two pieces to authenticate.  Generally these fall under one of three categories: knowledge (something you know), possession (something you have), and inherence (something you are).  That means, for example, knowing a password (knowledge) AND having a USB smart card plugged in (possession).  The implementation on many social media and shopping sites is having a password AND having a number generated by a timed one-time-password (TOTP) dongle/app (possession).  A code sent by SMS is not technically 2FA because it can be spoofed, but it is still 2SV.  This could also be having a biometric fingerprint reader (inherence) and a hardware generated one time password (HOTP, possession).



Some Definitions:

2FA - 2 Factor Authentication, use of 2 different MFA methods.
2SV - 2 Step Verification, use of 2 authentication methods that are NOT distinctly different.
AD - Active Directory, Microsoft enterprise level central store for usernames and passwords.
Biometrics - Using unique human attributes to authenticate.
FERPA - Family Educational Rights and Privacy Act, safeguards and security provisions to protect student information, and to allow Parents and Students reasonable access to their data.
HIPAA - Health Insurance Portability and Accountability Act of 1996, safeguards and security provisions to protect medical information.
HOTP - Hardware One Time Password, password generated by physical dongle that generates the next password based on an algorithm and successive key presses.
Inherence - Inherence Factor, a factor of MFA, aspects that are integral to the individual in question, like biometrics. Something you are.
International Safe Harbor Privacy Principles - principles developed to prevent private organizations within the European Union from accidentally disclosing or losing personal information.
Knowledge - a factor of MFA, something that is known only to the user, like a password. Something you know.
MFA - Multi Factor Authentication, any time that 2 or more unique authenticating factors are required to allow access to a resource or asset, this includes 2FA, 3FA, 4FA, etc. Factors include Knowledge, Possession, and Inherence
NFC - Near-Field Communication, wireless technology that allows communication over short distances, usually an inch or less.
NIST - National Institute of Standards and Technology, sets the standards and recommendations for MFA.
OTP - One Time Password, A password that can only be used once.  Based on time or key presses and generated based on pre-shared information and an algorithm.
PCI - Payment Card Industry, most often referring to Payment Card Industry Data Security Standard, a set of security requirements for credit card processors.
PIV - Personal Identity Verification, a standard for a specific type of smart-card that can be used as an access card.  Standardized by FIPS 201 and is used by federal agencies.
PKI - Public Key Infrastructure, all components necessary for using public key encryption.  Utilizes public and private keys for encryption.
Possession - a factor of MFA, something physical that can not be duplicated or spoofed that is used to authenticate or verify a specific user. Something you have.
SmartCard - any number of pocket sized devices that have an embedded integrated circuit.  They can contain personal identification, authentication, data storage, application processing, etc.  They can be contact based or contactless.
SMS - Short Message Service, GSM service that is used to send and receive short text messages between mobile devices.  NOTE: because they can be spoofed or read by service personnel, they are not considered a Possession Factor of MFA by NIST.
Spoofing - a form of subterfuge in which communication is sent from an unknown source disguised as a source known to the receiver.
TOTP - Time One Time Password, password generated by physical dongle or application that generates the next password based on an algorithm and the time.
VPN - Virtual Private Network, a private network that allows confidential and secure communication over public networks.

Why?

In 2017 we saw a huge uptick in cyber attacks.  Equifax, Yahoo, FedEx, Uber, and countless Facebook, Gmail, and Twitter accounts saw data breaches, and with worms/viruses like WannaCry, NotPetya, and Bad Rabbit, the reality is that you cannot be too careful.

Passwords can be cracked, hacked, shared, and stolen.  MFA applies a second (or third, fourth, etc.) level of authentication and therefore adds another layer of security.  The cost of a security breach is greater than the cost of 2FA, and the extra steps involved force you to be mindful of what you are accessing, where you are accessing it, and what the loss would mean.

Furthermore, if you are a business/entity that is required to use MFA to be PCI DSS, HIPAA, FERPA, or Safe Harbor compliant, then you need to put forth the effort now so you don't get blindsided later.

How?

In my mind, any MFA solution has to have certain pieces:

1) Secure - No bypassing, no spoofable devices, no shared devices; user tokens/certificates/passwords/etc. need to be easily revocable.
2) Failover - The solution needs to be reliable. While being secure, there needs to be more than one way to authenticate the 2nd factor, in case the infrastructure for the 1st method fails.
3) Usability - If there is no end-user buy-in, it won't get used, it will get bypassed, and it will all be for nothing.... period
4) Deployability - Sometimes referred to as scalability.  It should be easy to go from 10 users to 100 users overnight.
5) Maintainability - Once the solution is operational, how often will it need maintenance, and how many help desk calls are going to be for this solution?

There are LOTS of MFA solutions, but the one I want to walk through today is Duo.  The maintainability, deployability, and usability are there, and it can be made secure.  The problem I had with their module to secure Windows desktop login was that if the machine was not connected to the internet, there was no way to verify the 2nd factor.  It does, however, allow for failover to be a smartcard.  This is where the Yubikeys enter in.

Duo

Duo is well documented, and it's worth trying for free for 10 users.  To set up Duo Authentication for Windows Logon and RDP, follow their instructions here: https://duo.com/docs/rdp

For my purposes, I have the installer run from a batch file with my pertinent information.  Make sure you allow smart cards, do NOT let it fail open, and since I was securing both local and remote sessions, turn off RDP only.

msiexec.exe /i DuoWindowsLogon64.msi IKEY="" SKEY="" HOST="" ^
 AUTOPUSH="#1" FAILOPEN="#0" SMARTCARD="#1" RDPONLY="#0"

This means that if Duo can't connect to the internet, your users can still log in with the smart card.  If you use YubiKeys you can also enroll them with Duo as hardware keys, to provide the OTP.

To secure Duo, I turn off the Authentication Methods that are capable of being spoofed, and I require an encrypted OS on the phone, and biometrics to use the app.


Now, when users log in, they get a prompt to authenticate through Duo


But what happens if the internet is disconnected, or the user is on an airplane with a laptop, etc?


Yubikey

This is where having the SmartCard option is key.  If you already enabled smart cards at install, then Duo is already set.  To leverage a Yubikey, or any SmartCard, you will need a PKI setup.  That starts with a Certificate Authority, then you will need your machines to accept smartcards, and finally you need a way to enroll them.

I would recommend reading the following documents if this is the road you want to go down:

Setting Up a Certificate Authority
YubiKey Smart Card Deployment Guide
YubiKey Smart Card Minidriver User Guide
YubiKey PIV Manager User's Guide
Yubico PIV Tool Command Line Guide

The down and dirty goes like this:

A) Create a Certificate Authority on a fresh server install (Found in Microsoft and Yubikey Documentation)

1. Open Server Manager and choose Add roles and features, > Next.
2. > Role-based or feature-based installation > Next.
3. > Select a server from the server pool.
4. Select your new server.
5. Under Server Roles, > Active Directory Certificate Services, > Next.
6. > Add Features, > Next.
7. > Next again.
8. > Certification Authority, > Next.
9. > Install. Allow several minutes for the process to complete.
10. > Configure Active Directory Certificate Services on the destination server, > Next.
11. > Certification Authority, > Next.
12. Choose Enterprise CA, > Next.
13. Choose Root CA, > Next.
14. Create a new private key, > Next.
15. Select the cryptographic provider, hash algorithm, and key length for the private key, > Next.
(Yubico recommends sticking with default values so you don't create a cert that is too big for the smartcards)
16. Common name and Distinguished name will be automatically populated. Confirm the values match the server name and domain name, > Next.
17. Select the validity period for the Certification Authority certificate, > Next.
18. Leave the Database locations to the default values > Next.
19. Verify all settings match the desired values, > Configure.
20. When the process completes, exit the installation wizard.

B) Install the minidriver
1. Download the minidriver: https://www.yubico.com/support/knowledge-base/categories/downloads/
2. Unzip
3. Right click the one that says it has Setup Information and click Install


C) Create an Enrollment Agent so you can enroll certs on behalf of your users.
If you want to allow users to self-enroll, follow the documentation in the deployment guide above.
1) Open the Certificate Template Manager by running certtmpl.msc
2) Right click on the template named Enrollment Agent



3) In the security tab, ensure that the user/users/groups that will be in charge of enrolling other users has Read and Enroll permissions on the Template.
4) Open the Certificate Authority Manager by running certsrv.msc
5) Right click Certificate Templates, under new, Choose Certificate Template to Issue.


6) Select Enrollment Agent template
7) Open certmgr.msc
8) Under Certificates - Current User expand Certificates
9) Right click, Request a New Certificate
10) Select Active Directory Enrollment Policy, and then select the Enrollment Agent template, and then click Enroll.

D) Create a smart card certificate Template
1) Open the Certificate Template Manager by running certtmpl.msc
2) Right-click Smartcard Logon, and select Duplicate Template.
3) Setup the certificate as follows:






4) Open the Certificate Authority Manager by running certsrv.msc
5) Right click Certificate Templates, under new, Choose Certificate Template to Issue.


6) Select YubiKeySC template
7) Open certmgr.msc
8) Under Certificates - Current User expand Certificates
9) Right click, Under Advanced Options, choose Enroll on Behalf of
10) Select Active Directory Enrollment Policy, and then browse and choose your Enrollment Agent cert, choose the correct user and then click Enroll.
11) The default PIN is 123456
12) MAKE SURE THE USER CHANGES THEIR PIN.  It has to be 6-8 characters and can be a combination of letters and numbers.  They can change their PIN by pressing Ctrl-Alt-Del and switching to the smart card with the sign-in options button.

E) Resetting a SmartCard after they lock their PIN
It will happen.  You can use the PIV Manager to reset it, or you can download the PIV tool, and run the following batch file:

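@ECHO OFF
REM Resets the PIV applet on a YubiKey. This erases the keys and certificates on it.
REM Replace ~path with the folder that contains yubico-piv-tool.

:choice
echo Yubikey will be reset and 
echo you will erase current Certificate. 
set /P c=Are you sure you want to continue [Y/N]?
if /I "%c%" EQU "Y" goto :yes
if /I "%c%" EQU "N" goto :no
goto :choice

:yes
echo Resetting Yubikey...
REM The reset action only works once both the PIN and the PUK are blocked.
REM Wrong PIN attempts: four tries cover the default retry count of 3.
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
REM Wrong PUK attempts: block the PUK the same way.
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
REM With PIN and PUK blocked, return the PIV applet to factory defaults.
~path\yubico-piv-tool -a reset
echo exiting.............
pause
exit

:no
echo Yubikey was not reset. 
echo exiting.............
pause 
exit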

After the YubiKey is reset, it will have to be re-enrolled, and the old cert will need to be revoked.
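One way to script the revocation step, as an added example that is not part of the original post or of the Microsoft or Yubico documentation: the function name `Revoke-SmartCardCert` and the sample serial number are constructed for illustration, and the script assumes it runs in an elevated session on the CA server, where `certutil` is available.

```powershell
# Added example: revoke the certificate that was on a reset YubiKey, then publish a new CRL.
# Assumption: run elevated on the Enterprise CA built in step A.
function Revoke-SmartCardCert {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Serial number as shown under Issued Certificates in certsrv.msc
        [Parameter(Mandatory = $true)]
        [string]$SerialNumber,

        # CRL reason code: 4 = Superseded (card re-enrolled),
        # 5 = Cessation of Operation, 1 = Key Compromise (card lost or stolen)
        [ValidateSet(1, 4, 5)]
        [int]$Reason = 4
    )

    # Accept "61 00 00 ..." or "61:00:..." as pasted from the GUI; keep hex digits only.
    $serial = ($SerialNumber -replace '[\s:]', '').ToLower()
    if ($serial -notmatch '^[0-9a-f]{2,}$') {
        throw "Serial number '$SerialNumber' is not a hex string."
    }

    if ($PSCmdlet.ShouldProcess($serial, "Revoke certificate (reason $Reason)")) {
        & certutil.exe -revoke $serial $Reason
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -revoke failed with exit code $LASTEXITCODE"
        }

        # The revocation is not visible to relying parties until a new CRL is published.
        & certutil.exe -CRL
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -CRL failed with exit code $LASTEXITCODE"
        }
    }
}

# Constructed serial number; -WhatIf shows the action without changing the CA.
Revoke-SmartCardCert -SerialNumber '61 00 00 00 1a 2b 3c 4d 5e 6f' -WhatIf
```

Machines that have already cached the previous CRL keep trusting it until it expires, so plan the CRL validity period with that delay in mind.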

Other Considerations

As I said earlier, this is just one of many options.  Start the conversation now because if you are not using any form of MFA or 2SV then ANYTHING you do is more secure than what you have right now.

I am not paid by any of the aforementioned companies; in fact, I pay them for the use of their services and devices.

Make sure you enroll your Yubikeys in Duo as well as enabling the smart card feature.  Then you can use them as a token, and don't have to rely on the app: https://duo.com/docs/yubikey

Finally, do your homework.  The more prepared you are, and the more you experiment with these items in your own environment, the better prepared you will be for the challenges ahead.