{"id":52,"date":"2023-01-26T22:45:30","date_gmt":"2023-01-27T05:45:30","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=52"},"modified":"2023-01-26T23:00:09","modified_gmt":"2023-01-27T06:00:09","slug":"an-introductory-guide-to-private-pki-implementation-for-secure-internal-server-communication","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2023\/01\/26\/an-introductory-guide-to-private-pki-implementation-for-secure-internal-server-communication\/","title":{"rendered":"An Introductory Guide to Private PKI Implementation for Secure Internal Server Communication"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>Group 1:<\/strong> Leo Choi, David St Louis, Nina Undug, Janelle Wiebe &amp; Jamie Wong<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Many business operations employ public-key cryptography to uphold client privacy rights during the transportation of sensitive data. In public-key cryptography, messages are encrypted using the receiver\u2019s public key, which is publicly available. 
Consider the following man-in-the-middle attack that may result from such a protocol:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"629\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/Picture1-2-1024x629.png\" alt=\"\" class=\"wp-image-64 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/Picture1-2-1024x629.png 1024w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/Picture1-2-300x184.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/Picture1-2-768x472.png 768w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/Picture1-2.png 1200w\" data-sizes=\"(max-width: 1024px) 100vw, 1024px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/629;\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Public Key Infrastructure (PKI) was developed to address this issue. PKI consists of hardware, software, and administrative \u201celements that a trusted third party can use to establish the integrity and ownership of a public key.\u201d [1] PKI seeks to ensure that public keys are bound to the entities that claim to own them.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PKIs are typically comprised of the following components [1, 2]:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Digital Certificate: <\/strong>An electronic document that proves the identity of the entity claiming to own a public key. [1]<\/li>\n\n\n\n<li><strong>Certificate Authority (CA): <\/strong>The root of trust in PKI that provides the services that authenticate the identity of individuals, computers, and other entities. 
[1]<\/li>\n\n\n\n<li><strong>Registration Authority (RA): <\/strong>An authority that is certified by the CA for specific uses determined by the root. [1] They are authorized to provide digital certificates on a case-by-case basis. [2]<\/li>\n\n\n\n<li><strong>Certificate Database: <\/strong>The place where certificate requests, issued certificates, and revoked certificates are saved on the CA or RA. [1]<\/li>\n\n\n\n<li><strong>Certificate Store: <\/strong>The place where issued certificates and pending\/rejected certificate requests are saved on the local computer. [1]<\/li>\n\n\n\n<li><strong>Key Archival Server: <\/strong>The place where encrypted private keys are saved in the certificate database for backup. [1]<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">There are two main configurations of PKI: public and private. Public PKI is typically used for public domains and web servers where information is transmitted over the Internet. It is managed by a CA.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Private PKI is typically &#8220;used to authenticate entities on an internally hosted service, like a VPN.\u201d [3] It is a system that manages the creation, distribution, and storage of digital certificates for secure internal communication and data transmission within the organization. [3] Private PKI is usually managed by the organization itself or a contracted third party.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, why implement private PKI?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establishing and verifying identities in a network environment is a crucial component of the overall security of the network. [4]&nbsp;&nbsp;<\/li>\n\n\n\n<li>The cost of acquiring certificates for network entity identification can be potentially exorbitant as many trusted certification authorities charge high prices for issuing certificates. Private PKI implementations provide organizations with a cost-effective method of accomplishing this task. 
[5,6]&nbsp;&nbsp;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Incidents on compromised networks where hackers are already inside the network are on the rise. The goal is to make it harder for threat actors to get any information, even if they are already inside the network.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For these reasons, we believe that security professionals should be able to implement private PKI. Our project is an interactive training resource complete with a video demonstration to educate new security professionals on implementing one-tier private PKI.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PKI can be implemented with different trust hierarchies that organizations can choose from depending on their needs. These trust hierarchies range from one-tier to three-tier architectures. Three-tier architectures provide the greatest level of protection; however, two-tier hierarchies will typically suffice for what an organization needs. [7]&nbsp;Due to the time limitations of this project, we implement a one-tier private PKI in our demonstration, although it is not recommended in practice.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"884\" height=\"628\" data-src=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/1-tier-CA-pki-architecture-diagram.png\" alt=\"\" class=\"wp-image-61 lazyload\" data-srcset=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/1-tier-CA-pki-architecture-diagram.png 884w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/1-tier-CA-pki-architecture-diagram-300x213.png 300w, https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2023\/01\/1-tier-CA-pki-architecture-diagram-768x546.png 768w\" data-sizes=\"(max-width: 884px) 100vw, 884px\" 
src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 884px; --smush-placeholder-aspect-ratio: 884\/628;\" \/><figcaption class=\"wp-element-caption\">Figure 1: One-Tier CA Hierarchy (Crane, 2021) [7]<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A one-tier hierarchy consists of a single CA that acts as both a root CA and an issuing CA. This hierarchy is not recommended for any production scenario because the compromise of this single CA equates to a compromise of the entire PKI. A one-tier hierarchy may be sufficient for only simple implementations where ease of management and lower costs outweigh the need for greater levels of security or flexibility. [8]&nbsp; The SSL or TLS handshake enables the client and server to securely communicate with the digital certificate&nbsp;signed by the CA. [9]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The best practices for implementing Private PKI are outlined in <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800-57pt3r1.pdf\">NIST SP 800-57 Part 3: Recommendation for Key Management.<\/a> [10] A few general best practices are highlighted below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block ciphers should support AES-128 (at minimum)<\/li>\n\n\n\n<li>P-384 elliptic curve and SHA-384 must support AES-256<\/li>\n\n\n\n<li>RSA keys should support three-key triple-DES for legacy system support<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Our Private-PKI Implementation Guide goes into further detail on the history of PKI, how CAs verify keys, the differences between public and private PKI, use cases for private PKI, trust hierarchies, TLS\/SSL handshake protocols, and common challenges with private PKI. 
