Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 03_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
EC-Council
Tags
Related
- Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 03_ocred.pdf
- Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 06_ocred.pdf
- Applied Cryptography 6COSC019W- Cyber Security PDF
- Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 06_ocred_fax_ocred.pdf
- Resumen Tema 2 (1) PDF
- Introduction to Cryptography PDF
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Cryptography Digital Certificate Formats Distinguished Encoding...
Certified Cybersecurity Technician Exam 212-82 Cryptography Digital Certificate Formats Distinguished Encoding DER is a binary encoding for both certificates and private keys, and the encoded files Rules (DER) have the extensions.der and.cer Privacy Enhanced A PEM file consists of Base64-encoded ASCII data with the extensions.crt,.pem,.cer, Mail (PEM) and.key Personal Information PFX, also referred to as PKCS#12, is a binary format to store a main host certificate and Exchange (PFX) derived intermediate certificate with an associated private key in an encrypted file CER ‘ » CER files are security files issued by a third-party CA to check website authenticity PIB The P7B or PKCS#7 format employs Base64 ASCII encoding and uses the file extensions.p7band.p7c PRCS#8 The PKCS#8 format consists of private keys and securely encrypted private key data with the extension.p8 Copyright © byby EC-CEC-Councll. cl. All Rights Reserved. Reproductionis Strictly Prohibited Prohibited. Digital Certificate Formats A digital certificate format comprises details related to the owner and authority of the certificate. Digital certificate files have distinct extensions depending on the format and encoding used. Extension: Extensions are present in version 3 certificates and consist of an extension identifier, criticality flag, and extension value, all of which are conventional file extensions and not standard. Extensions often do not provide information about the type of encoding used or type of content in the certificate file. It can be viewed only by opening a text editor. The following are some of the types of certificate formats: = Distinguished Encoding Rules (DER): DER is a binary encoding for both certificates and private keys, and the encoded files have the extensions.der and.cer. A DER file can be read with a text editor. These files are commonly seen in Java platforms. * Privacy Enhanced Mail (PEM): It is a common file format used by CAs to provide certificates. AA PEM file consists of Base64-encoded ASCII data with the extensions.crt,.pem,.cer, and.key. The ASCIlI format data contains a plaintext header and footer such CERTIFICATE-----."” These files are as the lines “-----BEGIN CERTIFICATE-----" and “-----END CERTIFICATE-----.” commonly seen in Linux/Unix platforms. = Personal Information Exchange (PFX): PFX, also referred to as PKCS#12, is a binary format used to store a main host certificate and derived intermediate certificate with an associated private key in an encrypted file with the extensions.pfx and.p12. PFX follows Public Key Cryptography Standards (PKCS). In Windows platforms, it commonly uses the extension.pfx, and in iOS platforms, it uses.p12. It can be employed to import/export digital certificates along with private keys. Module 14 Page 1698 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography = CER: CER files are security files issued by a third-party CA to check website authenticity. These files have the extension.cer. CER certificates are configured on a web server to set the validity of a specific website hosted on the server. These files can be seen by clicking on the lock symbol at the browser’s edge while visiting a secure website. When a user enters the URL to a website hosted on the same server, the browser verifies the validity of the website using the certificate attached to it. = P7B: P7B or PKCS#7 is a format that employs Base64 ASCIlI encoding and uses the file extensions.p7b and.p7c. It comprises only main certificates and intermediate (chain) certificates but not the private key. It contains header and footer statements such as “-- BEGIN PKCS--“ and “--END PKCS7--". It is commonly seen in Microsoft Windows and Java Tomcat. = PKCS#8: This format consists of private keys and securely encrypted private key data with the extension.p8. Data are stored in the Base64 encoded form, generally using the encrypted, then the header is “-----BEGIN ENCRYPTED PRIVATE KEY-----", and the footer is “-----END ENCRYPTED PRIVATE KEY-----". PKCS#8 is the recognized syntax to store private key information. Module 14 Page 1699 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Public Key Infrastructure (PKI) L L CHIE S A | b= t1 1 =« m B g ' o=ey O e = O A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures required for creating, managing, distributing, using, storing, and revoking digital certificates Components of a PKI ( A certificate authority (CA) that issues and verifies (‘ A certificate management system for generation, \ ~digital digital certificates distribution, storage, and verification of certificates , A registration authority (RA) that acts as the I/""x @ : ‘\-‘ One or more directories where the certificates '\ -- verifier for the CA @Y 4 A\’ (along with their public keys) are stored.......................... ©# Validation of electronic signature # Enquires about public key certificate validity to validation authority Public Key