Security+ Guide to Network Security Fundamentals, Third Edition

Chapter 12
Applying Cryptography

Objectives
• Define digital certificates
• List the various types of digital certificates and how they are used
• Describe the components of Public Key Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different cryptographic transport protocols

Digital Certificates
• Using digital certificates involves:
  – Understanding their purpose
  – Knowing how they are authorized, stored, and revoked
  – Determining which type of digital certificate is appropriate for different situations
  – Used to associate (“bind”) the user’s identity to a public key
  – User must provide proof of their identity to obtain a public key from a Trusted Agent
  – User’s public key is “digitally signed” by a reputable source entrusted to sign it (trusted Certificate Authority or CA)
  – Trusted CAs are recognized by the operating system and provide a path for the verification (root certificate chain)
  – This provides a mechanism to validate that the certificate is valid and not expired or revoked
  – Digital certificates provide an international standards mechanism to exchange messages that provide proof of integrity and non-repudiation
• A digital certificate typically contains the following information:
  – Owner’s name or alias
  – Owner’s public key
  – Name of the issuer
  – Digital signature of the issuer
  – Serial number of the digital certificate
  – Expiration date of the public key

Certificate Authority (CA):
  – An entity that publishes digital certificates (typically for others)
  – Houses Root Certificate Server (offline)
  – Generates certificates for entities who provide verification of identity
  – Provides validation services for certificates issued
  – Provides services to notify users of certificates no longer valid (revoked or expired)
  – CAs can be external trusted or internal locally issued

Storing and Verifying Digital Certificates
• Private Key Storage
  – Stored on the issued individual’s system or token
  – Must be provided tight access controls to only the issued users
  – Private key theft allows the thief to impersonate the trusted user
• Certificate Repository (CR)
  – A publicly accessible directory that contains the certificates and CRLs published by a CA
  – Used to check the validity of the published certificate (e.g. serial number)
  – CRs are often available to all users through a Web browser interface
  – Location is published through the root certificate trust chain

Certificate Trust Overview
• Commercial Certificate Authorities
  – Must pass rigorous auditing
  – Provide publicly accessible certificate repositories and CRLs
  – Are added to OS CA trust lists, allowing anyone who holds a cert instant trust when using it
  – Fees for certificate issuance and renewal
• Private Certificate Authorities
  – Hosted internal to an organization
  – Require manual addition to the cert trust chain in each system
  – Normally accomplished via GPO
  – No fees associated with issuance or renewal

Certificate Trust Chains – During Verification
• Application attempts to determine if certificate is valid by walking the certificate up the validation chain

Revoking Digital Certificates
• Certificate Revocation List (CRL)
  – Required to be published by the CA
  – Publicly available information
  – Lists invalidated (revoked) certificates
    • Reasons can include compromised or expired private keys
  – Most CRLs can either be viewed or downloaded directly into the user’s Web browser
    • Size of CRL causes performance issues
  – Can be used with security enforcement mechanisms to provide protection from questionable content

Digital Certificate Uses and Types
• Uses:
  – Encrypt communications channels
  – Encrypt email messages
  – Verify the identity of clients and servers on the Web
  – Verify the source and integrity of signed executable code
• Digital Certificate Categories:
  – Personal digital certificates
  – Server digital certificates
  – Software publisher digital certificates
• X.509 Digital Certificates
  – The most widely accepted format for digital certificates
  – Web Transaction Overview

Types of Digital Certificates
• Single-sided certificate
  – Services of both digital signature and encryption are supported via a single certificate
• Dual-sided certificates
  – Certificates in which the functionality is split between two certificates
    • Signing certificate
    • Encryption certificate
  – Advantages:
    • Reduce need for storing multiple signing certificate copies
    • Facilitate certificate handling in organizations

Public Key Infrastructure (PKI)
• Involves public-key cryptography standards, trust models, and key management
• Public-Key Cryptography Standards (PKCS)
  – Based on RSA PKI algorithm
  – Standards are defined by RSA Corporation
• Public key infrastructure (PKI)
  – Framework and management mechanism to create, store, distribute, and revoke digital certificates
    • Includes hardware, software, people, policies and procedures

Trust Models
• Trust may be defined as confidence in or reliance on another person or entity
• Trust Model
  – Refers to the type of trusting relationship that can exist between individuals or entities
• Direct Trust
  – A relationship exists between two individuals because one person knows the other person
• Third party trust (Trust Chain)
  – Refers to a situation in which two individuals trust each other because each trusts a third party

Trust Models (cont.)
• Direct trust is not feasible when dealing with multiple users who each have digital certificates
• 3 PKI Trust Models that use a CA
  – Hierarchical trust model
  – Distributed trust model
  – Bridge trust model

• Public-Key Cryptography Standards (PKCS): Based on a standard and algorithm established by RSA.
• Public Key Infrastructure (PKI): Framework and management mechanism to create, store, distribute, and revoke digital certificates.
• 15 PKCS standards, some of which have been deprecated and rolled into others.
• Trust: Confidence in or reliance on another person or entity
• Trust Model: Relationship that exists between individuals or entities
• Direct Trust: Relationship that exists between two individuals because one person knows the other person
• Third party trust: A situation in which two individuals trust each other because each trusts a third party
• Direct trust is not feasible when dealing with multiple users who each have digital certificates
• 3 PKI Trust Models:
  – Hierarchical: Single root, not distributed infrastructure
  – Distributed: Uses intermediate CAs to distribute and balance workload; lowers risk of a single compromise affecting all issued certificates
  – Bridge: Hybrid model that combines the best of both and allows for trust outside of a single organization

Managing PKI
• Certificate Policy (CP)
  – Published set of rules that govern the operation of a PKI
  – Provides recommended baseline security requirements for the use and operation of CA, RA, and other PKI components
• Certificate Practice Statement (CPS)
  – Details how the issuing CA uses and manages certificates
  – A more technical document than a CP
  – Viewable by anyone who can see your public certificate
• Certificate Life Cycle
  – Creation
  – Suspension
  – Revocation
  – Expiration

Key Management
• Proper key management includes procedures for:
  – Key Storage
  – Key Usage
  – Key Handling
• Improper key management places the entire key set at risk of compromise

Key Storage
• Public keys are stored by embedding within digital certificates and published
• Private keys are stored on the user’s local system (software) or devices (hardware)
• Software-based storage may leave keys open to attacks (e.g. on OS of a system)
• Storing keys in hardware is an alternative to software-based storage
• Private keys stored in devices such as smart cards or in tokens are harder to compromise

Key Usage
• If more security is needed than a single set of public and private keys
  – Then multiple pairs of dual keys can be created
• Pair One:
  – Encryption Keys
    » Public Key - Backed up to another location
• Pair Two:
  – Used only for Digital Signatures
    » Pair would never be backed up

Key Handling Procedures
• 7 States with Key Handling Procedures process:
  – Escrow: Managed by 3rd party
  – Expiration: Sets the period the key is valid; reduces the time a compromised key can be used
  – Renewal: Provides for renewing key vs. issuing new key; makes key more susceptible to misuse or theft
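
The chain walk described under "Certificate Trust Chains – During Verification" and the CRL lookup under "Revoking Digital Certificates", as an added example that is not part of the original slides. It assumes a simplified certificate holding only the fields listed earlier; the names, day-number dates and keys are constructed, and textbook RSA over small Mersenne primes stands in for a real signature algorithm.

```python
import hashlib
from collections import namedtuple

# Fields mirror the certificate contents listed in the slides.
Cert = namedtuple("Cert", "subject pubkey issuer serial not_after signature")

def keypair(p, q, e=65537):
    """Textbook RSA from two primes (toy sizes, no padding; illustration only)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(c, n):
    # Hash of every field except the signature, reduced to fit the toy modulus.
    tbs = f"{c.subject}|{c.pubkey}|{c.issuer}|{c.serial}|{c.not_after}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, pubkey, issuer, issuer_priv, serial, not_after):
    n, d = issuer_priv
    c = Cert(subject, pubkey, issuer, serial, not_after, None)
    return c._replace(signature=pow(digest(c, n), d, n))

def validate(leaf, intermediates, roots, crls, today, max_depth=5):
    """Walk leaf -> issuer -> ... -> trusted root; return 'valid' or the reason."""
    cert = leaf
    for _ in range(max_depth):
        if today > cert.not_after:
            return f"expired: {cert.subject}"
        if cert.serial in crls.get(cert.issuer, ()):   # CRL published by the issuer
            return f"revoked: {cert.subject}"
        issuer = roots.get(cert.issuer) or intermediates.get(cert.issuer)
        if issuer is None:
            return f"unknown issuer: {cert.issuer}"
        n, e = issuer.pubkey
        if pow(cert.signature, e, n) != digest(cert, n):
            return f"bad signature: {cert.subject}"
        if cert.issuer in roots:                       # reached a trust anchor
            return "valid" if today <= issuer.not_after else f"expired: {issuer.subject}"
        cert = issuer                                  # go one level up the chain
    return "chain too long"

# Constructed sample PKI: root -> issuing CA -> server. Dates are day numbers.
ROOT_PUB, ROOT_PRIV = keypair(2**61 - 1, 2**89 - 1)
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, _ = keypair(2**31 - 1, 2**19 - 1)
ROOT = issue("Example Root CA", ROOT_PUB, "Example Root CA", ROOT_PRIV, 1, 9000)
CA = issue("Example Issuing CA", CA_PUB, "Example Root CA", ROOT_PRIV, 2, 5000)
SERVER = issue("www.example.test", SRV_PUB, "Example Issuing CA", CA_PRIV, 77, 400)
ROOTS, INTERMEDIATES = {ROOT.subject: ROOT}, {CA.subject: CA}
```

Passing an empty `roots` dictionary models a private CA that has not yet been added to a system's trust list, and revoking the issuing CA's serial on the root's CRL invalidates every certificate beneath it.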