We encourage you to voluntarily subject yourself to our detailed training resource specifically designed so that you cannot skim through the presentation \u2013 just as your employers would want! \ud83d\ude00<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>References:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[1] Microsoft. (2021, January 7). <em>Public Key Infrastructure. <\/em>Windows App Development. Retrieved January 26, 2023, from <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/seccertenroll\/public-key-infrastructure?redirectedfrom=MSDN\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/seccertenroll\/public-key-infrastructure?redirectedfrom=MSDN<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[2] Venafi. (n.d.). <em>What is PKI and How Does It Work? <\/em>Public Key Infrastructure. Retrieved January 26, 2023, from <a href=\"https:\/\/venafi.com\/machine-identity-basics\/what-is-pki-and-how-does-it-work\/#item-0\">https:\/\/venafi.com\/machine-identity-basics\/what-is-pki-and-how-does-it-work\/#item-0<\/a> &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[3] National Cyber Security Centre. (n.d.). <em>Design and build a privately hosted Public Key Infrastructure<\/em>. Retrieved January 20, 2023, from <a href=\"https:\/\/www.ncsc.gov.uk\/collection\/in-house-public-key-infrastructure\">https:\/\/www.ncsc.gov.uk\/collection\/in-house-public-key-infrastructure<\/a> &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[4] Rose, S. et al. (2020, August). Zero Trust Architecture. NIST Computer Security Resource Center. Retrieved January 19, 2023, from <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final\">https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final<\/a> &nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[5] Compare TLS\/SSL Certificates. (n.d.). DigiCert. 
Retrieved January 19, 2023, from <a href=\"https:\/\/www.digicert.com\/tls-ssl\/compare-certificates\">https:\/\/www.digicert.com\/tls-ssl\/compare-certificates<\/a> &nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[6]<em> Standard Plus OV SSL. <\/em>(n.d.). Entrust. Retrieved January 19, 2023, from <a href=\"https:\/\/store.entrust.com\/default\/certificate-services\/tls-ssl\/standard-plus-ov-ssl.html?_ga=2.67098158.1810026480.1674151902-1295093578.1674151902&amp;_gl=1*goqp5x*_ga*MTI5NTA5MzU3OC4xNjc0MTUxOTAy*_ga_6QRW66BW5T*MTY3NDE1MTkwMi4xLjEuMTY3NDE1MTkyMy4wLjAuMA\">https:\/\/store.entrust.com\/default\/certificate-services\/tls-ssl\/standard-plus-ov-ssl.html?_ga=2.67098158.1810026480.1674151902-1295093578.1674151902&amp;_gl=1*goqp5x*_ga*MTI5NTA5MzU3OC4xNjc0MTUxOTAy*_ga_6QRW66BW5T*MTY3NDE1MTkwMi4xLjEuMTY3NDE1MTkyMy4wLjAuMA<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[7] Crane, C. (2021, December 15). <em>PKI Architecture: Fundamentals of Designing a Private PKI System.<\/em> Hashedout by The SSL Store. Retrieved January 16, 2023, from <a href=\"https:\/\/www.thesslstore.com\/blog\/pki-architecture-fundamentals-of-designing-a-private-pki-system\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.thesslstore.com\/blog\/pki-architecture-fundamentals-of-designing-a-private-pki-system\/<\/a>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[8] Microsoft. (2016, August 31). <em>Securing PKI: Planning a CA Hierarchy<\/em>. Retrieved January 20, 2023, from <a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-r2-and-2012\/dn786436(v=ws.11)\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-r2-and-2012\/dn786436(v=ws.11)<\/a>&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[9] IBM. (2022, November 30). 
<em>An overview of the SSL or TLS handshake.<\/em> Retrieved January 20, 2023, from <a href=\"https:\/\/www.ibm.com\/docs\/en\/ibm-mq\/7.5?topic=ssl-overview-tls-handshake\">https:\/\/www.ibm.com\/docs\/en\/ibm-mq\/7.5?topic=ssl-overview-tls-handshake<\/a> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[10] Barker, E. and Dang, Q. (2015, January). <em>Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. <\/em>NIST Computer Security Resource Center. Retrieved January 19, 2023, from <a rel=\"noreferrer noopener\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-3\/rev-1\/final\" target=\"_blank\">https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-57-part-3\/rev-1\/final<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Group 1: Leo Choi, David St Louis, Nina Undug, Janelle Wiebe &amp; Jamie Wong Many business operations employ public-key cryptography to uphold client privacy rights during the transportation of sensitive data. In public-key cryptography, messages are encrypted using the receiver\u2019s public key, which is publicly available. 
Consider the following man-in-the-middle attack that may result from &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2023\/01\/26\/an-introductory-guide-to-private-pki-implementation-for-secure-internal-server-communication\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;An Introductory Guide to Private PKI Implementation for Secure Internal Server Communication&#8221;<\/span><\/a><\/p>\n","protected":false},"author":575,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-52","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Janelle Wiebe","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/janelle-wiebe\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/52","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/575"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=52"}],"version-history":[{"count":11,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/52\/revisions"}],"predecessor-version":[{"id":74,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/52\/revisions\/74"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media?parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\
/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=52"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}