TweetFollow Us on Twitter

Demystifying PKI

Volume Number: 25
Issue Number: 06
Column Tag: Security

Demystifying PKI

Part One in a Series of Articles and How-Tos about PKI technology in the OS X environment

By Michele (Mike) Hjörleifsson

Introduction

Public Key Infrastructure, or PKI, is a mature set of tools and technologies that serves as the basis for securing most network communications and dozens of other security technologies. It is one of the most misunderstood technologies in the IT arena. This series of articles presents a brief history of PKI, explains how it's currently used, and describes how you can implement PKI in both small and large OS X implementations for various types of security without breaking the bank or causing excessive brain strain.

What is PKI and Why Should I care ?

Let's start at the beginning,. PKI has evolved from a theory and paper published in 1976 by Diffie-Hellman describing the use of asymmetric ciphers versus symmetric ciphers in a white-pages-like directory where you could pull down or validate an individual's public key. This theory was initially put into practice by a group of mathematicians from the Massachusets Institute of Technology (MIT), namely Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, more popularly known as RSA. RSA's premise was based on the understanding that when you multiply prime numbers together, there is no easy way to reduce the product back to its source. And, the larger the number, the more difficult it is to reduce, making this technique ideal for cryptographic operations that could be implemented to achieve Diffie-Helman's original and additional cryptography goals. Wow, sounds very technical. Under the hood it is quite technical mathematically but here's a more understandable explanation.

A symmetric key encryption scheme requires two or more parties to have a shared key. Think of this as a decoder ring you find in a box of cereal. As long as all the required parties have the decoder you can send encrypted messages back and forth to each other secretly. The big question about symmetric keys is how do we get the decoder ring to everyone in a way that prevents it from being compromised? Enter asymmetric key schemes that, in contrast, have two sets of keys, a private key (your secret key) and a public key (something you send about). The sender of a message uses your public key to encrypt or sign a piece of information and transmits it to you (we will get into the differences between encrypting and signing later). You use your private key to decrypt or verify the signature. Only the private key can decrypt making this a pretty good system, and quite secure.

Now that we have a basic understanding of asymmetric keys, let's talk about how this is implemented in today's technologies that you are most definitely familiar with. When you purchase an item at an online store you are normally directed to a secure page indicated by an https URL in the address bar, commonly known as an SSL protected, or secure sockets protected web page. Without your knowledge, in most cases, your browser has a very fast conversation with the server: the server presents its certificate; your browser checks this certificate against a set of accepted root signing certificates it has preloaded; your browser either accepts the certificate and starts an encrypted session or prompts you with the following message indicating it doesn't "trust" the certificate.

A quick word about "trust". With Mac OS X Server and other operating systems, you can create a self-signed certificate that you generate yourself, typically for internal use in your organization or on a test machine. This certificate in no way diminishes the encryption protection created between the browser and the server. The level of encryption is the same regardless of whether the certificate is publicly "trusted" or privately "trusted" (that is, generated by you on your Mac OS X Server). This "trust" (and I put "trust" in quotes for a reason) is created by the browser manufacturers and a group of companies that have established certain procedures and security measures that make them "trusted" by your browser's manufacturer and the public at large.

Now you see that you have been using PKI for several years and may not have known it. PKI is the technology behind the certificate: how it's generated; how it's validated; and who is or is not trusted.

Let's take another item we are all familiar with: a credit card. I assume anyone reading this article has at least one or more cards with either of the two major card issuer's logos on it. Why is this card accepted at retailers and online stores worldwide? Why do they "trust" your card? Well, you applied for the card, the card company verified your information and then issued you a card with a unique number on it. They also have established a trust relationship with millions of vendors in both brick and mortar and online stores. This concept is quite similar to how PKI works.

In the PKI world, you apply for a certificate to an RA (registration authority), the RA validates your information and, if valid, sends a request to a CA (certificate authority) to issue you a certificate. This certificate has information about you, your organization and a serial number, just like a credit card does. You receive the certificate and use it for one of a myriad of potential uses such as securing a website, signing email, signing documents, smartcard authentication, and perhaps opening a door at your office. When you use the certificate, a VA (validation authority), aka Online Certificate Status Protocol (OCSP) responder, validates your certificate similar to the way your card is validated and checked against your available balance when you use your credit card. Just like your credit card, your PKI certificate can have a PIN (personal identification number) assigned to it to lock or unlock it. Amazingly simple conceptually, yet, as you will see, it is quite powerful and useful.

So what can we do with these neat little certificates and how can we issue our own? For starters, almost all of the services provided with Mac OS X Server can be secured using SSL, also known as TLS (transport layer security). These include iChat Server, iCal Server, Mail, OpenDirectory, VPN Server, Web Server, and Collaboration Services (Wiki/Blog/Web Calendar). They all need a certificate to function properly. Additionally, you can secure access to your wireless through the RADIUS service and a technology known as 802.1x using a certificate to ensure only your users get on the wireless network, not just anyone that figured out some shared key that is probably on a post it note somewhere in your office.

