Lab 7 | Implementing Public Key Infrastructure

Lab 7 | Implementing Public Key Infrastructure

The following lab is designed to help us become more familiar with the basic concepts of cryptography and partake in the process of implementing a public key infrastructure.  

We started by inspecting elements inside the certificate authority, interesting to learn was that the certificate authority contains a certificate the authenticates itself, issued by itself.

If subordinate CA's were produced they would instead have certificates issued by this CA instead of themselves, I also learnt that root CA's are typically kept offline unless they have actions they need to perform, this further solidifies a networks security posture.

We inspecting multiple elements of a certificates authorities & the lab text gave informative information on many of them.


Next, we undertook the tasks of implementing a certificate ourselves.


We created a certificate in our VM that is hosting the classroom website, this proved to be a relatively simplistic process. This certificate is supplied by the certificate authority on our domain controller.



Following the certificate creation process when then bound it to the hosted website, this operation is done so that the certificate authorizes the website as trustworthy. We bound the certificate to https and removed the http binding afterwards, this allows our website to only be connected to over an encrypted connection.

After this process was completed we must now use the correct URL defined in the new site binding to browse to the website from other VM's.



We revoked the certificate from the CA in order to see what happens, it was moved to the revoked certificates folder & to observe that the website offers a warning because that it no longer has possession of a certificate.

Lab Questions

This lab contained no questions.


Critical Thinking & Analysis

Although this lab was short it contained valuable concepts, certificates are attached to site bindings. In our lab it is easy to see how certificates may be handed out within a company network environment, this is likely used for intranet purposes. I am unsure of the process involved in binding a certificate from a CA company to a public website would involve, although the concept is understood that without a valid certificate bonded to a website visitors will be prompted to not visit as the website does not have a trustworthy connection to a CA. I have an internship with a local company and I now understand why certain in-network webpages show warnings when I visit them, they do not have a certificate that proves their authenticity within our company network. Our intranet page, however, does possess a certificate that allows anyone operating within the network to visit without a warning message. Whilst going through the process of issuing the certificate I noticed that certificates can be issued to users and other elements that appear interesting to me. Certificates function as networks identify system, in real life we use identification to prove certain aspects of ourselves when required. Certificates are used in a similar manner, in this labs example, the certificate allows the browser to recognize that the website carried 'identification' that proves itself a trustworthy website within the scope of the domain controller that the certificate came from.

It is also important to mention that certificates allow the ability to transfer the data of the website over an HTTPS encrypted connection, this is integral for websites that work with anything personal at all. I have described the process that Mark has been explaining to us as follows:

Alice sending a message to bob with integrity, non-repudiation & confidentiality

Alice
  1. Message hashed (digest) & locked being Alice's private key (non-repudiated)
  2. Encrypted Message & digest locked behind Alice symmetrical key (confidentiality)
  3. Alice locks the symmetrical key with Bob's public key, only Bob can access this
Bob
  1. Bob unlocks the symmetrical key with his private key
  2. Bob unlocks the access to the message & digest with the symmetrical key
  3. Bob can hash the message and compare the hash to the received digest (integrity)

I am not 100% positive that I have nailed this concept down but as of today that is my current understanding of the process.

Comments

Post a Comment