good morning everybody and welcome back to next door netadmin so like I said in the free form from March I have had a suggestion a request to go over Acme certificates and the whole nine yards I could do that and I'm planning on doing that but what's the point of talking at length about Acme certificates if nobody knows what they are so I'm actually going to end up doing a threep parter here this week I'm going to talk about what I would call pki Basics we'll get into what pki is in just a second we're going to go over the basics what is a certificate how do these actually work to a computer and why is this all important okay second week we're going to go over the Acme protocol itself what is it how does it function how is this actually planned out so that it's secure and it's doing what it should do cool and then in the third week we're going to go over implementation what are some tools that we can use to manage Acme certificates there's more than just the one how can you actually make this a functional part of your it infrastructure for those of you who are not sis admins or net admins yourself I'm going to be trying to keep this relatively basic and understandable I realize implementation may not be your thing but there's going to be plenty in the other weeks that will help you increase your understanding of what these certificate things are why they're important and kind of a general understanding of how it works and the kind of considerations that go into designing something that is both usable and relatively secure for most purposes okay so with that in mind let's get started with today's this week's lesson that almost sounds so formal I'm just going to start talking okay awesome pki basics pki in this case is public key infrastructure it's important to know that everything to do with certificates uses public private Keys what is that well the general idea is it's a way of handling encryption where there are two keys involved there's a public key which is public it's open to everybody everybody gets to see it everybody knows what it is and then there's a private key which is kept secret there's a lot of complicated math that goes into this I'm not going to get into all of the complicated math don't worry but I am going to give you a broad overview of how it works right off the top I'm going to come clean I'm using the numbers off of the Wikipedia entry okay um because they're they're they're simple numbers they're relatively small and they're more easily understandable the actual numbers involved are many many many times larger but we're going to keep things simple I'm going to walk you through the basic idea of the math Behind These two keys and then I'll come back and I'll tell you why this is kind of important so we have a bunch of numbers here this looks intimidating as all get out I realize stick with me though we're going to make this as basic as we can first thing we need to understand is modular arithmetic or the modulo operation we all know how to add subtract multiply divide this is stuff that's very basic but what are we doing when we look at 8 mod 3 well the easy way to think of mod is as remainder ERS so when you see 8 mod 3 if you take 8 / 3 what's your remainder now mentally in our heads we can all do this if you divide 8 by three well you can divide 6 by three easily and 8 minus 6 is 2 okay so the remainder is two mathematically speaking if you pull out a calculator or open up the calculator app on your PC and I do encourage this for following through with this if you do 8 divided 3 you'll get a number like 2 um zillion sixes followed by a seven if you subtract just the integer part the part before the decimal point you hit minus two then you'll get that and then you hit times three the number that you were modding by and you'll get two this is really useful this is going to be the Keystone of what we're doing here so when we are constructing a public and private key pair you start by getting two different prime numbers we call them p and Q these are very small prime numbers you wouldn't actually use these because they're not secure enough we're using this as an example because it's easier to work with numbers of this size the prime numbers we actually use use in public private key cryptography are 300 plus digits long they're ungodly length for us for humans for computers whatever but the length of the prime number is what actually makes this secure because it makes it very infeasible to reverse what we're actually going to be doing with this but for our example we're just using two small numbers again like I said lifted liberally from Wikipedia so I'm just walking you through this example we have two prime numbers 61 and 53 here p and Q and then we're going to calculate the product of p and Q which is n if you punch this into your calculator you will find that it comes out to 3,233 now again I am glossing over the math we also want to find the least common multiple of P minus one and Q minus1 so the least common multiple of 60 and 52 it's not the same thing as multiplying them together in this case the least common multiple turns out to be 780 take my word for this um but this is also referred to in the math as Lambda the Greek letter Lambda probably familiar to you from the halflife franchise then you need to choose a number which is greater than one less than 780 and has to be co-prime to 780 now for many reasons it is optimal to choose a smallish prime number but you could choose any number it's just best to use a smallish prime number uh because for making sure that it's co-prime you just have to make sure that whatever you choose is not a factor of 780 you cannot evenly divide 780 by 17 that's fine so our number here is going to be 17 that's the one that we chose then we need to choose another integer D and it needs to satisfy this equation E * D mod Lambda equals 1 there's an actual mathematical calculation you can make to correctly get this number but again we're skimming over the heavy stuff it's enough to know that 413 in this case satisfies this equation so if you punch into your calculator 17 * 413 divide it by 780 subtract whatever your integer is and then multiply ly it by 780 you should get exactly one this now forms our actual Keys the public key is the pair of E17 and n 3,233 and the private key is the corresponding d and n so 413 and 3,233 okay that's a bunch of numbers how does that actually help us whatsoever well stick with me we're going to use some more complicated maths but stay in your calculator just punch it through and you can confirm that this works you may need to switch your calculator to Scientific mode if you're using the windows calculator app for example you can choose scientific that will help you in what we're about to do okay okay so just as a reminder here's our public key here's our private key and I've actually put in the numbers here so that we can do this now we have a message remember that to a computer everything including text is a number or can be represented as a number so the letter A the capital letter a is represented in asky code as the number 65 so our letter is a in this case it's the number 65 that's our message m c is our Cipher text the encrypted version of this to calculate C you take M raised to the power of E 17 mod n so it'll look like this equal 65 to ^ of 17 mod 3,233 if you punch that through in your calculator again these are numbers big enough that you're not going to calculate them in your head unless you are genius and I am not when you punch it all through you should get 2790 okay cool to decrypt it you have pretty much the same equation but using the cipher text instead of the message and using your decryption value rather than your encryption value so if your Cipher text is 2790 your message is C to the power of D mod n and it looks like this 2790 to the power of 413 yikes mod 3 , 233 and what you should get is 65 we've used one of these to encrypt the message into Cipher text and the corresponding one has decrypted it back into the