Chapter 9: Using and Managing Keys

1
Chapter 9 Using and Managing Keys

• Security Guide to Network Security Fundamentals
• Second Edition

2
Objectives

• Explain cryptography strengths and
  vulnerabilities
• Define public key infrastructure (PKI)
• Manage digital certificates
• Explore key management

3
Understanding Cryptography Strengths and
Vulnerabilities

• Cryptography is science of scrambling data
  through encryption so it cannot be viewed by
  unauthorized users, making it secure while being
  transmitted or stored
• When the recipient receives encrypted text or
  another user wants to access stored information,
  it must be decrypted with the cipher and key to
  produce the original plaintext

4
Symmetric Cryptography Strengths and Weaknesses

• Identical keys are used to both encrypt and
  decrypt the message
• Popular symmetric cipher algorithms include Data
  Encryption Standard (DES), Triple Data Encryption
  (3DES) Standard, Advanced Encryption Standard
  (AES), Rivest Cipher (RC), International Data
  Encryption Algorithm (IDEA), and Blowfish
• The advantage of symmetric ciphers is they are
  fast.
• Disadvantages of symmetric encryption relate to
  the difficulties of managing the private key

5
Asymmetric Cryptography Strengths and
Vulnerabilities

• With asymmetric encryption, two keys (key pair)
  are used instead of one
• The private key encrypts the message
• The public key decrypts the message
• Remember, the public key can also be used to
  encrypt and the private key can be used to
  decrypt since the two keys are mathematically
  related.

6
Asymmetric Cryptography Strengths and
Vulnerabilities

• Asym keys can greatly improve cryptography
  security, convenience, and flexibility
• Public keys can be distributed freely
• Users cannot deny they have sent a message if
  they have previously encrypted the message with
  their private keys (non repudiation)
• Primary disadvantage is that it is
  computing-intensive

7
Digital Signatures

• Asymmetric encryption allows you to use either
  the public or private key to encrypt a message
  the receiver uses the other key to decrypt the
  message
• However, how can you be sure that the message you
  received is from the actual sender?
• How can you prove your own identity?
• A digital signature helps to prove that
• The person sending the message with a public key
  is who they claim to be
• (b/c I used my private key to encrypt the hash
  used in the signature)
• The message was not altered
• It cannot be denied the message was sent

8
Digital Certificates

• Digital documents that associate an individual
  (identity) with its specific public key
• A digital certificate is a Data structure
  containing a public key, details about the key
  owner, and other optional information that is all
  digitally signed by a trusted third party

9
Certification Authority (CA)

• The owner of the public key listed in the digital
  certificate can be identified to the CA in
  different ways
• By their e-mail address
• By additional information that describes the
  digital certificate and limits the scope of its
  use
• Revoked digital certificates are listed in a
  Certificate Revocation List (CRL), which can be
  accessed to check the certificate status of other
  users

10
Certification Authority (CA)

• The CA must publish the certificates and CRLs to
  a directory immediately after a certificate is
  issued or revoked so users can refer to this
  directory to see changes
• This information is available in a publicly
  accessible directory, called a Certificate
  Repository (CR)
• Some organizations set up a Registration
  Authority (RA) to handle some CA tasks such as
  processing certificate requests and
  authenticating users

11
Understanding Public Key Infrastructure (PKI)

• Weaknesses associated with asymmetric
  cryptography led to the development of PKI
• PKI is a conceptual model, much like the OSI
  model in which public keys are made available and
  managed
• PKI describes the means by which the public key
  cryptography system is going to be implemented

12
Description of PKI

• PKI is a system that manages keys and identity
  information required for asymmetric cryptography,
  integrating digital certificates, public keys,
  and CAs
• For a typical enterprise
• Provides end-user enrollment software
• Integrates corporate certificate directories
• Manages, renews, and revokes certificates
• Provides related network services and security
• Uses protocol standards by which asym
  cryptography could be used automatically across
  all platforms and applications.

