Digital Certificates

Chapter 9: Using and
Managing Keys
Security+ Guide to Network
Security Fundamentals
Second Edition
Explain cryptography strengths and
 Define public key infrastructure (PKI)
 Manage digital certificates
 Explore key management
Understanding Cryptography
Strengths and Vulnerabilities
Cryptography is science of
“scrambling” data through encryption
so it cannot be viewed by
unauthorized users, making it secure
while being transmitted or stored
 When the recipient receives encrypted
text or another user wants to access
stored information, it must be
decrypted with the cipher and key to
produce the original plaintext
Symmetric Cryptography
Strengths and Weaknesses
Identical keys are used to both encrypt and
decrypt the message
Popular symmetric cipher algorithms include
Data Encryption Standard (DES), Triple Data
Encryption (3DES) Standard, Advanced
Encryption Standard (AES), Rivest Cipher
(RC), International Data Encryption
Algorithm (IDEA), and Blowfish
The advantage of symmetric ciphers is they
are fast.
Disadvantages of symmetric encryption
relate to the difficulties of managing the
private key
Asymmetric Cryptography Strengths
and Vulnerabilities
With asymmetric encryption, two keys
(key pair) are used instead of one
The private key encrypts the message
The public key decrypts the message
Remember, the public key can also be
used to encrypt and the private key can
be used to decrypt since the two keys are
mathematically related.
Asymmetric Cryptography Strengths
and Vulnerabilities
Asym keys can greatly improve
cryptography security, convenience, and
 Public keys can be distributed freely
 Users cannot deny they have sent a
message if they have previously
encrypted the message with their private
keys (non repudiation)
 Primary disadvantage is that it is
Digital Signatures
Asymmetric encryption allows you to use either
the public or private key to encrypt a message;
the receiver uses the other key to decrypt the
However, how can you be sure that the
message you received is from the actual
How can you prove your own identity?
A digital signature helps to prove that:
The person sending the message with a public key is
who they claim to be
(b/c I used my private key to encrypt the hash
used in the signature)
The message was not altered
It cannot be denied the message was sent
Digital Certificates
Digital documents that associate an
individual (identity) with its specific public
 A digital certificate is a Data structure
containing a public key, details about the
key owner, and other optional information
that is all digitally signed by a trusted
third party
Certification Authority (CA)
The owner of the public key listed in the
digital certificate can be identified to the
CA in different ways
By their e-mail address
By additional information that describes the
digital certificate and limits the scope of its
Revoked digital certificates are listed in a
Certificate Revocation List (CRL), which
can be accessed to check the certificate
status of other users
Certification Authority (CA)
The CA must publish the certificates and
CRLs to a directory immediately after a
certificate is issued or revoked so users
can refer to this directory to see changes
 This information is available in a publicly
accessible directory, called a Certificate
Repository (CR)
 Some organizations set up a Registration
Authority (RA) to handle some CA tasks
such as processing certificate requests
and authenticating users
Understanding Public Key
Infrastructure (PKI)
Weaknesses associated with asymmetric
cryptography led to the development of
PKI is a conceptual model, much like the
OSI model in which public keys are made
available and managed
PKI describes the means by which the
public key cryptography system is going
to be implemented
Description of PKI
PKI is a system that manages keys and identity
information required for asymmetric
cryptography, integrating digital certificates,
public keys, and CAs
For a typical enterprise:
Provides end-user enrollment software
Integrates corporate certificate directories
Manages, renews, and revokes certificates
Provides related network services and security
Uses protocol standards by which asym
cryptography could be used automatically
across all platforms and applications.
PKI Standards and Protocols
Two major standards are responsible for
Public Key Cryptography Standards (PKCS)
X.509 certificate standards
Public Key Cryptography
Standards (PKCS)
Numbered set of standards that have been
defined by the RSA Corporation since 1991
Based on the RSA public key algorithm
Composed of 15 standards detailed on
pages 318 and 319 of the text
For example:
PKCS#1 defines the RSA Encryption Standard
PKCS#3 defines the Diffie-Hellman key agreement
PKCS#11 defines Cryptographic Token Interface Standard
(Tokens and Smart Cards)
PKCS#13 defines the Elliptic Curve Cryptography Standard
X.509 Digital Certificates
X.509 is an international standard
defined by the International
Telecommunication Union (ITU) that
defines the format for the digital
 Most widely used certificate format for
 X.509 is used by Secure Socket Layers
(SSL)/Transport Layer Security (TLS),
IP Security (IPSec), and
Secure/Multipurpose Internet Mail
Extensions (S/MIME)
X509 Digital Certificates
Trust Models
The foundation of PKI is based on trust
Refers to the type of relationship that can
exist between people or organizations
In the direct trust, a personal relationship
exists between two individuals
Third-party trust refers to a situation in which
two individuals trust each other only because
each individually trusts a third party
The three different PKI trust models are based
on direct and/or third-party trust
Trust Models (continued)
The web of trust model is based on direct
Single-point trust model is based on thirdparty trust
I trust you and you trust your brother and your
brother trusts you, so we all trust each other
You can send me your brother’s public key
A CA directly issues and signs certificates
In an hierarchical trust model, the primary or
root certificate authority issues and signs the
certificates for CAs below it
Also based on third party trust
Trust Models (continued)
Managing Digital Certificates
After a user decides to trust a CA, they
can download the digital certificate and
public key from the CA and store them
on their local computer
 CA certificates are issued by a CA directly
to individuals
 Typically used to secure e-mail
transmissions through S/MIME and web
transmissions through SSL/TLS
Managing Digital Certificates
Managing Digital Certificates
Server certificates can be issued from
a Web server, FTP server, or mail
server to ensure a secure transmission
 Software publisher certificates are
provided by software publishers to
verify their programs are secure
Certificate Life Cycle
Typically divided into four parts:
Exploring Key Management
Because keys form the very
foundation of the algorithms in
asymmetric and PKI systems, it is vital
that they be carefully managed
Centralized and Decentralized
Key management can either be
centralized or decentralized
 An example of a decentralized key
management system is the PKI web of
trust model
 Centralized key management is the
foundation for single-point trust
models and hierarchical trust models,
with keys being distributed by the CA
Key Storage
It is possible to store public keys by
embedding them within digital
 This is a form of software-based
storage and doesn’t involve any
cryptography hardware
 Another form of software-based
storage involves storing private keys
on the user’s local computer
Key Storage (continued)
Storing keys in hardware is an
alternative to software-based keys
Keys stored on hardware are stored on a
token (USB drive) or card
Whether private keys are stored in
hardware or software, it is important
that they be adequately protected
Password protected
Key Handling Procedures
Certain procedures can help ensure
that keys are properly handled:
Escrow - handled by third-party
Renewal – renew before expiration
Suspension – suspend but not revoke
Destruction – removes the key pair
Expiration – key pair expires
Revocation – key revoked and invalid
Recovery – key divided and given to
different parties for later recovery
One of the advantages of symmetric
cryptography is that encryption and
decryption using a private key is
usually fast and easy to implement
 A digital signature solves the problem
of authenticating the sender when
using asymmetric cryptography
 With the number of different tools
required for asymmetric cryptography,
an organization can find itself
implementing piecemeal solutions for
different applications
Summary (continued)
PKCS is a numbered set of standards
that have been defined by the RSA
Corporation since 1991
 The three PKI trust models are based
on direct and third-party trust
 Digital certificates are managed
through CPs and CPSs

similar documents