Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 06_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Cryptography

Types of Digital Certificates
A wildcard certificate can be configured to a domain and all its
subdomains to minimize the complexity and cost

Y
‘\ |'/ Jfi’
J_| A Subjectfitve
mf:::{: A SAN
SAN certificate
certificate isis used
used toto protect
protect multiple
multiple websites
websites with
with aa
y/
| W3 | I[_Pfl F. Alternative
Name
:
single -
SSL certificate
Name (SAN)

Code. - ItItisais a certificate that consists of a digital signature and is used to
‘ éi
Si 5TT ’- sign executables or scripts used in code to prove the identity of
R i m.gloxing ~
~ the developer or publisher
thedeveloper

Self-signed A self-signed certificate is signed by the person or company that
Selfsigned created it, instead of a trusted certificate authority

Machine/ A machine certificate, also known as a computer certificate, is
Computer generated at the time of activation of a computer

Copyright © by [ L. All Rights Reserved. Reproduction Is Strictly Prohibited

Email 1y * Email certificates are employed to sign and encrypt emails and protect the integrity
! of email data using secure protocols such as PGP and S/MIME

User :I = AAuser
user certificate is mapped to a user account on which access is controlled

Root ;: * ltisself-signed
|tis self-signed certificate that belongs to the issuing CA. A root certificate is the
|] topmost certificate in the hierarchy and is used to sign other certificates

s 1 " Aserver certificate is used to validate a server’s identity to the client and
N
- 1 ensures that the information provided by the user is safe and secure

Domainand
Domain and 1 = A domain certificate is issued to a user after they prove a degree of control over aa domain
Adomain
Extended !.« Extended validation certificates are issued by CAs and are the highest class of SSL
validation certificates

Copyright © by E EC{ | All Rights Reserved. ReproductionIs Strictly Prohibited.
Prohibited

Types of Digital Certificates
A digital certificate allows enterprises to exchange data securely over the Internet with the help
of public key infrastructure (PKI). It is used to verify the identity of the sender/receiver of a
message and provides a method to encrypt or decrypt messages between the sender and
receiver.

Module 14 Page 1713 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

Discussed below are various types of digital certificates.

Wildcard: A wildcard certificate can be configured to a domain and all its subdomains to
minimize complexity and cost. It is mostly used in SSL certificates to extend SSL
certification to subdomains. It is represented by an asterisk and a period before the
domain name. It enables users to secure a large number of subdomains on a single
certificate. A one-time purchase of a certificate can cover any number of subdomains
that may be included in the future.
Subject alternative name (SAN): A SAN certificate is used to protect multiple websites
with a single SSL certificate. It can also cover domains with distinct top-level domains
and various levels of subdomains. It is also referred to as a unified communication
certificate, exchange certificate, or multi-domain certificate. Using a SAN certificate,
users can secure a primary domain and later add more domains to the subject
alternative field of the certificate.
Code signing: It is a certificate that consists of a digital signature and is employed to sign
executables or scripts used in code to prove the identity of the developer or publisher
and to check if the code has been altered since signing. These certificates ensure that
users do not receive a warning during installation. Code signing is used to ensure that
the code is trustworthy.

Self-signed: A self-signed certificate is signed by the person or company that created it,
instead of a trusted certificate authority. It is easy to create but cannot offer all the
features of a CA-signed certificate. Self-signed certificates are suitable for internal sites
and are used for encrypting incoming and outgoing data using identical ciphers, as in
any other paid SSL certificate.
Machine/computer: A machine certificate, also known as a computer certificate, is
generated at the time of activation of a computer. These certificates can be issued to
computing devices such as hosts and mobile devices, irrespective of their operation, and
to network components such as firewalls and routing devices. A single certificate is
installed for every user who has activated the computer into the hierarchy. It is mainly
used for client- and server-side authentication.

