Chapter 4 Security
Digital Certificates
A common application of cryptography.
What is public key infrastructure (PKI)?
A Framework for all the entities involved in digital certificates.
Secure Sockets Layer (SSL)
A Protocol developed by Netscape for securely transmitting documents over the Internet that uses a private key to encrypt data. Version 3.0 is the current version.
Length of Keys
A factor in determining the overall security of a transmission.
Public Key Infrastructure (PKI)
A framework for all entities involved in digital certificates. -Certificate management actions facilitated by PKI. (Create) (Store) (Distribute) (Revoke)
Transport Layer Security (TLS)
A protocol based on SSL 3.0 that provides authentication and encryption, used by most servers for secure exchanges over the Internet.
Certificate Policy (CP)
A published set of rules that govern operation of a PKI.
Certificate Practice Statement (CPS)
A technical document that describes in detail how the CA uses and manages certificates.
Direct trust
A type of trust model where one person knows the other person.
Salt
A value that can be used to ensure that plaintext, when hashed, will not consistently result in the same digest.
Nonce
A value that must be unique within some specified scope.
What is Certificate Authority (CA) responsible for?
Digital certificates
Three primary characteristics that determine the resiliency of the key to attacks.
- Randomness -Length of the key -Cryptoperiod
What are the different types of digital certificates?
- Root Certificates - Domain Certificates - Hardware Certificates - Software Certificates
Cipher suite
-A named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with SSL and TLS. -Length of keys (a factor in determining the overall security of a transmission) -Keys of less than 2048 bits are considered weak. -Keys of 2048 bits are considered good. -Keys of 4096 bits are strong.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
-A protocol for securing email messages. -Allows users to send encrypted messages that are also digitally signed.
Hierarchical Trust Model
-Assigns a single hierarchy with one master CA called the root. -The root signs all digital certificate authorities with a single key.
Certificate life cycle
-Creation (Occurs after user is positively identified.) -Suspension (May occur when employee is on a leave of absence.) -Revocation (Certificate no longer valid.) -Expiration (Key can no longer be used.)
IP Security (IP sec)
-IP sec is considered to be a transparent security protocol. (Transparent to applications, users, and software) -IP sec provides three areas of protection that correspond to three IP sec protocols: (Authentication) (Confidentiality) (Key) (management) -Supports two encryption modes:: (Transport - encrypts only the data portion of each packet and leaves the header unencrypted) (Tunnel - encrypts both the header and the data portion) -Cryptography that is improperly applied can lead to vulnerabilities that will be exploited. -Cryptography that is improperly applied can lead to vulnerabilities that will be exploited. -A digital certificate is the user's public key that has been digitally signed by a trusted third party who verifies the owner and that the public key belongs to that owner. -A certificate repository (CR) is a list of approved digital certificates. -Revoked digital certificates are listed in a Certificate Revocation List( zCR L). -Status can also be checked through the Online Certificate Status Protocol (OCSP). -Domain validation digital certificates verify the identity of the entity that has control over the domain name but indicate nothing regarding the trustworthiness of the individuals behind the site. -A public key infrastructure (PKI) is a framework for all the entities involved in digital certificates to create, store, distribute, and revoke digital certificates. -An organization that uses multiple digital certificates on a regular basis needs to properly manage those digital certificates. -Cryptography is commonly used to protect data-in-transit. (SSL and TLS are widely used protocols) -IP sec is a set of protocols developed to support the secure exchange of packets.
Multiple pairs of dual keys can be created
-If more security is needed than a single set of public/private keys. -One pair used to encrypt information. (Public key backed up in another location) -Second pair used only for digital signatures. (Public key in that pair would never be backed up)
Key escrow
-Keys are managed by a third party, such as a trusted CA. -Private key is split and each half is encrypted. -Two halves sent to third party, which stores each half in separate location. -Everyone must agree in order to get the key back that's what M-of-N control is.
Key Management
-Means of public key storage (Embedding within digital certificates) -Means of private key storage (Stored on user's local system) -Software-based storage may expose keys to attackers. -Alternative storing keys in hardware -Smart-cards -Tokens
Domain Digital Certificates
-Most digital certificates are web server digital certificates issued from a web server to a client. -Web server digital certificates perform two primary functions: (Ensure the authenticity of the web server to the client.) (Ensure the authenticity of the cryptographic connection to the web server.)
Distributed Trust Model
-Multiple CA s sign digital certificates. -Eliminates limitations of hierarchical trust model.
Bridge Trust Model
-One CA acts as facilitator to interconnect all other CAs. Facilitator CA does not issue digital certificates, instead it acts as the hub between hierarchical and distributed trust model.
Certificate Repository (CR)
-Publicly accessible centralized directory of digital certificates. -Can be used to view certificate status.
Certificate authority (CA)
-Responsible for digital certificates. -May also be called root CA -The person requesting a digital certificate can be authenticated by: (Email, documents, in person.)
Types of Digital Certificates
-Root certificates -Domain certificates -Hardware and software certificates
Secure Shell (SSH)
-SSH is a suite of three utilities: slogin, ssh, and scp. -Can be used as a tool for secure network backups.
Root digital certificate
-The process of verifying a digital certificate is genuine depends upon certificate chaining. -Links several certificates together to establish trust between all the certificates involved. -Endpoint of the chain is the user digital certificate itself. -The beginning point of the chain is known as a root digital certificate. -Created and verified by a CA. -Self-signed and do not depend upon any higher-level authority.
Digital signature
-Used to prove a document originated from a valid sender. -Weakness of using digital signatures are often showed that the private key of the sender was used to encrypt the digital signature. -Imposter could post a public key under a sender's name.
Hypertext Transport Protocol Secure (HTTPS)
The secure version is actually "plain" HTTP sent over SSL or TLS.
Extended Validation (EV)
This type of certificate requires more extensive verification of the legitimacy of the business.
key strength
Transforms plaintext into ciphertext(and vice versa for decryption.)
Domain validation (digital certificate)
Verifies the identity of the entity that has control over the domain name.
Transport Layer Security (TLS)
Versions starting with v1.1 are significantly more secure than SSL v3.0.
Wildcard
(Digital Certificate) Used to validate a main domain along with all subdomains.
Trust
Confidence in or reliance on another person or entity.
Secret Algorithms
It does not enhance security the same way as keeping a key or password secret.
Certificate Revocation
Its a list of certificates that have been revoked or no longer used either b/c of changed information such as user`s address, phone number, basic info or the key has been lost or exposed.
Cryptoperiod
Length of time for which a key is authorized for use. The longer the key strength is the harder it is to break, the shorter it is the easy is going to break.
Initialization vector (IV)
Most widely used algorithm input.
Online Certificate Status Protocol (OCSP)
Performs a real-time lookup of a certificate's status.
Subject Alternative Name (SAN)
Primarily used for Microsoft Exchange servers or unified communications.
Trust model
Refers to the type of trust relationship that can exist between individuals and entities.
Secure Real-time Transport Protocol (SRTP)
SRTP provides protection for voice ip(voIP) communications.
what widely used protocols are used to protect data-in-transit?
SSL and TLS