Tag Archives: SSL

How PKI Works ?

When I talk to customers, engineers, most of them know SSL is “more secure” and works with TCP 443. But most of them do not really know what is a certificate and how this encryption and decryption works. It is very important to know how it’s exactly works then the deployment and management becomes easy. Most of the PKI related issues I have worked on are related to misunderstanding on core technologies, components and concepts related to it, rather than service level issues. 

Symmetric-key vs Asymmetric-key

There are two type of cryptographic methods use to encrypt the data in computer world. Symmetric method works exactly the same way your door lock works. You have one key to lock or open the door. This is also called as shared secret and private key. VPN connections, Backup Software are some of the examples where still uses Symmetric-key to encrypt data.

Asymmetric-key method is in other hand uses key pair to do the encryption and decryption. It includes two keys one is public key and the other one is private key. Public key is always distributed to public and any one can have it. Private key is unique for the object and it will not distribute to others. Any message encrypts using a public key only can decrypt using its private key. Any message encrypts using private key only can decrypt using public key. PKI uses the Asymmetric-key method for digital encryption and digital signature. 

Digital Encryption 

Digital encryption mean, the data transfer between two parties will be encrypted and sender will ensure it only can open from the expected receiver. Even another unauthorized party gain access to that encrypted data, they will not be able to decrypt the data. Best way to explain it will following example, 

pki1

We have an employee in organization called Sean. In PKI environment, he owns two keys which is public key and private key. It can use to encryption and signature process. Now he has a requirement to receive set of confidential data from compony account manager Chris. He doesn’t want anyone else to have this confidential data. The best way to do this to encrypt the data which going to send from Chris to Sean. 

pki2

In order to encrypt the data, Sean sends his public key to Chris. There is no issue with providing public key to any party. Then Chris uses this public key to encrypt the data he is sending over to Sean. This encrypted data only can open using Sean’s private key. He is the only one have this private key. This verifies the receiver and his authority over the data. 

Digital Signature 

Digital signature verifies the authenticity of the service or data. It is similar to signing a document to prove its authenticity. As an example, before purchase anything from amazon, we can check its digital certificate and it will verify the authenticity of the website and prove it’s not a phishing website. Let’s look in to it further with a use case. In previous scenario, Sean successfully decrypted the data he received from Chris. Now Sean wants to send some confidential data back to Chris. It can be encrypt using same method using Chris’s public key. But issue is Chris is not part of the PKI setup and he do not have key pair. Only thing Chris need to verify the sender is legitimate and its same user he claims to be. If Sean can certify it using digital signature and if Chris can verify it, the problem is solved. 

pki3

Now in here, Sean encrypt the data using his private key. Now the only key it can be decrypt is the Sean’s public key. Chris already have this information. Even if he doesn’t have public key it can distribute to him. When Chris receives the data, he decrypts it using Sean’s public key and it confirms the sender is definitely Sean. 

Signing and Encryption  

In previous two scenarios, I have explained how digital encryption and digital signature works with PKI. But both of these scenarios can combined together to provide the encryption and signing in same time. In order to do that system, use two additional techniques.

Symmetric-Key – One time symmetric-key will use for the message encryption process as it is faster than the asymmetric-key encryption algorithms. This key need to be available for the receiver but to improve the security it will be still encrypt using receiver’s public key. 

Hashing – During the sign process system will generate a one-way hash value to represent the original data. Even some one manage to get that hash value it will not possible to reverse engineer to get the original data. If any modification done to the data, hash value will get change and the receiver will know straight away. These hashing algorithms are faster than encryption algorithms and also the hashed data will be smaller than actual data values. 

