Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Cryptography Exam 212-82 Perfect Forward Secrecy (PFS) PFS is a cryptographic technique that protects previously encrypted session data against unintended decryption, even if the private key of the server is compromised It employs key exchanging algorithms such as Diffie-Hellman (DH) key exchange to generate a unique session key (ephemeral key) for each session initiated between the client and server; the key can be used only for that specific session figfi = Te EC8 -~ o B3 9 8 | Application N A Server Ephemeral key Copyright © by EC I. All Rights Reserved. Reproductionis Strictly Prohibited Perfect Forward Secrecy (PFS) In a digital envelope system, both the client and server exchanges secret keys using the RSA key pair of the server. If an attacker can compromise the private key of the server, then the confidential session data can be decrypted easily. To overcome risks associated with server-side RSA key exchange, perfect forward secrecy (PFS) is used. PFS is a cryptographic technique that protects previously encrypted session data against unintended decryption, even if the private key of the server is compromised. It employs key exchanging algorithms such as Diffie-Hellman (DH) key exchange to generate a unique session key (ephemeral key) for each session initiated between the client and server; the key can be used only for that specific session. In this manner, if the most recent key from the session is compromised, the rest of the data remains safe. Only the data protected by that particular key is susceptible to the attack. Web applications, messaging apps, and online voice calling applications use PFS, which changes the secret key in each conversation or each time the web application is refreshed. Key exchanging algorithm M Application e ; L : 0 Decryption rxp Server Ephemeral key Figure 14.24: Perfect forward secrecy (PFS) Module 14 Page 1692 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography O The digital certificates are used for dealing with the security concerns regarding transmission of public keys securely to the receiver in the digital signature Digit al Q Atrusted intermediary solution is used for securing the public keys, where the Certlflcates O Owners of the public key need to acquire their public keys certified from the ol public key is bound with the name of its owner intermediary; the intermediary then issues certificates called digital certificates to the owners, which they can use to send the public key to a number of users PrivateKey (i v a ‘ a Signature Function Sender Verification Function 4 Sender signs a message digitally using his private key and sends it 4 | (T to a receiver along with a digital certificate Receiver. h Public key Digital Certificate Recelver extracts the publickey from the digital certificate and verifies the digitally signed message from the sender using the extracted public key Digital Certificate Copyright © by EC-{ All Rights Reserved. ReproductionIs Strictly Prohibited. Digital Certificates Digital certificates allow a secure exchange of information between a sender and a receiver. This enables the use of a public key by the sender to the receiver. A trusted intermediary solution is used for securing the public keys, where the public key is bound with the name of its owner. Owners of the public key need to acquire their public keys certified from the intermediary; the intermediary then issues certificates called digital certificates to the owners, which they can use to send the public key to a number of users. The sender applies for a digital certificate from the certificate authority (CA). Along with the encrypted message and the public key, the CA provides other identity validating information. The receiver accepts the encrypted message and uses the CA’s public key to decode the digital certificate. This allows the receiver to identify the digital signature and obtain the sender’s public key and other identification details. Private Key o o v g o Signature Function Sender Sender signs a message digitally using his private key and sends It to a receiver along with a digital certificate ©7 L Verification Function A : E ,,,,,, Digital Certificate s b Public key Digital Certificate Receiver Recelver extracts the public key from the digital certificate and verifies the digitally signed message from the sender using the extracted public key Figure 14.25: Working of digital certificates A digital certificate can hold information such as the name of the sender who applied for the certificate, expiration date, and a copy of the sender’s public key digital signature of the CA. The Module 14 Page 1693 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography receivers who receive the digital certificate can check the validity of the certificate using the signature attached from the approved authorities using the private key of the authority. Each OS and web browser carries authorized certificates from the CA which enables easy validation. The main aim of implementing a digital certificate is to ensure nonrepudiation. Most of the secure sockets layer (SSL)/ transport layer security (TLS) protocols use certificates in order to prevent attackers from changing or modifying the data. Digital certificates are used in email servers and code signing. Module 14 Page 1694 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Cryptography Exam 212-82 Digital Certificate Attributes Subject: Represents the owner of the certificate which may be a person or an organization Key-usage: Specifies the purpose of the public