The Italian White Certificates System: Measurement and Verification Protocols Marcella Pavan
NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key...
-
Upload
archibald-fowler -
Category
Documents
-
view
224 -
download
0
Transcript of NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key...
![Page 1: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/1.jpg)
NETWORK SECURITY
06 APPLYING CRYPTOGRAPHY
![Page 2: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/2.jpg)
Contents
6.1 Digital Certificates
6.2 Pubic Key Infrastructure
6.3 Key Management
6.4 Cryptographic Transport Protocols
06 APPLYING CRYPTOGRAPHY 2
![Page 3: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/3.jpg)
6.1 Digital Certificates• Alice receives a package containing an
encrypted document from Bob. It is secure as it was encrypted.
• Yet how can she know that it came from Bob? Because Alice’s asymmetric public key is widely available, anyone could use it to encrypt the document.
• The answer is to use a digital signature.
06 APPLYING CRYPTOGRAPHY 3
![Page 4: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/4.jpg)
6.1 Digital Certificates
06 APPLYING CRYTOGRAPHY 4
![Page 5: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/5.jpg)
6.1 Digital Certificates
06 APPLYING CRYTOGRAPHY 5
![Page 6: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/6.jpg)
6.1 Digital Certificates
6.1.1 Defining Digital Certificates
– Digital certificates can be used to associate or “bind” a user’s identity to a public key.
– A digital certificate is the user’s public key that has itself been “digitally signed” by a reputable source entrusted to sign it.
06 APPLYING CRYPTOGRAPHY 6
![Page 7: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/7.jpg)
6.1 Digital Certificates– Digital certificates prevent a man-in-the-
middle attack that impersonates the owner of the public key.
– Digital certificates can also be used to identify objects other than users, such as servers and applications.
06 APPLYING CRYPTOGRAPHY 7
![Page 8: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/8.jpg)
6.1 Digital Certificates– A digital certificate typically contains the
following information:• Owner’s name or alias• Owner’s public key• Name of the issuer• Digital signature of the issuer• Serial number of the digital certificate• Expiration date of the public key
06 APPLYING CRYPTOGRAPHY 8
![Page 9: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/9.jpg)
6.1 Digital Certificates
6.1.2 Authorizing, Storing and Revoking
•Several entities and technologies are used for authorizing, storing, and revoking digital certificates.
•These include the Certificate Authority (CA) and Registration Authority (RA), a Certificate Repository (CR), and a Certificate Revocation List (CRL).
06 APPLYING CRYPTOGRAPHY 9
![Page 10: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/10.jpg)
6.1 Digital Certificates
Authority (CA) & Registration (RA)
•Instead of a user verifying his own identity, a third-party person or agency is used.
•An entity that issues digital certificates for others is known as a Certificate Authority (CA).
06 APPLYING CRYPTOGRAPHY 10
![Page 11: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/11.jpg)
6.1 Digital Certificates
• A user provides information to a CA that verifies her identity.
• Also, the user generates public and private keys and sends the public key to the CA (or in some instances the CA may create the keys).
• The CA inserts this public key into the certificate.
06 APPLYING CRYPTOGRAPHY 11
![Page 12: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/12.jpg)
6.1 Digital Certificates
• A CA can be external to the organization, or it can be a CA internal to the organization.
• Some organizations set up a subordinate entity, called a Registration Authority (RA), to handle some CA tasks such as processing certificate requests and authenticating users.
06 APPLYING CRYPTOGRAPHY 12
![Page 13: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/13.jpg)
6.1 Digital Certificates
Certificate Revocation List (CRL)•Digital certificates normally have an expiration date.•Expired digital certificates should then be revoked.•Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users.
06 APPLYING CRYPTOGRAPHY 13
![Page 14: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/14.jpg)
6.1 Digital Certificates
Certificate Repository (CR)
•It is important that the CA publishes the certificates and CRLs to a directory.
•This directory can be managed locally or in a publicly accessible directory, which is called a Certificate Repository (CR).
06 APPLYING CRYPTOGRAPHY 14
![Page 15: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/15.jpg)
6.1 Digital Certificates
6.1.3 Types of Digital Certificates
•There are different types of digital certificates.
•In addition, some digital certificates are single-side while others can be dual-sided.
•Also, standards exist for digital certificates.