Let’s look in to this based on a scenario. We have two employees Simran and Brian and both using PKI setup. Both have their private and public keys assigned. 

pki4

Simran wants to send encrypted and signed data segment to Brian. Process mainly can be divided in to two stages which is data signing and data encryption. It will go through both stages before the data send to Brian. 

pki5

The first stage is to sign the data segment. System received the Data from Simran and first step is to generate the message digest using the hashing algorithms. This will ensure data integrity and if its altered once it leaves the senders system, receiver can easily identify it using the decryption process. This is one-way process. Once message digest it generated, in next step the messages digest will encrypt using Simran’s Private key in order to digitally sign. It will also include Simran’s Public key so Brian will be able to decrypt and verify the authenticity of the message. Once encrypt process finish it will attached with original data value. This process will ensue data was not altered and send from exact expected sender (Genuine). 

pki6

Next stage of the operation is to encrypt the data. First step is in the process is to generate one time symmetric key to encrypt the data. Asymmetric algorithm is less efficient compare to symmetric algorithms to use with long data segments. Once symmetric key is generated the data will encrypt using it (including message digest, signature). This symmetric key will be used by Brian to decrypt the message. There for we need to ensure it only available for Brian. The best way to do it is to encrypt the symmetric key using Brian’s public key. So, once he received it, he will be able to decrypt using his private key. This process is only encrypting symmetric key itself and rest of the message will stay same. Once it completed the data can send to Brian. 

Next step of the process to see how the decryption process will happen on Brian’s side. 

pki7

Message decryption process starts with decrypting the symmetric key. Brian needs symmetric to go further with decryption process. It only can decrypt using Brian’s private key. Once its decrypt, symmetric key can use to decrypt the messaged digests + signature. Once decryption done same key information cannot be used to decrypt similar messages as its one time key. 

pki8

Now we have the decrypted data and next step is to verify the signature. At this point we have message digest which is encrypt using Simran’s private key. It can be decrypt using Simran’s public key which is attached to the encrypted message. Once its decrypt we can retrieve the message digest. This digest value is one-way. We cannot reverse engineer it. There for retrieved original data digest value will recalculate using exact same algorithm used by sender. After that this newly generated digest value will compare with the digest value attached to message. If the value is equal it will confirm the data wasn’t modified during the communication process. When value is equal, signature will be verified and original data will issue to Brain. If the digest values are different the message will be discard as it been altered or not signed by Simran. 

This explained how PKI environment works with encryption/decryption process as well as digital signing /verification process.  

If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory Federation Services (AD FS) – Part 3

This is the part 3 of the series of articles which explains about the AD FS and configuration. If you still not read the part 1 and 2 you can find it here.

Active Directory Federation Services (AD FS) – Part 1

Active Directory Federation Services (AD FS) – Part 2

In this post let’s see how we can install AD FS web application proxy. As I explain on part 1 of the series, web application proxy need to be installed in perimeter network. Using it we can authenticate AD FS users before allow access to published application in corporate network.

Installation of Web Application Proxy

External DNS record

To access the web service from external it needs valid external DNS record which can use to connect from internet. If your organization DNS hosted in external make sure you create appropriate records and allow time for DNS propagation before proceed with the installation. 

In here for the demo I have created DNS entry for host name adfsproxy.contoso.com and point it to the server which will use for the service install.

adfsp1

Valid SSL

To allow the HTTPS communication it is must to have valid SSL certificate in place to use with the proxy server. It can be from external SSL provider or via company CA. it needs to match with the DNS entry we created on previous step.

In demo I have created self-signed SSL and deploy it on the server.

adfsp2

Installation Steps

To start the installation, log in to the server you choose as domain admin or enterprise admin.

