In this task you will create a Certification Authority (CA) which will act as a subordinate Enterprise Certification Authority to issue certificates to users and computers for an organisation called Hexad0m. An offline root Certification Authority is expected to be installed and configured to establish the foundation of the PKI architecture and to serve as the issuer for your subordinate CA. You will also demonstrate a comprehensive threat model against two categories, namely identity spoofing and CA threats, as part of your analysis. The group is advised to use a Windows 2012 server and any machine to perform the attacks against the system. Groups are free to completely virtualise the testing environment.
Your work must be presented in the form of a Project Report and be no longer than 4500 words (excl. references, figures, tables and appendices) plus a facing page that includes the executive summary. This should be typed on A4 paper in Arial, font size 10, with single spacing. For completeness, you may, if you wish, include additional material in an appendix, but this will not contribute to the marks.
Section 1: SSL PKI Design & Implementation
The technical requirements are listed as follows:
1. Install and configure an offline Root Certification Authority
2. Install and issue a Certification Authority
3. Configure the appropriate certificate templates of the issuing CA
4. Check the revocation status of certificates by installing and configuring an online responder
5. Create a fully operational TLS-enabled Web page and observe encrypted traffic
6. Demonstrate at least two (2) attacks against your PKI infrastructure in alignment with the two (2) threat categories outlined in Section 2.
Section 2: SSL PKI Threat Modelling & Ethical Considerations
The non-technical requirements are listed as follows:
1. SSL PKI threat model: Identify the threats and attacks arising from the proposed description of the SSL PKI security issues raised in your design/proposal. Create and discuss a taxonomy of those threats relevant to your design and propose suitable mitigation plans with clear references to the literature. You are required to threat model only against identity spoofing and certificate authority threats, using a standardised methodology to identify and rank the threats identified.
2. Threat Ranking: Define, adopt and validate the appropriate method to rank threats in the SSL PKI architecture.
3. Threat Mitigation Plan: A detailed threat mitigation plan is also required as part of your deliverables. Evidence of a systematic approach taken to validate the threats identified must be clearly articulated as part of your analysis.
PKI Risks: Critically discuss at least two (2) significant risks of PKI and link these to privacy. What kind of ethical and legal concerns are raised by the adaptation of PKI in Industry 4.0 for the authentication of IoT devices?