06 APPLYING CRYPTOGRAPHY 15
![Page 16: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/16.jpg)
6.1 Digital Certificates
• In addition to being used to verify the sender’s identity, digital certificates can also be used to:– Encrypt channels to provide secure
communication between clients and servers– Encrypt messages for secure Internet e-mail
communication– Verify the identity of clients and servers on the
Web
06 APPLYING CRYPTOGRAPHY 16
![Page 17: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/17.jpg)
6.1 Digital Certificates– Verify the source and integrity of signed
executable code
• There are three basic categories of digital certificates: – personal digital certificates, – Server digital certificates, and – software publisher digital certificates.
06 APPLYING CRYPTOGRAPHY 17
![Page 18: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/18.jpg)
6.1 Digital Certificates
Personal Digital Certificates
•Personal digital certificates are issued by a CA or RA directly to individuals.
•Personal digital certificates are typically used to secure e-mail transmissions.
•Digital certificates can also be used to authenticate the authors of documents.
06 APPLYING CRYPTOGRAPHY 18
![Page 19: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/19.jpg)
6.1 Digital Certificates
Server Digital Certificates
•Server digital certificates are often issued from a Web server to a client.
•Typically perform two functions. – First, they can ensure the authenticity of the
Web server.– Second, server certificates can ensure the
authenticity of the cryptographic connection to the Web server.
06 APPLYING CRYPTOGRAPHY 19
![Page 20: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/20.jpg)
6.1 Digital Certificates
06 APPLYING CRYPTOGRAPHY 20
![Page 21: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/21.jpg)
6.1 Digital Certificates
• Most server digital certificates combine both server authentication and secure communication between clients and servers on the Web.
06 APPLYING CRYPTOGRAPHY 21
![Page 22: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/22.jpg)
6.1 Digital Certificates
• Software Publisher Digital Certificates
• Software publisher digital certificates are provided by software publishers.
• The purpose of these certificates is to verify that their programs are secure and have not been tampered with.
06 APPLYING CRYPTOGRAPHY 22
![Page 23: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/23.jpg)
6.1 Digital Certificates
Single Side and Dual Side
•Digital certificates can be either single-sided or dual-sided.
•When Bob sends one digital certificate to Alice along with his message, that is known as a single-sided certificate.
06 APPLYING CRYPTOGRAPHY 23
![Page 24: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/24.jpg)
6.1 Digital Certificates
• Dual-sided certificates are certificates in which the functionality is split between two certificates.– The signing certificate is used to sign a
message to prove that that sender is authentic.
– The encryption certificate is used for the actual encryption of the message.
06 APPLYING CRYPTOGRAPHY 24
![Page 25: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/25.jpg)
6.1 Digital Certificates
• Dual-sided certificates have two advantages.– First, dual-sided certificates reduce the need
for storing multiple copies of the signing certificate.
– Second, dual-sided certificates facilitate certificate handling in organizations.
06 APPLYING CRYPTOGRAPHY 25
![Page 26: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/26.jpg)
6.1 Digital Certificates
X.509 Digital Certificates
•The most widely accepted format for digital certificates is defined by the International Telecommunication Union (ITU) X.509 international standard.
•X.509 V1 first appeared in 1988. X.509 V2 supported new issuer and subject identifier fields that were absent from Version 1.
06 APPLYING CRYPTOGRAPHY 26
![Page 27: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/27.jpg)
6.1 Digital Certificates
• The current version, X.509 V3, was defined in 1996, and introduced the extension field.
06 APPLYING CRYPTOGRAPHY 27
![Page 28: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/28.jpg)
6.1 Digital Certificates
06 APPLYING CRYPTOGRAPHY 28
![Page 29: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/29.jpg)
6.2 Public Key Infrastructure
• One of the important management tools for the use of digital certificates and asymmetric cryptography is public key infrastructure.
• Public key infrastructure involves public-key cryptography standards, trust models, and key management.
06 APPLYING CRYPTOGRAPHY 29
![Page 30: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/30.jpg)
6.2 Public Key Infrastructure
6.2.1 What is Public Key Infrastructure
•In an organization where multiple users have multiple digital certificates, it quickly can become overwhelming to manage all of these entities.
•In short, there needs to be a consistent means to manage digital certificates.
•Public key infrastructure (PKI) is just that.
06 APPLYING CRYPTOGRAPHY 30
![Page 31: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/31.jpg)
6.2 Public Key Infrastructure
• It is a framework for all of the entities involved in digital certificates—including hardware, software, people, policies and procedures—to create, store, distribute, and revoke digital certificates.
• In short, PKI is digital certificate management.
