Scribd Logo
Upload

Welcome to Scribd!

  • 80 views

    Security+ Guide To Network Security Fundamentals, Third Edition

    Uploaded by

    ptman84
    The document provides an overview of cryptography concepts including digital certificates, public key infrastructure (PKI), and cryptographic transport protocols. It defines digital certificates and their components. PKI involves entities that manage the certificate lifecycle like certificate authorities and registration authorities. It describes trust models, key management procedures, and secure communication protocols like SSH, SSL/TLS, and VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd

    Security+ Guide To Network Security Fundamentals, Third Edition

    Uploaded by

    ptman84
    80 views56 pages
    The document provides an overview of cryptography concepts including digital certificates, public key infrastructure (PKI), and cryptographic transport protocols. It defines digital certificates and their components. PKI involves entities that manage the certificate lifecycle like certificate authorities and registration authorities. It describes trust models, key management procedures, and secure communication protocols like SSH, SSL/TLS, and VPNs.

    Original Title

    ch12-100129134154-phpapp01

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document provides an overview of cryptography concepts including digital certificates, public key infrastructure (PKI), and cryptographic transport protocols. It defines digital certificates and their components. PKI involves entities that manage the certificate lifecycle like certificate authorities and registration authorities. It describes trust models, key management procedures, and secure communication protocols like SSH, SSL/TLS, and VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    80 views56 pages

    Security+ Guide To Network Security Fundamentals, Third Edition

    Uploaded by

    ptman84
    The document provides an overview of cryptography concepts including digital certificates, public key infrastructure (PKI), and cryptographic transport protocols. It defines digital certificates and their components. PKI involves entities that manage the certificate lifecycle like certificate authorities and registration authorities. It describes trust models, key management procedures, and secure communication protocols like SSH, SSL/TLS, and VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    You are on page 1of 56

    Security+ Guide to Network Security Fundamentals, Third Edition

    Chapter 12 Applying Cryptography

    Objectives
    Define digital certificates List the various types of digital certificates and how they are used Describe the components of Public Key Infrastructure (PKI) List the tasks associated with key management Describe the different cryptographic transport protocols

    Digital Certificates

    Weakness of Digital Signatures


    Digital signatures require a reliable way to get public keys A forged public key could be used to forge a digital signature

    Digital Certificates
    Digital certificate
    Can be used to associate or bind a users identity to a public key The users public key that has itself been digitally signed by a reputable source entrusted to sign it

    Digital certificates make it possible for Alice to verify Bobs claim that the key belongs to him When Bob sends a message to Alice he does not ask her to retrieve his public key from a central site
    Instead, Bob attaches the digital certificate to the message

    Digital Certificates
    A digital certificate typically contains the following information:
    Owners name or alias Owners public key Name of the issuer Digital signature of the issuer Serial number of the digital certificate Expiration date of the public key

    Authorizing, Storing, and Revoking Digital Certificates


    Certificate Authority (CA)
    An entity that issues digital certificates for others A user provides information to a CA that verifies her identity The user generates public and private keys and sends the public key to the CA The CA inserts this public key into the certificate

    Registration Authority (RA)


    Handles some CA tasks such as processing certificate requests and authenticating users

    Authorizing, Storing, and Revoking Digital Certificates (continued)


    Certificate Revocation List (CRL)
    Lists revoked certificates Can be accessed to check the certificate status of other users Most CRLs can either be viewed or downloaded directly into the users Web browser

    Certificate Repository (CR)


    A publicly accessible directory that contains the certificates and CRLs published by a CA CRs are often available to all users through a Web browser interface (link Ch 12c)

    Certificate Repository

    Uses of Digital Certificates


    Bind a user's identity to a public key Encrypt channels to provide secure communication between clients and servers Encrypt messages for secure Internet e-mail communication Verify the identity of clients and servers on the Web Verify the source and integrity of signed executable code

    Types of Digital Certificates


    Personal digital certificates
    Used to send email from one person to another Free from Thawte (Link Ch 12a)

    Server digital certificates


    Used by Web servers to make HTTPS connections $250 / year from Thawte

    Software publisher digital certificates


    $300 / year from Thawte

    Extended Validation SSL

    Company must be audited and follow EV standards Company can't be "located in a country or be part of an industry identified on a government prohibited list"
    $900 / year, see Link Ch 12b

    Types of Digital Certificates (continued)


    Single-sided certificate
    Contains both the signature and the encryption information

    Dual-sided certificates
    Certificates in which the functionality is split between two certificates
    Signing certificate Encryption certificate

    Types of Digital Certificates (continued)


    Dual-sided certificate advantages:
    Reduce the need for storing multiple copies of the signing certificate Facilitate certificate handling in organizations

    X.509 Digital Certificates


    The most widely accepted format for digital certificates

    X.509 Structure

    Public Key Infrastructure (PKI)

    Managing Digital Certificates


    For Alice and Bob to use asymmetric cryptography: Alice and Bob must generate public and private keys A Certificate Authority (CA) or Registration Authority (RA) must verify the identities of Alice and Bob The certificates must be placed in a Certificate Repository (CR) When they expire, they must be placed on a Certificate Revocation List (CRL) All these things are done by Public key infrastructure (PKI)

    Public Key Infrastructure (PKI)


    Public key infrastructure involves
    Public-key cryptography standards Trust models Key management

    Public Key Infrastructure (PKI)


    A framework for all of the entities involved in digital certificates to create, store, distribute, and revoke digital certificates
    Includes hardware, software, people, policies and procedures

