Details About SCCM ConfigMgr Native HTTPS Mode PKI Fundamentals. I thought of sharing an excellent write-up on PKI and Certificates by Rob York.
Understanding how the PKI works is crucial if you implement native/HTTPS mode ConfigMgr (2007/2012).
This post would act as a stepping stone to the world of PKI.
I hope this guide will help us understand the basic “fundas” of PKI. This series contains four posts.
- FIX SCCM PKI Client Registration Issue Hotfix
- Fix SCCM Sites That Don’t Have Proper HTTPS Configuration Issue
- Free ConfigMgr Training Part 2 | 20 Hours Of Technical | SCCM
Need for a PKI – Full Post (Let’s Keep it Secret) – ConfigMgr Native HTTPS Mode PKI Fundamentals
Let’s imagine that you want to send some information to a friend. What are the things that you might be interested in within this communication? This section is going off on a rather long tangent, but please bear with me. If you know all this, please skip to the next blog post.
Confidentiality – You might want to ensure that only you and your co-respondent can see the message’s contents. If someone is looking to learn your innermost secrets, then you’d like to have a degree of certainty that the information is secure.
Integrity – You might want to be able to guarantee that the information that was received was verifiably the same information that was sent. Imagine how bad it could be if someone received some information that was even a single character different. Imagine your business’s impact if the quotation you sent to a potential client charging $10,000 is received as £10,000. This might not be bad for you unless someone else quoted $12,000!
Authenticity—When I receive information, I want to be assured that the person the message claims to be from is the sender. If I receive a message from Barack Obama, I’d like to be sure that The President sent me the message. So, you need to prove your identity. (ConfigMgr Native HTTPS Mode PKI Fundamentals)
Public Key Cryptography or Asymmetric concepts – (Let’s make it Public) – ConfigMgr Native HTTPS Mode PKI Fundamentals
We left off having considered that information can be encrypted using a protocol and a key but considering the implications of needing to exchange keys. This problem perplexed many people for years – how do I ensure that a short-term key can be securely exchanged?
Public Key Cryptography, otherwise known as Asymmetric cryptography – the idea of public-key cryptography is quite simple – the idea is that you and I agree on a protocol. Then, within that protocol, I construct two keys: the private key, which I will always protect and NEVER allow anybody to access, and a public key, which I’ll allow anybody to access. These two keys will be mathematically related somehow, but the public key will not give any clue as to the content of the private key. ConfigMgr Native HTTPS Mode PKI Fundamentals.
So, let’s look at our protocol. Let’s say the following:
A private key will be the sum of two randomly selected prime numbers
A public key will be the multiplication of these two randomly chosen prime numbers. (ConfigMgr Native HTTPS Mode PKI Fundamentals)
So, if I chose 3359 and 1249 as my primes, my private key would be 4608 and the public key 4195391.
We have not touched Integrity, so before we look at how this all stitches together, let’s briefly look at hashing.
Hashing is unlike encryption, as hashing does not alter the source data. What it does is generate something brand new, which can sit alongside the data being hashed. The hash will be generated through a hashing algorithm, which will always return a result of a known length. However, that would return a different hash if even a single bit of data hashed is different.
For example, if I hash a single-byte file with MD5, I would see a 128-bit result. If I were to hash 1 terabyte of data, I would see a different 128-bit result. If either of the files were to change slightly, we’d see a different hash. With hashing, we can guarantee that what we have received is what was sent, thereby giving us integrity. ConfigMgr Native HTTPS Mode PKI Fundamentals
For example, if we hash the alphabet using the MD5 algorithm, the output is:
8eb7ab130d2ebf1e0bff12606ccaabd3
If we hash the same string but capitalized, this time the hash string is different
9c4511bd25cb573b3994ea4f80f5652a
- You’ll also know that Public Key Cryptography can be used to offer:
- Confidentiality through encryption
- Integrity through hashing
- Authenticity through encryption and hashing
So, how does all this work? Well, imagine two people meeting up, let’s call them Alice and Bob. All cryptographers know Alice and Bob very well, indeed. Alice and Bob meet up and want to exchange some encrypted data with each other. So, the conversation goes somewhat like this:
Alice :“Hello, my name’s Alice. Nice to meet you”
Bob : “Hello Alice, nice to meet you. I’m Bob”
Some pleasantries (geeks call this handshaking)
Alice : “Bob, wouldn’t it be good to be able to communicate securely?”
Bob : “Yes Alice. Let’s create some keys. Oh here we are. Have my PUBLIC Key called PuB”
Alice : “Thanks Bob. I’ll store PuB in my address book. Here’s my PUBLIC key PuA”
Bob : “Alice, that’s great – PuA’s going in my address book and I’ll be in touch. Bye”
Some more pleasantries (teardown)
After some time, Bob decides to get back in touch with Alice, so he generates a Symmetric Session Key (SKB), cracks open his address book, pulls out PuA, and encrypts SKB with PuA. He then fires this over the network. Alice receives the package, retrieves her PRIVATE KEY (PrA), and uses it to decrypt SKB/PuA.
So, Alice can see the B to A session key. She could reverse this process, and then we’d have two security associations, and they could exchange data two ways. ConfigMgr Native HTTPS Mode PKI Fundamentals
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Anoop C Nair has been Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and leader of the Local User Group Community. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc..
Good Blog Anoop!! this not only underlines but also help you to understand the basic concepts or ‘fundas’ on which the function of PKI is actually based on.