Title: Chapter 9: Using and Managing Keys
1Chapter 9 Using and Managing Keys
- Security Guide to Network Security Fundamentals
- Second Edition
2Objectives
- Explain cryptography strengths and
vulnerabilities - Define public key infrastructure (PKI)
- Manage digital certificates
- Explore key management
3Understanding Cryptography Strengths and
Vulnerabilities
- Cryptography is science of scrambling data
through encryption so it cannot be viewed by
unauthorized users, making it secure while being
transmitted or stored - When the recipient receives encrypted text or
another user wants to access stored information,
it must be decrypted with the cipher and key to
produce the original plaintext
4Symmetric Cryptography Strengths and Weaknesses
- Identical keys are used to both encrypt and
decrypt the message - Popular symmetric cipher algorithms include Data
Encryption Standard (DES), Triple Data Encryption
(3DES) Standard, Advanced Encryption Standard
(AES), Rivest Cipher (RC), International Data
Encryption Algorithm (IDEA), and Blowfish - The advantage of symmetric ciphers is they are
fast. - Disadvantages of symmetric encryption relate to
the difficulties of managing the private key
5Asymmetric Cryptography Strengths and
Vulnerabilities
- With asymmetric encryption, two keys (key pair)
are used instead of one - The private key encrypts the message
- The public key decrypts the message
- Remember, the public key can also be used to
encrypt and the private key can be used to
decrypt since the two keys are mathematically
related.
6Asymmetric Cryptography Strengths and
Vulnerabilities
- Asym keys can greatly improve cryptography
security, convenience, and flexibility - Public keys can be distributed freely
- Users cannot deny they have sent a message if
they have previously encrypted the message with
their private keys (non repudiation) - Primary disadvantage is that it is
computing-intensive
7Digital Signatures
- Asymmetric encryption allows you to use either
the public or private key to encrypt a message
the receiver uses the other key to decrypt the
message - However, how can you be sure that the message you
received is from the actual sender? - How can you prove your own identity?
- A digital signature helps to prove that
- The person sending the message with a public key
is who they claim to be - (b/c I used my private key to encrypt the hash
used in the signature) - The message was not altered
- It cannot be denied the message was sent
8Digital Certificates
- Digital documents that associate an individual
(identity) with its specific public key - A digital certificate is a Data structure
containing a public key, details about the key
owner, and other optional information that is all
digitally signed by a trusted third party
9Certification Authority (CA)
- The owner of the public key listed in the digital
certificate can be identified to the CA in
different ways - By their e-mail address
- By additional information that describes the
digital certificate and limits the scope of its
use - Revoked digital certificates are listed in a
Certificate Revocation List (CRL), which can be
accessed to check the certificate status of other
users
10Certification Authority (CA)
- The CA must publish the certificates and CRLs to
a directory immediately after a certificate is
issued or revoked so users can refer to this
directory to see changes - This information is available in a publicly
accessible directory, called a Certificate
Repository (CR) - Some organizations set up a Registration
Authority (RA) to handle some CA tasks such as
processing certificate requests and
authenticating users
11Understanding Public Key Infrastructure (PKI)
- Weaknesses associated with asymmetric
cryptography led to the development of PKI - PKI is a conceptual model, much like the OSI
model in which public keys are made available and
managed - PKI describes the means by which the public key
cryptography system is going to be implemented
12Description of PKI
- PKI is a system that manages keys and identity
information required for asymmetric cryptography,
integrating digital certificates, public keys,
and CAs - For a typical enterprise
- Provides end-user enrollment software
- Integrates corporate certificate directories
- Manages, renews, and revokes certificates
- Provides related network services and security
- Uses protocol standards by which asym
cryptography could be used automatically across
all platforms and applications.
