Chapter 12 Advanced Cryptography


1 Chapter 12 Advanced Cryptography
Security+ Chapter 12 Advanced Cryptography Modified 10/06/ jw

2 Objectives Define digital certificates
List the various types of digital certificates and how they are used Describe the components of Public Key Infrastructure (PKI) List the tasks associated with key management Describe the different transport encryption algorithms

3 Stuxnet Stuxnet Virus used four different Zero Day exploits on Windows platforms. In addition to the Zero Day attacks, the ‘payload’ included a stolen digital certificate that was issued by Verisign. The certificate allowed the malware to act as a trusted application and communicate with other devices.

4 Digital Certificates Common application of cryptography
Aspects of using digital certificates Understanding their purpose Knowing how they are managed Determining which type of digital certificate is appropriate for different situations

5 Defining Digital Certificates
Digital signature Used to prove a document originated from a valid sender

6

7 Defining Digital Certificates (cont’d)
Weakness of using digital signatures Digital signatures require a reliable way to get public keys A forged public key could be used to forge a digital signature Imposter could post a public key under a sender’s name Do not definitively prove who the sender is Do not confirm true identity of the sender

8 Imposter public key

9 Defining Digital Certificates (cont’d.)
Can be used to associate or “bind” a user’s identity to a public key The user’s public key that has itself been “digitally signed” by a reputable source entrusted to sign it Digital certificates make it possible for Alice to verify Bob’s claim that the key belongs to him When Bob sends a message to Alice he does not ask her to retrieve his public key from a central site Instead, Bob attaches the digital certificate to the message

10 Defining Digital Certificates (cont’d.)
SOLUTION is to use Trusted third party Used to help solve the problem of verifying identity Verifies the owner and that the public key belongs to that owner Helps prevent man-in-the-middle attack that impersonates owner of public key NOTE: Self Signed Certificates do not use a trusted third party

11 Defining Digital Certificates (cont’d.)
Information contained in a digital certificate Owner’s name or alias Owner’s public key Name of the issuer Digital signature of the issuer Serial number of the digital certificate Expiration date of the public key

12 Managing Digital Certificates
Technologies used for managing digital certificates Certificate Authority (CA) Registration Authority (RA) Certificate Revocation List (CRL) Certificate Repository (CR) Web browser

13 Managing Digital Certificates (cont’d)
Certificate Authority (CA) Trusted third-party agency responsible for issuing digital certificates A user provides information to a CA that verifies her identity The user generates public and private keys and sends the public key to the CA The CA inserts this public key into the certificate Trusted third party Can be internal or external to an organization

14 Managing Digital Certificates (cont’d.)
Duties of a CA Generate, issue, and distribute public key certificates Distribute CA certificates Generate and publish certificate status information Provide a means for subscribers to request revocation Revoke public-key certificates Maintain security, availability, and continuity of certificate issuance signing functions

15 Managing Digital Certificates (cont’d.)
Subscriber requesting a digital certificate Generate public and private keys Generate Certificate Signing Request (CSR) - Specially formatted encrypted message that validates information CA requires CA receives and verifies the CSR Inserts the public key into certificate Certificates digitally signed with private key of the issuing CA

16 Managing Digital Certificates (cont’d.)
Registration Authority (RA) Subordinate entity designed to handle specific CA tasks Offloading registration functions creates improved workflow for CA General duties of an RA Receive, authenticate, and process certificate revocation requests Identify and authenticate subscribers

17 Managing Digital Certificates (cont’d.)
General duties of an RA (cont’d.) Obtain a public key from the subscriber Verify that the subscriber possesses the asymmetric private key corresponding to the public key submitted for certification Primary function of an RA Verify identity of an individual

18 Managing Digital Certificates (cont’d.)
Means for a digital certificate requestor to identify themselves to an RA Insufficient for activities that must be very secure Documents Birth certificate, employee badge In person Providing government-issued passport or driver’s license

19 Managing Digital Certificates (cont’d.)
Certificate Revocation List (CRL) Lists digital certificates that have been revoked Can be accessed to check the certificate status of other users Most CRLs can either be viewed or downloaded directly into the user’s Web browser

20 Managing Digital Certificates (cont’d.)
Certificate Revocation List (CRL) Reasons a certificate would be revoked Certificate is no longer used Details of the certificate have changed, such as user’s address Private key has been lost or exposed (or suspected lost or exposed) Digital certificates stolen from CA

21 Certificate Revocation List (CRL)

22 Managing Digital Certificates (cont’d.)
Certificate Repository (CR) Publicly accessible centralized directory of digital certificates and CRLs published by a CA Used to view certificate status Can be managed locally as a storage area connected to the CA server CRs are often available to all users through a Web browser interface

23 Certificate Repository (CR)

24 Managing Digital Certificates (cont’d.)
Web browser management Modern Web browsers preconfigured with default list of CAs Advantages Users can take advantage of digital certificates without need to manually load information Users do not need to install a CRL manually Automatic updates feature will install them automatically if feature is enabled

25 Trusted Root Certification Authorities
In MS Windows: Start > Internet Options > Content Tab > Publishers

26 Online Certificate Status Protocol (OCSP)
Online Certificate Status Protocol (OCSP) - Performs real-time lookup of a certificate’s status OCSP is called “request-response protocol” Browser sends certificate's information to a trusted entity like the CA, known as an OCSP Responder OCSP Responder then provides immediate revocation information on that one specific certificate

27 OCSP Stapling OCSP stapling - Variation of OCSP
OCSP requires OCSP Responder provide responses to every web client of certificate in real time; generates high volume of traffic OCSP stapling - Web servers send queries to Responder OCSP server at regular intervals to receive a signed time-stamped OCSP response When Web browser attempts to connect to web server the server can include (staple) in handshake previously received OCSP response

28 OCSP Stapling (Figure 6-4)
A figure of OCSP Stapling. The Web server connects by a line to the OCSP Responder with the line labeled “Step 1: is this certificate valid?” A line from the Responder back to the Web server is labeled “Step 2: Yes here is a signed approval.” A line from the Web server connects to the Web browser and is labeled “Step 3: I want to connect.” A line from the Web server to the Web browser says “Step 4: Here is the approval.”

29 Uses of Digital Certificates
Bind a user's identity to a public key Encrypt channels to provide secure communication between clients and servers Encrypt messages for secure Internet communication Verify the identity of clients and servers on the Web Verify the source and integrity of signed executable code

30 Types of Digital Certificates
Different categories of digital certificates Class 1 through Class 5 Dual-key sided Dual sided

31 Common Categories of Digital Certificates
Personal digital certificates Used to send from one person to another Server digital certificates Used by Web servers to make HTTPS connections $200 to $300 / year from Thawte & Verisign $30 / year GoDaddy Software publisher digital certificates $300 / year from Thawte

32 Types of Digital Certificates (cont’d.)
Class 1: personal digital certificates Issued by an RA directly to individuals Frequently used to secure transmissions Typically only require user’s name and address to receive Users can create Microsoft Word or Adobe Portable Document Format (PDF) document and then use digital certificate to create digital signature

33 Types of Digital Certificates (cont’d.)
Class 2: Server Digital certificates Issued from a server (Web, , etc) to a client Ensure authenticity of a Server Ensure authenticity of the cryptographic connection to a Server

34 Figure 12-5 Server digital certificate
© Cengage Learning 2012

35 Cryptographic Handshake: Steps 1-2
Web servers set up secure cryptographic “handshake” connections so that all transmitted data is encrypted by providing server’s public key with digital certificate to client Browser sends message ("ClientHello") to server that contains information, including list of cryptographic algorithms that client supports Web server responds ("ServerHello") by indicating which cryptographic algorithm will be used, and then sends the server digital certificate to browser

36 Cryptographic Handshake: Steps 3-4
Browser verifies server certificate (not expired) and extracts server’s public key; browser generates random value (pre-master secret), encrypts it with server’s public key and sends back to server ("ClientKeyExchange"). Server decrypts message and obtains browser’s pre-master secret; both browser and server can each create the same master secret that is used to create session keys (symmetric keys to encrypt/decrypt information exchanged during session and to verify integrity)

37 Server Digital Certificate Handshake
Server Digital Certificate Handshake (Figure 6-5) A figure with a Web browser on the left and a Web server on the right. A line from the browser to the server says “1. ClientHello Cryptographic Information.” A line from the server to the browser says “2. ServerHello Algorithms supported Server digital certificate.” The web browser says, “3. Verifies certificate and creates pre-master secret.” The web browser and web server says, “4. Creates master secret and session keys.”
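Step 4 of the handshake above, as an added example that is not part of the original slides: both sides turn the pre-master secret into a master secret and then into session keys. The slides name no protocol version, so the TLS 1.2 PRF from RFC 5246 and the key sizes of an AES-128-CBC/SHA-256 suite are assumptions here, and all function names are illustrative.

```python
import hashlib
import hmac
import os
from typing import NamedTuple


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                       # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


class SessionKeys(NamedTuple):
    client_mac: bytes   # integrity key for browser -> server records
    server_mac: bytes   # integrity key for server -> browser records
    client_enc: bytes   # symmetric encryption key, browser -> server
    server_enc: bytes   # symmetric encryption key, server -> browser


def derive_master_secret(pre_master: bytes, client_random: bytes,
                         server_random: bytes) -> bytes:
    # The randoms come from ClientHello and ServerHello (steps 1-2).
    return prf(pre_master, b"master secret",
               client_random + server_random, 48)


def derive_session_keys(master: bytes, client_random: bytes,
                        server_random: bytes,
                        mac_len: int = 32, enc_len: int = 16) -> SessionKeys:
    # Key expansion uses the randoms in the opposite order (server first).
    block = prf(master, b"key expansion",
                server_random + client_random, 2 * mac_len + 2 * enc_len)
    parts, pos = [], 0
    for size in (mac_len, mac_len, enc_len, enc_len):
        parts.append(block[pos:pos + size])
        pos += size
    return SessionKeys(*parts)


def demo() -> bool:
    """Constructed handshake values; returns True if both sides agree."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    # Step 3: 2 version bytes + 46 random bytes. The RSA encryption under the
    # certificate's public key is not shown; assume the server decrypted it.
    pre_master = b"\x03\x03" + os.urandom(46)
    browser = derive_session_keys(
        derive_master_secret(pre_master, client_random, server_random),
        client_random, server_random)
    server = derive_session_keys(
        derive_master_secret(pre_master, client_random, server_random),
        client_random, server_random)
    return browser == server


if __name__ == "__main__":
    print("both sides derived identical session keys:", demo())
```

Only the pre-master secret crosses the wire, and only encrypted; the master secret and session keys are computed independently on each side, which is why the certificate check in step 3 matters so much.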

38 Types of Digital Certificates (cont’d.)
Class 2: server digital certificates (cont’d.) Server authentication and secure communication can be combined into one certificate Displays padlock icon in the browser Click padlock icon to display information about the digital certificate

39 Padlock icon and certificate information

40 Extended Validation SSL Certificate (EV SSL)
Enhanced type of server digital certificate that requires more extensive verification of legitimacy of the business CA must pass an independent audit verifying that it follows the EV standards. Existence and identity of the website owner, including its legal existence, physical address, and operational presence, must be verified by the CA. CA must verify that the website is registered holder and has exclusive control of domain name

41 Extended Validation SSL
Company must be audited and follow EV standards Company can't be "located in a country or be part of an industry identified on a government prohibited list" $400 / year

42 Types of Digital Certificates (cont’d.)
Class 3: software publisher digital certificates Provided by software publishers Purpose: verify programs are secure and have not been tampered with

43 Types of Digital Certificates (cont’d.)
Class 3: software publisher digital certificates

44 Types of Digital Certificates (cont’d.)
Specialized classes of digital certificates: Class 4 Online business transactions between companies Class 5 Private organizations or governmental security

45 Managing Digital Certificates
For Alice and Bob to use asymmetric cryptography: Alice and Bob must generate public and private keys A Certificate Authority (CA) or Registration Authority (RA) must verify the identities of Alice and Bob The certificates must be placed in a Certificate Repository (CR) When they expire, they must be placed on a Certificate Revocation List (CRL) All these things are done by Public key infrastructure (PKI)

46 Public Key Infrastructure (PKI)
Important management tool for the use of: Digital certificates: Asymmetric cryptography Aspects of PKI Public-key cryptography standards Trust models Key management

47 What is Public Key Infrastructure (PKI)?
Need for consistent means to manage digital certificates PKI is digital certificate management PKI: framework for all entities involved in digital certificates Includes hardware, software, people, policies and procedures Certificate management actions facilitated by PKI Create Store Distribute Revoke

48 Public-Key Cryptographic Standards (PKCS)
Numbered set of PKI standards defined by the RSA Corporation Widely accepted in industry Based on the RSA public-key algorithm Composed of 15 standards

49 Trust Models Trust may be defined as confidence in or reliance on another person or entity Trust model Refers to the type of trusting relationship that can exist between individuals or entities Direct trust A relationship exists between two individuals because one person knows the other person Third party trust Refers to a situation in which two individuals trust each other because each trusts a third party

50 Web of Trust Direct trust is not easily scaled to multiple users who each have digital certificates PGP uses a "Web of Trust" in which people trust "friends of friends" Not very secure or scalable (comic from xkcd.org)

51 Trust Models (cont’d) Four PKI trust models that use a CA
Hierarchical trust model Distributed trust model Bridge trust model Hybrid trust model

52 Trust Models (cont’d) Hierarchical trust model
also known as a tree—a root CA at the top provides all the information Bridge trust model a peer-to-peer relationship exists between the root CAs Mesh trust model expands the concepts of the bridge model by supporting multiple paths and multiple root CAs Hybrid trust model can use the capabilities of any or all of the structures discussed in the previous sections

53 Trust Models (cont’d.) Hierarchical trust model
Assigns single hierarchy with one master CA called the root Root signs all digital certificate authorities with a single key Can be used in an organization where one CA is responsible for only that organization’s digital certificates Hierarchical trust model has several limitations Single CA private key may be compromised rendering all certificates worthless

54 One master "root" CA signs all digital certificates with a single key
Figure 12-8 Hierarchical trust model Single point of failure

55 Trust Models (cont’d.) Distributed trust model
Multiple CAs sign digital certificates Eliminates limitations of hierarchical trust model Used on the Internet

56 Distributed Trust Model

57 Trust Models (cont’d.) Bridge trust model
One CA acts as facilitator to connect all other CAs Facilitator CA does not issue digital certificates Acts as hub between hierarchical and distributed trust model Allows the different models to be linked

58 Trust Models (cont’d.) Bridge trust application examples
Federal and state governments Pharmaceutical industry Aerospace industry

59 Bridge Trust Model
Used to link federal and state governments Links military and civilian ID cards

60 Managing PKI Certificate Policy (CP)
Published set of rules that govern operation of a PKI Provides recommended baseline security requirements for use and operation of CA, RA, and other PKI components Certificate Practice Statement (CPS) Describes in detail how the CA uses and manages certificates A more technical document than a CP

61 Managing PKI (cont’d.) Certificate life cycle
Creation Occurs after user is positively identified Suspension Certificate cannot be used while suspended May occur when employee on leave of absence Revocation Certificate goes on Certificate Revocation List (CRL) When a private key is lost Certificate no longer valid Expiration Key can no longer be used

62 Key Management

63 Key Storage
Means of public key storage Embedding within digital certificates Means of private key storage Stored on user’s local system The drawback to software-based storage is that it may leave keys open to attacks Alternative: storing private keys in hardware Tokens Smart-cards

64 Key Usage Multiple pairs of dual keys
Created if more security needed than single set of public/private keys One pair used to encrypt information Public key backed up in another location Second pair used only for digital signatures Public key in that pair never backed up

65 Key-Handling Procedures
Key escrow Keys managed by a third party Private key is split and each half is encrypted Two halves sent to third party, which stores each half in separate location User can retrieve and combine two halves and use this new copy of private key for decryption Expiration Keys expire after a set period of time

66 Key-Handling Procedures (cont’d.)
Renewal Existing key can be renewed Revocation Key may be revoked prior to its expiration date Revoked keys may not be reinstated

67 Key-Handling Procedures (cont’d.)
Recovery Need to recover keys of an employee hospitalized for extended period Key recovery agent (KRA) may be used A highly trusted person authorized to recover others' keys Group of people may be used (M-of-N control) A certain number of people need to agree to recover a key

68 Figure 12-11 M-of-N control

69 Key-Handling Procedures (cont’d.)
Suspension Suspended for a set period of time and then reinstated Destruction Removes all public and private keys and user’s identification from the CA

70 Cryptographic Transport Protocols

71 Transport Encryption Algorithms
Secure Sockets Layer (SSL) A protocol developed by Netscape for securely transmitting documents over the Internet Uses a public key to encrypt data that is transferred over the SSL connection Transport Layer Security (TLS) A protocol that guarantees privacy and data integrity between applications communicating over the Internet An extension of SSL Are often referred to as SSL/TLS or TLS/SSL Both provide server and client authentication, and data encryption

72 Secure Shell (SSH) Secure encrypted alternative to Telnet protocol used to access remote computers Linux/UNIX-based command interface and protocol Suite of three utilities: slogin, ssh, and scp Client and server ends of connection are authenticated using a digital certificate Passwords and traffic are encrypted Can be used as a tool for secure network backups TCP Port 22

73 Table 12-3 SSH commands

74 Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
Another use of SSL is to secure Web HTTP communications between a browser and a Web server Secure Web Hypertext Transport Protocol (HTTPS) communications between browser and Web server Users must enter URLs with “Plain” HTTP sent over SSL/TLS Secure Hypertext Transport Protocol (SHTTP) Cryptographic transport protocol released as a public specification Supports a variety of encryption types, including 3DES Not as widely used as HTTPS Security+ Guide to Network Security Fundamentals, Fourth Edition

75 HTTPS continued Are you safe with your Web Browser using SSL / TLS?

76 IP Security (IPsec) Open System Interconnection (OSI) model
Security tools function at different layers Operating at higher levels such as Application layer Advantage: tools designed to protect specific applications Disadvantage: multiple security tools may be needed

77 IP Security (IPsec) (cont’d)
A set of protocols developed to support the secure exchange of packets Because it operates at a low level in the OSI model IPsec is considered to be a transparent security protocol for applications, users, and software IPsec provides three areas of protection: Authentication, confidentiality, and key management

78 Security tools and the OSI model

79 IP Security (cont’d.) IPsec considered transparent to:
Applications Users Software Located in the operating system or communication hardware Supports two encryption modes: transport and tunnel

80 Figure 12-13 New IPsec packet using transport or tunnel mode

81 Summary Digital certificate provides third party verification of public key owner’s identity A Certificate Authority issues digital certificates for others Personal digital certificates are issued by an RA to individuals Server digital certificates ensure authenticity of a Web server and its cryptographic connection

82 Summary (cont’d.) PKI is a framework for all entities involved in digital certificates Three basic PKI trust models exist Cryptography can protect data as it is being transported across a network SSL/TLS is a widely used algorithm IPsec supports a secure exchange of packets Considered to be a transparent security protocol

