Chapter 6 Advanced Cryptography
Secure Sockets Layer (SSL):
A common cryptographic transport algorithm developed by Netscape in 1994 that takes advantage of AES. The current version is 3.0.
Transport Layer Security (TLS):
A cryptographic transport algorithm that is often used interchangeably or in conjunction with SSL. Its current versions are 1.0, 1.1, and 1.2.
Secure Hypertext Transport Protocol (SHTTP):
A cryptographic transport protocol for HTTP that is less secure than HTTPS and is considered obsolete.
Certificate Practice Statement (CPS):
A document that describes in detail how the CA uses and manages certificates, how end users register for digital certificates, how to issue digital certificates, when to revoke them, procedural controls, key pair generation and installation, and private key protection.
Certificate Revocation List (CRL):
A list of certificate serial numbers that have been revoked.
Cipher Suite:
A named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with SSL and TLS.
Key Escrow:
A process in which keys are managed by a third party, where the private key is split and each half is encrypted. The two halves are registered and sent to the third party which stores each half in a separate location.
Internet Protocol Security (IPsec):
A protocol suite for securing IP communications (transparent), encrypting and authenticating each IP packet of a session between hosts or networks. It provides protection to a much wider range of applications than SSL or TLS and runs in the OS or the communication hardware at faster speeds.
HTTPS:
A protocol that uses HTTP over SSL or TLS on port 443.
Certificate Repository (CR):
A publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate, that can be managed locally by setting it up as a storage area that is connected to the CA server.
Certificate Policy (CP):
A published set of rules that govern the operation of a PKI, providing recommended baseline security requirements for the use and operation of CA, RA, and other PKI components.
Online Certificate Status Protocol (OCSP):
A request-response protocol that performs a real time lookup of a certificate's status, sending the certificate's information to a OCSP Responder.
Public Key Cryptography Standards (PKCS):
A set of 15 PKI standards that have been defined and the RSA Corporation.
Certificate Signing Request (CRS):
A specially formatted encrypted message generated by the subscriber requesting a digital certificate that validates information the CA requires to issue the digital certificate (after the public and private keys are made).
Registration Authority (RA):
A subordinate entity designed to handle specific CA tasks, primarily processing certificate requests and authenticating users. This helps take load off of CAs that may have bottlenecks.
M-of-N Control:
A technique of private key management that encrypts and splits up a private key across 'N' number of people (N Group) with 'M' number of pieces. The people needed to construct the key are the M Group.
Digital Certificate:
A technology used to associate a user's identity to a public key and that has been "digitally signed" by a trusted third party (that verifies the owner and that the public key belongs to the owner).
Hierarchical Trust Model:
A trust model that assigns a single hierarchy with one master CA called the root, which signs all digital certificate authorities with a single key.
Bridge Trust Model:
A trust model that has a facilitator CA to interconnect all other CAs but does not issue digital certificates. It functions as a hub between hierarchical trust models and distributed trust models.
Web of Trust:
A trust model that is based on direct trust where each user signs his digital certificate and then exchanges certificates with all other users. This is less secure and does not use a CA.
Distributed Trust Model:
A trust model used by most end users that has multiple CAs that sign digital certificates, allowing workload balancing and sectional security.
Direct Trust:
A trust relationship that exists between two individuals because one person knows the other person.
Third-Party Trust:
A trust relationship where two individuals trust each other because each trusts a third party.
OCSP Responder:
A trusted entity like a CA that browsers send certificate information to in order to provide immediate revocation information.
Certificate Authority (CA):
A trusted third-party agency that is responsible for issuing the digital certificates (either as an external or internal organization).
Extended Validation SSL Certificate (EV SSL):
A type of server digital certificate that requires more extensive verification of the legitimacy of a business, turning the browser address bar green when visiting a site that uses this.
Trust Model:
A type of trust relationship that can exist between individuals or entities.
