security+ guide to network security fundamentals, fourth edition chapter 12 advanced cryptography
TRANSCRIPT
Objectives
• Define digital certificates
• List the various types of digital certificates and how they are used
• Describe the components of Public Key Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different transport encryption algorithms
Security+ Guide to Network Security Fundamentals, Fourth Edition 2
Digital Certificates
• Common application of cryptography
• Aspects of using digital certificates– Understanding their purpose– Knowing how they are managed– Determining which type of digital certificate is
appropriate for different situations
Security+ Guide to Network Security Fundamentals, Fourth Edition 3
Defining Digital Certificates
• Digital signature– Used to prove a document originated from a valid
sender
• Weakness of using digital signatures– Imposter could post a public key under a sender’s
name
Security+ Guide to Network Security Fundamentals, Fourth Edition 4
Security+ Guide to Network Security Fundamentals, Fourth Edition 5
Figure 12-1 Imposter public key© Cengage Learning 2012
Defining Digital Certificates (cont’d.)
• Trusted third party– Used to help solve the problem of verifying identity– Verifies the owner and that the public key belongs to
that owner– Helps prevent man-in-the-middle attack that
impersonates owner of public key
• Information contained in a digital certificate– Owner’s name or alias– Owner’s public key– Issuer’s name
Security+ Guide to Network Security Fundamentals, Fourth Edition 6
Defining Digital Certificates (cont’d.)
• Information contained in a digital certificate (cont’d.)– Issuer’s digital signature– Digital certificate’s serial number– Expiration date of the public key
Security+ Guide to Network Security Fundamentals, Fourth Edition 7
Managing Digital Certificates
• Technologies used for managing digital certificates– Certificate Authority (CA)– Registration Authority (RA)– Certificate Revocation List (CRL)– Certificate Repository (CR)– Web browser
• Certificate Authority– Trusted third party– Responsible for issuing digital certificates– Can be internal or external to an organization
Security+ Guide to Network Security Fundamentals, Fourth Edition 8
Managing Digital Certificates (cont’d.)
• Duties of a CA– Generate, issue, an distribute public key certificates– Distribute CA certificates– Generate and publish certificate status information– Provide a means for subscribers to request
revocation– Revoke public-key certificates– Maintain security, availability, and continuity of
certificate issuance signing functions
Security+ Guide to Network Security Fundamentals, Fourth Edition 9
Managing Digital Certificates (cont’d.)
• Subscriber requesting a digital certificate– Generates public and private keys– Sends public key to CA– CA may in some instances create the keys– CA inserts public key into certificate– Certificates are digitally signed with private key of
issuing CA
Security+ Guide to Network Security Fundamentals, Fourth Edition 10
Managing Digital Certificates (cont’d.)
• Registration Authority– Subordinate entity designed to handle specific CA
tasks• Offloading registration functions creates improved
workflow for CA
• General duties of an RA– Receive, authenticate, and process certificate
revocation requests– Identify and authenticate subscribers
Security+ Guide to Network Security Fundamentals, Fourth Edition 11
Managing Digital Certificates (cont’d.)
• General duties of an RA (cont’d.)– Obtain a public key from the subscriber– Verify that the subscriber possesses the asymmetric
private key corresponding to the public key submitted for certification
• Primary function of an RA– Verify identity of an individual
Security+ Guide to Network Security Fundamentals, Fourth Edition 12
Managing Digital Certificates (cont’d.)
• Means for a digital certificate requestor to identify themselves to an RA– E-mail
• Insufficient for activities that must be very secure
– Documents• Birth certificate, employee badge
– In person• Providing government-issued passport or driver’s
license
Security+ Guide to Network Security Fundamentals, Fourth Edition 13
Managing Digital Certificates (cont’d.)
