Tag Archives: Certificate Services

How PKI Works ?

When I talk to customers, engineers, most of them know SSL is “more secure” and works with TCP 443. But most of them do not really know what is a certificate and how this encryption and decryption works. It is very important to know how it’s exactly works then the deployment and management becomes easy. Most of the PKI related issues I have worked on are related to misunderstanding on core technologies, components and concepts related to it, rather than service level issues. 

Symmetric-key vs Asymmetric-key

There are two type of cryptographic methods use to encrypt the data in computer world. Symmetric method works exactly the same way your door lock works. You have one key to lock or open the door. This is also called as shared secret and private key. VPN connections, Backup Software are some of the examples where still uses Symmetric-key to encrypt data.

Asymmetric-key method is in other hand uses key pair to do the encryption and decryption. It includes two keys one is public key and the other one is private key. Public key is always distributed to public and any one can have it. Private key is unique for the object and it will not distribute to others. Any message encrypts using a public key only can decrypt using its private key. Any message encrypts using private key only can decrypt using public key. PKI uses the Asymmetric-key method for digital encryption and digital signature. 

Digital Encryption 

Digital encryption mean, the data transfer between two parties will be encrypted and sender will ensure it only can open from the expected receiver. Even another unauthorized party gain access to that encrypted data, they will not be able to decrypt the data. Best way to explain it will following example, 

pki1

We have an employee in organization called Sean. In PKI environment, he owns two keys which is public key and private key. It can use to encryption and signature process. Now he has a requirement to receive set of confidential data from compony account manager Chris. He doesn’t want anyone else to have this confidential data. The best way to do this to encrypt the data which going to send from Chris to Sean. 

pki2

In order to encrypt the data, Sean sends his public key to Chris. There is no issue with providing public key to any party. Then Chris uses this public key to encrypt the data he is sending over to Sean. This encrypted data only can open using Sean’s private key. He is the only one have this private key. This verifies the receiver and his authority over the data. 

Digital Signature 

Digital signature verifies the authenticity of the service or data. It is similar to signing a document to prove its authenticity. As an example, before purchase anything from amazon, we can check its digital certificate and it will verify the authenticity of the website and prove it’s not a phishing website. Let’s look in to it further with a use case. In previous scenario, Sean successfully decrypted the data he received from Chris. Now Sean wants to send some confidential data back to Chris. It can be encrypt using same method using Chris’s public key. But issue is Chris is not part of the PKI setup and he do not have key pair. Only thing Chris need to verify the sender is legitimate and its same user he claims to be. If Sean can certify it using digital signature and if Chris can verify it, the problem is solved. 

pki3

Now in here, Sean encrypt the data using his private key. Now the only key it can be decrypt is the Sean’s public key. Chris already have this information. Even if he doesn’t have public key it can distribute to him. When Chris receives the data, he decrypts it using Sean’s public key and it confirms the sender is definitely Sean. 

Signing and Encryption  

In previous two scenarios, I have explained how digital encryption and digital signature works with PKI. But both of these scenarios can combined together to provide the encryption and signing in same time. In order to do that system, use two additional techniques.

Symmetric-Key – One time symmetric-key will use for the message encryption process as it is faster than the asymmetric-key encryption algorithms. This key need to be available for the receiver but to improve the security it will be still encrypt using receiver’s public key. 

Hashing – During the sign process system will generate a one-way hash value to represent the original data. Even some one manage to get that hash value it will not possible to reverse engineer to get the original data. If any modification done to the data, hash value will get change and the receiver will know straight away. These hashing algorithms are faster than encryption algorithms and also the hashed data will be smaller than actual data values. 

Let’s look in to this based on a scenario. We have two employees Simran and Brian and both using PKI setup. Both have their private and public keys assigned. 

pki4

Simran wants to send encrypted and signed data segment to Brian. Process mainly can be divided in to two stages which is data signing and data encryption. It will go through both stages before the data send to Brian. 

pki5

The first stage is to sign the data segment. System received the Data from Simran and first step is to generate the message digest using the hashing algorithms. This will ensure data integrity and if its altered once it leaves the senders system, receiver can easily identify it using the decryption process. This is one-way process. Once message digest it generated, in next step the messages digest will encrypt using Simran’s Private key in order to digitally sign. It will also include Simran’s Public key so Brian will be able to decrypt and verify the authenticity of the message. Once encrypt process finish it will attached with original data value. This process will ensue data was not altered and send from exact expected sender (Genuine). 

pki6

Next stage of the operation is to encrypt the data. First step is in the process is to generate one time symmetric key to encrypt the data. Asymmetric algorithm is less efficient compare to symmetric algorithms to use with long data segments. Once symmetric key is generated the data will encrypt using it (including message digest, signature). This symmetric key will be used by Brian to decrypt the message. There for we need to ensure it only available for Brian. The best way to do it is to encrypt the symmetric key using Brian’s public key. So, once he received it, he will be able to decrypt using his private key. This process is only encrypting symmetric key itself and rest of the message will stay same. Once it completed the data can send to Brian. 

