Chapter 9: Using and Managing Keys
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
Explain cryptography strengths and vulnerabilities
Define public key infrastructure (PKI)
Manage digital certificates
Explore key management

Understanding Cryptography Strengths and Vulnerabilities
Cryptography is the science of “scrambling” data through encryption so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext

Symmetric Cryptography Strengths and Weaknesses
Identical keys are used to both encrypt and decrypt the message
Popular symmetric cipher algorithms include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), and Blowfish
The advantage of symmetric ciphers is they are fast.
Disadvantages of symmetric encryption relate to the difficulties of managing the private key

Asymmetric Cryptography Strengths and Vulnerabilities
With asymmetric encryption, two keys (key pair) are used instead of one
The private key encrypts the message
The public key decrypts the message
Remember, the public key can also be used to encrypt and the private key can be used to decrypt since the two keys are mathematically related.
Asymmetric keys can greatly improve cryptography security, convenience, and flexibility
Public keys can be distributed freely
Users cannot deny they have sent a message if they have previously encrypted the message with their private keys (non-repudiation)
Primary disadvantage is that it is computing-intensive

Digital Signatures
Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message
However, how can you be sure that the message you received is from the actual sender?
How can you prove your own identity?
A digital signature helps to prove that:
  The person sending the message with a public key is who they claim to be (because I used my private key to encrypt the hash used in the signature)
  The message was not altered
  It cannot be denied the message was sent

Digital Certificates
Digital documents that associate an individual (identity) with its specific public key
A digital certificate is a data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party

Certification Authority (CA)
The owner of the public key listed in the digital certificate can be identified to the CA in different ways
  By their e-mail address
  By additional information that describes the digital certificate and limits the scope of its use
Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users
The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes
This information is available in a publicly accessible directory, called a Certificate Repository (CR)
Some organizations set up a Registration Authority (RA) to handle some CA tasks such as processing certificate requests and authenticating users

Understanding Public Key Infrastructure (PKI)
Weaknesses associated with asymmetric cryptography led to the development of PKI
PKI is a conceptual model, much like the OSI model, in which public keys are made available and managed
PKI describes the means by which the public key cryptography system is going to be implemented

Description of PKI
PKI is a system that manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public keys, and CAs
For a typical enterprise:
  Provides end-user enrollment software
  Integrates corporate certificate directories
  Manages, renews, and revokes certificates
  Provides related network services and security
Uses protocol standards by which asymmetric cryptography could be used automatically across all platforms and applications.

PKI Standards and Protocols
Two major standards are responsible for PKI
  Public Key Cryptography Standards (PKCS)
  X.509 certificate standards

Public Key Cryptography Standards (PKCS)
Numbered set of standards that have been defined by the RSA Corporation since 1991
Based on the RSA public key algorithm
Composed of 15 standards detailed on pages 318 and 319 of the text
For example:
  PKCS#1 defines the RSA Encryption Standard
  PKCS#3 defines the Diffie-Hellman key agreement
  PKCS#11 defines Cryptographic Token Interface Standard (Tokens and Smart Cards)
  PKCS#13 defines the Elliptic Curve Cryptography Standard

X.509 Digital Certificates
X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
Most widely used certificate format for PKI
X.509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

X509 Digital Certificates

Trust Models
The foundation of PKI is based on trust
Refers to the type of relationship that can exist between people or organizations
In direct trust, a personal relationship exists between two individuals
Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party
The three different PKI trust models are based on direct and/or third-party trust
The web of trust model is based on direct trust
  I trust you and you trust your brother and your brother trusts you, so we all trust each other
  You can send me your brother’s public key
The single-point trust model is based on third-party trust
  A CA directly issues and signs certificates
In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it
  Also based on third-party trust
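
Added example (not part of the original slides): a toy model of the Digital Signatures and hierarchical trust model slides, in which a relying party walks a chain from a user certificate up to a trusted root, checking each CA signature, the expiry date, and a CRL. The key sizes, names, serial numbers and dates are constructed assumptions; the RSA here is textbook RSA with tiny keys and is for illustration only.

```python
import hashlib
from datetime import date

def make_key(p, q, e=65537):
    # Toy RSA key pair from two known primes: illustration only, far too small to be secure
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    # SHA-256 of the data, reduced to fit under the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    # The signer transforms the hash with the PRIVATE exponent d
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data, sig, pub):
    # Anyone can undo that with the PUBLIC exponent e and compare against a fresh hash
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def signed_fields(cert):
    # The bytes the CA signs: identity, public key, serial number, expiry
    return repr([cert[k] for k in ("subject", "issuer", "pub", "serial", "expires")]).encode()

def issue(subject, key, issuer, issuer_key, serial, expires=date(2030, 1, 1)):
    cert = {"subject": subject, "issuer": issuer, "serial": serial, "expires": expires,
            "pub": {"n": key["n"], "e": key["e"]}}
    cert["sig"] = sign(signed_fields(cert), issuer_key)
    return cert

def validate_chain(chain, trusted_root, crl, today):
    # chain = [end entity, intermediate CA, ...]; each link is checked against the CA above it
    for cert, issuer in zip(chain, chain[1:] + [trusted_root]):
        if cert["issuer"] != issuer["subject"]:
            return "issuer mismatch: " + cert["subject"]
        if not verify(signed_fields(cert), cert["sig"], issuer["pub"]):
            return "bad signature: " + cert["subject"]
        if today > cert["expires"]:
            return "expired: " + cert["subject"]
        if (cert["issuer"], cert["serial"]) in crl:
            return "revoked: " + cert["subject"]
    return "valid"

# Constructed hierarchy: root CA -> issuing CA -> user (Mersenne primes as toy key material)
ROOT_KEY = make_key(2**107 - 1, 2**127 - 1)
CA_KEY = make_key(2**61 - 1, 2**89 - 1)
USER_KEY = make_key(2**19 - 1, 2**31 - 1)
ROOT = issue("Example Root CA", ROOT_KEY, "Example Root CA", ROOT_KEY, 1)
CA = issue("Example Issuing CA", CA_KEY, "Example Root CA", ROOT_KEY, 2)
USER = issue("alice@example.test", USER_KEY, "Example Issuing CA", CA_KEY, 3)
print(validate_chain([USER, CA], ROOT, set(), date(2025, 1, 1)))
```

Passing a CRL entry such as `("Example Issuing CA", 3)` or a date after the expiry changes the result to a revoked or expired verdict, and editing any signed field of a certificate makes the CA signature check fail.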

Managing Digital Certificates
After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
CA certificates are issued by a CA directly to individuals
Typically used to secure e-mail transmissions through S/MIME and web transmissions through SSL/TLS

Managing Digital Certificates
Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission
Software publisher certificates are provided by software publishers to verify their programs are secure

Certificate Life Cycle
Typically divided into four parts:
1. Creation
2. Revocation
3. Expiration
4. Suspension

Exploring Key Management
Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed

Centralized and Decentralized Management
Key management can either be centralized or decentralized
An example of a decentralized key management system is the PKI web of trust model
Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA

Key Storage
It is possible to store public keys by embedding them within digital certificates
This is a form of software-based storage and doesn’t involve any cryptography hardware
Another form of software-based storage involves storing private keys on the user’s local computer
Storing keys in hardware is an alternative to software-based keys
Keys stored on hardware are stored on a token (USB drive) or card
Whether private keys are stored in hardware or software, it is important that they be adequately protected
  Password protected
  Backed-up

Key Handling Procedures
Certain procedures can help ensure that keys are properly handled:
  Escrow – handled by third-party
  Renewal – renew before expiration
  Suspension – suspend but not revoke
  Destruction – removes the key pair
  Expiration – key pair expires
  Revocation – key revoked and invalid
  Recovery – key divided and given to different parties for later recovery

Summary
One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement
A digital signature solves the problem of authenticating the sender when using asymmetric cryptography
With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications
PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991
The three PKI trust models are based on direct and third-party trust
Digital certificates are managed through CPs and CPSs