Public Key Infrastructure

Dear experts,

What is the best advice to simulate an implementation of a PKI framework?

Any links or examples to share while I do my research too?

This is a small project. Able to share some experts' thoughts?

Dave Howe (Software and Hardware Engineer) commented:
well (1) one or more named files stored on machine A
(2&3) Machine B to use PKI to satisfy Machine A of its identity using a challenge response protocol comprising

a) a unique token (nonce) generated by Machine A (this can be sent plaintext, as it need not be protected)
b) a timestamp to ensure against repeat attacks based on nonce collision
c) a string representing which file machine B would like to download.
d) a digital signature (using one of the big three algos - Elgamal, RSA, or EC) to confirm that Machine B is authorized to request files

as your requirement didn't state you encrypt anything, I wouldn't bother - just supply whichever file was requested down the socket as soon as you get a valid digitally signed request.

given any decent language with a socket library and at least one PKI algo available, I wouldn't expect it to take more than a couple of hours to code up. Java has both its native libraries and the superior Bouncy Castle libraries available, so you shouldn't have much trouble :)

Dave Howe (Software and Hardware Engineer) commented:
what do you mean "simulate?"

But there are two major implementations of PKI - the x509 (ssl certificate / pkcs) system used by websites and s/mime, and openpgp.  Of the two, the former is much more common, easy to find tools, libraries and examples of, and is familiar to most people (so will be easier to find someone to validate your work)

If you want to strike out alone, then you can use a basic crypto toolset (dot net has one baked in which will do, or there are plenty) and roll your own, but you will pretty much need to write your own clients, servers and generation tools which is significantly more work.
We needed to test PKI using SCEP so we used the open source DOGTAG software.   Mostly because it supports SCEP but can be used as a PKI CA and RA.  

Here's the link:
moombaz (Author) commented:
Hi Dave,

I have a topic "PKI Infrastructure".

Using the topic, I have to come up with a simulation to use the framework. An example I have is that, within a LAN, 2 computers want to send a file to each other; before he/she could do it, the process of PKI whereby certificates are used. Then he/she is allowed to do so. By proving if this works, I am showing that my PKI implementation is successful. However, I am not sure whether my idea is correct or not.

I'm not here to test for PKI. I am supposed to implement a PKI framework. Implement on what? That is open. So I need inputs on ideas.

Dave Howe (Software and Hardware Engineer) commented:
Are you allowed to use existing software for this?

if so, just use IIS, seriously.

Steps as follows:

1) use and and create a keystore
2) in the keystore, create a CA key (use CA template) with a 10 year duration.
3) in the keystore, create a Server (use HTTPS_Server template) certificate with a 1 year duration signed by your CA
4) in the keystore, create a Client (HTTPS_Client template) certificate signed by your CA
5) Export Certificate (only!) for CA
6) Export PKCS 12 keystores for Client and Server. Do not include certificate chain.

ok, PKI done. now for working stuff.

7) in windows, import the CA certificate and Server PKCS#12 into the machine keystore - use the mmc certificate snapin for this.

8) In IIS, set your site to use the Server certificate, and require Client certificates signed by the CA cert.

9) on a separate machine.... first, try to download a file from the IIS using internet explorer. it should error with a certificate validation message (proves server validation)

10) on same machine, import the CA certificate, try to download a file (again) from the IIS. your browser should now accept the certificate (server validated by CA) but be rejected by the server for lack of a client cert. (proves server validation and access control via PKI)

11) finally on this machine, import the Client PKCS#12 certificate and demonstrate you can now download the file.

for additional credit, you can use wireshark to demonstrate the details of the exchange (wireshark has the ability to explain SSL captures provided you have the secret key for the server. you can export this from XCA easily). This is a demonstration of how real-world PKI (as implemented in webservers the world over) works, without having to code anything yourself :)

moombaz (Author) commented:
I'm not supposed to use existing software. However, your suggestion is great. Sadly it cannot be used.

Dave Howe (Software and Hardware Engineer) commented:

Are you at least allowed to use existing libraries? and are you restricted in what languages/platforms you can use?

the dot net framework should have all the stuff you need to implement a challenge/response in RSA or DH over a socket, and transfer arbitrary data.  there are others (I tend to work in C) but you need to stick to what is available to you. you could even do most of this in a scripting language :)

simplest solution - open a listening socket and when something connects to it, supply a (prng generated) nonce; client is to return the nonce (thus also acting as a salt), the current time/date, and the file required to be downloaded (simple text string) digitally signed with an RSA key. verify the key, (and that the date/time is within 1 minute of current server time) and if it matches, supply the file, otherwise close the socket.
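
The nonce, timestamp, file name and signature exchange described in the answers above, as an added Java example that is not part of the original thread. It assumes Machine A already trusts Machine B's RSA public key (in a full PKI that key would arrive in a CA-signed certificate), runs both sides in one process instead of over a socket, and uses hypothetical names such as `SERVED_FILES` and `report.txt`.

```java
import java.security.*;
import java.util.*;

public class SignedFileRequestDemo {
    static final long MAX_SKEW_SECONDS = 60;                       // accept timestamps within 1 minute
    static final Set<String> SERVED_FILES = Set.of("report.txt");  // hypothetical allow-list on Machine A
    static final Set<String> outstanding = new HashSet<>();        // nonces issued but not yet used

    // Machine A: issue a fresh random nonce for each connection.
    static String newNonce() {
        byte[] n = new byte[16];
        new SecureRandom().nextBytes(n);
        String nonce = Base64.getEncoder().encodeToString(n);
        outstanding.add(nonce);
        return nonce;
    }
    // Both sides serialize the request identically; '|' cannot occur in the nonce or timestamp.
    static byte[] message(String nonce, long ts, String file) {
        return (nonce + "|" + ts + "|" + file).getBytes(java.nio.charset.StandardCharsets.UTF_8);
    }
    // Machine B: sign nonce, timestamp and requested file name with its private key.
    static byte[] sign(PrivateKey key, String nonce, long ts, String file) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(message(nonce, ts, file));
        return s.sign();
    }
    // Machine A: require a fresh nonce, a recent timestamp, a listed file and a valid signature.
    static boolean verify(PublicKey key, String nonce, long ts, String file, byte[] sig) throws Exception {
        if (!outstanding.remove(nonce)) return false;   // unknown or already-used nonce
        if (Math.abs(System.currentTimeMillis() / 1000 - ts) > MAX_SKEW_SECONDS) return false;
        if (!SERVED_FILES.contains(file)) return false; // never open a path outside the list
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(message(nonce, ts, file));
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair client = g.generateKeyPair();           // constructed demo key for Machine B
        long now = System.currentTimeMillis() / 1000;
        String nonce = newNonce();
        byte[] sig = sign(client.getPrivate(), nonce, now, "report.txt");
        System.out.println("first use: " + verify(client.getPublic(), nonce, now, "report.txt", sig));
        System.out.println("replay:    " + verify(client.getPublic(), nonce, now, "report.txt", sig));
    }
}
```

Removing the nonce from the outstanding set before any other check means a captured request cannot be resubmitted, even inside the one-minute timestamp window.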

moombaz (Author) commented:
Yup, allowed to use existing library. Will be using Java for this.

So your idea to simulate a complete PKI framework is

Machine A (Server)
Machine B (Client)

1. A text file stored in Machine A
2. Machine B request to communicate with Machine A to download the text file
3. During the connection of communication and downloading of files, the crypto and PKI all applies.

Am I right to say?

moombaz (Author) commented:
Thanks, you've answered my questions perfectly!
Question has a verified solution.