SlideShare a Scribd company logo
1 of 22
Download to read offline
PKI 201 – Key Management
By Aman Hardikar
Agenda
• Basic Cryptosystem
• Types of Keys
• Key Life Cycle
• Pre Operational
• Creation
• Distribution
• Operation
• Post Operational
• Destruction
• Storage
• X509 Certificate Basics
An Example of a Basic Crypto System
• Three keys
• 1 symmetric key
• 1 public key
• 1 private key
• Three algorithms
• 1 symmetric cipher algorithm (block / stream)
• 1 asymmetric cipher algorithm
• 1 hashing algorithm
• Optional
• RNG (Random Number Generator)
Biggest Problem
Key Management
• Why?
• Easier to steal the key than to break the lock.
In general, majority of the attacks on a cryptosystem were on Key
Management.
Types of Keys
To mitigate key management issues, multiple keys were created according to
its designated purpose.
Private Signature Key Public Key Transport Key
Public Signature Key Symmetric Key Agreement Key
Symmetric Authentication Key Private Static Key Agreement Key
Private Authentication Key Public Static Key Agreement Key
Public Authentication Key Private Ephemeral Key Agreement Key
Symmetric Data Encryption Key Public Ephemeral Key Agreement Key
Symmetric Key Wrapping Key Symmetric Authorization Key
Symmetric Master Key Public Authorization Key
Private Key Transport Key Private Authorization Key
Cryptographic Strength & Key Size
Comparable Key Strength
Bits Symmetric
Algorithm
RSA ECC
80 2kTripleDEA 1024 160–223
112 3kTripleDEA 2048 224–255
128 AES-128 3072 256–383
192 AES-192 7680 384–511
256 AES-256 15360 512+
• Ephemeral or temporary keys
• Long life keys
OUP (Originator Usage Period)
Time during which cryptographic protection may be applied to data
Key Lifecycle
Key Lifecycle - Preoperational
• Installing key policies
• Selecting algorithms
• Registering attributes
• Key parameters
Keys are registered (binding them to subject’s identity).
In PKI, it is implemented using x509 certificate.
X.509 certificate binds a public key with subject name (user)
Key Lifecycle - Creation
• Avoid weak keys
• Avoid weak algorithms or weak implementations of algorithms
• Process of key generation
• Type, purpose and crypto applications of keys
Key Lifecycle – Creation (2)
Random Number Generators (RNG)
• Produce a sequence of 0s and 1s for use in cryptography
• Combined into sub-sequences or blocks of random numbers
• Types
• Deterministic
• Produces sequence based on a known value (seed)
• Nondeterministic
• Produces sequence based on an unpredictable source
Key Lifecycle - Distribution
• Based on the type of the key
• Requirements
• Availability of the keys
• Association of keys with intended use
• Integrity – detection of change during transit
• Confidentiality – split knowledge principle
• Distribution
• Private keys – split knowledge, trusted entities for distribution
• Public keys – X509 certificate
• Manual key distribution (encrypted using key wrapping keys)
• Wrapping keys are generally public keys
• If private keys are used, then a separate distribution channel should be
established
Keys used only for encrypting data in storage should not be distributed.
Key Lifecycle - Operation
• Backup and recovery mechanisms
• Compromised backups
• Controls for detecting a compromise
• Regeneration
• Updates and changes
• Crypto period expiration
• Suspected or real key compromise
• Rekeying
• Needs redistribution
• Updating the key
• No redistribution required
• Produced based on the old key
• Known to all parties
Key Lifecycle – Post-operation
• Key not operational
• Access to keys needed
• Decrypt data
• Verify signature
Key Lifecycle - Destruction
• Zeroization
• Replacing key material with ‘0’ or ‘o’ or something meaning less
• Not just the key material at rest, other places should also be considered
Key Storage
• Provide Integrity
• Provide Confidentiality
• Association with application and objects
• Assurance of domain parameters
Keys are protected with additional level of access control.
Destroying of key material using zeroization, if required.
Key Escrow
• Multiple parties/agencies storing part of the key.
• Generally operates with two components held with two independent agents.
• Risks
• Collusion
• Failure of reassembling
Ex: SKIPJACK and LEAF method.
Key States / Transitions
Digital Certificate
An electronic identity issued to a person, system, or an organization by a
competent authority after verifying the credentials of the entity.
In PKI, all digital certificates were issued based on the X.509 standard.
X.509v3 Certificate
SSL Certificate:
Version: 2
Serial Number: 4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
Not valid before: Dec 1 00:00:00 2010 GMT
Not valid after: Dec 4 12:00:00 2013 GMT
Subject: /C=GB/ST=Lancashire/L=Bolton/O=Bolton Metropolitan Borough Council/OU=Bolton/CN=*.bolton.gov.uk
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:84:24:fb:93:61:c4:3e:82:dc:6b:f0:d7:75:
7e:93:93:a3:fe:34:05:1b:f0:12:37:e0:b2:f1:0f:
bd:b5:aa:57:ee:53:ac:67:af:62:48:15:21:c8:14:
…………
48:a5:46:07:77:07:c0:e5:ff:5c:b9:5c:72:27:e6:
d6:e4:2c:a4:3d:55:3b:3c:aa:bf:71:69:af:c8:63:
66:1f
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Authority Key Identifier:
keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7
X509v3 Subject Key Identifier:
08:BC:EF:1E:D5:0D:92:26:7B:6C:CA:E9:48:A9:ED:EB:AE:C0:B1:BC
X509v3 Subject Alternative Name:
DNS:*.bolton.gov.uk, DNS:bolton.gov.uk, DNS:ebiz.bolton.gov.uk
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
URI:http://crl3.digicert.com/ca3-g8.crl
URI:http://crl4.digicert.com/ca3-g8.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.3.0.1
CPS: http://www.digicert.com/ssl-cps-repository.htm
User Notice:
Explicit Text:
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt
X509v3 Basic Constraints: critical
CA:FALSE
X.509v3 Certificate Signing
Continued …..
PKI 202/203
• Trust Models
• CRL Models
• Working of SSL, SMIME
• Walk through using software
• Architectural Weaknesses
• Auditing a PKI Infrastructure

