TweetFollow Us on Twitter

Demystifying PKI

Volume Number: 25
Issue Number: 06
Column Tag: Security

Demystifying PKI

Part One in a Series of Articles and How-Tos about PKI technology in the OS X environment

By Michele (Mike) Hjörleifsson

Introduction

Public Key Infrastructure, or PKI, is a mature set of tools and technologies that serves as the basis for securing most network communications and dozens of other security technologies. It is one of the most misunderstood technologies in the IT arena. This series of articles presents a brief history of PKI, explains how it's currently used, and describes how you can implement PKI in both small and large OS X implementations for various types of security without breaking the bank or causing excessive brain strain.

What is PKI and Why Should I care ?

Let's start at the beginning,. PKI has evolved from a theory and paper published in 1976 by Diffie-Hellman describing the use of asymmetric ciphers versus symmetric ciphers in a white-pages-like directory where you could pull down or validate an individual's public key. This theory was initially put into practice by a group of mathematicians from the Massachusets Institute of Technology (MIT), namely Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, more popularly known as RSA. RSA's premise was based on the understanding that when you multiply prime numbers together, there is no easy way to reduce the product back to its source. And, the larger the number, the more difficult it is to reduce, making this technique ideal for cryptographic operations that could be implemented to achieve Diffie-Helman's original and additional cryptography goals. Wow, sounds very technical. Under the hood it is quite technical mathematically but here's a more understandable explanation.

A symmetric key encryption scheme requires two or more parties to have a shared key. Think of this as a decoder ring you find in a box of cereal. As long as all the required parties have the decoder you can send encrypted messages back and forth to each other secretly. The big question about symmetric keys is how do we get the decoder ring to everyone in a way that prevents it from being compromised? Enter asymmetric key schemes that, in contrast, have two sets of keys, a private key (your secret key) and a public key (something you send about). The sender of a message uses your public key to encrypt or sign a piece of information and transmits it to you (we will get into the differences between encrypting and signing later). You use your private key to decrypt or verify the signature. Only the private key can decrypt making this a pretty good system, and quite secure.

Now that we have a basic understanding of asymmetric keys, let's talk about how this is implemented in today's technologies that you are most definitely familiar with. When you purchase an item at an online store you are normally directed to a secure page indicated by an https URL in the address bar, commonly known as an SSL protected, or secure sockets protected web page. Without your knowledge, in most cases, your browser has a very fast conversation with the server: the server presents its certificate; your browser checks this certificate against a set of accepted root signing certificates it has preloaded; your browser either accepts the certificate and starts an encrypted session or prompts you with the following message indicating it doesn't "trust" the certificate.

A quick word about "trust". With Mac OS X Server and other operating systems, you can create a self-signed certificate that you generate yourself, typically for internal use in your organization or on a test machine. This certificate in no way diminishes the encryption protection created between the browser and the server. The level of encryption is the same regardless of whether the certificate is publicly "trusted" or privately "trusted" (that is, generated by you on your Mac OS X Server). This "trust" (and I put "trust" in quotes for a reason) is created by the browser manufacturers and a group of companies that have established certain procedures and security measures that make them "trusted" by your browser's manufacturer and the public at large.

Now you see that you have been using PKI for several years and may not have known it. PKI is the technology behind the certificate: how it's generated; how it's validated; and who is or is not trusted.

Let's take another item we are all familiar with: a credit card. I assume anyone reading this article has at least one or more cards with either of the two major card issuer's logos on it. Why is this card accepted at retailers and online stores worldwide? Why do they "trust" your card? Well, you applied for the card, the card company verified your information and then issued you a card with a unique number on it. They also have established a trust relationship with millions of vendors in both brick and mortar and online stores. This concept is quite similar to how PKI works.

In the PKI world, you apply for a certificate to an RA (registration authority), the RA validates your information and, if valid, sends a request to a CA (certificate authority) to issue you a certificate. This certificate has information about you, your organization and a serial number, just like a credit card does. You receive the certificate and use it for one of a myriad of potential uses such as securing a website, signing email, signing documents, smartcard authentication, and perhaps opening a door at your office. When you use the certificate, a VA (validation authority), aka Online Certificate Status Protocol (OCSP) responder, validates your certificate similar to the way your card is validated and checked against your available balance when you use your credit card. Just like your credit card, your PKI certificate can have a PIN (personal identification number) assigned to it to lock or unlock it. Amazingly simple conceptually, yet, as you will see, it is quite powerful and useful.

So what can we do with these neat little certificates and how can we issue our own? For starters, almost all of the services provided with Mac OS X Server can be secured using SSL, also known as TLS (transport layer security). These include iChat Server, iCal Server, Mail, OpenDirectory, VPN Server, Web Server, and Collaboration Services (Wiki/Blog/Web Calendar). They all need a certificate to function properly. Additionally, you can secure access to your wireless through the RADIUS service and a technology known as 802.1x using a certificate to ensure only your users get on the wireless network, not just anyone that figured out some shared key that is probably on a post it note somewhere in your office.

