pace-it, security+ 6.3: introduction to public key infrastructure (part 1)

Introduction to public key infrastructure I.

Upload: pace-it-at-edmonds-community-college

Post on 14-Feb-2017


TRANSCRIPT

Page 1: PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 1)

Introduction to public key infrastructure I.

Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Page 3

Introduction to public key infrastructure I.

– Overview of asymmetric encryption.

– Certificate authorities and digital certificates.


Page 4

Overview of asymmetric encryption.

Page 5

Overview of asymmetric encryption.

– Asymmetric encryption.

» In asymmetric encryption, two separate cryptographic keys are used to encrypt data; the two keys are mathematically linked through special algorithms.

• One key can encrypt the data; the other key is then used to decrypt the data.

» If the parties in the communication are not closely associated with each other, an issue arises on how to exchange security keys.

» Requires more computing resources than symmetrical encryption methods.

– Solution to the overhead issue.

» Often, an asymmetric encryption session is used to establish a trust relationship between two entities: verification that the parties are who they say they are.

• Once verification has taken place, the parties then agree upon a secret key that can be used with an agreed-upon symmetrical encryption standard, thus reducing the computing overhead required for communication.


Page 6

Overview of asymmetric encryption.

In many situations, asymmetric encryption revolves around a public key infrastructure (PKI).

PKI is a process that is used to generate and manage the two security keys that are necessary for asymmetric encryption. With PKI, two keys are created—a public key and a private key. The public key is made known and is readily associated with a specific entity (e.g., a person or organization). That same entity is responsible for maintaining the security and integrity of the private key. Messages encrypted with the public key can only be decrypted with the private key, thus ensuring the security of any message. PKI is established with the assistance of a certificate authority (CA).


Page 7

Certificate authorities and digital certificates.

Page 8

Certificate authorities and digital certificates.

– Public CA.

» A third-party entity that is in the business of issuing (selling) the digital certificates that are used with PKI.

• Useful when there is not an existing trust relationship between two parties that require the use of asymmetrical encryption.

• Many applications (e.g., Internet Explorer or Firefox) automatically trust certificates issued by public CAs (e.g., VeriSign or GoDaddy).

» Has the power to revoke an entity’s digital certificate (e.g., in cases of fraud).

– Private CA.

» The process used when an organization creates its own PKI.

• The organization self-signs its own digital certificates that are used to support asymmetrical encryption.

» An advantage to the private CA is that the organization doesn’t need to pay for each individual certificate.

» A disadvantage to the private CA is that it may be difficult to get other organizations to accept the self-signed certificates.


Page 9

Certificate authorities and digital certificates.

– Levels of certificate authorities.

» The PKI model requires that there be a hierarchical structure to the CAs.

» The first CA to be installed in PKI is the root CA.

• The root CA issues digital certificates to all other CAs (which are called subordinate CAs) that are installed in the PKI model.

• By default, the root CA must self-sign its own certificate.

– Digital certificate.

» An electronic file that is used to store the public key of the entity that the certificate is issued to.

• It is bound to and uniquely identifies the entity that it is issued to, which eases the asymmetrical encryption process used by PKI.


Page 10

Certificate authorities and digital certificates.

– Components of the digital certificate.

» Public key: the public encryption key of the entity that the certificate was issued to.

» Serial number: a unique number assigned to the certificate to help identify it.

» Algorithm: the asymmetrical algorithm used by the certificate.

» Subject: the entity that was issued the certificate.

» Issuer: the entity that issued the certificate.

» Valid from: the start date of the certificate.

» Valid to: the end date of the certificate.

» Thumbprint algorithm: the hash algorithm to use when verifying the integrity of the certificate.

» Thumbprint: the actual hashed value of the certificate (which can be used to verify that the certificate has not been altered).
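The two linked keys from the asymmetric encryption slide, and the root/subordinate CA hierarchy and certificate fields from the slides above, worked through in added example code that is not part of the PACE-IT material. It uses a toy RSA built from small primes (illustrative only; real PKI keys are 2048 bits or more), certificates carrying the listed fields (subject, issuer, serial number, algorithm, public key, valid from/to, thumbprint algorithm), and a chain check that walks end entity -> subordinate CA -> self-signed root and accepts the root only when its thumbprint is in the trust store; the CA names, dates and the "toy-RSA" label are constructed.

```python
import hashlib
import json
from math import gcd

# Toy RSA from small primes so the link between the two keys is visible; illustrative only.
def next_prime(n):                  # smallest prime >= n (trial division is fine at this size)
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def keypair(seed):
    p, q = next_prime(seed), next_prime(2 * seed)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while gcd(e, phi) != 1:         # e must be invertible modulo phi(n)
        e += 2
    return (n, e), (n, pow(e, -1, phi))   # public (n, e) and private (n, d), linked through phi(n)

def sign(priv, data):               # the private key transforms the SHA-256 hash...
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(pub, data, sig):         # ...and only the matching public key turns it back
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def tbs_bytes(cert):                # the fields covered by the issuer's signature
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True).encode()
def thumbprint(cert):               # hash of the whole certificate, signature included
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()

def issue(issuer, issuer_priv, subject, pub, serial, valid_from, valid_to):
    cert = {"subject": subject, "issuer": issuer, "serial": serial, "algorithm": "toy-RSA",
            "public_key": list(pub), "valid_from": valid_from, "valid_to": valid_to, "thumbprint_algorithm": "sha256"}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def verify_chain(chain, trusted_thumbprints, today):
    # chain[0] is the end-entity cert; chain[-1] must be a self-signed root whose thumbprint is trusted
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert   # the root signs itself
        if not cert["valid_from"] <= today <= cert["valid_to"]:     # ISO dates compare as strings
            return False, f"{cert['subject']}: outside validity period"
        if issuer["subject"] != cert["issuer"] or not verify(issuer["public_key"], tbs_bytes(cert), cert["signature"]):
            return False, f"{cert['subject']}: signature does not verify against {cert['issuer']}"
    if thumbprint(chain[-1]) not in trusted_thumbprints:
        return False, f"{chain[-1]['subject']}: root is not in the trust store"
    return True, "chain verified"

def build_chain():                  # constructed sample hierarchy: root -> subordinate CA -> end entity
    (root_pub, root_priv), (sub_pub, sub_priv), (leaf_pub, _) = keypair(100000), keypair(300000), keypair(500000)
    root = issue("Toy Root CA", root_priv, "Toy Root CA", root_pub, 1, "2017-01-01", "2027-01-01")   # self-signed
    sub = issue("Toy Root CA", root_priv, "Toy Issuing CA", sub_pub, 2, "2017-01-01", "2027-01-01")
    leaf = issue("Toy Issuing CA", sub_priv, "www.example.com", leaf_pub, 3, "2017-01-01", "2027-01-01")
    return [leaf, sub, root]
```

Passing an empty trust store reproduces the private CA disadvantage from the earlier slide: every signature checks out, yet the chain is rejected because nobody trusts the self-signed root.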


Page 11

What was covered.

Topic: Overview of asymmetric encryption.

Summary: Asymmetrical encryption requires the use of two separate, but linked, security keys (one to encrypt and the other to decrypt). Asymmetrical encryption is often used to set up a symmetrical encryption session. PKI is often used in situations involving asymmetrical encryption. A certificate authority (CA) is used when establishing PKI.

Topic: Certificate authorities and digital certificates.

Summary: There are two types of CAs. A public CA is in the business of providing the digital certificates used in the PKI process. A private CA is used when an organization issues its own certificates. The root CA is the first CA used in the PKI process; all other CAs are subordinate CAs. A digital certificate is an electronic file that is used to store the public key of the entity that the certificate is issued to. There are many important fields in the digital certificate, which include: public key, serial number, algorithm, validity dates, thumbprint algorithm, and thumbprint.

Page 12

THANK YOU!

Page 13

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.