TweetFollow Us on Twitter

Demystifying PKI: Enterprise Environments - Part 4

Volume Number: 25
Issue Number: 09
Column Tag: Security

Demystifying PKI: Enterprise Environments - Part 4

A Series of Articles and How-Tos about PKI technology in the OS X environment m

by Michele (Mike) Hjörleifsson

Part Four: Putting PKI To Work For You

Last month we discussed the deployment of an enterprise class Certificate Authority and how to protect your keys. This month we are going to put our PKI knowledge to practical use. Since you spent the time deploying a CA it's worth looking at what PKI can be used for. There are a myriad of security and assurance implementations that use PKI today, most of which work so well we barely give them any thought. It is worth a quick review to ensure you get the most out of your PKI infrastructure.

PKI implementations can be broken down into four general categories:

Digital Signing

Digital signing is the utilization of a PKI key and an associated algorithm (such as SHA1 or SHA2) that is run against a piece of data to create a signature. Although it sounds complex, you may not realize that you use these all the time. Software Updates from vendors like Apple, Microsoft, Google and thousands of others use a signature to ensure that their update reaches your device (yep, that includes the iPhone) intact and untouched by outside forces. All applications on the iPhone have to utilize a digital signature to verify authenticity. Other common uses of digital signatures include the replacement of a physical signature in contractual documents such as PDF files with a digital signature and, digitally signing emails to assure recipients that the email in fact came from the titled author. More complex applications include digitally signing requests to modify DNS records, referred to as DNSSEC (DNS Security) or digitally signing network routing requests, referred to as SIDR (Secure Internet Domain Routing). A newer implementation is to utilize digital signatures to ensure the authenticity of video files such as video recorded depositions.

Encryption

Encryption and digital signatures are commonly confused. A digital signature is a signature created by running a mathmatical formula against a piece of data with one of your keys to make changes evident. The original piece of data is not affected, whether it is an application, a PDF file, a word document and so on. Encryption on the other hand actually utilizes the PKI key to make the data unreadable to anyone without the corresponding keys and actually acts on the data in question. You can encrypt documents, e-mail messages and even network traffic to keep prying eyes from looking at sensitive information such as personal data and credit card information. If you have ever purchased something on the Internet from an SSL-secured site, you have used PKI-based encryption.

Authentication

Smart cards have been around for some time. They utilize PKI credentials issued to an individual to allow that person to verify their identity to an operating system, or a website etc. The problem with smart cards to date has been the requirement of an external reader. There are several manufacturers that provide USB stick smart card solutions that include the reader and secured storage for your certificates on a small portable USB stick, without the requirement of an additional reader. Companies like BestToken, Gemalto, and Centrify provide OS X compatible smart card solutions. The drivers and underlying frameworks for these solutions are built in to OS X Leopard. That being said, you aren't limited to using smart cards for authentication. Once your credentials are issued you can simply store them in your keychain and use them to authenticate to websites, or web applications. When keys are created for you as an individual, they can be "permission'd" to act as authentication and signing credentials. Alternatively, two separate sets of keys can be issued depending on your preference. You can add protection to these keys by requiring a passphrase—I highly recommend this. Use a PIN code because they are easier to remember and without the physical key and PIN code the key is useless. We will examine protecting a website with PKI keys later in this article.

Authenticity

So what is the difference between authentication and authenticity? In this context, PKI can be used to authenticate the validity of a person, computer or other item. For instance 802.1x network authentication is a standard used for securing access to a network at the wired or wireless layer, prior to talking to any servers. You can issue PKI certificates to devices (such as laptops) to allow access to the network or you can do it by user. Printers commonly use PKI certificates to check the authenticity of the toner cartridge you put into the printer. Wireless providers utilize authenticity certificates to ensure the device connecting to their wireless network is an authentic device provided by that carrier (or allowed by that carrier). Sounds expensive right? In today's market the certificates that are needed to embed into product packaging or the electronics of a product can be bought in bulk for about a dollar or less depending on quantities. The business question is simple: Is it worth the dollar to ensure the authenticity of the device or product? Well, for things like cell phones, controlled pharmaceutical substances, toner cartridges and many others the answer is currently, "yes."

OCSP (Online Certificate Status Protocol) servers become crucial in larger environments or commercial implementations such as product authenticity. Companies need the ability to test and validate whether a certificate that has been issued is still valid, expired or been revoked. For instance, if you didn't pay your cell phone bill, in theory, the wireless provider could revoke your device's certificate or just suspend it until the bill is paid.

