Security Guide to Network Security Fundamentals Third Edition
- Slides: 53
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography
Objectives • Define digital certificates • List the various types of digital certificates and how they are used • Describe the components of Public Key Infrastructure (PKI) • List the tasks associated with key management • Describe the different cryptographic transport protocols Security+ Guide to Network Security Fundamentals, Third Edition 2
Digital Certificates • Using digital certificates involves: – Understanding their purpose – Knowing how they are authorized, stored, and revoked – Determining which type of digital certificate is appropriate for different situations Security+ Guide to Network Security Fundamentals, Third Edition 3
Defining Digital Certificates • Digital certificate – Can be used to associate or “bind” a user’s identity to a public key – The user’s public key that has itself been “digitally signed” by a reputable source entrusted to sign it • Digital certificates make it possible for Alice to verify Bob’s claim that the key belongs to him • When Bob sends a message to Alice he does not ask her to retrieve his public key from a central site – Instead, Bob attaches the digital certificate to the message Security+ Guide to Network Security Fundamentals, Third Edition 4
Security+ Guide to Network Security Fundamentals, Third Edition 5
Defining Digital Certificates (continued) • A digital certificate typically contains the following information: – – – Owner’s name or alias Owner’s public key Name of the issuer Digital signature of the issuer Serial number of the digital certificate Expiration date of the public key Security+ Guide to Network Security Fundamentals, Third Edition 6
Authorizing, Storing, and Revoking Digital Certificates • Certificate Authority (CA) – An entity that issues digital certificates for others – A user provides information to a CA that verifies her identity – The user generates public and private keys and sends the public key to the CA – The CA inserts this public key into the certificate • Registration Authority (RA) – Handles some CA tasks such as processing certificate requests and authenticating users Security+ Guide to Network Security Fundamentals, Third Edition 7
Authorizing, Storing, and Revoking Digital Certificates (continued) • Certificate Revocation List (CRL) – Lists revoked certificates – Can be accessed to check the certificate status of other users – Most CRLs can either be viewed or downloaded directly into the user’s Web browser • Certificate Repository (CR) – A publicly accessible directory that contains the certificates and CRLs published by a CA – CRs are often available to all users through a Web browser interface Security+ Guide to Network Security Fundamentals, Third Edition 8
Security+ Guide to Network Security Fundamentals, Third Edition 9
Authorizing, Storing, and Revoking Digital Certificates (continued) Security+ Guide to Network Security Fundamentals, Third Edition 10
Types of Digital Certificates • Digital certificates can also be used to: – Encrypt channels to provide secure communication – Encrypt messages for secure Internet e-mail communication – Verify the identity of clients and servers on the Web – Verify the source and integrity of signed executable code • Categories of digital certificates – Personal digital certificates – Server digital certificates – Software publisher digital certificates Security+ Guide to Network Security Fundamentals, Third Edition 11
Security+ Guide to Network Security Fundamentals, Third Edition 12
Types of Digital Certificates (continued) • Single-sided certificate – When Bob sends one digital certificate to Alice along with his message • Dual-sided certificates – Certificates in which the functionality is split between two certificates • Signing certificate • Encryption certificate Security+ Guide to Network Security Fundamentals, Third Edition 13
Types of Digital Certificates (continued) • Dual-sided certificate advantages: – Reduce the need for storing multiple copies of the signing certificate – Facilitate certificate handling in organizations • X. 509 Digital Certificates – The most widely accepted format for digital certificates Security+ Guide to Network Security Fundamentals, Third Edition 14
Types of Digital Certificates (continued) Security+ Guide to Network Security Fundamentals, Third Edition 15
Security+ Guide to Network Security Fundamentals, Third Edition 16
Security+ Guide to Network Security Fundamentals, Third Edition 17
Public Key Infrastructure (PKI) • Public key infrastructure involves public-key cryptography standards, trust models, and key management Security+ Guide to Network Security Fundamentals, Third Edition 18
What Is Public Key Infrastructure (PKI)? • Public key infrastructure (PKI) – A framework for all of the entities involved in digital certificates to create, store, distribute, and revoke digital certificates • Includes hardware, software, people, policies and procedures • PKI is digital certificate management Security+ Guide to Network Security Fundamentals, Third Edition 19
Public-Key Cryptographic Standards (PKCS) • Public-key cryptography standards (PKCS) – A numbered set of PKI standards that have been defined by the RSA Corporation – These standards are based on the RSA public-key algorithm Security+ Guide to Network Security Fundamentals, Third Edition 20
Security+ Guide to Network Security Fundamentals, Third Edition 21
