Cryptography Lesson 10 © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances © (ISC)2 ® 2010, All Rights Reserved For Personal Use of (ISC)2 Seminar Attendee Only Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances CISSP-ISSEP® Bootcamp Seminar v10 Technical Management Public Key Infrastructure Chapter 7 © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 2 Key Management © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 3 2 Usage Control 5 6 7 Storage Recovery Escrow 8 Zeroization 1 3 Creation Change and Expiry 4 Distribution Creation Automated key generation Truly random Suitable length Key encrypting keys © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 4 Key Usage Control Management has a vested interest in what activities or content may be hidden in cryptographically protected communications or files They may create a policy that allows management to audit or decrypt encrypted data at their discretion © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 5 Key Change and Expiry In any environment, plans should be made to update keys periodically Generating symmetric keys is easy, but delivering them is expensive since you will be delivering [N*(N-1)]/2 keys to N users Expiry Expiry ensures that a key is never overused Expiry based upon: Amount of traffic Amount of traffic over time Time-in-use © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 6 Distribution Out of band Public key encryption Secret key construction Secret key delivery Key Distribution Centers (KDC) Certificates © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 7 Storage Trusted hardware Smartcards © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances 8 Recovery Split knowledge Multi-party key recovery (MPR) © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved. For Personal Use of (ISC)2 Seminar Attendee Only. Contents May Not Be Copied or Otherwise.

1. Cryptography
Lesson 10
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
© (ISC)2 ® 2010, All Rights Reserved
For Personal Use of (ISC)2 Seminar Attendee Only
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
CISSP-ISSEP® Bootcamp Seminar v10
Technical Management
Public Key Infrastructure
Chapter 7
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
2
Key Management
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under

2. Any Circumstances
3
2
Usage Control
5
6
7
Storage
Recovery
Escrow
8
Zeroization
1

3. 3
Creation
Change and Expiry
4
Distribution
Creation
Automated key generation
Truly random
Suitable length
Key encrypting keys
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
4
Key Usage Control
Management has a vested interest in what activities or content

4. may be hidden in cryptographically protected communications
or files
They may create a policy that allows management to audit or
decrypt encrypted data at their discretion
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
5
Key Change and Expiry
In any environment, plans should be made to update keys
periodically
Generating symmetric keys is easy, but delivering them is
expensive since you will be delivering [N*(N-1)]/2 keys to N
users
Expiry
Expiry ensures that a key is never overused
Expiry based upon:
Amount of traffic
Amount of traffic over time
Time-in-use
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances

5. 6
Distribution
Out of band
Public key encryption
Secret key construction
Secret key delivery
Key Distribution Centers (KDC)
Certificates
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
7
Storage
Trusted hardware
Smartcards
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
8
Recovery
Split knowledge
Multi-party key recovery (MPR)

6. © Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
9
Escrow
A process, mechanism, or entity that can recover a lost or
destroyed cryptographic key
Key escrow systems are typically made up of three components:
A user component that handles the generation and use of
cryptographic keys
An escrow component that saves the keys
A recovery component that provides the restoration services
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
10
Law Enforcement Issues
Commonly available commercial and open source encryption
can hinder law enforcement in executing investigations
Many countries have laws concerning the import, export, and
use of encryption (Wassenaar Arrangement)
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances

7. 11
Key Zeroization
Erasure of keys to prevent disclosure — especially when
equipment is to be discarded or if stolen
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
12
Public Key Infrastructure (PKI)
Public Key Infrastructure binds a people/entities to their public
keys
Public keys are published and certified by digital signatures
Cross-Certification (Xcert)
Certificate Revocation Lists (CRLs)
X.509 standard
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
13
Certification
Trust and Trust Models

8. Certification establishes trustworthiness of public keys
Certification Authority (CA)
Certificate Policy (CP)
Certificate Practice Statement (CPS)
Registration Authority (RA)
Validate Certification Path
14
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
Applications and Encryption Issues
Third-party CAs:
Allow business partners to trust (to some level) your public key
certificates
Have a mutual trust in the CA (e.g., VeriSign)
If we choose to run our own CA, will anyone trust us?
© Copyright 2012 – 2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
© Copyright 2012-2013 (ISC)², Inc. All Rights Reserved.
For Personal Use of (ISC)2 Seminar Attendee Only.
Contents May Not Be Copied or Otherwise Distributed Under
Any Circumstances
15