Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 12 Advanced Cryptography.

Security+ Guide to Network Security Fundamentals,

Fourth Edition

Chapter 12Advanced Cryptography

Objectives

• Define digital certificates

• List the various types of digital certificates and how they are used

• Describe the components of Public Key Infrastructure (PKI)

• List the tasks associated with key management

• Describe the different transport encryption algorithms

Security+ Guide to Network Security Fundamentals, Fourth Edition 2

Digital Certificates

• Common application of cryptography

• Aspects of using digital certificates– Understanding their purpose– Knowing how they are managed– Determining which type of digital certificate is

appropriate for different situations


Defining Digital Certificates

• Digital signature– Used to prove a document originated from a valid

sender

• Weakness of using digital signatures– Imposter could post a public key under a sender’s

name



Figure 12-1 Imposter public key© Cengage Learning 2012

Defining Digital Certificates (cont’d.)

• Trusted third party– Used to help solve the problem of verifying identity– Verifies the owner and that the public key belongs to

that owner– Helps prevent man-in-the-middle attack that

impersonates owner of public key

• Information contained in a digital certificate– Owner’s name or alias– Owner’s public key– Issuer’s name


Defining Digital Certificates (cont’d.)

• Information contained in a digital certificate (cont’d.)– Issuer’s digital signature– Digital certificate’s serial number– Expiration date of the public key


Managing Digital Certificates

• Technologies used for managing digital certificates– Certificate Authority (CA)– Registration Authority (RA)– Certificate Revocation List (CRL)– Certificate Repository (CR)– Web browser

• Certificate Authority– Trusted third party– Responsible for issuing digital certificates– Can be internal or external to an organization


Managing Digital Certificates (cont’d.)

• Duties of a CA– Generate, issue, an distribute public key certificates– Distribute CA certificates– Generate and publish certificate status information– Provide a means for subscribers to request

revocation– Revoke public-key certificates– Maintain security, availability, and continuity of

certificate issuance signing functions



• Subscriber requesting a digital certificate– Generates public and private keys– Sends public key to CA– CA may in some instances create the keys– CA inserts public key into certificate– Certificates are digitally signed with private key of

issuing CA



• Registration Authority– Subordinate entity designed to handle specific CA

tasks• Offloading registration functions creates improved

workflow for CA

• General duties of an RA– Receive, authenticate, and process certificate

revocation requests– Identify and authenticate subscribers



• General duties of an RA (cont’d.)– Obtain a public key from the subscriber– Verify that the subscriber possesses the asymmetric

private key corresponding to the public key submitted for certification

• Primary function of an RA– Verify identity of an individual



• Means for a digital certificate requestor to identify themselves to an RA– E-mail

• Insufficient for activities that must be very secure

– Documents• Birth certificate, employee badge

– In person• Providing government-issued passport or driver’s

license



• Certificate Revocation List– Lists digital certificates that have been revoked

• Reasons a certificate would be revoked– Certificate is no longer used– Details of the certificate have changed, such as

user’s address– Private key has been lost or exposed (or suspected

lost or exposed)



Figure 12-2 Certificate Revocation List (CRL)© Cengage Learning 2012


• Certificate Repository– Publicly accessible centralized directory of digital

certificates– Used to view certificate status– Can be managed locally as a storage area

connected to the CA server– Can be made available through a Web browser

interface



Figure 12-3 Certificate Repository (CR)© Cengage Learning 2012


• Web browser management– Modern Web browsers preconfigured with default list

of CAs

• Advantages– Users can take advantage of digital certificates

without need to manually load information– Users do not need to install a CRL manually

• Automatic updates feature will install them automatically if feature is enabled



Figure 12-4 Web browser default CAs© Cengage Learning 2012

Types of Digital Certificates

• Different categories of digital certificates– Class 1 through Class 5– Dual-key sided– Dual sided

• Other uses for digital certificates– Provide secure communication between clients and

servers by encrypting channels– Encrypt messages for secure Internet e-mail

communication


Types of Digital Certificates (cont’d.)

