Public Key Infrastructure and Encryption
2021
Mike Chapple
Summary
This textbook chapter introduces Public Key Infrastructure (PKI) and encryption. It explains how PKI components work together to secure business communications. The document also describes symmetric and asymmetric key algorithms, digital signatures, and other related concepts of information security.
Full Transcript
CHAPTER 11 Public Key Infrastructure and Encryption
Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective and Key Concepts
Learning Objective
- Implement PKI and encryption solutions to ensure the confidentiality of business communications.
Key Concepts
- PKI components and their roles
- Nonrepudiation and digital signatures
- PKI certificate authorities (CAs)
- Encryption processes

Public Key Infrastructure (PKI)
Provides:
- Secure mechanisms for business and e-commerce transactions
- A community of trust
- An infrastructure to make the Internet safer
- A level of security needed for a multilayer security system
A framework that:
- Consists of programs, procedures, and security policies
- Employs public key cryptography and the X.509 standard (digital certificates) for secure communications
- Is a hybrid system of symmetric and asymmetric key algorithms

Components of PKI
- Certificate authority (CA)
- Registration authority
- Certificate repository
- Certificate validation
- Key Recovery Service
- Time server
- Signing server

Encryption and Cryptosystem (1 of 2)
- Encryption
  - The process of applying an algorithm to cleartext (or plaintext) data, resulting in ciphertext
- Cryptosystem
  - A hardware or software system that provides encryption and decryption made up of the encryption algorithm, keys, software, and protocols
- The secret piece of the cryptosystem is the key

FIGURE 11-1 Encryption process.
Encryption and Cryptography (2 of 2)

Encryption and Cryptography—Symmetric (1 of 2)
- Symmetric algorithms use shared secret keys for encrypting and decrypting data
- Symmetric encryption systems allow only the users who have the secret key to read the data
- Symmetric key systems encrypt and decrypt information more quickly than an asymmetric system
- Symmetric key systems require a secure method to create and exchange the secret key
- Each pair of users requires a secure method to create and exchange the secret key, making key management difficult as the number of pairs of users increases

Encryption and Cryptography—Symmetric (2 of 2)
FIGURE 11-2 Symmetric key encryption process.

Encryption and Cryptography—Asymmetric (1 of 3)
- Asymmetric algorithms use pairs of related keys – public and private – for encryption and decryption
- Public key can be known by anyone
- Public and private keys are related, and anything encrypted with one can only be decrypted with the other

Encryption and Cryptography—Asymmetric (2 of 3)
FIGURE 11-3 Example of asymmetric key encryption process: encrypting with public key for confidentiality.

Encryption and Cryptography—Asymmetric (3 of 3)
FIGURE 11-4 Example of asymmetric key encryption process: encrypting with private key for authentication.

Number of Keys Needed for Different Group Sizes (FYI)

| Group Size (n) | Symmetric Keys Needed | Asymmetric Keys Needed |
|---|---|---|
| 2 | 2 | 4 |
| 3 | 3 | 6 |
| 5 | 10 | 10 |
| 10 | 45 | 20 |
| 100 | 4,950 | 200 |
| 1,000 | 499,950 | 2,000 |
| 10,000 | 49,995,000 | 20,000 |
| 100,000 | 4,999,950,000 | 200,000 |

Business Requirements for Cryptography
- Ensuring software and data integrity
- Ensuring secure collaboration between entities inside and outside an organization
- Ensuring secure cloud computing
- Providing secure transactions with consumers

Best Practices for PKI Use Within Large Enterprises and Organizations
- What are the business drivers for using PKI within the organization?
- What applications will be using PKI? Is it being used for secure email, communications, or transactions?
- What does the PKI architecture look like and how will it be used?
- What impact will this implementation have on the users, customers, and business partners?
- Where will the infrastructure reside? Can the current organizational infrastructure support the technology?

Digital Certificates and Key Management (1 of 5)
- Digital certificates
  - Used by individuals and servers to provide unknown third parties with a known secure copy of their public encryption key
- Certificate authority (CA)
  - Issues digital certificates after verifying the identity of the end user
- Registration authority (RA)
  - Verifies the identity of an individual, initiates the certification process with a CA on behalf of the user, and performs certificate life-cycle management

Digital Certificates and Key Management (2 of 5)
FIGURE 11-5 Digital certificate details. Screen shot(s) reprinted with permission from Apple Inc.
Digital Certificates and Key Management (3 of 5)
Certificate Validation Levels
- Domain Validated (DV) – Certificates confirm that the certification was issued to someone controlling the Domain Name System (DNS) domain included in the certificate
- Organization Validated (OV) – Certificates go deeper and verify the identity of the business named on the certificate
- Extended Validation (EV) – Certificates provide the strongest degree of trust, verifying the physical presence of the certificate subject

Digital Certificates and Key Management (4 of 5)
Components of Key Management
- Generation
- Distribution
- Storage
- Usage
- Recovery
- Termination
- Archival

Digital Certificates and Key Management (5 of 5)
Key Management Considerations
- Key should be long enough to provide the necessary level of protection
- Keys should be random, and algorithm should use the full keyspace
- Key’s lifetime should correspond with the sensitivity of the data
- The more a key is used, the shorter its lifetime should be

Symmetric Versus Asymmetric Algorithms (1 of 2)
- Asymmetric cryptography
  - Requires a longer key length than symmetric cryptography to achieve the same level of security
- Diffie-Hellman key exchange
  - Enables two systems to receive symmetric keys without a previous communication
  - Provides key distribution
  - Does not provide encryption or digital capabilities

Symmetric Versus Asymmetric Algorithms (2 of 2)
- RSA asymmetric encryption algorithm
  - Developed to prevent man-in-the-middle attacks
  - Most popular public key algorithm, can be used for digital signatures, key exchange, encryption and decryption
- Elliptic curve cryptosystem (ECC)
  - Provides same functionality as RSA
  - More efficient than RSA

Asymmetric Versus Symmetric Attributes

| Attribute | Asymmetric Algorithms | Symmetric Algorithms |
|---|---|---|
| Keys | Public key is available to all; private key is kept secret to the owner and never shared | Sender and recipient share a secret key |
| Key length required | Longer | Shorter |
| Example algorithms | RSA, Diffie-Hellman, ECC | DES, 3DES, AES |
| Key exchange | Easy-to-deliver public key | Requires sharing keys in advance through another secure mechanism |
| Encryption speeds | Slower | Faster |
| Security services provided | Confidentiality, integrity, authentication, and nonrepudiation | Confidentiality, integrity, and authentication |

Certificate Authority (CA) (1 of 3)
- A trusted organization that maintains, issues, and distributes digital certificates
- CAs may be internal or provided by a third party
- Certificate Revocation List (CRL)
  - A listing of invalid certificates
- Online Certificate Status Protocol (OCSP)
  - A method for live, interactive verification of a certificate status
- Certificate Practice Statement (CPS)
  - Provides details on the business processes used by the CA to verify the identity of certificate owners

Certificate Authority (CA) (2 of 3)
FIGURE 11-6 Trusted certificate authorities. Screen shot(s) reprinted with permission from Apple Inc.
FIGURE 11-7 CA in a PKI system.
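
The Diffie-Hellman slide above says two systems can arrive at a symmetric key without previous communication and that the exchange provides key distribution only. The following Python sketch is an added example, not taken from the textbook; the toy group (prime 2**127 - 1, base 3) and all function names are assumptions chosen for illustration, and real deployments use standardized large groups or elliptic curves.

```python
import hashlib
import secrets

# Toy public parameters (assumption for illustration): a 127-bit Mersenne
# prime and a small base. Far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def validate_public(value):
    """Reject degenerate peer values that would force a predictable secret."""
    if not 1 < value < P - 1:
        raise ValueError("peer public value out of range")
    return value

def derive_key(own_priv, peer_pub):
    """Combine our private exponent with the peer's public value, then hash
    the shared secret down to a 256-bit symmetric key."""
    shared = pow(validate_public(peer_pub), own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def exchange():
    """Run both sides; only the two public values cross the network."""
    a_priv, a_pub = keypair()                    # first system
    b_priv, b_pub = keypair()                    # second system
    wire = {"a_to_b": a_pub, "b_to_a": b_pub}    # all an observer sees
    key_a = derive_key(a_priv, wire["b_to_a"])
    key_b = derive_key(b_priv, wire["a_to_b"])
    return key_a, key_b, wire

if __name__ == "__main__":
    key_a, key_b, _ = exchange()
    print("keys match:", key_a == key_b)
```

Nothing in the exchange proves who sent each public value, which is the gap that certificates and digital signatures fill.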
Certificate Authority (CA) (3 of 3)

Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation

| Service | What it ensures |
|---|---|
| Confidentiality | Ensures that only the intended recipient can read a message |
| Integrity | Ensures message received was message sent |
| Authentication | Allows someone to prove his or her identity to another |
| Nonrepudiation | Ensures a third party can verify that a message came from the purported sender |

Use of Digital Signatures (1 of 3)
- Digitally signing an email allows the receiver to verify the contents were not modified after the data was sent
- Digital signatures provide nonrepudiation
- Digital signatures can be used to identify if a user has signed off or approved a particular document
FIGURE 11-8 Digital signature process.

Use of Digital Signatures (2 of 3)
FIGURE 11-9 Digital signature verification.

Use of Digital Signatures (3 of 3)

What PKI Is and What It Is Not
PKI Is
- A strong authentication mechanism
- Provides integrity, confidentiality, authentication, and nonrepudiation in a single framework
PKI Is Not
- An answer to all security questions or concerns
- Does not provide authorization
- Does not ensure that the end user can be trusted

What Are the Potential Risks Associated with PKI?
- If PKI key management is mishandled, entire PKI system could fail
- Managing a secure environment with multiple keys and multiple entities can be overwhelming
- Properly maintaining a PKI comes with a financial burden

Implementations of Business Cryptography
- Encrypting hard drives as a preventive measure in case a laptop or other mobile device is stolen
- Encrypting removable devices such as universal serial bus (USB) drives
- Encrypting instant messaging communication
- Encrypting file transfers within and outside of the network
- Encrypting highly sensitive data
- Encrypting information on mobile devices

Distribution
- Distribution of keys within an organization is a vital part of key management
- Organizations must ensure the keys are safe and distributed securely
- Some organizations may choose to outsource these services
- Outsourcing can be expensive if there are many systems, communication paths, or files that need to be encrypted within an organization

In-House Key Management Versus Outsourced Key Management
- Total cost associated with IT resources and knowledge
- Managing keys in-house requires an organization to manage the service level agreements with various business units
- Can an organization trust an outsourced key management provider?
- What level of support can the outsourced entity provide?

Certificate Authorities (CAs) and Digital Certificate Management (1 of 2)
- All digital certification implementations are done through a root CA
- A root CA signs every certificate
- Subordinate CAs can be established for more specific needs

Certificate Authorities (CAs) and Digital Certificate Management (2 of 2)
- Certificate manufacturer
- Revocation manufacturer
- Policy authority
- Certificate issuer
- Registration authority
- Authentication service
- Repository

Why Outsourcing a CA May Be Advantageous
- Communications with suppliers, customers, and business partners should be seamless
- Organizations may be geographically dispersed, and it would be more advantageous to have multiple CAs available at these various locations
- Organizations do not want to take on the costs associated with managing a CA on-site

Risks and Issues with Outsourcing a CA
- An organization may want to control its own CA because of the higher security requirements
  - Not possible when outsourcing a CA
- Organizations with high security requirements more apt to manage the CA locally where they have more control

Best Practices for PKI Use Within Large Enterprises and Organizations
- What databases will be used for PKI?
- What are the legal and policy considerations for the CA?
- What are the trust relationships and how are they established?
- How will PKI be deployed?
- Who will have access to the systems and how will this access be monitored?

Case Studies and Examples
Private Sector: Perot Systems
- Rollout of PKI and lessons learned
- Choose recognized industry leaders as vendors
- Set clear expectations for management and end users
- Make sure PKI can be maintained
- Ensure ease of rollout and use, supportability, and leveragability of resources
Public Sector: United States Patent and Trademark Office (USPTO)
- Implemented PKI to achieve the following:
  - Confidentiality for information exchange
  - Integrity of the patent application
  - Authentication with whom USPTO is dealing electronically
Critical Infrastructure: VeriSign
- Certificates issued to person posing as Microsoft employee
- Example shows how the PKI process failed because the CA issued a certificate without the appropriate verification

Summary
- PKI components and their roles
- Nonrepudiation and digital signatures
- PKI certificate authorities (CAs)
- Encryption processes
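
The signing and verification steps named in Figures 11-8 and 11-9, and the reason the attribute comparison credits nonrepudiation to asymmetric algorithms only, shown as an added Python example that is not taken from the textbook. The toy RSA key, the sample messages and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Toy RSA key (assumption for illustration) built from two known Mersenne
# primes. Unpadded RSA at this size is insecure; production systems use a
# vetted library with RSA-PSS or ECDSA and much larger keys.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                     # public key, published in a certificate
D = pow(E, -1, (P - 1) * (Q - 1))       # private key, held by the signer only

def digest_int(message: bytes, n: int) -> int:
    """Hash the message and map the digest into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes) -> int:
    """Signing (Figure 11-8): hash, then transform the hash with the private key."""
    return pow(digest_int(message, N), D, N)

def verify(message: bytes, signature: int, n: int = N, e: int = E) -> bool:
    """Verification (Figure 11-9): recover the hash with the public key and
    compare it with a fresh hash of the message as received."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_int(message, n)

def mac(message: bytes, shared_key: bytes) -> bytes:
    """Symmetric counterpart: an HMAC tag under a key both parties hold."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def demo() -> dict:
    msg = b"Approve purchase order 1001"        # constructed sample
    altered = b"Approve purchase order 9001"    # constructed sample
    sig = sign(msg)
    shared = b"constructed-shared-secret"
    sender_tag, receiver_tag = mac(msg, shared), mac(msg, shared)
    return {
        "signature_valid": verify(msg, sig),
        "altered_accepted": verify(altered, sig),
        # Either key holder produces the same tag, so a MAC cannot show a
        # third party which of them wrote the message.
        "tags_identical": hmac.compare_digest(sender_tag, receiver_tag),
    }

if __name__ == "__main__":
    print(demo())
```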