Now for the fun part, let's put this knowledge to use. Utilizing either the OS X Certificate Assistant or the EJBCA server you set up in either of the previous two articles, issue yourself a certificate and make sure to include your email address (as it appears in Apple Mail) in the appropriate field. Either method (Certificate Assistant or EJBCA) will create the certificate files. Double click the file to install it into your keychain. You will get a dialog that looks like this:


Figure 1 - importing a certificate into the login keychain.

The Keychain default is set to login which is the correct keychain.

Once installed you will need to trust the certificate. As you can see in the following image, you can trust the certificate for all the permissions provided by the certificate or select the items you want to allow the certificate to be used for. In our case we will just trust it entirely so change the top drop down list box to Always Trust and provide your credentials when prompted.


Figure 2 - Certificate trust.

If you had Apple Mail open, close it and then reopen it. Apple Mail is smart enough to detect the new certificate if the email address in the certificate matches one of your email accounts. Now, compose a message and you will notice two new icons on the left hand side of your message under the subject line. One looks like a lock and the other looks like a stamp you may have received as a 2nd grader for good work. The stamp will have either an X in it or a check mark. The lock represents the encryption status of your message (more on that in a minute).


Figure 3 - Mail.app with certificate support.

The stamp represents the digital signature status of your email. If the stamp is checked, you will be digitally signing your email with the certificate you just installed. You can always shut off the signature by clicking the icon. You will not see any difference in the email itself. Why not? Good question. The digital signature enables S/MIME (Secure MIME, or Multipart Internet Mail Extensions) which is embedded in the header of the email, not in the visible body. Most email clients (including Outlook, Notes, Thunderbird and Apple Mail) will automatically recognize digitally signed emails. However, be aware that fax services such as e-fax and myfax do not like digital signatures on outbound faxes so be sure to shut off digital signatures on any outbound faxes. That was easy, but what did we accomplish? Every signed mail you send from that point forward will assure the recipient that it was sent from you and no one else and that it wasn't tampered with since you authored it. This is pretty important in many scenarios.


Figure 4 - lock icon showing encryption.

The lock is the other item you can enable and disable, but only if you have previously accepted a certificate from the recipient you are sending the mail to. Seems confusing but let's review the concept. When you send your mail with a digital signature, the recipient can double click the seal icon and then accept your certificate and send you a signed email in which you will do the same. Now that you each have the other's public key, you can create an email and encrypt it with the public key of the recipient. Only the recipient can open the email because the recipient is the only one with the private key, which has not been shared with anyone. So what is the difference between signing and encrypting the email? Simple; signing just validates you as the sender and indicates whether the email was tampered with since you sent it. It DOES NOT hide (through encryption) any of the contents of the email. When you need to send private or sensitive information encryption is appropriate. When you are just sending standard emails, a signature should be enough.

You can also use the same infrastructure to issue certificates to users whom you want to have access to protected web content. First, you issue the certificates to the users and have them install the certificates (the same way you just did) or use Apple Remote Desktop (or any other tool) to deploy the certificate automatically to the client machines/accounts in question. Once installed and trusted you can modify the settings on your server and install a couple of files without changing a line of web code. You will need a copy of the CA root public certificate to accomplish this. You can export this easily in certificate assistant if that is how you are issuing your certificates or on EJBCA.Log on to the administration pages and then go to the configuration. You can download the certificate as a text file. From there, you want a PEM based file format and for our case here we will save the file as "ca.crt". Now that you have that file, log into your OS X Server or open Server Admin. Select the web service, and then select the Site you want to modify. Click the options tab (as shown) and turn on Allow overrides. Your website should already be using SSL, if not click on Security and change it to enable SSL and ensure you have a proper certificate installed.


Figure 5-Server Admin web site options.

Next copy the ca.crt file to your OS X server (if it is different than the server you have the file on now) and put it in a safe directory. For this example, let's use /Library/WebServer/. Create an empty file called .htaccess and place it in the root of the web directory of your site. Next, open it with an editor and place the following lines inside:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile /Library/WebServer/ca.crt
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10

That's all there is to it. Now if you try to access the site you may get a certificate warning message (that's if you are using a self-signed certificate and haven't installed that certificate on your local machine). Next, you are prompted to specify which certificate from your keychain to use for authentication. Select the appropriate certificate we installed earlier and voila. No more logons necessary, no realms to manage, no calls to the helpdesk to reset passwords. Single sign-on even from remote locations as long as the client has the appropriate certificate installed. Tip: I recommend that when issuing user certificates that you enable a passphrase and use a 4-6 digit pin. Users tend to remember pin numbers. And, if you are using EJBCA users can logon and self service their own PIN without your assistance. It adds another layer of security without another password which, as we all know, incurs helpdesk calls.

You can extend the functionality to perform live OCSP checks on the certificate and to check for immediate revocation status. That is a little bit beyond the scope of this introduction but more information is available at http://apache.org and http://www.askapache.com.

