

Public Key Infrastructure

Posted on 2011-10-20
Medium Priority
Last Modified: 2012-05-12
Dear experts,

What is the best advice to simulate an implementation of a PKI framework?

Any links or examples to share while I do my research too?

This is a small project. Able to share some experts' thoughts?

Question by:moombaz
LVL 33

Expert Comment

by:Dave Howe
ID: 37000109
what do you mean "simulate?"

But there are two major implementations of PKI - the X.509 (SSL certificate / PKCS) system used by websites and S/MIME, and OpenPGP. Of the two, the former is much more common, easy to find tools, libraries and examples of, and is familiar to most people (so it will be easier to find someone to validate your work).

If you want to strike out alone, then you can use a basic crypto toolset (dot net has one baked in which will do, or there are plenty) and roll your own, but you will pretty much need to write your own clients, servers and generation tools which is significantly more work.
LVL 33

Expert Comment

ID: 37000135
We needed to test PKI using SCEP so we used the open source DOGTAG software.   Mostly because it supports SCEP but can be used as a PKI CA and RA.  

Here's the link:

Author Comment

ID: 37004344
Hi Dave,

I have a topic "PKI Infrastructure".

Using the topic, I have to come out with a simulation to use the framework. An example I have is that, within a LAN, 2 computers want to send a file to each other; before he/she could do it, the process of PKI whereby certificates are used applies. Then he/she is allowed to do so. By proving that this works, I am showing that my PKI implementation is successful. However, I am not sure whether my idea is correct or not.

I'm not here to test for PKI. I am supposed to implement a PKI framework. Implement on what? That is open. So I need inputs on ideas.


LVL 33

Expert Comment

by:Dave Howe
ID: 37007312
Are you allowed to use existing software for this?

if so, just use IIS, seriously.

Steps as follows:

1) use http://sourceforge.net/projects/xca and create a keystore
2) in the keystore, create a CA key (use CA template) with a 10 year duration.
3) in the keystore, create a Server (use HTTPS_Server template) certificate with a 1 year duration signed by your CA
4) in the keystore, create a Client (HTTPS_Client template) certificate signed by your CA
5) Export Certificate (only!) for CA
6) Export PKCS 12 keystores for Client and Server. Do not include certificate chain.

ok, PKI done. now for working stuff.

7) in windows, import the CA certificate and Server PKCS#12 into the machine keystore - use the mmc certificate snapin for this.

8) In IIS, set your site to use the Server certificate, and require Client certificates signed by the CA cert.

9) on a separate machine.... first, try to download a file from the IIS using internet explorer. it should error with a certificate validation message (proves server validation)

10) on same machine, import the CA certificate, try to download a file (again) from the IIS. your browser should now accept the certificate (server validated by CA) but be rejected by the server for lack of a client cert. (proves server validation and access control via PKI)

11) finally on this machine, import the Client PKCS#12 certificate and demonstrate you can now download the file.

for additional credit, you can use wireshark to demonstrate the details of the exchange (wireshark has the ability to explain SSL captures provided you have the secret key for the server. you can export this from XCA easily). This is a demonstration of how real-world PKI (as implemented in webservers the world over) works, without having to code anything yourself :)


Author Comment

ID: 37007921
I'm not supposed to use existing software. However, your suggestion is great. Sadly it cannot be used.
LVL 33

Expert Comment

by:Dave Howe
ID: 37010863

Are you at least allowed to use existing libraries? and are you restricted in what languages/platforms you can use?

the dot net framework should have all the stuff you need to implement a challenge/response in RSA or DH over a socket, and transfer arbitrary data.  there are others (I tend to work in C) but you need to stick to what is available to you. you could even do most of this in a scripting language :)

simplest solution - open a listening socket and when something connects to it, supply a (prng generated) nonce; client is to return the nonce (thus also acting as a salt), the current time/date, and the file required to be downloaded (simple text string) digitally signed with an RSA key. verify the key, (and that the date/time is within 1 minute of current server time) and if it matches, supply the file, otherwise close the socket.


Author Comment

ID: 37013428
Yup, allowed to use existing library. Will be using Java for this.

So your idea to simulate a complete PKI framework is:

Machine A (Server)
Machine B (Client)

1. A text file stored in Machine A
2. Machine B requests to communicate with Machine A to download the text file
3. During the connection of communication and downloading of files, the crypto and PKI all applies.

Am I right to say?
LVL 33

Accepted Solution

Dave Howe earned 2000 total points
ID: 37014491
well (1) one or more named files stored on machine A
(2&3) Machine B to use PKI to satisfy Machine A of its identity using a challenge response protocol comprising

a) a unique token (nonce) generated by Machine A (this can be sent plaintext, as it need not be protected)
b) a timestamp to ensure against repeat attacks based on nonce collision
c) a string representing which file machine B would like to download.
d) a digital signature (using one of the big three algos - Elgamal, RSA, or EC) to confirm that Machine B is authorized to request files

as your requirement didn't state you encrypt anything, I wouldn't bother - just supply whichever file was requested down the socket as soon as you get a valid digitally signed request.

given any decent language with a socket library and at least one PKI algo available, I wouldn't expect it to take more than a couple of hours to code up. java has both its native libraries and the superior Bouncy Castle libraries available, so you shouldn't have much trouble :)
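The challenge/response Dave describes above and in his earlier post (server nonce, timestamp, requested filename, RSA signature, 1-minute window), as an added example that is not from this thread or its participants, written in Java as the asker planned. The socket transport is left out so both sides exchange values in-process; the 16-byte nonce, the `|`-separated message encoding, the class and method names and the sample filenames are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedFileRequest {
    static final long MAX_SKEW_MS = 60_000; // "within 1 minute of current server time"
    // Server: fresh random nonce per connection; it may be sent in plaintext.
    static byte[] newNonce() {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    // Both sides build the bytes to sign the same way: nonce | timestamp | filename (assumed encoding).
    static byte[] message(byte[] nonce, long timestamp, String fileName) {
        String body = Base64.getEncoder().encodeToString(nonce) + "|" + timestamp + "|" + fileName;
        return body.getBytes(StandardCharsets.UTF_8);
    }
    // Client: sign the request with its RSA private key (SHA-256, PKCS#1 v1.5).
    static byte[] sign(PrivateKey key, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(msg);
        return s.sign();
    }
    // Server: release the file only if the nonce is the one issued for this connection,
    // the timestamp is inside the skew window, and the signature verifies under the client's key.
    static boolean accept(PublicKey clientKey, byte[] issued, byte[] nonce, long timestamp,
                          String fileName, byte[] sig, long now) throws GeneralSecurityException {
        if (!MessageDigest.isEqual(issued, nonce)) return false;   // wrong or replayed nonce
        if (Math.abs(now - timestamp) > MAX_SKEW_MS) return false; // stale request
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(clientKey);
        v.update(message(nonce, timestamp, fileName));
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair client = kpg.generateKeyPair(); // in a real deployment the CA certifies this key
        byte[] nonce = newNonce();              // server -> client
        long ts = System.currentTimeMillis();
        byte[] sig = sign(client.getPrivate(), message(nonce, ts, "report.txt")); // client -> server
        System.out.println("valid:    " + accept(client.getPublic(), nonce, nonce, ts, "report.txt", sig, ts));
        System.out.println("stale:    " + accept(client.getPublic(), nonce, nonce, ts, "report.txt", sig, ts + 120_000));
        System.out.println("tampered: " + accept(client.getPublic(), nonce, nonce, ts, "secret.txt", sig, ts));
    }
}
```

The second and third calls show the two checks the answer asks for: a request older than the window is refused even with a good signature, and a signature made over one filename does not verify for another.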

Author Comment

ID: 37023713
Thanks, you've answered my questions perfectly!