You probably weren't aware of this but Mac OS X Server automatically generates a self-signed server certificate you can use for services during its install process. This certificate can be managed from the Server Admin tool by clicking on the Certificates icon. This is the most basic of certificate administration tools. There are several ways you can issue and manage certificates. For smaller environments, Apple provides the certificate assistant located in your /System/Library/Core Services folder. In next month's article, we will delve into setting up your own certificate authority and issuing certificates using this tool. Also, for larger installations, there is an open source project called EJBCA (Enterprise Java Beans Certificate Authority) that offers both free community support and paid for corporate support and training. To download and install EJBCA go to www.ejbca.org. Support, training, and customization are provided by PrimeKey Solutions (www.primekey.se). EJBCA will be described in detail in a future article. For now, just take a look at your Mac OS X Server and play around with the Certificate function to create some self-signed certificates and use them to test some services. Be careful not to delete the default certificate if it is already in use to prevent disrupting anyone's ability to connect to a given service.

Conclusion

So we have started down the wonderful road to public key infrastructure (PKI). With this basic understanding under our belt, we can build our own certificate authorities, generate our own web and other certificates and learn how to use PKI for some pretty neat security functions like email and document signing. Till next month, stay secure and happy computing.

Michele (Mike) Hjörleifsson has been programming Apple computers since the Apple II+, and implementing network and remote access security technologies since the early '90s. He has worked with the nation's largest corporations and government institutions. Mike is currently a certified Apple trainer and independent consultant. Feel free to contact him at mhjorleifsson@me.com

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

pwSafe 4.0.1 - Secure password managemen...
pwSafe provides simple and secure password management across devices and computers. pwSafe uses iCloud to keep your password databases backed-up and synced between Macs and iOS devices. It is... Read more
WALTR 1.5.4 - Drag-and-drop any media fi...
WALTR is designed to make it easy to upload and convert any music or video file to an iPad or iPhone format for native playback. It supports a huge variety of media file types, including MP3, MP4,... Read more
Audio Hijack 3.1 - Record and enhance au...
Audio Hijack (was Audio Hijack Pro) drastically changes the way you use audio on your computer, giving you the freedom to listen to audio when you want and how you want. Record and enhance any audio... Read more
PopChar 7.1 - Floating window shows avai...
We're also selling a 5-license family pack for only $25.99! PopChar helps you get the most out of your font collection. With its crystal-clear interface, PopChar X provides a frustration-free way to... Read more
BBEdit 11.1.1 - Powerful text and HTML e...
BBEdit is the leading professional HTML and text editor for the Mac. Specifically crafted in response to the needs of Web authors and software developers, this award-winning product provides a... Read more
Picasa 3.9.139 - Organize, edit, and sha...
Picasa and Picasa Web Albums allows you to organize, edit, and upload your photos to the Web from your computer in quick, simple steps. Arrange your photos into folders and albums and erase their... Read more
Mac DVDRipper Pro 5.0.5 - Copy, backup,...
Mac DVDRipper Pro is the DVD backup solution that lets you protect your DVDs from scratches, save your batteries by reading your movies from your hard disk, manage your collection with just a few... Read more
NetShade 6.2 - Browse privately using an...
This promotion is for NetShade and 1 year of Proxy and VPN services NetShade is an anonymous proxy and VPN app+service for Mac. Unblock your Internet through NetShade's high-speed proxy and VPN... Read more
CrossOver 14.1.3 - Run Windows apps on y...
CrossOver can get your Windows productivity applications and PC games up and running on your Mac quickly and easily. CrossOver runs the Windows software that you need on Mac at home, in the office,... Read more
Little Snitch 3.5.3 - Alerts you about o...
Little Snitch gives you control over your private outgoing data. Track background activity As soon as your computer connects to the Internet, applications often have permission to send any... Read more

