Let’s Talk About Certificates
A tale of Alice, Bob, Eve & a stretched analogy…
TRANSCRIPT
© JAMF Software, LLC
Ben Toms, Senior Infrastructure Analyst, Pentland Brands Plc
macmule: Doing The Donkey Work To Make You Look Like A Smart Ass!!
“Pentland Brands brings some of the world’s best sports, outdoor and fashion brands to millions of people around the world.
We own Berghaus, Canterbury, Speedo, Boxfresh, Ellesse, KangaROOS, Mitre and Red or Dead.
We’re also the global licensee for Lacoste and Ted Baker footwear and Kickers in the UK.”
The proposal…
In order for people to speak at a JNUC, they are either approached by their JAMF Buddy… or they approach their JAMF Buddy with a talk idea…
This is what I submitted…
And if you think that the proposal was weird… you ain’t seen nothing yet!
Let’s Talk About Certificates
Presentation agenda: PKI, CSR, SCEP, ADCS, APNS
So what will this talk be covering…
Ah yes, IT & Acronyms… We love them… right?
Now the above I want to attempt to humanise, to give you a sense of understanding about them… It may not be 100% technically correct… but if you walk away with a better understanding, I’ve done my job…
PKI
So PKI… or “Public Key Infrastructure”…
it’s about…
Trust
Trust…
Identification
Identification…
Encryption
Encryption…
Trust
So trust…
Say Hi to Bob…
What a handsome devil…
He has a slight plumbing issue…
Bob calls his friend Alice, who is somewhat perturbed about helping Bob out AGAIN… but calls a plumber she knows…
Alice describes the plumber as wearing dungarees with a red top & hat.
Soon Bob gets a knock at his front door & there’s the plumber that Alice called.
In the blink of an eye, Bob was able to enjoy his normal bath time activities…
……
So what am I rabbiting on about?
Alice / The Plumber / Bob
Here’s Bob, Alice & the Plumber.
As Bob trusts Alice…
Alice called the Plumber, who she trusts & is vouching for…
Therefore Bob also trusts the Plumber…
So this is the trust chain/relationship…
Root CA / Client
In computing terms… Bob can be thought of as the client, Alice as the Root Certificate Authority…
Root CA / Trusted / Client
The Plumber can be thought of as the service or website that’s secured by a certificate issued from the Root CA…
As the client trusts the issuing Root CA (Alice), the client then trusts the service too…
A few weeks later… Bob has another plumbing issue… but the plumber is off rescuing a Princess, eating mushrooms or something & so he recommends his brother…
Root CA / Intermediate CA / Trusted / Client
The plumber is now what’s known as an Intermediate CA… & his brother is the trusted server/site…
You can see the trust chain from the Root CA, to the Intermediate CA & on to the trusted service…
Here is a real world example from a randomly picked site, https://macmule.com
The trust chain shown is something you may have seen in Safari etc…
Everyone with me? Any questions?
The trust chain/relationship thing is pertinent to this whole talk & to certificates in general… so please speak up if you’re not with me…
Identification
So that’s the basic concept of Trust run through; another major part is Identification…
If you remember, Alice described the plumber to Bob as wearing dungarees with a red top & hat…
Well, imagine if multiple people knocked on Bob’s door…
How do we know which is the right one?
One may fix your plumbing, the other may well offer another service…
Slide: two ID cards. The first is a Gas Safe Register card: Name: Mario Mario; License No.: 123456789; Valid From: 01/01/2014; Valid To: 01/01/2016; Company: Mario Bros. “To confirm the validity of this card please contact Gas Safe Register on: 0800 408 5500 or online at: www.GasSafeRegister.co.uk”. The second is a hand-written card reading “Got Gas? Trust me, guy! xxx”.
Here both “wannabe” plumbers have handed over forms of ID… still this is not enough on its own… you’d still scan & validate some of the details…
Let’s look at the less hand-written looking ID in more detail…
It has all the usual fields you’d expect from some ID & some of these fields are ones that we use when checking a certificate…
So let’s connect the dots…
To the right we have the certificate used on macmule.com…
So starting at the top, we have the “License No.”; this is a unique value for the ID…
Certificates have a couple of keys that can be used to validate their uniqueness…
The certificate’s serial number “should” be unique… but is not always…
Next we have the issued person’s Name.
Next we have the Name; on a “normal” certificate this will be the “Common Name”.
However, as with people, certificates can also have other names… these are the “Subject Alternative Names” or SANs…
Alice may have mentioned to Bob that she called the plumber from “Mario Bros.”, for example.
We all have similar; I’m Ben, Benjamin, macmule & mummy’s little soldier… errr…
Names
Examples
• Common Name: jss.mario.com
• SANs: www.mario.com, mario.mario.com, luigi.mario.com, super.mario.com
• Wildcard: *.mario.com
Ok… there’s a fair amount of analogies going on… so here are some examples of valid names on certs for the mario.com domain.
So a common name is an FQDN, as are the SANs… the Wildcard is for the whole mario.com domain…
Names
Caveats
• On November 22, 2011, the CA/Browser Forum adopted “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Version 1.0” to take effect on July 1, 2012.
Now there are some caveats with names available in certificates, which are coming in soon…
So what does this mean?
Names
Caveats
• After November 1st 2015, it will be impossible to obtain a publicly trusted certificate for any host name or IP that cannot be externally verified.
More information to come on public CAs, but certificates from a Public CA should not contain an IP as a Name, nor should they contain an “internal name”… which are non-FQDN names like: myserver or myserver.local
Names
Caveats
• Any certificates issued from a Public CA with a host name or IP that cannot be externally verified will expire on November 1st 2015.
Names
Caveats
• Any Public CA issued certs containing a host name or IP that cannot be externally verified will be revoked by October 2016.
• https://cabforum.org/internal-names/
So basically, no certs from public CAs with internal names or IPs over HTTPS etc…
This is a massive FYI in case you have a site or service with a certificate that’s from a public CA & clients connect to its internal name or IP over HTTPS…
Also, if you’re planning on buying a cert for jss.local… it’s time you think about that JSS URL…
Names
Caveats
• Wildcard certs only cover a single subdomain level, so *.domain.com covers testjss.domain.com but not test.jss.domain.com, & there is no *.*.domain.com
This shows some caveats with wildcard certs that are worth noting…
Ok… so let’s talk about certificate authorities…
In this example this passport has been issued by the Gas Safe Register.
This is the official list of gas engineers who are registered to work safely and legally on gas appliances in the UK… Plumbers are often Gas Safe registered as it’s not uncommon for them to have to fix a boiler…
If you look at any issued certificate you’ll see an “ISSUER NAME”; this will be the details of the CA that issued the cert…
Authorities
Types
• Private
• Public
• Self
There are 3 levels of authority when it comes to certs…
Private: which is Alice in this example… Alice is trusted by Bob… But if you ask others about Alice… they’ll say “Alice? ALICE?? who the flip is Alice?”
Private CAs require their certs to be installed on devices first, in order to trust certs issued from them… They do not come preinstalled…
Public CAs are ones that are generally supported by devices without installing certificates, as each device has a list of Public CAs that it trusts. These allow devices to automatically trust certs issued from them, as the root CA cert is already installed…
So in the UK the “Gas Safe Register” can be thought of as a Public CA as it’s known of & trusted…
Other examples include CAs such as Apple, DigiCert, Go Daddy, GeoTrust etc… There are over 200 trusted public CAs on OS X…
Self signed certs mean that the device offering the cert is the same as the one that’s validating the cert… Would you trust this guy for a “service”??
You’re really not helping yourself using self-signed certs…
Most pieces of ID only have a limited validity period; this is very much the same with both Certificates & passports…
Here we can see the passport is only valid from 2014-2015…
& the certificate is valid from 2015 - 2018…
Certificates expire when not reissued/renewed before the expiration date… However…
If your client goes back to the future with its time changes… it might not see a certificate as valid, as how can a device with a clock set to 1970 validate a certificate that’s valid from 2015?
Certificates can also be revoked; in this example imagine that the Plumber could well be showing a previously issued ID & they may have been suspended…
This ID card contains contact details for the “Gas Safe Register” to check the validity of the ID…
On devices this can be performed via the “Certificate Revocation List” or, more recently, the “Online Certificate Status Protocol”.
Lastly, the relevant ID needs to be used in the right context… you’d not be able to use a driving license when a passport is needed… or your work pass either…
Certificates have something similar in “KEY USAGE”.
This indicates one or more purposes for which a certificate can be used.
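The checks this section walks through (Common Name & SAN matching with the single-label wildcard rule, the internal-name caveat, the validity window & the 1970 clock, revocation, key usage, and the Root CA / Intermediate CA / client chain from earlier) as one runnable stand-in. This is an added example written for this transcript, not code from the talk or from JAMF; the Cert records, dates and serials are constructed rather than parsed from real X.509 certificates, and the names reuse the slides’ mario.com / jss.local examples.

```python
"""Toy certificate evaluation covering the checks the talk walks through:
name/SAN match, validity window, key usage, revocation and the chain to a
trusted root. Added example: Cert records are hand-built, not parsed X.509."""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress

@dataclass
class Cert:
    subject: str                                   # Common Name ("Name")
    issuer: str                                    # who vouched ("Issuer Name")
    not_before: datetime                           # "Valid From"
    not_after: datetime                            # "Valid To"
    serial: int = 0                                # "License No."
    sans: list = field(default_factory=list)       # Subject Alternative Names
    key_usage: set = field(default_factory=set)    # permitted purposes

def name_matches(host: str, pattern: str) -> bool:
    """A wildcard covers exactly one label: *.mario.com matches jss.mario.com
    but not test.jss.mario.com, and not the bare mario.com."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".mario.com"
        label = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return host == pattern

def is_internal_name(name: str) -> bool:
    """Names a public CA will not issue for: IP addresses, single-label
    hosts and reserved suffixes such as .local."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return "." not in name or name.lower().endswith(".local")

def build_chain(leaf: Cert, pool: list, trusted_roots: set):
    """Follow issuer links (Bob -> Plumber -> Alice) up to a trusted root.
    Returns None if the chain dead-ends or loops back on itself (self-signed)."""
    by_subject = {c.subject: c for c in pool}
    chain = [leaf]
    while chain[-1].issuer not in trusted_roots:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt in chain:
            return None
        chain.append(nxt)
    return chain

def evaluate(host, leaf, pool, trusted_roots, now, purpose, revoked):
    """Return the problems a client would find; an empty list means trusted."""
    problems = []
    if not any(name_matches(host, n) for n in [leaf.subject] + leaf.sans):
        problems.append("name mismatch")
    if not leaf.not_before <= now <= leaf.not_after:   # the clock-set-to-1970 case
        problems.append("outside validity period")
    if purpose not in leaf.key_usage:
        problems.append("wrong key usage")
    if (leaf.issuer, leaf.serial) in revoked:            # stand-in for CRL / OCSP
        problems.append("revoked")
    if build_chain(leaf, pool, trusted_roots) is None:
        problems.append("untrusted chain")
    return problems

# Constructed sample PKI mirroring the slides (hypothetical names and dates).
ROOT = "Alice Root CA"
INTERMEDIATE = Cert("Plumber Intermediate CA", ROOT, datetime(2014, 1, 1),
                    datetime(2024, 1, 1), serial=1, key_usage={"cert_sign"})
LEAF = Cert("jss.mario.com", INTERMEDIATE.subject, datetime(2015, 1, 1),
            datetime(2018, 1, 1), serial=42,
            sans=["www.mario.com", "luigi.mario.com"], key_usage={"server_auth"})
SELF_SIGNED = Cert("jss.local", "jss.local", datetime(2015, 1, 1),
                   datetime(2018, 1, 1), serial=7, key_usage={"server_auth"})
POOL = [INTERMEDIATE, LEAF, SELF_SIGNED]
TRUSTED = {ROOT}

def check(host, leaf, now=datetime(2016, 6, 1), revoked=frozenset()):
    """Evaluate against the sample PKI for the server-authentication purpose."""
    return evaluate(host, leaf, POOL, TRUSTED, now, "server_auth", revoked)
```

`check("jss.local", SELF_SIGNED)` reports an untrusted chain because the issuer loops back to the cert itself, which is the self-signed case above, and `check("jss.mario.com", LEAF, revoked={(INTERMEDIATE.subject, 42)})` reports the revocation.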
Encryption
Next we’ll look at encryption & really… REALLY… stretch the analogy to breaking point…
With encryption, you can have a conversation in plain sight… but other parties cannot decipher it…
Let’s expand on that next…
Say Hi to Eve
Eve is Bob’s annoying & nosy neighbour…
She’s constantly spying on him & “Eve’s”dropping in on Bob’s conversations…
Geddit??
Alice & Bob are well aware of this… & one day at work decided that at times they’d speak in a defined code…
When Laura calls her friend the plumber she gives him a heads up about this code; the definition of the code’s pattern is the code’s key…
The Plumber can then openly talk to Bob, even in view of Eve…
…or the other Plumber… as they cannot decode the conversation…
They can view the conversation, but without knowing how to decipher it, it’ll just be garbled text or seemingly random chatter…
Encryption
Main Types
• Symmetric Key: same key used to encrypt & decrypt messages.
• Asymmetric Key or Public Key: Public & Private keys are both used in the encryption & decryption process.
So, what am I blabbering on about in this stretched analogy?
There are two main methods of encryption.
The one in the analogy can be referred to as “Symmetric Key” Encryption… This is where (as per the analogy) the same key is used to encrypt & decrypt messages… Which was easy-ish to put into the analogy…
Asymmetric Key or Public Key: Public & Private keys are both used in the encryption & decryption process… The CA cert would have a public key that’s used along with each device’s generated private key…
With both of the above methods a cipher is also used to encrypt the data… A cipher is a pattern or code that, along with the keys to be used, turns the plain text data into unreadable data, & with the correct shared secret &/or public & private keys can then be used to decrypt or decipher the data…
It’s all very mathematical… & really beyond the idea of this talk… But can you see how the data could be obfuscated? Also, we’re talking numbers & computers… So they go hand in hand…
But as you can imagine one caveat is that the encrypting & decrypting of data takes more resources & means the data takes longer to read than if in plain text…
If we look at the “Symmetric Key” used in the analogy…
We know that Alice used that with Bob & the plumber…
However, if that’s the only method of encryption used, you can imagine how insecure this becomes as the shared secret is shared out more & more, & how easy it would then be for the secret to be obtained & used maliciously…
Encryption
Main Types
• Symmetric Key: same key used to encrypt & decrypt messages.
• Asymmetric Key or Public Key: Public & Private keys are both used in the encryption & decryption process.
So let’s look at the Asymmetric or Public Key encryption definition again…
BOTH parties encrypt & decrypt data with the CA’s public key as well as their own private key…
So whilst the public key is known to all, that’s fine…
People would need a private key from participants in the exchange in order to decrypt the data…
So, if Alice blabbed her private key… someone could decrypt all data sent to her… from all clients…
To lessen this issue Intermediate CAs are used…
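The symmetric vs public-key distinction above, as an added example that is not part of the talk: a shared-key XOR stand-in next to textbook RSA with tiny primes, so the arithmetic behind “the public key is known to all, only the private key decrypts” is visible. Alice’s key pair, Eve’s attempt and the message are constructed for the demo; this textbook RSA is illustrative only and not how TLS actually uses certificate keys.

```python
"""Symmetric vs asymmetric (public key) encryption from the Alice/Bob/Eve
analogy. Added example: textbook RSA with tiny primes so the arithmetic is
visible; it is not secure and not how TLS uses certificate keys in practice."""
from math import gcd

def symmetric_apply(key: bytes, data: bytes) -> bytes:
    """Shared-secret cipher: one key both scrambles and unscrambles, so every
    party that must read the traffic holds the same secret. XOR with a
    repeating key stands in for a real cipher such as AES."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA: the public key (n, e) may be handed to everyone;
    the private key (n, d) stays with its owner."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_apply(key, blocks):
    """Raise each block to the key's exponent mod n: the public exponent
    encrypts, only the matching private exponent undoes it."""
    n, exp = key
    return [pow(m, exp, n) for m in blocks]

def encrypt_to(public_key, message: bytes):
    """One byte per block keeps every block below n for this toy modulus."""
    n, _ = public_key
    if any(b >= n for b in message):
        raise ValueError("block must be smaller than the modulus")
    return rsa_apply(public_key, list(message))

def decrypt_with(private_key, blocks) -> bytes:
    return bytes(rsa_apply(private_key, blocks))

# Constructed demo: Alice publishes (n, e); Eve sees everything on the wire.
ALICE_PUBLIC, ALICE_PRIVATE = rsa_keypair(61, 53)   # n = 3233, d = 2753
MESSAGE = b"boiler fixed"

def demo():
    """Returns (ciphertext Eve sees, what Alice recovers, Eve's best attempt)."""
    wire = encrypt_to(ALICE_PUBLIC, MESSAGE)
    alice_reads = decrypt_with(ALICE_PRIVATE, wire)
    eve_tries = rsa_apply(ALICE_PUBLIC, wire)     # public key again: not the message
    return wire, alice_reads, eve_tries
```

Leaking `ALICE_PRIVATE` exposes everything ever encrypted to that public key, which is the “Alice blabbed her private key” case and the reason the talk moves on to intermediate CAs.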
Root CA / Intermediate CA / Trusted / Client
If you remember this slide from earlier, the public key from the Intermediate is used by the issued certs…
So if this is compromised, only the certs issued from the intermediate are affected…
Like shown…
Everyone with me? Any questions?
The previous slides cover roughly what a client does when assessing & communicating with a secured source… There are some caveats there that might smooth out the process for you…
Excellent…
Right, so I’ve chatted a little about the certificate evaluation process & how it secures data in transit…
Now how do we get a cert?
CSR
So, CSR… or “Certificate Signing Request”… is probably the best known method…
So what’s a CSR?
That’s a CSR… pretty clear right??
No… oh ok…
erm… it’s a request you send to a Certificate Authority to have a signed certificate issued by them…
So what it says really…
Think of it as an Application Form for some ID… you can’t get a Passport or Driving License without applying, right? Well, the same principle applies…
So you’ve seen a CSR… & how certificate based communication is handy in the way it not only encrypts data, but also validates who you’re talking to…
Well, imagine you wished to use certificate based communication on a large scale… as in, say, having your clients connect to the JSS? Well, filling out a CSR per client would be a bit of a faff…
SCEP
Enter SCEP… or “Simple Certificate Enrollment Protocol”…
& you’re probably using it…
The JSS leverages SCEP to issue & revoke certs to devices enrolled into it… One of the nice things about SCEP is that it auto-renews, again lessening the faff…
One example of this is our JNUC passes… we registered for JNUC & bam! We get this pass… register next year & you’ll get the same & so on…
ADCS
Used to somewhat of a lesser extent but still worth a mention is “Active Directory Certificate Services”…
This allows clients to request a certificate from their organisation’s Active Directory bound Certificate Authority…
In my hand is the pass I use to be able to open doors etc. in the office… This pass was issued to me by HR… The level of building access I have is the same as the rest of IT, so we could say that my ID was issued with access from the IT Template…
No CSR in the traditional sense needed (so very much like SCEP); I am an employee & so am issued the correct ID for my job function…
Both SCEP & ADCS certificate requests are available as payloads within the JSS, as they are standard payloads as part of the Configuration Profile spec…
As mentioned, both of these methods can greatly simplify Certificate Requests…
APNS
Ok, so can’t really talk about certificates & not talk about the cert we all have to renew annually or bad things happen…
Let’s RTFM…
The above is taken from the Casper Admin guide; the JSS needs an APNS cert from Apple to be able to communicate with Apple’s Push Notification Servers… Why is this?
Well, the APNS cert identifies & encrypts the traffic from the MDM (the JSS) to Apple’s Push Notification Servers… Therefore we need to obtain a certificate…
Let’s look at how we get this cert… oh, it’s a CSR…
So the same process is being employed as we’ve discussed… So things like making sure not to use internal names etc. apply…
& I wanted to mention this as it may give you more of a feel for the whole CSR-like process, as you’ve probably done it yourself but may not have equated it to the same…
In closing…
To note: https://cabforum.org/internal-names/ #httpseverywhere
I hope you have found this talk informative & that it has somehow connected the dots where certificates are concerned…
I mentioned this before, but just wanted to hammer home the changes happening to Public CA issued certificates with Internal Names & IPs… This may impact you & if it’s going to impact your JSS, please contact your TAM to schedule a call on the issue, as changing your JSS URL (if needed) is not something to be done lightly…
The hashtag #httpseverywhere is a movement which is trying to get everyone to use “https everywhere”… With iOS 9 & 10.11 Apple added the API “App Transport Security”…
This is taken from the tech note for “App Transport Security”… This is currently for newly created Applications for iOS 9 & 10.11, with older apps having to be moved to this new standard in the future…
tl;dr new apps will only be able to connect to HTTPS resources & only encrypt data using certain strength ciphers…
The JSS recently went through a change when it came to ciphers used too, in order to fix the “LogJam” vulnerability…
Now this KB confused some people… Basically… if updating from a JSS that’s been around longer than 9.73, you’ll need to make the changes manually… if updating from 9.73 or newer… nothing to be done…
The list of acceptable ciphers is somewhat similar to what Apple require for “App Transport Security”… go figure!
In closing…
To note:
• https://cabforum.org/internal-names/
• #httpseverywhere
• App Transport Security
• JAMF Tomcat ciphers
So, we’ve run through the above… & it may seem like it’s all a bit of a faff…
Well, certificates provide a way of identification & encryption…
Soon you’ll not be able to do much without them; the groundswell has started…
Compliance, best practice & common sense should drive you sooner or later to secure what you can…
If you have looked at certs, you may have been put off by the cost…
In closing…
Public Certificate costs
• Common Name: jss.mario.com $
• SANs: www.mario.com, mario.mario.com, luigi.mario.com, super.mario.com $$
• Wildcard: *.mario.com $$$
That would scale like shown.
Well there is a new CA soon to be in town…
Let’s Encrypt looks to be a great solution for those of us looking to secure a JSS or website…
Let’s Encrypt
“Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.”
letsencrypt.org
In their words…
Let’s Encrypt
“Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan are working through the Internet Security Research Group (“ISRG”)” - https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html
letsencrypt.org
So founded by a number of well known organisations…
Let’s Encrypt should have legs & I hope that we can see a JSS update offering automated JSS certificate enrolment to Let’s Encrypt so we can secure each JSS…
Thank you!
Thank you all for putting up with me, hope this has been informative, funny & maybe debunked some preconceptions you had around certificates.
Thanks also to…
The following from the MacAdmins.org Slack: @franton @macgirl84 @bruienne @davidacland @gatoraidb
The following were instrumental in many ways in helping with this talk…
You may know @franton as Richard Purves, @macgirl84 as Vanessa White, @bruienne as Pepijn Bruienne & @davidacland as er… David Acland…
Last but not least, let’s thank @gatoraidb AKA Andrew Barrett…
The guy who set up the gofundme campaign to get me here…
The campaign is shown here… Many, many thanks to all of you who contributed…
You only have yourselves to blame & all complaints go to Andrew!!
Thank you!
But again, thanks…