13
PKI Standards and Protocols

• Two major standards are responsible for PKI
• Public Key Cryptography Standards (PKCS)
• X.509 certificate standards

14
Public Key Cryptography Standards (PKCS)

• Numbered set of standards that have been defined
  by the RSA Corporation since 1991
• Based on the RSA public key algorithm
• Composed of 15 standards detailed on pages 318
  and 319 of the text
• For example
• PKCS1 defines the RSA Encryption Standard
• PKCS3 defines the Diffie-Hellman key agreement
• PKCS11 defines Cryptographic Token Interface
  Standard
• (Tokens and Smart Cards)
• PKCS13 defines the Elliptic Curve Cryptography
  Standard

15
X.509 Digital Certificates

• X.509 is an international standard defined by the
  International Telecommunication Union (ITU) that
  defines the format for the digital certificate
• Most widely used certificate format for PKI
• X.509 is used by Secure Socket Layers
  (SSL)/Transport Layer Security (TLS), IP Security
  (IPSec), and Secure/Multipurpose Internet Mail
  Extensions (S/MIME)

16
X509 Digital Certificates
17
Trust Models

• The foundation of PKI is based on trust
• Refers to the type of relationship that can exist
  between people or organizations
• In the direct trust, a personal relationship
  exists between two individuals
• Third-party trust refers to a situation in which
  two individuals trust each other only because
  each individually trusts a third party
• The three different PKI trust models are based on
  direct and/or third-party trust

18
Trust Models (continued)

• The web of trust model is based on direct trust
• I trust you and you trust your brother and your
  brother trusts you, so we all trust each other
• You can send me your brothers public key
• Single-point trust model is based on third-party
  trust
• A CA directly issues and signs certificates
• In an hierarchical trust model, the primary or
  root certificate authority issues and signs the
  certificates for CAs below it
• Also based on third party trust

19
Trust Models (continued)
20
Managing Digital Certificates

• After a user decides to trust a CA, they can
  download the digital certificate and public key
  from the CA and store them on their local
  computer
• CA certificates are issued by a CA directly to
  individuals
• Typically used to secure e-mail transmissions
  through S/MIME and web transmissions through
  SSL/TLS

21
Managing Digital Certificates
22
Managing Digital Certificates

• Server certificates can be issued from a Web
  server, FTP server, or mail server to ensure a
  secure transmission
• Software publisher certificates are provided by
  software publishers to verify their programs are
  secure

23
Certificate Life Cycle

• Typically divided into four parts
• Creation
• Revocation
• Expiration
• Suspension

24
Exploring Key Management

• Because keys form the very foundation of the
  algorithms in asymmetric and PKI systems, it is
  vital that they be carefully managed

25
Centralized and Decentralized Management

• Key management can either be centralized or
  decentralized
• An example of a decentralized key management
  system is the PKI web of trust model
• Centralized key management is the foundation for
  single-point trust models and hierarchical trust
  models, with keys being distributed by the CA

26
Key Storage

• It is possible to store public keys by embedding
  them within digital certificates
• This is a form of software-based storage and
  doesnt involve any cryptography hardware
• Another form of software-based storage involves
  storing private keys on the users local computer

27
Key Storage (continued)

• Storing keys in hardware is an alternative to
  software-based keys
• Keys stored on hardware are stored on a token
  (USB drive) or card
• Whether private keys are stored in hardware or
  software, it is important that they be adequately
  protected
• Password protected
• Backed-up

28
Key Handling Procedures

• Certain procedures can help ensure that keys are
  properly handled
• Escrow - handled by third-party
• Renewal renew before expiration
• Suspension suspend but not revoke
• Destruction removes the key pair
• Expiration key pair expires
• Revocation key revoked and invalid
• Recovery key divided and given to different
  parties for later recovery

29
Summary

• One of the advantages of symmetric cryptography
  is that encryption and decryption using a private
  key is usually fast and easy to implement
• A digital signature solves the problem of
  authenticating the sender when using asymmetric
  cryptography
• With the number of different tools required for
  asymmetric cryptography, an organization can find
  itself implementing piecemeal solutions for
  different applications

30
Summary (continued)

• PKCS is a numbered set of standards that have
  been defined by the RSA Corporation since 1991
• The three PKI trust models are based on direct
  and third-party trust
• Digital certificates are managed through CPs and
  CPSs