Journal #Nine [SEC602] - Managing Certificates
Managing Certificates
JOURNAL #NINE [SEC602]
Managing Certificates
The class discussion considered the components that make up access and account management including Identification, Authentication, Authorisation and Accounting, which led to a detailed discussion of access control models as followed:
- Mandatory
- Discretionary
- Role-based
- Rule-based
- Attribute-based
Following group research we examined the benefits and drawbacks of each of the models from an operational and security perspective, it is important to consider the suitability of these roles when considering today’s Lab:
Q1 - AD Certificate Services and CA Web Enrollment.
Active Directory Certificate Services (ADCS)
Active Directory Certificate Services (ADCS) are available as a server role in Windows Server. ADCS is a feature in Windows Server that allows the management and issuing of certificates that form part of a public key infrastructure (PKI). These certificates provide each of the components that make up the CIA Triad as follows:
Confidential - encrypting data and communications
Integrity - issuing of digital signatures
Availability - authenticated certificate keys
Specifically , these certificates are used to encrypt and sign documents and messages, to authenticate computers, users, accounts and devices on a network. The Lab showed how this functionality worked in practice, how it could be used to secure a document and the user access to that document - the components that make up the CIA Triad.
The implementation of ADCS includes many benefits that aim to increase system and network security. Because the service links identity to a corresponding private key, it provides users with the ability to manage the distribution of certificates in a way that is:
- Cost-effective
- Efficient
- Secure
ADCS allows the roles services to be customised, these roles include:
- Certification Authority
- Certification Authority Web Enrollment
- Online Responder
- Certificate Enrollment Web Service
- Certificate Enrollment Web Policy Service
- Network Device Enrollment Service
Reference: An Illusion Called Security, http://blog.windowsserversecurity.com/2012/01/17/a-complete-guide-on-active-directory-certificate-services-in-windows-server-2008-r2/
There are several applications that are supported by ADCS and include:
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Secure wireless networks
- Virtual private networks (VPN)
- Internet Protocol security (IPsec)
- Encrypting File System (EFS)
- Smart card logon
- Secure Socket Layer/Transport Layer Security (SSL/TLS)
- Digital signatures
Reference: Active Directory Certificate Services (AD CS) Introduction, https://social.technet.microsoft.com/wiki/contents/articles/1137.active-directory-certificate-services-ad-cs-introduction.aspx
When communicating online the ability to trust is essential, the use of certificates allow us to legitimize those users and systems with whom we are communicating.
Certification Authority (CA) Web Enrollment
Certification Authority (CA) Web Enrollment forms part of the ADCS roles and services, which also includes Certificate Enrollment Web Service, together they enable:
- Certificate policy retrieval
- Certificate enrollment
- Certificate renewal
The role of the CA Web Enrollment is to allow clients who are not a part of a given domain network infrastructure to connect to the CA through a web browser. The role requires the requester to create and upload the request manually through the web site, which is downloaded from the web browser once issued by the CA.
The role allows certificates to be both requested and revoked, and can be requested across forests if trust has been established.
Reference: Active Directory Certificate Services, https://www.windows-active-directory.com/what-is-active-directory-certificate-services-html.html
Q2 - Key Archival and Key Recovery Agent.
Key Archival and Recovery is an interesting topic and function. In practice it is quite simple in that copies of the private keys generated by clients, which are them placed into the key archival. There are several reasons and benefits for copying keys in this way:
- Information may need to be decrypted if for example an employee leaves the organisation
- Despite best practices keys can become lost and need to replaced
- In some jurisdictions it is a legal and regulatory requirement to retain the key archival
If a client requests a certificate that requires the private key to be archived, the following steps are performed:
- Client retrieves and validates CA exchange certificate, ensuring only that CA can decrypt the private key
- Public key in CA exchange certificate encrypts private key and then sent to CA
- Private key associated with exchange certificate used to decrypt private key sent by client, and verifies public and private keys are related
- CA encrypts private key with public key in Key Recovery Agent (KRA) certificate. Private key encrypted once, with each public key, so it can be recovered by key recovery agent. Private keys are stored in certificate database
- CA releases all reference to private key, and securely frees all memory that contained the key ensuring they have no further clear text access
Reference: Key Recovery Server, https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-key-recovery-server
A Key Recovery Agent (KRA) is a highly trusted user who is authorised to recover a certificate, as such they can access the key archival to recover the data as required. The KRA is an account holder that is capable of recovering all the private keys held in the database. Due to the sensitive nature of the data access considerations should be made in order to secure the information. This could be achieved through a suitable access control model. In a large corporation or government agency this role would often be assigned to a security officer, or possibly someone with administrator privileges in smaller enterprises.
Key recovery is conducted through the use of an application such as the command line program Certutil, which formed part of today’s Lab, or Krecover.exe, which is a dialog box-based program. ADCS does not support key recover directly.
Reference: Public Key Infrastructure Part 9 – management accounts, https://www.tech-coffee.net/public-key-infrastructure-part-9-management-accounts/
Reference: Configure Automatic Key Archiving in Certificate services key recovery agent, https://w7cloud.com/configure-automatic-key-archiving-in-certificate-services-key-recovery-agent/
Conclusion
PKI is vital in allowing users to safely communicate across the internet, and perform all the functions we have become accustom to. The processes practiced in this Lab, combined with implemented policies and procedures mean we can all place a high level of trust in the technology that has been designed to protect our data and communications.