Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Cryptography

Perfect Forward Secrecy (PFS)
PFS is a cryptographic technique that protects previously encrypted session data against unintended decryption,
even if the private key of the server is compromised

fig It employs key exchanging algorithms such as Diffie-Hellman (DH) key exchange to generate a unique session
figfi key (ephemeral key) for each session initiated between the client and server; the key can be used only for that
specific session

= -~ Key exchanging
o
Te EC8 B3 9 8
H — n | algorithm q \ m. @ | g, d @8
N. Application A@ Server

Ephemeral key

Copyright © by EC LI. All Rights Reserved. Reproductioniss Strictly Prohibited.
Prohibited |

Perfect Forward Secrecy (PFS)
In a digital envelope system, both the client and server exchanges secret keys using the RSA key
pair of the server. If an attacker can compromise the private key of the server, then the
confidential session data can be decrypted easily. To overcome risks associated with server-side
RSA key exchange, perfect forward secrecy (PFS) is used. PFS is a cryptographic technique that
protects previously encrypted session data against unintended decryption, even if the private
key of the server is compromised. It employs key exchanging algorithms such as Diffie-Hellman
(DH) key exchange to generate a unique session key (ephemeral key) for each session initiated
between the client and server; the key can be used only for that specific session. In this
manner, if the most recent key from the session is compromised, the rest of the data remains
safe. Only the data protected by that particular key is susceptible to the attack. Web
applications, messaging apps, and online voice calling applications use PFS, which changes the
secret key in each conversation or each time the web application is refreshed.
Key exchanging
algorithm

M 0. ;. Decryption
Application SICFypOc
e L : A
rxp Server

Ephemeral key

Figure 14.24: Perfect forward secrecy (PFS)

Module 14 Page 1692 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

O The digital certificates are used for dealing with the security concerns regarding
transmission of public keys securely to the receiver in the digital signature

Digit al OQ Atrusted intermediary solution is used for securing the public keys, where the
ol
gl public key is bound with the name of its owner

Certlflcates O Owners of the public key need to acquire their public keys certified from the
intermediary; the intermediary then issues certificates called digital certificates
to the owners, which they can use to send the public key to a number of users

PrivateKey (i

v

a
‘
— a

Signature Function Verification Function

Sender 4 4 Receiver
Sender signs a message digitally | (T. h
s Recelver extracts the publickey from
using his private key and sends it Public key the digital certificateand verifies the
to a receiver along with a digital digitally signed message from the
certificate Digital Certificate Digital Certificate sender using the extracted public key

Copyright © by EC-{ All Rights Reserved. ReproductionIs Strictly Prohibited.

Digital Certificates
Digital certificates allow a secure exchange of information between a sender and a receiver.
This enables the use of a public key by the sender to the receiver. A trusted intermediary
solution is used for securing the public keys, where the public key is bound with the name of its
owner. Owners of the public key need to acquire their public keys certified from the
intermediary; the intermediary then issues certificates called digital certificates to the owners,
which they can use to send the public key to a number of users.
The sender applies for a digital certificate from the certificate authority (CA). Along with the
encrypted message and the public key, the CA provides other identity validating information.
The receiver accepts the encrypted message and uses the CA’s public key to decode the digital
certificate. This allows the receiver to identify the digital signature and obtain the sender’s
public key and other identification details.
Private o
°
Key.o

v

g o ©7 L
Signature Function Verification Function
Sender A : Receiver
Sender signs a message digitally E ,,,,,, s
F b
* Recelver extracts
Receiver the public key from
using his private key and sends Public key the digital certificate and verifies the
It to a receiver along with a digitally signed message from the
digital certificate Digital Certificate Digital Certificate sender using the extracted public key

Figure 14.25: Working of digital certificates

A digital certificate can hold information such as the name of the sender who applied for the
certificate, expiration date, and a copy of the sender’s public key digital signature of the CA. The

Module 14 Page 1693 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

receivers who receive the digital certificate can check the validity of the certificate using the
signature attached from the approved authorities using the private key of the authority. Each
OS and web browser carries authorized certificates from the CA which enables easy validation.
The main aim of implementing a digital certificate is to ensure nonrepudiation.
Most of the secure sockets layer (SSL)/ transport layer security (TLS) protocols use certificates in
order to prevent attackers from changing or modifying the data. Digital certificates are used in
email servers and code signing.

