security 06 applying cryptography

innocentsickAI and Robotics

Nov 21, 2013 (3 years and 6 months ago)

87 views

NETWORK


SECURITY

06

APPLYING CRYPTOGRAPHY

Contents

6.1

Digital Certificates

6.2

Pubic Key Infrastructure

6.3

Key Management

6.4

Cryptographic Transport Protocols



06 APPLYING CRYPTOGRAPHY

2

6.1

Digital Certificates


Alice receives a package containing an
encrypted document from Bob. It is secure
as it was encrypted.


Yet how can she know that it came from
Bob? Because Alice

s asymmetric public
key is widely available, anyone could use
it to encrypt the document.



The answer is to use a
digital signature
.

06 APPLYING CRYPTOGRAPHY

3

6.1 Digital Certificates

06 APPLYING CRYTOGRAPHY

4

6.1 Digital Certificates

06 APPLYING CRYTOGRAPHY

5

6.1

Digital Certificates

6.1.1

Defining Digital Certificates



Digital certificates
can be used to associate
or

bind


a user

s identity to a public key.



A digital certificate is the user

s public key
that has itself been

digitally signed


by a
reputable source entrusted to sign it.

06 APPLYING CRYPTOGRAPHY

6

6.1

Digital Certificates


Digital certificates prevent a man
-
in
-
the
-
middle attack that impersonates the owner of
the public key.



Digital certificates can also be used to identify
objects other than users, such as servers and
applications.


06 APPLYING CRYPTOGRAPHY

7

6.1

Digital Certificates


A digital certificate typically contains the
following information:


Owner

s name or alias


Owner

s public key


Name of the issuer


Digital signature of the issuer


Serial number of the digital certificate


Expiration date of the public key



06 APPLYING CRYPTOGRAPHY

8

6.1

Digital Certificates

6.1.2


Authorizing, Storing and



Revoking


Several entities and technologies are used
for authorizing, storing, and revoking
digital certificates
.


These include the Certificate Authority
(CA)
and
Registration Authority (RA),
a
Certificate
Repository (CR), and a
Certificate Revocation List (CRL).

06 APPLYING CRYPTOGRAPHY

9

6.1

Digital Certificates

Authority (CA) & Registration (RA)


Instead
of a user verifying his own identity,
a
third
-
party person
or agency is used.



An
entity that issues digital certificates for
others is
known as
a
Certificate Authority
(CA)
.


06 APPLYING CRYPTOGRAPHY

10

6.1

Digital Certificates


A user provides information to a CA that
verifies her identity.


Also, the user generates public and private
keys and sends the public key to the CA
(or in some instances the CA may create
the keys).


The CA inserts this public key into the
certificate.

06 APPLYING CRYPTOGRAPHY

11

6.1

Digital Certificates


A CA can be external to the organization,
or it can be a CA internal to the
organization.


Some organizations set up a subordinate
entity, called a
Registration Authority
(RA)
, to handle some CA tasks such as
processing certificate requests and
authenticating users.

06 APPLYING CRYPTOGRAPHY

12

6.1

Digital Certificates

Certificate Revocation List (CRL)


Digital certificates normally have an
expiration date.


Expired digital certificates
should then be
revoked
.


Revoked digital certificates are listed in
a
Certificate
Revocation List (CRL)
, which
can be accessed to check the certificate
status
of other
users.

06 APPLYING CRYPTOGRAPHY

13

6.1

Digital Certificates

Certificate Repository (CR)


It is important that the CA publishes the
certificates
and CRLs
to a
directory.


This directory can be managed locally
or
in
a publicly accessible directory, which is
called a
Certificate Repository (CR)
.

06 APPLYING CRYPTOGRAPHY

14

6.1

Digital Certificates

6.1.3


Types of Digital Certificates



There
are different types of digital
certificates.


In
addition, some digital certificates are
single
-
side while
others can be dual
-
sided.


Also
, standards exist for digital certificates.

