Information Security Lesson 9 - Keys - Eric Vanderburg

Published in: Technology

  1. Information Security, Chapter 9: Using & Managing Keys
     Information Security © 2006 Eric Vanderburg
  2. Problem with keys alone
     • How can we be sure that the public keys we use for communication are really the real public keys?
     • Certificates
     • Certificates contain keys
     • Issued by a trusted entity
  3. PKI (Public Key Infrastructure)
     • PKI – A system for managing keys
       – Issues digital certificates to users and computers
       – Allows end users to apply for certificates
       – Integrates into the directory system used by the organization
       – Manages and revokes certificates
     • Microsoft max PKI key length: 4096 bits
  4. Certificates
     • Have specific uses
     • Expire
     • Given by a CA
     • May require validation before they are issued
     • CA (Certification Authority) – creator and distributor of certificates
       – Root
       – Subordinate
     • RA (Registration Authority) – a subordinate CA of another company’s CA that issues certs to local users
     • CRL (Certificate Revocation List)
     • CR (Certificate Repository)
  5. PKCS (Public Key Cryptography Standards)

     | PKCS #  | Standard Name                         | Description                        |
     |---------|---------------------------------------|------------------------------------|
     | PKCS #1 | RSA                                   | Used for RSA digital signatures    |
     | PKCS #2 | Not used. Part of PKCS #1             | RSA encrypted message digest       |
     | PKCS #3 | Diffie Hellman key agreement standard | Key exchanges using Diffie-Hellman |
  6. PKCS

     | PKCS #  | Standard Name                      | Description                             |
     |---------|------------------------------------|-----------------------------------------|
     | PKCS #4 | Not used. Part of PKCS #1          | RSA key syntax                          |
     | PKCS #5 | Password based encryption standard | Generates a secret key from a password  |
     | PKCS #6 | Extended cert syntax standard      | Phased out syntax                       |
  7. PKCS

     | PKCS #  | Standard Name                           | Description                                                          |
     |---------|-----------------------------------------|----------------------------------------------------------------------|
     | PKCS #7 | Cryptographic Message Syntax            | Used for encrypting messages using digital signatures and encryption |
     | PKCS #8 | Private Key Information syntax standard | How to store keys                                                    |
     | PKCS #9 | Attribute types                         | Defines the attribute types used in 6, 7, 8, & 10                    |
  8. PKCS

     | PKCS #   | Standard Name                          | Description                                  |
     |----------|----------------------------------------|----------------------------------------------|
     | PKCS #10 | Cert request syntax standard           | How to ask for a cert                        |
     | PKCS #11 | Cryptographic token interface standard | Used for smart cards and other token devices |
     | PKCS #12 | Personal Information Exchange          | Used for exporting keys                      |
  9. PKCS

     | PKCS #   | Standard Name                          | Description                            |
     |----------|----------------------------------------|----------------------------------------|
     | PKCS #13 | Elliptic Curve Cryptography standard   | How to encrypt and sign using EC       |
     | PKCS #14 | PRNG standard                          | How to generate a pseudo random number |
     | PKCS #15 | Cryptographic token information format | How to store information on tokens     |
  10. X.509 standard
     • X.509 is an international standard, defined by the International Telecommunication Union (ITU), that specifies the format of the digital certificate
     • Most widely used certificate format for PKI
  11. Trusts
     • Direct trust – trust because of a personal relationship. This trust is not verified. (friends sending email)
     • Third party trust – 2 people trust each other because they each trust a 3rd party
     • Trust model – the type of relationship that exists between entities
       – Web of trust – each user creates their own certificate and shares it with the others; based on direct trust.
       – Single point trust – A CA issues and signs certificates. Based on 3rd party trust.
       – Hierarchical trust – A root CA issues certificates to subordinate CAs that issue certificates to users.
  12. Trusted Certificates
     • Can be viewed in Internet Explorer
     • CA certificates – issued directly to users
     • Server certificates – issued from a web server, FTP server, or mail server.
     • Software Publisher certificates – provided by developers to take responsibility and provide credibility for their applications
  13. Policy
     • CP (Certificate Policy) – High level statement that defines how the CA and the certificates issued should be used and secured.
     • CPS (Certificate Practice Statement) – More detailed document on how certificates are managed, registered for, issued, protected, and revoked.
  14. Certificate Life Cycle
     • Creation
       – Request is made
       – User is identified
       – CA fills in appropriate fields on the cert
       – CA signs the cert with its key
       – Certificate is published or sent to an RA
     • Revocation
       – Certificate is added to the CRL
       – CRL is signed by the CA
       – CRL is published
  15. Certificate Life Cycle
     • Expiration
       – If a certificate is not renewed, it will expire
       – Usually the keys are not regenerated but they can be.
     • Suspension
       – A certificate is marked inactive and cannot be used until the suspension is lifted.
  16. Key Management
     • Centralized
       – Organization has control over keys, their uses, and their issuance
       – Larger scope of trust
       – More responsibility and effort required
     • Decentralized
       – Web of trust model
       – No central CR (Certificate Repository)
       – No control over keys
       – Responsibility is on the users
  17. Private Key Storage
     • Stored inside a certificate
     • Stored on a token
     • Stored on the local machine
     • Backed up to file (PKCS #12)
     • Destroy expired keys
     • Do not make excessive copies of keys
     • Make sure keys are encrypted
  18. Key Handling
     • Key Escrow
       – Keys are managed by a third party.
       – Keys are split into two parts and stored elsewhere.
       – Users authenticate, retrieve the key parts, and then use them.
       – Keys are vulnerable once retrieved.
     • Keys also expire, and can be revoked.
     • Key recovery (M of N) – Key is split into a number of parts (M) distributed to a number of people (N) that is larger than M. The group must agree to combine their parts to use the key.
  19. Acronyms
     • CP, Certificate Policy
     • CPS, Certificate Practice Statement
     • CR, Certificate Repository
     • CRL, Certificate Revocation List
     • PKCS, Public Key Cryptography Standards
     • PKI, Public Key Infrastructure
     • RA, Registration Authority