1)    Load Server Manager > Add Roles and Features

adfsp3

2)    It will open up the add roles and features wizard. Click next to continue.

adfsp4

3)    In next window keep selection as “Role-based or feature-based installation” and click next to continue.

adfsp5

4)    In next window keep the default selection and click next to continue.

adfsp6

5)    In role selection window select “Remote Access” and click next

adfsp7

6)    On the feature selection leave the default selection and click next

adfsp8

7)    Then in next window it will give brief description about remote access role. Click next to continue

adfsp9

8)    In next window select the option “Web Application Proxy” then it will prompt to add features. Click on “add features” button and then click next on window to proceed.

adfsp10

adfsp11

9)    In next window it will give brief description about the selections you made so far and click install to begin the installation.

adfsp12

10)    It will start the installation process.

adfsp13

11)    Once its completed, click on “open the web application proxy wizard” from the window

adfsp14

12)    It will open up the web application proxy configuration wizard and click next to proceed

adfsp15

13)    In next window needs to input ADFS server and admin account info to connect to it. It will use for the authentication. Once input data correctly, click on next to continue.

adfsp16

14)    In the next window, need to specify the SSL cert which will use by the proxy server.

adfsp17

15)    In next window it will give the confirmation about the configuration and to begin install click on configure.

adfsp18

This finishes the installation and configuration of the web application proxy. In next post let’s look in to some of the configuration options in ADFS. If you have any questions about the post feel free to contact me on rebeladm@live.com

How to configure Direct Access? – Part 01

If someone in your organization ask how he/she can connect to the internal network from remote location, the solution which will come to your mind (most of time) will be “VPN” (Virtual Private Network). Once you setup VPN server in your local network you can allows the users from any remote location to “dial-in” to the server and make particular device in part of network. This communication will happen via secure channel.

All most all of switch/router/firewall manufactures build their products with integrated VPN servers and also we can find ton of VPN server softwares in internet nowadays. Even this solutions works very well there are few common issues. As we know most of the time the people on travel are either company sales staff or management staff. Unfortunately most of them are not too technical. So you need to spend time on training them how to use VPN client in device. Also the troubleshooting is nightmare if they come up with any sort of error. Believe me most of the time they do not know to tell beyond just “VPN is not working”. No offense but this is what mostly happen. Another issue VPN have is connectivity. We cannot expect “solid” internet connections when you travels. It can be hotel wifi, coffeshop wifi, client’s public wifi etc. which used to dial in to the VPN. If the connection is dropping VPN will kick you off from VPN. So you have to dial it in again. But some time you even not know if you already kick off from VPN. So may be most of you time on travel you spend on clicking on “connect” button on your vpn client.

What is direct access?

Along with windows 7 and windows 2008 R2 Microsoft introduce new feature called “DirectAccess”. It is Microsoft product and it act as “always-on” connection from remote location to local network. So remote clients will be automatically connect to the local network and with each and every connection drop it will establish the connection without user interact. This feature is works based on IPsec and IPv6. So if your network is not yet move in to IPv6 you need to use transition mechanism such as Trendo, 6to4 etc to use it along with IPv4.

Once DirectAccess configured when you switch on a device first it will check if it’s connected to the corporation network with local area network. If it’s not it will automatically make connection with direct access server. As I mentioned before this connection will be made based on IPsec and IPv6. If system is not using IPv6 yet it will use transition mechanism which setup by the corporation. Then if Network Policy Server (NPS) setup with policies, the device health will be checked against them before grant access to the network. If its meets the health requirements to be a part of network it will issue health certificate which will submitted to the direct access server for authentication.

Requirements for DirectAccess

To get direct access up and running in your network needs following,

1)    It must be active directory domain environment and must be running at least with windows 2008 R2 domain functional level.
2)    The server which will run directaccess server role must be added to the domain.
3)    DirectAccess clients must be running Windows 7 Enterprise, Ultimate versions or upper. It will not works with home or starter editions. All devices must be member of domain.
4)    DirectAccess server must be available for access via internet. It means it should be able to access via a public ip address.
5)    If network is not running with IPv6, transitioning technologies such as 6to4, Teredo, ISATAP should be available to use with direct access server.
6)    PKI (public key infrastructure) to issue certificates for devices authentication. Direct access server must have SSL installed and must contain valid FQDN which can be access from internet.

This is the end of Part 1 of series of articles which will explain the setup process of DirectAccess role. If you have any questions feel free to contact me on rebeladm@live.com