Ch12 Cryptographic Protocols and Public Key Infrastructure
-
Upload
information-technology -
Category
Education
-
view
6.427 -
download
1
description
Transcript of Ch12 Cryptographic Protocols and Public Key Infrastructure
![Page 1: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/1.jpg)
Security+ Guide to Network Security Fundamentals, Third
Edition
Chapter 12Applying Cryptography
![Page 2: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/2.jpg)
Objectives
• Define digital certificates
• List the various types of digital certificates and how they are used
• Describe the components of Public Key Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different cryptographic transport protocols
![Page 3: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/3.jpg)
Digital Certificates
![Page 4: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/4.jpg)
![Page 5: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/5.jpg)
Weakness of Digital Signatures
• Digital signatures require a reliable way to get public keys
• A forged public key could be used to forge a digital signature
![Page 6: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/6.jpg)
![Page 7: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/7.jpg)
Digital Certificates
• Digital certificate– Can be used to associate or “bind” a user’s identity to
a public key– The user’s public key that has itself been “digitally
signed” by a reputable source entrusted to sign it
• Digital certificates make it possible for Alice to verify Bob’s claim that the key belongs to him
• When Bob sends a message to Alice he does not ask her to retrieve his public key from a central site– Instead, Bob attaches the digital certificate to the
message
![Page 8: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/8.jpg)
Digital Certificates
• A digital certificate typically contains the following information:– Owner’s name or alias– Owner’s public key– Name of the issuer– Digital signature of the issuer– Serial number of the digital certificate– Expiration date of the public key
![Page 9: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/9.jpg)
Authorizing, Storing, and Revoking Digital Certificates
• Certificate Authority (CA)– An entity that issues digital certificates for others– A user provides information to a CA that verifies her
identity– The user generates public and private keys and sends
the public key to the CA– The CA inserts this public key into the certificate
• Registration Authority (RA)– Handles some CA tasks such as processing certificate
requests and authenticating users
![Page 10: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/10.jpg)
Authorizing, Storing, and Revoking Digital Certificates (continued)
• Certificate Revocation List (CRL)– Lists revoked certificates– Can be accessed to check the certificate status of
other users– Most CRLs can either be viewed or downloaded
directly into the user’s Web browser
• Certificate Repository (CR)– A publicly accessible directory that contains the
certificates and CRLs published by a CA– CRs are often available to all users through a Web
browser interface (link Ch 12c)
![Page 11: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/11.jpg)
![Page 12: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/12.jpg)
Certificate Repository
![Page 13: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/13.jpg)
Uses of Digital Certificates
• Bind a user's identity to a public key
• Encrypt channels to provide secure communication between clients and servers
• Encrypt messages for secure Internet e-mail communication
• Verify the identity of clients and servers on the Web
• Verify the source and integrity of signed executable code
![Page 14: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/14.jpg)
Types of Digital Certificates
• Personal digital certificates– Used to send email from one person to another– Free from Thawte (Link Ch 12a)
• Server digital certificates– Used by Web servers to make HTTPS connections – $250 / year from Thawte
• Software publisher digital certificates– $300 / year from Thawte
![Page 15: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/15.jpg)
![Page 16: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/16.jpg)
Extended Validation SSL
• Company must be audited and follow EV standards
• Company can't be "located in a country or be part of an industry identified on a government prohibited list"– $900 / year, see Link Ch 12b
![Page 17: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/17.jpg)
Types of Digital Certificates (continued)
• Single-sided certificate– Contains both the signature and the encryption
information
• Dual-sided certificates– Certificates in which the functionality is split between
two certificates• Signing certificate
• Encryption certificate
![Page 18: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/18.jpg)
Types of Digital Certificates (continued)
• Dual-sided certificate advantages:– Reduce the need for storing multiple copies of the
