8. Components of a PKI
Certificate and CA Management Tools
Certification Authority
Certificate and CRL Distribution Points
Certificate Template
Digital Certificate
Certificate Revocation List
Public Key-Enabled Applications and Services
It’s important in PKI to know whether the certificate you are generating is for a user or computer (or device or service), because each gives you a different type of authentication.
Instructor Notes:
In this instance, the question is not whether we trust the program the digital certificate is trying to authenticate; it is whether we (or our computer or application) trust the CA that issued the publisher’s digital certificate.
If we trust the CA, it means we trust the CA to have correctly identified the entity attached to the cert.
Either way, we still have to make a second trust decision of whether to trust the publisher and the content they are sending us. The CA just verifies the identity of the publisher and their cert.
Instructor’s Notes:
Key sizes that are usually talked about and published usually refer to the public key size. The related private key is normally significantly shorter than the public key size. For example, a 1024-bit public key can be associated with a 512- or 636-bit private key.
SSL transactions used to commonly use 40-bit keys, but now routinely use 128-bit keys. Thus, you may remember the 40- and 128-bit versions of Internet Explorer years ago.
“...more than the known atoms in the universe” quote can be attributed to many crypto writings including http://www.ssh.com/support/cryptography/algorithms/asymmetric.html
Note that a key is often shown in hexadecimal form instead of binary just to make it easier to read and easier to store.
It is always okay to share a public encryption key. There is absolutely no benefit to “hiding” it or making it a secret. Public keys are meant to be shared by everyone.
Instructor’s Notes:
3DES can still be used in some gov’t applications; it is still considered FIPS-compliant, although DES is not.
Windows can use DESX or 3DES when AES can’t be used.
DESX, an improved version of DES, was made by Ron Rivest (of RSA fame) in May 1984.
Instructor Notes:
No normal key pair should ever be shared. It would defeat the purpose. (There are, though, specialized PKI systems where multiple security principals must present individual parts of a big central key to decrypt or sign very valuable data. It makes the key pair stronger by requiring collusion by multiple parties. No one party can compromise the protected data.)
It is very common for a single entity to have multiple key pairs: different key pairs for different purposes (e.g. EFS, S/MIME, wireless security, etc.) and multiple key pairs from different PKI systems (e.g. Microsoft Certificate Services, VeriSign for public email, etc.). A single identity may also have a different key pair for encryption than for signing. Within a single PKI system (i.e. a corporate PKI server), however, it is preferred that each user/computer have a single key pair for a particular application (e.g. EFS). It makes PKI key management easier.
Instructor Notes:
In real life, the key generator (e.g. sysadmin, Certification Authority) may also have access to the key pair besides the user, but in the most secure systems, even those parties are never able to see the private key. If these normal parties see or have access to the private key, and that is a function of how the keys are supposed to be generated and delivered, it is not considered a compromise.
If the private key is ever viewed or accessed by an unintended party, the entire key pair is compromised and should be revoked.
Private keys must be securely stored, and can often be protected by passwords and other authentication mechanisms.
In Windows, a user’s private key is often securely stored in their local user profile. If their user profile is compromised (e.g. the bad guy learns the user’s password and logs on as the user), then the keys should be considered compromised.
Theoretically, the entire world can see any public key they want (it’s innate in the very name of public key)...it’s meant for the public...the entire public. In reality, public keys normally have to be sent to the receiving party to be relied upon, either with the content (e.g. ActiveX/Authenticode delivered content), sent to the receiver (e.g. in email), or downloaded from a key server that the receiver can access.
Instructor’s Notes:
RSA is the most popular
ECC was added with Windows Vista and later
ElGamal was invented in 1984. It isn’t installed by Microsoft, but is installed/used by PGP and GNU Privacy Guard.
Instructor Notes:
Visio diagram isn’t 100% accurate, but close. The TLS Handshake Protocol involves the following steps:
1. The client sends a "Client hello" message to the server, along with the client's random value and supported cipher suites.
2. The server responds by sending a "Server hello" message to the client, along with the server's random value.
3. The server sends its certificate to the client for authentication and may request a certificate from the client. The server sends the "Server hello done" message.
4. If the server has requested a certificate from the client, the client sends it.
5. The client creates a random Pre-Master Secret and encrypts it with the public key from the server's certificate, sending the encrypted Pre-Master Secret to the server.
6. The server receives the Pre-Master Secret. The server and client each generate the Master Secret and session keys based on the Pre-Master Secret.
7. The client sends "Change cipher spec" notification to server to indicate that the client will start using the new session keys for hashing and encrypting messages. Client also sends "Client finished" message.
8. Server receives "Change cipher spec" and switches its record layer security state to symmetric encryption using the session keys. Server sends "Server finished" message to the client.
9. Client and server can now exchange application data over the secured channel they have established. All messages sent from client to server and from server to client are encrypted using session key.
Instructor Notes:
The ECC patent is actually owned by a Canadian company, and licensed to the US gov’t for $25M
Great info link: http://en.wikipedia.org/wiki/NSA_Suite_B
There is a Suite A, also, which is an unpublished set of crypto algorithms for highly sensitive crypto
If Web Enrollment is not installed on the same computer as Certificate Services is installed, the computer must be joined to the domain and the computer account must be trusted for delegation.
Autoenrollment does not work for devices or services
Network Device Enrollment Service is also known as Simple Certificate Enrollment Protocol (SCEP)
SCEP is heavily favored by many network device vendors including Cisco. When SCEP is used, one or more SCEP-related certs are issued on CA, and network devices can enroll against those certs. Normal certificate template used is IPSec offline
NDES is covered in Part III of course for interested students.
Version 3.0 certificate templates do not work with systems (OSs) prior to Vista.
IDP = Issuer or Issuing Distribution Point. It allows the implementation of partitioned CRLs, so that really big base CRLs can be split. CRLs can also be partitioned so that the IDP CRL covers only parts of the infrastructure, i.e., end user certificates only, CA certificates only, etc.
CAPI2 Diagnostics: Makes troubleshooting easier (not specific to CA – available on both Vista client and W2k8 server) - http://www.microsoft.com/downloads/details.aspx?FamilyID=FE8EB7EA-68DA-4331-9D38-BDBF9FA2C266&displaylang=en
Certificate Lifecycle Manager (CLM) is a component of ILM (Identity Lifecycle Manager 2), which is now known as Forefront Identity Manager
Values are just suggestions
Students must make sure that CDP and AIA locations are valid and correct. They should absolutely ensure that the paths are valid before using. If the paths are not valid, fix them or delete.
You can add LoadDefaultTemplates=0 to make sure the default templates are not published upon installing (W2K3 SP1 and later)
How about adding a Policy statement?
Should make sure public publication areas are available and configured in IIS before putting in locations
“Public Key Services” has spaces in between words.
Instructor Note: Have students experiment with different CSPs, and look at the different associated key lengths and hashes
We have to be careful about using SHA-1 or MD5, but at the same time, many operating systems don’t understand the newer hashes. If you use Vista or later, you can use any of these options, and you should use something other than MD5 or SHA-1.
Note that we have to “re-select” the Root CA key size of 4096 (be careful: it jumps back to the default of 2048 whenever you choose a new CSP), because the key size we put in the CAPolicy.inf file is only for the key renewal, not for the initial generation of the key.
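A small checker for the CAPolicy.inf points raised in these notes (LoadDefaultTemplates=0, the renewal-only key size, valid CDP/AIA locations, and the notes' later advice against https CDP locations), as an added example that is not part of the original course material. The sample file, host names and finding codes are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample file; host names and paths are placeholders.
SAMPLE = """\
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
[CRLDistributionPoint]
URL=https://pki.example.test/CertEnroll/RootCA.crl
URL=http://pki.example.test/CertEnroll/RootCA.crl
[AuthorityInformationAccess]
URL=pki.example.test/CertEnroll/RootCA.crt
"""

def parse_inf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as URL=."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def check_capolicy(text):
    """Return (code, detail) findings for the points raised in the notes."""
    inf, findings = parse_inf(text), []
    server = dict(inf.get("certsrv_server", []))
    if server.get("loaddefaulttemplates") != "0":
        findings.append(("DEFAULT_TEMPLATES", "LoadDefaultTemplates=0 is not set"))
    if "renewalkeylength" in server:
        findings.append(("RENEWAL_ONLY", "RenewalKeyLength=%s covers renewal only; "
                         "select the size again during setup" % server["renewalkeylength"]))
    for section in ("crldistributionpoint", "authorityinformationaccess"):
        for value in (v for k, v in inf.get(section, []) if k == "url"):
            scheme = urlparse(value).scheme
            if scheme not in ("http", "https", "ldap", "file"):
                findings.append(("BAD_URL", value))
            elif scheme == "https" and section == "crldistributionpoint":
                findings.append(("HTTPS_CDP", value))
    return findings

if __name__ == "__main__":
    for code, detail in check_capolicy(SAMPLE):
        print(code, detail)
```

The checker only validates URL syntax; whether a location is actually reachable and published in IIS still has to be confirmed from a client.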
Strong key protection, in this case, will mean that the private key is password protected
You can have common names with spaces for readability, but it makes using the CA’s name harder when using commandline tools (you have to remember to put the name in quotes)
No need to put in a Distinguished Name Suffix, because this CA is offline and won’t be part of a DNS lookup
Note database and log files go into the same folder
In real life you may want to change these values to reflect NAS or SAN storage
For better performance the database and log files should not be on the same physical hard drive
If Certificate Services was installed on an Enterprise edition of W2K8, you would also see the Certificate Templates container.
Select the appropriate version; usually v.2003 is right for most environments. If you have only Windows Vista or later you can use v.2008.
Used for some new types of templates, like OCSP Response Signing
For example, if certificate revocation checking is enabled in IE, IE will only report a certificate as revoked if it could access the certificate’s revocation information and confirm that the certificate is revoked. If the digital certificate does not have revocation information or if that revocation information is invalid, IE doesn’t report it to the user.
SSTP is a new VPN protocol in W2K8.
W2K3, XP, and later support delta CRLs, which are CRLs that only include the added revoked certificates since the last full or delta CRL. Full CRLs always contain all previously revoked certificates. The idea is that delta CRLs are smaller and can be released more frequently, in between the normal time periods of the larger full CRL releases.
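How a relying party combines a full CRL with a delta CRL, as an added example that is not part of the original notes. It is modelled on RFC 5280, where each delta names the full CRL number it builds on (an assumption; the notes do not describe the encoding), and the dictionaries, serial numbers and CRL numbers are constructed.

```python
REMOVE_FROM_CRL = 8  # RFC 5280 reason code that only appears in delta CRLs

def effective_revoked(base, delta=None):
    """Combine a full CRL with an optional delta CRL.

    base  = {"crl_number": int, "revoked": {serial: reason_code}}
    delta = the same plus "base_crl_number", the full CRL it builds on.
    """
    revoked = dict(base["revoked"])
    if delta is None:
        return revoked
    if delta["base_crl_number"] > base["crl_number"]:
        # The delta assumes entries we do not hold: fetch a newer full CRL.
        raise ValueError("full CRL is older than the delta's base")
    if delta["crl_number"] <= base["crl_number"]:
        return revoked          # full CRL is already at least as fresh
    for serial, reason in delta["revoked"].items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)   # e.g. a certificate taken off hold
        else:
            revoked[serial] = reason
    return revoked

def is_revoked(serial, base, delta=None):
    return serial in effective_revoked(base, delta)

# Constructed sample data: serial numbers and CRL numbers are made up.
FULL_CRL = {"crl_number": 40, "revoked": {0x1A: 1, 0x2B: 6}}   # 6 = certificateHold
DELTA_CRL = {"crl_number": 43, "base_crl_number": 40,
             "revoked": {0x3C: 1, 0x2B: REMOVE_FROM_CRL}}

if __name__ == "__main__":
    print(sorted(hex(s) for s in effective_revoked(FULL_CRL, DELTA_CRL)))
```

A client that consults only the full CRL in this sample would still accept serial 0x3C until the next full release, which is the gap delta CRLs are meant to shorten.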
CDPs should not be placed on https: locations because it causes a problem with certificate chaining.
Microsoft OCSP only works on W2K8, but the OCSP responder can respond for W2K3 and W2K8 servers to OCSP clients.
Microsoft only has OCSP clients for Vista (built-in), and later.
By default Vista (and later) will check for OCSP first, before CDP/CRL, but behavior can be changed.
If an admin wants OCSP on an earlier Windows client, they must use a third-party or open source OCSP client.
Note: Do not choose Autoenroll, as it will cause the OCSP to request multiple certificates
If the CA is configured to issue delta CRLs, the revocation provider will use the URL provided in the Base CRLs list to retrieve the base CRL and will use the information included in the base CRL itself to retrieve the delta CRLs. The Delta CRLs list should be used only if you would like the revocation provider to retrieve the delta CRLs from a different location than the one specified in the base CRL.
The revocation provider will always look for a valid CRL and a delta CRL on the local computer before trying to retrieve them from the network. If the Online Responder is installed on the same computer as the CA, the values configured in the revocation provider are ignored.
The Microsoft OCSP client does not support the nonce extension.