Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 12
Advanced Cryptography

Objectives
• Define digital certificates
• List the various types of digital certificates and how they are used
• Describe the components of Public Key Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different transport encryption algorithms

Digital Certificates
• Common application of cryptography
• Aspects of using digital certificates
  – Understanding their purpose
  – Knowing how they are managed
  – Determining which type of digital certificate is appropriate for different situations

Defining Digital Certificates
• Digital signature
  – Used to prove a document originated from a valid sender
• Weakness of using digital signatures
  – Imposter could post a public key under a sender’s name

Figure 12-1 Imposter public key © Cengage Learning 2012

Defining Digital Certificates (cont’d.)
• Trusted third party
  – Used to help solve the problem of verifying identity
  – Verifies the owner and that the public key belongs to that owner
  – Helps prevent man-in-the-middle attack that impersonates owner of public key
• Information contained in a digital certificate
  – Owner’s name or alias
  – Owner’s public key
  – Issuer’s name

Defining Digital Certificates (cont’d.)
• Information contained in a digital certificate (cont’d.)
  – Issuer’s digital signature
  – Digital certificate’s serial number
  – Expiration date of the public key

Managing Digital Certificates
• Technologies used for managing digital certificates
  – Certificate Authority (CA)
  – Registration Authority (RA)
  – Certificate Revocation List (CRL)
  – Certificate Repository (CR)
  – Web browser
• Certificate Authority
  – Trusted third party
  – Responsible for issuing digital certificates
  – Can be internal or external to an organization

Managing Digital Certificates (cont’d.)
• Duties of a CA
  – Generate, issue, and distribute public key certificates
  – Distribute CA certificates
  – Generate and publish certificate status information
  – Provide a means for subscribers to request revocation
  – Revoke public-key certificates
  – Maintain security, availability, and continuity of certificate issuance signing functions

Managing Digital Certificates (cont’d.)
• Subscriber requesting a digital certificate
  – Generates public and private keys
  – Sends public key to CA
  – CA may in some instances create the keys
  – CA inserts public key into certificate
  – Certificates are digitally signed with private key of issuing CA

Managing Digital Certificates (cont’d.)
• Registration Authority
  – Subordinate entity designed to handle specific CA tasks
• Offloading registration functions creates improved workflow for CA
• General duties of an RA
  – Receive, authenticate, and process certificate revocation requests
  – Identify and authenticate subscribers

Managing Digital Certificates (cont’d.)
• General duties of an RA (cont’d.)
  – Obtain a public key from the subscriber
  – Verify that the subscriber possesses the asymmetric private key corresponding to the public key submitted for certification
• Primary function of an RA
  – Verify identity of an individual

Managing Digital Certificates (cont’d.)
• Means for a digital certificate requestor to identify themselves to an RA
  – E-mail
    • Insufficient for activities that must be very secure
  – Documents
    • Birth certificate, employee badge
  – In person
    • Providing government-issued passport or driver’s license

Managing Digital Certificates (cont’d.)
• Certificate Revocation List
  – Lists digital certificates that have been revoked
• Reasons a certificate would be revoked
  – Certificate is no longer used
  – Details of the certificate have changed, such as user’s address
  – Private key has been lost or exposed (or suspected lost or exposed)

Figure 12-2 Certificate Revocation List (CRL)

Managing Digital Certificates (cont’d.)
• Certificate Repository
  – Publicly accessible centralized directory of digital certificates
  – Used to view certificate status
  – Can be managed locally as a storage area connected to the CA server
  – Can be made available through a Web browser interface

Figure 12-3 Certificate Repository (CR)

Managing Digital Certificates (cont’d.)
• Web browser management
  – Modern Web browsers preconfigured with default list of CAs
• Advantages
  – Users can take advantage of digital certificates without need to manually load information
  – Users do not need to install a CRL manually
    • Automatic updates feature will install them automatically if feature is enabled

Figure 12-4 Web browser default CAs

Types of Digital Certificates
• Different categories of digital certificates
  – Class 1 through Class 5
  – Dual-key sided
  – Dual sided
• Other uses for digital certificates
  – Provide secure communication between clients and servers by encrypting channels
  – Encrypt messages for secure Internet e-mail communication

