Security+ Guide to Network Security Fundamentals, 2e

Chapter 9
Using and Managing Keys

At a Glance

Instructor’s Notes

- Chapter Overview
- Chapter Objectives
- Technical Notes
- Lecture Notes
- Quick Quizzes
- Discussion Questions
- Additional Activities

Instructor’s Notes

Chapter Overview

In this chapter, students will explore the world of public key infrastructure and learn how key management can play a crucial role in this important cryptographic technology.

Chapter Objectives

After reading this chapter, students will be able to:

- Explain cryptography strengths and vulnerabilities
- Define public key infrastructure (PKI)
- Manage digital certificates
- Explore key management

Technical Notes

HANDS-ON PROJECTS   HARDWARE DEVICES REQUIRED   OPERATING SYSTEM REQUIRED   OTHER RESOURCES
Project 9-1         Computer PC                 Windows XP                  Internet connectivity
Project 9-2         Computer PC                 Windows XP                  Internet connectivity and Adobe Acrobat 6.0
Project 9-3         Computer PC                 Windows XP                  Internet connectivity and Adobe Acrobat 6.0

This chapter should not be completed in one class session. It is recommended that you split the chapter into at least two class sessions, if possible. The subject matter can be covered in a 3- to 5-hour period, plus any at-home exercises you wish to assign.

Lecture Notes

Understanding Cryptography Strengths and Vulnerabilities

Cryptography is the science of “scrambling” data so that it cannot be viewed by unauthorized users, thus making it secure while it is being transmitted or stored. When the recipient receives the encrypted text or another user wants to access the stored information, it must be decrypted with the cipher and the key to produce the original plaintext. Figure 9-1 on page 308 of the text reviews this process.

Symmetric Cryptography Strengths and Weaknesses

In symmetric encryption, identical keys are used to both encrypt and decrypt the message, as shown in Figure 9-2 on page 309 of the text. Several popular symmetric cipher algorithms are used, including Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), and Blowfish. The significant disadvantages of symmetric encryption relate to the difficulties of managing the private key.

Asymmetric Cryptography Strengths and Vulnerabilities

With asymmetric encryption, two keys are used instead of one. One of the keys, known as the private key, encrypts the message. The second key, called the public key, decrypts the message. Asymmetric encryption is illustrated in Figure 9-3 on page 311 of the text.

Asymmetric algorithms can greatly improve cryptography security, convenience, and flexibility. Public keys can be distributed freely. Furthermore, users cannot deny that they have sent a message if they have previously encrypted the message with their private keys. The primary disadvantage of public key cryptography is that it is computing-intensive.

Digital Signatures

As its name implies, asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver then uses the other key to decrypt the message. A digital signature helps to prove that the person sending the message with a public key is actually who they claim to be, that the message was not altered, and that it cannot be denied that the message was sent.

Digital Certificates

Digital certificates are digital documents that associate an individual with a specific public key. A certificate is a data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party.
Digital certificates are illustrated in Figure 9-6 on page 314 of the text.

Certification Authority (CA)

The owner of the public key listed in the digital certificate can be identified to the certification authority (CA) in different ways. In the simplest form, the owner may be only identified by their e-mail address. A digital certificate also normally includes additional information that describes the digital certificate and limits the scope of its use.

Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users. The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes. Another option is to provide the information in a publicly accessible directory, which is called a Certificate Repository (CR). Some organizations set up a subordinate server, called a Registration Authority (RA), to handle some CA tasks such as processing certificate requests and authenticating users.

Understanding Public Key Infrastructure (PKI)

Just as weaknesses with symmetric cryptography led to the development of asymmetric cryptography, the weaknesses associated with asymmetric cryptography led to the development of another type of encryption called public key infrastructure (PKI).

The Need for PKI

A CA is an important trusted party who can sign and issue certificates for users. Some of its tasks can also be performed by a subordinate function, the RA. Updated certificates and CRLs are kept in a CR for users to refer to, as shown in Figure 9-7 on page 316 of the text.

Description of PKI

Public Key Infrastructure (PKI) is a system that manages the keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs.
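
The certificate and CRL checks described above, as an added example that is not part of the original instructor's notes: a single constructed "Demo CA" signs certificates and a CRL, and a relying party verifies both before trusting a certificate. The key (unpadded textbook RSA built from fixed primes), the JSON encoding used in place of X.509, and the subjects and serial numbers are all assumptions made for illustration.

```python
import hashlib
import json

# Constructed demo CA key from two known Mersenne primes; real CAs use random
# primes and padded signatures. This is unpadded textbook RSA, for study only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                          # CA public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent

def digest(fields: dict) -> int:
    data = json.dumps(fields, sort_keys=True).encode()  # stand-in for X.509 DER
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(fields: dict) -> int:
    return pow(digest(fields), D, N)         # hash transformed with private key

def verify(fields: dict, sig: int) -> bool:
    return pow(sig, E, N) == digest(fields)  # recovered hash must match

def issue(subject: str, serial: int, public_key: str) -> dict:
    """Bind an identity to a public key under the CA's signature."""
    tbs = {"issuer": "Demo CA", "subject": subject,
           "serial": serial, "public_key": public_key}
    return {"tbs": tbs, "signature": sign(tbs)}

def publish_crl(revoked: list) -> dict:
    """The CRL is signed too, so relying parties can trust its contents."""
    body = {"issuer": "Demo CA", "revoked": sorted(revoked)}
    return {"body": body, "signature": sign(body)}

def check(cert: dict, crl: dict) -> str:
    """Relying-party check: signatures first, then revocation status."""
    if not verify(crl["body"], crl["signature"]):
        return "untrusted CRL"
    if not verify(cert["tbs"], cert["signature"]):
        return "invalid signature"
    if cert["tbs"]["serial"] in crl["body"]["revoked"]:
        return "revoked"
    return "trusted"

def demo() -> list:
    alice = issue("alice@example.com", 1001, "constructed-key-A")
    bob = issue("bob@example.com", 1002, "constructed-key-B")
    crl = publish_crl([1002])       # bob's certificate has been revoked
    swapped = {"tbs": dict(alice["tbs"], public_key="substituted-key"),
               "signature": alice["signature"]}   # altered after signing
    return [check(alice, crl), check(bob, crl), check(swapped, crl)]

if __name__ == "__main__":
    print(demo())
```

The third result shows why the CA signature matters: changing the public key inside a signed certificate changes its hash, so the original signature no longer verifies.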

Quick Reference: Discuss some of the things a PKI for a typical enterprise does, as listed on page 317 of the text.

PKIs typically consist of one or more CA servers and digital certificates that automate several tasks.

Quick Quiz

1. ___________ is the science of “scrambling” data so that it cannot be viewed by unauthorized users, thus making it secure while it is being transmitted or stored.
   ANSWER: Cryptography
2. Three ___________ algorithms are commonly used: Rivest Shamir Adleman (RSA), Diffie-Hellman, and Pretty Good Privacy (PGP).
   ANSWER: asymmetric
3. A(n) ___________ is an encrypted hash of a message that is transmitted along with the message.
   ANSWER: digital signature
4. ___________ function like passports in that they provide a means of identification.
   ANSWER: Digital certificates
5. ____________ combines the software, encryption technologies, and services that an organization needs to deploy asymmetric cryptography.
   ANSWER: Public Key Infrastructure (PKI)

PKI Standards and Protocols

A number of standards have been proposed for PKI.

Public Key Cryptography Standards (PKCS)

Public Key Cryptography Standards (PKCS) is a numbered set of standards that have been defined by the RSA Corporation since 1991. Currently, PKCS is composed of the 15 standards detailed in Table 9-1 on pages 318 and 319 of the text.

X.509 Digital Certificates

X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate and is the most widely used certificate format for PKI. X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME). Table 9-2 on page 320 of the text shows the structure of an X.509 certificate.

Trust Models

The term trust model refers to the type of relationship that can exist between people or organizations.
In one type of trust model, direct trust, a personal relationship exists between two individuals. Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party.

The three different PKI trust models are based on direct and third-party trust. The first, the web of trust model, is based on direct trust. The web of trust model is illustrated in Figure 9-10 on page 321 of the text. The second PKI trust model, the single-point trust model, is based on third-party trust. In this model, a CA directly issues and signs certificates. The final PKI trust model is a hierarchical trust model. In this model, the primary or root certificate authority issues and signs the certificates for CAs below it.

Managing Digital Certificates

After a user decides to trust a CA, she can download the digital certificate and public key from the CA and store them on her local computer. The list of approved root and intermediate CAs in Microsoft Internet Explorer 6 is shown in Figure 9-13 on page 323 of the text.

CA certificates are issued by a CA directly to individuals. They are typically used to secure e-mail transmissions through S/MIME and SSL/TLS. Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission. Software publisher certificates are provided by software publishers to verify that their programs are secure. A typical trusted software publisher digital certificate is seen in Figure 9-14 on page 324 of the text.

Certificate Policy

A certificate policy (CP) is a published set of rules that govern the operation of a PKI. A CP begins with an opening statement outlining its scope.

Quick Reference: Discuss the topics that a CP should cover at minimum, as shown on page 325 of the text.

Certificate Practice Statement (CPS)

A Certificate Practice Statement (CPS) is a more technical document compared to a CP.
A CPS describes in detail how the CA uses and manages certificates.

Quick Reference: Discuss the topics that a CPS covers, as shown on pages 325 and 326 of the text.

Certificate Life Cycle

Quick Reference: Discuss the four parts of the life cycle of a certificate, as illustrated on pages 326 and 327 of the text.

Exploring Key Management

Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed.

Centralized and Decentralized Management

Key management can either be centralized or decentralized. An example of a decentralized key management system is the PKI web of trust model. Centralized key management is the foundation for single-point trust models and hierarchical trust models, with the keys being distributed by the CA.

Key Storage

It is possible to store public keys by embedding them within digital certificates. This is a form of software-based storage and doesn’t involve any cryptography hardware. Another form of software-based storage involves storing private keys on the user’s local computer. Storing keys in hardware is an alternative to software-based keys. Whether private keys are stored in hardware or software, it is important that they be adequately protected.

Key Usage

If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys. In this scenario, one pair of keys may be used to encrypt information and the public key could be backed up to another location. The second pair would be used only for digital signatures and the public key in that pair would never be backed up.

Key Handling Procedures

Certain procedures can help ensure that keys are properly handled.

Quick Reference: Discuss the procedures included in properly handled keys per pages 328 and 329 of the text.

Quick Quiz

1. The _____________ standard outlines the syntax of a request format for a certificate request.
   ANSWER: Certification Request Syntax (PKCS #10)
2. ____________ is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME).
   ANSWER: X.509
3. With ____________, a person receives an e-mail from someone and trusts that it came from them, even though he cannot verify it.
   ANSWER: direct trust
4. ____________ certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission.
   ANSWER: Server
5. The term ___________ refers to a situation in which keys are managed by a third party.
   ANSWER: key escrow

Discussion Questions

1. Why have digital certificates become almost a necessity?
2. Discuss the advantages and disadvantages of centralized and decentralized management.

Additional Activities

1. Have students conduct an interview with an IT professional whose specialty is security.
2. Have students recreate the certificate policy for your institution.