You probably weren't aware of this but Mac OS X Server automatically generates a self-signed server certificate you can use for services during its install process. This certificate can be managed from the Server Admin tool by clicking on the Certificates icon. This is the most basic of certificate administration tools. There are several ways you can issue and manage certificates. For smaller environments, Apple provides the certificate assistant located in your /System/Library/Core Services folder. In next month's article, we will delve into setting up your own certificate authority and issuing certificates using this tool. Also, for larger installations, there is an open source project called EJBCA (Enterprise Java Beans Certificate Authority) that offers both free community support and paid for corporate support and training. To download and install EJBCA go to www.ejbca.org. Support, training, and customization are provided by PrimeKey Solutions (www.primekey.se). EJBCA will be described in detail in a future article. For now, just take a look at your Mac OS X Server and play around with the Certificate function to create some self-signed certificates and use them to test some services. Be careful not to delete the default certificate if it is already in use to prevent disrupting anyone's ability to connect to a given service.

Conclusion

So we have started down the wonderful road to public key infrastructure (PKI). With this basic understanding under our belt, we can build our own certificate authorities, generate our own web and other certificates and learn how to use PKI for some pretty neat security functions like email and document signing. Till next month, stay secure and happy computing.

Michele (Mike) Hjörleifsson has been programming Apple computers since the Apple II+, and implementing network and remote access security technologies since the early '90s. He has worked with the nation's largest corporations and government institutions. Mike is currently a certified Apple trainer and independent consultant. Feel free to contact him at mhjorleifsson@me.com

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

DiskCatalogMaker 7.1.3 - Catalog your di...
DiskCatalogMaker is a simple disk management tool which catalogs disks. Simple, light-weight, and fast Finder-like intuitive look and feel Super-fast search algorithm Can compress catalog data for... Read more
Amadeus Pro 2.4 - Multitrack sound recor...
Amadeus Pro lets you use your Mac for any audio-related task, such as live audio recording, digitizing tapes and records, converting between a variety of sound formats, etc. Thanks to its outstanding... Read more
Little Snitch 4.0.1 - Alerts you about o...
Little Snitch gives you control over your private outgoing data. Track background activity As soon as your computer connects to the Internet, applications often have permission to send any... Read more
Sparkle Pro 2.2.1 - $79.99
Sparkle Pro will change your mind if you thought building websites wasn't for you. Sparkle is the intuitive site builder that lets you create sites for your online portfolio, team or band pages, or... Read more
iWatermark Pro 2.0.0fc4 - Easily add wat...
iWatermark Pro is the essential watermarking app for professional, business, and personal use. Easily secure and protect your photos with text, a graphic, a signature, or a QR watermark. Once added... Read more
Together 3.8.7 - Store and organize all...
Together helps you organize your Mac, giving you the ability to store, edit and preview your files in a single clean, uncluttered interface. Together Features Smart storage. With simple drag-and-... Read more
DiskCatalogMaker 7.1.3 - Catalog your di...
DiskCatalogMaker is a simple disk management tool which catalogs disks. Simple, light-weight, and fast Finder-like intuitive look and feel Super-fast search algorithm Can compress catalog data for... Read more
Together 3.8.7 - Store and organize all...
Together helps you organize your Mac, giving you the ability to store, edit and preview your files in a single clean, uncluttered interface. Together Features Smart storage. With simple drag-and-... Read more
Little Snitch 4.0.1 - Alerts you about o...
Little Snitch gives you control over your private outgoing data. Track background activity As soon as your computer connects to the Internet, applications often have permission to send any... Read more
Sparkle Pro 2.2.1 - $79.99
Sparkle Pro will change your mind if you thought building websites wasn't for you. Sparkle is the intuitive site builder that lets you create sites for your online portfolio, team or band pages, or... Read more