• Other uses for digital certificates (cont’d.)– Verify the identity of clients and servers on the Web– Verify the source and integrity of signed executable

code

• Common categories of digital certificates– Personal digital certificates– Server digital certificates– Software publisher digital certificates



• Class 1: personal digital certificates– Issued by an RA directly to individuals– Frequently used to secure e-mail transmissions– Typically only require user’s name and e-mail

address to receive

• Class 2: server digital certificates– Issued from a Web server to a client– Ensure authenticity of the Web server– Ensure authenticity of the cryptographic connection

to the Web server



Figure 12-5 Server digital certificate© Cengage Learning 2012


• Class 2: server digital certificates (cont’d.)– Server authentication and secure communication

can be combined into one certificate• Displays padlock icon in the Web browser

• Click padlock icon to display information about the digital certificate

• Extended Validation SSL Certificate (EV SSL)– Requires more extensive verification of legitimacy of

the business



Figure 12-6 Padlock icon and certificate information© Cengage Learning 2012


• Class 3: software publisher digital certificates– Provided by software publishers– Purpose: verify programs are secure and have not

been tampered with

• Dual-key digital certificates– Reduce need for storing multiple copies of the

signing certificate– Facilitate certificate handling in organizations

• Copies kept in central storage repository



• Dual-sided certificates– Provides ability for client to authenticate back to the

server– Both sides of the session validate themselves

• X.509 digital certificates– Standard for most widely accepted format for digital

certificates



Table 12-1 X.509 structure

Public Key Infrastructure (PKI)

• Important management tool for the use of:– Digital certificates:– Asymmetric cryptography

• Aspects of PKI– Public-key cryptography standards– Trust models– Key management


What is Public Key Infrastructure?

• Need for consistent means to manage digital certificates

• PKI: framework for all entities involved in digital certificates

• Certificate management actions facilitated by PKI– Create– Store– Distribute– Revoke


Public-Key Cryptographic Standards (PKCS)

• Numbered set of PKI standards defined by the RSA Corporation– Widely accepted in industry– Based on the RSA public-key algorithm



Table 12-2 PKCS standards (continues)


Table 12-2 PKCS standards (cont’d.)


Figure 12-7 Microsoft Windows PKCS support© Cengage Learning 2012

Trust Models

• Trust– Confidence in or reliance on another person or entity

• Trust model– Refers to type of trusting relationship that can exist

between individuals and entities

• Direct trust– One person knows the other person

• Third-party trust– Two individuals trust each other because each trusts

a third party


Trust Models (cont’d.)

• Hierarchical trust model– Assigns single hierarchy with one master CA called

the root– Root signs all digital certificate authorities with a

single key– Can be used in an organization where one CA is

responsible for only that organization’s digital certificates

• Hierarchical trust model has several limitations– Single CA private key may be compromised

rendering all certificates worthlessSecurity+ Guide to Network Security Fundamentals, Fourth Edition 36


Figure 12-8 Hierarchical trust model© Cengage Learning 2012


• Distributed trust model– Multiple CAs sign digital certificates– Eliminates limitations of hierarchical trust model

• Bridge trust model– One CA acts as facilitator to connect all other CAs

• Facilitator CA does not issue digital certificates– Acts as hub between hierarchical and distributed

trust model– Allows the different models to be linked



Figure 12-9 Distributed trust model© Cengage Learning 2012


Figure 12-10 Bridge trust model© Cengage Learning 2012


• Bridge trust application examples – Federal and state governments– Pharmaceutical industry– Aerospace industry


Managing PKI

• Certificate Policy (CP)– Published set of rules that govern operation of a PKI– Provides recommended baseline security

requirements for use and operation of CA, RA, and other PKI components

• Certificate Practice Statement (CPS)– Describes in detail how the CA uses and manages

certificates


Managing PKI (cont’d.)