06 APPLYING CRYPTOGRAPHY

15

6.1

Digital Certificates


In addition to being used to verify the
sender

s identity, digital certificates can
also be used to:


Encrypt channels to provide secure
communication between clients and servers


Encrypt messages for secure Internet e
-
mail
communication


Verify the identity of clients and servers on the
Web

06 APPLYING CRYPTOGRAPHY

16

6.1

Digital Certificates


Verify the source and integrity of signed
executable code


There are three basic categories of digital
certificates:


personal digital certificates,


Server digital certificates, and


software publisher digital certificates.

06 APPLYING CRYPTOGRAPHY

17

6.1

Digital Certificates

Personal Digital Certificates



Personal
digital certificates are issued by a
CA or RA
directly to
individuals
.


Personal
digital certificates are typically
used to secure e
-
mail transmissions
.


Digital
certificates can also be used
to
authenticate
the authors of documents.

06 APPLYING CRYPTOGRAPHY

18

6.1

Digital Certificates

Server Digital Certificates


Server digital certificates are often issued
from a Web server
to a client.


Typically
perform two functions.


First
, they can ensure the authenticity of
the
Web
server
.


Second, server certificates can ensure the
authenticity of the cryptographic connection to
the Web
server.

06 APPLYING CRYPTOGRAPHY

19

6.1

Digital Certificates


06 APPLYING CRYPTOGRAPHY

20

6.1

Digital Certificates


Most server digital certificates combine
both server authentication and secure
communication between clients and
servers on the Web.


06 APPLYING CRYPTOGRAPHY

21

6.1

Digital Certificates


Software Publisher Digital Certificates



Software publisher digital certificates are
provided by software publishers.



The purpose of these certificates is to
verify that their programs are secure and
have not been tampered with.

06 APPLYING CRYPTOGRAPHY

22

6.1

Digital Certificates

Single Side and Dual Side


Digital certificates can
be either
single
-
sided or dual
-
sided
.


When Bob sends one digital certificate to
Alice along
with his
message, that is
known as a
single
-
sided certificate
.

06 APPLYING CRYPTOGRAPHY

23

6.1

Digital Certificates


Dual
-
sided certificates
are certificates in
which the functionality is split between two
certificates.


The
signing certificate
is used to sign a
message to prove that that sender is
authentic.


The
encryption certificate
is used for the
actual encryption of the message.

06 APPLYING CRYPTOGRAPHY

24

6.1

Digital Certificates


Dual
-
sided certificates have two
advantages.


First, dual
-
sided certificates reduce the need
for storing multiple copies of the signing
certificate.


Second, dual
-
sided certificates facilitate
certificate handling in organizations.


06 APPLYING CRYPTOGRAPHY

25

6.1

Digital Certificates

X.509 Digital Certificates


The most widely accepted format for
digital certificates is
defined by
the
International Telecommunication Union
(ITU)
X.509
international standard
.


X.509 V1 first appeared in 1988. X.509 V2
supported new issuer and subject
identifier
fields
that were absent from Version 1.

06 APPLYING CRYPTOGRAPHY

26

6.1

Digital Certificates


The current version, X.509 V3, was
defined in 1996, and introduced the
extension field.


06 APPLYING CRYPTOGRAPHY

27

6.1

Digital Certificates


06 APPLYING CRYPTOGRAPHY

28

6.2 Public Key Infrastructure


One of the important management tools
for the use of digital certificates and
asymmetric cryptography is public key
infrastructure.


Public key infrastructure involves public
-
key cryptography standards, trust models,
and key management.

06 APPLYING CRYPTOGRAPHY

29

6.2 Public Key Infrastructure

6.2.1


What is Public Key




Infrastructure


In an organization where multiple users
have multiple digital certificates
, it
quickly
can become overwhelming to manage all
of these entities.


In
short,
there needs
to be a consistent
means to manage digital certificates
.


