Information Security Lesson 9 - Keys - Eric Vanderburg

  1. Information Security Chapter 9: Using & Managing Keys
     Information Security © 2006 Eric Vanderburg
  2. Problem with keys alone
     • How can we be sure that the public keys we use for communication are really the real public keys?
     • Certificates
     • Certificates contain keys
     • Issued by a trusted entity
  3. PKI (Public Key Infrastructure)
     • PKI
       – A system for managing keys
       – Issues digital certificates to users and computers
       – Allows end users to apply for certificates
       – Integrates into the directory system used by the organization
       – Manages and revokes certificates
     • Microsoft max PKI key length: 4096 bits
  4. Certificates
     • Have specific uses
     • Expire
     • Given by a CA
     • May require validation before they are issued
     • CA (Certification Authority) – creator and distributor of certificates
       – Root
       – Subordinate
     • RA (Registration Authority) – a subordinate CA of another company’s CA that issues certs to local users
     • CRL (Certificate Revocation List)
     • CR (Certificate Repository)
  5. PKCS (Public Key Cryptography Standards)

     | PKCS # | Standard Name | Description |
     |---|---|---|
     | PKCS #1 | RSA | Used for RSA digital signatures |
     | PKCS #2 | Not used. Part of PKCS #1 | RSA encrypted message digest |
     | PKCS #3 | Diffie Hellman key agreement standard | Key exchanges using Diffie-Hellman |
  6. PKCS

     | PKCS # | Standard Name | Description |
     |---|---|---|
     | PKCS #4 | Not used. Part of PKCS #1 | RSA key syntax |
     | PKCS #5 | Password based encryption standard | Generates a secret key from a password |
     | PKCS #6 | Extended cert syntax standard | Phased out syntax |
  7. PKCS

     | PKCS # | Standard Name | Description |
     |---|---|---|
     | PKCS #7 | Cryptographic Message Syntax | Used for encrypting messages using digital signatures and encryption |
     | PKCS #8 | Private Key Information syntax standard | How to store keys |
     | PKCS #9 | Attribute types | Defines the attribute types used in 6, 7, 8, & 10 |
  8. PKCS

     | PKCS # | Standard Name | Description |
     |---|---|---|
     | PKCS #10 | Cert request syntax standard | How to ask for a cert |
     | PKCS #11 | Cryptographic token interface standard | Used for smart cards and other token devices |
     | PKCS #12 | Personal Information Exchange | Used for exporting keys |
  9. PKCS

     | PKCS # | Standard Name | Description |
     |---|---|---|
     | PKCS #13 | Elliptic Curve Cryptography standard | How to encrypt and sign using EC |
     | PKCS #14 | PRNG standard | How to generate a pseudo random number |
     | PKCS #15 | Cryptographic token information format | How to store information on tokens |
  10. X.509 standard
     • X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
     • Most widely used certificate format for PKI
  11. Trusts
     • Direct trust – trust because of a personal relationship. This trust is not verified. (friends sending email)
     • Third party trust – 2 people trust each other because they each trust a 3rd party
     • Trust model – the type of relationship that exists between entities
       – Web of trust – each user creates their own certificate and shares it with the others – based on direct trust.
       – Single point trust – A CA issues and signs certificates. Based on 3rd party trust.
       – Hierarchical trust – A root CA issues certificates to subordinate CAs that issue certificates to users.
  12. Trusted Certificates
     • Can be viewed in Internet Explorer
     • CA certificates – issued directly to users
     • Server certificates – issued from a web server, FTP server, or mail server.
     • Software Publisher certificates – provided by developers to take responsibility and provide credibility for their applications
  13. Policy
     • CP (Certificate Policy) – High level statement that defines how the CA and the certificates issued should be used and secured.
     • CPS (Certificate Practice Statement) – More detailed document on how certificates are managed, registered for, issued, protected, and revoked.
  14. Certificate Life Cycle
     • Creation
       – Request is made
       – User is identified
       – CA fills in appropriate fields on the cert
       – CA signs the cert with its key
       – Certificate is published or sent to an RA
     • Revocation
       – Certificate is added to the CRL
       – CRL is signed by the CA
       – CRL is published
  15. Certificate Life Cycle
     • Expiration
       – If a certificate is not renewed, it will expire
       – Usually the keys are not regenerated but they can be.
     • Suspension
       – A certificate is marked inactive and cannot be used until the suspension is lifted.
  16. Key Management
     • Centralized
       – Organization has control over keys, their uses, and their issuance
       – Larger scope of trust
       – More responsibility and effort required
     • Decentralized
       – Web of trust model
       – No central CR (Certificate Repository)
       – No control over keys
       – Responsibility is on the users
  17. Private Key Storage
     • Stored inside a certificate
     • Stored on a token
     • Stored on the local machine
     • Backed up to file (PKCS #12)
     • Destroy expired keys
     • Do not make excessive copies of keys
     • Make sure keys are encrypted
  18. Key Handling
     • Key Escrow
       – Keys are managed by a third party.
       – Keys are split into two parts and stored elsewhere.
       – Users authenticate and retrieve the key parts and then use it.
       – Keys are vulnerable once retrieved.
     • Keys also expire, and can be revoked.
     • Key recovery (M of N) – Key is split into a number of parts (M) distributed to a number of people (N) that is larger than M. The group must agree to combine their parts to use the key.
  19. Acronyms
     • CP, Certificate Policy
     • CPS, Certificate Practice Statement
     • CR, Certificate Repository
     • CRL, Certificate Revocation List
     • PKCS, Public Key Cryptography Standards
     • PKI, Public Key Infrastructure
     • RA, Registration Authority
