Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 12 Advanced Cryptography

Security+ Guide to Network Security Fundamentals, Fourth ...cf.linnbenton.edu/bcs/cs/beckerd/upload/CS284Ch12.pdf · Managing Digital Certificates (cont’d.) •Duties ... Security+

Jul 26, 2018


dinhmien
Page 1

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 12
Advanced Cryptography

Page 2

Objectives

• Define digital certificates
• List the various types of digital certificates and how they are used
• Describe the components of Public Key Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different transport encryption algorithms

Security+ Guide to Network Security Fundamentals, Fourth Edition 2

Page 3

Digital Certificates

• Common application of cryptography
• Aspects of using digital certificates
  – Understanding their purpose
  – Knowing how they are managed
  – Determining which type of digital certificate is appropriate for different situations

Page 4

Defining Digital Certificates

• Digital signature
  – Used to prove a document originated from a valid sender
• Weakness of using digital signatures
  – Imposter could post a public key under a sender’s name

Page 5

Figure 12-1 Imposter public key © Cengage Learning 2012

Page 6

Defining Digital Certificates (cont’d.)

• Trusted third party
  – Used to help solve the problem of verifying identity
  – Verifies the owner and that the public key belongs to that owner
  – Helps prevent man-in-the-middle attack that impersonates owner of public key
• Information contained in a digital certificate
  – Owner’s name or alias
  – Owner’s public key
  – Issuer’s name

Page 7

Defining Digital Certificates (cont’d.)

• Information contained in a digital certificate (cont’d.)
  – Issuer’s digital signature
  – Digital certificate’s serial number
  – Expiration date of the public key

Page 8

Managing Digital Certificates

• Technologies used for managing digital certificates
  – Certificate Authority (CA)
  – Registration Authority (RA)
  – Certificate Revocation List (CRL)
  – Certificate Repository (CR)
  – Web browser
• Certificate Authority
  – Trusted third party
  – Responsible for issuing digital certificates
  – Can be internal or external to an organization

Page 9

Managing Digital Certificates (cont’d.)

• Duties of a CA
  – Generate, issue, and distribute public key certificates
  – Distribute CA certificates
  – Generate and publish certificate status information
  – Provide a means for subscribers to request revocation
  – Revoke public-key certificates
  – Maintain security, availability, and continuity of certificate issuance signing functions

Page 10

Managing Digital Certificates (cont’d.)

• Subscriber requesting a digital certificate
  – Generates public and private keys
  – Sends public key to CA
  – CA may in some instances create the keys
  – CA inserts public key into certificate
  – Certificates are digitally signed with private key of issuing CA

Page 11

Managing Digital Certificates (cont’d.)

• Registration Authority
  – Subordinate entity designed to handle specific CA tasks
    • Offloading registration functions creates improved workflow for CA
• General duties of an RA
  – Receive, authenticate, and process certificate revocation requests
  – Identify and authenticate subscribers

Page 12

Managing Digital Certificates (cont’d.)

• General duties of an RA (cont’d.)
  – Obtain a public key from the subscriber
  – Verify that the subscriber possesses the asymmetric private key corresponding to the public key submitted for certification
• Primary function of an RA
  – Verify identity of an individual

Page 13

Managing Digital Certificates (cont’d.)

• Means for a digital certificate requestor to identify themselves to an RA
  – E-mail
    • Insufficient for activities that must be very secure
  – Documents
    • Birth certificate, employee badge
  – In person
    • Providing government-issued passport or driver’s license

Page 14

Managing Digital Certificates (cont’d.)

• Certificate Revocation List
  – Lists digital certificates that have been revoked
• Reasons a certificate would be revoked
  – Certificate is no longer used
  – Details of the certificate have changed, such as user’s address
  – Private key has been lost or exposed (or suspected lost or exposed)

Page 15

Figure 12-2 Certificate Revocation List (CRL) © Cengage Learning 2012

Page 16

Managing Digital Certificates (cont’d.)

• Certificate Repository
  – Publicly accessible centralized directory of digital certificates
  – Used to view certificate status
  – Can be managed locally as a storage area connected to the CA server
  – Can be made available through a Web browser interface

Page 17

Figure 12-3 Certificate Repository (CR) © Cengage Learning 2012

Page 18

Managing Digital Certificates (cont’d.)

• Web browser management
  – Modern Web browsers preconfigured with default list of CAs
• Advantages
  – Users can take advantage of digital certificates without need to manually load information
  – Users do not need to install a CRL manually
    • Automatic updates feature will install them automatically if feature is enabled

Page 19

Figure 12-4 Web browser default CAs © Cengage Learning 2012

Page 20

Types of Digital Certificates

• Different categories of digital certificates
  – Class 1 through Class 5
  – Dual-key
  – Dual-sided
• Other uses for digital certificates
  – Provide secure communication between clients and servers by encrypting channels
  – Encrypt messages for secure Internet e-mail communication

Page 21

Types of Digital Certificates (cont’d.)

• Other uses for digital certificates (cont’d.)
  – Verify the identity of clients and servers on the Web
  – Verify the source and integrity of signed executable code
• Common categories of digital certificates
  – Personal digital certificates
  – Server digital certificates
  – Software publisher digital certificates

Page 22

Types of Digital Certificates (cont’d.)

• Class 1: personal digital certificates
  – Issued by an RA directly to individuals
  – Frequently used to secure e-mail transmissions
  – Typically only require user’s name and e-mail address to receive
• Class 2: server digital certificates
  – Issued from a Web server to a client
  – Ensure authenticity of the Web server
  – Ensure authenticity of the cryptographic connection to the Web server

Page 23

Figure 12-5 Server digital certificate © Cengage Learning 2012

Page 24

Types of Digital Certificates (cont’d.)

• Class 2: server digital certificates (cont’d.)
  – Server authentication and secure communication can be combined into one certificate
    • Displays padlock icon in the Web browser
    • Click padlock icon to display information about the digital certificate
• Extended Validation SSL Certificate (EV SSL)
  – Requires more extensive verification of legitimacy of the business

Page 25

Figure 12-6 Padlock icon and certificate information © Cengage Learning 2012

Page 26

Types of Digital Certificates (cont’d.)

• Class 3: software publisher digital certificates
  – Provided by software publishers
  – Purpose: verify programs are secure and have not been tampered with
• Dual-key digital certificates
  – Reduce need for storing multiple copies of the signing certificate
  – Facilitate certificate handling in organizations
    • Copies kept in central storage repository

Page 27

Types of Digital Certificates (cont’d.)

• Dual-sided certificates
  – Provide ability for client to authenticate back to the server
  – Both sides of the session validate themselves
• X.509 digital certificates
  – Standard for most widely accepted format for digital certificates

Page 28

Table 12-1 X.509 structure

Page 29

Public Key Infrastructure (PKI)

• Important management tool for the use of:
  – Digital certificates
  – Asymmetric cryptography
• Aspects of PKI
  – Public-key cryptography standards
  – Trust models
  – Key management

Page 30

What is Public Key Infrastructure?

• Need for consistent means to manage digital certificates
• PKI: framework for all entities involved in digital certificates
• Certificate management actions facilitated by PKI
  – Create
  – Store
  – Distribute
  – Revoke

Page 31

Public-Key Cryptographic Standards (PKCS)

• Numbered set of PKI standards defined by the RSA Corporation
  – Widely accepted in industry
  – Based on the RSA public-key algorithm

Page 32

Table 12-2 PKCS standards (continues)

Page 33

Table 12-2 PKCS standards (cont’d.)

Page 34

Figure 12-7 Microsoft Windows PKCS support © Cengage Learning 2012

Page 35

Trust Models

• Trust
  – Confidence in or reliance on another person or entity
• Trust model
  – Refers to type of trusting relationship that can exist between individuals and entities
• Direct trust
  – One person knows the other person
• Third-party trust
  – Two individuals trust each other because each trusts a third party

Page 36

Trust Models (cont’d.)

• Hierarchical trust model
  – Assigns single hierarchy with one master CA called the root
  – Root signs all digital certificate authorities with a single key
  – Can be used in an organization where one CA is responsible for only that organization’s digital certificates
• Hierarchical trust model has several limitations
  – Single CA private key may be compromised rendering all certificates worthless

Page 37

Figure 12-8 Hierarchical trust model © Cengage Learning 2012

Page 38

Trust Models (cont’d.)

• Distributed trust model
  – Multiple CAs sign digital certificates
  – Eliminates limitations of hierarchical trust model
• Bridge trust model
  – One CA acts as facilitator to connect all other CAs
    • Facilitator CA does not issue digital certificates
  – Acts as hub between hierarchical and distributed trust model
  – Allows the different models to be linked

Page 39

Figure 12-9 Distributed trust model © Cengage Learning 2012

Page 40

Figure 12-10 Bridge trust model © Cengage Learning 2012

Page 41

Trust Models (cont’d.)

• Bridge trust application examples
  – Federal and state governments
  – Pharmaceutical industry
  – Aerospace industry

Page 42

Managing PKI

• Certificate Policy (CP)
  – Published set of rules that govern operation of a PKI
  – Provides recommended baseline security requirements for use and operation of CA, RA, and other PKI components
• Certificate Practice Statement (CPS)
  – Describes in detail how the CA uses and manages certificates

Page 43

Managing PKI (cont’d.)

• Certificate life cycle
  – Creation
    • Occurs after user is positively identified
  – Suspension
    • May occur when employee on leave of absence
  – Revocation
    • Certificate no longer valid
  – Expiration
    • Key can no longer be used

Page 44

Key Storage

• Means of public key storage
  – Embedding within digital certificates
• Means of private key storage
  – Stored on user’s local system
    • Software-based storage may expose keys to attackers
• Alternative: storing keys in hardware
  – Tokens
  – Smart-cards

Page 45

Key Usage

• Multiple pairs of dual keys
  – Created if more security needed than single set of public/private keys
  – One pair used to encrypt information
    • Public key backed up in another location
  – Second pair used only for digital signatures
    • Public key in that pair never backed up

Page 46

Key-Handling Procedures

• Key escrow
  – Keys managed by a third party
  – Private key is split and each half is encrypted
  – Two halves sent to third party, which stores each half in separate location
  – User can retrieve and combine two halves and use this new copy of private key for decryption
• Expiration
  – Keys expire after a set period of time

Page 47

Key-Handling Procedures (cont’d.)

• Renewal
  – Existing key can be renewed
• Revocation
  – Key may be revoked prior to its expiration date
  – Revoked keys may not be reinstated
• Recovery
  – Need to recover keys of an employee hospitalized for extended period
  – Key recovery agent may be used
  – Group of people may be used (M-of-N control)

Page 48

Figure 12-11 M-of-N control © Cengage Learning 2012
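The M-of-N control of slide 47 and Figure 12-11, together with the split private key of key escrow on slide 46, worked as an added example that is not the textbook's code. The slides do not prescribe a scheme, so the use of Shamir secret sharing (the two-half escrow split is its 2-of-2 case) and the 521-bit Mersenne prime chosen as the field are assumptions made here; the escrowed private key is a constructed random integer.

```python
# Added example, not from the textbook: M-of-N control for key recovery using Shamir
# secret sharing over a prime field. The scheme and the field prime are assumptions.
import secrets
from typing import List, Tuple

PRIME = 2 ** 521 - 1  # every share and secret is an integer modulo this prime

def split_secret(secret: int, m: int, n: int) -> List[Tuple[int, int]]:
    """Split `secret` into n shares such that any m of them reconstruct it.
    Each share is a point (x, f(x)) on a random degree m-1 polynomial f with f(0) = secret."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation of f(0) from the given shares.
    Fewer than m shares yield a wrong value rather than an error: the scheme hides the
    secret but does not signal a short quorum, so the caller must enforce the count."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def demo(m: int = 3, n: int = 5) -> dict:
    """Escrow a constructed 256-bit private key with n agents, any m of whom can restore it."""
    private_key = secrets.randbits(256)
    shares = split_secret(private_key, m, n)
    return {
        "quorum_recovers": recover_secret(shares[:m]) == private_key,
        "any_m_recover": recover_secret(shares[-m:]) == private_key,
        "short_quorum_fails": recover_secret(shares[: m - 1]) != private_key,
    }
```

Each recovery agent holds one `(x, y)` share; any `m` agents can rebuild the key, while `m - 1` agents learn nothing about it. Because a short quorum returns a plausible-looking but wrong integer, a real recovery procedure should check the recovered private key against the public key in the employee's certificate before it is used.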

Page 49

Key-Handling Procedures (cont’d.)

• Suspension
  – Suspended for a set period of time and then reinstated
• Destruction
  – Removes all public and private keys and user’s identification from the CA

Page 50

Transport Encryption Algorithms

• Secure Sockets Layer (SSL)
  – Most common transport encryption algorithm
  – Developed by Netscape
  – Uses a public key to encrypt data transferred over the SSL connection
• Transport Layer Security (TLS)
  – Protocol that guarantees privacy and data integrity between applications communicating over the Internet
• Both provide server and client authentication, and data encryption

Page 51

Secure Shell (SSH)

• Encrypted alternative to Telnet protocol used to access remote computers
• Linux/UNIX-based command interface and protocol
• Suite of three utilities: slogin, ssh, and scp
• Client and server ends of connection are authenticated using a digital certificate
• Passwords are encrypted
• Can be used as a tool for secure network backups

Page 52

Table 12-3 SSH commands

Page 53

Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)

• Common use of SSL
  – Secure Web Hypertext Transport Protocol (HTTP) communications between browser and Web server
  – Users must enter URLs with https://
• Secure Hypertext Transport Protocol (SHTTP)
  – Cryptographic transport protocol released as a public specification
  – Supports a variety of encryption types, including 3DES
  – Not as widely used as HTTPS

Page 54

IP Security (IPsec)

• Open System Interconnection (OSI) model
  – Security tools function at different layers
• Operating at higher levels such as Application layer
  – Advantage: tools designed to protect specific applications
  – Disadvantage: multiple security tools may be needed
• IPsec
  – Set of protocols developed to support secure exchange of packets
  – Operates at a low level in the OSI model

Page 55

Figure 12-12 Security tools and the OSI model © Cengage Learning 2012

Page 56

IP Security (cont’d.)

• IPsec considered transparent to:
  – Applications
  – Users
  – Software
• Located in the operating system or communication hardware
• Provides authentication, confidentiality, and key management
• Supports two encryption modes: transport and tunnel

Page 57

Figure 12-13 New IPsec packet using transport or tunnel mode © Cengage Learning 2012

Page 58

Summary

• Digital certificate provides third party verification of public key owner’s identity
• A Certificate Authority issues digital certificates for others
• Personal digital certificates are issued by an RA to individuals
• Server digital certificates ensure authenticity of a Web server and its cryptographic connection

Page 59

Summary (cont’d.)

• PKI is a framework for all entities involved in digital certificates
• Three basic PKI trust models exist
• Cryptography can protect data as it is being transported across a network
  – SSL/TLS is a widely used algorithm
• IPsec supports a secure exchange of packets
  – Considered to be a transparent security protocol