Chapter 9: Using and Managing Keys
-
Upload
preston-william -
Category
Documents
-
view
37 -
download
3
description
Transcript of Chapter 9: Using and Managing Keys
![Page 1: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/1.jpg)
Chapter 9: Using and Managing Keys
Security+ Guide to Network Security Fundamentals
Second Edition
![Page 2: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/2.jpg)
Security+ Guide to Network Security Fundamentals, 2e
2
Objectives
• Explain cryptography strengths and vulnerabilities
• Define public key infrastructure (PKI)
• Manage digital certificates
• Explore key management
![Page 3: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/3.jpg)
Security+ Guide to Network Security Fundamentals, 2e
3
Understanding Cryptography Strengths and Vulnerabilities
• Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
• When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext
![Page 4: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/4.jpg)
Security+ Guide to Network Security Fundamentals, 2e
4
Symmetric Cryptography Strengths and Weaknesses
• Identical keys are used to both encrypt and decrypt the message
• Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish
• Disadvantages of symmetric encryption relate to the difficulties of managing the private key
![Page 5: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/5.jpg)
Security+ Guide to Network Security Fundamentals, 2e
5
Asymmetric Cryptography Strengths and Vulnerabilities
• With asymmetric encryption, two keys are used instead of one
– The private key encrypts the message
– The public key decrypts the message
![Page 6: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/6.jpg)
Security+ Guide to Network Security Fundamentals, 2e
6
Asymmetric Cryptography Strengths and Vulnerabilities (continued)
• Can greatly improve cryptography security, convenience, and flexibility
• Public keys can be distributed freely
• Users cannot deny they have sent a message if they have previously encrypted the message with their private keys
• Primary disadvantage is that it is computing-intensive
![Page 7: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/7.jpg)
Security+ Guide to Network Security Fundamentals, 2e
7
Digital Signatures
• Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message
• A digital signature helps to prove that:
– The person sending the message with a public key is who they claim to be
– The message was not altered
– It cannot be denied the message was sent
![Page 8: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/8.jpg)
Security+ Guide to Network Security Fundamentals, 2e
8
Digital Certificates
• Digital documents that associate an individual with its specific public key
• Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party
![Page 9: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/9.jpg)
Security+ Guide to Network Security Fundamentals, 2e
9
Certification Authority (CA)
• The owner of the public key listed in the digital certificate can be identified to the CA in different ways
– By their e-mail address
– By additional information that describes the digital certificate and limits the scope of its use
• Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users
![Page 10: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/10.jpg)
Security+ Guide to Network Security Fundamentals, 2e
10
Certification Authority (CA) (continued)
• The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes
• Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)
• Some organizations set up a Registration Authority (RA) to handle some CA, tasks such as processing certificate requests and authenticating users
![Page 11: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/11.jpg)
Security+ Guide to Network Security Fundamentals, 2e
11
Understanding Public Key Infrastructure (PKI)
• Weaknesses associated with asymmetric cryptography led to the development of PKI
• A CA is an important trusted party who can sign and issue certificates for users
• Some of its tasks can also be performed by a subordinate function, the RA
• Updated certificates and CRLs are kept in a CR for users to refer to
![Page 12: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/12.jpg)
Security+ Guide to Network Security Fundamentals, 2e
12
The Need for PKI
![Page 13: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/13.jpg)
Security+ Guide to Network Security Fundamentals, 2e
13
Description of PKI• Manages keys and identity information required for
asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs
• For a typical enterprise:
– Provides end-user enrollment software
– Integrates corporate certificate directories
– Manages, renews, and revokes certificates
– Provides related network services and security
• Typically consists of one or more CA servers and digital certificates that automate several tasks
![Page 14: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/14.jpg)
Security+ Guide to Network Security Fundamentals, 2e
14
PKI Standards and Protocols
• A number of standards have been proposed for PKI
– Public Key Cryptography Standards (PKCS)
– X509 certificate standards
![Page 15: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/15.jpg)
Security+ Guide to Network Security Fundamentals, 2e
15
Public Key Cryptography Standards (PKCS)
• Numbered set of standards that have been defined by the RSA Corporation since 1991
• Composed of 15 standards detailed on pages 318 and 319 of the text
![Page 16: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/16.jpg)
Security+ Guide to Network Security Fundamentals, 2e
16
X509 Digital Certificates
• X509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
• Most widely used certificate format for PKI
• X509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)