Security+ Guide to Network Security Fundamentals, Third Edition 22
Security+ Guide to Network Security Fundamentals, Third Edition 23
Trust Models • Trust may be defined as confidence in or reliance on another person or entity • Trust model – Refers to the type of trusting relationship that can exist between individuals or entities • Direct trust – A relationship exists between two individuals because one person knows the other person • Third party trust – Refers to a situation in which two individuals trust each other because each trusts a third party Security+ Guide to Network Security Fundamentals, Third Edition 24
Trust Models (continued) • Direct trust is not feasible when dealing with multiple users who each have digital certificates • Three PKI trust models that use a CA – Hierarchical trust model – Distributed trust model – Bridge trust model Security+ Guide to Network Security Fundamentals, Third Edition 25
Trust Models (continued) Security+ Guide to Network Security Fundamentals, Third Edition 26
Trust Models (continued) Security+ Guide to Network Security Fundamentals, Third Edition 27
Security+ Guide to Network Security Fundamentals, Third Edition 28
Managing PKI • Certificate policy (CP) – A published set of rules that govern the operation of a PKI – Provides recommended baseline security requirements for the use and operation of CA, RA, and other PKI components • Certificate practice statement (CPS) – Describes in detail how the CA uses and manages certificates – A more technical document than a CP Security+ Guide to Network Security Fundamentals, Third Edition 29
Managing PKI (continued) • Certificate life cycle – – Creation Suspension Revocation Expiration Security+ Guide to Network Security Fundamentals 30
Key Management • Proper key management includes key storage, key usage, and key handling procedures Security+ Guide to Network Security Fundamentals, Third Edition 31
Key Storage • Public keys can be stored by embedding them within digital certificates – While private keys can be stored on the user’s local system • The drawback to software-based storage is that it may leave keys open to attacks • Storing keys in hardware is an alternative to software-based storage • Private keys can be stored on smart cards or in tokens Security+ Guide to Network Security Fundamentals, Third Edition 32
Key Usage • If more security is needed than a single set of public and private keys – Then multiple pairs of dual keys can be created • One pair of keys may be used to encrypt information – The public key could be backed up to another location • The second pair would be used only for digital signatures – The public key in that pair would never be backed up Security+ Guide to Network Security Fundamentals, Third Edition 33
Key Handling Procedures • Procedures include: – – – Escrow Expiration Renewal Revocation Recovery • Key recovery agent (KRA) • M-of-N control – Suspension – Destruction Security+ Guide to Network Security Fundamentals, Third Edition 34
Security+ Guide to Network Security Fundamentals, Third Edition 35
Cryptographic Transport Protocols • Cryptographic transport protocols can be categorized by the applications that they are commonly used for: – File transfer, Web, VPN, and e-mail Security+ Guide to Network Security Fundamentals, Third Edition 36
File Transfer Protocols • File Transfer Protocol (FTP) – Part of the TCP/IP suite – Used to connect to an FTP server • Vulnerabilities – Usernames, passwords, and files being transferred are in cleartext – Files being transferred by FTP are vulnerable to manin-the-middle attacks • One of the ways to reduce the risk of attack is to use encrypted Secure FTP (SFTP) Security+ Guide to Network Security Fundamentals, Third Edition 37
File Transfer Protocols (continued) • Secure Sockets Layer (SSL) – A protocol developed by Netscape for securely transmitting documents over the Internet – Uses a public key to encrypt data that is transferred over the SSL connection • Transport Layer Security (TLS) – A protocol that guarantees privacy and data integrity between applications communicating over the Internet – An extension of SSL • Are often referred to as SSL/TLS or TLS/SSL Security+ Guide to Network Security Fundamentals, Third Edition 38
File Transfer Protocols (continued) • A second protocol that can be used with SFTP is Secure Shell (SSH) – Also called SFTP/SSH • SSH – A UNIX-based command interface and protocol for securely accessing a remote computer – Suite of three utilities: slogin, scp, and ssh – Both the client and server ends of the connection are authenticated using a digital certificate • Passwords are protected by being encrypted Security+ Guide to Network Security Fundamentals, Third Edition 39
File Transfer Protocols (continued) Security+ Guide to Network Security Fundamentals, Third Edition 40
Web Protocols • Another use of SSL is to secure Web HTTP communications between a browser and a Web server • Hypertext Transport Protocol over Secure Sockets Layer – “Plain” HTTP sent over SSL/TLS • Secure Hypertext Transport Protocol – Allows clients and the server to negotiate independently encryption, authentication, and digital signature methods, in any combination, in both directions Security+ Guide to Network Security Fundamentals, Third Edition 41
