View
232
Download
4
Embed Size (px)
Citation preview
Chapter 9: Using and Managing Keys
Security+ Guide to Network Security FundamentalsSecond Edition
Objectives
Explain cryptography strengths and vulnerabilities
Define public key infrastructure (PKI) Manage digital certificates Explore key management
Understanding Cryptography Strengths and Vulnerabilities
Cryptography is science of “scrambling” data through encryption so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext
Symmetric Cryptography Strengths and Weaknesses
Identical keys are used to both encrypt and decrypt the message
Popular symmetric cipher algorithms include Data Encryption Standard (DES), Triple Data Encryption (3DES) Standard, Advanced Encryption Standard (AES), Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), and Blowfish
The advantage of symmetric ciphers is they are fast.
Disadvantages of symmetric encryption relate to the difficulties of managing the private key
Asymmetric Cryptography Strengths and Vulnerabilities
With asymmetric encryption, two keys (key pair) are used instead of one The private key encrypts the message The public key decrypts the message
Remember, the public key can also be used to encrypt and the private key can be used to decrypt since the two keys are mathematically related.
Asymmetric Cryptography Strengths and Vulnerabilities
Asym keys can greatly improve cryptography security, convenience, and flexibility
Public keys can be distributed freely Users cannot deny they have sent a
message if they have previously encrypted the message with their private keys (non repudiation)
Primary disadvantage is that it is computing-intensive
Digital Signatures
Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message
However, how can you be sure that the message you received is from the actual sender? How can you prove your own identity?
A digital signature helps to prove that: The person sending the message with a public key is
who they claim to be (b/c I used my private key to encrypt the hash used
in the signature) The message was not altered It cannot be denied the message was sent
Digital Certificates
Digital documents that associate an individual (identity) with its specific public key
A digital certificate is a Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party
Certification Authority (CA)
The owner of the public key listed in the digital certificate can be identified to the CA in different ways By their e-mail address By additional information that describes the
digital certificate and limits the scope of its use
Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users
Certification Authority (CA)
The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes
This information is available in a publicly accessible directory, called a Certificate Repository (CR)
Some organizations set up a Registration Authority (RA) to handle some CA tasks such as processing certificate requests and authenticating users
Understanding Public Key Infrastructure (PKI)
Weaknesses associated with asymmetric cryptography led to the development of PKI
PKI is a conceptual model, much like the OSI model in which public keys are made available and managed
PKI describes the means by which the public key cryptography system is going to be implemented
Description of PKI
PKI is a system that manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public keys, and CAs
For a typical enterprise: Provides end-user enrollment software Integrates corporate certificate directories Manages, renews, and revokes certificates Provides related network services and security
Uses protocol standards by which asym cryptography could be used automatically across all platforms and applications.
PKI Standards and Protocols
Two major standards are responsible for PKI Public Key Cryptography Standards (PKCS) X.509 certificate standards
Public Key Cryptography Standards (PKCS)
Numbered set of standards that have been defined by the RSA Corporation since 1991 Based on the RSA public key algorithm
Composed of 15 standards detailed on pages 318 and 319 of the text
For example: PKCS#1 defines the RSA Encryption Standard PKCS#3 defines the Diffie-Hellman key agreement PKCS#11 defines Cryptographic Token Interface Standard
(Tokens and Smart Cards) PKCS#13 defines the Elliptic Curve Cryptography Standard
X.509 Digital Certificates
X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
Most widely used certificate format for PKI
X.509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)
X509 Digital Certificates
Trust Models The foundation of PKI is based on trust Refers to the type of relationship that can exist
between people or organizations In the direct trust, a personal relationship
exists between two individuals Third-party trust refers to a situation in which
two individuals trust each other only because each individually trusts a third party
The three different PKI trust models are based on direct and/or third-party trust
Trust Models (continued)
The web of trust model is based on direct trust I trust you and you trust your brother and your
brother trusts you, so we all trust each other You can send me your brother’s public key
Single-point trust model is based on third-party trust A CA directly issues and signs certificates
In an hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it Also based on third party trust
Trust Models (continued)
Managing Digital Certificates
After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
CA certificates are issued by a CA directly to individuals
Typically used to secure e-mail transmissions through S/MIME and web transmissions through SSL/TLS
Managing Digital Certificates
Managing Digital Certificates
Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission
Software publisher certificates are provided by software publishers to verify their programs are secure
Certificate Life Cycle
Typically divided into four parts:1. Creation2. Revocation3. Expiration4. Suspension
Exploring Key Management
Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed
Centralized and Decentralized Management
Key management can either be centralized or decentralized
An example of a decentralized key management system is the PKI web of trust model
Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA
Key Storage
It is possible to store public keys by embedding them within digital certificates
This is a form of software-based storage and doesn’t involve any cryptography hardware
Another form of software-based storage involves storing private keys on the user’s local computer
Key Storage (continued)
Storing keys in hardware is an alternative to software-based keys Keys stored on hardware are stored on a
token (USB drive) or card Whether private keys are stored in
hardware or software, it is important that they be adequately protected Password protected Backed-up
Key Handling Procedures
Certain procedures can help ensure that keys are properly handled: Escrow - handled by third-party Renewal – renew before expiration Suspension – suspend but not revoke Destruction – removes the key pair Expiration – key pair expires Revocation – key revoked and invalid Recovery – key divided and given to
different parties for later recovery
Summary
One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement
A digital signature solves the problem of authenticating the sender when using asymmetric cryptography
With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications
Summary (continued)
PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991
The three PKI trust models are based on direct and third-party trust
Digital certificates are managed through CPs and CPSs