Chapter 9: Using and Managing Keys - PowerPoint PPT Presentation

About This Presentation
Title:

Chapter 9: Using and Managing Keys

Description:

Identical keys are used to both encrypt and decrypt the message ... Rivest Cipher (RC), International Data Encryption Algorithm (IDEA), and Blowfish ... – PowerPoint PPT presentation

Number of Views:71
Avg rating:3.0/5.0
Slides: 31
Provided by: lba4
Learn more at: https://hills.ccsf.edu
Category:

less

Transcript and Presenter's Notes

Title: Chapter 9: Using and Managing Keys


1
Chapter 9 Using and Managing Keys
  • Security Guide to Network Security Fundamentals
  • Second Edition

2
Objectives
  • Explain cryptography strengths and
    vulnerabilities
  • Define public key infrastructure (PKI)
  • Manage digital certificates
  • Explore key management

3
Understanding Cryptography Strengths and
Vulnerabilities
  • Cryptography is science of scrambling data
    through encryption so it cannot be viewed by
    unauthorized users, making it secure while being
    transmitted or stored
  • When the recipient receives encrypted text or
    another user wants to access stored information,
    it must be decrypted with the cipher and key to
    produce the original plaintext

4
Symmetric Cryptography Strengths and Weaknesses
  • Identical keys are used to both encrypt and
    decrypt the message
  • Popular symmetric cipher algorithms include Data
    Encryption Standard (DES), Triple Data Encryption
    (3DES) Standard, Advanced Encryption Standard
    (AES), Rivest Cipher (RC), International Data
    Encryption Algorithm (IDEA), and Blowfish
  • The advantage of symmetric ciphers is they are
    fast.
  • Disadvantages of symmetric encryption relate to
    the difficulties of managing the private key

5
Asymmetric Cryptography Strengths and
Vulnerabilities
  • With asymmetric encryption, two keys (key pair)
    are used instead of one
  • The private key encrypts the message
  • The public key decrypts the message
  • Remember, the public key can also be used to
    encrypt and the private key can be used to
    decrypt since the two keys are mathematically
    related.

6
Asymmetric Cryptography Strengths and
Vulnerabilities
  • Asym keys can greatly improve cryptography
    security, convenience, and flexibility
  • Public keys can be distributed freely
  • Users cannot deny they have sent a message if
    they have previously encrypted the message with
    their private keys (non repudiation)
  • Primary disadvantage is that it is
    computing-intensive

7
Digital Signatures
  • Asymmetric encryption allows you to use either
    the public or private key to encrypt a message
    the receiver uses the other key to decrypt the
    message
  • However, how can you be sure that the message you
    received is from the actual sender?
  • How can you prove your own identity?
  • A digital signature helps to prove that
  • The person sending the message with a public key
    is who they claim to be
  • (b/c I used my private key to encrypt the hash
    used in the signature)
  • The message was not altered
  • It cannot be denied the message was sent

8
Digital Certificates
  • Digital documents that associate an individual
    (identity) with its specific public key
  • A digital certificate is a Data structure
    containing a public key, details about the key
    owner, and other optional information that is all
    digitally signed by a trusted third party

9
Certification Authority (CA)
  • The owner of the public key listed in the digital
    certificate can be identified to the CA in
    different ways
  • By their e-mail address
  • By additional information that describes the
    digital certificate and limits the scope of its
    use
  • Revoked digital certificates are listed in a
    Certificate Revocation List (CRL), which can be
    accessed to check the certificate status of other
    users

10
Certification Authority (CA)
  • The CA must publish the certificates and CRLs to
    a directory immediately after a certificate is
    issued or revoked so users can refer to this
    directory to see changes
  • This information is available in a publicly
    accessible directory, called a Certificate
    Repository (CR)
  • Some organizations set up a Registration
    Authority (RA) to handle some CA tasks such as
    processing certificate requests and
    authenticating users

11
Understanding Public Key Infrastructure (PKI)
  • Weaknesses associated with asymmetric
    cryptography led to the development of PKI
  • PKI is a conceptual model, much like the OSI
    model in which public keys are made available and
    managed
  • PKI describes the means by which the public key
    cryptography system is going to be implemented

12
Description of PKI
  • PKI is a system that manages keys and identity
    information required for asymmetric cryptography,
    integrating digital certificates, public keys,
    and CAs
  • For a typical enterprise
  • Provides end-user enrollment software
  • Integrates corporate certificate directories
  • Manages, renews, and revokes certificates
  • Provides related network services and security
  • Uses protocol standards by which asym
    cryptography could be used automatically across
    all platforms and applications.