Errata

A quick note, the download information on EJBCA's OS X implementation in last month's article is incorrect. The version was removed from the site temporarily. It is being updated to utilize the latest version of EJBCA and provide an OS X client as well as server installation. Also, the underlying database is being switched from MySQL to Ingres due to the uncertain future of the MySQL database platform given the pending purchase of Sun by Oracle. Ingres is another powerful open source database platform that provides a similar licensing model, free community editions and paid for support and training. Ingres is actually designed from the ground up for deployment in the enterprise. For more information on Ingres see http://www.ingres.com

Finish

Thank you for spending time learning about the mystical world of PKI. I hope these articles have shed some light on what PKI is and how you can use it in your infrastructure.


Michele (Mike) Hjörleifsson has been programming Apple computers since the Apple II+, and implementing network and remote access security technologies since the early '90s. He has worked with the nation's largest corporations and government institutions. Mike is currently a certified Apple trainer and independent consultant. Feel free to contact him at mhjorleifsson@me.com

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Drop to GIF 1.28 - Drag-and-drop creatio...
Drag to GIF means zero-click movie-to-GIF conversion. Select a folder to watch and every movie saved or moved into that folder will be converted to an animated GIF. Features Dragging - Drag a movie... Read more
BetterTouchTool 3.158 - Customize multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom)... Read more
NeoFinder 7.4.1 - Catalog your external...
NeoFinder (formerly CDFinder) rapidly organizes your data, either on external or internal disks, or any other volumes. It catalogs and manages all your data, so you stay in control of your data... Read more
Tunnelblick 3.8.0 - GUI for OpenVPN.
Tunnelblick is a free, open source graphic user interface for OpenVPN on OS X. It provides easy control of OpenVPN client and/or server connections. It comes as a ready-to-use application with all... Read more
Tweetbot 3 for Twitter 3.3.1 - Popular T...
Tweetbot is a full-featured OS X Twitter client with a lot of personality. Whether it's the meticulously-crafted interface, sounds and animation, or features like multiple timelines and column views... Read more
Monosnap 3.5.9 - Versatile screenshot ut...
Monosnap lets you capture screenshots, share files, and record video and .gifs. Features Capture Capture full screen, just part of the screen, or a selected window Make your crop area pixel... Read more
Monosnap 3.5.9 - Versatile screenshot ut...
Monosnap lets you capture screenshots, share files, and record video and .gifs. Features Capture Capture full screen, just part of the screen, or a selected window Make your crop area pixel... Read more
Tweetbot 3 for Twitter 3.3.1 - Popular T...
Tweetbot is a full-featured OS X Twitter client with a lot of personality. Whether it's the meticulously-crafted interface, sounds and animation, or features like multiple timelines and column views... Read more
Tunnelblick 3.8.0 - GUI for OpenVPN.
Tunnelblick is a free, open source graphic user interface for OpenVPN on OS X. It provides easy control of OpenVPN client and/or server connections. It comes as a ready-to-use application with all... Read more
Bookends 13.2.5 - Reference management a...
Bookends is a full-featured bibliography/reference and information-management system for students and professionals. Bookends uses the cloud to sync reference libraries on all the Macs you use.... Read more

Latest Forum Discussions

See All

Void Tyrant guide - Tips and tricks for...
Void Tyrant continues to get a lot of play in these parts. Probably because the game is just so deep and varied. The next stop on our guide series for Void Tyrant is class-specific guides. First up is the Knight, as it’s the first class anyone has... | Read more »
Summon beasts and battle evil in epic re...
Imagine a tale of conlict between factions of good and evil, where rogueish heroes summon beasts to aid them in them in warfare and courageously battle dragons over fields of scorched earth and brimstone - that's exactly the essence of epic fantasy... | Read more »
Upcoming visual novel Arranged shines a...
If you’re in the market for a new type of visual novel designed to inform and make you think deeply about its subject matter, then Arranged by Kabuk Games could be exactly what you’re looking for. It’s a wholly unique take on marital traditions in... | Read more »
TEPPEN guide - The three best decks in T...
TEPPEN’s unique take on the collectible card game genre is exciting. It’s just over a week old, but that isn’t stopping lots of folks from speculating about the long-term viability of the game, as well as changes and additions that will happen over... | Read more »
Intergalactic puzzler Silly Memory serve...
Recently released matching puzzler Silly Memory is helping its fans with their intergalactic journeys this month with some very special offers on in-app purchases. In case you missed it, Silly Memory is the debut title of French based indie... | Read more »
TEPPEN guide - Tips and tricks for new p...
TEPPEN is a wild game that nobody asked for, but I’m sure glad it exists. Who would’ve thought that a CCG featuring Capcom characters could be so cool and weird? In case you’re not completely sure what TEPPEN is, make sure to check out our review... | Read more »
Dr. Mario World guide - Other games that...
We now live in a post-Dr. Mario World world, and I gotta say, things don’t feel too different. Nintendo continues to squirt out bad games on phones, causing all but the most stalwart fans of mobile games to question why they even bother... | Read more »
Strategy RPG Brown Dust introduces its b...
Epic turn-based RPG Brown Dust is set to turn 500 days old next week, and to celebrate, Neowiz has just unveiled its biggest and most exciting update yet, offering a host of new rewards, increased gacha rates, and a brand new feature that will... | Read more »
Dr. Mario World is yet another disappoin...
As soon as I booted up Dr. Mario World, I knew I wasn’t going to have fun with it. Nintendo’s record on phones thus far has been pretty spotty, with things trending downward as of late. [Read more] | Read more »
Retro Space Shooter P.3 is now available...
Shoot-em-ups tend to be a dime a dozen on the App Store, but every so often you come across one gem that aims to shake up the genre in a unique way. Developer Devjgame’s P.3 is the latest game seeking to do so this, working as a love letter to the... | Read more »

