PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange
Certificate Authority (CA) PKI requires a digital certificate CA creates and digitally signs it Entrust and VeriSign Registration Authority (RA) – Verifies identity – Ask CA for certificate Certificate (X.509 standard) – Figure 7-25 on page 838
Key Management Keys should not be available in cleartext If a user loses the key, data is encrypted forever. Key escrow
TPM Trusted Platform Module Microchip installed on the motherboard and dedicated to security functions: symmetric and asymmetric keys, hashing, digital certificates Encrypting the hard disk – Key stored on TPM encrypted with another key
Sealing a System Particular hardware and software configuration TPM generates a hash based on system configuration files. TPM verifies the integrity by computing the hash and comparing it with the “sealing” value.
Link Encryption Encrypts all data – User data, header, addresses Protects against packet sniffing Packets must be decrypted at each hop so routers can read routing and address information Takes place at the data link and physical layer
End-to-End Encryption The header, addresses, routing, and trailer are not encrypted Enables attackers to learn more about a captured packet Happens within the application
E-Mail Multipurpose Internet Mail Extension (MIME) – how multimedia data and e-mail binary attachments are to be transferred. What program should process it.
Secure MIME (S/MIME) A standard for encrypting and digitally signing email and for providing secure data transmission. Follows PKCS (Public Key Cryptography Standard) Confidentiality, Integrity (Hashing), Authentication (X.509 Public Key Certificates), Non-repudiation (Signed Message Digest)
PGP Pretty Good Privacy Phil Zimmerman 1991 RSA public key encryption for key management IDEA for symmetric key for bulk encryption MD5 hash for authentication of public key certificate
PGP “Web of Trust” User’s Key Ring – collection of public keys Does not use centralized CA No CRL – What if private key is compromised? http://www.gpg4win.org/
Internet Security HTTP Secure (HTTPS) – SSL (Secure Socket Layer) works at Transport Layer – Provides data encryption, server authentication, message integrity – Server send digital certificate signed by CA containing it public key – Client uses public key to encrypt symmetric session keys
SSL SSL 3.0 Transport Layer Security (TLS) – open source version
Cookies Text file that the browser maintains in memory or on disk HTTP is stateless. – Save login, shopping cart, etc. Sometimes kept to keep track on the user’s browsing and spending for advertising. Cookies that contain sensitive information should be encrypted by the server or stored in memory.