TweetFollow Us on Twitter

Demystifying PKI

Volume Number: 25
Issue Number: 06
Column Tag: Security

Demystifying PKI

Part One in a Series of Articles and How-Tos about PKI technology in the OS X environment

By Michele (Mike) Hjörleifsson

Introduction

Public Key Infrastructure, or PKI, is a mature set of tools and technologies that serves as the basis for securing most network communications and dozens of other security technologies. It is one of the most misunderstood technologies in the IT arena. This series of articles presents a brief history of PKI, explains how it's currently used, and describes how you can implement PKI in both small and large OS X implementations for various types of security without breaking the bank or causing excessive brain strain.

What is PKI and Why Should I care ?

Let's start at the beginning,. PKI has evolved from a theory and paper published in 1976 by Diffie-Hellman describing the use of asymmetric ciphers versus symmetric ciphers in a white-pages-like directory where you could pull down or validate an individual's public key. This theory was initially put into practice by a group of mathematicians from the Massachusets Institute of Technology (MIT), namely Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, more popularly known as RSA. RSA's premise was based on the understanding that when you multiply prime numbers together, there is no easy way to reduce the product back to its source. And, the larger the number, the more difficult it is to reduce, making this technique ideal for cryptographic operations that could be implemented to achieve Diffie-Helman's original and additional cryptography goals. Wow, sounds very technical. Under the hood it is quite technical mathematically but here's a more understandable explanation.

A symmetric key encryption scheme requires two or more parties to have a shared key. Think of this as a decoder ring you find in a box of cereal. As long as all the required parties have the decoder you can send encrypted messages back and forth to each other secretly. The big question about symmetric keys is how do we get the decoder ring to everyone in a way that prevents it from being compromised? Enter asymmetric key schemes that, in contrast, have two sets of keys, a private key (your secret key) and a public key (something you send about). The sender of a message uses your public key to encrypt or sign a piece of information and transmits it to you (we will get into the differences between encrypting and signing later). You use your private key to decrypt or verify the signature. Only the private key can decrypt making this a pretty good system, and quite secure.

Now that we have a basic understanding of asymmetric keys, let's talk about how this is implemented in today's technologies that you are most definitely familiar with. When you purchase an item at an online store you are normally directed to a secure page indicated by an https URL in the address bar, commonly known as an SSL protected, or secure sockets protected web page. Without your knowledge, in most cases, your browser has a very fast conversation with the server: the server presents its certificate; your browser checks this certificate against a set of accepted root signing certificates it has preloaded; your browser either accepts the certificate and starts an encrypted session or prompts you with the following message indicating it doesn't "trust" the certificate.

A quick word about "trust". With Mac OS X Server and other operating systems, you can create a self-signed certificate that you generate yourself, typically for internal use in your organization or on a test machine. This certificate in no way diminishes the encryption protection created between the browser and the server. The level of encryption is the same regardless of whether the certificate is publicly "trusted" or privately "trusted" (that is, generated by you on your Mac OS X Server). This "trust" (and I put "trust" in quotes for a reason) is created by the browser manufacturers and a group of companies that have established certain procedures and security measures that make them "trusted" by your browser's manufacturer and the public at large.

Now you see that you have been using PKI for several years and may not have known it. PKI is the technology behind the certificate: how it's generated; how it's validated; and who is or is not trusted.

Let's take another item we are all familiar with: a credit card. I assume anyone reading this article has at least one or more cards with either of the two major card issuer's logos on it. Why is this card accepted at retailers and online stores worldwide? Why do they "trust" your card? Well, you applied for the card, the card company verified your information and then issued you a card with a unique number on it. They also have established a trust relationship with millions of vendors in both brick and mortar and online stores. This concept is quite similar to how PKI works.

In the PKI world, you apply for a certificate to an RA (registration authority), the RA validates your information and, if valid, sends a request to a CA (certificate authority) to issue you a certificate. This certificate has information about you, your organization and a serial number, just like a credit card does. You receive the certificate and use it for one of a myriad of potential uses such as securing a website, signing email, signing documents, smartcard authentication, and perhaps opening a door at your office. When you use the certificate, a VA (validation authority), aka Online Certificate Status Protocol (OCSP) responder, validates your certificate similar to the way your card is validated and checked against your available balance when you use your credit card. Just like your credit card, your PKI certificate can have a PIN (personal identification number) assigned to it to lock or unlock it. Amazingly simple conceptually, yet, as you will see, it is quite powerful and useful.

So what can we do with these neat little certificates and how can we issue our own? For starters, almost all of the services provided with Mac OS X Server can be secured using SSL, also known as TLS (transport layer security). These include iChat Server, iCal Server, Mail, OpenDirectory, VPN Server, Web Server, and Collaboration Services (Wiki/Blog/Web Calendar). They all need a certificate to function properly. Additionally, you can secure access to your wireless through the RADIUS service and a technology known as 802.1x using a certificate to ensure only your users get on the wireless network, not just anyone that figured out some shared key that is probably on a post it note somewhere in your office.

