The content chapter 5 (part 1) include: Preparing for cryptographic attacks, cryptography standards and protocols, key management and key life cycle, introduction of PKI, trust models, PKI management.
Public Key Infrastructure Contents v Preparing for Cryptographic Attacks v Cryptography Standards and Protocols v Key management and Key life cycle v Introduction of PKI v Trust models v PKI management Cryptographic Attacks v Specific attacks on cryptographic systems can be divided into three types: v Attacking the key v Attacking the algorithm v Intercepting the transmission Cryptographic Attacks: Birthday attack v A birthday attack is an example of an attack targeted at the key v It isn’t an attack on the algorithm itself, just on the results v If 25 people are in a room, there is some probability that two of those people will have the same birthday v The probability increases as additional people enter the room v It’s important to remember that probability doesn’t mean that something will occur, only that it’s more likely to occur Cryptographic Attacks: Weak key attack v Based on the premise that many common passwords are used by lots of people v If the key length is short, the resulting hash value will be easier to guess v Make sure your users use passwords and encryption keys that are hard to guess You may even want to consider a random-password generating system Cryptographic Attacks: Mathematical attack v Mathematical attacks can be focused on the encryption algorithm itself, the key mechanism, or any potential area of weakness in the algorithm v These attacks use mathematical modeling and statistical analysis to determine how the system operates v These types of attacks depend on intercepting large amounts of data and methodically attempting to decrypt the messages using one of the methods previously described Contents v Preparing for Cryptographic Attacks v Cryptography Standards and Protocols v Key management and Key life cycle v Introduction of PKI v Trust models v PKI management Public Domain Cryptography v Public domain cryptography refers to the standards and protocols that emerge from individual or corporate efforts and are released to the general public for use v PGP and RSA are two common public cryptographic initiatives Pretty Good Privacy (PGP) - Bí mật tương đối tốt v Developed by Phil Zimmerman v In 1991, he published the encryption system on the Internet v PGP has become a de facto standard for e-mail encryption v PGP uses both symmetrical and asymmetrical encryption Pretty Good Privacy (PGP) Hierarchical Trust Models v A root CA at the top provides all the information v The intermediate CAs are next in the hierarchy, and they only trust information provided by the root CA v The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren’t v This arrangement allows a high level of control at all levels of the hierarchical tree Hierarchical Trust Models Bridge Trust Models Mesh Trust Models Hybrid Trust Model Web of Trust model Web of Trust model v Web of Trust is a PKI with no central hierarchy, it’s literally a web It’s like degrees of separation v Bob vouches for Andy v Sarah trusts Bob, so she trusts the identity of Andy v Sara vouches for Bob v Steve trusts Sara, therefore he trusts the identities of Bob, and Andy via Sarah… v PGP uses web of trust Web of Trust model Example PGP verification v Verifing the signature of ClamAV Contents v Preparing for Cryptographic Attacks v Cryptography Standards and Protocols v Key management and Key life cycle v Introduction of PKI v Trust models v PKI management Certificate Renewals v Certificates have a lifetime after which they expire Why? v When a certificate expires you have to renew it You don’t have to go through the RA again You just have to be able to sign a message with your old private key v When renewing you can use the old public/private key pair or generate a new key pair What is the advantage of generating a new pair? Certificate Revocation v Certificate revocation is the process of revoking a certificate before it expires v Why? v It was stolen v An employee moved to a new company v Someone has had their access revoked v… v A certificate revocation is handled either through a Certificate Revocation List (CRL) or by using the Online Certificate Status Protocol (OCSP) Certificate Revocation v Certificate Revocation List (CRL) v Certificate serial number that have been revoked v Reason for revocation v Date of revocation v The CRL is digitally signed by the CA Certificate Revocation v Client software must check the CRL before trusting a digital certificate v Once a certificate is revoked, it cannot be “un-revoked” v A certificate could be suspended, (or put on hold) this also goes on the CRL, however a special “reason” of suspended is used v Suspended certificates MAY be un-suspended Certificate Revocation v Online Certificate Status Protocol (OCSP) v A client server model v A client program actually queries a server to see if someone’s certificate is valid v This way the client does not need to know how to find the CRL for the given certificate Authority and doesn’t have to actually search through the CRL ... a list of standards for PKCS Public- Key Infrastructure X .50 9 (PKIX) v Public- Key Cryptography Standards (PKCS) is a set of voluntary standards created by RSA and security leaders v Early members... Lotus, Sun, and MIT X .50 9 v The X .50 9 standard defines v Certificate formats and fields for public keys v The procedures that should be used to distribute public keys v The X .50 9 version certificate... transport or tunnel mode v Port 50 is used for ESP v Port 51 is used for AH Tunneling Protocols v Point-to-Point Tunneling Protocol (PPTP) v Encapsulation in a single point-to-point environment v PPTP