Public key infrastructure and cryptographic protocols
Defining digital certificates
• Asymmetric cryptography uses a public key known to everyone and an associated private key that is kept confidential
• A digital signature is proof of the sender, but not of the sender's true identity. See figure 7-1
• A digital certificate overcomes this issue by binding the owner's identity to the public key with a digital signature. It also contains other information.
Managing digital certificates
• Certificate authorities
• Each user must complete a certificate signing request (CSR), which is sent to a registration authority that verifies the credentials. A CA (certificate authority) then takes responsibility for the digital certificate. See table 7-1
• CAs are typically kept offline and safe.
• Certificate management
• Certificate repositories (CR) is a public directory of digital certificates
• Certificate revocation: certificates have an expiration date, and a CA can also revoke a certificate early for other reasons
• To check the state of a certificate, use a certificate revocation list (CRL) or the online certificate status protocol (OCSP), which performs real-time lookups of certificate status.
• OCSP stapling reduces the high volume of traffic that comes with the OCSP lookup process. See figure 7-3
• Web browsers' certificate revocation procedures are somewhat different. See table 7-2
Types of digital certificates
• Root digital certificates
• Certificate chaining creates a path between root CAs and intermediate CAs
• The start of the chain is the root digital certificate, which is created and verified by a CA; the end of the chain is the user digital certificate. See figure 7-4
• Pinning hard-codes digital certificates within the app that uses them.
• Domain digital certificates
• Web server digital certificates, the most common type, are used in the key exchange handshake between web browsers and web servers. See figure 7-6
• Domain validation certificates are one type of web server digital certificate; they verify the identity of the entity that controls a domain name.
• Extended validation requires more information to verify a business, including additional CA checks and other authorization
• Wildcard certificates validate the main domain and its subdomains
• Subject alternative name (SAN), also known as a Unified Communications Certificate (UCC), is used by Microsoft Exchange servers. It allows multiple servers or domain names to use the same certificate.
• Hardware and software digital certificates
• Machine/computer digital certificate verifies the device
• Code signing digital certificate assures the identity of the producer of the program/code
• Email digital certificate signs and encrypts mail messages
• Digital certificate attributes and formats:
• Format X.509
• Attributes are the certificate validation period, end-host identity info, encryption keys, the signature of the CA, and the common name (CN)
• CN is the name of the device. See figure 7-8 and table 7-3 for X.509 file formats
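The CSR-to-CA procedure and certificate chaining above, as an added OpenSSL walk-through (not from the notes): each party keeps its own private key and hands only a CSR to the CA, the root signs the intermediate, the intermediate signs the server certificate, and a verifier that trusts only the root still accepts the leaf. The names (demo-root, demo-int, www.example.test) and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: build root CA -> intermediate CA -> server certificate with OpenSSL
# and verify the chain. Every name and path here is constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: a CA certificate must carry basicConstraints CA:TRUE or a verifier
# rejects anything it signs. The end-entity cert gets CA:FALSE plus a SAN for its hostname.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Step 1: each party generates its own key pair and a certificate signing request (CSR).
# The private key never leaves its owner; only the CSR travels to the CA.
for name in root int leaf; do
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=demo-$name" 2>/dev/null
done

# Step 2: the root CA self-signs its own certificate; this is the trust anchor.
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.pem 2>/dev/null
# Step 3: the root signs the intermediate CA's CSR (the only time the root key is used).
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
# Step 4: the intermediate signs the server's CSR; the root key can stay offline.
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain: trust only the root, supply the intermediate as an untrusted link, and
# check that leaf.pem chains up to the anchor. Exit status 0 means the chain is valid.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
# verify_missing_link: the same check without the intermediate. It must fail, which is
# why a web server sends its intermediate certificate along with its own.
verify_missing_link() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}
# issuer_of FILE: print the issuer name of a certificate to show each link in the chain.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

verify_chain && echo "chain verified"
issuer_of leaf.pem
issuer_of int.pem
```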
What is a public key infrastructure (PKI)?
• It is the infrastructure for managing public keys and digital certificates
Trust models
• Refers to the trust between individuals and entities: direct trust, third-party trust, web of trust
• Hierarchical trust model, one master CA, see figure 7-9
• Distributed trust model, multiple CAs, see figure 7-10
• Bridge trust model, interconnects CAs, see figure 7-11
Managing PKI
• Certificate policy (CP) is a public set of rules
• Certificate practice statement (CPS) is a technical document describing how a CA uses and manages certificates
• Certificate life cycle, is divided into 4 parts; creation, suspension, revocation, expiration
Key Management
• Key storage, keys can be stored in software or in hardware; both have their vulnerabilities.
• Key usage, if more security is needed, more keys can be created and functions separated.
• Key handling procedures:
• Escrow, keys managed by a third party
• Expiration, the date a key expires
• Renewal, renews an existing expired key
• Revocation, revokes a key based on circumstances
• Recovery, a certificate with its private key can be recovered.
• Suspension, temporarily revokes a key for a set period
• Destruction, removes all data from the keys
Secure sockets layer (SSL)
• Establish a secure connection to the server.
• SSL stripping, the attacker establishes an HTTPS connection between themselves and the server while keeping a plain HTTP connection to the user, so the user's plaintext traffic to the server passes through the attacker.
Transport layer security (TLS)
• Replaces SSL
• A cipher suite is used with TLS and SSL and is established during the handshake
Secure shell (SSH)
• Alternative to telnet
• Linux/UNIX based command interface for secure remote control/access
Hypertext Transport protocol secure (HTTPS)
• Communication between web browser and web server, sends communication with TLS or SSL
Secure/multipurpose internet mail extensions (S/MIME)
• Protocol for securing email messages
Secure real-time transport protocol (SRTP)
• Provides the same protection as S/MIME for VoIP communication, adding authentication and confidentiality.
IP security (IPsec)
• Encrypts and authenticates each packet between hosts or networks. It is a transparent security protocol, used by applications, users, and software.
• Provides 3 areas of protection: Authentication, confidentiality, key management
Weaknesses in cryptographic protocols
• Difficult to design (complex networks)
• Cryptographic protocols have been used for a long time and changes are only made when issues arise
• Suffer from legacy issues
• Guaranteeing security for protocols is complicated
Key strength
• 3 characteristics determine its resilience; randomness, cryptoperiod, length
• See table 7-4
Secret algorithms
• Keys should be kept secret, but algorithms should not be, as they are most useful when widespread
Block cipher modes of operation
• Specifies how blocks should be handled by the block ciphers.
• Electronic code book (ECB), the most basic approach, encrypts each block of plaintext separately. Do not use it
• Cipher block chaining (CBC), encrypts each block based on feedback from the previous block
• Counter (CTR), both sender and receiver must access the same counter to create a new value for each block exchanged.
• Galois/counter (GCM), encrypts the plaintext and produces a message authentication code to ensure the message is not tampered with.
Crypto service providers
• Allows applications to implement encryption algorithms for execution, generate keys, store keys, and authenticate users.
Module summary:
Credit: see image for resource credit
• A digital certificate is the user’s public key that has been digitally signed by a trusted third party who verifies the owner and that the public key belongs to that owner. It also binds the public key to the certificate. A user who wants a digital certificate must generate the public and private keys to use and then complete a request known as a Certificate Signing Request (CSR). The user electronically signs the CSR by affixing the public key and then sending it to a registration authority, who verifies the authenticity of the user. The CSR is then sent to an intermediate certificate authority (CA), who processes the CSR. The intermediate CAs perform functions on behalf of a certificate authority (CA) that is responsible for digital certificates. A common method to ensure the security and integrity of a root CA is to keep it in an offline state from the network (offline CA) rather than having it directly connected to a network (online CA).
• A Certificate Repository (CR) is a list of approved digital certificates. Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users. The status also can be checked through the Online Certificate Status Protocol (OCSP). When using OCSP stapling, web servers send queries to the Responder OCSP server at regular intervals to receive a signed time-stamped OCSP response. Because digital certificates are used extensively on the Internet, all modern web browsers are configured with a default list of CAs and the ability to automatically update certificate information.
• The process of verifying that a digital certificate is genuine depends upon certificate chaining, or linking several certificates together to establish trust between all the certificates involved. The beginning point of the chain is a specific type of digital certificate known as a root digital certificate, which is created and verified by a CA and also self-signed. Between the root digital certificate and the user certificate can be one or more intermediate certificates that have been issued by intermediate CAs. Root digital certificates and intermediate certificates can be packaged as part of modern OSs, part of web browser software, or hard coded within the app (program) that is using the certificate. The endpoint of the chain is the user digital certificate itself.
• Domain validation digital certificates verify the identity of the entity that has control over the domain name but indicate nothing regarding the trustworthiness of the individuals behind the site. Extended Validation (EV) certificates require more extensive verification of the legitimacy of the business. A wildcard digital certificate is used to validate a main domain along with all subdomains. A Subject Alternative Name (SAN) digital certificate, also known as a Unified Communications Certificate (UCC), is primarily used for Microsoft Exchange servers or unified communications. A machine/computer digital certificate is used to verify the identity of a device in a network transaction. Code signing digital certificates are used by software developers to digitally sign a program and prove that the software comes from the entity that signed it and no unauthorized third party has altered or compromised it. The most widely accepted format for dig
• A public key infrastructure (PKI) is the underlying infrastructure for key management of public keys and digital certificates. It is a framework for all the entities involved in digital certificates—including hardware, software, people, policies, and procedures—to create, store, distribute, and revoke digital certificates. One of the principal foundations of PKI is that of trust. Three basic PKI trust models use a CA. The hierarchical trust model assigns a single hierarchy with one master CA called the root, who signs all digital certificate authorities with a single key. The bridge trust model is similar to the distributed trust model. No single CA signs digital certificates, and yet the CA acts as a facilitator to interconnect all other CAs. The distributed trust model has multiple CAs that sign digital certificates.
• An organization that uses multiple digital certificates on a regular basis needs to properly manage those digital certificates. Such management includes establishing policies and practices and determining the life cycle of a digital certificate. Because keys form the very foundation of PKI systems, they must be carefully stored and handled.
• Cryptography is commonly used to protect data in transit/motion. When cryptographic algorithms are used in networks, they are sometimes called cryptographic protocols. Secure Sockets Layer (SSL) was an early cryptographic transport protocol but was replaced with the more secure Transport Layer Security (TLS). Secure Shell (SSH) is a Linux/UNIX-based command interface and protocol for securely accessing a remote computer communicating over the Internet. Hypertext Transport Protocol Secure (HTTPS), a secure version for web communications, is HTTP sent over TLS or SSL. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol for securing email messages. The Secure Real-time Transport Protocol (SRTP) provides protection for Voice over IP (VoIP) communications. IP security (IPsec) is a set of protocols developed to support the secure exchange of packets. Security weaknesses are associated with cryptographic protocols.
• Cryptography that is improperly applied can lead to vulnerabilities that will be exploited; thus, it is necessary to understand the options that relate to cryptography so that it can be implemented correctly. A key must be strong to resist attacks. A strong key must be random with no predictable pattern. Keys should also be long, and the length of time for which a key is authorized for use should be limited. Any attempt to keep an algorithm secret will not result in strong security. A block cipher mode of operation specifies how block ciphers should handle blocks of plaintext. A crypto service provider allows an application to implement an encryption algorithm for execution