Lesson 6
Certificate Enrollment Process
1. Entity requests certificate 2. RA authenticates entity 3. Policy applied to request 4. Request sent to CA 5. CA issues certificate 6. Entity notified 7. Certificate installed
Certificate Life Cycle
1. Issuance - Root CA issues its self-signed key pair. Then sub CAs start to issue their certificates. 2. Enrollment 3a. Renewal 3b. Revocation 3c. Expiration 3d. Suspension
Private Key Replacement
1. Recover private key 2. Decrypt any encrypted data 3. Destroy the original private key 4. Obtain a new key pair 5. Re-encrypt the data using the new private key.
SSL Enrollment Process
1. Request - client requests session with server 2. Response - server responds by sending its digital certificate and public key to the client 3. Negotiation - server and client then negotiate encryption level 4. Encryption - once agreed on a level, the client generates a session key, encrypts it, and sends it with the public key from the server 5. Communication - the session key then becomes the key used in the conversation
Digital Certificate
An electronic document that associates credentials with a public key. Validates holder's identity and is a way to distribute the holder's public key.
Private Key Protection Methods
Back it up to removable media and store media securely Delete it from insecure media Require a password to store the private key Never share a key Never transmit a key on the network or across the Internet after it is issued Consider using key escrow to store a private key with trusted third parties
Enterprise CA
CA that is integrated with AD
Standalone CA
CA that is not integrated with AD
What stores digital certificates?
Certificate repository database
PKCS #7
Cryptographic Message Syntax Standard. Describes the general syntax used for cryptographic data, such as digital signatures.
PKCS #10
Cryptographic Request Syntax Standard. Describes the syntax used to request certification of a public key and other info.
PKI Components
Digital certificates - to verify the identity of entities One or more CA's - to issue digital certificates to computers, users, or apps Registration Authority (RA) - responsible for verifying users' identities and approving or denying requests for digital certificates. Certificate repository database - to store the digital certificates Certificate management system - to provide software tools to perform the day-to-day functions of the PKI Certificate signing request (CSR) - a message sent to a CA in which a resource applies for a certificate
What does a CA Hierarchy help?
It distributes the workload and provides certificate services more efficiently.
If a CA is compromised, which certificates are invalid?
It's own and it's children's.
Certificate Life Cycle Factors
Length of private key Strength of crytography used Physical security of the CA and private key Security of issued certificates and their private keys Risk of attack User Trust Administrative involvement
Two types of Root CAs
Private and public
Certificate Management System
Provide software tools to perform the day-to-day functions of the PKI
PKI
Public Key Infrastructure. A system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and entities.
What are OCSP servers called?
Responders
Which CA issues and self-signs the first certificate in the hierarchy?
Root CA
What is the most secure way to configure a root CA?
Take it offline and let the subordinate CAs issue certificates.
What does the responder use to search for a certificate in a CA's database?
The certificate's serial number
What happens if the root CA's certificate expires?
The entire CA becomes inactive.
Public Key Crytography Standards (PKCS)
The most common CSR format, developed to send info over the internet in a secure manner using a PKI
Certificate Authentication
The process of identifying end users in a transaction that involves a series of steps to be carried out before the user's identity is confirmed.
What happens when certificates are revoked before their expiration date?
They are rendered permanently invalid
M of N Control
Used to prevent a single authorized agent from recovering a key. A mathematical control that takes into account the total number of recovery agents (N) along with the number of agents required to perform a key recovery (M). If the number of agents attempting to recover a key does not meet or exceed M, then the key will not be recovered.
Certificate Signing Request (CSR)
a message sent to a CA in which a resource applies for a certificate
CA Hierarchy/Trust Model
a single CA or group of CAs that work together to issue digital certificates. Each CA in the hierarchy has a parent-child relationship with the CA directly above it.
Online Certificate Status Protocol (OCSP)
an HTTP-based alternative to a CRL for checking the status of revoked certificates.
Key escrow
an alternative to key backups, can be used to store private keys securely, while allowing one or more trusted third parties access to the keys under predefined conditions. the third party is called the key escrow agent
Subordinate CAs
any CAs below the root in the hierarchy. Issue certificates and provide day-to-day management of the certificates, including renewal, suspension, and revocation.
Private Root CA
created by a company for use primarily within the company itself. The root can be set up and configured in-house or contracted to a third-party vendor.
Public Root CA
created by a third-party or commercial vendor for general access by the public.
Certificate Revocation List (CRL)
list of certificates that were revoked before the expiration date. Contains requester's name, request ID number, the reason why the certificate was revoked and other pertinent info.
Registration Authority (RA)
responsible for verifying users' identities and approving or denying requests for digital certificates.
Root CA
the topmost CA in the hierarchy and the most trusted authority.
File encryption keys
used to encrypt files and stored by the public key.
Encrypting File System (EFS)
uses Microsoft NTFS-based public key encryption.