Chapter 9: Using and Managing Keys

Chapter 9: Using and

Managing Keys

Security+ Guide to Network
Security Fundamentals

Second Edition

Objectives


Explain cryptography strengths and
vulnerabilities


Define public key infrastructure (PKI)


Manage digital certificates


Explore key management

Understanding Cryptography
Strengths and Vulnerabilities


Cryptography is science of
“scrambling” data through
encryption

so it cannot be viewed by
unauthorized users, making it secure
while being transmitted or stored


When the recipient receives encrypted
text or another user wants to access
stored information, it must be
decrypted

with the
cipher and key

to
produce the original plaintext

Symmetric Cryptography

Strengths and Weaknesses


Identical keys

are used to both
encrypt

and
decrypt

the message


Popular symmetric cipher algorithms include
Data Encryption Standard

(DES),
Triple Data
Encryption

(3DES) Standard,
Advanced
Encryption Standard

(AES),
Rivest Cipher

(RC),
International Data Encryption
Algorithm

(IDEA), and
Blowfish


The
advantage

of
symmetric ciphers

is they
are fast.


Disadvantages

of symmetric encryption
relate to the difficulties of
managing

the
private key

Asymmetric Cryptography Strengths
and Vulnerabilities


With
asymmetric encryption
,
two keys

(key pair) are used instead of one


The
private

key encrypts the message


The
public

key decrypts the message


Remember, the public key can also be
used to encrypt and the private key can
be used to decrypt since the two keys are
mathematically related.


Asymmetric Cryptography Strengths
and Vulnerabilities


Asym keys can greatly improve
cryptography security, convenience, and
flexibility


Public keys can be
distributed

freely


Users cannot deny they have sent a
message if they have previously
encrypted the message with their private
keys (
non repudiation
)


Primary
disadvantage

is that it is
computing
-
intensive

Digital Signatures


Asymmetric encryption

allows you to use either
the public or private key to encrypt a message;
the receiver uses the other key to decrypt the
message


However, how can you be sure that the
message you received is from the
actual
sender
?


How can you prove your own
identity
?


A digital signature helps to prove that:


The person sending the message with a public key is
who they claim to be


(b/c I used my private key to encrypt the hash
used in the signature)


The message was not altered


It cannot be denied the message was sent

Digital Certificates


Digital documents that associate an
individual
(identity) with its specific
public
key


A digital certificate is a Data structure
containing a
public key
, details about the
key owner
, and other optional
information that is all digitally
signed by
a trusted
third party

Certification Authority (CA)


The owner of the public key listed in the
digital certificate can be identified to the
CA in different ways


By their e
-
mail address


By additional information that describes the
digital certificate and limits the scope of its
use


Revoked

digital certificates are listed in a
Certificate Revocation List

(CRL), which
can be accessed to check the certificate
status of other users

Certification Authority (CA)


The CA must
publish

the certificates and
CRLs to a directory immediately after a
certificate is
issued or revoked

so users
can refer to this directory to see changes


This information is available in a publicly
accessible directory, called a
Certificate
Repository

(CR)


Some organizations set up a
Registration
Authority

(RA) to handle some CA tasks
such as processing certificate requests
and authenticating users

Understanding Public Key
Infrastructure (PKI)


Weaknesses associated with asymmetric
cryptography led to the development of
PKI


PKI is a
conceptual model
, much like the
OSI model in which public keys are made
available and managed


PKI describes the means by which the
public key cryptography system is going
to be implemented

Description of PKI


PKI is a system that manages keys and identity
information required for asymmetric
cryptography, integrating digital certificates,
public keys, and CAs


For a typical enterprise:


Provides end
-
user enrollment software


Integrates corporate certificate directories


Manages, renews, and revokes certificates


Provides related network services and security


Uses protocol standards by which asym
cryptography could be used automatically
across all platforms and applications.