Types of Digital Certificates (cont’d.)
• Other uses for digital certificates (cont’d.)
  – Verify the identity of clients and servers on the Web
  – Verify the source and integrity of signed executable code
• Common categories of digital certificates
  – Personal digital certificates
  – Server digital certificates
  – Software publisher digital certificates

Types of Digital Certificates (cont’d.)
• Class 1: personal digital certificates
  – Issued by an RA directly to individuals
  – Frequently used to secure e-mail transmissions
  – Typically only require user’s name and e-mail address to receive
• Class 2: server digital certificates
  – Issued from a Web server to a client
  – Ensure authenticity of the Web server
  – Ensure authenticity of the cryptographic connection to the Web server

Figure 12-5 Server digital certificate

Types of Digital Certificates (cont’d.)
• Class 2: server digital certificates (cont’d.)
  – Server authentication and secure communication can be combined into one certificate
    • Displays padlock icon in the Web browser
    • Click padlock icon to display information about the digital certificate
• Extended Validation SSL Certificate (EV SSL)
  – Requires more extensive verification of legitimacy of the business

Figure 12-6 Padlock icon and certificate information

Types of Digital Certificates (cont’d.)
• Class 3: software publisher digital certificates
  – Provided by software publishers
  – Purpose: verify programs are secure and have not been tampered with
• Dual-key digital certificates
  – Reduce need for storing multiple copies of the signing certificate
  – Facilitate certificate handling in organizations
    • Copies kept in central storage repository

Types of Digital Certificates (cont’d.)
• Dual-sided certificates
  – Provide ability for client to authenticate back to the server
  – Both sides of the session validate themselves
• X.509 digital certificates
  – Standard for most widely accepted format for digital certificates

Table 12-1 X.509 structure

Public Key Infrastructure (PKI)
• Important management tool for the use of:
  – Digital certificates
  – Asymmetric cryptography
• Aspects of PKI
  – Public-key cryptography standards
  – Trust models
  – Key management

What is Public Key Infrastructure?
• Need for consistent means to manage digital certificates
• PKI: framework for all entities involved in digital certificates
• Certificate management actions facilitated by PKI
  – Create
  – Store
  – Distribute
  – Revoke

Public-Key Cryptographic Standards (PKCS)
• Numbered set of PKI standards defined by the RSA Corporation
  – Widely accepted in industry
  – Based on the RSA public-key algorithm

Table 12-2 PKCS standards (continues)

Table 12-2 PKCS standards (cont’d.)

Figure 12-7 Microsoft Windows PKCS support

Trust Models
• Trust
  – Confidence in or reliance on another person or entity
• Trust model
  – Refers to type of trusting relationship that can exist between individuals and entities
• Direct trust
  – One person knows the other person
• Third-party trust
  – Two individuals trust each other because each trusts a third party

Trust Models (cont’d.)
• Hierarchical trust model
  – Assigns single hierarchy with one master CA called the root
  – Root signs all digital certificate authorities with a single key
  – Can be used in an organization where one CA is responsible for only that organization’s digital certificates
• Hierarchical trust model has several limitations
  – Single CA private key may be compromised rendering all certificates worthless

Figure 12-8 Hierarchical trust model

Trust Models (cont’d.)
• Distributed trust model
  – Multiple CAs sign digital certificates
  – Eliminates limitations of hierarchical trust model
• Bridge trust model
  – One CA acts as facilitator to connect all other CAs
    • Facilitator CA does not issue digital certificates
  – Acts as hub between hierarchical and distributed trust model
  – Allows the different models to be linked

Figure 12-9 Distributed trust model

Figure 12-10 Bridge trust model

Trust Models (cont’d.)
• Bridge trust application examples
  – Federal and state governments
  – Pharmaceutical industry
  – Aerospace industry