signing certificate– Facilitate certificate handling in organizations
• X.509 Digital Certificates– The most widely accepted format for digital certificates
![Page 19: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/19.jpg)
X.509 Structure
![Page 20: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/20.jpg)
![Page 21: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/21.jpg)
![Page 22: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/22.jpg)
Public Key Infrastructure (PKI)
![Page 23: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/23.jpg)
Managing Digital Certificates
For Alice and Bob to use asymmetric cryptography:
• Alice and Bob must generate public and private keys
• A Certificate Authority (CA) or Registration Authority (RA) must verify the identities of Alice and Bob
• The certificates must be placed in a Certificate Repository (CR)
• When they expire, they must be placed on a Certificate Revocation List (CRL)
All these things are done by Public key infrastructure (PKI)
![Page 24: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/24.jpg)
Public Key Infrastructure (PKI)
• Public key infrastructure involves– Public-key cryptography standards– Trust models– Key management
![Page 25: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/25.jpg)
Public Key Infrastructure (PKI)
• A framework for all of the entities involved in digital certificates to create, store, distribute, and revoke digital certificates– Includes hardware, software, people, policies and
procedures
• PKI is digital certificate management
![Page 26: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/26.jpg)
Public-Key Cryptographic Standards (PKCS)
• A numbered set of PKI standards that have been defined by the RSA Corporation
• These standards are based on the RSA public-key algorithm
![Page 27: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/27.jpg)
![Page 28: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/28.jpg)
![Page 29: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/29.jpg)
• In Windows 7 Beta:• Start• Internet Options• Content Tab• Certificates• Select a Cerrtificate• Export
![Page 30: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/30.jpg)
Trust Models
• Trust may be defined as confidence in or reliance on another person or entity
• Trust model – Refers to the type of trusting relationship that can exist
between individuals or entities
• Direct trust– A relationship exists between two individuals because
one person knows the other person
• Third party trust– Refers to a situation in which two individuals trust
each other because each trusts a third party
![Page 31: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/31.jpg)
Web of Trust
• Direct trust is not easily scaled to multiple users who each have digital certificates
• PGP uses a "Web of Trust" in which people trust "friends of friends"– Not very secure or scalable (comic from xkcd.org)
![Page 32: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/32.jpg)
Trust Models
• Three PKI trust models that use a CA– Hierarchical trust model– Distributed trust model– Bridge trust model
![Page 33: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/33.jpg)
Hierarchical Trust Model
• One master "root" CA signs all digital certificates with a single key
• Single point of failure
![Page 34: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/34.jpg)
Distributed Trust Model
• Used on the Internet
![Page 35: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/35.jpg)
Trusted Root Certification Authorities
• In Windows 7 Beta:
• Start• Internet Options• Content Tab• Publishers
![Page 36: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/36.jpg)
Bridge Trust Model• Used to link
federal and state governments
• Links military and civilian ID cards
![Page 37: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/37.jpg)
Managing PKI
• Certificate policy (CP)– A published set of rules that govern the operation of a
PKI– Provides recommended baseline security
requirements for the use and operation of CA, RA, and other PKI components
• Certificate practice statement (CPS)– Describes in detail how the CA uses and manages
certificates– A more technical document than a CP
![Page 38: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/38.jpg)
Certificate Life Cycle
• Creation
• Suspension– Certificate cannot be used while suspended– When an employee goes on leave
• Revocation– Certificate goes on Certificate Revocation List (CRL)– When a private key is lost
• Expiration
![Page 39: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/39.jpg)
Key Management
![Page 40: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/40.jpg)
Key Storage
• Public keys can be stored by embedding them within digital certificates– While private keys can be stored on the user’s local
system
• The drawback to software-based storage is that it may leave keys open to attacks