Latest Forum Discussions

See All

Mix and match magical brews in Miracle M...
Miracle Merchant, the charming fantasy card game by Tiny Touch Tales, is arriving next week. The development team, which also brought you Card Crawl and Card Thief, announced the game's launch with a pleasant little trailer that showcases the game'... | Read more »
Last Day on Earth: Zombie Survival guide...
Last Day on Earth: Zombie Survival is the latest big hit in the survival game craze. The gist of the game is pretty cut and dry -- try your best to survive in a world overrun by flesh-eating zombies. But Last Day on Earth justifies the hype... | Read more »
Eden: Renaissance (Games)
Eden: Renaissance 1.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: Eden: Renaissance is a thrilling turn-based puzzle adventure set in a luxurious world, offering a deep and moving... | Read more »
Glyph Quest Chronicles guide - how to ma...
Glyph Quest returns with a new free-to-play game, Glyph Quest Chronicles. Chronicles offers up more of the light-hearted, good humored fantasy fun that previous games featured, but with a few more refined tricks up its sleeve. It's a clever mix of... | Read more »
Catch yourself a Lugia and Articuno in P...
Pokémon Go Fest may have been a bit of a disaster, with Niantic offering fans full refunds and $100 worth of in-game curency to apologize for the failed event, but that hasn't ruined trainers' chances of catching new legendary Pokémon. Lugia nad... | Read more »
The best deals on the App Store this wee...
There are quite a few truly superb games on sale on the App Store this week. If you haven't played some of these, many of which are true classics, now's the time to jump on the bandwagon. Here are the deals you need to know about. [Read more] | Read more »
Realpolitiks Mobile (Games)
Realpolitiks Mobile 1.0 Device: iOS Universal Category: Games Price: $5.99, Version: 1.0 (iTunes) Description: PLEASE NOTE: The game might not work properly on discontinued 1GB of RAM devices (iPhone 5s, iPhone 6, iPhone 6 Plus, iPad... | Read more »
Layton’s Mystery Journey (Games)
Layton’s Mystery Journey 1.0.0 Device: iOS Universal Category: Games Price: $15.99, Version: 1.0.0 (iTunes) Description: THE MUCH-LOVED LAYTON SERIES IS BACK WITH A 10TH ANNIVERSARY INSTALLMENT! Developed by LEVEL-5, LAYTON’S... | Read more »
Full Throttle Remastered (Games)
Full Throttle Remastered 1.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: Originally released by LucasArts in 1995, Full Throttle is a classic graphic adventure game from industry legend Tim... | Read more »
Stunning shooter Morphite gets a new tra...
Morphite is officially landing on iOS in September. The game looks like the space shooter we've been needing on mobile, and we're going to see if it fits the bill quite shortly. The game's a collaborative effort between Blowfish Studios, We're Five... | Read more »

Price Scanner via MacPrices.net

PHOOZY World’s First Thermal Capsules to Summ...
Summer days spent soaking up the sun can be tough on smartphones, causing higher battery consumption and overheating. To solve this problem, eXclaim IP, LLC has introduced the PHOOZY Thermal Capsule... Read more
2018 Honda Ridgeline with Android Auto and Ap...
The 2018 Honda Ridgeline is arriving in dealerships nationwide with a Manufacturer’s Suggested Retail Price (MSRP1) starting at $29,630. The 2017 Honda Ridgeline was named North American Truck of the... Read more
comScore Ranks Top 15 U.S. Smartphone Apps fo...
comScore, Inc. recently released data from comScore Mobile Metrix, reporting the top smartphone apps in the U.S. by audience reach for June 2017. * “Apple Music,” as it appears in comScore’s monthly... Read more
13-inch 3.1GHz MacBook Pros on sale for $100...
B&H Photo has the new 2017 13″ 3.1GHz Space Gray MacBook Pros in stock today and on sale for $100 off MSRP including free shipping. B&H charges sales tax in NY and NJ only: – 13″ 3.1GHz/256GB... Read more
Apple refurbished Mac minis available startin...
Apple has Certified Refurbished Mac minis available starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: – 1.4GHz Mac mini: $419 $80 off MSRP – 2.6GHz Mac... Read more
Apple’s 2017 Back to School Promotion: Free B...
Purchase a new Mac using Apple’s Education discount, and take up to $300 off MSRP. All teachers, students, and staff of any educational institution qualify for the discount. Shipping is free. As part... Read more
Clearance 2016 13-inch MacBook Pros available...
B&H Photo has clearance 2016 13″ MacBook Pros in stock today for up to $220 off original MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: – 13″ 2.9GHz/512GB Touch Bar... Read more
Apple Move Away from White Label Event Apps C...
DoubleDutch, Inc., a global provider of Live Engagement Marketing (LEM) solutions, has made a statement in the light of a game-changing announcement from Apple at this year’s WWDC conference.... Read more
70 Year Old Artist Creates Art Tools for the...
New Hampshire-based developer Pirate’s Moon has announced MyArtTools 1.1.3, the update to their precision drawing app, designed by artist Richard Hoeper exclusively for use with the 12.9-inch iPad... Read more
Sale! New 2017 13-inch 2.3GHz MacBook Pros fo...
Amazon has new 2017 13″ 2.3GHz/128GB MacBook Pros on sale today for $150 off MSRP including free shipping. Their prices are the lowest available for these models from any reseller: – 13″ 2.3GHz/128GB... Read more

Jobs Board

*Apple* Solutions Consultant (ASC) - Poole -...
Job Summary The people here at Apple don't just create products - they create the kind of wonder that's revolutionised entire industries. It's the diversity of those Read more
SW Engineer *Apple* TV - Apple Inc. (United...
Changing the world is all in a day's work at Apple . If you love innovation, here's your chance to make a career of it. You'll work hard. But the job comes with more Read more
Frameworks Engineering Manager, *Apple* Wat...
Frameworks Engineering Manager, Apple Watch Job Number: 41632321 Santa Clara Valley, California, United States Posted: Jun. 15, 2017 Weekly Hours: 40.00 Job Summary Read more
Product Manager - *Apple* Pay on the *Appl...
Job Summary Apple is looking for a talented product manager to drive the expansion of Apple Pay on the Apple Online Store. This position includes a unique Read more
*Apple* Retail - Multiple Positions - Apple...
SalesSpecialist - Retail Customer Service and SalesTransform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.