Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Published byShannon York Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition."— Presentation transcript:

1 Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition

2 Security+ Guide to Network Security Fundamentals, 2e 2 Objectives Explain cryptography strengths and vulnerabilities Define public key infrastructure (PKI) Manage digital certificates Explore key management

3 Security+ Guide to Network Security Fundamentals, 2e 3 Understanding Cryptography Strengths and Vulnerabilities Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext

4 Security+ Guide to Network Security Fundamentals, 2e 4 Symmetric Cryptography Strengths and Weaknesses Identical keys are used to both encrypt and decrypt the message Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish Disadvantages of symmetric encryption relate to the difficulties of managing the private key

5 Security+ Guide to Network Security Fundamentals, 2e 5 Asymmetric Cryptography Strengths and Vulnerabilities With asymmetric encryption, two keys are used instead of one –The private key encrypts the message –The public key decrypts the message

6 Security+ Guide to Network Security Fundamentals, 2e 6 Asymmetric Cryptography Strengths and Vulnerabilities (continued) Can greatly improve cryptography security, convenience, and flexibility Public keys can be distributed freely Users cannot deny they have sent a message if they have previously encrypted the message with their private keys Primary disadvantage is that it is computing-intensive

7 Security+ Guide to Network Security Fundamentals, 2e 7 Digital Signatures Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message A digital signature helps to prove that: –The person sending the message with a public key is who they claim to be –The message was not altered –It cannot be denied the message was sent

8 Security+ Guide to Network Security Fundamentals, 2e 8 Digital Certificates Digital documents that associate an individual with its specific public key Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party

9 Security+ Guide to Network Security Fundamentals, 2e 9 Certification Authority (CA) The owner of the public key listed in the digital certificate can be identified to the CA in different ways –By their e-mail address –By additional information that describes the digital certificate and limits the scope of its use Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users

10 Security+ Guide to Network Security Fundamentals, 2e 10 Certification Authority (CA) (continued) The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes Can provide the information in a publicly accessible directory, called a Certificate Repository (CR) Some organizations set up a Registration Authority (RA) to handle some CA, tasks such as processing certificate requests and authenticating users

11 Security+ Guide to Network Security Fundamentals, 2e 11 Understanding Public Key Infrastructure (PKI) Weaknesses associated with asymmetric cryptography led to the development of PKI A CA is an important trusted party who can sign and issue certificates for users Some of its tasks can also be performed by a subordinate function, the RA Updated certificates and CRLs are kept in a CR for users to refer to

12 Security+ Guide to Network Security Fundamentals, 2e 12 The Need for PKI

13 Security+ Guide to Network Security Fundamentals, 2e 13 Description of PKI Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs For a typical enterprise: –Provides end-user enrollment software –Integrates corporate certificate directories –Manages, renews, and revokes certificates –Provides related network services and security Typically consists of one or more CA servers and digital certificates that automate several tasks

14 Security+ Guide to Network Security Fundamentals, 2e 14 PKI Standards and Protocols A number of standards have been proposed for PKI –Public Key Cryptography Standards (PKCS) –X509 certificate standards

15 Security+ Guide to Network Security Fundamentals, 2e 15 Public Key Cryptography Standards (PKCS) Numbered set of standards that have been defined by the RSA Corporation since 1991 Composed of 15 standards detailed on pages 318 and 319 of the text

16 Security+ Guide to Network Security Fundamentals, 2e 16 X509 Digital Certificates X509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate Most widely used certificate format for PKI X509 is used by Secure Socket Layers (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)

17 Security+ Guide to Network Security Fundamentals, 2e 17 X509 Digital Certificates (continued)

18 Security+ Guide to Network Security Fundamentals, 2e 18 Trust Models Refers to the type of relationship that can exist between people or organizations In the direct trust, a personal relationship exists between two individuals Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party The three different PKI trust models are based on direct and third-party trust