PKI Standards and Protocols


Two major standards are responsible for
PKI


Public Key Cryptography Standards (PKCS)


X.509 certificate standards

Public Key Cryptography

Standards (PKCS)


Numbered set of standards that have been
defined by the
RSA Corporation

since 1991


Based on the RSA public key algorithm


Composed of
15 standards

detailed on
pages 318 and 319 of the text

For example:


PKCS#1 defines the RSA Encryption Standard


PKCS#3 defines the Diffie
-
Hellman key agreement


PKCS#11 defines Cryptographic Token Interface Standard

(Tokens and Smart Cards)


PKCS#13 defines the Elliptic Curve Cryptography Standard

X.509 Digital Certificates


X.509 is an international standard
defined by the
International
Telecommunication Union

(ITU) that
defines the format for the digital
certificate


Most widely used certificate format for
PKI


X.509 is used by
Secure Socket Layers

(SSL)/
Transport Layer Security

(TLS),
IP Security

(IPSec), and
Secure/Multipurpose Internet Mail
Extensions

(S/MIME)

X509 Digital Certificates

Trust Models


The foundation of PKI is based on
trust


Refers to the type of
relationship

that can
exist
between people or organizations


In the
direct trust
, a
personal relationship

exists between
two individuals


Third
-
party trust

refers to a situation in which
two individuals trust each other only because
each individually trusts a
third party


The
three different PKI trust models

are based
on direct and/or third
-
party trust

Trust Models (continued)


The
web of trust

model is based on
direct
trust


I trust you and you trust your brother and your
brother trusts you, so we
all trust each other


You can send me your brother’s public key


Single
-
point trust

model is based on
third
-
party trust


A CA directly issues and signs certificates


In an
hierarchical trust model
, the primary or
root certificate authority issues and signs the
certificates for CAs below it


Also based on
third party trust

Trust Models (continued)

Managing Digital Certificates


After a user decides to trust a CA, they
can download the
digital certificate

and
public key from the CA and store them
on their local computer


CA certificates are issued by a CA directly
to individuals


Typically used to secure e
-
mail
transmissions through S/MIME and web
transmissions through SSL/TLS


Managing Digital Certificates

Managing Digital Certificates


Server certificates

can be issued from
a Web server, FTP server, or mail
server to ensure a secure transmission


Software publisher certificates

are
provided by software publishers to
verify their programs are secure

Certificate Life Cycle


Typically divided into four parts:

1.
Creation

2.
Revocation

3.
Expiration

4.
Suspension

Exploring Key Management


Because keys form the very
foundation of the algorithms in
asymmetric and PKI systems, it is vital
that they be carefully managed

Centralized and Decentralized
Management


Key management can either be
centralized

or
decentralized



An example of a
decentralized

key
management system is the PKI
web of
trust

model


Centralized

key management is the
foundation for single
-
point trust
models and hierarchical trust models,
with
keys being distributed by the CA

Key Storage


It is possible to store public keys by
embedding them within digital
certificates


This is a form of software
-
based
storage and doesn’t involve any
cryptography hardware


Another form of software
-
based
storage involves storing private keys
on the user’s local computer

Key Storage (continued)


Storing keys in hardware is an
alternative to software
-
based keys


Keys stored on hardware are stored on a
token (USB drive) or card


Whether private keys are stored in
hardware or software, it is important
that they be adequately protected


Password protected


Backed
-
up

Key Handling Procedures


Certain procedures can help ensure
that keys are properly handled:


Escrow


-

handled by third
-
party



Renewal
–

renew before expiration



Suspension
–

suspend but not revoke


Destruction
–

removes the key pair


Expiration
–

key pair expires


Revocation
–

key revoked and invalid


Recovery
–

key divided and given to
different parties for later recovery


Summary


One of the advantages of symmetric
cryptography is that encryption and
decryption using a private key is
usually fast and easy to implement


A digital signature solves the problem
of authenticating the sender when
using asymmetric cryptography


With the number of different tools
required for asymmetric cryptography,
an organization can find itself
implementing piecemeal solutions for
different applications


Summary (continued)


PKCS is a numbered set of standards
that have been defined by the RSA
Corporation since 1991


The three PKI trust models are based
on direct and third
-
party trust


Digital certificates are managed
through CPs and CPSs