More Related Content

What's hot

How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedArash Ramez
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleSam Bowne
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)Sam Bowne
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementSam Bowne
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure codeFlaskdata.io
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse EngineeringSatria Ady Pradana
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsSam Bowne
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP FRSecure
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionSachintha Gunasena
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructurePositive Hack Days
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Security Innovation
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Edureka!
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)Sam Bowne
 
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)Sam Bowne
 

What's hot (20)

How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewed
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse Engineering
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
 
Cyber security
Cyber securityCyber security
Cyber security
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
 
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
 

Viewers also liked

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202   Architechture Models and CRLsPki 202   Architechture Models and CRLs
Pki 202 Architechture Models and CRLsNCC Group
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances   presentation  v1.1-vids-removedExploiting appliances   presentation  v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWSAmazon Web Services
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network securitybabak danyal
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 

Viewers also liked (20)

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Pki 202 Architechture Models and CRLs
Pki 202   Architechture Models and CRLsPki 202   Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances   presentation  v1.1-vids-removedExploiting appliances   presentation  v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network security
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 

Similar to Pki 201 Key Management

Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5   session 2 - st dev con 2016 - security iot best practicesTrack 5   session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesST_World
 
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
CompTIASecPLUS-Part6 -  UnlimitedEdited.pptxCompTIASecPLUS-Part6 -  UnlimitedEdited.pptx
CompTIASecPLUS-Part6 - UnlimitedEdited.pptxmohedkhadar60
 
Encryption techniques
Encryption techniquesEncryption techniques
Encryption techniquesMohitManna
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArtDataArt
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services SecurityOliver Pfaff
 
