06 APPLYING CRYPTOGRAPHY

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
CP3397 ECommerce.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Lecture 23 Internet Authentication Applications
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Chapter 5 Network Security Protocols in Practice Part I
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Security+ Guide to Network Security Fundamentals, Fourth Edition
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
PKI & SSL Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
JSSE API University of Palestine Eng. Wisam Zaqoot April 2010.
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
Digital Certificates With Chuck Easttom. Digital Signatures  Digital Signature is usually the encryption of a message or message digest with the sender's.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
Securing Data at the Application Layer Planning Authenticity and Integrity of Transmitted Data Planning Encryption of Transmitted Data.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Lecture 5.3: Key Distribution: Public Key Setting CS 436/636/736 Spring 2012 Nitesh Saxena.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Unit 1: Protection and Security for Grid Computing Part 2
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Module 9: Fundamentals of Securing Network Communication.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Security in ebXML Messaging CPP/CPA Elements. Elements of Security P rivacy –Protect against information being disclosed or revealed to any entity not.
ELECTROINC COMMERCE TOOLS Chapter 6. Outline 6.0 Introduction 6.1 PUBLIC KEY INFRASTRUCTURE (PKI) AND CERTIFICATE AUTHORITIES (CAs) TRUST
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
This courseware is copyrighted © 2016 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to.
Encryption and Security Tools for IA Management Nick Hornick COSC 481 Spring 2007.
Chapter 12 Advanced Cryptography
Security+ Guide to Network Security Fundamentals, Fifth Edition
Key management issues in PGP
IS3230 Access Security Unit 9 PKI and Encryption
CompTIA Security+ Study Guide (SY0-401)
CompTIA Security+ Study Guide (SY0-501)
Security in ebXML Messaging
Presentation transcript:

06 APPLYING CRYPTOGRAPHY NETWORK SECURITY 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY Contents 6.1 Digital Certificates 6.2 Pubic Key Infrastructure 6.3 Key Management 6.4 Cryptographic Transport Protocols 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Alice receives a package containing an encrypted document from Bob. It is secure as it was encrypted. Yet how can she know that it came from Bob? Because Alice’s asymmetric public key is widely available, anyone could use it to encrypt the document. The answer is to use a digital signature. 06 APPLYING CRYPTOGRAPHY

6.1 Digital Certificates 06 APPLYING CRYTOGRAPHY Alice must retrieve Bob’s public key, how can Alice be sure that it is actually Bob’s key that she is retrieving? What if an imposter posted that public key under Bob’s name? 06 APPLYING CRYTOGRAPHY

