Details About SCCM ConfigMgr Native HTTPS Mode PKI Fundamentals

1

Thought of sharing an excellent write up on PKI and Certificates by Rob York. It is very important to understand how the PKI works if you’re planning to implement native/HTTPS mode ConfigMgr (2007/2012). This post would act as stepping stone to the world of PKI. Hope, this guide will help us to understand the basic “fundas” of PKI.

This series contains FOUR posts.

1. Need for a PKI  – Full Post (Let’s Keep it Secret)

Let’s imagine that you want to send some information to a friend.  What are the things that you might be interested in within this communication?  This section is going off on a rather long tangent, but please bare with me.  If you know all of this then please skip to the next blog post.

·         Confidentiality – You might want to be certain that only you and your co-respondent can see the message contents.  If there is someone looking to learn your innermost secrets then you’d want to have a degree of certainty that the information is secure.

·         Integrity – You might want to be able to guarantee that the information which was received was verifiably the same information that was sent.  Imagine how bad it could be if someone received some information which was even a single character different.  Imagine what impact to your business there could be if the quotation you sent to a potential client charging $10,000 is actually received as £10,000.  Ok, so this might not be a bad thing for you, unless someone else has quoted $12,000!

·         Authenticity – When I receive some information I want to have some assurance that the person who the message claims to be from actually IS the sender of the information.  If I receive a message from Barack Obama then I’d like to have certainty that it was The President who sent me the message. So, you need to prove your identity.

To read the Full post – Please refer the “Full Post” link above.

2. Public Key Cryptography or Asymmetric concepts – Full Post (Let’s make it Public)

We left off having considered that information can be encrypted using a protocol and a key, but considering the implications of needing to exchange keys.  This is a problem that perplexed many people for many years – how do I successfully ensure that a short-term key can be securely exchanged.
.
.
Public Key Cryptography otherwise known as Asymmetric cryptography – he idea of public key cryptography is really quite simple – the idea is that you and I agree a protocol and then within that protocol I construct two keys: the private key, which I will always protect and NEVER allow anybody to access, and a public key which I’ll allow anybody to have access to.  These two keys will be mathematically related somehow but the public key will not give any clue as to the content of the private key……..
. ………………
So, let’s look at our protocol.  Let’s say the following:
•A private key will be the sum of two randomly selected prime numbers
•A public key will be the multiplication of these two randomly selected prime numbers

So, if I were to choose, say 3359 and 1249 as my primes, my private key would be 4608 and the public key 4195391.

To read the Full post – Please refer the “Full Post” link above.

3. Integrity through Hashing – Full Post (Let’s make it Secure)

We have not really touched Integrity, so, before we look at how this all stitches together let’s briefly look at hashing.

Hashing – Hashing is unlike encryption as hashing does not alter the source data at all.  What it in fact does is to generate something brand new which can sit alongside the data being hashed.  The hash will be generated through a hashing algorithm which will always return a result of a known length but that would return a hash which is completely different if even only a single bit in the data being hashed is different.  For example, if I were to hash a single byte file with MD5 then I would see a 128 bit result.  If I were to hash 1 terabyte of data I would see a different 128 bit result.  If either of the files were to change by the slightest bit then we’d see a totally different hash.  With hashing, we can guarantee that what we have received is what was sent, thereby giving us integrity.

For example, if we hash the alphabet using the MD5 algorithm the output is:

8eb7ab130d2ebf1e0bff12606ccaabd3

If we hash the same string but capitalised, this time the hash string is totally different

9c4511bd25cb573b3994ea4f80f5652a

To read the Full post – Please refer the “Full Post” link above.

4. Process of exchange encrypted data – Full Post (It’s a trust Thing!)

You’ll also know that Public Key Cryptography can be used to offer:
•·         Confidentiality through encryption
•·         Integrity through hashing
•·         Authenticity through encryption and hashing

So, how does all this work?  Well imagine two people meeting up, let’s call them Alice and Bob.  All cryptographers know Alice and Bob very well indeed.  Alice and Bob meet up and want to exchange some encrypted data with each other.  So, the conversation goes rather like this:

Alice      :“Hello, my name’s Alice.  Nice to meet you”
Bob       : “Hello Alice, nice to meet you.  I’m Bob”
Some pleasantries (geeks call this handshaking)

Alice      : “Bob, wouldn’t it be good to be able to communicate securely?”
Bob        : “Yes Alice.  Let’s create some keys.  Oh here we are.  Have my PUBLIC Key called PuB”

Alice      : “Thanks Bob.  I’ll store PuB in my address book.  Here’s my PUBLIC key PuA”
Bob        : “Alice, that’s great – PuA’s going in my address book and I’ll be in touch.  Bye”
Some more pleasantries (teardown)

After some time, Bob decides to get back in touch with Alice, so he generates a Symmetric Session Key (SKB), cracks open his address book, pulls out PuA and encrypts SKB with PuA.  He then fires this over the network.  Alice receives the package, retrieves her PRIVATE KEY (PrA) and uses it to decrypt SKB/PuA.  So, Alice can see the B to A session key.  She could reverse this process and then we’d have two security associations and they could exchange data two ways.

To read the Full post – Please refer the “Full Post” link above.

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.