Infrastructure (PKI) A public key infrastructure (PKI) is a security architecture developed for increasing the confidentiality of the information exchanged over the Internet. It includes hardware, software, people, policies, and procedures required for creating, managing, distributing, using, storing, and revoking digital certificates. In cryptography, a PKI helps to bind the public keys with the corresponding user identities by means of a CA. Module 14 Page 1700 Certified Cybersecurity Technician Copyright © by EC-Council EG-Bouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography PKI is a comprehensive system that allows the use of public-key encryption and digital signature services across a wide variety of applications. PKI authentication depends on digital certificates (also known as public-key certificates) that CAs sign and provide. A digital certificate is a digitally signed statement with a public key and the subject’s (i.e., a user, company, or system) name on it. The components of a PKl include, = A certificate authority (CA) that issues and verifies digital certificates = Aregistration authority (RA) that acts as the verifier for the CA. = A certificate management system for generation, distribution, storage, and verification of certificates. = One or more directories where the certificates (along with their public keys) are stored. Auctfr:rl-f;\cra (tg; ) lal;fl 7...o.f’.‘!‘.’i’f?.‘.'!‘.f?.’f‘f?f'.".']....) I N < ul ‘ | I' > Requestforissuing =gy © Wdation \ certificate.+ A « Authority (VA) :’ Public Key Public Key 5 Determined v Certificate Certificate 5 Result L H - : Registration [. H Authority (RA) : 9 : User applies for o : R 4 Issuing certificate O.9'..'.'.@'..'...'.".) Message with digital signature User and copy of public key certificate Public Key w © Validation of electronic signature Private Key 4 © Enquires about publickey certificate validity to validation authority Figure 14.27: PKI Components PKI is widely recognized as a best practice for ensuring digital verification for electronic transactions. These are the most effective methods for providing verification during electronic transactions. The digital signatures supported by PKI include the following: = With whom you are dealing (identification) = Who is authorized to access what information (entitlements) = Averifiable record of the transaction (verification) Module 14 Page 1701 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Uses of PKI PKI does not serve only as a business function; it provides the foundation for other security services. The primary use of PKI is to allow the distribution and use of public keys and certificates with security. The security mechanisms that are based on PKI include email, chip card application, value exchange with e-commerce, home banking, and electronic postal systems. PKI enables basic security services for a variety of systems as listed below: = |t uses the SSL, internet protocol security (IPsec), and the hypertext transfer protocol secure (HTTPS) protocols for communication security. * |t uses the secure/multipurpose internet mail extensions (S/MIME) and pretty good privacy (PGP) protocols for email security. = |t uses the secure electronic transaction (SET) protocol for value exchange. The following are the key benefits of PKI: = |t reduces the transactional processing expenses. = |t reduces risk. = |t improves the efficiency and performance of systems and networks. = |t reduces the difficulty of security systems with binary symmetrical methods. Certificate Authority (CA) and Registration Authority (RA) The primary role of CA is to digitally sign and publish the public key bound to a given user. It is an entity trusted by one or more users to manage certificates. Often, a registration authority (RA) is used for handling verification prior to the issue of certificates to reduce the burden of a CA. An RA acts as a proxy between the user and the CA. The RA receives a request, authenticates it, and forwards it to the CA. An RA is a type of licensed certificate distributor or intermediary between users and the CA, and it performs CA activities such as accepting and processing certificate requests and checking identity and revoking credentials, if necessary. This authority can generate keys on behalf of users and can also be used for key backup and recovery. Intermediate CA Another way of issuing a certificate is using intermediary CAs that allow the hierarchical distribution of certificates, where the main CA represented as a root CA. Under the root CA, there may be many intermediate authorities (subordinate CAs), among which the load of certificate creation is distributed, and these intermediate authorities provide facilities for organizations in different regions to create and handle their own certificates. Creating intermediate CAs can also make the certificate revocation process easy. If an attacker managed to gain access to the key used on an intermediate CA, it is possible to revoke only the certificates under that specific CA. Module 14 Page 1702 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography oo =i Root Root CA ao 2 L].° —= Intermediate CA = Intermediate CA — Intermediate CA ‘lllllll;lllllll.: ‘onnnuo-;-u----u-‘ :"""":".""'t l"""'s""""\' ‘Illl..l;llll.lll‘ ‘ll.lll.;ll.l.ll.‘ Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Figure 14.28: CA hierarchy Module 14 Page 1703 Certified Cybersecurity Technician Copyright © by EC-Gouncil EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.