All Postings (92)

2017

Taking stock! Physics

Subversive? Physics?

My Philosophy!

Scripts Beget Scripts

2016

Theoretical Physics. A Hobby.

Self-Referential Poetry

Silent Online Writing

'Are You Still Doing PKI?'

My Philosophy (?)

Impact of physics on my life

Not much happened in 2015

2015

Unspeakable

Self-Poetry

Farewell Posting ...

Hacking away...

Web Project - Status

We Interrupt ...

Poetry from Poetry

PKI-Status-Update

Life and Work

Definition: 'Subversive'

2014 in Books

Physics Postings

Engineering Postings

True Expert

2014

2014 - a Good Year

Physics or Engineering?

Engineering Links

What Is Art?

Bio

PKI FAQ

Google's Poetic Talents

Certificates and Heat Pumps

Nr. 5: A Mind-Altering Experience

Technet postings

WOP!

Pink Spaceship

radices = Roots!

IT Postings

Web Projects

Life, the Universe, and Everything

Uh-oh, No Posting in March

PKI Resources

PKI Issues

Subversive Work

Spam Poetry

A Career 'in Science'

Writing

On the Shoulders of Subversive Giants

Search Term Poetry

Facebook Art

2013 in Books

2013

Explain, Evaluate, Utilize

Technology

About Life-Form Elke Stangl

elkement and This Site

No. 3: Internet Apocalypso

Retrospection

Newsletter Resurrection

2012

For Free

Subversive Yearly Report

Is My Life a Cliché?

Indulging in Cliché

Torture Turning Trivia

Intermittent Netizen

Knowledge Worker...

Profile

Physics on the Fringe

Graduation Speech

The Element is Back!

Offline

Physics Links

2011

Not Funny

Calendar and Magic

Expert

In Need of a Deflector

About to Change

A Nerd's Awakening

For the Sake of Knowledge

2008

Profession Or True Calling?

No. 2: On Self-Reference

I Have No Clue About Art

Netizen

2007

The End

No. 1: On Subversion at Large

2005

Emergency Exit

Modern Networker

2004

The Scary Part

Exploring the Work Space

2003

Instead of a CV

Favorite Books

2002

Elke was here

Last link changed: Migration of classical CSP to CNG / KSP, and old but good MS overview on certificates for network authentication of devices.

PKI: Links and Resources

(elkement. Last changed: 2015-12-07. Created: 2014-03-04. Tags: Resources, Links, IT, PKI, Public Key Infrastructure, Security, X.509, Cryptography. German Version.)

This is my list of Links to white papers and the like that I have found useful (restarted 2014). It is not an attempt to create a balanced or educational list. I am adding what I need right now!

Comprehensive reviews of PKI issues

Analysis by Peter Gutmann who likes to throw rocks at PKI according to his bio:

Certificate validation

Request for Comments:

In Windows systems:

Cross-certification and hierachies

Certificate enrollment

Links for Microsoft's autoenrollment are provided in more MS-related sections

Weird, hacked, forged certificates

PKI planning

Somewhat Microsoft-centric:

Windows PKI: Features and management

After I started compiling my own list, I found this - I will keep picking some of the microsoft.com links and publish them to this page though:

Some of the features required to run a Microsoft PKI in a larger, corporate environment:

Windows PKI 2008 R2 versus 2012 R2 and upgrade of hash algorithms

New features in 2012! Note I started added some the detailed articles about specific features - NDES, templates - also to other sections. This section is for overviews covering many new features or cryptograpy / algorithms in particular.

New ways to leverage a TPM chip - key attestation by validation of an endorsement key. You could have used a TPM chip as a custom key store for the machine / SYSTEM in earlier versions of Windows (basically like a 'smartcard for machines) in case the vendor of the TPM chip or a vendor of crypto software provided a suitable CSP / CNG provider. Starting with Windows 8.1 as the end-entity's OS the CA (2012 R2) is able to check if the private key had really been stored to a TPM chip.

New algorithms:

  • Changing public key algorithm of a CA certificate - only the hash algorithm can be changed (for CNG providers), not the provider itself.
  • Upgrade Certification Authority to SHA256 - after the change of a registry key the CA signs anything with the new algorithm, including CRLs and its own CA certificate when renewed (Step-by-step-instructions).
    Attention - according to my experiences with 2008 R2 the registry value for hash values is case-sensitive. Good: The change of the hash algorithm can be reverted easily. Bad: This is a per-CA settings, so once the algorithm has been changed all certificates and CRLs issued by that CA are signed using the new algorithm.

Certificate and key stores

Windows client-side stores:

Encoding

Using certificates for authentication

Native Active Directory logon:

Webserver-based mapping (no directory)

Apple iDevices, SAP, and other non-MS clients

  • In contrast to Windows'/AD's native logon via UPN string mapping SAP uses a 1:1 mapping of binary certificates to users:
    Single Sign-on mit SAP (part of a German book, assignment of the certificate is explained on pp.33)
  • Apple iPhones, 802.1x authentication against Active Directory using Windows RADIUS server (NPS)
    (promoted to blog post, summary kept here for traceability).
    • Properties of the certificate
      Subject CN: host/machine.domain.com
      Subject Alternative Name machine.domain.com
      Certificate Template (Windows Enterprise PKI): Copy the default template Workstation Authentication, Subject Name: Name as submitted with the Request.
    • Create the key, request and certificate on a dedicated enrollment machine and export key and certificates as PKCS#12 (PFX) file.
    • Create a shadow account in Active Directory
      dnsHostName: machine.domain.com
      s
      ervicePrincipalNames: HOST/machine.domain.com
    • According to my tests, the creation of an additional name mapping (as recommended here) is not required - SAN-DNS gets mapped onto dnsHostName in AD.

Network authentication of devices

  • Overview: Certificates for different services / protocols, like 802.1x or IPsec

PKI Applications

Started in 2014-10. Usual suspects as SMIME, EFS, 802.1x to be added as needed over time. See also the list of Technet Postings and the PKI FAQ.

Useful commands (in the Windows world)

Configuration parameters:

Emergency processes, for Windows.

  • Delete cached CRLs:
    certutil -setreg chain\ChainCacheResyncFiletime @now
    (Weitere Optionen siehe diesen MS-PKI-Team-Blogeintrag)
  • Start a CA even if the revocation check on its own certificate has failed - set this flag:
    certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  • Key Recovery:
    • Search for the archived keys of a specific user and create a batach script (CA admin permissions required)
      certutil –getkey domain\username >recovery-username.bat
      This script also contains the password of the p12 key file that will be created.
    • Run this batch file. This creates a single p12 file including all keys for this user. Pre-requisites: The user executing the script needs to have one Key Recovery Agent's certificates associated with each of the keys to be recovered in his/her store. In addition CA Admin permissions are required and this needs to be an admin cmd session.
    • The batch file does the following for every key found:
      certutil -getkey [SerialNumber] [encrypted blob]
      certutil -recoverykey [encrypted blob]
      A temporary p12 file is created from every blob; then all p12 files are merged using
      certutil -mergepfx and all temporary files are deleted.

PKI and smart metering

Requirements for a smart meter PKI in Germany:
Sicherheitsinfrastruktur für „smarte“ Versorgungsnetze

An example: Smart Meter mit PKI Sicherheit

X.509 Certificate

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact and Legal Notice