Lecture: Security+ Guide to Network Security Fundamentals, Chapter 9. Objectives: explain cryptography strengths and vulnerabilities, define public key infrastructure (PKI), manage digital certificates, and explore key management.
Chapter 9: Using and Managing Keys
Security+ Guide to Network Security Fundamentals
Second Edition
• Explain cryptography strengths and vulnerabilities
• Define public key infrastructure (PKI)
• Manage digital certificates
• Explore key management
Understanding Cryptography Strengths and Vulnerabilities
• Cryptography is the science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
• When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext
Symmetric Cryptography Strengths and Weaknesses
• Identical keys are used to both encrypt and decrypt the message
• Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish
• Disadvantages of symmetric encryption relate to the difficulties of managing the private key
Asymmetric Cryptography Strengths and Vulnerabilities
• With asymmetric encryption, two keys are used instead of one
– The private key encrypts the message
– The public key decrypts the message
Asymmetric Cryptography Strengths and Vulnerabilities (continued)
• Can greatly improve cryptography security, convenience, and flexibility
• Public keys can be distributed freely
• Users cannot deny they have sent a message if they have previously encrypted the message with their private keys
• Primary disadvantage is that it is computing-intensive
Digital Signatures
• Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message
• A digital signature helps to prove that:
– The person sending the message with a public key is who they claim to be
– The message was not altered
– It cannot be denied the message was sent
Certification Authority (CA)
• The owner of the public key listed in the digital certificate can be identified to the CA in different ways
– By their e-mail address
– By additional information that describes the digital certificate and limits the scope of its use
• Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users
Certification Authority (CA) (continued)
• The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes
• Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)
• Some organizations set up a Registration Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users
Understanding Public Key Infrastructure (PKI)
• Weaknesses associated with asymmetric cryptography led to the development of PKI
• A CA is an important trusted party who can sign and issue certificates for users
• Some of its tasks can also be performed by a subordinate function, the RA
• Updated certificates and CRLs are kept in a CR for users to refer to
The Need for PKI
Description of PKI
• Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs
• For a typical enterprise:
– Provides end-user enrollment software
– Integrates corporate certificate directories
– Manages, renews, and revokes certificates
– Provides related network services and security
• Typically consists of one or more CA servers and digital certificates that automate several tasks
PKI Standards and Protocols
• A number of standards have been proposed for PKI
– Public Key Cryptography Standards (PKCS)
– X.509 certificate standards
Public Key Cryptography Standards (PKCS)
• Numbered set of standards that have been defined by the RSA Corporation since 1991
• Composed of 15 standards detailed on pages 318 and 319 of the text
X.509 Digital Certificates
• X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
• Most widely used certificate format for PKI
• X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)
X.509 Digital Certificates (continued)
Trust Models
• The three different PKI trust models are based on direct and third-party trust
Trust Models (continued)
• The web of trust model is based on direct trust
• Single-point trust model is based on third-party trust
– A CA directly issues and signs certificates
• In a hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it
Managing Digital Certificates
• After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
• CA certificates are issued by a CA directly to individuals
• Typically used to secure e-mail transmissions through S/MIME and SSL/TLS
Managing Digital Certificates (continued)
• Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission
• Software publisher certificates are provided by software publishers to verify their programs are secure
Certificate Policy (CP)
• Published set of rules that govern operation of a PKI
• Begins with an opening statement outlining its scope
• Should cover at a minimum the topics listed on page 325 of the text
Certificate Practice Statement (CPS)
• More technical document compared to a CP
• Describes in detail how the CA uses and manages certificates
• Covers topics such as those listed on pages 325 and 326 of the text
Certificate Life Cycle
• Typically divided into four parts:
– Creation
– Revocation
– Expiration
– Suspension
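The life-cycle states above, combined with the CRL described earlier, as an added example that is not part of the original lecture: a Python check that classifies a certificate as expired, revoked, suspended or valid. The `Cert` and `Crl` classes, serial numbers and dates are constructed for illustration; the reason codes are the CRL reason codes of RFC 5280, where suspension appears as `certificateHold`, and treating a stale CRL as "unknown" is a fail-closed assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# CRL reason codes from RFC 5280; certificateHold is how a CRL records suspension.
KEY_COMPROMISE, CERTIFICATE_HOLD = 1, 6

@dataclass
class Cert:                      # hypothetical, minimal view of a certificate
    serial: int
    not_before: datetime         # creation: start of the validity period
    not_after: datetime          # expiration: end of the validity period

@dataclass
class Crl:                       # hypothetical, minimal view of a CRL
    this_update: datetime
    next_update: datetime        # after this time the list is stale
    entries: dict                # serial number -> reason code

def cert_status(cert, crl, now):
    """Classify a certificate against its validity period and a CRL."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"         # expired certificates may be dropped from CRLs
    reason = crl.entries.get(cert.serial)
    if reason == CERTIFICATE_HOLD:
        return "suspended"       # temporary: the CA may release the hold
    if reason is not None:
        return "revoked"         # permanent, even if the CRL itself is old
    if now > crl.next_update:
        return "unknown"         # stale CRL cannot prove "not revoked"
    return "valid"

# Constructed sample data: three certificates issued on the same day.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = Crl(this_update=T0 + timedelta(days=100),
                 next_update=T0 + timedelta(days=107),
                 entries={1002: KEY_COMPROMISE, 1003: CERTIFICATE_HOLD})

def sample_cert(serial):
    return Cert(serial, T0, T0 + timedelta(days=365))

if __name__ == "__main__":
    now = T0 + timedelta(days=101)
    for serial in (1001, 1002, 1003):
        print(serial, cert_status(sample_cert(serial), SAMPLE_CRL, now))
```

Only the "valid" result should be accepted by a relying party; every other status, including "unknown", means the certificate must not be trusted at that moment.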
Exploring Key Management
• Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed
Centralized and Decentralized
Key Storage
• Another form of software-based storage involves storing private keys on the user’s local computer
Key Storage (continued)
• Storing keys in hardware is an alternative to software-based keys
• Whether private keys are stored in hardware or software, it is important that they be adequately protected
Key Usage
• If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys
• One pair of keys may be used to encrypt information and the public key could be backed up to another location
• The second pair would be used only for digital signatures and the public key in that pair would never be backed up
Key Handling Procedures
• Certain procedures can help ensure that keys are properly handled:
– Escrow
– Expiration
– Renewal
– Revocation
– Recovery
– Suspension
– Destruction
• One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement
• A digital signature solves the problem of authenticating the sender when using asymmetric cryptography
• With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications