The document discusses encryption and certificate management. It describes how certificates expire after a validity period, but can be renewed if the keys are still valid. Certificates can also be revoked for reasons like a user leaving a company or a private key being compromised. A Certificate Revocation List tracks revoked certificates. The document also outlines best practices for backing up keys and setting up a Microsoft Root Certificate Authority.
2. Expiration, Revocation, and
Suspension of Certificates
A period of validity is assigned to each certificate
After that date, the certificate expires
A certificate can be renewed with a new expiration date assigned
If the keys are still valid and remain uncompromised
Reasons to suspend or revoke a certificate
A user leaves the company
A hardware crash causes a key to be lost
A private key is compromised
3. Expiration, Revocation, and
Suspension of Certificates
(continued) Certificate Revocation List (CRL)
Contains all revoked and suspended certificates
Issued by CAs
Suspension of a certificate might be done when one or more parties
fail to honor agreements
Suspension makes it easier to restore if the parties come to an
agreement at a later date
4. Backing Up Keys
Backing up keys is critical
If keys are destroyed and not backed up properly, encrypted business-critical
information might be irretrievable
The CA is usually responsible for backing up keys
A key recovery policy is also part of the CA’s responsibility
5. Microsoft Root CA
Available in Windows Server 2003 and Windows 2000 Server
Steps for setting up a Microsoft Root CA
Install the Certificate Services
Note that after installing this service the name of the domain or
computer cannot change
Configuring a Windows server as a CA (four options)
Enterprise root CA
Enterprise subordinate CA
Stand-alone root CA
Stand-alone subordinate CA
6. Microsoft Root CA (continued)
Steps for setting up a Microsoft Root CA (continued)
Specify options to generate certificates, including
Cryptographic Service Provider
Hash algorithm
Key length
7. Understanding Cryptographic
Attacks
Attacks studied so far are passive attacks
Active attacks attempt to determine the secret key being used to
encrypt plaintext
Cryptographic algorithms are usually public
Follows the open-source culture
8. Birthday Attack
Old adage
If 23 people are in a room, two will share the same birthday
Birthday attacks are used to find the same hash value for two
different inputs
A birthday attack is used to reveal any mathematical
weaknesses in hashing algorithms
SHA-1 uses a 160-bit key
Theoretically, it would require 280 computations to break
SHA-1 has already been broken
9. Mathematical Attacks
Properties of the algorithm are attacked by using mathematical
computations
Categories
Ciphertext-only attack
The attacker has the ciphertext of several messages but not the plaintext
Attacker tries to find out the key used to encrypt the messages
Attacker can capture ciphertext using a sniffer program such as Ethereal or
Tcpdump
10. Mathematical Attacks (continued)
Categories (continued)
Known plaintext attack
The attacker has messages in both encrypted form and decrypted forms
This attack is easier to perform than the ciphertext-only attack
Looks for patterns in both plaintext and ciphertext
Chosen-plaintext attack
The attacker has access to plaintext and ciphertext
Attacker has the ability to choose which message to encrypt
11. Mathematical Attacks (continued)
Categories (continued)
Chosen-ciphertext attack
The attacker has access to the ciphertext to be decrypted and to the
resulting plaintext
Attacker needs access to the cryptosystem to perform this type of attack
12. Brute Force Attack
An attacker tries to guess passwords by attempting every possible
combination of letters
Requires lots of time and patience
Password-cracking program
John the Ripper
13. Man-in-the-Middle Attack
Attackers place themselves between the victim computer and
another host computer
They then intercept messages sent from the victim to the host and
pretend to be the host computer
This type of attack follows this process
Gloria sends her public key to Bruce, and you, the attacker, intercept
the key and send Bruce your public key
Bruce sends Gloria his public key. You intercept this key and send your
public key to Gloria
14. Man-in-the-Middle Attack
(continued)
This type of attack follows this process (continued)
Gloria sends an encrypted message to Bruce but uses your key
You can decrypt the message with your private key
You reencrypt the message using Bruce’s public key and send it to
Bruce
Bruce answers Gloria with another encrypted message with your public
key
You can decrypt the message with your private key
You reencrypt the message using Gloria’s public key and send it to
Gloria
15. Dictionary Attack
Attacker uses a dictionary of known words to try to guess passwords
There are programs that can help attackers run a dictionary attack
16. Replay Attack
The attacker captures data and attempts to resubmit the
captured data
The device thinks a legitimate connection is in effect
If the captured data was logon information, the attacker
could gain access to a system and be authenticated
17. Understanding Password Cracking
Password cracking is illegal in the United States
It is legal to crack your own password if you forgot it
You must first obtain the password file from the system that
stores user names and passwords
File is stored in the /Etc/Passwd or /Etc/Shadow directory for *NIX
systems
A dictionary attack can be performed on the file by using
automated programs
18. Understanding Password Cracking
(continued)
Password cracking programs
John the Ripper
Hydra (THC)
EXPECT
L0phtcrack
Pwdump3v2
Steps for cracking passwords
Run the Pwdump2 program to get hash values of user accounts
Perform a brute force attack using John the Ripper
19. Summary
Cryptography has been in existence since the dawn of
civilization
Ciphertext: data that has been encrypted
Cleartext or plaintext: data than can be intercepted and read
by anyone
Symmetric cryptography: uses one key to encrypt and decrypt
data
Examples: DES, DEA, 3DES, and AES
Asymmetric cryptography: uses two keys, one key to encrypt
and another to decrypt data
Examples: RSA, Elgamal, Diffie-Hellman
20. Summary (continued)
Digital Signature Standard (DSS): ensures that digital signatures
can be verified
PGP: free public key encryption program to encrypt e-mail
messages
Hashing algorithms are used to verify data integrity
Public key infrastructure (PKI): structure made up of many
different components used to encrypt data
Digital certificate: binds a public key to information about its
owner
Issued by a Certificate Authority (CA)