![Page 17: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/17.jpg)
Security+ Guide to Network Security Fundamentals, 2e
17
X509 Digital Certificates (continued)
![Page 18: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/18.jpg)
Security+ Guide to Network Security Fundamentals, 2e
18
Trust Models
• Refers to the type of relationship that can exist between people or organizations
• In the direct trust, a personal relationship exists between two individuals
• Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party
• The three different PKI trust models are based on direct and third-party trust
![Page 19: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/19.jpg)
Security+ Guide to Network Security Fundamentals, 2e
19
Trust Models (continued)
![Page 20: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/20.jpg)
Security+ Guide to Network Security Fundamentals, 2e
20
Trust Models (continued)
• The web of trust model is based on direct trust
• Single-point trust model is based on third-party trust
– A CA directly issues and signs certificates
• In an hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it
![Page 21: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/21.jpg)
Security+ Guide to Network Security Fundamentals, 2e
21
Managing Digital Certificates
• After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer
• CA certificates are issued by a CA directly to individuals
• Typically used to secure e-mail transmissions through S/MIME and SSL/TLS
![Page 22: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/22.jpg)
Security+ Guide to Network Security Fundamentals, 2e
22
Managing Digital Certificates (continued)
![Page 23: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/23.jpg)
Security+ Guide to Network Security Fundamentals, 2e
23
Managing Digital Certificates (continued)
• Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission
• Software publisher certificates are provided by software publishers to verify their programs are secure
![Page 24: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/24.jpg)
Security+ Guide to Network Security Fundamentals, 2e
24
Certificate Policy (CP)
• Published set of rules that govern operation of a PKI
• Begins with an opening statement outlining its scope
• Should cover at a minimum the topics listed on page 325 of the text
![Page 25: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/25.jpg)
Security+ Guide to Network Security Fundamentals, 2e
25
Certificate Practice Statement (CPS)
• More technical document compared to a CP
• Describes in detail how the CA uses and manages certificates
• Covers topics such as those listed on pages 325 and 326 of the text
![Page 26: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/26.jpg)
Security+ Guide to Network Security Fundamentals, 2e
26
Certificate Life Cycle
• Typically divided into four parts:
– Creation
– Revocation
– Expiration
– Suspension
![Page 27: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/27.jpg)
Security+ Guide to Network Security Fundamentals, 2e
27
Exploring Key Management
• Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed
![Page 28: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/28.jpg)
Security+ Guide to Network Security Fundamentals, 2e
28
Centralized and Decentralized Management
• Key management can either be centralized or decentralized
• An example of a decentralized key management system is the PKI web of trust model
• Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA
![Page 29: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/29.jpg)
Security+ Guide to Network Security Fundamentals, 2e
29
Key Storage
• It is possible to store public keys by embedding them within digital certificates
• This is a form of software-based storage and doesn’t involve any cryptography hardware
• Another form of software-based storage involves storing private keys on the user’s local computer
![Page 30: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/30.jpg)
Security+ Guide to Network Security Fundamentals, 2e
30
Key Storage (continued)
• Storing keys in hardware is an alternative to software-based keys
• Whether private keys are stored in hardware or software, it is important that they be adequately protected
![Page 31: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/31.jpg)
Security+ Guide to Network Security Fundamentals, 2e
31
Key Usage
• If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys
• One pair of keys may be used to encrypt information and the public key could be backed up to another location
• The second pair would be used only for digital signatures and the public key in that pair would never be backed up
![Page 32: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/32.jpg)
Security+ Guide to Network Security Fundamentals, 2e
32
Key Handling Procedures
• Certain procedures can help ensure that keys are properly handled:
– Escrow – Expiration
– Renewal – Revocation
– Recovery – Suspension
– Destruction
![Page 33: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/33.jpg)
Security+ Guide to Network Security Fundamentals, 2e
33
Summary
• One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement
• A digital signature solves the problem of authenticating the sender when using asymmetric cryptography
• With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications
![Page 34: Chapter 9: Using and Managing Keys](https://reader035.fdocuments.net/reader035/viewer/2022062304/56812b13550346895d8f06a9/html5/thumbnails/34.jpg)
Security+ Guide to Network Security Fundamentals, 2e
34
Summary (continued)
• PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991
• The three PKI trust models are based on direct and third-party trust
• Digital certificates are managed through CPs and CPSs