06 APPLYING CRYPTOGRAPHY 31
![Page 32: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/32.jpg)
6.2 Public Key Infrastructure
• PKI is often erroneously applied to a broader range of cryptography topics beyond managing digital certificates.
• It is sometimes defined as that which supports “other public key-enabled security services” or “certifying users of a security application.”
06 APPLYING CRYPTOGRAPHY 32
![Page 33: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/33.jpg)
6.2 Public Key Infrastructure
6.2.2 Public-Key Cryptographic Standards (PKCS)
•Public-key cryptography standards (PKCS) is a numbered set of PKI standards that have been defined by the RSA Corporation.
•These standards are based on the RSA public-key algorithm.
06 APPLYING CRYPTOGRAPHY 33
![Page 34: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/34.jpg)
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY 34
![Page 35: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/35.jpg)
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY 35
![Page 36: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/36.jpg)
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY 36
![Page 37: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/37.jpg)
6.2 Public Key Infrastructure
• Applications and products that are developed by vendors may choose to support the PKCS standards.
• For example, Microsoft Windows Vista provides native support for exporting digital certificates based on PKCS #7 and #12.
06 APPLYING CRYPTOGRAPHY 37
![Page 38: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/38.jpg)
6.2 Public Key Infrastructure
6.2.3 Trust Model
•Trust may be defined as confidence in or reliance on another person or entity.
•A trust model refers to the type of trusting relationship that can exist between individuals or entities.
06 APPLYING CRYPTOGRAPHY 38
![Page 39: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/39.jpg)
6.2 Public Key Infrastructure
• In one type of trust model, direct trust, a relationship exists between two individuals because one person knows the other person.
• Direct trust is not feasible when dealing with multiple users who each have digital certificates.
06 APPLYING CRYPTOGRAPHY 39
![Page 40: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/40.jpg)
6.2 Public Key Infrastructure
• A third party trust refers to a situation in which two individuals trust each other because each trusts a third party.
• This is the role that a CA plays: for example, it verifies Mary, Amanda, and Javier to Alice.
06 APPLYING CRYPTOGRAPHY 40
![Page 41: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/41.jpg)
6.2 Public Key Infrastructure
• There are essentially three PKI trust models that use a CA. These are – the hierarchical trust model, – the distributed trust model, and – the bridge trust model.
06 APPLYING CRYPTOGRAPHY 41
![Page 42: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/42.jpg)
6.2 Public Key Infrastructure
Hierarchical Trust Model•The hierarchical trust model assigns a single hierarchy with one master CA called the root. •This root signs all digital certificate authorities with a single key.•A hierarchical trust model can be used in an organization where one CA or RA is responsible.
06 APPLYING CRYPTOGRAPHY 42
![Page 43: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/43.jpg)
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY 43
![Page 44: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/44.jpg)
6.2 Public Key Infrastructure
Distributed Trust Model
•Instead of having a single CA as in the hierarchical trust model, the distributed trust model has multiple CAs that sign digital certificates.
•The distributed trust model is the basis for digital certificates issued by Internet users.
06 APPLYING CRYPTOGRAPHY 44
![Page 45: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/45.jpg)
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY 45
![Page 46: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/46.jpg)
6.2 Public Key Infrastructure
Bridge Trust Model
•The bridge trust model is similar to the distributed trust model in that there is no single CA that signs digital certificates.
•However, with the bridge trust model there is one CA that acts as a “facilitator” to interconnect all other CAs.
06 APPLYING CRYPTOGRAPHY 46
![Page 47: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/47.jpg)
6.2 Public Key Infrastructure
06 APPLYING CRYPTOGRAPHY 47
![Page 48: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/48.jpg)
6.3 Key Management
• Keys form the very foundation of PKI systems– it is important to be carefully managed.
• A quick look at Certificate Life Cycle of PKI:– Creation: the certificate is created and issued to
the user.
– Suspension: if the certificate’s validity must be temporarily suspended.
– Revocation: the certificate is no longer valid.
– Expiration: the certificate can no longer be used.
06 APPLYING CRYPTOGRAPHY 48
![Page 49: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/49.jpg)
6.3 Key Management• Key Storage
– The means of storing keys in a PKI system is important.
– Public keys can be stored by embedding them within digital certificates.
– Private keys can be stored on the user’s local system.
– Drawback to software-based storage: may leave keys open to attacks:
• vulnerabilities in the client OS may expose keys to attackers.
