Using and Managing Keys
Chapter 9: Using and Managing KeysSecurity+ Guide to Network Security Fundamentals Second Edition Objectives•Explain cryptography strengths and vulnerabilities•Define public key infrastructure (PKI)•Manage digital certificates•Explore key management Understanding Cryptography Strengths and Vulnerabilities•Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored•When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext Symmetric Cryptography Strengths and Weaknesses•Identical keys are used to both encrypt and decrypt the message•Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish•Disadvantages of symmetric encryption relate to the difficulties of managing the private key Asymmetric Cryptography Strengths and Vulnerabilities•With asymmetric encryption, two keys are used instead of one –The private key encrypts the message–The public key decrypts the message Asymmetric Cryptography Strengths and Vulnerabilities (continued)•Can greatly improve cryptography security, convenience, and flexibility•Public keys can be distributed freely•Users cannot deny they have sent a message if they have previously encrypted the message with their private keys•Primary disadvantage is that it is computing-intensive Digital Signatures•Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message•A digital signature helps to prove that:–The person sending the message with a public key is who they claim to be–The message was not altered–It cannot be denied the message was sent Digital Certificates•Digital documents that associate an individual with its specific public key•Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party Certification Authority (CA)•The owner of the public key listed in the digital certificate can be identified to the CA in different ways–By their e-mail address–By additional information that describes the digital certificate and limits the scope of its use •Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users Certification Authority (CA) (continued)•The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes•Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)•Some organizations set up a Registration Authority (RA) to handle some CA, tasks such as processing certificate requests and authenticating users [...]... (continued) X509 Digital Certificates (continued) Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition Key Storage (continued) • Storing keys in hardware is an alternative to software- based keys • Whether private keys are stored in hardware or software, it is important that they be adequately protected Managing Digital Certificates (continued) • Server... message was not altered – It cannot be denied the message was sent Public Key Cryptography Standards (PKCS) • Numbered set of standards that have been defined by the RSA Corporation since 1991 • Composed of 15 standards detailed on pages 318 and 319 of the text Understanding Cryptography Strengths and Vulnerabilities • Cryptography is science of “scrambling” data so it cannot be viewed by unauthorized... cipher and key to produce the original plaintext Summary (continued) • PKCS is a numbered set of standards that have been defined by the RSA Corporation since 1991 • The three PKI trust models are based on direct and third-party trust • Digital certificates are managed through CPs and CPSs Exploring Key Management • Because keys form the very foundation of the algorithms in asymmetric and PKI... Weaknesses • Identical keys are used to both encrypt and decrypt the message • Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish • Disadvantages of symmetric encryption relate to the difficulties of managing the private key Certification Authority... PKI • Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs • For a typical enterprise: – Provides end-user enrollment software – Integrates corporate certificate directories – Manages, renews, and revokes certificates – Provides related network services and security • Typically consists of one or more CA servers and digital... different PKI trust models are based on direct and third-party trust Asymmetric Cryptography Strengths and Vulnerabilities (continued) • Can greatly improve cryptography security, convenience, and flexibility • Public keys can be distributed freely • Users cannot deny they have sent a message if they have previously encrypted the message with their private keys • Primary disadvantage is that it is... cryptography strengths and vulnerabilities • Define public key infrastructure (PKI) • Manage digital certificates • Explore key management Asymmetric Cryptography Strengths and Vulnerabilities • With asymmetric encryption, two keys are used instead of one – The private key encrypts the message – The public key decrypts the message Symmetric Cryptography Strengths and Weaknesses • Identical keys are used... detail how the CA uses and manages certificates • Covers topics such as those listed on pages 325 and 326 of the text Trust Models (continued) • The web of trust model is based on direct trust • Single-point trust model is based on third-party trust – A CA directly issues and signs certificates • In an hierarchical trust model, the primary or root certificate authority issues and signs the certificates... in a CR for users to refer to Key Storage • It is possible to store public keys by embedding them within digital certificates • This is a form of software-based storage and doesn’t involve any cryptography hardware • Another form of software-based storage involves storing private keys on the user’s local computer Managing Digital Certificates (continued) Certificate Practice Statement (CPS) • More...Understanding Public Key Infrastructure (PKI) • Weaknesses associated with asymmetric cryptography led to the development of PKI • A CA is an important trusted party who can sign and issue certificates for users • Some of its tasks can also be performed by a subordinate function, the RA • Updated certificates and CRLs are kept in a CR for users to refer to . Chapter 9: Using and Managing KeysSecurity+ Guide to Network Security Fundamentals Second Edition Objectives•Explain cryptography strengths and vulnerabilities•Define. tasks PKI Standards and Protocols•A number of standards have been proposed for PKI–Public Key Cryptography Standards (PKCS)–X509 certificate standards Public