VPN Protocols • Point-to-Point Tunneling Protocol (PPTP) – Most widely deployed tunneling protocol – Allows IP traffic to be encrypted and then encapsulated in an IP header to be sent across a public IP network such as the Internet – Based on the Point-to-Point Protocol (PPP) • Point-to-Point Protocol over Ethernet (PPPo. E) – Another variation of PPP that is used by broadband Internet providers with DSL or cable modem connections Security+ Guide to Network Security Fundamentals, Third Edition 42
VPN Protocols (continued) Security+ Guide to Network Security Fundamentals, Third Edition 43
VPN Protocols (continued) • Layer 2 Tunneling Protocol (L 2 TP) – Merges the features of PPTP with Cisco’s Layer 2 Forwarding Protocol (L 2 F) – L 2 TP is not limited to working with TCP/IP-based networks, but supports a wide array of protocols – An industry-standard tunneling protocol that allows IP traffic to be encrypted • And then transmitted over any medium that supports point-to-point delivery Security+ Guide to Network Security Fundamentals, Third Edition 44
VPN Protocols (continued) • IP Security (IPsec) – A set of protocols developed to support the secure exchange of packets • Because it operates at a low level in the OSI model – IPsec is considered to be a transparent security protocol for applications, users, and software • IPsec provides three areas of protection: – Authentication, confidentiality, and key management Security+ Guide to Network Security Fundamentals, Third Edition 45
Security+ Guide to Network Security Fundamentals, Third Edition 46
VPN Protocols (continued) • IPsec supports two encryption modes: – Transport mode encrypts only the data portion (payload) of each packet yet leaves the header unencrypted – Tunnel mode encrypts both the header and the data portion • Both AH and ESP can be used with transport or tunnel mode – Creating four possible transport mechanisms Security+ Guide to Network Security Fundamentals, Third Edition 47
Security+ Guide to Network Security Fundamentals, Third Edition 48
Security+ Guide to Network Security Fundamentals, Third Edition 49
VPN Protocols (continued) Security+ Guide to Network Security Fundamentals, Third Edition 50
E-mail Transport Protocol • S/MIME (Secure/Multipurpose Internet Mail Extensions) – One of the most common e-mail transport protocols – Uses digital certificates to protect the e-mail messages • S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them Security+ Guide to Network Security Fundamentals, Third Edition 51
Summary • Digital certificates can be used to associate a user’s identity to a public key • An entity that issues digital certificates for others is known as a Certificate Authority (CA) • Types of certificates – Personal, server, and software publisher certificates • PKI is digital certificate management • One of the principal foundations of PKI is that of trust Security+ Guide to Network Security Fundamentals, Third Edition 52
Summary (continued) • An organization that uses multiple digital certificates on a regular basis needs to properly manage those digital certificates • One cryptographic transport protocol for FTP is Secure Sockets Layer (SSL) • A secure version for Web communications is HTTP sent over SSL/TLS and is called HTTPS (Hypertext Transport Protocol over Secure Sockets Layer) • There are several “tunneling” protocols (when a packet is enclosed within another packet) that can be used for VPN transmissions Security+ Guide to Network Security Fundamentals, Third Edition 53
- Guide to network security
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Fundamentals of corporate finance third canadian edition
- Fundamentals of corporate finance 3rd canadian edition
- Computer security fundamentals 4th edition
- William stallings network security essentials 5th edition
- Cryptography and network security 6th edition
- Cryptography and network security 6th edition pdf
- Cryptography and network security 4th edition
- Cryptographic systems are generically classified by
- Pearson cryptography and network security
- Odontoclasia meaning
- Caries profunda definition
- Fundamentals of information systems 9th edition
- Fundamentals of information systems 9th edition
- Fluid mechanics fundamentals and applications 3rd edition
- Digital fundamentals answers
- Machining fundamentals 10th edition
- Fundamentals of organizational communication
- Fundamentals of organizational communication 9th edition
- Digital fundamentals 10th edition
- Floyd digital fundamentals 10th edition pdf
- Dc/ac fundamentals a systems approach
- Management fundamentals 8th edition
- Fundamentals of information systems 9th edition
- Fundamentals of corporate finance fifth edition
- Fundamentals of corporate finance 6th edition
- Abnormal psychology ronald j comer 9th edition
- Fundamentals of information systems 9th edition
- Thermal conduction resistance
- The fundamentals of political science research 2nd edition
- Principles of economics third edition
- Organic chemistry third edition david klein
- Organic chemistry third edition david klein
- Business mathematics third edition
- Modern operating systems tanenbaum
- Lifespan development third edition
- Lifespan development third edition
- Essential cell biology
- Graphical display
- Osi security architecture model
- Wireless security in cryptography and network security
- Electronic mail security in network security
- Mis chapter 6
- Zulily case study
- Provate security
- Ccna exploration network fundamentals
- Campus network design fundamentals
- Florida real estate broker's guide 6th edition
- Florida real estate broker's guide
- Pocket guide to public speaking
- Guide to wireless communications 4th edition
- Guide to computer forensics and investigations