13
PKI Standards and Protocols
  • Two major standards are responsible for PKI
  • Public Key Cryptography Standards (PKCS)
  • X.509 certificate standards

14
Public Key Cryptography Standards (PKCS)
  • Numbered set of standards that have been defined
    by the RSA Corporation since 1991
  • Based on the RSA public key algorithm
  • Composed of 15 standards detailed on pages 318
    and 319 of the text
  • For example
  • PKCS1 defines the RSA Encryption Standard
  • PKCS3 defines the Diffie-Hellman key agreement
  • PKCS11 defines Cryptographic Token Interface
    Standard
  • (Tokens and Smart Cards)
  • PKCS13 defines the Elliptic Curve Cryptography
    Standard

15
X.509 Digital Certificates
  • X.509 is an international standard defined by the
    International Telecommunication Union (ITU) that
    defines the format for the digital certificate
  • Most widely used certificate format for PKI
  • X.509 is used by Secure Socket Layers
    (SSL)/Transport Layer Security (TLS), IP Security
    (IPSec), and Secure/Multipurpose Internet Mail
    Extensions (S/MIME)

16
X509 Digital Certificates
17
Trust Models
  • The foundation of PKI is based on trust
  • Refers to the type of relationship that can exist
    between people or organizations
  • In the direct trust, a personal relationship
    exists between two individuals
  • Third-party trust refers to a situation in which
    two individuals trust each other only because
    each individually trusts a third party
  • The three different PKI trust models are based on
    direct and/or third-party trust

18
Trust Models (continued)
  • The web of trust model is based on direct trust
  • I trust you and you trust your brother and your
    brother trusts you, so we all trust each other
  • You can send me your brothers public key
  • Single-point trust model is based on third-party
    trust
  • A CA directly issues and signs certificates
  • In an hierarchical trust model, the primary or
    root certificate authority issues and signs the
    certificates for CAs below it
  • Also based on third party trust

19
Trust Models (continued)
20
Managing Digital Certificates
  • After a user decides to trust a CA, they can
    download the digital certificate and public key
    from the CA and store them on their local
    computer
  • CA certificates are issued by a CA directly to
    individuals
  • Typically used to secure e-mail transmissions
    through S/MIME and web transmissions through
    SSL/TLS

21
Managing Digital Certificates
22
Managing Digital Certificates
  • Server certificates can be issued from a Web
    server, FTP server, or mail server to ensure a
    secure transmission
  • Software publisher certificates are provided by
    software publishers to verify their programs are
    secure

23
Certificate Life Cycle
  • Typically divided into four parts
  • Creation
  • Revocation
  • Expiration
  • Suspension

24
Exploring Key Management
  • Because keys form the very foundation of the
    algorithms in asymmetric and PKI systems, it is
    vital that they be carefully managed

25
Centralized and Decentralized Management
  • Key management can either be centralized or
    decentralized
  • An example of a decentralized key management
    system is the PKI web of trust model
  • Centralized key management is the foundation for
    single-point trust models and hierarchical trust
    models, with keys being distributed by the CA

26
Key Storage
  • It is possible to store public keys by embedding
    them within digital certificates
  • This is a form of software-based storage and
    doesnt involve any cryptography hardware
  • Another form of software-based storage involves
    storing private keys on the users local computer

27
Key Storage (continued)
  • Storing keys in hardware is an alternative to
    software-based keys
  • Keys stored on hardware are stored on a token
    (USB drive) or card
  • Whether private keys are stored in hardware or
    software, it is important that they be adequately
    protected
  • Password protected
  • Backed-up

28
Key Handling Procedures
  • Certain procedures can help ensure that keys are
    properly handled
  • Escrow - handled by third-party
  • Renewal renew before expiration
  • Suspension suspend but not revoke
  • Destruction removes the key pair
  • Expiration key pair expires
  • Revocation key revoked and invalid
  • Recovery key divided and given to different
    parties for later recovery

29
Summary
  • One of the advantages of symmetric cryptography
    is that encryption and decryption using a private
    key is usually fast and easy to implement
  • A digital signature solves the problem of
    authenticating the sender when using asymmetric
    cryptography
  • With the number of different tools required for
    asymmetric cryptography, an organization can find
    itself implementing piecemeal solutions for
    different applications

30
Summary (continued)
  • PKCS is a numbered set of standards that have
    been defined by the RSA Corporation since 1991
  • The three PKI trust models are based on direct
    and third-party trust
  • Digital certificates are managed through CPs and
    CPSs
Write a Comment
User Comments (0)
About PowerShow.com