Security+ All-In-One Edition Chapter 5 – Public Key Infrastructure Brian E. Brzezicki Public Key Infrastructure So… Symmetric key (private key) encryption is fast and nice, but has what MAJOR problem? Symmetric Key encryption, also doesn’t provide integrity concerns ;( Asymmetric Key/public key encryption can be combined with Symmetric Key encryption to solve BOTH problems, but Symmetric Key encryption has what problem of it’s own? MiM (normal exchange) MiM Attack! (part 1) MiM Attack! Part 2 Public Key Infrastructure Wouldn’t it be nice if some one we could distribute public keys AND be assured that the public key we received was the actual public key of the person we expect to talk to? PKI to the rescue! PKI (109) PKIs are generally concerned with ensuring and managing identity trust, specifically using “digital certificates”. • Provides all the components necessary for users to be able to communicate securely in a managed method. • Includes hardware, software, policies, services, algorithms and protocols. • Enables C, and I of the CIA triad • Enables non-repudiation PKIs how do they work? (110) • In a PKI you are given a digital certificate, which contains your identity, and a key (public key) people can use to encrypt data securely to you OR verify items that you have digitally signed! • However we must have some way of ensuring that the digital certificate has not been “faked” so we have a entity called a Certificate Authority (CA) that digitally signs your digital certificate, proving that the digital certificate is really yours! – It is important that users trust the CA, otherwise there is no purpose!!! The entire PKI structure relies upon the fact that the CA can be trusted! If the CA is comprimised the whole PKI is useless. (more) PKIs how do they work? (110) • CAs are computer technology entities that issue/sign your digital certificates, however they rely on an entity to actually do a “background” check on you to prove you really are you you say you are before the CA will “vouch” for you. This “background” check entity is called an Registration Authority (RA) RA would take identifying information that proves I am who I say I am such as • Drivers license • Passport • Birth Certificate Once my identity is verified the RA will tell the CA to issue and sign a digital certificate for me (more) [...]... these backups • Use dual controls (m of n) concept to protect keys - explain (more) Key Recovery (133) • No need to backup public keys • The process of using backup keys is called key recovery • Key recovery should be highly audited! Key Escrow (1 35) Like Key archiving, but uses a third party to store your keys Clipper chip was a type of key escrow Certificate Extensions (123) Allow for further information... message with your old private key When renewing you can use the old public/ private key pair or generate a new key pair What is the advantage of generating a new pair? Certificate Revocation (126) We have a wonderful system of distributing and verifying Digital Identities (certificates) But we may need to revoke a users digital Identity? Why? 1 Hint – think encryption 2 Hint – think Human Resources (more)... Be aware of this term for the exam Key Recovery (133) When an organization uses encryption to protect data, we must also protect the keys For example if Bob encrypts all his work and then quits, we need to be able to retrieve his private key to unencrypt his work! • This is called key archiving” • Only backup the encryption private key in a multicertificate system – why? • Need to ensure the safety... are called subordinate CA Visualization next slide PKI hierarchy (142) CA concerns (112) • Every CA should have a Certification Practice Statement which outlines – – – – – How the RA verifies identities How the Certificates are transferred How keys are secured What data is in a Digital Certificate How revocations are handled… etc • Before using a 3rd party CA, you should understand and be comfortable... Clipper chip was a type of key escrow Certificate Extensions (123) Allow for further information to be inserted within a digital certificate • Introduced in X .50 9 v3 • Important extension is key usage” – which defines what the public key may be used for – Ex Use for S/MIME email, or for code signing ... Certificates There are 3 main types of certificates • End-entity certificates – Given to end users or servers or applications • CA certificates – Given to CAs, can be signed by another CA or “self signed” – What does it mean to be self signed, what does it imply? (more) Types of Certificates(1 45) • Cross-certification certificates – When two companies want to trust each other, their root CAs may issue a... (pentest1) PGP verify Multiple Certificates (133) Some PKIs use multiple certificates, and as such multiple public/ private key pairs • One for digitally signing data • One for encrypting data Why would we want to have two different keys? (Hint think key storage and nonrepudiation) Certificate Renewals (1 25) Certificates have a lifetime after which they expire Why? When a certificate expires you have to renew... they work? (1 15) • Once a digital certificate has been created and signed, they are stored in a “Certificate repository” which can be queried by users and applications in a PKI when someone wants to communicate with a user • These repositories are usually LDAP compliant databases So what’s in a Digital Certificate? (120) X .50 9 certificate standard • X .50 9 Version Number • Subject • Public Key! !! • Issuer... CA – why? (more) Certificate Revocation (126) • Client software must check the CRL before trusting a digital certificate • Once a certificate is revoked, it cannot be “un-revoked” • A certificate could be suspended, (or put on hold) this also goes on the CRL, however a special “reason” of suspended is used • Suspended certificates MAY be unsuspended OCSP (129) Online Certificate Status Protocol – a... Key! !! • Issuer (CA that vouched for you) • Serial Number • Validity dates • Certificate Usage • Signature Algorithm • Extensions Lets look at a digital Certificate together (n/b) • • • • • • • • Firefox – https://www.redhat.com Click on the yellow lock at the bottom In the pop-up click on “view certificate” What version is it? What’s the “Common Name” Who is the Issuing Certificate Authority When does . Security+ All-In-One Edition Chapter 5 – Public Key Infrastructure Brian E. Brzezicki Public Key Infrastructure So… Symmetric key (private key) encryption is fast. nice if some one we could distribute public keys AND be assured that the public key we received was the actual public key of the person we expect to talk