06 APPLYING CRYPTOGRAPHY 49
![Page 50: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/50.jpg)
6.3 Key Management
06 APPLYING CRYPTOGRAPHY 50
• Key Usage– If more security is needed than a single set of
public and private keys, multiple pairs of dual keys can be created.
– One pair of keys may be used to encrypt information and the public key could be backed up to another location.
– Second pair would be used only for digital sig- natures and the public key in that pair would never be backed up.
– In the event that the public encryption key was stolen, the attacker would still not be able to digitally sign the document.
![Page 51: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/51.jpg)
6.3 Key Management• Key Handling• Procedures in key handling:
– Escrow – refers to a situation in which keys are managed by a third party, such as a trusted CA.
– Expiration – Keys have expiration dates. • Some systems set keys to expire after a set period of time by
default.– Renewal – an existing key can be renewed, no need
to generate new keys.– Revocation – all keys should expire after a set period
of time, a key may need to be revoked prior to its expiration date.
• revoked keys cannot be reinstated.
06 APPLYING CRYPTOGRAPHY 51
![Page 52: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/52.jpg)
6.3 Key Management• Key Handling• Procedures in key handling (cont’d):
– Recovery – What happens if an employee is hospitalized for an extended period, yet the organization needs to transact business using her keys?
• Different techniques may be used.– Suspension – the revocation of a key is permanent; key
suspension is for a set period of time.• A suspended key can be later reinstated.
– Destruction – key destruction removes all private and public keys along with the user’s identification information in the CA.
• When a key is revoked or expires, the user’s information remains on the CA for audit purposes.
06 APPLYING CRYPTOGRAPHY 52
![Page 53: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/53.jpg)
6.4 Cryptographic Transport Protocols• File Transfer Protocol
– does not use encryption– usernames, passwords, and files are
transferred are in clear-text.– very vulnerable to MITM attacks– one way to secure it is using SFTP
06 APPLYING CRYPTOGRAPHY 53
![Page 54: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/54.jpg)
6.4 Cryptographic Transport Protocols• Secure Socket Layer (SSL)/Transport
Layer Security (TLS)– SSL uses a public key to encrypt data that is
transferred over the SSL connection.– TLS a protocol that guarantees privacy and data
integrity – TLS is an extension of SSL– Often referred as SSL/TLS
• SSL/TLS– TLS Handshake Protocol authentication– TLS Record Protocol encryption
06 APPLYING CRYPTOGRAPHY 54
![Page 55: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/55.jpg)
6.4 Cryptographic Transport Protocols• Secure Shell (SSH)
– a UNIX-based command interface and protocol for securely accessing a remote computer.
06 APPLYING CRYPTOGRAPHY 55
![Page 56: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/56.jpg)
6.4 Cryptographic Transport Protocols• Web Protocols
– originally insecure, port 80– to secure it:
• HTTP over SSL/TLS HTTPS, port 443• SHTTP not widely used
06 APPLYING CRYPTOGRAPHY 56
![Page 57: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/57.jpg)
6.4 Cryptographic Transport Protocols• VPN Protocols (Tunneling)
– securing the communication channel– there are many tunneling protocols:
• PPTP• L2TP• L3TP• IPSec• etc (combination L2TP/IPSec, L3TP/IPSec).
06 APPLYING CRYPTOGRAPHY 57
![Page 58: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/58.jpg)
6.4 Cryptographic Transport Protocols• PPTP
– most widely used (a part of Windows OS)– IP traffic in encrypted and then sent over
public network
06 APPLYING CRYPTOGRAPHY 58
![Page 59: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/59.jpg)
6.4 Cryptographic Transport Protocols• IPSec
– a set of protocols to securely exchange packets
• Applications – no need to modify to run under IPsec.
• Users – do not need to be trained on specific security procedures.
• Software – no changes needed at local client, as IPsec is implemented in a device
06 APPLYING CRYPTOGRAPHY 59
![Page 60: NETWORK SECURITY 06APPLYING CRYPTOGRAPHY. Contents 6.1Digital Certificates 6.2Pubic Key Infrastructure 6.3Key Management 6.4Cryptographic Transport Protocols.](https://reader035.fdocuments.us/reader035/viewer/2022062221/56649ec75503460f94bd3a15/html5/thumbnails/60.jpg)
6.4 Cryptographic Transport Protocols• E-mail Transport Protocol
– S/MIME uses digital certificates to protect the e-mail messages.
– S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them.
06 APPLYING CRYPTOGRAPHY 60