Block Fortress has a Big New Update for...
Block Fortress is a survival-style game that's as fun as it is blocky. It's also just gotten a rather sizeable update that adds a lot more cool stuff. [Read more] | Read more »
Simple and Surreal Star Base Sim rymdkap...
I really like rymdkapsel. Not just because I'm a sucker for games that are cleverly simple or highly stylisitc, but because it's fun and challenging. Actually it's extremely challenging, which is why I was excited to learn that it's getting a couple... | Read more »
Check out the anticipated Angel Stone in...
Fincon has finally revealed Angel Stone in action in the first ever official gameplay trailer for the anticipated hack and slasher. Angel Stone is set in a post-apocalyptic world in which humanity is in danger of being wiped out by the demonic... | Read more »
Moleskine Timepage is an All-New Calenda...
Moleskine Timepage is a bit of a departure for the notebook manufacturer (since it has little to do with notebooks), but it certainly carries their simple and elegant style quite well. [Read more] | Read more »
Jog on Over and Check Out the New Runtas...
Runtastic has put out a fair number of apps to help you sleep, track excercise, and train various parts of your body. Now it's time for your legs to have their own time in the spotlight with Runtastic Leg Trainer. [Read more] | Read more »
It's Lights Out in the Upcoming Pla...
Ember’s Journey is a stark puzzle platformer with a twist: the entire game is played in darkness. The only light you can see by is the one emanating from your own character. [Read more] | Read more »
MooVee - Your Movies Guru (Entertainmen...
MooVee - Your Movies Guru 1.0 Device: iOS iPhone Category: Entertainment Price: $1.99, Version: 1.0 (iTunes) Description: MooVee helps you effortlessly manage your movies, on your iPhone. | Read more »
Geometry Wars 3: Dimensions (Games)
Geometry Wars 3: Dimensions 1.0.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.0 (iTunes) Description: Enjoy the next chapter in the award-winning Geometry Wars franchise and enjoy stunning, console-quality... | Read more »
CHAOS RINGS Ⅲ (Games)
CHAOS RINGS Ⅲ 1.0.0 Device: iOS Universal Category: Games Price: $19.99, Version: 1.0.0 (iTunes) Description: The newest addition to the popular smartphone RPG series is finally here! ・CHAOS RINGS Overview | Read more »
The Popular Insight Series of Travel Gui...
Getting around in a country when you can't understand the primary language can be tough. Fortunately there are several options available to help wold travellers with the important stuff like giving directions to a cab driver or asking where the... | Read more »

Price Scanner via MacPrices.net

Top Markets Saturation To Slow Global Smartph...
According to a new mobile phone forecast from the International Data Corporation (IDC) Worldwide Quarterly Mobile Phone Tracker, smartphone shipments are expected to grow 11.3% in 2015 — down from 27... Read more
Apple refurbished 2014 13-inch Retina MacBook...
The Apple Store has Apple Certified Refurbished 2014 13″ Retina MacBook Pros available for up to $400 off original MSRP, starting at $979. An Apple one-year warranty is included with each model, and... Read more
What Would the ideal Apple Productivity Platf...
For the past four years I’ve kept a foot in both the Mac and iPad camps respectively. my daily computing hours divided about 50/50 between the two devices with remarkable consistency. However, there’... Read more
PageMeUp 1.2.1 Ten Dollar Page Layout Applica...
Paris, France-based Softobe, an OS X software development company, has announced that their PageMeUp v. 1.2.1, is available on the Mac App Store for $9.99. The license can be installed on up to 5... Read more
Eight New Products For USB Type-C Application...
Fresco Logic, specialists in advanced connectivity technologies and ICs, has introduced two new product families targeting the Type-C connector recently introduced across a number of consumer... Read more
Scripps National Spelling Bee Launches Buzzwo...
Scripps National Spelling Bee fans can monitor the action at the 2015 Spelling Bee with the new Buzzworthy app for iOS, Android and Windows mobile devices. The free Buzzworthy app provides friendly... Read more
13-inch 2.5GHz MacBook Pro on sale for $120 o...
B&H Photo has the 13″ 2.5GHz MacBook Pro on sale for $979 including free shipping plus NY sales tax only. Their price is $120 off MSRP, and it’s the lowest price for this model (except for Apple’... Read more
27-inch 3.3GHz 5K iMac on sale for $1899, $10...
B&H Photo has the new 27″ 3.3GHz 5K iMac on sale for $1899.99 including free shipping plus NY tax only. Their price is $100 off MSRP. Read more
Save up to $50 on iPad Air 2, NY tax only, fr...
B&H Photo has iPad Air 2s on sale for up to $50 off MSRP including free shipping plus NY sales tax only: - 16GB iPad Air 2 WiFi: $469 $30 off - 64GB iPad Air 2 WiFi: $549.99 $50 off - 128GB iPad... Read more
Updated Mac Price Trackers
We’ve updated our Mac Price Trackers with the latest information on prices, bundles, and availability on systems from Apple’s authorized internet/catalog resellers: - 15″ MacBook Pros - 13″ MacBook... Read more

Jobs Board

*Apple* Retail - Multiple Positions (US) - A...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
Program Manager, *Apple* Community Support...
**Job Summary** Apple Support Communities ( discussions. apple .com) helps customers get the most from their Apple products and services by providing access to Read more
Senior Data Scientist, *Apple* Retail - Onl...
**Job Summary** Apple Retail - Online sells Apple products to customers around the world. In addition to selling Apple products with unique services such as iPad Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** As an Apple Solutions Consultant (ASC) you are the link between our customers and our products. Your role is to drive the Apple business in a retail Read more
*Apple* Watch SW Application Project Manager...
**Job Summary** The Apple Watch software team is looking for an Application Engineering Project Manager to work on new projects for Apple . The successful candidate Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.