
Network Security Systems Chapter 12 Applying Cryptography KS Chua Lecture Singapore Polytechnic

Objectives
• Define digital certificates
• List the various types of digital certificates and how they are used
• Describe the components of Public Key Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different cryptographic transport protocols


Digital Certificates (pg 401)
• Using digital certificates involves:
  • Understanding their purpose
  • Knowing how they are authorized, stored, and revoked
  • Determining which type of digital certificate is appropriate for different situations

Digital Certificates (continued)
Defining Digital Certificates (pg 401)
• Digital certificate
  • Can be used to associate or “bind” a user’s identity to a public key
  • The user’s public key that has been “digitally signed” by a reputable source entrusted to sign it
• Digital certificates make it possible for a recipient to verify a sender’s claim that the key belongs to him
• When a message is sent, the sender does not ask the recipient to retrieve his public key from a central site
  • Instead, he attaches the digital certificate to the message



Digital Certificates (continued)
Defining Digital Certificates (continued)
• A digital certificate typically contains the following information:
  • Owner’s name or alias
  • Owner’s public key
  • Name of the issuer
  • Digital signature of the issuer
  • Serial number of the digital certificate
  • Expiration date of the public key


Digital Certificates (continued)
Authorizing, Storing, and Revoking Digital Certificates (pg 403)
• Certificate Authority (CA)
  • An entity that issues digital certificates for others
  • A user provides information to a CA that verifies her identity
  • The user generates public and private keys and sends the public key to the CA
  • The CA inserts this public key into the certificate
• Registration Authority (RA)
  • Handles some CA tasks such as processing certificate requests and authenticating users

Digital Certificates (continued)
Authorizing, Storing, and Revoking Digital Certificates (continued)
• Certificate Revocation List (CRL)
  • Lists revoked certificates
  • Can be accessed to check the certificate status of other users
  • Most CRLs can either be viewed or downloaded directly into the user’s Web browser
• Certificate Repository (CR)
  • A publicly accessible directory that contains the certificates and CRLs published by a CA
  • CRs are often available to all users through a Web browser interface
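Added example (not part of the original slides): a toy model of the flow described above, in which a CA signs a certificate carrying the listed fields and a recipient checks the issuer, the signature, the expiration date, and the CRL. The CA name, its key (textbook RSA over two Mersenne primes, insecure by design), and the sample certificate are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Toy RSA key for a constructed CA: two well-known Mersenne primes, chosen only
# so the arithmetic is visible. Real CA keys are generated randomly and padded.
P, Q, CA_E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))   # CA private exponent (Python 3.8+)

@dataclass
class Certificate:                 # fields follow the slide's list
    owner: str                     # owner's name or alias
    public_key: int                # owner's public key (constructed value)
    issuer: str                    # name of the issuer
    serial: int                    # serial number of the certificate
    expires: date                  # expiration date
    signature: int = 0             # digital signature of the issuer

def digest(cert, n):
    """Hash every field the issuer vouches for, reduced below the toy modulus."""
    body = f"{cert.owner}|{cert.public_key}|{cert.issuer}|{cert.serial}|{cert.expires}"
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def ca_issue(owner, public_key, serial, expires, ca_name="Example CA"):
    """The CA inserts the user's public key into a certificate and signs it."""
    cert = Certificate(owner, public_key, ca_name, serial, expires)
    cert.signature = pow(digest(cert, CA_N), CA_D, CA_N)
    return cert

def validate(cert, trusted_cas, crl, today):
    """Recipient's checks: trusted issuer, issuer signature, expiry, CRL."""
    if cert.issuer not in trusted_cas:
        return "untrusted issuer"
    n, e = trusted_cas[cert.issuer]
    if pow(cert.signature, e, n) != digest(cert, n):
        return "bad signature"      # a field was altered after signing
    if today > cert.expires:
        return "expired"
    if cert.serial in crl:
        return "revoked"            # serial appears on the CA's CRL
    return "valid"

# Constructed sample data
TRUSTED = {"Example CA": (CA_N, CA_E)}
ALICE = ca_issue("alice", 0xA11CE, serial=1001, expires=date(2030, 1, 1))
```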




Digital Certificates (continued)
Types of Digital Certificates (pg 405)
• Digital certificates can also be used to:
  • Encrypt channels to provide secure communication
  • Encrypt messages for secure Internet e-mail communication
  • Verify the identity of clients and servers on the Web
  • Verify the source and integrity of signed executable code
• Categories of digital certificates
  • Personal digital certificates
  • Server digital certificates
  • Software publisher digital certificates



Digital Certificates (continued)
Types of Digital Certificates (continued)
• Single-sided certificate
  • One digital certificate is sent along with a message
• Dual-sided certificates
  • Certificates in which the functionality is split between two certificates
    • Signing certificate
    • Encryption certificate

Digital Certificates (continued)
Types of Digital Certificates (continued)
• Dual-sided certificate advantages:
  • Reduce the need for storing multiple copies of the signing certificate
  • Facilitate certificate handling in organizations
• X.509 Digital Certificates
  • The most widely accepted format for digital certificates



Public Key Infrastructure (PKI) (pg 410)
• Public key infrastructure involves public-key cryptography standards, trust models, and key management


Public Key Infrastructure (PKI) (continued)
What Is Public Key Infrastructure (PKI)? (pg 410)
• Public key infrastructure (PKI)
  • A framework for all of the entities involved in digital certificates to create, store, distribute, and revoke digital certificates
    • Includes hardware, software, people, policies and procedures
• PKI is digital certificate management

Public Key Infrastructure (PKI) (continued)
Public-key cryptography standards (PKCS) (pg 411)
• Public-key cryptography standards (PKCS)
  • A numbered set of PKI standards that have been defined by the RSA Corporation
  • These standards are based on the RSA public-key algorithm



Public Key Infrastructure (PKI) (continued)
Trust Models (pg 413)
• Trust may be defined as confidence in or reliance on another person or entity
• Trust model
  • Refers to the type of trusting relationship that can exist between individuals or entities
• Direct trust
  • A relationship exists between two individuals because one person knows the other person
• Third party trust
  • Refers to a situation in which two individuals trust each other because each trusts a third party


Public Key Infrastructure (PKI) (continued)
Trust Models (continued)
• Direct trust is not feasible when dealing with multiple users who each have digital certificates
• Three PKI trust models that use a CA
  • Hierarchical trust model
  • Distributed trust model
  • Bridge trust model



Public Key Infrastructure (PKI) (continued)
Managing PKI (pg 416)
• Certificate policy (CP)
  • A published set of rules that govern the operation of a PKI
  • Provides recommended baseline security requirements for the use and operation of CA, RA, and other PKI components
• Certificate practice statement (CPS)
  • Describes in detail how the CA uses and manages certificates
  • A more technical document than a CP

Public Key Infrastructure (PKI) (continued)
Managing PKI (continued)
• Certificate life cycle
  • Creation
  • Suspension
  • Revocation
  • Expiration


Key Management (pg 417)
• Proper key management includes key storage, key usage, and key handling procedures

Key Management (continued)
Key Storage (pg 418)
• Public keys can be stored by embedding them within digital certificates
  • While private keys can be stored on the user’s local system
• The drawback to software-based storage is that it may leave keys open to attacks
• Storing keys in hardware is an alternative to software-based storage
• Private keys can be stored on smart cards or in tokens


Key Management (continued)
Key Usage (pg 418)
• If more security is needed than a single set of public and private keys
  • Then multiple pairs of dual keys can be created
• One pair of keys may be used to encrypt information
  • The public key could be backed up to another location
• The second pair would be used only for digital signatures
  • The public key in that pair would never be backed up

Key Management (continued)
Key Handling Procedures (pg 418)
• Procedures include:
  • Escrow
  • Expiration
  • Renewal
  • Revocation
  • Recovery
    • Key recovery agent (KRA)
    • M-of-N control
  • Suspension
  • Destruction



Cryptographic Transport Protocols (pg 420)
• Cryptographic transport protocols can be categorized by the applications that they are commonly used for:
  • File transfer, Web, VPN, and e-mail


Cryptographic Transport Protocols (continued)
File Transfer Protocols (pg 420)
• File Transfer Protocol (FTP)
  • Part of the TCP/IP suite
  • Used to connect to an FTP server
• Vulnerabilities
  • Usernames, passwords, and files being transferred are in cleartext
  • Files being transferred by FTP are vulnerable to man-in-the-middle attacks
• One of the ways to reduce the risk of attack is to use encrypted Secure FTP (SFTP)

Cryptographic Transport Protocols (continued)
File Transfer Protocols (continued)
• Secure Sockets Layer (SSL)
  • A protocol developed by Netscape for securely transmitting documents over the Internet
  • Uses a public key to encrypt data that is transferred over the SSL connection
• Transport Layer Security (TLS)
  • A protocol that guarantees privacy and data integrity between applications communicating over the Internet
  • An extension of SSL
  • Are often referred to as SSL/TLS or TLS/SSL


Cryptographic Transport Protocols (continued)
File Transfer Protocols (continued)
• A second protocol that can be used with SFTP is Secure Shell (SSH)
  • Also called SFTP/SSH
• SSH
  • A UNIX-based command interface and protocol for securely accessing a remote computer
  • Suite of three utilities: slogin, scp, and ssh
  • Both the client and server ends of the connection are authenticated using a digital certificate
    • Passwords are protected by being encrypted



Cryptographic Transport Protocols (continued)
Web Protocols (pg 422)
• Another use of SSL is to secure Web HTTP communications between a browser and a Web server
• Hypertext Transport Protocol over Secure Sockets Layer
  • “Plain” HTTP sent over SSL/TLS
• Secure Hypertext Transport Protocol
  • Allows clients and the server to negotiate independently encryption, authentication, and digital signature methods, in any combination, in both directions

Cryptographic Transport Protocols (continued)
VPN Protocols (pg 422)
• Before transmitting documents over an open network, they can be encrypted through SFTP
• Drawbacks of using SFTP
  • User must consciously perform the encryption
  • Protect only documents that are transmitted
    • Not other communications such as Web surfing, instant messaging, etc.
• Solution
  • Use a virtual private network (VPN)


Cryptographic Transport Protocols (continued)
VPN Protocols (continued)
• VPN will be covered in more detail in Firewall Technologies (ET0531)

Cryptographic Transport Protocols (continued)
E-mail Transport Protocol (pg 427)
• S/MIME (Secure/Multipurpose Internet Mail Extensions)
  • One of the most common e-mail transport protocols
  • Uses digital certificates to protect the e-mail messages
• S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them


Summary
• Digital certificates can be used to associate a user’s identity to a public key
• An entity that issues digital certificates for others is known as a Certificate Authority (CA)
• Types of certificates
  • Personal, server, and software publisher certificates
• PKI is digital certificate management
• One of the principal foundations of PKI is that of trust
• An organization that uses multiple digital certificates on a regular basis needs to properly manage those digital certificates

Summary (continued)
• One cryptographic transport protocol for FTP is Secure Sockets Layer (SSL)
• A secure version for Web communications is HTTP sent over SSL/TLS and is called HTTPS (Hypertext Transport Protocol over Secure Sockets Layer)
• VPN is a solution used to secure various communications over a public network


ET0522_Chap12_2in1