Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 05_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Cryptography Exam 212-82

Slide: PKI Trust Models

A trust model is a set of rules or constraints that instruct a client application on how to verify the authenticity of digital certificates.

Peer-to-Peer trust model
- Clients depend on their local CAs, which serve as a starting point.
- It is useful for small organizations.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Slide: PKI Trust Models (Cont'd)

Hierarchical Trust Model
- It is an inverted tree-like structure in which one master CA, called a root, is the initial point of trust.
- The root CA sends all the information to its descendants, known as intermediate or subordinate CAs.
- All nodes in this model trust the master CA and hold the public key certificate of the master CA.
- Any problem in the root CA can impact the overall trust in the PKI infrastructure.

(Slide diagram: a root CA with Subordinate CA1 and Subordinate CA2 beneath it, and Subordinate CA11 and Subordinate CA21 beneath those.)

Module 14 Page 1708 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Slide: PKI Trust Models (Cont'd)

Hybrid Trust Model
- It is a combination of the peer-to-peer and hierarchical trust models.
- The root CAs perform peer-to-peer tasks by sharing public keys.
- The intermediate CAs trust only their respective root CAs and other intermediate CAs within the hybrid environment.

Bridge Trust Model
- It reduces the number of cross-certificates that need to be associated with PKIs.
- In a bridge CA, one CA serves as a central hub for connecting all other CAs and acts as a communication medium for them.

(Slide diagram: two root CAs, each with an intermediate CA beneath it.)

Slide: PKI Trust Models (Cont'd)

Web of Trust (WoT)
- Web of trust (WoT) is a trust model of PGP-, OpenPGP-, and GnuPG-accessible systems.
- Everyone in the network is a certificate authority (CA) and signs for other trusted entities.
- WoT is a network chain in which individuals act as intermediaries to validate each other's certificates using their signatures.
- Every user in the network has a [...] to encrypt data, and they introduce many other users whom they trust.

PKI Trust Models

A trust model is a set of rules or constraints that instruct client applications on how to verify the authenticity of digital certificates. The trust is built from different security policies, services, operations, and protocols that provide interoperability through public-key encryption and certificate management, and together they provide a certain level of security. In public key infrastructure (PKI), the trust originates from a third party known as the certificate authority (CA). The PKI architecture describes its certificates and the trust relationships among them.

Discussed below are the different types of trust models in PKI.

Peer-to-peer trust model: In the peer-to-peer trust model, CAs do not have any intermediate CAs. There is no trust anchor between the CAs involved in the certificate process. In this model, clients usually depend on their local CAs, which serve as a starting point. The two CAs here are separate trust domains; only domain users can validate a domain user using their public key, which creates bi-directional trust. This type of trust model is useful for small organizations.

Figure 14.34: Peer-to-peer trust model

Hierarchical trust model: This trust model is an inverted tree-like structure in which one master CA, called a root, is the initial point of trust. The root CA sends all the information to its descendants, known as intermediate CAs or subordinate CAs, which only trust the information sent by the master CA. The master CA also trusts the intermediate CAs in the hierarchical structure. The leaf nodes are the users. All nodes in this model trust the master CA and hold the public key certificate of the master CA. The interaction between two users to validate themselves using the public key certificate should be performed through the root or master CA. The entire trust can be achieved from the root CA; any problem in the root CA can impact the overall trust in the PKI infrastructure.

Figure 14.35: Hierarchical trust model (a root CA with Subordinate CA1 and CA2 beneath it, and Subordinate CA11 and CA21 beneath those)

Hybrid trust model: This trust model is a combination of the peer-to-peer and hierarchical trust models, in which root CAs perform peer-to-peer tasks by sharing public keys. The intermediate CAs trust only their respective root CAs and other intermediate CAs within the hybrid environment. Each root CA forms a separate trust domain with its child classes (nodes). This model is useful for cross-certification, where one domain user can verify another domain user. It is a widely used and easily operated model, suited to cases in which two organizations or departments need to be combined.

Figure 14.36: Hybrid trust model (two root CAs, each with an intermediate CA beneath it)

Bridge trust model: This model supports PKI applications across numerous organizations and avoids conditions where clients need to hold the information of trust points, or where enterprises wish to build crosslinks to various other enterprises (or departments). Bridge CAs (BCAs) reduce the number of cross-certificates that need to be associated with PKIs. In a BCA, one CA serves as a central hub for connecting all other CAs and acts as a communication medium for them. Every intermediate CA trusts only the CAs that are connected above and below it, but an additional CA can be constructed without generating extra layers of CAs. The major advantages of this model are its flexibility and its support for smooth interoperability between enterprises or departments.

Figure 14.37: Bridge trust model (a central bridge CA connected to the surrounding CAs)

Web of trust (WoT): WoT is a trust model of PGP-, OpenPGP-, and GnuPG-accessible systems. It is based on the idea of decentralizing key distribution among PGP users. In PKI, only a centralized power such as the CA signs certificates in the network, ensuring authenticity between the public key and its owner. In WoT, everyone in the network is a CA and can sign for other trusted entities. WoT is a network chain in which individuals act as intermediaries to validate each other's certificates using their signatures. These signatures verify the ownership of keys from various trust levels. There are various similar trust levels, established through direct or indirect references, in WoT.

Figure 14.38: Working of WoT (Alice, the user, has direct trust in her friends Allen, Smith and Bob; Henry and John, the outsiders, are reached only through indirect trust via those friends)
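The hierarchical, hybrid and bridge models above all come down to one question a client asks: can this certificate be chained back to a root I hold? The following is an added example, not code from the course or from EC-Council, written in Go against the standard crypto/x509 library. It builds two small hierarchies (Root A -> Int A -> Alice, Root B -> Int B -> Bob; all names and keys are constructed in memory for the demonstration), then has the two roots certify each other's public keys, which is how root CAs in the hybrid and bridge models share trust. A client holding only Root A rejects Bob's certificate until Root A's cross-certificate for Root B is available as an intermediate; issuing the cross-certificate in the other direction gives the bi-directional trust the peer-to-peer model describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a CA's private key with its certificate (all generated in memory).
type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var serial int64 // monotonic serial-number source for the demo

// issue signs a certificate for subjectKey's public key under the given
// common name. A nil parent produces a self-signed root certificate.
func issue(cn string, isCA bool, subjectKey *ecdsa.PrivateKey, parent *ca) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, subjectKey // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &subjectKey.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func newCA(cn string, parent *ca) *ca {
	k := newKey()
	return &ca{key: k, cert: issue(cn, true, k, parent)}
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// chains reports whether leaf can be chained back to a root the client
// holds, using only the supplied intermediate certificates.
func chains(leaf *x509.Certificate, roots, intermediates *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Results records the outcome of each verification attempt.
type Results struct {
	AliceUnderA      bool // own hierarchy: Root A -> Int A -> Alice
	BobUnderANoCross bool // foreign hierarchy with no cross-certificate
	BobUnderACross   bool // foreign hierarchy reached via Root A's cross-certificate
	AliceUnderBCross bool // the reverse direction via Root B's cross-certificate
}

// Demo builds two hierarchies and cross-certifies their roots in both
// directions, as root CAs do when they share public keys.
func Demo() Results {
	rootA, rootB := newCA("Root A", nil), newCA("Root B", nil)
	intA, intB := newCA("Int A", rootA), newCA("Int B", rootB)
	alice := issue("Alice", false, newKey(), intA)
	bob := issue("Bob", false, newKey(), intB)
	// Cross-certificates: Root A certifies Root B's public key and vice versa.
	crossB := issue("Root B", true, rootB.key, rootA)
	crossA := issue("Root A", true, rootA.key, rootB)
	return Results{
		AliceUnderA:      chains(alice, pool(rootA.cert), pool(intA.cert)),
		BobUnderANoCross: chains(bob, pool(rootA.cert), pool(intB.cert)),
		BobUnderACross:   chains(bob, pool(rootA.cert), pool(intB.cert, crossB)),
		AliceUnderBCross: chains(alice, pool(rootB.cert), pool(intA.cert, crossA)),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Note that the client's trust store never changes: it holds one root in every case. Cross-certificates travel with the chain as intermediates, which is also why a compromised or mis-issued root affects every certificate beneath it, as the hierarchical model's text warns.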
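To make the direct and indirect trust levels of the web of trust concrete, here is an added example (not from the course or from any PGP implementation) that models Figure 14.38 as a signature graph in Go. The names, the signature lists, and the extra outsider "Mallory" are constructed sample data; the rule that only the verifier's designated introducers may vouch for further keys is an assumption modelled on PGP's owner-trust idea and goes slightly beyond the figure, which shows just the two levels.

```go
package main

import "fmt"

// Level classifies how a verifier reaches another user's key.
type Level string

const (
	Direct   Level = "direct"   // the verifier signed the key personally
	Indirect Level = "indirect" // a trusted introducer signed the key
	None     Level = "none"     // no signature path from a trusted party
)

// Signatures maps each signer to the users whose keys that signer has signed.
// Constructed sample data modelled on Figure 14.38; "Mallory" is added to show
// that an outsider's signature does not extend the web (assumption).
var Signatures = map[string][]string{
	"Alice": {"Allen", "Smith", "Bob"},
	"Allen": {"Henry"},
	"Smith": {"John"},
	"Bob":   {"John"},
	"Henry": {"Mallory"},
}

// AliceIntroducers lists the friends whose signatures Alice accepts as
// introductions. Outsiders such as Henry are absent, so their signatures
// validate nothing for her (assumption modelled on PGP owner trust).
var AliceIntroducers = map[string]bool{"Allen": true, "Smith": true, "Bob": true}

// Classify searches the signature graph breadth-first from verifier and
// returns subject's trust level plus the chain of signers establishing it.
func Classify(sigs map[string][]string, introducers map[string]bool, verifier, subject string) (Level, []string) {
	type node struct {
		name string
		path []string
	}
	visited := map[string]bool{verifier: true}
	queue := []node{{verifier, []string{verifier}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		// Only the verifier's own signatures and those of designated introducers count.
		if cur.name != verifier && !introducers[cur.name] {
			continue
		}
		for _, signed := range sigs[cur.name] {
			path := append(append([]string{}, cur.path...), signed)
			if signed == subject {
				if cur.name == verifier {
					return Direct, path
				}
				return Indirect, path
			}
			if !visited[signed] {
				visited[signed] = true
				queue = append(queue, node{signed, path})
			}
		}
	}
	return None, nil
}

func main() {
	for _, who := range []string{"Allen", "Henry", "John", "Mallory"} {
		lvl, path := Classify(Signatures, AliceIntroducers, "Alice", who)
		fmt.Printf("%-8s %-8s %v\n", who, lvl, path)
	}
}
```

Run from Alice's point of view, Allen is direct, Henry and John are indirect through Allen and Smith respectively, and Mallory is unreachable because the only signature on that key comes from Henry, who is not one of Alice's introducers. The returned path is what an auditor would want to see: it names exactly who vouched for whom.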
