Chapter 6
Certificate life cycle
1. Creation 2. suspension 3. revocation 4. expiration
Certificate Revocation list (CRL)
a list of certificate serial numbers that have been revoked.
Certificate Repository (CR)
a publicly accessible centralized directory of digital certificates used to view the status of digital certificates.
Authentication Header Protocol (AH)
authenticates that packets received were sent from their source.
IPsec areas of protection?
authentication confidentiality key management
Transport mode is used when?
device must see source and destination addresses to route a packet.
Transport mode
encrypts only data portion (payload) of each packet, and leaves the header unencrypted.
Internet Security Association and Key (ISAKMP/Oakley)
generates the key and authenticates user utilizing tools such as digital certificates.
M-of-N control
key is divided into specific number of parts, parts are distributed to other people (with an overlap so that multiple people have the same part) know as N group. If recovery is necessary then a smaller part of N group meets (M group) and agrees that it needs to be recovered.
Recovery
key recovery agent (KRA), or M-of-N control are two methods of recovery.
Cipher suit
named combination of the encryption, authentication, and message authentication code (MAC) algorithms used with SSL and TLS.
Online certificate status protocol (OCSP)
performs a real time certificate status check.
Key Escrow
process by which 3rd parties manage keys.
Strong key length?
4096 length = best 2048 length = ok length < 2048 = not secure
Define a passport
A document provided by a trusted 3rd party
Managing PKI
A method to managing multiple public keys consistently.
Registration authority (RA)
A subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users.
Digital certificate
A technology that used to associate a user's identity to a public key and that has been digitally signed by a trusted third party.
Certificate authority
A trusted third party who is responsible for issuing digital certificates
Transport Layer Security (TLS)
Another cryptographic transport algorithm. TLS is much more secure than SSL
Local registration authorities (LRA's)
Another for of RA designed to help lessen congestion
IPsec is transparent to?
Applications Users Software
Hierarchical trust model
Assigns a single hierarchy with one master CA called the root.
Extended Validation SSL Certificate (EV SSL) requirements are?
CA must pass independent audit verifying that is follows EV standards. Legal existence of the owner must be verified. Website if the registered owner and has exclusive control of the domain name Authorizing individuals applying for a certificate must be verified by CA, and valid signature from an officer of the company must be provided
Distribution trust model
Multiple CA's signing DC's. This prevents total loss if one private key is stolen since there are still many CA's left.
Hypertext Transport Protocol Secure (HTTPS)
Common use of TLS and SSL to secure communications between a browser and a web server.
Public Key infrastructure (PKI)
Digital certificate managment
Secure Shell (SSH)
Encrypted alternative to Telnet protocol used to access remote computers.
Tunnel mode
Encrypts both data and header.
What do Server digital certificates do (SDC)?
Ensure authenticity of web server Ensure authenticity of cryptographic connection to web server
Duties of a CA
Generate, issue, and distribute public key certificates. Distribute CA certificates. Generate and publish certificate status information. Provide a means for subscribers to request revocation. Revoke public key certificates. Maintain the security, availability, and continuity of certificate issuance signing functions.
Suspension
Key suspension is set for a specific amount of time.
Certificate practice statement (CPS)
More technical document than a (CP) describing the management of certificates.
X.509 Digital Certificates
Most widely accepted format for digital certificates, and internationally recognized.
Tunnel mode is used more with?
Network to network
Bridge Trust model
No single CA, but on CA that facilitates interconnection to all other CA's.
Server digital certificates (SDC)
Often this is a web server to client
Secure Sockets Layer (SSL)
One of the most common cryptographic transport algorithms.
What information does a digital certificate contain?
Owners name or alias, Owners public key, name of the issuer, digital signature of the issuer, serial number of the digital certificate, and the expiration date of the public key.
Public key cryptography standards (PKCS)
PKI standards defined by RSA corporation.
Duties of an RA
Receive, authenticate, and process certificate revocation requests. Identify and authenticate subscribers. Obtain a public key from the subscriber. Verify that the subscriber processes the asymmetric private key corresponding to the public key submitted for certification. (mainly they verify the identity of an individual)
3 most common categories of Digital Certificates (DC)
Personal DC's Server DC's software publisher DC's
Digital signature
Proof utilizing asymmetric cryptography, that the senders personal key was used to encrypt the digest.
Certificate Policy (CP)
Published set of governing rules for a PKI
Personal digital certificates (PDC)
RA assigns directly to individual
Destruction
Removes all private and public keys along with user's identification information in the CA.
Certificate Revocation
Removing certificate rights.
Renewal
Some existing keys can be renewed.
Revocation
Sometimes keys need to be revoked. (these cannot be reinstated)
Encapsulating security payload (ESP)
Supports authentication of sender and encryption of data
IPsec supports which two encryption modes?
Transport mode, and Tunnel mode.
Third party trust
Trust is mutual because they trust the third party moderator
OCSP stapling
Web servers send queries to the OSCP responder at regular intervals to receive signed time-stamped responses. This is to help with real time verification congestion.
Certificate repository
a digital certificate manager
Expiration
some keys have expiration dates
Certificate signing request (CSR)
specially formatted encrypted message that validates the information that the CA requires to issue a digital certificate.
IP Security (IPsec)
suit for securing Internet Protocol (IP) communications.
Software publisher digital certificates
these are provided by software publishers to verify their programs are secure and un tampered with.
Trust model
they type of true relationship that can exist between individuals or entities.