• Certificate Revocation List– Lists digital certificates that have been revoked
• Reasons a certificate would be revoked– Certificate is no longer used– Details of the certificate have changed, such as
user’s address– Private key has been lost or exposed (or suspected
lost or exposed)
Security+ Guide to Network Security Fundamentals, Fourth Edition 14
Security+ Guide to Network Security Fundamentals, Fourth Edition 15
Figure 12-2 Certificate Revocation List (CRL)© Cengage Learning 2012
Managing Digital Certificates (cont’d.)
• Certificate Repository– Publicly accessible centralized directory of digital
certificates– Used to view certificate status– Can be managed locally as a storage area
connected to the CA server– Can be made available through a Web browser
interface
Security+ Guide to Network Security Fundamentals, Fourth Edition 16
Security+ Guide to Network Security Fundamentals, Fourth Edition 17
Figure 12-3 Certificate Repository (CR)© Cengage Learning 2012
Managing Digital Certificates (cont’d.)
• Web browser management– Modern Web browsers preconfigured with default list
of CAs
• Advantages– Users can take advantage of digital certificates
without need to manually load information– Users do not need to install a CRL manually
• Automatic updates feature will install them automatically if feature is enabled
Security+ Guide to Network Security Fundamentals, Fourth Edition 18
Security+ Guide to Network Security Fundamentals, Fourth Edition 19
Figure 12-4 Web browser default CAs© Cengage Learning 2012
Types of Digital Certificates
• Different categories of digital certificates– Class 1 through Class 5– Dual-key sided– Dual sided
• Other uses for digital certificates– Provide secure communication between clients and
servers by encrypting channels– Encrypt messages for secure Internet e-mail
communication
Security+ Guide to Network Security Fundamentals, Fourth Edition 20
Types of Digital Certificates (cont’d.)
• Other uses for digital certificates (cont’d.)– Verify the identity of clients and servers on the Web– Verify the source and integrity of signed executable
code
• Common categories of digital certificates– Personal digital certificates– Server digital certificates– Software publisher digital certificates
Security+ Guide to Network Security Fundamentals, Fourth Edition 21
Types of Digital Certificates (cont’d.)
• Class 1: personal digital certificates– Issued by an RA directly to individuals– Frequently used to secure e-mail transmissions– Typically only require user’s name and e-mail
address to receive
• Class 2: server digital certificates– Issued from a Web server to a client– Ensure authenticity of the Web server– Ensure authenticity of the cryptographic connection
to the Web server
Security+ Guide to Network Security Fundamentals, Fourth Edition 22
Security+ Guide to Network Security Fundamentals, Fourth Edition 23
Figure 12-5 Server digital certificate© Cengage Learning 2012
Types of Digital Certificates (cont’d.)
• Class 2: server digital certificates (cont’d.)– Server authentication and secure communication
can be combined into one certificate• Displays padlock icon in the Web browser
• Click padlock icon to display information about the digital certificate
• Extended Validation SSL Certificate (EV SSL)– Requires more extensive verification of legitimacy of
the business
Security+ Guide to Network Security Fundamentals, Fourth Edition 24
Security+ Guide to Network Security Fundamentals, Fourth Edition 25
Figure 12-6 Padlock icon and certificate information© Cengage Learning 2012
Types of Digital Certificates (cont’d.)
• Class 3: software publisher digital certificates– Provided by software publishers– Purpose: verify programs are secure and have not
been tampered with
• Dual-key digital certificates– Reduce need for storing multiple copies of the
signing certificate– Facilitate certificate handling in organizations
• Copies kept in central storage repository
Security+ Guide to Network Security Fundamentals, Fourth Edition 26
Types of Digital Certificates (cont’d.)
• Dual-sided certificates– Provides ability for client to authenticate back to the
server– Both sides of the session validate themselves
• X.509 digital certificates– Standard for most widely accepted format for digital
certificates
Security+ Guide to Network Security Fundamentals, Fourth Edition 27
Public Key Infrastructure (PKI)
• Important management tool for the use of:– Digital certificates:– Asymmetric cryptography
• Aspects of PKI– Public-key cryptography standards– Trust models– Key management
Security+ Guide to Network Security Fundamentals, Fourth Edition 29
What is Public Key Infrastructure?