Public key infrastructure (PKI)
is just
that.

06 APPLYING CRYPTOGRAPHY

30

6.2 Public Key Infrastructure


It is a framework for all of the entities
involved in digital certificates

including
hardware, software, people, policies and
procedures

to create, store, distribute,
and revoke digital certificates.


In short,
PKI is digital certificate
management
.

06 APPLYING CRYPTOGRAPHY

31

6.2 Public Key Infrastructure


PKI is often erroneously applied to a
broader range of cryptography topics
beyond managing digital certificates.



It is sometimes defined as that which
supports

other public key
-
enabled
security services


or

certifying users of a
security application.



06 APPLYING CRYPTOGRAPHY

32

6.2 Public Key Infrastructure

6.2.2


Public
-
Key Cryptographic



Standards (PKCS)


Public
-
key
cryptography standards
(PKCS) is a numbered set of PKI
standards that have
been defined
by the
RSA Corporation
.


These standards are based on the RSA
public
-
key algorithm.

06 APPLYING CRYPTOGRAPHY

33

6.2 Public Key Infrastructure


06 APPLYING CRYPTOGRAPHY

34

6.2 Public Key Infrastructure


06 APPLYING CRYPTOGRAPHY

35

6.2 Public Key Infrastructure


06 APPLYING CRYPTOGRAPHY

36

6.2 Public Key Infrastructure


Applications and products that are
developed by vendors may choose to
support the PKCS standards.


For example, Microsoft Windows Vista
provides native
support for exporting
digital certificates based on PKCS #7 and
#12.

06 APPLYING CRYPTOGRAPHY

37

6.2 Public Key Infrastructure

6.2.3


Trust Model


Trust
may be defined as confidence in or
reliance on another person or entity
.


A
trust model
refers to the type of trusting
relationship that can exist between
individuals or
entities
.

06 APPLYING CRYPTOGRAPHY

38

6.2 Public Key Infrastructure


In one type of trust model,
direct trust,
a
relationship exists between two individuals
because one person knows the other
person.


Direct trust is not feasible when dealing
with multiple users who each have digital
certificates.

06 APPLYING CRYPTOGRAPHY

39

6.2 Public Key Infrastructure


A
third party trust
refers to a situation in
which two individuals trust each other
because each trusts a third party.


This is the role that a CA plays: for
example, it verifies Mary, Amanda, and
Javier to Alice.


06 APPLYING CRYPTOGRAPHY

40

6.2 Public Key Infrastructure


There are essentially three PKI trust
models that use a CA. These are


the hierarchical trust model,


the distributed trust model, and


the bridge trust model.

06 APPLYING CRYPTOGRAPHY

41

6.2 Public Key Infrastructure

Hierarchical Trust Model


The
hierarchical trust model
assigns a
single hierarchy
with one
master CA called
the
root
.


This
root signs all digital certificate
authorities with a
single key.


A hierarchical trust model can be used in
an organization where one CA or RA is
responsible.

06 APPLYING CRYPTOGRAPHY

42

6.2 Public Key Infrastructure


06 APPLYING CRYPTOGRAPHY

43

6.2 Public Key Infrastructure

Distributed Trust Model


Instead of having a single CA as in the
hierarchical
trust model
, the
distributed
trust model
has multiple CAs that sign
digital certificates
.


The distributed trust model is the basis for
digital certificates issued by Internet users.


06 APPLYING CRYPTOGRAPHY

44

6.2 Public Key Infrastructure


06 APPLYING CRYPTOGRAPHY

45

6.2 Public Key Infrastructure

Bridge Trust Model


The
bridge trust model
is similar to the
distributed trust model in that there is no
single CA that signs digital certificates.


However, with the bridge trust model there
is one CA that acts as a

facilitator


to
interconnect all other CAs.

06 APPLYING CRYPTOGRAPHY

46

6.2 Public Key Infrastructure


06 APPLYING CRYPTOGRAPHY

47