message now here is a very important property if you do this in Reverse it still works your Cipher text can be message to the power of the decryption value 65 to the power of 413 mod 3,233 and that'll equal something completely different but when you use the corresponding half the encryption value you can retrieve the original message so these equations work both ways and that's a very important factor as you'll see in just a moment now the math that I've just walked through here is valid for what's called RSA Keys RSA is just the initials of the people who developed it it doesn't stand for anything more complicated than that regardless these are the older style of keys used in public private key cryptography they're still valid they're still secure they're still used they're still actually required for some very specific purposes there are newer Keys as well using something called elliptic curve cryptography this is also shortened to ECC ECC keys have the definite advantage of being much smaller for the same degree of security an RSA key that is 248 bits long you can get equivalent security from an ECC key that's only 256 bits long eight times smaller this has major benefits when you're working with mobile devices like phones or tablets it consumes less power it transmits faster because it's eight times smaller it's hugely beneficial and recommended to use ECC Keys these days wherever you can cool I'm not going to walk you through all of that because all you really need to know is that the same fundamental principle applies and this is the key Point pun intended anything that one half of the key pair does public or private the other half can undo public or private public matches with private private matches with public cool why is this important this property is what underpins all of the certificates in the world because when you use the public key to encrypt something only the receiver's private key can decrypt it this is basic but if you go the other direction anything that the private key encrypt can only be decrypted by the public key and this forms a signature more specifically if you take an entire document or let's say public key itself if you take that data and squash it down and create a what's called a hash of it a hash very basically is a representation of the input you can't get the input back from the hash but the idea is that if you change anything in the input you'll get a different hash value so you can kind of take the input squish it down and get a hash value if it matches the hash that you're told it should hash to you know it hasn't been altered cool if you take that hash and encrypt it using a private key then anybody with that public key can decrypt the hash and compare it to the hash of the actual data and this does two things number one you know the data has not been changed because the hash values match but number two you know that the owner of this private key had and referenced the exact same input document because that signature the encrypted hash is called a signature in this case that signature could only be produced by this exact input document and that private key because it matched the public key that you used to decrypt it and then do the comparison this signature is what underpins all of the certificates globally I can take my own certificate and say Here's the public key and I'm going to sign it that doesn't really mean a whole lot does it any Joe Sidman out there anywhere could create his own certificate claiming that hi I am Office 365 . and sign it does that mean we should trust it no it really doesn't so it's more useful if I produce a certificate I will take that public key my public key and send it to a certificate Authority and say I would like you to sign this the certificate Authority looks at it verifies everything is good according to to whatever method they're using we'll get into that next week but then they take the hash of my public key and they use their private key to encrypt the hash so that they are signing it they are saying yes this public key for the next door nedman has not been changed and we the certificate Authority are certifying to to everybody else in the public that we have seen it it has not changed and we have verified it and we have marked this by signing it with our private key anybody out there with the public key for the certificate Authority can look at it and say ah this certificate Authority signed it and then they can compare the hash value and say and this certificate is good it has not changed we now know that we have a valid public key for the next door nedman and we can use that public key to encrypt any communication going to that server and we know that it's good how are certificate authorities chosen how do you do this well there are ways to create your own certificate Authority and to manually instruct all of your devices to trust that this is something that is perhaps a little more advanced and we're not going to get too deep into it but there are a number of public certificate authorities and they have a lot of requirements for their physical security for their electronic security and everything else to safeguard this but when a public certificate Authority goes through all of these steps to verify that everything is good then another Authority usually the browser or the operating system Microsoft has a root certificate program Mozilla for Firefox has its own root certificate program Google has a root certificate program for Chrome and Chrome OS Apple has its own root certificate program for everything Mac iPhone iPad the all of that all of these Gatekeepers vendors manufacturers whatever word you want to use for them they will ass assess the security practices of the root certificate Authority and if it's all good then that root certificate will be added to the operating system or to the browser as a valid trusted root certificate Authority and then anything that that certificate Authority signs can be trusted and again I am generalizing somewhat here in an actual pki infrastructure you will have multiple levels of certificate authorities because you don't actually want your root certificate authority to sign every person's certificate there's security reasons behind that but I'm not going to go into that right now we're keeping things General today the big important part to know is that there's multiple types of certificates they work as a public key followed by well technically speaking a a certificate itself here's what a certificate is has a bunch of data including the domain name of the server any other domain names it can be referenced by it'll typically have space for other data such as the organization the organizational unit city state country there are all fields that can be filled out not every certificate has them but but it has space for them then you'll have the public key of the entity that is claiming the certificate is theirs and then you'll have one or more signatures by various entities one of which hopefully is or chains back to a root certificate Authority I will explain a chain because I just used an unfamiliar term without getting too deep into why we set it up this way you can chain things if I have a certificate and it's signed by you and you have a certificate that is signed by the root certificate Authority then everything's good it chains back the root verified you you verify me there it is cool so that's what I mean when I say chains it needs to chain back there eventually certificates are an immensely complicated subject so don't feel like you're be how do I phrase this certificates are just an immensely complicated subject and I could go on for hours and hours and hours but I'm not going to go on for hours and hours and hours don't feel bad if you don't get it right away sometimes it'll it'll just take time or just enjoy this video for what it was and in either case do do what I don't know I was saying something hi in any case thank you very much for joining me today I am your next door nedman we'll see you next week