• Need for consistent means to manage digital certificates
• PKI: framework for all entities involved in digital certificates
• Certificate management actions facilitated by PKI– Create– Store– Distribute– Revoke
Security+ Guide to Network Security Fundamentals, Fourth Edition 30
Public-Key Cryptographic Standards (PKCS)
• Numbered set of PKI standards defined by the RSA Corporation– Widely accepted in industry– Based on the RSA public-key algorithm
Security+ Guide to Network Security Fundamentals, Fourth Edition 31
Security+ Guide to Network Security Fundamentals, Fourth Edition 32
Table 12-2 PKCS standards (continues)
Security+ Guide to Network Security Fundamentals, Fourth Edition 33
Table 12-2 PKCS standards (cont’d.)
Security+ Guide to Network Security Fundamentals, Fourth Edition 34
Figure 12-7 Microsoft Windows PKCS support© Cengage Learning 2012
Trust Models
• Trust– Confidence in or reliance on another person or entity
• Trust model– Refers to type of trusting relationship that can exist
between individuals and entities
• Direct trust– One person knows the other person
• Third-party trust– Two individuals trust each other because each trusts
a third party
Security+ Guide to Network Security Fundamentals, Fourth Edition 35
Trust Models (cont’d.)
• Hierarchical trust model– Assigns single hierarchy with one master CA called
the root– Root signs all digital certificate authorities with a
single key– Can be used in an organization where one CA is
responsible for only that organization’s digital certificates
• Hierarchical trust model has several limitations– Single CA private key may be compromised
rendering all certificates worthlessSecurity+ Guide to Network Security Fundamentals, Fourth Edition 36
Security+ Guide to Network Security Fundamentals, Fourth Edition 37
Figure 12-8 Hierarchical trust model© Cengage Learning 2012
Trust Models (cont’d.)
• Distributed trust model– Multiple CAs sign digital certificates– Eliminates limitations of hierarchical trust model
• Bridge trust model– One CA acts as facilitator to connect all other CAs
• Facilitator CA does not issue digital certificates– Acts as hub between hierarchical and distributed
trust model– Allows the different models to be linked
Security+ Guide to Network Security Fundamentals, Fourth Edition 38
Security+ Guide to Network Security Fundamentals, Fourth Edition 39
Figure 12-9 Distributed trust model© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 40
Figure 12-10 Bridge trust model© Cengage Learning 2012
Trust Models (cont’d.)
• Bridge trust application examples – Federal and state governments– Pharmaceutical industry– Aerospace industry
Security+ Guide to Network Security Fundamentals, Fourth Edition 41
Managing PKI
• Certificate Policy (CP)– Published set of rules that govern operation of a PKI– Provides recommended baseline security
requirements for use and operation of CA, RA, and other PKI components
• Certificate Practice Statement (CPS)– Describes in detail how the CA uses and manages
certificates
Security+ Guide to Network Security Fundamentals, Fourth Edition 42
Managing PKI (cont’d.)
• Certificate life cycle– Creation
• Occurs after user is positively identified
– Suspension• May occur when employee on leave of absence
– Revocation• Certificate no longer valid
– Expiration• Key can no longer be used
Security+ Guide to Network Security Fundamentals, Fourth Edition 43
Key Storage
• Means of public key storage– Embedding within digital certificates
• Means of private key storage– Stored on user’s local system
• Software-based storage may expose keys to attackers
• Alternative: storing keys in hardware– Tokens– Smart-cards
Security+ Guide to Network Security Fundamentals, Fourth Edition 44
Key Usage
• Multiple pairs of dual keys– Created if more security needed than single set of
public/private keys– One pair used to encrypt information
• Public key backed up in another location
– Second pair used only for digital signatures• Public key in that pair never backed up
Security+ Guide to Network Security Fundamentals, Fourth Edition 45
Key-Handling Procedures
• Key escrow– Keys managed by a third party– Private key is split and each half is encrypted– Two halves sent to third party, which stores each half
in separate location– User can retrieve and combine two halves and use
this new copy of private key for decryption
• Expiration– Keys expire after a set period of time
Security+ Guide to Network Security Fundamentals, Fourth Edition 46
Key-Handling Procedures (cont’d.)