    PKI is digital certificate management

    Public-Key Cryptographic Standards (PKCS)


    A numbered set of PKI standards that have been defined by the RSA Corporation These standards are based on the RSA public-key algorithm

    In Windows 7 Beta: Start Internet Options Content Tab Certificates Select a Cerrtificate Export

    Trust Models
    Trust may be defined as confidence in or reliance on another person or entity Trust model
    Refers to the type of trusting relationship that can exist between individuals or entities

    Direct trust
    A relationship exists between two individuals because one person knows the other person

    Third party trust


    Refers to a situation in which two individuals trust each other because each trusts a third party

    Web of Trust
    Direct trust is not easily scaled to multiple users who each have digital certificates PGP uses a "Web of Trust" in which people trust "friends of friends"
    Not very secure or scalable (comic from xkcd.org)

    Trust Models
    Three PKI trust models that use a CA
    Hierarchical trust model Distributed trust model Bridge trust model

    Hierarchical Trust Model

    One master "root" CA signs all digital certificates with a single key Single point of failure

    Distributed Trust Model

    Used on the Internet

    Trusted Root Certification Authorities


    In Windows 7 Beta: Start Internet Options Content Tab Publishers

    Bridge Trust Model


    Used to link federal and state governments Links military and civilian ID cards

    Managing PKI
    Certificate policy (CP)
    A published set of rules that govern the operation of a PKI Provides recommended baseline security requirements for the use and operation of CA, RA, and other PKI components

    Certificate practice statement (CPS)


    Describes in detail how the CA uses and manages certificates A more technical document than a CP

    Certificate Life Cycle


    Creation Suspension
    Certificate cannot be used while suspended When an employee goes on leave

    Revocation
    Certificate goes on Certificate Revocation List (CRL) When a private key is lost

    Expiration

    Key Management

    Key Storage
    Public keys can be stored by embedding them within digital certificates
    While private keys can be stored on the users local system

    The drawback to software-based storage is that it may leave keys open to attacks Storing keys in hardware is an alternative to software-based storage Private keys can be stored on smart cards or in tokens

    Key Handling Procedures


    Escrow
    Private key is split in halves and stored by two separate trusted parties Some people want the government to have everyone's keys in escrow so they can read all encrypted documents

    Expiration Renewal

    Key Handling Procedures


    Revocation Recovery
    Key recovery agent (KRA)
    A highly trusted person authorized to recover others' keys

    M-of-N control
    A certain number of people need to agree to recover a key

    Suspension Destruction

    Cryptographic Transport Protocols

    File Transfer Protocols


    File Transfer Protocol (FTP)
    Part of the TCP/IP suite Used to connect to an FTP server

    Vulnerabilities
    Usernames, passwords, and files being transferred are in cleartext Files being transferred by FTP are vulnerable to manin-the-middle attacks

    One of the ways to reduce the risk of attack is to use encrypted Secure FTP (SFTP)

    File Transfer Protocols (continued)


    Secure Sockets Layer (SSL)
    A protocol developed by Netscape for securely transmitting documents over the Internet Uses a public key to encrypt data that is transferred over the SSL connection

    Transport Layer Security (TLS)


    A protocol that guarantees privacy and data integrity between applications communicating over the Internet An extension of SSL

    Are often referred to as SSL/TLS or TLS/SSL

    File Transfer Protocols (continued)


    A second protocol that can be used with SFTP is Secure Shell (SSH)
    Also called SFTP/SSH

    SSH
    A UNIX-based command interface and protocol for securely accessing a remote computer Suite of three utilities: slogin, scp, and ssh Both the client and server ends of the connection are authenticated using a digital certificate
    Passwords are protected by being encrypted

    SSH Commands

    Web Protocols
    Another use of SSL is to secure Web HTTP communications between a browser and a Web server Hypertext Transport Protocol over Secure Sockets Layer
    Plain HTTP sent over SSL/TLS

    Secure Hypertext Transport Protocol


    Allows clients and the server to negotiate independently encryption, authentication, and digital signature methods, in any combination, in both directions

    VPN Protocols
    Point-to-Point Tunneling Protocol (PPTP)
    Most widely deployed tunneling protocol Allows IP traffic to be encrypted and then encapsulated in an IP header to be sent across a public IP network such as the Internet Based on the Point-to-Point Protocol (PPP)

    Point-to-Point Protocol over Ethernet (PPPoE)


    Another variation of PPP that is used by DSL or cable modem connections No encryption
    Link Ch 12f

    PPTP

    VPN Protocols (continued)


    Layer 2 Tunneling Protocol (L2TP)
    Merges the features of PPTP with Ciscos Layer 2 Forwarding Protocol (L2F) L2TP is not limited to working with TCP/IP-based networks, but supports a wide array of protocols An industry-standard tunneling protocol that allows IP traffic to be encrypted
    And then transmitted over any medium that supports point-to-point delivery

    VPN Protocols (continued)


    IP Security (IPsec)
    A set of protocols developed to support the secure exchange of packets

    Because it operates at a low level in the OSI model


    IPsec is considered to be a transparent security protocol for applications, users, and software

    IPsec provides three areas of protection:


    Authentication, confidentiality, and key management

    VPN Protocols (continued)

    E-mail Transport Protocol


    S/MIME (Secure/Multipurpose Internet Mail Extensions)
    One of the most common e-mail transport protocols Uses digital certificates to protect the e-mail messages

    S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them

    You might also like