6.1 Digital Certificates 06 APPLYING CRYTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates 6.1.1 Defining Digital Certificates Digital certificates can be used to associate or “bind” a user’s identity to a public key. A digital certificate is the user’s public key that has itself been “digitally signed” by a reputable source entrusted to sign it. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Digital certificates prevent a man-in-the-middle attack that impersonates the owner of the public key. Digital certificates can also be used to identify objects other than users, such as servers and applications. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates A digital certificate typically contains the following information: Owner’s name or alias Owner’s public key Name of the issuer Digital signature of the issuer Serial number of the digital certificate Expiration date of the public key 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates 6.1.2 Authorizing, Storing and Revoking Several entities and technologies are used for authorizing, storing, and revoking digital certificates. These include the Certificate Authority (CA) and Registration Authority (RA), a Certificate Repository (CR), and a Certificate Revocation List (CRL). 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Authority (CA) & Registration (RA) Instead of a user verifying his own identity, a third-party person or agency is used. An entity that issues digital certificates for others is known as a Certificate Authority (CA). 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates A user provides information to a CA that verifies her identity. Also, the user generates public and private keys and sends the public key to the CA (or in some instances the CA may create the keys). The CA inserts this public key into the certificate. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates A CA can be external to the organization, or it can be a CA internal to the organization. Some organizations set up a subordinate entity, called a Registration Authority (RA), to handle some CA tasks such as processing certificate requests and authenticating users. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Certificate Revocation List (CRL) Digital certificates normally have an expiration date. Expired digital certificates should then be revoked. Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Certificate Repository (CR) It is important that the CA publishes the certificates and CRLs to a directory. This directory can be managed locally or in a publicly accessible directory, which is called a Certificate Repository (CR). 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates 6.1.3 Types of Digital Certificates There are different types of digital certificates. In addition, some digital certificates are single-side while others can be dual-sided. Also, standards exist for digital certificates. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates In addition to being used to verify the sender’s identity, digital certificates can also be used to: Encrypt channels to provide secure communication between clients and servers Encrypt messages for secure Internet e-mail communication Verify the identity of clients and servers on the Web 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Verify the source and integrity of signed executable code There are three basic categories of digital certificates: personal digital certificates, Server digital certificates, and software publisher digital certificates. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Personal Digital Certificates Personal digital certificates are issued by a CA or RA directly to individuals. Personal digital certificates are typically used to secure e-mail transmissions. Digital certificates can also be used to authenticate the authors of documents. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Server Digital Certificates Server digital certificates are often issued from a Web server to a client. Typically perform two functions. First, they can ensure the authenticity of the Web server. Second, server certificates can ensure the authenticity of the cryptographic connection to the Web server. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Most server digital certificates combine both server authentication and secure communication between clients and servers on the Web. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Software Publisher Digital Certificates Software publisher digital certificates are provided by software publishers. The purpose of these certificates is to verify that their programs are secure and have not been tampered with. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Single Side and Dual Side Digital certificates can be either single-sided or dual-sided. When Bob sends one digital certificate to Alice along with his message, that is known as a single-sided certificate. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Dual-sided certificates are certificates in which the functionality is split between two certificates. The signing certificate is used to sign a message to prove that that sender is authentic. The encryption certificate is used for the actual encryption of the message. With single-sided certificates it is necessary to have a backup copy of the certificate with each e-mail message in order to ensure that the e-mail could be decrypted again later if necessary. With dual-sided certificates only the encryption certificate must be repeatedly backed up, while the signing certificate could be retained once on the system. This reduces the risk of having multiple copies of certificates that could be maliciously used by attackers. Second, dual-sided certificates facilitate certificate handling in organizations. Copies of each employee’s encryption certificates can be kept in a central storage repository. This permits the organization, if necessary, to access any encrypted messages of any employees. Because it is not necessary to keep copies of individual employee signing certificates, this makes an employee’s digital certificate unavailable for another employee to use maliciously. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates Dual-sided certificates have two advantages. First, dual-sided certificates reduce the need for storing multiple copies of the signing certificate. Second, dual-sided certificates facilitate certificate handling in organizations. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates X.509 Digital Certificates The most widely accepted format for digital certificates is defined by the International Telecommunication Union (ITU) X.509 international standard. X.509 V1 first appeared in 1988. X.509 V2 supported new issuer and subject identifier fields that were absent from Version 1. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates The current version, X.509 V3, was defined in 1996, and introduced the extension field. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.1 Digital Certificates 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure One of the important management tools for the use of digital certificates and asymmetric cryptography is public key infrastructure. Public key infrastructure involves public-key cryptography standards, trust models, and key management. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 6.2.1 What is Public Key Infrastructure In an organization where multiple users have multiple digital certificates, it quickly can become overwhelming to manage all of these entities. In short, there needs to be a consistent means to manage digital certificates. Public key infrastructure (PKI) is just that. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure It is a framework for all of the entities involved in digital certificates—including hardware, software, people, policies and procedures—to create, store, distribute, and revoke digital certificates. In short, PKI is digital certificate management. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure PKI is often erroneously applied to a broader range of cryptography topics beyond managing digital certificates. It is sometimes defined as that which supports “other public key-enabled security services” or “certifying users of a security application.” 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 6.2.2 Public-Key Cryptographic Standards (PKCS) Public-key cryptography standards (PKCS) is a numbered set of PKI standards that have been defined by the RSA Corporation. These standards are based on the RSA public-key algorithm. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure Applications and products that are developed by vendors may choose to support the PKCS standards. For example, Microsoft Windows Vista provides native support for exporting digital certificates based on PKCS #7 and #12. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 6.2.3 Trust Model Trust may be defined as confidence in or reliance on another person or entity. A trust model refers to the type of trusting relationship that can exist between individuals or entities. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure In one type of trust model, direct trust, a relationship exists between two individuals because one person knows the other person. Direct trust is not feasible when dealing with multiple users who each have digital certificates. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure A third party trust refers to a situation in which two individuals trust each other because each trusts a third party. This is the role that a CA plays: for example, it verifies Mary, Amanda, and Javier to Alice. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure There are essentially three PKI trust models that use a CA. These are the hierarchical trust model, the distributed trust model, and the bridge trust model. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure Hierarchical Trust Model The hierarchical trust model assigns a single hierarchy with one master CA called the root. This root signs all digital certificate authorities with a single key. A hierarchical trust model can be used in an organization where one CA or RA is responsible. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure Distributed Trust Model Instead of having a single CA as in the hierarchical trust model, the distributed trust model has multiple CAs that sign digital certificates. The distributed trust model is the basis for digital certificates issued by Internet users. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure Bridge Trust Model The bridge trust model is similar to the distributed trust model in that there is no single CA that signs digital certificates. However, with the bridge trust model there is one CA that acts as a “facilitator” to interconnect all other CAs. 06 APPLYING CRYPTOGRAPHY