Heartbleed:
A vulnerability in OpenSSL's Heartbeat Extension that allowed attackers to access data in web server's memory and steal the cryptographic keys used to encrypt and decrypt communications.
X.509:
A widely accepted standard format for digital certificates (defined by the ITU) with v3 as the current version.
OCSP Stapling:
Allows web servers to send queries to an OCSP Responder server at regular intervals to receive a signed time-stamped OCSP response.
Tunnel Mode:
An IPsec encryption mode that encrypts both the header and the data portion of IP packets. This is used usually in network-to-network communications.
Transport Mode:
An IPsec encryption mode that encrypts only the data portion of IP packets.
Key Recovery Agent (KRA):
An embedded key recovery system in some CAs that highly trusted persons are responsible for recovering lost or damaged digital certificates.
Secure Shell (SSH):
An encryption alternative to Telnet that is used to access remote computers that is a Linux/UNIX based command interface and protocol that is a combination of 3 utilities (slogin, ssh, and scp).
Public Key Infrastructure (PKI):
An underlying infrastructure for the management of public key used in digital certificates as a framework for all the entities involved in digital certificates for digital certificate management to create, store, distribute, and revoke digital certificates.
IPsec's Areas of Protection
Authentication - using Authentication Header (AH) protocol. Confidentiality - using Encapsulating Security Payload (ESP) Key Management - using Internet Security Associations and Key Management Protocol/Oakley (ISAKMP/Oakley).
Handshake between web browser and web server:
Browser sends a message to the server listing cryptographic algorithms that the client supports. Web server responds with the cryptographic algorithm to use and its digital certificate. Browser verifies the digital certificate and generates a pre-master secret (encrypted with the server's public key) to send to the server. The server decrypts the pre-master secret for both to make a master secret and a session key.
Methods of checking for revoked certificates:
CRL OCSP
Entities that manage digital certificates:
Certificate Authority (CA) Registration Authority (RA) Certificate Repository (CR)
Life Cycle of a Certificate:
Creation Suspension Revocation Expiration
Server Digital Certificate (Class 2):
Digital Certificates issued by any type of server (though usually from web servers to a client) that both ensure the authenticity of the web server and the authenticity of the cryptographic connection to the web server.
Personal Digital Certificate (Class 1):
Digital Certificates that are issued by an RA directly to individuals, used to secure email transmissions usually and requires only the user's name and email address.
Software Publisher Digital Certificate (Class 3):
Digital certificates that verify that developer's programs are secure and have bot been tampered with
Identification Methods of a RA:
Email Address Personal Documentation In Person
Procedures to Handle Keys:
Escrow Expiration Renewal Revocation Recovery Suspension Destruction
Duties of a CA:
Generate, issue, and distribute public key certificates. Distribute CA certificates. Generate and publish certificate status information. Provide a means of subscribers to request revocation. Revoke public key certificates. Maintain the security, availability, and continuity of the certificate issuance signing functions.
Proper Key Management Includes:
Key Storage Key Usage Key Handling Procedures
Contents of a Digital Certificate:
Owner's name Owner's public key Name of the issuer Digital signature of the issuer Serial number of the digital certificate Expiration date of the public key
Different categories of digital certificates:
Personal Server Software Publisher
Duties of a RA:
Receive, authenticate, and process certificate revocation requests. Identify and authenticate subscribers. Obtain a public key from the subscriber. Verify that the subscriber possesses the asymmetric private key corresponding to the public key submitted fro certification.
Most Common Cryptographic Transport Protocols:
SSL TLS SSH HTTPS IPsec
EV SSL Requrirements:
The CA must pass an independent audit, following EV standards. The existence and identity of the website owner must be verified. The website is the registered holder and has exclusive control of the domain name. Verification of the authorization of the individual applying for a certificate and a valid signature form an officer of the company.
IPsec Supported Encryption Modes:
Transport Tunnel
Class 4 Digital Certificate:
Used for online business transactions between companies.
Class 5 Digital Certificate:
Used for private organizations or governmental security.
