a tale of alice, bob, eve & a stretched analogy…

Post on 17-Jul-2022

TRANSCRIPT

Page 1: A tale of Alice, Bob, Eve & a stretched analogy…
Page 2:

© JAMF Software, LLC

Let’s Talk About Certificates: A tale of Alice, Bob, Eve & a stretched analogy…

Page 3:

Ben Toms, Senior Infrastructure Analyst, Pentland Brands Plc

macmule: Doing The Donkey Work To Make You Look Like A Smart Ass!!

Page 4:

“Pentland Brands brings some of the world’s best sports, outdoor and fashion brands to millions of people around the world.

We own Berghaus, Canterbury, Speedo, Boxfresh, Ellesse, KangaROOS, Mitre and Red or Dead.

We’re also the global licensee for Lacoste and Ted Baker footwear and Kickers in the UK.”

Page 5:

The proposal…

In order for people to speak at a JNUC, they are either approached by their JAMF Buddy… or they approach their JAMF buddy with a talk idea…

This is what I submitted…

Page 6:

And if you think that the proposal was weird… you ain’t seen nothing yet!

Page 7:

Let’s Talk About Certificates

Presentation agenda: PKI, CSR, SCEP, ADCS, APNS

So what will this talk be covering…

Ah yes, IT & acronyms… We love them… right?

Now the above I want to attempt to humanise, to give you a sense of understanding about them… It may not be 100% technically correct… but if you walk away with a better understanding, I’ve done my job…

Page 8:

PKI

So PKI… or “Public Key Infrastructure”

it’s about…

Page 9:

Trust

Trust…

Page 10:

Identification

Identification…

Page 11:

Encryption

Encryption…

Page 12:

Trust

So trust…

Page 13:

Say Hi to Bob…

What a handsome devil…

Page 14:

He has a slight plumbing issue…

Page 15:

Bob calls his friend Alice, who is somewhat perturbed about helping Bob out AGAIN… but calls a plumber she knows…

Page 16:

Alice describes the plumber, as wearing dungarees with a red top & hat.

Page 17:

Soon Bob gets a knock at his front door & there’s the plumber that Alice called.

In the blink of an eye, Bob was able to enjoy his normal bath time activities…

Page 18:

……

So what am I rabbiting on about?

Page 19:

Alice, The Plumber, Bob

Here’s Bob, Alice & the Plumber.

Page 20:

Alice, The Plumber, Bob

As Bob trusts Alice…

Page 21:

Alice, The Plumber, Bob

Alice called the Plumber, whom she trusts & is vouching for…

Page 22:

Alice, The Plumber, Bob

Therefore Bob also trusts the Plumber…

So this is the trust chain/relationship…

Page 23:

Root CA, Client

In computing terms… Bob can be thought of as the client, Alice the Root Certificate Authority…

Page 24:

Root CA, Trusted, Client

The Plumber can be thought of as the service or website that’s secured by a certificate issued from the Root CA…

Page 25:

Root CA, Trusted, Client

And as the client trusts the issuing Root CA (Alice), the client then trusts the service that the Root CA issued a certificate to…

Page 26:

Root CA, Client

A few weeks later… Bob has another plumbing issue… but the plumber is off rescuing a Princess, eating mushrooms or something & so he recommends his brother…

Page 27:

Root CA, Intermediate CA, Trusted, Client

The plumber is now what’s known as an Intermediate CA… & his brother is the trusted server/site…

You can see the trust chain from the Root CA, to the Intermediate CA & then the trusted service… a client only has to hold the Root CA cert; the server hands over its own cert plus the Intermediate so the client can follow the chain back to that root…

Page 28:

Here is a real world example from a randomly picked site, https://macmule.com

The trust chain shown is something you may have seen in Safari etc…

Everyone with me? Any questions?

The trust chain/relationship thing is pertinent to this whole talk & certificates in general… so please speak up if you’re not with me…

Page 29:

Identification

So that’s some basic concepts of Trust run through, another major part is Identification…

Page 30:

If you remember, Alice described the plumber to Bob as wearing dungarees with a red top & hat…

Well, imagine if multiple people knocked on Bob’s door…

Well, imagine if multiple people knocked on Bobs door…

Page 31:

How do we know which is the right one?

One may fix your plumbing, the other may well offer another service…

Page 32:

ID card 1: Name: Mario Mario; License No.: 123456789; Valid From: 01/01/2014; Valid To: 01/01/2016; Company: Mario Bros. To confirm the validity of this card please contact Gas Safe Register on: 0800 408 5500 or online at: www.GasSafeRegister.co.uk

ID card 2 (hand written): “Got Gas? Trust me, guy! xxx”

Here both “wannabe” plumbers have handed over forms of ID… still this is not enough on its own… you’d still scan & validate some of the details…

Page 33:

Let’s look at the less hand written looking ID in more detail…

It has all the usual fields you’d expect from some ID & some of these fields are ones that we use when checking a certificate…

Page 34:

So let’s connect the dots…

Page 35:

To the right we have the certificate used on macmule.com…

Page 36:

So starting at the top, we have the “License No.”; this is a unique value for the ID…

Certificates have a couple of fields that can be used to validate their uniqueness: the serial number & the fingerprint (a hash of the whole certificate)…

Page 37:

The certificate’s serial number “should” be unique… but that is only guaranteed within one issuing CA, not across CAs, so on its own it is not always unique; it identifies a cert together with the Issuer Name, & the fingerprint pins down one exact cert…

Page 38:

Next we have the issued person’s Name.

Page 39:

Next the Name; on a “normal” certificate this will be the “Common Name”…

Page 40:

However, as with people, certificates can also have other names… these are the “Subject Alternative Names” or SANs…

Alice may have mentioned to Bob that she called the plumber from “Mario Bros.”, for example.

We all have similar: I’m Ben, Benjamin, macmule & mummy’s little soldier… errr…

Page 41:

Names: Examples

• Common Name: jss.mario.com
• SANs: www.mario.com, mario.mario.com, luigi.mario.com, super.mario.com
• Wildcard: *.mario.com

Ok… there’s a fair amount of analogies going on… so here are some examples of valid names on certs for the mario.com domain.

So a common name is an FQDN, as are the SANs… the Wildcard covers any single host directly under mario.com…

One check worth knowing: modern clients match the hostname against the SANs & ignore the Common Name once any SANs are present, so the name in the CN should be listed in the SANs as well…

Page 42:

Names: Caveats

• On November 22, 2011, the CA/Browser Forum adopted “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Version 1.0” to take effect on July 1, 2012.

Now there are some caveats with names available in certificates, which are coming in soon…

So what does this mean?

Page 43:

Names: Caveats

• After November 1st 2015, it will be impossible to obtain a publicly trusted certificate for any host name or IP that cannot be externally verified.

More information to come on public CAs, but certificates from a Public CA should not contain a reserved (private) IP as a Name, nor should they contain an “internal name”… which are names that cannot be resolved in public DNS, like: myserver or myserver.local

Page 44:

Names: Caveats

• Any certificates issued from a Public CA with a host name or IP that cannot be externally verified will expire on November 1st 2015.

Page 45:

Names: Caveats

• Any Public CA issued certs containing a host name or IP that cannot be externally verified will be revoked by October 2016.

• https://cabforum.org/internal-names/

So basically, no certs from public CAs with internal names or private IPs…

This is a massive FYI in case you have a site or service with a certificate that’s from a public CA & clients connect to its internal name or IP over HTTPS…

Also, if you’re planning on buying a cert for jss.local… it’s time you think about that JSS URL…

Page 46:

Names: Caveats

• Wildcard certs only cover a single level of subdomain: *.domain.com matches testjss.domain.com but not test.jss.domain.com, & *.*.domain.com is not a valid wildcard. The bare domain.com isn’t matched by *.domain.com either, so add it as a SAN if you need it.

This shows some caveats with wildcard certs that are worth noting…

Page 47:

Ok… so let’s talk about certificate authorities…

In this example this ID card has been issued by the Gas Safe Register.

This is the official list of gas engineers who are registered to work safely and legally on gas appliances in the UK… Plumbers are often Gas Safe registered as it’s not uncommon for them to have to fix a boiler…

Page 48:

If you look at any issued certificate you’ll see an “Issuer Name”; this will be the details of the CA that issued the cert…

Page 49:

Authorities: Types

• Private
• Public
• Self

There are 3 levels of authority when it comes to certs…

Private: which is Alice in this example… Alice is trusted by Bob… But if you ask others about Alice… they’ll say “Alice? ALICE?? Who the flip is Alice?”

Private CAs require their root cert to be installed on devices first, before certs issued from them are trusted… They do not come preinstalled…

Public CAs are ones that are generally trusted by devices without installing anything, as each device ships with a list of Public CA root certs that it trusts; this allows devices to trust certs issued from them automatically, as the root CA cert is already installed…

So in the UK the “Gas Safe Register” can be thought of as a Public CA as it’s known of & trusted…

Other examples include CAs such as Apple, DigiCert, Go Daddy, GeoTrust etc… There are over 200 trusted public CAs on OS X…

Page 50:

“Got Gas? Trust me, guy! xxx”

Self-signed certs mean that the issuer of the cert is the same as the subject presenting it; nobody else is vouching for it, so the client has nothing to check it against… Would you trust this guy for a “service”??

Page 51:

You’re really not helping yourself using self-signed certs…

Page 52:

Most pieces of ID only have a limited validity period; this is very much the same with both certificates & passports…

Here we can see the ID card is only valid from 2014 to 2016…

Page 53:

& the certificate is valid from 2015 to 2018…

Certificates expire when not reissued/renewed before the expiration date… However…

Page 54:

If your client goes back to the future with its time changes… it might not see a certificate as valid; after all, how can a device with a clock set to 1970 validate a certificate that’s valid from 2015? The client compares both “Valid From” & “Valid To” against its own clock, so a wrong clock fails the check in either direction…

Page 55:

Certificates can also be revoked; in this example imagine that the Plumber could well be showing a previously issued ID & may since have been suspended…

Page 56:

This ID card contains contact details for the “Gas Safe Register” to check the validity of the ID…

On devices this can be performed via the “Certificate Revocation List” (CRL) or, more recently, the “Online Certificate Status Protocol” (OCSP); like the phone number on the card, the certificate itself carries the URLs to ask, in its CRL Distribution Points & Authority Information Access fields…

Page 57:

Lastly, the relevant ID needs to be used in the right context… you’d not be able to use a driving licence when a passport is needed… or your work pass either…

Page 58:

Certificates have something similar in “Key Usage” (& its companion “Extended Key Usage”)…

These indicate one or more purposes for which a certificate can be used; a cert issued for server authentication can’t be used to sign other certificates, for example, & a client will reject a cert presented for a purpose it wasn’t issued for…

Page 59:

Encryption

Next we’ll look at encryption & really… REALLY… stretch the analogy to breaking point…

With encryption, you can have a conversation in plain sight… but other parties cannot decipher it…

Let’s expand on that next…

Page 60:

Say Hi to Eve

Page 61:

Eve is Bob’s annoying & nosy neighbour…

Page 62:

She’s constantly spying on him & “Eve’s”-dropping in on Bob’s conversations…

Geddit??

Page 63:

Alice & Bob are well aware of this… & one day at work decided that at times they’d speak in a defined code…

Page 64:

When Alice calls her friend the plumber she gives him a heads up about this code; the definition of the code’s pattern is the code’s key…

Page 65:

The Plumber can then openly talk to Bob, even in view of Eve…

Page 66:

…or the other Plumber… as they cannot decode the conversation…

They can view the conversation, but without knowing how to decipher it, it’ll just be garbled text or seemingly random chatter…

Page 67:

Encryption: Main Types

• Symmetric Key: the same key is used to encrypt & decrypt messages.

• Asymmetric Key or Public Key: a pair of keys; what the public key encrypts, only the matching private key can decrypt.

So, what am I blabbering on about in this stretched analogy?

There are two main methods of encryption.

The one in the analogy can be referred to as “Symmetric Key” encryption… This is where (as per the analogy) the same key is used to encrypt & decrypt messages… Which was easy-ish to put into the analogy…

Asymmetric Key or Public Key: a pair of keys is used; the public key is handed out (it’s what sits in a certificate) & the private key stays with its owner, so anyone can encrypt to the owner but only the owner can decrypt… The CA’s own pair is used a little differently: the CA’s private key signs the certs it issues, & the CA’s public key, in the CA cert on your devices, is what verifies those signatures…

With both of the above methods a cipher is also used to encrypt the data… A cipher is the algorithm that, together with the key(s), turns the plain text into unreadable data, & with the correct shared secret &/or private key turns it back into readable data again…

Page 68:

It’s all very mathematical… & really beyond the scope of this talk… But can you see how the data could be obfuscated? Also, we’re talking numbers & computers… So they go hand in hand…

But as you can imagine one caveat is that the encrypting & decrypting of data takes more resources & means the data takes longer to read than if in plain text…

Page 69:

If we look at the “Symmetric Key” used in the analogy…

Page 70:

We know that Alice used that with Bob & the plumber…

However, if that’s the only method of encryption used you can imagine how insecure this becomes as the shared secret is shared out more & more, & how easy it would then be for the secret to be obtained & used maliciously…

Page 71:

Encryption: Main Types

• Symmetric Key: the same key is used to encrypt & decrypt messages.

• Asymmetric Key or Public Key: a pair of keys; what the public key encrypts, only the matching private key can decrypt.

So let’s look at the Asymmetric or Public Key encryption definition again…

Each party has its own key pair: the public half is published (the server’s goes in its certificate, the CA’s in the CA cert) & the private half is never shared… Data encrypted to a public key can only be read by the holder of the matching private key, & the two parties use this to agree a fresh symmetric session key, which then encrypts the actual traffic…

Page 72:

So whilst the public key is known to all, that’s fine…

You would need a participant’s private key in order to decrypt the data sent to them…

So, if Alice blabbed her private key… someone could impersonate her & decrypt data sent to her… from all clients…

To lessen this issue Intermediate CAs are used; the root’s private key is kept offline & only comes out to sign intermediates…

Page 73:

Root CA, Intermediate CA, Trusted, Client

If you remember this slide from earlier, the Intermediate’s private key signs the issued certs, & its public key (in the Intermediate cert) is what clients use to verify them…

Page 74:

Root CA, Intermediate CA, Trusted, Client

So if this is compromised only the certs issued from that intermediate are affected; the CA revokes the intermediate & the root (& every other intermediate under it) survives…

Like shown…
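As an added example (this is not code from the talk), here is the symmetric / asymmetric split from pages 67 to 72 in working openssl commands: one shared AES key that both encrypts & decrypts, Alice’s RSA key pair where only the public half is handed out, & the hybrid of the two that TLS actually uses, where a fresh symmetric session key is wrapped with the public key & the bulk data is encrypted with the session key. Alice, Bob & Eve are the talk’s characters; the file names, key sizes & the message are this example’s own assumptions.

```shell
# Added example, not from the talk: symmetric vs public key encryption with openssl,
# then the hybrid of the two. Alice is the talk's character; file names, key sizes
# and the message are assumptions made for this example.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
printf '%s' "the boiler is leaking again" > message.txt

# --- Symmetric: one shared secret; the same key (and routine) encrypts and decrypts.
# -K / -iv take the raw hex key so no password-derivation step clouds the picture.
SHARED_KEY=$(openssl rand -hex 32)    # 256-bit AES key, known to Alice, Bob and the plumber
IV=$(openssl rand -hex 16)            # the IV is not secret, it just has to differ per message
symmetric_encrypt() { openssl enc -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }
symmetric_decrypt() { openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3" -out "$4"; }
shared_secret_roundtrip() {           # prints message.txt after an encrypt/decrypt cycle
    symmetric_encrypt "$SHARED_KEY" "$IV" message.txt shared.enc
    symmetric_decrypt "$SHARED_KEY" "$IV" shared.enc shared.dec
    cat shared.dec
}

# --- Asymmetric: Alice's key pair. alice_pub.pem is what her certificate carries and
# anyone may have; alice_key.pem never leaves her server.
openssl genrsa -out alice_key.pem 2048 2>/dev/null
openssl rsa -in alice_key.pem -pubout -out alice_pub.pem 2>/dev/null

# --- Hybrid, which is what TLS does: bulk-encrypt with a fresh symmetric session key,
# then wrap that key with Alice's public key. Eve sees every file except alice_key.pem.
send_to_alice() {                     # $1 = plaintext file -> $1.enc + session.key.enc
    session_key=$(openssl rand -hex 32)
    printf '%s' "$session_key" > session.key
    symmetric_encrypt "$session_key" "$IV" "$1" "$1.enc"
    openssl pkeyutl -encrypt -pubin -inkey alice_pub.pem -in session.key -out session.key.enc
    rm session.key                    # only the wrapped copy travels
}
alice_receives() {                    # $1 = the plaintext file name used by send_to_alice
    session_key=$(openssl pkeyutl -decrypt -inkey alice_key.pem -in session.key.enc)
    symmetric_decrypt "$session_key" "$IV" "$1.enc" "$1.dec"
    cat "$1.dec"
}

echo "Shared secret round trip: $(shared_secret_roundtrip)"
send_to_alice message.txt
echo "Alice reads: $(alice_receives message.txt)"
```

Eve can read alice_pub.pem, session.key.enc & message.txt.enc off the wire; without alice_key.pem none of it helps her. If Alice “blabbed” alice_key.pem, every session key ever wrapped with alice_pub.pem could be unwrapped, which is the point page 72 makes (& why real TLS prefers an ephemeral Diffie-Hellman exchange, signed with the certificate’s key, over wrapping the session key directly).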

Page 75:

Everyone with me? Any questions?

The previous slides cover kind of what a client does when assessing & communicating with a secured source… There are some caveats there that might smooth out the process for you…

Page 76:

Excellent…

Right, so I’ve chatted a little about the certificate evaluation process & how it secures data in transit…

Now how do we get a cert?

Page 77:

CSR

So, CSR… or “Certificate Signing Request”… is probably the best known method…

So what’s a CSR?

Page 78:

That’s a CSR… pretty clear right??

No… oh ok…

Page 79:

Erm… it’s a request you send to a Certificate Authority to have a certificate signed by them; it contains the public key & the names you want in the cert, & it is signed with the matching private key, which never leaves your server…

So what it says really…

Page 80:

Think of it as an application form for some ID… you can’t get a passport or driving licence without applying, right? Well, the same principle applies…

So you’ve seen a CSR… & how certificate based communication is handy in the way it not only encrypts data, but also validates whom you’re talking to…

Well, imagine you wished to use certificate based communication on a large scale… as in, say, having your clients connect to the JSS? Well, filling out a CSR per client would be a bit of a faff…
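As an added example (not from the talk), here is the whole chain from pages 23 to 28 built with openssl & then put through the checks a client performs: the missing-intermediate case, the wrong-clock case from page 54, the wildcard rules from page 46, the “right context” key usage from page 58, the revocation contact details from page 56 & the CSR from pages 77 to 80 (the intermediate & server certs below each start life as one). The CA names, validity periods & the OCSP/CRL URLs are assumptions made for this example; the mario.com names are the talk’s.

```shell
# Added example, not from the talk: build the Root CA -> Intermediate CA -> server chain
# from the slides with openssl, then run the checks a client makes against it.
# Alice / the Plumber / jss.mario.com follow the talk's analogy; the CA names, validity
# periods and the OCSP/CRL URLs are assumptions made for this example.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Extension sections for each rung of the chain (what each "ID card" is allowed to do).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:jss.mario.com, DNS:www.mario.com, DNS:*.mario.com
authorityInfoAccess = OCSP;URI:http://ocsp.mario.com
crlDistributionPoints = URI:http://crl.mario.com/intermediate.crl
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

q() { "$@" >/dev/null 2>&1; }    # run a command quietly

# 1. Root CA (Alice): self-signed. The only cert a client has to trust up front.
q openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Alice Root CA" -keyout root.key -out root.pem -config ca.cnf -extensions v3_ca

# 2. Intermediate CA (the Plumber): a CSR, signed by the root. pathlen:0 means it may
#    issue end-entity certs but not further CAs.
q openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Plumber Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr -config ca.cnf
q openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.cnf -extensions v3_int -out intermediate.pem

# 3. Server cert (the Plumber's brother): a CSR, signed by the intermediate. The CSR
#    carries the public key and the requested names; leaf.key stays on the server.
q openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=jss.mario.com" \
    -keyout leaf.key -out leaf.csr -config ca.cnf
q openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 365 -sha256 -extfile ca.cnf -extensions v3_leaf -out leaf.pem

# The checks a client makes. Each returns 0 (accept) or 1 (reject).
v() { q openssl verify -CAfile root.pem -untrusted intermediate.pem "$@" leaf.pem; }
chain_ok()                   { v; }
chain_without_intermediate() { q openssl verify -CAfile root.pem leaf.pem; }  # Bob never met the brother
clock_set_to_2000()          { v -attime 946684800; }      # "Valid From" is still in the future
used_as_server()             { v -purpose sslserver; }      # matches extendedKeyUsage
used_as_client()             { v -purpose sslclient; }      # wrong context for this ID
host_wildcard_one_label()    { v -verify_hostname testjss.mario.com; }
host_wildcard_two_labels()   { v -verify_hostname test.jss.mario.com; }
host_bare_domain()           { v -verify_hostname mario.com; }
ocsp_url() { openssl x509 -in leaf.pem -noout -ocsp_uri; }  # where to ask "is it revoked?"

for check in chain_ok chain_without_intermediate clock_set_to_2000 used_as_server \
             used_as_client host_wildcard_one_label host_wildcard_two_labels host_bare_domain; do
    if $check; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
echo "OCSP responder named in the cert: $(ocsp_url)"
```

Only chain_ok, used_as_server & host_wildcard_one_label are accepted; everything else is rejected for exactly the reasons the slides give. `openssl x509 -in leaf.pem -noout -text` shows the Issuer Name, serial, validity, SANs & key usage fields the ID card analogy maps onto, & `openssl req -in leaf.csr -noout -text` shows what the CA was actually asked for.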

Page 81:

And if you think that the proposal was weird… you ain’t seen nothing yet!

Page 82:

SCEP

Enter SCEP… or “Simple Certificate Enrollment Protocol”…

& you’re probably using it…

Page 83:

The JSS leverages SCEP to issue & revoke certs for devices enrolled into it… One of the nice things about SCEP is that it auto-renews, again lessening the faff…

One example of this is our JNUC passes… we registered for JNUC & bam! We get this pass… register next year & you’ll get the same & so on…

Page 84:

ADCS

Used to somewhat of a lesser extent but still worth a mention is “Active Directory Certificate Services”…

This allows clients to request a certificate from their organisation’s Active Directory bound Certificate Authority…

Page 85:

In my hand is the pass I use to be able to open doors etc. in the office… This pass was issued to me by HR… The level of building access I have is the same as the rest of IT, so we could say that my ID was issued with access from the IT template…

No CSR in the traditional sense needed (so very much like SCEP); I am an employee & so am issued the correct ID for my job function…

Page 86:

Both SCEP & ADCS certificate requests are available as payloads within the JSS, as they are standard payloads as part of the Configuration Profile spec…

As mentioned, both of these methods can greatly simplify certificate requests…

Page 87:

APNS

Ok, so can’t really talk about certificates & not talk about the cert we all have to renew annually or bad things happen…

Let’s RTFM…

Page 88:

The above is taken from the Casper Admin guide; the JSS needs an APNS cert from Apple to be able to communicate with Apple’s Push Notification Servers… Why is this?

Well, the APNS cert identifies the MDM (the JSS) to Apple’s Push Notification Servers & encrypts the traffic between them… Therefore we need to obtain a certificate…

Page 89:

Let’s look at how we get this cert… oh, it’s a CSR…

So the same process is being employed as we’ve discussed… So things like making sure not to use internal names etc. apply…

& I wanted to mention this as it may give you more of a feel for the whole CSR-like process, as you’ve probably done it yourself but may not have equated it to the same…

Page 90:

In closing… To note: https://cabforum.org/internal-names/, #httpseverywhere

I hope you have found this talk informative & that it has somehow connected the dots where certificates are concerned…

I mentioned this before, but just wanted to hammer home the changes happening to Public CA issued certificates with internal names & IPs… This may impact you & if it’s going to impact your JSS, please contact your TAM to schedule a call on the issue, as changing your JSS URL (if needed) is not something to be done lightly…

The hashtag #httpseverywhere is a movement which is trying to get everyone to use “HTTPS everywhere”… With iOS 9 & OS X 10.11 Apple added “App Transport Security”…

Page 91:

This is taken from the tech note for “App Transport Security”… This currently applies to newly created applications for iOS 9 & 10.11, with older apps having to be moved to this new standard in the future…

tl;dr new apps will only be able to connect to HTTPS resources & only encrypt data using certain strength ciphers: TLS 1.2 with forward secrecy cipher suites, & certificates signed with SHA-256 or better…

Page 92:

The JSS recently went through a change in the ciphers it uses too, in order to fix the “Logjam” vulnerability…

Now this KB confused some people… Basically… if updating from a JSS older than 9.73, you’ll need to make the changes manually… if updating from 9.73 or newer… nothing needs to be done…

The list of acceptable ciphers is somewhat similar to what Apple require for “App Transport Security”… go figure!

Page 93:

In closing… To note: https://cabforum.org/internal-names/, #httpseverywhere, App Transport Security, JAMF Tomcat ciphers

So, we’ve run through the above… & it may seem like it’s all a bit of a faff…

Well, certificates provide a way of identification & encryption…

Soon you’ll not be able to do much without them; the ground swell has started…

Compliance, best practice & common sense should drive you sooner or later to secure what you can…

Page 94:

If you have looked at certs, you may have been put off by the cost…

Page 95:

In closing… Public Certificate costs

• Common Name: jss.mario.com $
• SANs: www.mario.com, mario.mario.com, luigi.mario.com, super.mario.com $$
• Wildcard: *.mario.com $$$

That would scale like shown.

Well there is a new CA soon to be in town…

Page 96:

Let’s Encrypt looks to be a great solution for those of us looking to secure a JSS or website…

Page 97:

Let’s Encrypt

“Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.”

letsencrypt.org

In their words…

Page 98:

Let’s Encrypt

“Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan are working through the Internet Security Research Group (“ISRG”)” - https://letsencrypt.org/2014/11/18/announcing-lets-encrypt.html

letsencrypt.org

So founded by a number of well known organisations…

Let’s Encrypt should have legs & I hope that we can see a JSS update offering automated JSS certificate enrolment to Let’s Encrypt so we can secure each JSS…

Page 99:

Thank you!

Thank you all for putting up with me, hope this has been informative, funny & maybe debunked some preconceptions you had around certificates.

Page 100:

Thanks also to… the following from the MacAdmins.org Slack:

@franton @macgirl84 @bruienne @davidacland @gatoraidb

The following were instrumental in many ways in helping with this talk…

You may know @franton as Richard Purves, @macgirl84 as Vanessa White, @bruienne as Pepijn Bruienne & @davidacland as er… David Acland…

Last but not least, let’s thank @gatoraidb AKA Andrew Barrett…

The guy who set up the gofundme campaign to get me here…

Page 101:

The campaign is shown here… Many, many thanks to all of you who contributed…

You only have yourselves to blame & all complaints go to Andrew!!

Page 102:

Thank you!

But again, thanks…