Security+ Guide to Network Security Fundamentals, Fourth...
Transcript of Security+ Guide to Network Security Fundamentals, Fourth...
Objectives
• Define digital certificates
• List the various types of digital certificates and how
they are used
• Describe the components of Public Key
Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different transport encryption
algorithms
Security+ Guide to Network Security Fundamentals, Fourth Edition 2
Digital Certificates
• Common application of cryptography
• Aspects of using digital certificates
– Understanding their purpose
– Knowing how they are managed
– Determining which type of digital certificate is
appropriate for different situations
Defining Digital Certificates
• Digital signature
– Used to prove a document originated from a valid
sender
• Weakness of using digital signatures
– Imposter could post a public key under a sender’s
name
Figure 12-1 Imposter public key © Cengage Learning 2012
Defining Digital Certificates (cont’d.)
• Trusted third party
– Used to help solve the problem of verifying identity
– Verifies the owner and that the public key belongs to
that owner
– Helps prevent man-in-the-middle attack that
impersonates owner of public key
• Information contained in a digital certificate
– Owner’s name or alias
– Owner’s public key
– Issuer’s name
Defining Digital Certificates (cont’d.)
• Information contained in a digital certificate
(cont’d.)
– Issuer’s digital signature
– Digital certificate’s serial number
– Expiration date of the public key
Managing Digital Certificates
• Technologies used for managing digital certificates
– Certificate Authority (CA)
– Registration Authority (RA)
– Certificate Revocation List (CRL)
– Certificate Repository (CR)
– Web browser
• Certificate Authority
– Trusted third party
– Responsible for issuing digital certificates
– Can be internal or external to an organization
Managing Digital Certificates (cont’d.)
• Duties of a CA
– Generate, issue, and distribute public key certificates
– Distribute CA certificates
– Generate and publish certificate status information
– Provide a means for subscribers to request
revocation
– Revoke public-key certificates
– Maintain security, availability, and continuity of
certificate issuance signing functions
Managing Digital Certificates (cont’d.)
• Subscriber requesting a digital certificate
– Generates public and private keys
– Sends public key to CA
– CA may in some instances create the keys
– CA inserts public key into certificate
– Certificates are digitally signed with private key of
issuing CA
Managing Digital Certificates (cont’d.)
• Registration Authority
– Subordinate entity designed to handle specific CA
tasks
• Offloading registration functions creates improved
workflow for CA
• General duties of an RA
– Receive, authenticate, and process certificate
revocation requests
– Identify and authenticate subscribers
Managing Digital Certificates (cont’d.)
• General duties of an RA (cont’d.)
– Obtain a public key from the subscriber
– Verify that the subscriber possesses the asymmetric
private key corresponding to the public key
submitted for certification
• Primary function of an RA
– Verify identity of an individual
Managing Digital Certificates (cont’d.)
• Means for a digital certificate requestor to identify
themselves to an RA
• Insufficient for activities that must be very secure
– Documents
• Birth certificate, employee badge
– In person
• Providing government-issued passport or driver’s
license
Managing Digital Certificates (cont’d.)
• Certificate Revocation List
– Lists digital certificates that have been revoked
• Reasons a certificate would be revoked
– Certificate is no longer used
– Details of the certificate have changed, such as
user’s address
– Private key has been lost or exposed (or suspected
lost or exposed)
Figure 12-2 Certificate Revocation List (CRL) © Cengage Learning 2012
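The issuance steps and the revocation check described on the preceding slides, as an added example that is not from the textbook: a CA signs a certificate carrying the fields listed earlier, and a relying party rejects an imposter's substituted key, a revoked serial number, and an expired certificate. It is a simplified model rather than X.509; the textbook-RSA key, the names and all field values are constructed assumptions.

```python
import hashlib
from datetime import date

# Textbook RSA over two small Mersenne primes: a teaching model only, NOT secure.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_PUB = (P * Q, E)                        # constructed CA public key (n, e)
CA_PRIV = pow(E, -1, (P - 1) * (Q - 1))    # constructed CA private exponent d

def tbs(cert):
    """Bytes the issuer signs: every certificate field except the signature."""
    fields = ("owner", "public_key", "issuer", "serial", "expires")
    return "|".join(str(cert[f]) for f in fields).encode()

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_priv, ca_pub, owner, owner_pub, serial, expires):
    """CA inserts the subscriber's public key and signs with its private key."""
    cert = {"owner": owner, "public_key": owner_pub, "issuer": ca_name,
            "serial": serial, "expires": expires}
    n = ca_pub[0]
    cert["signature"] = pow(digest(tbs(cert), n), ca_priv, n)
    return cert

def validate(cert, trusted_cas, crl, today):
    """Return 'ok' or the reason a relying party rejects the certificate."""
    ca_pub = trusted_cas.get(cert["issuer"])
    if ca_pub is None:
        return "untrusted issuer"
    n, e = ca_pub
    if pow(cert["signature"], e, n) != digest(tbs(cert), n):
        return "bad signature"
    if today > cert["expires"]:
        return "expired"
    if cert["serial"] in crl:              # CRL modelled as a set of serials
        return "revoked"
    return "ok"

def demo():
    trusted, today = {"Example CA": CA_PUB}, date(2025, 1, 1)
    alice = issue("Example CA", CA_PRIV, CA_PUB, "alice",
                  "ALICE-PUBLIC-KEY", 1001, date(2030, 1, 1))
    # An imposter swaps in a different key but cannot redo the CA signature.
    forged = dict(alice, public_key="IMPOSTER-PUBLIC-KEY")
    return {
        "genuine": validate(alice, trusted, set(), today),
        "imposter key": validate(forged, trusted, set(), today),
        "after revocation": validate(alice, trusted, {1001}, today),
        "after expiry": validate(alice, trusted, set(), date(2031, 1, 1)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```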
Managing Digital Certificates (cont’d.)
• Certificate Repository
– Publicly accessible centralized directory of digital
certificates
– Used to view certificate status
– Can be managed locally as a storage area
connected to the CA server
– Can be made available through a Web browser
interface
Figure 12-3 Certificate Repository (CR) © Cengage Learning 2012
Managing Digital Certificates (cont’d.)
• Web browser management
– Modern Web browsers preconfigured with default list
of CAs
• Advantages
– Users can take advantage of digital certificates
without need to manually load information
– Users do not need to install a CRL manually
• Automatic updates feature will install them
automatically if feature is enabled
Figure 12-4 Web browser default CAs © Cengage Learning 2012
Types of Digital Certificates
• Different categories of digital certificates
– Class 1 through Class 5
– Dual-key
– Dual-sided
• Other uses for digital certificates
– Provide secure communication between clients and
servers by encrypting channels
– Encrypt messages for secure Internet e-mail
communication
Types of Digital Certificates (cont’d.)
• Other uses for digital certificates (cont’d.)
– Verify the identity of clients and servers on the Web
– Verify the source and integrity of signed executable
code
• Common categories of digital certificates
– Personal digital certificates
– Server digital certificates
– Software publisher digital certificates
Types of Digital Certificates (cont’d.)
• Class 1: personal digital certificates
– Issued by an RA directly to individuals
– Frequently used to secure e-mail transmissions
– Typically only require user’s name and e-mail
address to receive
• Class 2: server digital certificates
– Issued from a Web server to a client
– Ensure authenticity of the Web server
– Ensure authenticity of the cryptographic connection
to the Web server
Figure 12-5 Server digital certificate © Cengage Learning 2012
Types of Digital Certificates (cont’d.)
• Class 2: server digital certificates (cont’d.)
– Server authentication and secure communication
can be combined into one certificate
• Displays padlock icon in the Web browser
• Click padlock icon to display information about the
digital certificate
• Extended Validation SSL Certificate (EV SSL)
– Requires more extensive verification of legitimacy of
the business
Figure 12-6 Padlock icon and certificate information © Cengage Learning 2012
Types of Digital Certificates (cont’d.)
• Class 3: software publisher digital certificates
– Provided by software publishers
– Purpose: verify programs are secure and have not
been tampered with
• Dual-key digital certificates
– Reduce need for storing multiple copies of the
signing certificate
– Facilitate certificate handling in organizations
• Copies kept in central storage repository
Types of Digital Certificates (cont’d.)
• Dual-sided certificates
– Provides ability for client to authenticate back to the
server
– Both sides of the session validate themselves
• X.509 digital certificates
– Standard for most widely accepted format for digital
certificates
Public Key Infrastructure (PKI)
• Important management tool for the use of:
– Digital certificates
– Asymmetric cryptography
• Aspects of PKI
– Public-key cryptography standards
– Trust models
– Key management
What is Public Key Infrastructure?
• Need for consistent means to manage digital
certificates
• PKI: framework for all entities involved in digital
certificates
• Certificate management actions facilitated by PKI
– Create
– Store
– Distribute
– Revoke
Public-Key Cryptographic Standards (PKCS)
• Numbered set of PKI standards defined by the
RSA Corporation
– Widely accepted in industry
– Based on the RSA public-key algorithm
Table 12-2 PKCS standards (continues)
Table 12-2 PKCS standards (cont’d.)
Figure 12-7 Microsoft Windows PKCS support © Cengage Learning 2012
Trust Models
• Trust
– Confidence in or reliance on another person or entity
• Trust model
– Refers to type of trusting relationship that can exist
between individuals and entities
• Direct trust
– One person knows the other person
• Third-party trust
– Two individuals trust each other because each trusts
a third party
Trust Models (cont’d.)
• Hierarchical trust model
– Assigns single hierarchy with one master CA called
the root
– Root signs all digital certificate authorities with a
single key
– Can be used in an organization where one CA is
responsible for only that organization’s digital
certificates
• Hierarchical trust model has several limitations
– Single CA private key may be compromised
rendering all certificates worthless
Figure 12-8 Hierarchical trust model © Cengage Learning 2012
Trust Models (cont’d.)
• Distributed trust model
– Multiple CAs sign digital certificates
– Eliminates limitations of hierarchical trust model
• Bridge trust model
– One CA acts as facilitator to connect all other CAs
• Facilitator CA does not issue digital certificates
– Acts as hub between hierarchical and distributed
trust model
– Allows the different models to be linked
Figure 12-9 Distributed trust model © Cengage Learning 2012
Figure 12-10 Bridge trust model © Cengage Learning 2012
Trust Models (cont’d.)
• Bridge trust application examples
– Federal and state governments
– Pharmaceutical industry
– Aerospace industry
Managing PKI
• Certificate Policy (CP)
– Published set of rules that govern operation of a PKI
– Provides recommended baseline security
requirements for use and operation of CA, RA, and
other PKI components
• Certificate Practice Statement (CPS)
– Describes in detail how the CA uses and manages
certificates
Managing PKI (cont’d.)
• Certificate life cycle
– Creation
• Occurs after user is positively identified
– Suspension
• May occur when employee on leave of absence
– Revocation
• Certificate no longer valid
– Expiration
• Key can no longer be used
Key Storage
• Means of public key storage
– Embedding within digital certificates
• Means of private key storage
– Stored on user’s local system
• Software-based storage may expose keys to
attackers
• Alternative: storing keys in hardware
– Tokens
– Smart-cards
Key Usage
• Multiple pairs of dual keys
– Created if more security needed than single set of
public/private keys
– One pair used to encrypt information
• Public key backed up in another location
– Second pair used only for digital signatures
• Public key in that pair never backed up
Key-Handling Procedures
• Key escrow
– Keys managed by a third party
– Private key is split and each half is encrypted
– Two halves sent to third party, which stores each
half in separate location
– User can retrieve and combine two halves and use
this new copy of private key for decryption
• Expiration
– Keys expire after a set period of time
Key-Handling Procedures (cont’d.)
• Renewal
– Existing key can be renewed
• Revocation
– Key may be revoked prior to its expiration date
– Revoked keys may not be reinstated
• Recovery
– Need to recover keys of an employee hospitalized
for extended period
– Key recovery agent may be used
– Group of people may be used (M-of-N control)
Figure 12-11 M-of-N control © Cengage Learning 2012
Key-Handling Procedures (cont’d.)
• Suspension
– Suspended for a set period of time and then
reinstated
• Destruction
– Removes all public and private keys and user’s
identification from the CA
Transport Encryption Algorithms
• Secure Sockets Layer (SSL)
– Most common transport encryption algorithm
– Developed by Netscape
– Uses a public key to encrypt data transferred over
the SSL connection
• Transport Layer Security (TLS)
– Protocol that guarantees privacy and data integrity
between applications communicating over the
Internet
• Both provide server and client authentication, and
data encryption
Secure Shell (SSH)
• Encrypted alternative to Telnet protocol used to
access remote computers
• Linux/UNIX-based command interface and protocol
• Suite of three utilities: slogin, ssh, and scp
• Client and server ends of connection are
authenticated using a digital certificate
• Passwords are encrypted
• Can be used as a tool for secure network backups
Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
• Common use of SSL
– Secure Web Hypertext Transport Protocol (HTTP)
communications between browser and Web server
– Users must enter URLs with https://
• Secure Hypertext Transport Protocol (SHTTP)
– Cryptographic transport protocol released as a
public specification
– Supports a variety of encryption types, including
3DES
– Not as widely used as HTTPS
IP Security (IPsec)
• Open System Interconnection (OSI) model
– Security tools function at different layers
• Operating at higher levels such as Application layer
– Advantage: tools designed to protect specific
applications
– Disadvantage: multiple security tools may be needed
• IPsec
– Set of protocols developed to support secure
exchange of packets
– Operates at a low level in the OSI model
Figure 12-12 Security tools and the OSI model © Cengage Learning 2012
IP Security (cont’d.)
• IPsec considered transparent to:
– Applications
– Users
– Software
• Located in the operating system or communication
hardware
• Provides authentication, confidentiality, and key
management
• Supports two encryption modes: transport and
tunnel
Figure 12-13 New IPsec packet using transport or tunnel mode © Cengage Learning 2012
Summary
• Digital certificate provides third party verification of
public key owner’s identity
• A Certificate Authority issues digital certificates for
others
• Personal digital certificates are issued by an RA to
individuals
• Server digital certificates ensure authenticity of a
Web server and its cryptographic connection
Summary (cont’d.)
• PKI is a framework for all entities involved in digital
certificates
• Three basic PKI trust models exist
• Cryptography can protect data as it is being
transported across a network
– SSL/TLS is a widely used algorithm
• IPsec supports a secure exchange of packets
– Considered to be a transparent security protocol