PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)

Feb 14, 2017

Transcript
Page 1: PACE-IT, Security+ 6.3: Introduction to Public Key Infrastructure (part 2)

Introduction to public key infrastructure II.

Page 2

Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program – Edmonds Community College

Areas of expertise: PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Industry Certifications

Qualifications Summary

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Page 3

Introduction to public key infrastructure II.

– Certificate authority responsibilities.

– Additional public key infrastructure concepts.

Page 4

Certificate authority responsibilities.

Page 5

Certificate authority responsibilities.

– Main responsibilities of a certificate authority (CA).

» Issue the digital certificates that are used when implementing a public key infrastructure (PKI) solution.

• Requires that the CA review information supplied by the client making the request.

• The requester begins that process by providing the CA with a certificate signing request (CSR).

» Revoke digital certificates that the CA has issued in the case of fraud (on the requester’s part) or when a security breach that involves the digital certificate has occurred.

» Create, maintain, and publish a list of revoked digital certificates to help ensure that the PKI process remains trusted.

• One method of achieving this is through a certificate revocation list (CRL), which is periodically published to the CA’s website.

• Another method of achieving this is through the use of Online Certificate Status Protocol (OCSP). OCSP is a protocol that uses HTTP to query the revocation status of a single certificate directly from the CA that issued it, instead of downloading the CA’s entire list of revoked certificates.

Page 6

Additional public key infrastructure concepts.

Page 7

Additional public key infrastructure concepts.

– Recovery agent.

» A recovery agent is an individual with authorized access to the private key archive.

» Recovery agents are used within PKI to protect against loss of a private key due to the key holder’s absence.

• Private keys should be securely archived, with access to the archive strictly limited.

• Due to the sensitivity of private keys, in most cases, the recovery process requires more than a single recovery agent.

– Registration.

» A process that is typically used within an organization that has implemented PKI.

• The process is used to issue PKI certificates to employees or devices within the organization.

• The registration authority (RA) has the responsibility for verifying an individual’s or a device’s need for a digital certificate—passing the request on to the CA if required.

Page 8

Trust models are used in PKI in order to build PKI relationships (trust) between different organizations.

With PKI, trust can be created between two different CAs, so that each CA will implicitly trust the certificates issued by the other. This allows the organizations to quickly validate digital certificates that each receives from the other entity.

Trust models (also known as trust paths) are used to reduce the workload on PKI. Without the trust models, each implementation of PKI in the relationship would be required to issue digital certificates for the opposite party. Trust paths are also used to validate digital certificates issued by a subordinate CA back to the root CA.
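The CA duties from slide 5 (issuing from a CSR, revoking, publishing a CRL) and the subordinate-to-root trust path described here, worked through as an added example with the openssl command-line tool. This is not PACE-IT material; it assumes openssl is installed, and every name, path and subject is constructed for the demo.

```shell
#!/bin/sh
# Miniature PKI: a self-signed root CA, a subordinate CA it signs, and an
# end-entity certificate issued by the subordinate from a CSR. The relying
# party then validates the trust path back to the root, and re-checks it
# after the issuing CA revokes the certificate and publishes a CRL.
set -e

build_pki() {
  PKI_DIR=$(mktemp -d); cd "$PKI_DIR"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
  # Root CA: the trust anchor, self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
  # Subordinate CA: submits a CSR that the root reviews and signs (the trust path).
  openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj "/CN=Demo Sub CA" 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out sub.crt 2>/dev/null
  # End entity: the requester's CSR is signed by the subordinate CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=server.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
  # Minimal 'openssl ca' config so the subordinate CA can keep a revocation database and sign a CRL.
  printf '[ca]\ndefault_ca=sub\n[sub]\ndatabase=index.txt\ncertificate=sub.crt\nprivate_key=sub.key\ndefault_md=sha256\ndefault_crl_days=7\n' > ca.cnf
  : > index.txt
}

# Trust path check: leaf -> subordinate CA (untrusted intermediate) -> root CA (trusted anchor).
verify_chain() {
  openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/sub.crt" "$PKI_DIR/leaf.crt" >/dev/null 2>&1
}

# Revocation: the issuing CA records the compromise and publishes a fresh CRL.
revoke_leaf() {
  ( cd "$PKI_DIR" && openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise \
    && openssl ca -config ca.cnf -gencrl -out sub.crl ) >/dev/null 2>&1
}

# Same trust-path check, but the relying party also consults the issuer's CRL.
verify_chain_with_crl() {
  openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/sub.crt" \
    -CRLfile "$PKI_DIR/sub.crl" -crl_check "$PKI_DIR/leaf.crt" >/dev/null 2>&1
}

build_pki
verify_chain && echo "trust path valid before revocation"
revoke_leaf
if verify_chain_with_crl; then echo "unexpected: still accepted"; else echo "rejected: certificate revoked"; fi
```

Note that the plain chain check still succeeds after revocation; only a relying party that actually fetches the CRL (or asks OCSP) learns the certificate is no longer trustworthy.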

Additional public key infrastructure concepts.

Page 9

What was covered.

Topic: Certificate authority responsibilities.

Summary: The CA is responsible for issuing digital certificates that are used in implementing PKI. The process begins when the requester submits a CSR. The CA is also responsible for revoking digital certificates in the case of fraud or a security breach. The CA periodically publishes a CRL, which can be checked to see if a certificate has been revoked. Alternatively, OCSP can be used to check with the CA directly.

Topic: Additional public key infrastructure concepts.

Summary: Recovery agents are used in the private key recovery process. Due to the sensitive nature of the private key, in most cases, recovery requires action on the part of more than a single recovery agent. Trust models are used to build PKI trust relationships between different organizations. This eases the PKI workload on the individual entities. Trust paths are also used between a subordinate CA and the root CA.

Page 10

THANK YOU!

Page 11

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.