Chapter 9: Using and Managing Keys

sunflowerplateΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 8 μήνες)

87 εμφανίσεις

Chapter 9: Using and

Managing Keys

Security+ Guide to Network
Security Fundamentals

Second Edition

Objectives


Explain cryptography strengths and
vulnerabilities


Define public key infrastructure (PKI)


Manage digital certificates


Explore key management

Understanding Cryptography
Strengths and Vulnerabilities


Cryptography is science of
“scrambling” data through
encryption

so it cannot be viewed by
unauthorized users, making it secure
while being transmitted or stored


When the recipient receives encrypted
text or another user wants to access
stored information, it must be
decrypted

with the
cipher and key

to
produce the original plaintext

Symmetric Cryptography

Strengths and Weaknesses


Identical keys

are used to both
encrypt

and
decrypt

the message


Popular symmetric cipher algorithms include
Data Encryption Standard

(DES),
Triple Data
Encryption

(3DES) Standard,
Advanced
Encryption Standard

(AES),
Rivest Cipher

(RC),
International Data Encryption
Algorithm

(IDEA), and
Blowfish


The
advantage

of
symmetric ciphers

is they
are fast.


Disadvantages

of symmetric encryption
relate to the difficulties of
managing

the
private key

Asymmetric Cryptography Strengths
and Vulnerabilities


With
asymmetric encryption
,
two keys

(key pair) are used instead of one


The
private

key encrypts the message


The
public

key decrypts the message


Remember, the public key can also be
used to encrypt and the private key can
be used to decrypt since the two keys are
mathematically related.


Asymmetric Cryptography Strengths
and Vulnerabilities


Asym keys can greatly improve
cryptography security, convenience, and
flexibility


Public keys can be
distributed

freely


Users cannot deny they have sent a
message if they have previously
encrypted the message with their private
keys (
non repudiation
)


Primary
disadvantage

is that it is
computing
-
intensive

Digital Signatures


Asymmetric encryption

allows you to use either
the public or private key to encrypt a message;
the receiver uses the other key to decrypt the
message


However, how can you be sure that the
message you received is from the
actual
sender
?


How can you prove your own
identity
?


A digital signature helps to prove that:


The person sending the message with a public key is
who they claim to be


(b/c I used my private key to encrypt the hash
used in the signature)


The message was not altered


It cannot be denied the message was sent

Digital Certificates


Digital documents that associate an
individual
(identity) with its specific
public
key


A digital certificate is a Data structure
containing a
public key
, details about the
key owner
, and other optional
information that is all digitally
signed by
a trusted
third party

Certification Authority (CA)


The owner of the public key listed in the
digital certificate can be identified to the
CA in different ways


By their e
-
mail address


By additional information that describes the
digital certificate and limits the scope of its
use


Revoked

digital certificates are listed in a
Certificate Revocation List

(CRL), which
can be accessed to check the certificate
status of other users

Certification Authority (CA)


The CA must
publish

the certificates and
CRLs to a directory immediately after a
certificate is
issued or revoked

so users
can refer to this directory to see changes


This information is available in a publicly
accessible directory, called a
Certificate
Repository

(CR)


Some organizations set up a
Registration
Authority

(RA) to handle some CA tasks
such as processing certificate requests
and authenticating users

Understanding Public Key
Infrastructure (PKI)


Weaknesses associated with asymmetric
cryptography led to the development of
PKI


PKI is a
conceptual model
, much like the
OSI model in which public keys are made
available and managed


PKI describes the means by which the
public key cryptography system is going
to be implemented

Description of PKI


PKI is a system that manages keys and identity
information required for asymmetric
cryptography, integrating digital certificates,
public keys, and CAs


For a typical enterprise:


Provides end
-
user enrollment software


Integrates corporate certificate directories


Manages, renews, and revokes certificates


Provides related network services and security


Uses protocol standards by which asym
cryptography could be used automatically
across all platforms and applications.

