Security+ Guide to Network Security Fundamentals, Third Edition - - PDF document




Chapter 12: Applying Cryptography

Objectives

  • Define digital certificates
  • List the various types of digital certificates and how they are used
  • Describe the components of Public Key Infrastructure (PKI)
  • List the tasks associated with key management
  • Describe the different cryptographic transport protocols

Digital Certificates

  • Using digital certificates involves:

– Understanding their purpose
– Knowing how they are authorized, stored, and revoked
– Determining which type of digital certificate is appropriate for different situations
– Used to associate (“bind”) the user’s identity to a public key
– The user must provide proof of identity to obtain a public key from a trusted agent
– The user’s public key is “digitally signed” by a reputable source entrusted to sign it (a trusted Certificate Authority, or CA)
– Trusted CAs are recognized by the operating system and provide a path for verification (the root certificate chain)
– This provides a mechanism to validate that the certificate is valid and not expired or revoked
– Digital certificates provide an international-standards mechanism for exchanging messages with proof of integrity and non-repudiation

  • A digital certificate typically contains the following information:

– Owner’s name or alias
– Owner’s public key
– Name of the issuer
– Digital signature of the issuer
– Serial number of the digital certificate
– Expiration date of the public key

  • Certificate Authority (CA)

– An entity that publishes digital certificates (typically for others)
– Houses the root certificate server (kept offline)
– Generates certificates for entities that provide verification of identity
– Provides validation services for the certificates it has issued
– Provides services to notify users of certificates that are no longer valid (revoked or expired)
– CAs can be external (trusted) or internal (locally issued)

Storing and Verifying Digital Certificates

  • Private Key Storage

– Stored on the issued individual’s system or token
– Must be protected by tight access controls limited to the issued user
– Theft of the private key allows the thief to impersonate the trusted user

  • Certificate Repository (CR)

– A publicly accessible directory that contains the certificates and CRLs published by a CA


– Used to check the validity of a published certificate (e.g. by serial number)
– CRs are often available to all users through a Web browser interface
– Location is published through the root certificate trust chain

  • Certificate Trust Overview
  • Commercial Certificate Authorities

– Must pass rigorous auditing
– Provide publicly accessible certificate repositories and CRLs
– Are added to OS CA trust lists, so anyone holding a certificate they issued is trusted immediately
– Charge fees for certificate issuance and renewal

  • Private Certificate Authorities

– Hosted internal to an organization
– Require manual addition to the certificate trust chain on each system, normally accomplished via GPO
– No fees associated with issuance or renewal

Certificate Trust Chains: During Verification

  • Application attempts to determine if a certificate is valid by walking the certificate up the validation chain

Revoking Digital Certificates

  • Certificate Revocation List (CRL)

– Required to be published by the CA
– Publicly available information
– Lists invalidated (revoked) certificates

  • Reasons can include compromised or expired private keys

– Most CRLs can either be viewed or downloaded directly into the user’s Web browser

  • The size of a CRL can cause performance issues

– Can be used with security enforcement mechanisms to provide protection from questionable content

Digital Certificate Uses and Types

  • Uses:

– Encrypt communications channels
– Encrypt e-mail messages
– Verify the identity of clients and servers on the Web
– Verify the source and integrity of signed executable code

  • Digital Certificate Categories:

– Personal digital certificates
– Server digital certificates
– Software publisher digital certificates

  • X.509 Digital Certificates

– The most widely accepted format for digital certificates
– Web Transaction Overview

Types of Digital Certificates

  • Single-sided certificate

– Services of both digital signature and encryption are supported via a single certificate

  • Dual-sided certificates

– Certificates in which the functionality is split between two certificates

  • Signing certificate
  • Encryption certificate

– Advantages:

  • Reduce need for storing multiple signing certificate copies
  • Facilitate certificate handling in organizations
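The chain walk and CRL check covered above (Storing and Verifying / Revoking Digital Certificates),
as an added example in Go that is not part of the slides: it constructs a throwaway root CA, a
certificate issued by it and a CA-signed CRL, then validates the certificate the way a relying party
should, rejecting an untrusted root, a CRL not signed by the issuer, and a revoked serial number.
The names (`Example Root CA`, `www.example.test`) and serial numbers are constructed; only the Go
standard library `crypto/x509` package is assumed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs tmpl with parentKey; a nil parent makes tmpl self-signed. Constructed test material only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}
// BuildPKI returns a root CA, a certificate it issued with serial leafSerial, and the CA-signed CRL listing revokedSerial.
func BuildPKI(leafSerial, revokedSerial int64) (root, leaf *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now().Add(-time.Minute)
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	leaf, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now, NotAfter: now.Add(time.Hour)}, root, rootKey)
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), // the CA's published CRL
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	return root, leaf, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey))))
}
// Validate walks leaf up to a root in the trust store, then consults the issuer-signed CRL for its serial number.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots}) // fails on untrusted root, expiry or bad signature
	if err == nil { // chain walk succeeded: the CRL must carry the signature of the leaf's issuer
		err = crl.CheckSignatureFrom(chains[0][1])
	}
	for _, r := range crl.RevokedCertificates {
		if err == nil && r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			err = errors.New("certificate serial number is listed on the CRL")
		}
	}
	return err
}
```

Note that `Verify` alone does not consult revocation data; the CRL lookup is a separate step a relying party has to perform itself.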

Public Key Infrastructure (PKI)

  • Involves public-key cryptography standards, trust models, and key management
  • Public-Key Cryptography Standards (PKCS)

– Based on the RSA public-key algorithm
– Standards are defined by RSA Corporation

  • Public key infrastructure (PKI)

– Framework and Management mechanism to create, store, distribute, and revoke digital certificates

  • Includes hardware, software, people, policies and procedures

Trust Models

  • Trust may be defined as confidence in or reliance on another person or entity
  • Trust Model

– Refers to the type of trusting relationship that can exist between individuals or entities

  • Direct Trust

– A relationship exists between two individuals because one person knows the other person

  • Third party trust (Trust Chain)

– Refers to a situation in which two individuals trust each other because each trusts a third party

  • Trust Models (cont.)
  • Direct trust is not feasible when dealing with multiple users who each have digital certificates
  • 3 PKI Trust Models that use a CA

– Hierarchical trust model
– Distributed trust model
– Bridge trust model

  • Public-Key Cryptography Standards (PKCS): Based on a standard and algorithm established by RSA.

  • Public Key Infrastructure (PKI): Framework and management mechanism to create, store, distribute, and revoke digital certificates.

  • 15 PKCS standards, some of which have been deprecated and rolled into others.
  • Trust: Confidence in or reliance on another person or entity
  • Trust Model: Relationship that exists between individuals or entities
  • Direct Trust: Relationship that exists between two individuals because one person knows the other person
  • Third party trust: A situation in which two individuals trust each other because each trusts a third party

  • Direct trust is not feasible when dealing with multiple users who each have digital certificates
  • 3 PKI Trust Models:

– Hierarchical: Single root, not a distributed infrastructure


– Distributed: Uses intermediate CAs to distribute and balance the workload; lowers the risk of a single compromise affecting all issued certificates
– Bridge: Hybrid model that combines the best of both and allows for trust outside of a single organization.

Managing PKI

  • Certificate Policy (CP)

– Published set of rules that govern the operation of a PKI
– Provides recommended baseline security requirements for the use and operation of CAs, RAs, and other PKI components

  • Certificate Practice Statement (CPS)

– Details how the issuing CA uses and manages certificates
– A more technical document than a CP
– Viewable by anyone who can see your public certificate

  • Certificate Life Cycle

– Creation
– Suspension
– Revocation
– Expiration

  • Key Management
  • Proper Key Management includes procedures for:

– Key storage
– Key usage
– Key handling

  • Improper key management places the entire key set at risk of compromise

Key Storage

  • Public keys are stored by embedding within digital certificates and published
  • Private keys are stored on the user’s local system (software) or Devices (Hardware)
  • Software-based storage may leave keys open to attacks (e.g. against the OS of the system)
  • Storing keys in hardware is an alternative to software-based storage
  • Private keys stored in devices such as smart cards or in tokens are harder to compromise
  • Key Usage
  • If more security is needed than a single set of public and private keys

– Then multiple pairs of dual keys can be created

  • Pair One:

– Encryption keys
» Public key: backed up to another location

  • Pair Two:

– Used only for digital signatures
» Pair would never be backed up

Key Handling Procedures

  • 7 states in the key handling procedures process:

– Escrow: Managed by a third party
– Expiration: Sets the period for which the key is valid; reduces the time a compromised key can be used
– Renewal: Provides for renewing a key rather than issuing a new one; makes the key more susceptible to misuse or theft


– Revocation: Mechanism to invalidate the key prior to expiration if compromised or lost. This is a permanent event.

  • Key Handling Procedures (Cont.)

– Recovery:

  • Key Recovery Agent (KRA): Trusted individuals able to recover encrypted data if the data is encrypted using expired or revoked keys

  • M-of-N control: Divides KRA role into multiple users

– Suspension: Suspends use for a specified time period
– Destruction: Permanently removes all data about the key from the CA

Certificate Life Cycle: Creation; Suspension; Revocation; Expiration

  • Proper Key Management includes procedures for:

– Key storage: soft certificates, hardware certificates
– Key usage: security can be addressed using either the one-pair or two-pair model
– Key handling:

  • Escrow: Managed by 3rd Party
  • Expiration: Sets period key is valid
  • Renewal: Provides for renewing key vs. issuing new key
  • Revocation: Mechanism to invalidate the key prior to expiration; a permanent action

  • Recovery: Allows trusted individuals (KRAs) to recover encrypted files; the role can be divided among multiple users for enhanced security

  • Suspension: Suspends use for a specified time period
  • Destruction: Permanently removes all data about the key from the CA
  • N of M Key Recovery Agent process:

– KRA role divided among multiple trusted persons
– Certificate created with N KRA users designated for recovery
– CA randomly assigns each new certificate’s recovery part to N active KRA personnel
– Creates a higher level of security

Cryptographic Transport Protocols

  • Cryptographic transport protocols can be categorized by the applications they are commonly used for:

– File transfer
– Web
– VPN
– E-mail

File Transfer Protocols

  • File Transfer Protocol (FTP)

– Part of the TCP/IP suite
– Used to connect to an FTP server
– Vulnerabilities:

  • Usernames, passwords, and files being transferred are in clear text
  • Files being transferred by FTP are vulnerable to man-in-the-middle attacks

– Mitigation

  • One way to reduce the risk of attack is to use encrypted Secure FTP (SFTP)

  • Leverages SSL protocol for encryption
  • Secure Sockets Layer (SSL)

– Developed by Netscape
– Used for secure transmission of documents over the public Internet
– Uses PKI to encrypt data that is transferred over the SSL connection

  • Transport Layer Security (TLS)

– Protocol that guarantees privacy and data integrity between applications communicating over the Internet
– An extension of SSL
– The two are often referred to together as SSL/TLS or TLS/SSL

  • The second protocol that can be used with SFTP is Secure Shell (SSH)

– Also called SFTP/SSH
– SSH:

  • UNIX-based command interface / protocol
  • Used for securely accessing a remote computer
  • Suite of 3 utilities: slogin, scp, and ssh
  • Client and server are authenticated using a digital certificate

– Passwords are protected by being encrypted

Web Protocols

  • Another use of SSL is to secure Web HTTP communications between a browser and a Web server

  • Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)

– “Plain” HTTP sent over SSL/TLS

  • Secure Hypertext Transport Protocol (SHTTP)

– Allows clients and the server to negotiate encryption, authentication, and digital signature methods independently, in any combination, in both directions
– Supports 3DES
– Not widely used

E-mail Transport Protocol

  • S/MIME (Secure/Multipurpose Internet Mail Extensions)

– One of the most common e-mail transport protocols
– Uses digital certificates to protect the e-mail messages

  • S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them

VPN Protocols

  • Point-to-Point Tunneling Protocol (PPTP)

– Most widely deployed tunneling protocol
– Allows IP traffic encryption and encapsulation across a public IP network
– Based on Point-to-Point Protocol (PPP)

  • Point-to-Point Protocol over Ethernet (PPPoE)

– Variation of PPP that is used by broadband Internet providers with DSL or cable modem connections

  • Layer 2 Tunneling Protocol (L2TP)

– Merges PPTP with Cisco’s Layer 2 Forwarding Protocol (L2F)
– L2TP is not limited to working with TCP/IP-based networks, but supports a wide array of protocols
– An industry-standard tunneling protocol that allows IP traffic to be encrypted and then transmitted over any medium that supports point-to-point delivery
– On the certification test, 8 out of 10 times this is the right answer.

  • IP Security (IPsec)

– A set of protocols developed to support the secure exchange of packets
– Operates at a low level in the OSI model

  • IPsec is considered a transparent security protocol for:

– Applications
– Users
– Software
– Provides 3 areas of protection:

  • Authentication
  • Confidentiality
  • Key Management
  • IPsec supports 2 Encryption Modes:

– Transport: Encrypts only the data portion (payload) of each packet, leaving the header unencrypted
– Tunnel: Encrypts both the header and the data

  • Both AH and ESP can be used with transport or tunnel mode