PKI Trust Models PDF
Summary
This document discusses PKI Trust Models. It covers peer-to-peer, hierarchical, and hybrid approaches. The document is focused on the concepts of trust models in PKI.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Cryptography

PKI Trust Models

- A trust model is a set of rules or constraints that instruct a client application on how to verify the authenticity of digital certificates.
- Peer-to-Peer trust model: Clients depend on their local CAs, which serve as a starting point. It is useful for small organizations.

[Slide figure: peer-to-peer trust model with two CAs, CA1 and CA2, each with its own users]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

PKI Trust Models (Cont'd)

Hierarchical Trust Model
- It is an inverted tree-like structure in which one master CA, called a root, is the initial point of trust.
- The root CA sends all the information to its descendants, known as intermediate or subordinate CAs.
- All nodes in this model trust the master CA and hold the public key certificate of the master CA.
- Any problem in the root CA can impact the overall trust in the PKI infrastructure.

[Slide figure: Root CA above Subordinate CA1 and Subordinate CA2, which are above Subordinate CA11 and Subordinate CA21; Users at the leaves]

Module 14 Page 1708

PKI Trust Models (Cont'd)

Hybrid Trust Model
- It is a combination of peer-to-peer and hierarchical trust models.
- The root CAs perform peer-to-peer tasks by sharing public keys.
- The intermediate CAs trust only their respective root CAs and other intermediate CAs within the hybrid environment.

Bridge Trust Model
- It reduces the number of cross-certificates needed to be associated with PKIs.
- In a bridge CA, one CA serves as a central hub for connecting all other CAs and acts as a communication medium for them.

Web of Trust (WoT)
- Web of trust (WoT) is a trust model of PGP-, OpenPGP-, and GnuPG-accessible systems.
- Everyone in the network is a certificate authority (CA) and signs for other trusted entities.
- WoT is a network chain in which individuals act as intermediaries to validate each other's certificates using their signatures.
- Every user in the network has a ... to encrypt data, and they introduce many other users whom they trust.

[Slide figures: hybrid trust model with two Root CAs sharing public keys; bridge trust model with a Bridge CA as the hub between CAs]

PKI Trust Models

A trust model is a set of rules or constraints that instruct client applications on how to verify the authenticity of digital certificates. The trust is built from different security policies, services, operations, and protocols that provide interoperability through public-key encryption and certificate management and together provide a certain level of security. In public key infrastructure (PKI), the trust originates from a third party known as the certificate authority (CA). The PKI architecture explains its certificates and the trust relationships among them.

Module 14 Page 1709

Discussed below are different types of trust models in PKI.

Peer-to-peer trust model: In the peer-to-peer trust model, CAs do not have any intermediate CAs. There is no trust anchor between the CAs involved in the certificate process. In this model, clients usually depend on their local CAs, which serve as a starting point. The two CAs here are separate trust domains; only domain users can validate a domain user using their public key, which creates bi-directional trust. This type of trust model is useful for small organizations.

Figure 14.34: Peer-to-peer trust model

Hierarchical trust model: This trust model is an inverted tree-like structure in which one master CA, called a root, is the initial point of trust. The root CA sends all the information to its descendants, known as intermediate CAs or subordinate CAs, which only trust the information sent by the master CA. The master CA also trusts the intermediate CAs in the hierarchical structure. The leaf nodes are the users. All nodes in this model trust the master CA and hold the public key certificate of the master CA. The interaction between two users to validate themselves using the public key certificate should be performed through the root or master CA. The entire trust can be achieved from the root CA; any problem in the root CA can impact the overall trust in the PKI infrastructure.

[Figure: Root CA above Subordinate CA1 and Subordinate CA2, which are above Subordinate CA11 and Subordinate CA21]

Figure 14.35: Hierarchical trust model

Module 14 Page 1710

Hybrid trust model: This trust model is a combination of peer-to-peer and hierarchical trust models, in which root CAs perform peer-to-peer tasks by sharing public keys. The intermediate CAs trust only their respective root CAs and other intermediate CAs within the hybrid environment. Each root CA forms a separate trust domain with its child classes (nodes). This model is useful for cross-certification, where one domain user can verify another domain user. This is a widely used and easily operable model for cases in which two organizations or departments need to be combined.

[Figure: two Root CAs sharing public keys, each above its own Intermediate CA]

Figure 14.36: Hybrid trust model

Bridge trust model: This model supports PKI applications across organizations and avoids conditions where clients need to hold the information of numerous trust points or enterprises wish to build cross-links to various other enterprises (or departments). Bridge CAs (BCAs) reduce the number of cross-certificates needed to be associated with PKIs. In a BCA, one CA serves as a central hub for connecting all other CAs and acts as a communication medium for them. Every intermediate CA trusts only the CAs that are connected above and below it, but an additional CA can be constructed without generating extra layers of CAs. The major advantages of this model are its flexibility and its support for smooth interoperability between enterprises or departments.

[Figure: several CAs connected through a central Bridge CA]

Figure 14.37: Bridge trust model

Module 14 Page 1711

Web of trust (WoT): WoT is a trust model of PGP-, OpenPGP-, and GnuPG-accessible systems. It is based on the idea of decentralizing key distribution among PGP users. In PKI, only a centralized power such as the CA signs certificates in the network, ensuring authenticity between the public key and its owner. In WoT, everyone in the network is a CA and can sign for other trusted entities. WoT is a network chain in which individuals act as intermediaries to validate each other's certificates using their signatures. These signatures verify the ownership of keys from various trust levels. There are various similar trust levels through direct or indirect references in WoT.

[Figure: Alice (main user) has direct trust in Bob (friend) and John (friend); through them she has indirect trust in Henry (outsider) and Smith (outsider)]

Figure 14.38: Working of WoT

Module 14 Page 1712
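As an added illustration (not part of the EC-Council material) of why the trust model decides what a client can validate, the following Python script models certificates as issuer-to-subject signatures and searches for a chain from a client's trust anchor. It covers the hierarchical, peer-to-peer, bridge and web-of-trust cases above, using the CA and user names from Figures 14.34 to 14.38; the helper names `build_chain`, `bridge_certs` and `cross_certs_needed` and the cross-certificate counting formula are assumptions of this example, and no real cryptography is performed.

```python
from collections import deque

# Constructed model (not the course's code): a certificate is an (issuer, subject)
# pair meaning "issuer signed subject's public key". No real cryptography here;
# the point is which validation paths each trust model makes possible.

def build_chain(certs, trust_anchors, subject):
    """Breadth-first search for a certificate chain from one of the client's
    trust anchors to `subject`. Returns the path, or None if `subject` cannot
    be validated (no chain of signatures reaches a trusted CA)."""
    issued = {}
    for issuer, subj in certs:
        issued.setdefault(issuer, []).append(subj)
    queue = deque([anchor] for anchor in trust_anchors)
    seen = set(trust_anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == subject:
            return path
        for nxt in issued.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def bridge_certs(cas, hub="Bridge"):
    """Cross-certificates of a bridge CA model: every CA and the hub sign each other."""
    return [(ca, hub) for ca in cas] + [(hub, ca) for ca in cas]

def cross_certs_needed(n_cas, bridged):
    """Cross-certificates so every CA can validate every other CA's users
    (assumed counts): a full mesh needs one per ordered pair, n*(n-1);
    a bridge CA needs only one per CA per direction, 2*n."""
    return 2 * n_cas if bridged else n_cas * (n_cas - 1)

# Hierarchical model (Figure 14.35): one root, subordinate CAs, users at the leaves.
HIERARCHICAL = [("Root", "CA1"), ("Root", "CA2"), ("CA1", "CA11"), ("CA2", "CA21"),
                ("CA11", "alice"), ("CA21", "bob")]
# Peer-to-peer model (Figure 14.34): two independent trust domains, no shared anchor.
PEER_TO_PEER = [("CA1", "alice"), ("CA2", "bob")]
# Web of trust (Figure 14.38): users sign the keys of the people they trust directly.
WEB_OF_TRUST = [("Alice", "Bob"), ("Alice", "John"), ("Bob", "Henry"), ("John", "Smith")]

if __name__ == "__main__":
    print(build_chain(HIERARCHICAL, {"Root"}, "bob"))      # Root -> CA2 -> CA21 -> bob
    print(build_chain(PEER_TO_PEER, {"CA1"}, "bob"))       # None: CA2's domain is untrusted
    print(build_chain(PEER_TO_PEER + bridge_certs(["CA1", "CA2"]), {"CA1"}, "bob"))
    print(build_chain(WEB_OF_TRUST, {"Alice"}, "Henry"))   # indirect trust through Bob
    print(cross_certs_needed(6, False), cross_certs_needed(6, True))  # 30 vs 12
```

The `None` result for the peer-to-peer case is the behaviour a client sees when its only trust anchor is its local CA; adding the bridge cross-certificates is what turns that into a valid path.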