Security+ Guide to Network Security Fundamentals, Fourth Edition


1 Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 12 Advanced Cryptography

2 Objectives
- Define digital certificates
- List the various types of digital certificates and how they are used
- Describe the components of Public Key Infrastructure (PKI)
- List the tasks associated with key management
- Describe the different transport encryption algorithms

3 Digital Certificates
- Common application of cryptography
- Aspects of using digital certificates
  - Understanding their purpose
  - Knowing how they are managed
  - Determining which type of digital certificate is appropriate for different situations

4 Defining Digital Certificates
- Digital signature
  - Used to prove a document originated from a valid sender
- Weakness of using digital signatures
  - Imposter could post a public key under a sender’s name

5 Figure 12-1 Imposter public key
© Cengage Learning 2012

6 Defining Digital Certificates (cont’d.)
- Trusted third party
  - Used to help solve the problem of verifying identity
  - Verifies the owner and that the public key belongs to that owner
  - Helps prevent a man-in-the-middle attack that impersonates the owner of the public key
- Information contained in a digital certificate
  - Owner’s name or alias
  - Owner’s public key
  - Issuer’s name

7 Defining Digital Certificates (cont’d.)
- Information contained in a digital certificate (cont’d.)
  - Issuer’s digital signature
  - Digital certificate’s serial number
  - Expiration date of the public key

8 Managing Digital Certificates
- Technologies used for managing digital certificates
  - Certificate Authority (CA)
  - Registration Authority (RA)
  - Certificate Revocation List (CRL)
  - Certificate Repository (CR)
  - Web browser
- Certificate Authority
  - Trusted third party
  - Responsible for issuing digital certificates
  - Can be internal or external to an organization

9 Managing Digital Certificates (cont’d.)
- Duties of a CA
  - Generate, issue, and distribute public key certificates
  - Distribute CA certificates
  - Generate and publish certificate status information
  - Provide a means for subscribers to request revocation
  - Revoke public-key certificates
  - Maintain the security, availability, and continuity of the certificate issuance and signing functions

10 Managing Digital Certificates (cont’d.)
- Subscriber requesting a digital certificate
  - Generates public and private keys
  - Sends public key to CA
  - CA may in some instances create the keys
- CA inserts public key into certificate
- Certificates are digitally signed with the private key of the issuing CA

11 Managing Digital Certificates (cont’d.)
- Registration Authority
  - Subordinate entity designed to handle specific CA tasks
  - Offloading registration functions creates improved workflow for the CA
- General duties of an RA
  - Receive, authenticate, and process certificate revocation requests
  - Identify and authenticate subscribers

12 Managing Digital Certificates (cont’d.)
- General duties of an RA (cont’d.)
  - Obtain a public key from the subscriber
  - Verify that the subscriber possesses the asymmetric private key corresponding to the public key submitted for certification
- Primary function of an RA
  - Verify the identity of an individual

13 Managing Digital Certificates (cont’d.)
- Means for a digital certificate requestor to identify themselves to an RA
  - Documents: birth certificate, employee badge
    - Insufficient for activities that must be very secure
  - In person: providing a government-issued passport or driver’s license

14 Managing Digital Certificates (cont’d.)
- Certificate Revocation List
  - Lists digital certificates that have been revoked
- Reasons a certificate would be revoked
  - Certificate is no longer used
  - Details of the certificate have changed, such as the user’s address
  - Private key has been lost or exposed (or is suspected lost or exposed)

15 Figure 12-2 Certificate Revocation List (CRL)

16 Managing Digital Certificates (cont’d.)
- Certificate Repository
  - Publicly accessible centralized directory of digital certificates
  - Used to view certificate status
  - Can be managed locally as a storage area connected to the CA server
  - Can be made available through a Web browser interface

17 Figure 12-3 Certificate Repository (CR)

18 Managing Digital Certificates (cont’d.)
- Web browser management
  - Modern Web browsers are preconfigured with a default list of CAs
- Advantages
  - Users can take advantage of digital certificates without needing to manually load information
  - Users do not need to install a CRL manually
    - Automatic updates feature will install them automatically if the feature is enabled

19 Figure 12-4 Web browser default CAs

20 Types of Digital Certificates
- Different categories of digital certificates
  - Class 1 through Class 5
  - Dual-key
  - Dual-sided
- Other uses for digital certificates
  - Provide secure communication between clients and servers by encrypting channels
  - Encrypt messages for secure Internet communication

21 Types of Digital Certificates (cont’d.)
- Other uses for digital certificates (cont’d.)
  - Verify the identity of clients and servers on the Web
  - Verify the source and integrity of signed executable code
- Common categories of digital certificates
  - Personal digital certificates
  - Server digital certificates
  - Software publisher digital certificates

22 Types of Digital Certificates (cont’d.)
- Class 1: personal digital certificates
  - Issued by an RA directly to individuals
  - Frequently used to secure transmissions
  - Typically only require the user’s name and address to receive
- Class 2: server digital certificates
  - Issued from a Web server to a client
  - Ensure authenticity of the Web server
  - Ensure authenticity of the cryptographic connection to the Web server

23 Figure 12-5 Server digital certificate

24 Types of Digital Certificates (cont’d.)
- Class 2: server digital certificates (cont’d.)
  - Server authentication and secure communication can be combined into one certificate
  - Displays a padlock icon in the Web browser
    - Click the padlock icon to display information about the digital certificate
  - Extended Validation SSL Certificate (EV SSL)
    - Requires more extensive verification of the legitimacy of the business

25 Figure 12-6 Padlock icon and certificate information

26 Types of Digital Certificates (cont’d.)
- Class 3: software publisher digital certificates
  - Provided by software publishers
  - Purpose: verify programs are secure and have not been tampered with
- Dual-key digital certificates
  - Reduce the need for storing multiple copies of the signing certificate
  - Facilitate certificate handling in organizations
    - Copies kept in a central storage repository

27 Types of Digital Certificates (cont’d.)
- Dual-sided certificates
  - Provide the ability for the client to authenticate back to the server
  - Both sides of the session validate themselves
- X.509 digital certificates
  - The most widely accepted standard format for digital certificates

28 Table 12-1 X.509 structure

29 Public Key Infrastructure (PKI)
- Important management tool for the use of:
  - Digital certificates
  - Asymmetric cryptography
- Aspects of PKI
  - Public-key cryptography standards
  - Trust models
  - Key management

30 What is Public Key Infrastructure?
- Need for a consistent means to manage digital certificates
- PKI: framework for all entities involved in digital certificates
- Certificate management actions facilitated by PKI
  - Create
  - Store
  - Distribute
  - Revoke

31 Public-Key Cryptographic Standards (PKCS)
- Numbered set of PKI standards defined by the RSA Corporation
- Widely accepted in industry
- Based on the RSA public-key algorithm

32 Table 12-2 PKCS standards (continues)

33 Table 12-2 PKCS standards (cont’d.)

34 Figure 12-7 Microsoft Windows PKCS support

35 Trust Models
- Trust
  - Confidence in or reliance on another person or entity
- Trust model
  - Refers to the type of trusting relationship that can exist between individuals and entities
- Direct trust
  - One person knows the other person
- Third-party trust
  - Two individuals trust each other because each trusts a third party

36 Trust Models (cont’d.)
- Hierarchical trust model
  - Assigns a single hierarchy with one master CA called the root
  - Root signs all digital certificate authorities with a single key
  - Can be used in an organization where one CA is responsible for only that organization’s digital certificates
- Hierarchical trust model has several limitations
  - Single CA private key may be compromised, rendering all certificates worthless
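The hierarchical model on this slide, together with the CA duties, certificate fields and CRL described on the earlier slides, worked through in Go with the standard-library crypto/x509 package. This is an added example, not code from the textbook or its publisher; the CA name, host name, serial numbers, validity periods and Ed25519 keys are all constructed for it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// BuildPKI: a self-signed root CA issues a one-year server certificate for host (errors ignored only because every input is fixed here).
func BuildPKI(now time.Time, host string) (root, leaf *x509.Certificate, caKey ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // subscriber makes its own pair and sends only the public key
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		IsCA: true, BasicConstraintsValid: true, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // the root may sign certificates and CRLs
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, caPub, caKey) // self-signed root
	root, _ = x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now,
		NotAfter: now.AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, caKey) // issuer signs with its private key
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf, caKey
}

// RevokeCRL publishes a CA-signed CRL listing one revoked serial number, e.g. after a private key is exposed.
func RevokeCRL(root *x509.Certificate, caKey ed25519.PrivateKey, now time.Time, serial *big.Int) *x509.RevocationList {
	der, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.AddDate(0, 0, 7), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}, root, caKey)
	crl, _ := x509.ParseRevocationList(der) // what a relying party downloads from the CA's repository
	return crl
}

// Validate does what a browser does: chain leaf to a trusted root, check host name and validity period, then consult the CRL (nil = none published).
func Validate(leaf, root *x509.Certificate, crl *x509.RevocationList, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	if err != nil || crl == nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // a CRL counts only if the issuing CA signed it
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is listed on the issuer's CRL")
		}
	}
	return nil
}
```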

37 Figure 12-8 Hierarchical trust model

38 Trust Models (cont’d.)
- Distributed trust model
  - Multiple CAs sign digital certificates
  - Eliminates limitations of the hierarchical trust model
- Bridge trust model
  - One CA acts as a facilitator to connect all other CAs
  - Facilitator CA does not issue digital certificates
  - Acts as a hub between the hierarchical and distributed trust models
  - Allows the different models to be linked

39 Figure 12-9 Distributed trust model

40 Figure 12-10 Bridge trust model

41 Trust Models (cont’d.)
- Bridge trust application examples
  - Federal and state governments
  - Pharmaceutical industry
  - Aerospace industry

42 Managing PKI
- Certificate Policy (CP)
  - Published set of rules that govern the operation of a PKI
  - Provides recommended baseline security requirements for the use and operation of the CA, RA, and other PKI components
- Certificate Practice Statement (CPS)
  - Describes in detail how the CA uses and manages certificates

43 Managing PKI (cont’d.)
- Certificate life cycle
  - Creation
    - Occurs after the user is positively identified
  - Suspension
    - May occur when an employee is on a leave of absence
  - Revocation
    - Certificate is no longer valid
  - Expiration
    - Key can no longer be used

44 Key Storage
- Means of public key storage
  - Embedding within digital certificates
- Means of private key storage
  - Stored on the user’s local system
  - Software-based storage may expose keys to attackers
  - Alternative: storing keys in hardware
    - Tokens
    - Smart cards

45 Key Usage
- Multiple pairs of dual keys
  - Created if more security is needed than a single set of public/private keys
  - One pair used to encrypt information
    - Public key backed up in another location
  - Second pair used only for digital signatures
    - Public key in that pair never backed up

46 Key-Handling Procedures
- Key escrow
  - Keys managed by a third party
  - Private key is split and each half is encrypted
  - Two halves sent to the third party, which stores each half in a separate location
  - User can retrieve and combine the two halves and use this new copy of the private key for decryption
- Expiration
  - Keys expire after a set period of time

47 Key-Handling Procedures (cont’d.)
- Renewal
  - Existing key can be renewed
- Revocation
  - Key may be revoked prior to its expiration date
  - Revoked keys may not be reinstated
- Recovery
  - Need to recover keys of an employee hospitalized for an extended period
  - Key recovery agent may be used
  - Group of people may be used (M-of-N control)

48 Figure 12-11 M-of-N control

49 Key-Handling Procedures (cont’d.)
- Suspension
  - Suspended for a set period of time and then reinstated
- Destruction
  - Removes all public and private keys and the user’s identification from the CA

50 Transport Encryption Algorithms
- Secure Sockets Layer (SSL)
  - Most common transport encryption algorithm
  - Developed by Netscape
  - Uses a public key to encrypt data transferred over the SSL connection
- Transport Layer Security (TLS)
  - Protocol that guarantees privacy and data integrity between applications communicating over the Internet
- Both provide server and client authentication, and data encryption

51 Secure Shell (SSH)
- Encrypted alternative to the Telnet protocol used to access remote computers
- Linux/UNIX-based command interface and protocol
- Suite of three utilities: slogin, ssh, and scp
- Client and server ends of the connection are authenticated using a digital certificate
- Passwords are encrypted
- Can be used as a tool for secure network backups

52 Table 12-3 SSH commands

53 Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
- Common use of SSL
  - Secure Web Hypertext Transport Protocol (HTTP) communications between browser and Web server
  - Users must enter URLs with the https:// prefix
- Secure Hypertext Transport Protocol (SHTTP)
  - Cryptographic transport protocol released as a public specification
  - Supports a variety of encryption types, including 3DES
  - Not as widely used as HTTPS

54 IP Security (IPsec)
- Open System Interconnection (OSI)
  - Security tools function at different layers
  - Operating at higher levels such as the Application layer
    - Advantage: tools designed to protect specific applications
    - Disadvantage: multiple security tools may be needed
- IPsec
  - Set of protocols developed to support secure exchange of packets
  - Operates at a low level in the OSI model

55 Figure 12-12 Security tools and the OSI model

56 IP Security (cont’d.)
- IPsec considered transparent to:
  - Applications
  - Users
  - Software
- Located in the operating system or communication hardware
- Provides authentication, confidentiality, and key management
- Supports two encryption modes: transport and tunnel

57 Figure 12-13 New IPsec packet using transport or tunnel mode

58 Summary
- Digital certificate provides third-party verification of the public key owner’s identity
- A Certificate Authority issues digital certificates for others
- Personal digital certificates are issued by an RA to individuals
- Server digital certificates ensure the authenticity of a Web server and its cryptographic connection

59 Summary (cont’d.)
- PKI is a framework for all entities involved in digital certificates
- Three basic PKI trust models exist
- Cryptography can protect data as it is being transported across a network
- SSL/TLS is a widely used algorithm
- IPsec supports a secure exchange of packets
  - Considered to be a transparent security protocol