15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki conceptMostafa El Lathy
 
SSL Europa Cloud Security 2013
SSL Europa Cloud Security 2013SSL Europa Cloud Security 2013
SSL Europa Cloud Security 2013ssleuropa
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Cryptography
CryptographyCryptography
CryptographyPPT4U
 
Data Security for Project Managers
Data Security for Project ManagersData Security for Project Managers
Data Security for Project ManagersJoseph Wojowski
 
Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]SISA Information Security Pvt.Ltd
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 

Similar to Pki 201 Key Management (20)

Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5   session 2 - st dev con 2016 - security iot best practicesTrack 5   session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
 
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
CompTIASecPLUS-Part6 -  UnlimitedEdited.pptxCompTIASecPLUS-Part6 -  UnlimitedEdited.pptx
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
 
Encryption techniques
Encryption techniquesEncryption techniques
Encryption techniques
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
 
Cryptography
CryptographyCryptography
Cryptography
 
Electronic security
Electronic securityElectronic security
Electronic security
 
Electronic Security
Electronic SecurityElectronic Security
Electronic Security
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Crypto academy
Crypto academyCrypto academy
Crypto academy
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept
 
Slidecast - Workshop
Slidecast - WorkshopSlidecast - Workshop
Slidecast - Workshop
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
 
Are your crypto keys safe?
Are your crypto keys safe?Are your crypto keys safe?
Are your crypto keys safe?
 
SSL Europa Cloud Security 2013
SSL Europa Cloud Security 2013SSL Europa Cloud Security 2013
SSL Europa Cloud Security 2013
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013
 
Cryptography
CryptographyCryptography
Cryptography
 
Data Security for Project Managers
Data Security for Project ManagersData Security for Project Managers
Data Security for Project Managers
 
Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 

Recently uploaded

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?Paolo Missier
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPTiSEO AI
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024Stephen Perrenod
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 

Recently uploaded (20)

Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 

Pki 201 Key Management

  • 1. PKI 201 – Key Management By Aman Hardikar
  • 2. Agenda • Basic Cryptosystem • Types of Keys • Key Life Cycle • Pre Operational • Creation • Distribution • Operation • Post Operational • Destruction • Storage • X509 Certificate Basics
  • 3. An Example of a Basic Crypto System • Three keys • 1 symmetric key • 1 public key • 1 private key • Three algorithms • 1 symmetric cipher algorithm (block / stream) • 1 asymmetric cipher algorithm • 1 hashing algorithm • Optional • RNG (Random Number Generator)
  • 4. Biggest Problem Key Management • Why? • Easier to steal the key than to break the lock. In general, majority of the attacks on a cryptosystem were on Key Management.
  • 5. Types of Keys To mitigate key management issues, multiple keys were created according to its designated purpose. Private Signature Key Public Key Transport Key Public Signature Key Symmetric Key Agreement Key Symmetric Authentication Key Private Static Key Agreement Key Private Authentication Key Public Static Key Agreement Key Public Authentication Key Private Ephemeral Key Agreement Key Symmetric Data Encryption Key Public Ephemeral Key Agreement Key Symmetric Key Wrapping Key Symmetric Authorization Key Symmetric Master Key Public Authorization Key Private Key Transport Key Private Authorization Key
  • 6. Cryptographic Strength & Key Size Comparable Key Strength Bits Symmetric Algorithm RSA ECC 80 2kTripleDEA 1024 160–223 112 3kTripleDEA 2048 224–255 128 AES-128 3072 256–383 192 AES-192 7680 384–511 256 AES-256 15360 512+ • Ephemeral or temporary keys • Long life keys OUP (Originator Usage Period) Time during which cryptographic protection may be applied to data
  • 8. Key Lifecycle - Preoperational • Installing key policies • Selecting algorithms • Registering attributes • Key parameters Keys are registered (binding them to subject’s identity). In PKI, it is implemented using x509 certificate. X.509 certificate binds a public key with subject name (user)
  • 9. Key Lifecycle - Creation • Avoid weak keys • Avoid weak algorithms or weak implementations of algorithms • Process of key generation • Type, purpose and crypto applications of keys
  • 10. Key Lifecycle – Creation (2) Random Number Generators (RNG) • Produce a sequence of 0s and 1s for use in cryptography • Combined into sub-sequences or blocks of random numbers • Types • Deterministic • Produces sequence based on a known value (seed) • Nondeterministic • Produces sequence based on an unpredictable source
  • 11. Key Lifecycle - Distribution • Based on the type of the key • Requirements • Availability of the keys • Association of keys with intended use • Integrity – detection of change during transit • Confidentiality – split knowledge principle • Distribution • Private keys – split knowledge, trusted entities for distribution • Public keys – X509 certificate • Manual key distribution (encrypted using key wrapping keys) • Wrapping keys are generally public keys • If private keys are used, then a separate distribution channel should be established Keys used only for encrypting data in storage should not be distributed.
  • 12. Key Lifecycle - Operation • Backup and recovery mechanisms • Compromised backups • Controls for detecting a compromise • Regeneration • Updates and changes • Crypto period expiration • Suspected or real key compromise • Rekeying • Needs redistribution • Updating the key • No redistribution required • Produced based on the old key • Known to all parties
  • 13. Key Lifecycle – Post-operation • Key not operational • Access to keys needed • Decrypt data • Verify signature
  • 14. Key Lifecycle - Destruction • Zeroization • Replacing key material with ‘0’ or ‘o’ or something meaning less • Not just the key material at rest, other places should also be considered
  • 15. Key Storage • Provide Integrity • Provide Confidentiality • Association with application and objects • Assurance of domain parameters Keys are protected with additional level of access control. Destroying of key material using zeroization, if required.
  • 16. Key Escrow • Multiple parties/agencies storing part of the key. • Generally operates with two components held with two independent agents. • Risks • Collusion • Failure of reassembling Ex: SKIPJACK and LEAF method.
  • 17. Key States / Transitions
  • 18. Digital Certificate An electronic identity issued to a person, system, or an organization by a competent authority after verifying the credentials of the entity. In PKI, all digital certificates were issued based on the X.509 standard.
  • 20. SSL Certificate: Version: 2 Serial Number: 4294967295 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 Not valid before: Dec 1 00:00:00 2010 GMT Not valid after: Dec 4 12:00:00 2013 GMT Subject: /C=GB/ST=Lancashire/L=Bolton/O=Bolton Metropolitan Borough Council/OU=Bolton/CN=*.bolton.gov.uk Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c4:84:24:fb:93:61:c4:3e:82:dc:6b:f0:d7:75: 7e:93:93:a3:fe:34:05:1b:f0:12:37:e0:b2:f1:0f: bd:b5:aa:57:ee:53:ac:67:af:62:48:15:21:c8:14: ………… 48:a5:46:07:77:07:c0:e5:ff:5c:b9:5c:72:27:e6: d6:e4:2c:a4:3d:55:3b:3c:aa:bf:71:69:af:c8:63: 66:1f Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7 X509v3 Subject Key Identifier: 08:BC:EF:1E:D5:0D:92:26:7B:6C:CA:E9:48:A9:ED:EB:AE:C0:B1:BC X509v3 Subject Alternative Name: DNS:*.bolton.gov.uk, DNS:bolton.gov.uk, DNS:ebiz.bolton.gov.uk X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: URI:http://crl3.digicert.com/ca3-g8.crl URI:http://crl4.digicert.com/ca3-g8.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.3.0.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text: Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt X509v3 Basic Constraints: critical CA:FALSE
  • 22. Continued ….. PKI 202/203 • Trust Models • CRL Models • Working of SSL, SMIME • Walk through using software • Architectural Weaknesses • Auditing a PKI Infrastructure