13PKI Standards and Protocols
- Two major standards are responsible for PKI
- Public Key Cryptography Standards (PKCS)
- X.509 certificate standards
14Public Key Cryptography Standards (PKCS)
- Numbered set of standards that have been defined
by the RSA Corporation since 1991 - Based on the RSA public key algorithm
- Composed of 15 standards detailed on pages 318
and 319 of the text - For example
- PKCS1 defines the RSA Encryption Standard
- PKCS3 defines the Diffie-Hellman key agreement
- PKCS11 defines Cryptographic Token Interface
Standard - (Tokens and Smart Cards)
- PKCS13 defines the Elliptic Curve Cryptography
Standard
15X.509 Digital Certificates
- X.509 is an international standard defined by the
International Telecommunication Union (ITU) that
defines the format for the digital certificate - Most widely used certificate format for PKI
- X.509 is used by Secure Socket Layers
(SSL)/Transport Layer Security (TLS), IP Security
(IPSec), and Secure/Multipurpose Internet Mail
Extensions (S/MIME)
16X509 Digital Certificates
17Trust Models
- The foundation of PKI is based on trust
- Refers to the type of relationship that can exist
between people or organizations - In the direct trust, a personal relationship
exists between two individuals - Third-party trust refers to a situation in which
two individuals trust each other only because
each individually trusts a third party - The three different PKI trust models are based on
direct and/or third-party trust
18Trust Models (continued)
- The web of trust model is based on direct trust
- I trust you and you trust your brother and your
brother trusts you, so we all trust each other - You can send me your brothers public key
- Single-point trust model is based on third-party
trust - A CA directly issues and signs certificates
- In an hierarchical trust model, the primary or
root certificate authority issues and signs the
certificates for CAs below it - Also based on third party trust
19Trust Models (continued)
20Managing Digital Certificates
- After a user decides to trust a CA, they can
download the digital certificate and public key
from the CA and store them on their local
computer - CA certificates are issued by a CA directly to
individuals - Typically used to secure e-mail transmissions
through S/MIME and web transmissions through
SSL/TLS
21Managing Digital Certificates
22Managing Digital Certificates
- Server certificates can be issued from a Web
server, FTP server, or mail server to ensure a
secure transmission - Software publisher certificates are provided by
software publishers to verify their programs are
secure
23Certificate Life Cycle
- Typically divided into four parts
- Creation
- Revocation
- Expiration
- Suspension
24Exploring Key Management
- Because keys form the very foundation of the
algorithms in asymmetric and PKI systems, it is
vital that they be carefully managed
25Centralized and Decentralized Management
- Key management can either be centralized or
decentralized - An example of a decentralized key management
system is the PKI web of trust model - Centralized key management is the foundation for
single-point trust models and hierarchical trust
models, with keys being distributed by the CA
26Key Storage
- It is possible to store public keys by embedding
them within digital certificates - This is a form of software-based storage and
doesnt involve any cryptography hardware - Another form of software-based storage involves
storing private keys on the users local computer
27Key Storage (continued)
- Storing keys in hardware is an alternative to
software-based keys - Keys stored on hardware are stored on a token
(USB drive) or card - Whether private keys are stored in hardware or
software, it is important that they be adequately
protected - Password protected
- Backed-up
28Key Handling Procedures
- Certain procedures can help ensure that keys are
properly handled - Escrow - handled by third-party
- Renewal renew before expiration
- Suspension suspend but not revoke
- Destruction removes the key pair
- Expiration key pair expires
- Revocation key revoked and invalid
- Recovery key divided and given to different
parties for later recovery
29Summary
- One of the advantages of symmetric cryptography
is that encryption and decryption using a private
key is usually fast and easy to implement - A digital signature solves the problem of
authenticating the sender when using asymmetric
cryptography - With the number of different tools required for
asymmetric cryptography, an organization can find
itself implementing piecemeal solutions for
different applications
30Summary (continued)
- PKCS is a numbered set of standards that have
been defined by the RSA Corporation since 1991 - The three PKI trust models are based on direct
and third-party trust - Digital certificates are managed through CPs and
CPSs