• Certificate life cycle– Creation

• Occurs after user is positively identified

– Suspension• May occur when employee on leave of absence

– Revocation• Certificate no longer valid

– Expiration• Key can no longer be used


Key Storage

• Means of public key storage– Embedding within digital certificates

• Means of private key storage– Stored on user’s local system

• Software-based storage may expose keys to attackers

• Alternative: storing keys in hardware– Tokens– Smart-cards


Key Usage

• Multiple pairs of dual keys– Created if more security needed than single set of

public/private keys– One pair used to encrypt information

• Public key backed up in another location

– Second pair used only for digital signatures• Public key in that pair never backed up


Key-Handling Procedures

• Key escrow– Keys managed by a third party– Private key is split and each half is encrypted– Two halves sent to third party, which stores each half

in separate location– User can retrieve and combine two halves and use

this new copy of private key for decryption

• Expiration– Keys expire after a set period of time


Key-Handling Procedures (cont’d.)

• Renewal– Existing key can be renewed

• Revocation– Key may be revoked prior to its expiration date– Revoked keys may not be reinstated

• Recovery– Need to recover keys of an employee hospitalized

for extended period– Key recovery agent may be used– Group of people may be used (M-of-N control)



Figure 12-11 M-of-N control© Cengage Learning 2012

Key-Handling Procedures (cont’d.)

• Suspension– Suspended for a set period of time and then

reinstated

• Destruction– Removes all public and private keys and user’s

identification from the CA


Transport Encryption Algorithms

• Secure Sockets Layer (SSL)– Most common transport encryption algorithm– Developed by Netscape– Uses a public key to encrypt data transferred over

the SSL connection

• Transport Layer Security (TLS)– Protocol that guarantees privacy and data integrity

between applications communicating over the Internet

• Both provide server and client authentication, and data encryption


Secure Shell (SSH)

• Encrypted alternative to Telnet protocol used to access remote computers

• Linux/UNIX-based command interface and protocol

• Suite of three utilities: slogin, ssh, and scp

• Client and server ends of connection are authenticated using a digital certificate

• Passwords are encrypted

• Can be used as a tool for secure network backups



Table 12-3 SSH commands

Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)

• Common use of SSL– Secure Web Hypertext Transport Protocol (HTTP)

communications between browser and Web server– Users must enter URLs with https://

• Secure Hypertext Transport Protocol (SHTTP)– Cryptographic transport protocol released as a public

specification– Supports a variety of encryption types, including

3DES– Not as widely used as HTTPS


IP Security (IPsec)

• Open System Interconnection (OSI) model– Security tools function at different layers

• Operating at higher levels such as Application layer– Advantage: tools designed to protect specific

applications– Disadvantage: multiple security tools may be needed

• IPsec– Set of protocols developed to support secure

exchange of packets– Operates at a low level in the OSI model



Figure 12-12 Security tools and the OSI model© Cengage Learning 2012

IP Security (cont’d.)

• IPsec considered transparent to:– Applications– Users– Software

• Located in the operating system or communication hardware

• Provides authentication, confidentiality, and key management

• Supports two encryption modes: transport and tunnel



Figure 12-13 New IPsec packet using transport or tunnel mode© Cengage Learning 2012

Summary

• Digital certificate provides third party verification of public key owner’s identity

• A Certificate Authority issues digital certificates for others

• Personal digital certificates are issued by an RA to individuals

• Server digital certificates ensure authenticity of a Web server and its cryptographic connection


Summary (cont’d.)

• PKI is a framework for all entities involved in digital certificates

• Three basic PKI trust models exist

• Cryptography can protect data as it is being transported across a network– SSL/TLS is a widely used algorithm

• IPsec supports a secure exchange of packets– Considered to be a transparent security protocol


Date post:	21-Dec-2015
Category:	Documents
Upload:	thomas-page
View:	223 times
Download:	2 times