19 Security+ Guide to Network Security Fundamentals, 2e 19 Trust Models (continued)

20 Security+ Guide to Network Security Fundamentals, 2e 20 Trust Models (continued) The web of trust model is based on direct trust Single-point trust model is based on third-party trust –A CA directly issues and signs certificates In an hierarchical trust model, the primary or root certificate authority issues and signs the certificates for CAs below it

21 Security+ Guide to Network Security Fundamentals, 2e 21 Managing Digital Certificates After a user decides to trust a CA, they can download the digital certificate and public key from the CA and store them on their local computer CA certificates are issued by a CA directly to individuals Typically used to secure e-mail transmissions through S/MIME and SSL/TLS

22 Security+ Guide to Network Security Fundamentals, 2e 22 Managing Digital Certificates (continued)

23 Security+ Guide to Network Security Fundamentals, 2e 23 Managing Digital Certificates (continued) Server certificates can be issued from a Web server, FTP server, or mail server to ensure a secure transmission Software publisher certificates are provided by software publishers to verify their programs are secure

24 Security+ Guide to Network Security Fundamentals, 2e 24 Certificate Policy (CP) Published set of rules that govern operation of a PKI Begins with an opening statement outlining its scope Should cover at a minimum the topics listed on page 325 of the text

25 Security+ Guide to Network Security Fundamentals, 2e 25 Certificate Practice Statement (CPS) More technical document compared to a CP Describes in detail how the CA uses and manages certificates Covers topics such as those listed on pages 325 and 326 of the text

26 Security+ Guide to Network Security Fundamentals, 2e 26 Certificate Life Cycle Typically divided into four parts: –Creation –Revocation –Expiration –Suspension

27 Security+ Guide to Network Security Fundamentals, 2e 27 Exploring Key Management Because keys form the very foundation of the algorithms in asymmetric and PKI systems, it is vital that they be carefully managed

28 Security+ Guide to Network Security Fundamentals, 2e 28 Centralized and Decentralized Management Key management can either be centralized or decentralized An example of a decentralized key management system is the PKI web of trust model Centralized key management is the foundation for single-point trust models and hierarchical trust models, with keys being distributed by the CA

29 Security+ Guide to Network Security Fundamentals, 2e 29 Key Storage It is possible to store public keys by embedding them within digital certificates This is a form of software-based storage and doesn’t involve any cryptography hardware Another form of software-based storage involves storing private keys on the user’s local computer

30 Security+ Guide to Network Security Fundamentals, 2e 30 Key Storage (continued) Storing keys in hardware is an alternative to software-based keys Whether private keys are stored in hardware or software, it is important that they be adequately protected

31 Security+ Guide to Network Security Fundamentals, 2e 31 Key Usage If you desire more security than a single set of public and private (single-dual) keys can offer, you can choose to use multiple pairs of dual keys One pair of keys may be used to encrypt information and the public key could be backed up to another location The second pair would be used only for digital signatures and the public key in that pair would never be backed up

32 Security+ Guide to Network Security Fundamentals, 2e 32 Key Handling Procedures Certain procedures can help ensure that keys are properly handled: –Escrow– Expiration –Renewal– Revocation –Recovery– Suspension –Destruction

33 Security+ Guide to Network Security Fundamentals, 2e 33 Summary One of the advantages of symmetric cryptography is that encryption and decryption using a private key is usually fast and easy to implement A digital signature solves the problem of authenticating the sender when using asymmetric cryptography With the number of different tools required for asymmetric cryptography, an organization can find itself implementing piecemeal solutions for different applications

34 Security+ Guide to Network Security Fundamentals, 2e 34 Summary (continued) PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991 The three PKI trust models are based on direct and third-party trust Digital certificates are managed through CPs and CPSs

Download ppt "Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
CP3397 ECommerce.

CP3397 ECommerce.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Chapter 11: Active Directory Certificate Services

Chapter 11: Active Directory Certificate Services

Similar presentations

Ads by Google