Next step of the process to see how the decryption process will happen on Brian’s side. 

pki7

Message decryption process starts with decrypting the symmetric key. Brian needs symmetric to go further with decryption process. It only can decrypt using Brian’s private key. Once its decrypt, symmetric key can use to decrypt the messaged digests + signature. Once decryption done same key information cannot be used to decrypt similar messages as its one time key. 

pki8

Now we have the decrypted data and next step is to verify the signature. At this point we have message digest which is encrypt using Simran’s private key. It can be decrypt using Simran’s public key which is attached to the encrypted message. Once its decrypt we can retrieve the message digest. This digest value is one-way. We cannot reverse engineer it. There for retrieved original data digest value will recalculate using exact same algorithm used by sender. After that this newly generated digest value will compare with the digest value attached to message. If the value is equal it will confirm the data wasn’t modified during the communication process. When value is equal, signature will be verified and original data will issue to Brain. If the digest values are different the message will be discard as it been altered or not signed by Simran. 

This explained how PKI environment works with encryption/decryption process as well as digital signing /verification process.  

If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How to install Certificate Services in Domain Environment ?

In here with the demonstration I will show how to install active directory certificate services and how we can use the issued certificate for different tasks. specifically i will demonstrate how to issue company’s trusted certificates for each and every client who connects to the domain.

Here i am using a server which is already added to the domain. i have explain how to install domain services in windows 2008 server in one of my previous posts.

The demo environment using windows 2008 standard R2 server and as the client pc i am using windows 7 sp1 pc. This is still valid for windows 2012 as well.

Let’s go ahead and install the certificate services.

To start, log in to the domain server as a domain admin and the open server manager.

Once it open, right click on roles and select add roles.

cert1

Once the wizard is open click on next to continue.

cert2

From the list select “Active Directory Certificate Services” and click next.

cert3

In next window it displays some warning about service and the use of it. Click next to continue.

cert4

From next window select the “Certificate authority” as the service and click next to continue.

cert5

In next window can select the setup type. Use the default enterprise setup as this is a dc server. Click next to continue.

cert6

In next window select the CA type, in here I used the root as this will be the only one used for the demo.

cert7

In next window select “create a new private key” option and click next to create pk for the server.

cert8

In next window you can change the cryptography settings but I will be using default.

cert9

In next window you can change the CA name if need. I will be using the default.

In next window you can define the validity period of the certificates. I will use the default 5 years.

cert10

In next window it will ask about the file path to save the certificates database.

cert11

The next window it will confirm about the installation and click on install to start the installation.

cert12

Once it is installed it will pass the confirmation.

cert13

Now we do have the AD CS is installed. Next step is to configure it to issue secure certificate for the computers which are connecting to the domain.

By default there will not be any certificate issues for the computer. To test this I will be log in to a pc which is connected to greenwich.local as user “cs1”(This user is having local admin rights as if not it want show up the certificates which assigned for the computer level).

Once log in go to start > run > mmc
Then it will open the mmc.
Once it open go to File > Add/Remove Snap in

cert14

From the window click on certificates and click on add button.

cert15

Then in next window select “computer account” as we need to view the certificates issue for the computer. Then click next.

cert16

In next window select local computer and click on finish.

cert17

Then it will show the added snap in and click on ok to open the snap in.

cert18

Once it’s open expand the tree and go to personal > certificates. Then you can see there is on certificate issued for the pc.

cert19

Now we need to configure the AD CS to issue certificates for the client computers.

To do that first we need to log back to the server we have installed the AD CS services as domain admin or enterprise admin. Then need to open mmc console like we did on above.

Then go to add/remove snap in as previous step.
From the available snaps-in select “Certificate Authority” and add it.

cert20

Then also select “Certificate Templates” and click ok.

Then it will open the console as following

cert21

Then click on Certificate templates and from available templates select “Workstation Authentication template”

cert22

On the Action menu, click Duplicate Template. The Duplicate Template dialog box opens. Select the template version appropriate for your deployment, and then click OK . The new template properties dialog box opens.

cert23

cert24

Once its open the window On the General tab, in Display Name , type a new name for the certificate template or keep the default name.

cert25

Go to security tab and then select “Domain Computers” from the list. Then from permissions, Under Allow, select the Enroll and Auto enroll permission check boxes, and then click OK .

cert26

Then click ok to apply the changes.
Then Double-click Certification Authority , double-click the CA name, and then click Certificate Templates .

cert27

On the Action menu, point to New , and then click Certificate Template to Issue . The Enable Certificate Templates dialog box opens.

cert28

Click the name of the certificate template you just configured, and then click OK . For example, if you did not change the default certificate template name, click Copy of Workstation Authentication , and then click OK .

cert29

Then go to “Group Policy Object Editor” and right-click Default Domain Policy and select edit.

Open Computer Configuration, then Policies, then Windows Settings, then Security Settings, and then Public Key Policies.

cert30

In the right hand panel, double-click “Certificate Services Client – Auto-Enrollment” . The Certificate Services Client – Auto-Enrollment Properties dialog box opens.

In the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model , select Enabled .

cert31

Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box and click ok.

cert32

Now we have everything in place with the configuration. We need to test out by log in to the pc again to see if its issue the certificate now. I will be login in to same computer with user cs1 (these users have local admin rights for this pc otherwise user only can see certificate for the user). After login will load up the mmc as we did in beginning and browse to the same location.

cert33

cert34

This shows clearly the new certificate which is created for the computer by the certificate server.