Managing PKI
• Certificate Policy (CP)
  – Published set of rules that govern operation of a PKI
  – Provides recommended baseline security requirements for use and operation of CA, RA, and other PKI components
• Certificate Practice Statement (CPS)
  – Describes in detail how the CA uses and manages certificates

Managing PKI (cont’d.)
• Certificate life cycle
  – Creation
    • Occurs after user is positively identified
  – Suspension
    • May occur when employee on leave of absence
  – Revocation
    • Certificate no longer valid
  – Expiration
    • Key can no longer be used

Key Storage
• Means of public key storage
  – Embedding within digital certificates
• Means of private key storage
  – Stored on user’s local system
• Software-based storage may expose keys to attackers
• Alternative: storing keys in hardware
  – Tokens
  – Smart-cards

Key Usage
• Multiple pairs of dual keys
  – Created if more security needed than single set of public/private keys
  – One pair used to encrypt information
    • Public key backed up in another location
  – Second pair used only for digital signatures
    • Public key in that pair never backed up

Key-Handling Procedures
• Key escrow
  – Keys managed by a third party
  – Private key is split and each half is encrypted
  – Two halves sent to third party, which stores each half in separate location
  – User can retrieve and combine two halves and use this new copy of private key for decryption
• Expiration
  – Keys expire after a set period of time

Key-Handling Procedures (cont’d.)
• Renewal
  – Existing key can be renewed
• Revocation
  – Key may be revoked prior to its expiration date
  – Revoked keys may not be reinstated
• Recovery
  – Need to recover keys of an employee hospitalized for extended period
  – Key recovery agent may be used
  – Group of people may be used (M-of-N control)

Figure 12-11 M-of-N control

Key-Handling Procedures (cont’d.)
• Suspension
  – Suspended for a set period of time and then reinstated
• Destruction
  – Removes all public and private keys and user’s identification from the CA

Transport Encryption Algorithms
• Secure Sockets Layer (SSL)
  – Most common transport encryption algorithm
  – Developed by Netscape
  – Uses a public key to encrypt data transferred over the SSL connection
• Transport Layer Security (TLS)
  – Protocol that guarantees privacy and data integrity between applications communicating over the Internet
• Both provide server and client authentication, and data encryption

Secure Shell (SSH)
• Encrypted alternative to Telnet protocol used to access remote computers
• Linux/UNIX-based command interface and protocol
• Suite of three utilities: slogin, ssh, and scp
• Client and server ends of connection are authenticated using a digital certificate
• Passwords are encrypted
• Can be used as a tool for secure network backups

Table 12-3 SSH commands

Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
• Common use of SSL
  – Secure Web Hypertext Transport Protocol (HTTP) communications between browser and Web server
  – Users must enter URLs with https://
• Secure Hypertext Transport Protocol (SHTTP)
  – Cryptographic transport protocol released as a public specification
  – Supports a variety of encryption types, including 3DES
  – Not as widely used as HTTPS

IP Security (IPsec)
• Open System Interconnection (OSI) model
  – Security tools function at different layers
• Operating at higher levels such as Application layer
  – Advantage: tools designed to protect specific applications
  – Disadvantage: multiple security tools may be needed
• IPsec –
  Set of protocols developed to support secure exchange of packets
  – Operates at a low level in the OSI model

Figure 12-12 Security tools and the OSI model

IP Security (cont’d.)
• IPsec considered transparent to:
  – Applications
  – Users
  – Software
• Located in the operating system or communication hardware
• Provides authentication, confidentiality, and key management
• Supports two encryption modes: transport and tunnel

Figure 12-13 New IPsec packet using transport or tunnel mode

Summary
• Digital certificate provides third party verification of public key owner’s identity
• A Certificate Authority issues digital certificates for others
• Personal digital certificates are issued by an RA to individuals
• Server digital certificates ensure authenticity of a Web server and its cryptographic connection

Summary (cont’d.)
• PKI is a framework for all entities involved in digital certificates
• Three basic PKI trust models exist
• Cryptography can protect data as it is being transported across a network
  – SSL/TLS is a widely used algorithm
• IPsec supports a secure exchange of packets
  – Considered to be a transparent security protocol