• Renewal– Existing key can be renewed
• Revocation– Key may be revoked prior to its expiration date– Revoked keys may not be reinstated
• Recovery– Need to recover keys of an employee hospitalized
for extended period– Key recovery agent may be used– Group of people may be used (M-of-N control)
Security+ Guide to Network Security Fundamentals, Fourth Edition 47
Security+ Guide to Network Security Fundamentals, Fourth Edition 48
Figure 12-11 M-of-N control© Cengage Learning 2012
Key-Handling Procedures (cont’d.)
• Suspension– Suspended for a set period of time and then
reinstated
• Destruction– Removes all public and private keys and user’s
identification from the CA
Security+ Guide to Network Security Fundamentals, Fourth Edition 49
Transport Encryption Algorithms
• Secure Sockets Layer (SSL)– Most common transport encryption algorithm– Developed by Netscape– Uses a public key to encrypt data transferred over
the SSL connection
• Transport Layer Security (TLS)– Protocol that guarantees privacy and data integrity
between applications communicating over the Internet
• Both provide server and client authentication, and data encryption
Security+ Guide to Network Security Fundamentals, Fourth Edition 50
Secure Shell (SSH)
• Encrypted alternative to Telnet protocol used to access remote computers
• Linux/UNIX-based command interface and protocol
• Suite of three utilities: slogin, ssh, and scp
• Client and server ends of connection are authenticated using a digital certificate
• Passwords are encrypted
• Can be used as a tool for secure network backups
Security+ Guide to Network Security Fundamentals, Fourth Edition 51
Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
• Common use of SSL– Secure Web Hypertext Transport Protocol (HTTP)
communications between browser and Web server– Users must enter URLs with https://
• Secure Hypertext Transport Protocol (SHTTP)– Cryptographic transport protocol released as a public
specification– Supports a variety of encryption types, including
3DES– Not as widely used as HTTPS
Security+ Guide to Network Security Fundamentals, Fourth Edition 53
IP Security (IPsec)
• Open System Interconnection (OSI) model– Security tools function at different layers
• Operating at higher levels such as Application layer– Advantage: tools designed to protect specific
applications– Disadvantage: multiple security tools may be needed
• IPsec– Set of protocols developed to support secure
exchange of packets– Operates at a low level in the OSI model
Security+ Guide to Network Security Fundamentals, Fourth Edition 54
Security+ Guide to Network Security Fundamentals, Fourth Edition 55
Figure 12-12 Security tools and the OSI model© Cengage Learning 2012
IP Security (cont’d.)
• IPsec considered transparent to:– Applications– Users– Software
• Located in the operating system or communication hardware
• Provides authentication, confidentiality, and key management
• Supports two encryption modes: transport and tunnel
Security+ Guide to Network Security Fundamentals, Fourth Edition 56
Security+ Guide to Network Security Fundamentals, Fourth Edition 57
Figure 12-13 New IPsec packet using transport or tunnel mode© Cengage Learning 2012
Summary
• Digital certificate provides third party verification of public key owner’s identity
• A Certificate Authority issues digital certificates for others
• Personal digital certificates are issued by an RA to individuals
• Server digital certificates ensure authenticity of a Web server and its cryptographic connection
Security+ Guide to Network Security Fundamentals, Fourth Edition 58
Summary (cont’d.)
• PKI is a framework for all entities involved in digital certificates
• Three basic PKI trust models exist
• Cryptography can protect data as it is being transported across a network– SSL/TLS is a widely used algorithm
• IPsec supports a secure exchange of packets– Considered to be a transparent security protocol
Security+ Guide to Network Security Fundamentals, Fourth Edition 59