Module 14 Page 1694 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

Digital Certificate Attributes
Serial number: Represents the unique certificate Valid from: Denotes the date from which the
identity certificate is valid

00000
Subject: Represents the owner of the certificate Valid to: Denotes the date till which the
which may be a person or an organization certificate is valid

Signature algorithm: States the name of the Thumbprint algorithm: Specifies the hashing
algorithm used for creating the signature algorithm used for digital signatures

Key-usage: Specifies the purpose of the public key, Thumbprint: Specifies the hash value for the
whether it should be used for encryption, certificate, which is used for verifying the certificate’s
signature verification, or both integrity

Subject Alternative Name (SAN): Secures multiple
Public key: Used for encrypting a message or
domains/subdomains or hostnames with a single
verifying the signature of the owner
certificate

Issuer: Provides the identity of the —
intermediary who issued the certificate : —

Digital Certificate Attributes
Serial number: Represents the unique certificate identity.

Subject: Represents the owner of the certificate which may be a person or an
organization.

Signature algorithm: States the name of the algorithm used for creating the signature.
Key-usage: Specifies the purpose of the public key, whether it should be used for
encryption, signature verification, or both.
Public key: Used for encrypting a message or verifying the signature of the owner.
Issuer: Provides the identity of the intermediary who issued the certificate.

Valid from: Denotes the date from which the certificate is valid.
Valid to: Denotes the date till which the certificate is valid.
Thumbprint algorithm: Specifies the hashing algorithm used for digital signatures.
Thumbprint: Specifies the hash value for the certificate, which is used for verifying the
certificate’s integrity.
Subject Alternative Name (SAN): SAN is also known as a multi-domain SSL certificate. It
can secure multiple domains/subdomains or hostnames with a single certificate. It can
also secure websites, intranet, email servers, etc., without dealing with individual
certificates.

Module 14 Page 1695 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

Digital Certificate Standard: X.509
< B c.

A A A
Version

O X.509 is the most widely used digital : Certificate Serial Number
certificate standard ; Signature Algorithm Identifier
H P i N m
H - c
Q In the X.509 system, a certification i Sl § ‘?; §
authority issues a certificate binding a i Period of Validity R R R
public key to a particular distinguished ;
name. A distinguished name is a unique § Subject Name
name such as an email address or a i Public Key Information Vo
domain name
Issuer Unique ID
A distinguished name contains information Subject Unique ID v
about the certificate holder and signature i
of the entity that issued the certificate Extensions v
i A -
i All Versions v Signature

Digital Certificate Standard: X.509
X.509 is the most widely used digital certificate standard. In the X.509 system, a certificate
authority (CA) issues a certificate binding a public key to a particular distinguished name. A
distinguished name is a unique name such as an email address or a domain name. It contains
information about the certificate holder and signature of the entity that issued the certificate.
X.509 is a standard that defines the structure of a digital certificate. The data fields that should
be included in an SSL certificate are defined by this standard. These certificate formats are
defined by Abstract Syntax Notation One (ASN.1), which is an ISO format used to accomplish
interoperability among platforms. Certificate files have distinct extensions depending on the
format and encoding used. X.509 is a widely used digital certificate structure, and version 3 of
this standard is currently in use.

Version A A 4
Certificate Serial Number i
Signature Algorithm Identifier

Issuer Name g E g
i§i§ 18
Period of Validity ’ > -
Subject Name
Public Key Information v

Issuer Unique ID :
Subject Unique ID v

Extensions v
All Versions : Signature

Figure 14.26: X.509 digital certificate format

Module 14 Page 1696 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

The following are the basic fields included in the format.
Version: This field specifies the version number of the certificate; its value can be 1, 2,
or 3.
Certificate serial number: It is a distinct positive number assigned for each certificate
and is assigned by the issuer to identify the certificate.
Signature algorithm identifier: It indicates the algorithm that the issuer uses for signing
the certificate.
Issuer name: It indicates the X.500 distinguished name of the trusted third party that
signed and issued the certificate.
Period of validity: This field indicates the dates from and till which the certificate is
valid.
Subject name: It is the name of the entity that owns the certificate. It can be CA, RA, a
person, or a company.
Public key information: This field contains the public key of the subject and the
corresponding algorithm identifier.
Issuer unique ID: It is the unique identifier used to facilitate the reuse of the issuer
name over time.
Subject unique ID: It is the unique identifier used to facilitate the reuse of the subject
name over time.
Extension: It is present in version 3 certificates and consists of an extension identifier,
criticality flag, and extension value. The extension identifier specifies the format of the
extension value and criticality flag, which indicates the importance level of the
extension.
Signature: It contains the issuer’s digital signature, which is used for verifying the
authenticity of the digital certificate.

Module 14 Page 1697 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.