key, whether it should be used for encryption, signature verification, or both Issuer: Provides the identity of the intermediary who issued the certificate Valid to: Denotes the date till which the certificate is valid Thumbprint algorithm: Specifies the hashing algorithm used for digital signatures Signature algorithm: States the name of the algorithm used for creating the signature Public key: Used for encrypting a message or verifying the signature of the owner Valid from: Denotes the date from which the certificate is valid 00000 Serial number: Represents the unique certificate identity Thumbprint: Specifies the hash value for the certificate, which is used for verifying the certificate’s integrity Subject Alternative Name (SAN): Secures multiple domains/subdomains or hostnames with a single certificate : Digital Certificate Attributes Serial number: Represents the unique certificate identity. Subject: Represents organization. the owner of the certificate which may be a person or an Signature algorithm: States the name of the algorithm used for creating the signature. Key-usage: Specifies the purpose of the encryption, signature verification, or both. public key, whether it should be used for Public key: Used for encrypting a message or verifying the signature of the owner. Issuer: Provides the identity of the intermediary who issued the certificate. Valid from: Denotes the date from which the certificate is valid. Valid to: Denotes the date till which the certificate is valid. Thumbprint algorithm: Specifies the hashing algorithm used for digital signatures. Thumbprint: Specifies the hash value for the certificate, which is used for verifying the certificate’s integrity. Subject Alternative Name (SAN): SAN is also known as a multi-domain SSL certificate. It can secure multiple domains/subdomains or hostnames with a single certificate. It can also secure websites, intranet, email servers, etc., without dealing with individual certificates. Module 14 Page 1695 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Cryptography Exam 212-82 Digital Certificate Standard: X.509 < B c. Version O X.509 is the most widely used digital : certificate standard Signature Algorithm Identifier H H i authority issues a certificate binding a Sl i public key to a particular distinguished name. A distinguished name is a unique name such as an email address or a ; § i domain name A A Certificate Serial Number ; Q In the X.509 system, a certification A P - i N § Period of Validity R Subject Name Public Key Information Vo m c ‘?; § R R Issuer Unique ID A distinguished name contains information Subject Unique ID about the certificate holder and signature of the entity that issued the certificate i Extensions A - v i v Signature i All Versions v Digital Certificate Standard: X.509 X.509 is the most widely used digital certificate standard. In the X.509 system, a certificate authority (CA) issues a certificate binding a public key to a particular distinguished name. A distinguished name is a unique name such as an email address or a domain name. It contains information about the certificate holder and signature of the entity that issued the certificate. X.509 is a standard that defines the structure of a digital certificate. The data fields that should be included in an SSL certificate are defined by this standard. These certificate formats are defined by Abstract Syntax Notation One (ASN.1), which is an ISO format used to accomplish interoperability among platforms. Certificate files have distinct extensions depending on the format and encoding used. X.509 is a widely used digital certificate structure, and version 3 of this standard is currently in use. Version A Certificate Serial Number A 4 i Signature Algorithm Identifier Issuer Name g E g Period of Validity ’ > - i§i§ 18 Subject Name Public Key Information v Issuer Unique ID : Subject Unique ID v Extensions All Versions : v Signature Figure 14.26: X.509 digital certificate format Module 14 Page 1696 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography The following are the basic fields included in the format. Version: This field specifies the version number of the certificate; its value can be 1, 2, or 3. Certificate serial number: It is a distinct positive number assigned for each certificate and is assigned by the issuer to identify the certificate. Signature algorithm identifier: It indicates the algorithm that the issuer uses for signing the certificate. Issuer name: It indicates the X.500 distinguished name of the trusted third party that signed and issued the certificate. Period of validity: This field indicates the dates from and till which the certificate is valid. Subject name: It is the name of the entity that owns the certificate. It can be CA, RA, a person, or a company. Public key information: This field contains the public key of the subject and the corresponding algorithm identifier. Issuer unique ID: It is the unique identifier used to facilitate the reuse of the issuer name over time. Subject unique ID: It is the unique identifier used to facilitate the reuse of the subject name over time. Extension: It is present in version 3 certificates and consists of an extension identifier, criticality flag, and extension value. The extension identifier specifies the format of the extension value extension. Signature: and criticality flag, which indicates the It contains the issuer’s digital signature, which importance is used level of the for verifying the authenticity of the digital certificate. Module 14 Page 1697 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.