PKI Standards and Protocols


Two major standards are responsible for
PKI


Public Key Cryptography Standards (PKCS)


X.509 certificate standards

Public Key Cryptography

Standards (PKCS)


Numbered set of standards that have been
defined by the
RSA Corporation

since 1991


Based on the RSA public key algorithm


Composed of
15 standards

detailed on
pages 318 and 319 of the text

For example:


PKCS#1 defines the RSA Encryption Standard


PKCS#3 defines the Diffie
-
Hellman key agreement


PKCS#11 defines Cryptographic Token Interface Standard

(Tokens and Smart Cards)


PKCS#13 defines the Elliptic Curve Cryptography Standard

X.509 Digital Certificates


X.509 is an international standard
defined by the
International
Telecommunication Union

(ITU) that
defines the format for the digital
certificate


Most widely used certificate format for
PKI


X.509 is used by
Secure Socket Layers

(SSL)/
Transport Layer Security

(TLS),
IP Security

(IPSec), and
Secure/Multipurpose Internet Mail
Extensions

(S/MIME)

X509 Digital Certificates

Trust Models


The foundation of PKI is based on
trust


Refers to the type of
relationship

that can
exist
between people or organizations


In the
direct trust
, a
personal relationship

exists between
two individuals


Third
-
party trust

refers to a situation in which
two individuals trust each other only because
each individually trusts a
third party


The
three different PKI trust models

are based
on direct and/or third
-
party trust

Trust Models (continued)


The
web of trust

model is based on
direct
trust


I trust you and you trust your brother and your
brother trusts you, so we
all trust each other


You can send me your brother’s public key


Single
-
point trust

model is based on
third
-
party trust


A CA directly issues and signs certificates


In an
hierarchical trust model
, the primary or
root certificate authority issues and signs the
certificates for CAs below it


Also based on
third party trust

Trust Models (continued)

Managing Digital Certificates


After a user decides to trust a CA, they
can download the
digital certificate

and
public key from the CA and store them
on their local computer


CA certificates are issued by a CA directly
to individuals


Typically used to secure e
-
mail
transmissions through S/MIME and web
transmissions through SSL/TLS


Managing Digital Certificates

Managing Digital Certificates


Server certificates

can be issued from
a Web server, FTP server, or mail
server to ensure a secure transmission


Software publisher certificates

are
provided by software publishers to
verify their programs are secure

Certificate Life Cycle


Typically divided into four parts:

1.
Creation

2.
Revocation

3.
Expiration

4.
Suspension

Exploring Key Management


Because keys form the very
foundation of the algorithms in
asymmetric and PKI systems, it is vital
that they be carefully managed

Centralized and Decentralized
Management


Key management can either be
centralized

or
decentralized



An example of a
decentralized

key
management system is the PKI
web of
trust

model


Centralized

key management is the
foundation for single
-
point trust
models and hierarchical trust models,
with
keys being distributed by the CA

Key Storage


It is possible to store public keys by
embedding them within digital
certificates


This is a form of software
-
based
storage and doesn’t involve any
cryptography hardware


Another form of software
-
based
storage involves storing private keys
on the user’s local computer

Key Storage (continued)


Storing keys in hardware is an
alternative to software
-
based keys


Keys stored on hardware are stored on a
token (USB drive) or card


Whether private keys are stored in
hardware or software, it is important
that they be adequately protected


Password protected


Backed
-
up

Key Handling Procedures


Certain procedures can help ensure
that keys are properly handled:


Escrow


-

handled by third
-
party



Renewal


renew before expiration



Suspension


suspend but not revoke


Destruction


removes the key pair


Expiration


key pair expires


Revocation


key revoked and invalid


Recovery


key divided and given to
different parties for later recovery


Summary


One of the advantages of symmetric
cryptography is that encryption and
decryption using a private key is
usually fast and easy to implement


A digital signature solves the problem
of authenticating the sender when
using asymmetric cryptography


With the number of different tools
required for asymmetric cryptography,
an organization can find itself
implementing piecemeal solutions for
different applications


Summary (continued)


PKCS is a numbered set of standards
that have been defined by the RSA
Corporation since 1991


The three PKI trust models are based
on direct and third
-
party trust


Digital certificates are managed
through CPs and CPSs