# Chapter 9: Using and Managing Keys

Nov 21, 2013

Security+ Guide to Network Security Fundamentals, Second Edition

## Objectives

Explain cryptography strengths and vulnerabilities

Define public key infrastructure (PKI)

Manage digital certificates

Explore key management

## Understanding Cryptography Strengths and Vulnerabilities

Cryptography is the science of “scrambling” data through encryption so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored

text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext

## Symmetric Cryptography Strengths and Weaknesses

Identical keys are used to both encrypt and decrypt the message

Popular symmetric cipher algorithms include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), and Blowfish

The strength of symmetric ciphers is that they are fast.

Weaknesses of symmetric encryption relate to the difficulties of managing the private key

## Asymmetric Cryptography Strengths and Vulnerabilities

With asymmetric encryption, two keys (key pair) are used instead of one

The private key encrypts the message

The public key decrypts the message

Remember, the public key can also be used to encrypt and the private key can be used to decrypt since the two keys are mathematically related.

## Asymmetric Cryptography Strengths and Vulnerabilities

Asymmetric keys can greatly improve cryptography security, convenience, and flexibility

Public keys can be distributed freely

Users cannot deny they have sent a message if they have previously encrypted the message with their private keys (non-repudiation)

Primary vulnerability is that it is computing-intensive

## Digital Signatures

Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message

However, how can you be sure that the message you received is from the actual sender?

How can you prove your own identity?

A digital signature helps to prove that:

The person sending the message with a public key is who they claim to be (because I used my private key to encrypt the hash used in the signature)

The message was not altered

It cannot be denied the message was sent

## Digital Certificates

Digital documents that associate an individual (identity) with its specific public key

A digital certificate is a data structure containing a public key, key owner, and other optional information that is all digitally signed by a trusted third party

## Certification Authority (CA)

The owner of the public key listed in the digital certificate can be identified to the CA in different ways

By their e-

By additional information that describes the digital certificate and limits the scope of its use

Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

## Certification Authority (CA)

The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes

This information is available in a publicly accessible directory, called a Certificate Repository (CR)

Some organizations set up a Registration Authority (RA) to handle some CA tasks such as processing certificate requests and authenticating users

## Understanding Public Key Infrastructure (PKI)

Weaknesses associated with asymmetric cryptography led to the development of PKI

PKI is a conceptual model, much like the OSI model, in which public keys are made available and managed

PKI describes the means by which the public key cryptography system is going to be implemented

## Description of PKI

PKI is a system that manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public keys, and CAs

For a typical enterprise:

Provides end-user enrollment software

Integrates corporate certificate directories

Manages, renews, and revokes certificates

Provides related network services and security

Uses protocol standards by which asymmetric cryptography could be used automatically across all platforms and applications.

## PKI Standards and Protocols

Two major standards are responsible for PKI

Public Key Cryptography Standards (PKCS)

X.509 certificate standards

## Public Key Cryptography Standards (PKCS)

Numbered set of standards that have been defined by the RSA Corporation since 1991

Based on the RSA public key algorithm

Composed of 15 standards detailed on pages 318 and 319 of the text

For example:

PKCS#1 defines the RSA Encryption Standard

PKCS#3 defines the Diffie-Hellman key agreement

PKCS#11 defines Cryptographic Token Interface Standard (Tokens and Smart Cards)

PKCS#13 defines the Elliptic Curve Cryptography Standard

## X.509 Digital Certificates

X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate

Most widely used certificate format for PKI

X.509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

## Trust Models

The foundation of PKI is based on trust

Refers to the type of relationship that can exist between people or organizations

In direct trust, a personal relationship exists between two individuals

Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party

The three different PKI trust models are based on direct and/or third-party trust

## Trust Models (continued)

The web of trust model is based on direct trust

I trust you and you trust your brother and your brother trusts you, so we all trust each other

You can send me your brother’s public key

Single-point trust model is based on third-party trust

A CA directly issues and signs certificates

In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it

Also based on third-party trust
## Managing Digital Certificates

After a user decides to trust a CA, they digital certificate and public key from the CA and store them on their local computer

CA certificates are issued by a CA directly to individuals

Typically used to secure e-mail transmissions through S/MIME and web transmissions through SSL/TLS

## Managing Digital Certificates

Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission

Software publisher certificates are provided by software publishers to verify their programs are secure

## Certificate Life Cycle

Typically divided into four parts:

1. Creation
2. Revocation
3. Expiration
4. Suspension

## Exploring Key Management

Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed

## Centralized and Decentralized Management

Key management can either be centralized or decentralized

An example of a decentralized key management system is the PKI web of trust model

Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA

## Key Storage

It is possible to store public keys by embedding them within digital certificates

This is a form of software-based storage and doesn’t involve any cryptography hardware

Another form of software-based storage involves storing private keys on the user’s local computer

## Key Storage (continued)

Storing keys in hardware is an alternative to software-based keys

Keys stored on hardware are stored on a token (USB drive) or card

Whether private keys are stored in hardware or software, it is important

Backed-up

## Key Handling Procedures

Certain procedures can help ensure that keys are properly handled:

Escrow - handled by third-party

Renewal - renew before expiration

Suspension - suspend but not revoke

Destruction - removes the key pair

Expiration - key pair expires

Revocation - key revoked and invalid

Recovery - key divided and given to different parties for later recovery
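
One way to divide a key among several parties for later recovery, shown as an added example that is not from the textbook or the original slides. It assumes Shamir's threshold scheme, which the slides do not name, and goes beyond the slide by letting any `threshold` of the holders recover the key; `split_key` and `recover_key` are hypothetical names.

```python
import secrets

PRIME = 2**521 - 1  # Mersenne prime; the field must be larger than the key

def split_key(key: bytes, holders: int, threshold: int):
    """Return one (x, y) share per holder; any `threshold` shares rebuild the key."""
    secret = int.from_bytes(key, "big")
    if not 1 < threshold <= holders or secret >= PRIME:
        raise ValueError("need 1 < threshold <= holders and a key below PRIME")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    def poly(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc
    return [(x, poly(x)) for x in range(1, holders + 1)]

def recover_key(shares, length: int):
    """Lagrange-interpolate the polynomial at x = 0; None if the result is not a key."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 256 ** length:         # too few or mismatched shares
        return None
    return secret.to_bytes(length, "big")

if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # constructed sample private key
    shares = split_key(key, holders=5, threshold=3)  # five parties, any three recover
    print(recover_key(shares[1:4], 32) == key)       # three shares: True
    print(recover_key(shares[:2], 32) == key)        # two shares: False
```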

## Summary

One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement

A digital signature solves the problem of authenticating the sender when using asymmetric cryptography

With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications

## Summary (continued)

PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991

The three PKI trust models are based on direct and third-party trust

Digital certificates are managed through CPs and CPSs