Price Scanner via MacPrices.net

13″ 1.8GHz MacBook Air on sale again for only...
Amazon has the 2017 13″ 1.8GHz/128GB MacBook Air on sale today for only $749.99 shipped. That’s $250 off Apple’s original MSRP for this model and the cheapest MacBook Air available from any Apple... Read more
Apple’s $1489 clearance price on refurbished...
Apple has Certified Refurbished 2018 13″ 2.3GHz 4-Core Touch Bar MacBook Pros available starting at $1489. Apple’s one-year warranty is included, shipping is free, and each MacBook has a new outer... Read more
New 2019 13″ 2.4GHz 4-Core MacBook Pros on sa...
Apple resellers B&H Photo and Amazon are offering the new 2019 13″ 2.4GHz 4-Core Touch Bar MacBook Pros for $150 off Apple’s MSRP. These are the same MacBook Pros sold by Apple in its retail and... Read more
B&H drops prices another $50 on clearance...
B&H Photo has dropped prices on clearance 2018 13″ MacBook Airs by a further $50 with models now available for $250 off Apple’s original MSRP. Overnight shipping, or expedited shipping, is free... Read more
Find the best sales & lowest prices on Ap...
Our Apple award-winning price trackers are the best place to look for the best sales and lowest prices on Apple gear. Scan our price trackers for the latest information on sales, bundles, and... Read more
Apple has clearance 2018 13″ MacBook Airs now...
Apple has Certified Refurbished 2018 13″ MacBook Airs available starting at only $849. Each MacBook features a new outer case, comes with a standard Apple one-year warranty, and is shipped free. The... Read more
Save $400 on the 8-Core iMac Pro today at Ama...
Amazon has the base 8-core iMac Pro on sale today for $4599 including free shipping. Their price is $400 off Apple’s MSRP, and it’s the currently lowest price available for an iMac Pro. For the... Read more
Flash sale! New 11″ 1TB WiFi iPad Pros for th...
Amazon has the 11″ 1TB WiFi iPad Pro on sale today for only $1199.99 including free shipping. Their price is $350 off Apple’s MSRP for this model, and it’s the lowest price ever for a 1TB 11″ iPad... Read more
Weekend Deal: 2018 13″ MacBook Airs starting...
B&H Photo has clearance 2018 13″ MacBook Airs available starting at only $999 with all models now available for $200 off Apple’s original MSRP. Overnight shipping, or expedited shipping, is free... Read more
Apple has clearance 10.5″ iPad Pros available...
Apple has Certified Refurbished 2017 10.5″ iPad Pros available starting at $469. An Apple one-year warranty is included with each iPad, outer shells are new, and shipping is free: – 64GB 10″ iPad Pro... Read more

Jobs Board

Best Buy *Apple* Computing Master - Best Bu...
**711495BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Store Associates **Location Number:** 000882-Waterfront-Store **Job Description:** The Read more
Best Buy *Apple* Computing Master - Best Bu...
**711597BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Sales **Location Number:** 000873-Colma CA-Store **Job Description:** **What does a Read more
Best Buy *Apple* Computing Master - Best Bu...
**711346BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Store Associates **Location Number:** 001095-Chesterfield-Store **Job Description:** Read more
Best Buy *Apple* Computing Master - Best Bu...
**704899BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Sales **Location Number:** 000135-Pleasant Hill-Store **Job Description:** **What does Read more
Best Buy *Apple* Computing Master - Best Bu...
**707083BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Sales **Location Number:** 000045-Rockford-Store **Job Description:** **What does a Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.