Security+ Guide to Network Security Fundamentals
Cryptography
Chapter 14
Learning Objectives
Understand the basics of algorithms and
how they are used in modern cryptography
Identify the differences between
asymmetric and symmetric algorithms
Have a basic understanding of the concepts
of cryptography and how they relate to
network security
Discuss characteristics of PKI certificates
and the policies and procedures
surrounding them
Understand the implications of key
management and a certificate’s lifecycle
Cryptography
Study of complex mathematical formulas
and algorithms used for encryption and
decryption
Allows users to transmit sensitive
information over unsecured networks
Can be either strong or weak
Cryptography Terminology
Plaintext
Data that can be read without any manipulation
Encryption
Method of disguising plaintext to hide its substance
Ciphertext
Plaintext that has been encrypted and is an unreadable
series of symbols and numbers
How Encryption and Decryption Work
Algorithms
Mathematical functions that work in
tandem with a key
Same plaintext data encrypts into different
ciphertext with different keys
Security of data relies on:
Strength of the algorithm
Secrecy of the key
Hashing
Method used for verifying data integrity
Uses variable-length input that is converted
to a fixed-length output string (hash value)
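Added example, not part of the original slides: a short Python sketch of the hashing slide, using SHA-256 from the standard library as the assumed algorithm. It shows inputs of very different lengths producing the same 64-character output, and a one-character change to a constructed message flipping roughly half of the output bits.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex characters) digest of variable-length input."""
    return hashlib.sha256(data).hexdigest()

def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True when the data still matches a digest obtained from a trusted source."""
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

def differing_bits(a: bytes, b: bytes) -> int:
    """Number of the 256 output bits that differ between two inputs' digests."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

# Constructed sample inputs: empty, short, and one megabyte long.
SAMPLES = [b"", b"abc", b"A" * 1_000_000]
# Constructed messages that differ in a single character.
ORIGINAL = b"transfer 100 to account 12345"
TAMPERED = b"transfer 900 to account 12345"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(len(sample), "bytes in ->", len(sha256_hex(sample)), "hex chars out")
    published = sha256_hex(ORIGINAL)
    print("original verifies:", verify_integrity(ORIGINAL, published))
    print("tampered verifies:", verify_integrity(TAMPERED, published))
    print("bits changed:", differing_bits(ORIGINAL, TAMPERED), "of 256")
```

The check only proves integrity if the expected digest reaches the verifier over a channel the sender of the data cannot alter.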
Symmetric versus Asymmetric Algorithms
Symmetric
Advantages: Single key
Disadvantages: Requires sender and receiver to agree on a key before transmission of data; security lies only with the key; high cost
Asymmetric
Advantages: Encryption and decryption keys are different; decryption key cannot be calculated from encryption key
Disadvantages: Security of keys can be compromised when malicious users post phony keys
Symmetric Algorithms
Usually use same key for encryption and
decryption
Encryption key can be calculated from
decryption key and vice versa
Require sender and receiver to agree on a key
before they communicate securely
Security lies with the key
Also called secret key algorithms, single-key
algorithms, or one-key algorithms
Encryption Using a
Symmetric Algorithm
Categories of Algorithms
Stream algorithms
Operate on the plaintext one bit at a time
Block algorithms
Encrypt and decrypt data in groups of bits,
typically 64 bits in size
Asymmetric Algorithms
Use different keys for encryption and
decryption
Decryption key cannot be calculated from
the encryption key
Anyone can use the key to encrypt data and
send it to the host; only the host can
decrypt the data
Also known as public key algorithms
Common Encryption Algorithms
Lucifer (1974)
Diffie-Hellman (1976)
RSA (1977)
DES (1977)
Triple DES (1998)
IDEA (1992)
Blowfish (1993)
RC5 (1995)
Primary Functions of Cryptography
Confidentiality
Authentication
Integrity
Nonrepudiation
Digital Signatures
Based on asymmetric algorithms, allow the
recipient to verify whether a public key
belongs to its owner
Certificates
Credentials that allow a recipient to verify
whether a public key belongs to its owner
Verify senders’ information with identity
information that is bound to the public key
Components
Public key
One or more digital signatures
Certificate information (e.g., user’s name, ID)
Public Key Infrastructure (PKI)
Certificates
Certificate storage facility that provides
certification management functionality (e.g.,
ability to issue, revoke, store, retrieve, and trust
certificates)
Certification authority (CA)
Primary feature of PKI
Trusted person or group responsible for issuing
certificates to authorized users on a system
Creates certificates and digitally signs them using a
private key
PKI Policies and Practices
Validity establishes that a public key
certificate belongs to its owner
CA issues certificates to users by binding a
public key to identification information of
the requester
User can manually check certificate’s
fingerprint
PKI Revocation
Certificates have a restricted lifetime; a
validity period is created for all certificates
Certificate revocation list (CRL)
Communicates which certificates within a PKI
have been revoked
Trust Models
Techniques that establish how users
validate certificates
Direct trust
Hierarchical trust
Web of trust
Direct Trust Model
User trusts a key because the user knows
where it came from
Hierarchical Trust Model
Based on a number of root certificates
Web of Trust
Combines concepts of direct trust and
hierarchical trust
Adds the idea that trust is relative to each
requester
Central theme: the more information
available, the better the decision
Key and Certificate Life Cycle
Management
Setup or initialization
Administration of issued keys and
certificates
Certificate cancellation and key history
Setup and Initialization
Registration
Key pair generation
Certificate creation
Certificate distribution
Certificate dissemination
Key backup
Registration
User requests certificate from CA
CA verifies identity and credentials of user
Certificate practice statement
Published document that explains CA structure to
users
Certificate policy establishes:
Who may serve as CA
What types of certificates may be issued
How they should be issued and managed
Key Pair Generation
Involves creation of one or more key pairs
using different algorithms
Dual or multiple keys are often utilized to
perform different roles to support distinct
services
Key pair can be restricted by policy to
certain roles based on usage factors
Multiple key pairs usually require multiple
certificates
Certificates
Distinguished name (DN)
Unique identifier that is bound to a certificate
by a CA
Uses a sequence of character(s) that is unique
to each user
Appropriate certificate policies govern
creation and issuance of certificates
Certificate Dissemination Techniques
Securely make certificate information
available to requester without too much
difficulty
Out-of-band distribution
In-band distribution
Publication
Centralized repositories with controlled access
Key Backup
Addresses lost keys
Helps recover encrypted data
Essential element of business continuity
and disaster recovery planning
Key Escrow
Key administration process that utilizes a
third party
Initialization phase involves:
Certificate retrieval and validation
Key recovery and key update
Cancellation Procedures
Certificate expiration
Certificate revocation
Key history
Key archive
Certificate Expiration
Occurs when validity period of a certificate
expires
Options upon expiration
Certificate renewal
Certificate update
Certificate Revocation
Implies cancellation of a certificate prior to
its natural expiration
Revocation delay
Delay associated with the revocation
requirement and subsequent notification
Certificate Revocation
How notification is accomplished
Certificate revocation lists (CRLs)
CRL distribution points
Certificate revocation trees (CRTs)
Redirect/Referral CRLs
Notification is unnecessary for:
Short certificate lifetimes
Single-entity approvals
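Added example, not part of the original slides: a simplified Python model of the expiration, revocation and revocation-delay slides. The Certificate and CRL classes, the serial number, the distinguished name and all dates are constructed for illustration; signature verification of real X.509 certificates and CRLs is assumed to have happened already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Certificate:          # simplified model, not a parsed X.509 structure
    serial: int
    subject_dn: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class CRL:                  # simplified model; signature checking omitted
    this_update: datetime   # when the CA published this list
    next_update: datetime   # when the next list is due
    revoked: dict           # serial number -> time the CA revoked it

def certificate_status(cert, crl, now):
    """State a relying party should act on at time `now`."""
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    if now > crl.next_update:
        return "crl-stale"  # list is out of date: fetch a fresh one first
    if cert.serial in crl.revoked:
        return "revoked"
    return "valid"

def revocation_delay(crl, serial):
    """Gap between the CA revoking a serial and this CRL announcing it."""
    return crl.this_update - crl.revoked[serial]

# Constructed sample data (hypothetical names, serial and dates).
CERT = Certificate(0x1A2B, "CN=alice,O=Example", utc(2024, 1, 1), utc(2024, 12, 31))
REVOKED_AT = utc(2024, 3, 10, 9)
OLD_CRL = CRL(utc(2024, 3, 10), utc(2024, 3, 11), {})
NEW_CRL = CRL(utc(2024, 3, 11), utc(2024, 3, 12), {CERT.serial: REVOKED_AT})

if __name__ == "__main__":
    # Revoked at 09:00, but the list published at 00:00 cannot show it yet.
    print(certificate_status(CERT, OLD_CRL, utc(2024, 3, 10, 12)))
    print(certificate_status(CERT, NEW_CRL, utc(2024, 3, 11, 1)))
    print(revocation_delay(NEW_CRL, CERT.serial))
```

Between the revocation and the next published list, a relying party holding the older CRL still treats the certificate as valid, which is the window that short certificate lifetimes are meant to shrink.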
Key History
Deals with secure and reliable storage of
expired keys for later retrieval to recover
encrypted data
Applies more to encryption keys than
signing keys
Key Archive
Service undertaken by a CA or third party
to store keys and verification certificates
Meets audit requirements and handles
resolution of disputes when used with other
services (e.g., time stamping and
notarization)
Setting up an Enterprise PKI
Extremely complex task with enormous
demands on financial, human, hardware,
and software resources
Areas to explore
Basic support
Training
Documentation issues
Areas to Explore in Detail When
Setting up an Enterprise PKI
Support for standards, protocols, and third-party applications
Issues related to cross-certification,
interoperability, and trust models
Multiple key pairs and key pair uses
How to PKI-enable applications and client-side software availability
Impact on end user for key backup, key or
certificate update, and nonrepudiation
services
Performance, scalability, and flexibility
issues regarding distribution, retrieval, and
revocation systems
Physical access control to facilities
Chapter Summary
Ways that algorithms and certificate
mechanisms are used to encrypt data flows
Concepts of cryptography
Key and certificate life cycle management