6.2 Public Key Infrastructure 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.3 Key Management Keys form the very foundation of PKI systems it is important to be carefully managed. A quick look at Certificate Life Cycle of PKI: Creation: the certificate is created and issued to the user. Suspension: if the certificate’s validity must be temporarily suspended. Revocation: the certificate is no longer valid. Expiration: the certificate can no longer be used. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.3 Key Management Key Storage The means of storing keys in a PKI system is important. Public keys can be stored by embedding them within digital certificates. Private keys can be stored on the user’s local system. Drawback to software-based storage: may leave keys open to attacks: vulnerabilities in the client OS may expose keys to attackers. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.3 Key Management Key Usage If more security is needed than a single set of public and private keys, multiple pairs of dual keys can be created. One pair of keys may be used to encrypt information and the public key could be backed up to another location. Second pair would be used only for digital sig- natures and the public key in that pair would never be backed up. In the event that the public encryption key was stolen, the attacker would still not be able to digitally sign the document. Proper key management includes key storage, key usage, and key handling procedures. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.3 Key Management Key Handling Procedures in key handling: Escrow – refers to a situation in which keys are managed by a third party, such as a trusted CA. Expiration – Keys have expiration dates. Some systems set keys to expire after a set period of time by default. Renewal – an existing key can be renewed, no need to generate new keys. Revocation – all keys should expire after a set period of time, a key may need to be revoked prior to its expiration date. revoked keys cannot be reinstated. 06 APPLYING CRYPTOGRAPHY

06 APPLYING CRYPTOGRAPHY 6.3 Key Management Key Handling Procedures in key handling (cont’d): Recovery – What happens if an employee is hospitalized for an extended period, yet the organization needs to transact business using her keys? Different techniques may be used. Suspension – the revocation of a key is permanent; key suspension is for a set period of time. A suspended key can be later reinstated. Destruction – key destruction removes all private and public keys along with the user’s identification information in the CA. When a key is revoked or expires, the user’s information remains on the CA for audit purposes. The reason for distributing parts of the key to multiple users is that the absence of one member would not prevent the key from being recovered. 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols File Transfer Protocol does not use encryption usernames, passwords, and files are transferred are in clear-text. very vulnerable to MITM attacks one way to secure it is using SFTP 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols Secure Socket Layer (SSL)/Transport Layer Security (TLS) SSL uses a public key to encrypt data that is transferred over the SSL connection. TLS a protocol that guarantees privacy and data integrity TLS is an extension of SSL Often referred as SSL/TLS SSL/TLS TLS Handshake Protocol  authentication TLS Record Protocol  encryption 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols Secure Shell (SSH) a UNIX-based command interface and protocol for securely accessing a remote computer. SSH is actually a suite of three utilities—slogin, scp, and ssh— that are secure versions of the unsecure UNIX counterpart utilities rlogin, rcp, and rsh. These commands are summarized in Table 12-3. Both the client and server ends of the connection 12 are authenticated using a digital certificate, and passwords are protected by being encrypted. SSH can even be used as a tool for secure network backups. 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols Web Protocols originally insecure, port 80 to secure it: HTTP over SSL/TLS  HTTPS, port 443 SHTTP  not widely used 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols VPN Protocols (Tunneling) securing the communication channel there are many tunneling protocols: PPTP L2TP L3TP IPSec etc (combination L2TP/IPSec, L3TP/IPSec). 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols PPTP most widely used (a part of Windows OS) IP traffic in encrypted and then sent over public network 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols IPSec a set of protocols to securely exchange packets Applications – no need to modify to run under IPsec. Users – do not need to be trained on specific security procedures. Software – no changes needed at local client, as IPsec is implemented in a device 06 APPLYING CRYPTOGRAPHY

6.4 Cryptographic Transport Protocols E-mail Transport Protocol S/MIME uses digital certificates to protect the e-mail messages. S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them. 06 APPLYING CRYPTOGRAPHY