You probably weren't aware of this but Mac OS X Server automatically generates a self-signed server certificate you can use for services during its install process. This certificate can be managed from the Server Admin tool by clicking on the Certificates icon. This is the most basic of certificate administration tools. There are several ways you can issue and manage certificates. For smaller environments, Apple provides the certificate assistant located in your /System/Library/Core Services folder. In next month's article, we will delve into setting up your own certificate authority and issuing certificates using this tool. Also, for larger installations, there is an open source project called EJBCA (Enterprise Java Beans Certificate Authority) that offers both free community support and paid for corporate support and training. To download and install EJBCA go to www.ejbca.org. Support, training, and customization are provided by PrimeKey Solutions (www.primekey.se). EJBCA will be described in detail in a future article. For now, just take a look at your Mac OS X Server and play around with the Certificate function to create some self-signed certificates and use them to test some services. Be careful not to delete the default certificate if it is already in use to prevent disrupting anyone's ability to connect to a given service.

Conclusion

So we have started down the wonderful road to public key infrastructure (PKI). With this basic understanding under our belt, we can build our own certificate authorities, generate our own web and other certificates and learn how to use PKI for some pretty neat security functions like email and document signing. Till next month, stay secure and happy computing.

Michele (Mike) Hjörleifsson has been programming Apple computers since the Apple II+, and implementing network and remote access security technologies since the early '90s. He has worked with the nation's largest corporations and government institutions. Mike is currently a certified Apple trainer and independent consultant. Feel free to contact him at mhjorleifsson@me.com

 
AAPL
$102.24
Apple Inc.
+0.45
MSFT
$46.73
Microsoft Corpora
+0.05
GOOG
$591.40
Google Inc.
+2.13

MacTech Search:
Community Search:

Software Updates via MacUpdate

Attachment Tamer 3.1.14b9 - Take control...
Attachment Tamer gives you control over attachment handling in Apple Mail. It fixes the most annoying Apple Mail flaws, ensures compatibility with other email software, and allows you to set up how... Read more
Duplicate Annihilator 5.0 - Find and del...
Duplicate Annihilator takes on the time-consuming task of comparing the images in your iPhoto library using effective algorithms to make sure that no duplicate escapes. Duplicate Annihilator detects... Read more
jAlbum Pro 12.2 - Organize your digital...
jAlbum Pro has all the features you love in jAlbum, but comes with a commercial license. With jAlbum, you can create gorgeous custom photo galleries for the Web without writing a line of code!... Read more
jAlbum 12.2 - Create custom photo galler...
With jAlbum, you can create gorgeous custom photo galleries for the Web without writing a line of code! Beginner-friendly, with pro results Simply drag and drop photos into groups, choose a design... Read more
Quicken 2015 2.0.4 - Complete personal f...
Quicken 2015 helps you manage all your personal finances in one place, so you can see where you're spending and where you can save. Quicken automatically categorizes your financial transactions,... Read more
iMazing 1.0 - Complete iOS device manage...
iMazing (formerly DiskAid) is the ultimate iOS device manager with capabilities far beyond what iTunes offers. With iMazing and your iOS device (iPhone, iPad, or iPod), you can: Copy music to and... Read more
Xcode 6.0.1 - Integrated development env...
Apple Xcode is Apple Computer's integrated development environment (IDE) for OS X. The full Xcode package is free to ADC members and includes all the tools you need to create, debug, and optimize... Read more
Apple Safari 7.1 - Apple's Web brow...
Apple Safari in OS X Mavericks brings you all-new ways to find and enjoy the best of the web. It works with iCloud to give you a seamless browsing experience across all your devices. It looks out for... Read more
Delivery Status 6.1.2 - Check delivery s...
Delivery Status displays delivery status of packages for a variety of shipment services. Can't wait for your packages to arrive? Don't waste your time checking the site constantly, just open this all... Read more
Mavericks Cache Cleaner 8.0.9 - Clear ca...
Mavericks Cache Cleaner is an award-winning general purpose tool for OS X. MCC makes system maintenance simple with an easy point-and-click interface to many OS X functions. Novice and expert users... Read more