• Storing keys in hardware is an alternative to software-based storage
• Private keys can be stored on smart cards or in tokens
![Page 41: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/41.jpg)
Key Handling Procedures
• Escrow– Private key is split in halves and stored by two
separate trusted parties– Some people want the government to have
everyone's keys in escrow so they can read all encrypted documents
• Expiration
• Renewal
![Page 42: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/42.jpg)
Key Handling Procedures
• Revocation
• Recovery– Key recovery agent (KRA)
• A highly trusted person authorized to recover others' keys
– M-of-N control• A certain number of people need to agree to recover a
key
• Suspension
• Destruction
![Page 43: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/43.jpg)
![Page 44: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/44.jpg)
Cryptographic Transport Protocols
![Page 45: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/45.jpg)
File Transfer Protocols
• File Transfer Protocol (FTP)– Part of the TCP/IP suite– Used to connect to an FTP server
• Vulnerabilities– Usernames, passwords, and files being transferred
are in cleartext– Files being transferred by FTP are vulnerable to man-
in-the-middle attacks
• One of the ways to reduce the risk of attack is to use encrypted Secure FTP (SFTP)
![Page 46: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/46.jpg)
File Transfer Protocols (continued)
• Secure Sockets Layer (SSL)– A protocol developed by Netscape for securely
transmitting documents over the Internet– Uses a public key to encrypt data that is transferred
over the SSL connection
• Transport Layer Security (TLS)– A protocol that guarantees privacy and data integrity
between applications communicating over the Internet– An extension of SSL
• Are often referred to as SSL/TLS or TLS/SSL
![Page 47: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/47.jpg)
File Transfer Protocols (continued)
• A second protocol that can be used with SFTP is Secure Shell (SSH)– Also called SFTP/SSH
• SSH– A UNIX-based command interface and protocol for
securely accessing a remote computer– Suite of three utilities: slogin, scp, and ssh– Both the client and server ends of the connection are
authenticated using a digital certificate• Passwords are protected by being encrypted
![Page 48: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/48.jpg)
SSH Commands
![Page 49: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/49.jpg)
Web Protocols
• Another use of SSL is to secure Web HTTP communications between a browser and a Web server
• Hypertext Transport Protocol over Secure Sockets Layer– “Plain” HTTP sent over SSL/TLS
• Secure Hypertext Transport Protocol– Allows clients and the server to negotiate independently
encryption, authentication, and digital signature methods, in any combination, in both directions
![Page 50: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/50.jpg)
VPN Protocols
• Point-to-Point Tunneling Protocol (PPTP)– Most widely deployed tunneling protocol
– Allows IP traffic to be encrypted and then encapsulated in an IP header to be sent across a public IP network such as the Internet
– Based on the Point-to-Point Protocol (PPP)
• Point-to-Point Protocol over Ethernet (PPPoE)– Another variation of PPP that is used by DSL or cable
modem connections
– No encryption• Link Ch 12f
![Page 51: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/51.jpg)
PPTP
![Page 52: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/52.jpg)
VPN Protocols (continued)
• Layer 2 Tunneling Protocol (L2TP)– Merges the features of PPTP with Cisco’s Layer 2
Forwarding Protocol (L2F)– L2TP is not limited to working with TCP/IP-based
networks, but supports a wide array of protocols– An industry-standard tunneling protocol that allows IP
traffic to be encrypted• And then transmitted over any medium that supports
point-to-point delivery
![Page 53: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/53.jpg)
VPN Protocols (continued)
• IP Security (IPsec)– A set of protocols developed to support the secure
exchange of packets
• Because it operates at a low level in the OSI model– IPsec is considered to be a transparent security
protocol for applications, users, and software
• IPsec provides three areas of protection:– Authentication, confidentiality, and key management
![Page 54: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/54.jpg)
![Page 55: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/55.jpg)
VPN Protocols (continued)
![Page 56: Ch12 Cryptographic Protocols and Public Key Infrastructure](https://reader033.fdocuments.us/reader033/viewer/2022061200/54786c525906b573318b481e/html5/thumbnails/56.jpg)
E-mail Transport Protocol
• S/MIME (Secure/Multipurpose Internet Mail Extensions)– One of the most common e-mail transport protocols– Uses digital certificates to protect the e-mail
messages
• S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them