Lecture Security+ Certification: Chapter 10 - Trung tâm Athena


Document information: 34 pages, 298.13 KB

Contents

Chapter 10 - Public key infrastructure. After completing this chapter, students will be able to: Explain cryptography strengths and vulnerabilities, define public key infrastructure (PKI), manage digital certificates, explore key management.

Page 1

Chapter 10 Public Key Infrastructure

Page 2

Objectives in this Chapter

vulnerabilities

Page 3

Understanding Cryptography Strengths and Vulnerabilities

it cannot be viewed by unauthorized users, making it secure while being transmitted or stored

another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext

Page 4

Symmetric Cryptography Strengths and Weaknesses

decrypt the message

Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish

to the difficulties of managing the private key

Page 5

Asymmetric Cryptography Strengths and Vulnerabilities

instead of one

• The private key decrypts the message

• The public key encrypts the message

Page 6

Asymmetric Cryptography Strengths and Vulnerabilities (continued)

convenience, and flexibility

• Public keys can be distributed freely

they have previously encrypted the message with their private keys

computing-intensive

Page 7

Digital Signatures

the public or private key to encrypt a message; the receiver uses the other key to decrypt the message

• A digital signature helps to prove that:

  • The person sending the message with a public key is who they claim to be

  • The message was not altered

  • It cannot be denied the message was sent

Page 8

Digital Certificates

with its specific public key

about the key owner, and other optional information that is all digitally signed by a trusted third party

Page 9

Certification Authority (CA)

• The owner of the public key listed in the digital certificate can be identified to the CA in different ways

  • By their e-mail address

  • By additional information that describes the digital certificate and limits the scope of its use

• Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

Page 10

Certification Authority (CA) (continued)

to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes

accessible directory, called a Certificate Repository (CR)

Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users

Page 11

Understanding Public Key Infrastructure (PKI)

cryptography led to the development of PKI

and issue certificates for users

subordinate function, the RA

for users to refer to

Page 12

The Need for PKI

Page 13

Description of PKI

required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs

• For a typical enterprise:

  • Provides end-user enrollment software

  • Integrates corporate certificate directories

  • Manages, renews, and revokes certificates

  • Provides related network services and security

and digital certificates that automate several tasks

Page 14

PKI Standards and Protocols

PKI

• Public Key Cryptography Standards (PKCS)

• X509 certificate standards

Page 15

Public Key Cryptography Standards (PKCS)

defined by the RSA Corporation since 1991

318 and 319 of the text

Page 16

X509 Digital Certificates

the International Telecommunication Union (ITU) that defines the format for the digital certificate

(SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

Page 17

X509 Digital Certificates (continued)

Page 18

Trust Models

based on direct and third-party trust

• Refers to the type of relationship that can exist between people or organizations

• In the direct trust, a personal relationship exists between two individuals

• Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party

Page 19

Trust Models (continued)

Page 20

Trust Models (continued)

trust

• A CA directly issues and signs certificates

root certificate authority issues and signs the certificates for CAs below it

Page 21

Managing Digital Certificates

• After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer

• CA certificates are issued by a CA directly to individuals

through S/MIME and SSL/TLS

Page 22

Managing Digital Certificates (continued)

Page 23

Managing Digital Certificates (continued)

server, FTP server, or mail server to ensure a secure transmission

software publishers to verify their programs are secure

Page 24

page 325 of the text

PKI

scope

Page 25

Certificate Practice Statement (CPS)

manages certificates

and 326 of the text

Page 26

Certificate Life Cycle

 Typically divided into four parts:

Page 27

Exploring Key Management

algorithms in asymmetric and PKI systems, it is vital that they be carefully managed

Page 28

Centralized and Decentralized Management

decentralized

system is the PKI web of trust model

for single-point trust models and hierarchical trust models, with keys being distributed by the CA

Page 29

Key Storage

them within digital certificates

doesn't involve any cryptography hardware

involves storing private keys on the user's local computer

Page 30

Key Storage (continued)

software-based keys

software, it is important that they be adequately protected

Page 31

Key Usage

• If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys

information and the public key could be backed up to another location

signatures and the public key in that pair would never be backed up

Page 32

Key Handling Procedures

are properly handled:

• Destruction

Page 33

Summary

cryptography is that encryption and decryption using a private key is usually fast and easy to implement

authenticating the sender when using asymmetric cryptography

asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications

Page 34

Summary (continued)

been defined by the RSA Corporation since 1991

and third-party trust

and CPSs

Posted: 30/01/2020, 11:35