Latest Forum Discussions

See All

MUJO Review
MUJO Review By Campbell Bird on September 19th, 2014 Our Rating: :: ASSEMBLE THE GODSUniversal App - Designed for iPhone and iPad This match-three game has collectible and role-playing elements that make it continually satisfying... | Read more »
Project Life (Photography)
Project Life 1.0 Device: iOS Universal Category: Photography Price: $2.99, Version: 1.0 (iTunes) Description: Imagine scrapbooking without scissors or adhesive or tools … or without having to print photos! Never before has... | Read more »
Skater (Games)
Skater 1.0 Device: iOS iPhone Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: All of Skateboarding In The Palm Of Your Hand Designed by skaters for skaters, we teamed up with 17 of the most prominent brands in... | Read more »
Huerons (Games)
Huerons 1.1 Device: iOS Universal Category: Games Price: $.99, Version: 1.1 (iTunes) Description: EXCLUSIVE LAUNCH PRICE! Huerons is 50% off until September 20th! Huerons are tiny colored circles. Merge them by clicking on an empty... | Read more »
Down Among the Dead Men (Games)
Down Among the Dead Men 1.0 Device: iOS Universal Category: Games Price: $.99, Version: 1.0 (iTunes) Description: Avast! Take to the high seas in a fully interactive piratical tale of broadsides and buccaneers. From author Dave... | Read more »
Sling Adds Chromecast Support Through Sl...
Sling Adds Chromecast Support Through Slingplaye​r Mobile Apps Posted by Jessica Fisher on September 18th, 2014 [ permalink ] | Read more »
How to Completely Delete Your iPhone’s C...
The iPhone 6 is out tomorrow, and plenty of people are excited about it. So much so that they’re planning to – or already have – traded in their old iPhone to go towards it. The thing about trading in hardware is it’s very important to make sure... | Read more »
Dragon Quest I Review
Dragon Quest I Review By Andrew Fisher on September 18th, 2014 Our Rating: :: THINE QUEST AWAITETHUniversal App - Designed for iPhone and iPad Its historical significance aside, Dragon Quest 1 is a fun, campy, difficult, thoroughly... | Read more »
It Came From Canada: Overkill 3
Overkill 3 is like every trope of big modern gaming rolled into one. It’s a sequel to an action-packed military shooter. It’s flashy and scripted and flaunts its sophisticated graphics. And it’s a mobile game with a heavy emphasis on in-app... | Read more »
Down Among the Dead Men Review
Down Among the Dead Men Review By Jennifer Allen on September 18th, 2014 Our Rating: :: AHOY, ME HEARTIESUniversal App - Designed for iPhone and iPad Down Among the Dead is a pirate themed gamebook that’s quite delightful, if short... | Read more »

Price Scanner via MacPrices.net

Previous-generation 15-inch 2.0GHz Retina Mac...
B&H Photo has leftover previous-generation 15″ 2.0GHz Retina MacBook Pros now available for $1599 including free shipping plus NY sales tax only. Their price is $400 off original MSRP. B&H... Read more
21″ 2.7GHz iMac available for $1179, save $12...
Adorama has 21″ 2.7GHz Hawell iMacs on sale for $1179.99 including free shipping. Their price is $120 off MSRP. NY and NJ sales tax only. Read more
iOS 8 Adoption Rate Slower than iOS 7, 6, Hit...
Apple began pushing out iOS 8 updates to eligible devices around 1pm ET on September 17, 2014. However, unlike with iOS 7, which boasted a wide variety of differences from its predecessor iOS 6, in... Read more
LIkely Final Definitive OS X 10.9.5 Mavericks...
Apple has released what will almost certainly be the last incremental version number update of OS X 10.9 Mavericks (save for futire security updates) before OS X 10.10 Yosemite is released next month... Read more
Fingerprints, Apple Pay and Identity Theft Wa...
On Sep 9th, CEO Tim Cook unveiled Apple Pay, along with the new iPhone 6 and iWatch. Apple Pay is a newly developed technology that utilizes a near field communication (NFC) to enable customer... Read more
Amazon Introduces Two All-New Kindles
Amazon on Thursday introduced the 7th generation of its Kindle dedicated e-reader device: Kindle Voyage, its top-of-the-line e-reader, and the new $79 Kindle, with a 20% faster processor, twice the... Read more
Save up to $300 on the price of a new Mac wit...
Purchase a new Mac or iPad at The Apple Store for Education and take up to $300 off MSRP. All teachers, students, and staff of any educational institution qualify for the discount. Shipping is free,... Read more
13-inch 2.8GHz Retina MacBook Pro available f...
B&H Photo has the new 2014 13″ 2.8GHz Retina MacBook Pro on sale for $1699.99 including free shipping plus NY sales tax only. They’ll also include free copies of Parallels Desktop and LoJack for... Read more
16GB iPad Air on sale for $449, save $50
Walmart has the 16GB iPad Air WiFi on sale for $449 on their online store for a limited time. Choose free home shipping or free local store pickup. Their price represents a $50 savings over standard... Read more
13-inch 256GB MacBook Air on sale for $1099,...
B&H Photo has the 2014 13″ 1.4GHz 256GB MacBook Air on sale for $1099.99. Shipping is free, and B&H charges NY sales tax only. Their price is $100 off MSRP. Read more

Jobs Board

Project Manager, *Apple* Financial Services...
**Job Summary** Apple Financial Services (AFS) offers consumers, businesses and educational institutions ways to finance Apple purchases. We work with national and Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.