Email: Email certificates are employed to sign and encrypt emails and protect the
integrity of email data using secure protocols such as PGP and S/MIME. If an email is
encrypted using an email certificate, it can be decrypted only by the concerned receiver
of the email. Email certificates are installed in the email application to ensure reliable
communication. These certificates protect email data against common attacks such as
email eavesdropping, phishing, and snooping.
User: A user certificate is mapped to a user account on which access is controlled. User
certificates are stored in smart cards. When a user wishes to access a system, the smart
card is queried. The user unlocks the smart card to present the user certificate on it for
authentication. The user certificates employ PKI for validating the user or device. User
certificates are used only for authentication and not for encryption. These certificates
allow access to only authorized individuals.

Module 14 Page 1714 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

Root: It is self-signed certificate that belongs to the issuing CA. A root certificate is the
topmost certificate in the hierarchy and is used to sign other certificates. Certificates
approved by a root CA are trusted by most web browsers. For such certificates to
function as intended, they need to be installed on web servers where the domain is
hosted.

Server certificate: A server certificate is used to validate a server’s identity to the client
and ensures that the information provided by the user is safe and secure. It performs
data encryption during transit to ensure confidentiality. The major problem with
asymmetric cryptography is that anybody can implement PKI. When a client blindly
trusts the certificates for a visited website, confidential data can be exposed. These
certificates can be used to offer different levels of security based on the grade and
reputation of the website.
Domain validation: A domain certificate is issued to a user after they prove some
degree of control over a domain. It is necessary for the user to prove website ownership
to the CA for its validation. It consists of 256-bit encryption and is compatible with most
web browsers. It can be purchased by small or medium-level website owners who wish
to encrypt their domain.

Extended validation (EV): EV certificates are issued by CAs for securing online banking
transactions, ecommerce, etc. It is the highest class of SSL certificate. A website
protected by EV SSL will show a padlock and an HTTPS prefix to users to assure them
that they are on an encrypted website and that their sensitive data are secured. The
website owner must go through an identity verification process to receive this
certificate.

Module 14 Page 1715 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

Internet Key Exchange (IKE)

%
é QQO Ipsec
IPsec relies on IKE for secure key exchange and authentication
1{
QO
O IKE establishes security associations (SAs) to share security parameters such as digital certificates,
pre-shared keys, cipher algorithms, and key sizes

@ The negotiation of the IKE SA is performed in the following two phases

Phase 1 Phase 2
The IKE establishes a secure channel between two The hosts use the previously created secure
hosts using the Diffie=Hellman
Diffie-Hellman key-exchange channel to negotiate SA security parameters to
algorithm for the hosts to authenticate each other by be used with IPsec
sharing the private secret key and to encrypt the
communication

cll. All Rights Reserved. Reproduction is Strictly Prohibited

Internet Key Exchange (IKE)
IPsec relies on IKE for secure key exchange and authentication. IKE establishes security
associations (SAs) to share security parameters such as digital certificates, pre-shared keys,
cipher algorithms, and key sizes. IKE provides protection against man-in-the-middle (MITM) and
replay attacks.

IKE is used in Virtual Private Network (VPN) negotiation, remote network access, etc. to
establish a secure tunnel between two hosts. The main benefit of using IKE is that it eliminates
the manual specification of security parameters for both hosts. The negotiation of the IKE
security association (SA) is performed in the following two phases.
= Phase 1: In the first phase, the IKE establishes a secure channel between two hosts. The
hosts use the Diffie-Hellman key-exchange algorithm to authenticate each other by
sharing the private secret key and to encrypt the communication. Pre-shared keys and
RSA signatures are also supported for authentication. The result of this phase is a
bidirectional Internet Security Association and Key Management Protocol (ISAKMP) SA
channel.

= Phase 2: In the second phase of IKE, the hosts use the previously created secure channel
to negotiate SA security parameters to be used with IPsec. The result of this phase is
two bidirectional secure channels.

Module 14 Page 1716 EC-Council
Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

Key Management
1
@ The key management process includes the generation,
exchange, storage, usage, replacement, and
destruction of keys using cryptographic algorithms

It manages the complete lifecycle of the keys used in
02 a cryptosystem

Key Management ‘
Key Lifecycle
Key storage
Key storage

|
() @l
EreS
K

All Rights. All Reserved. Reproduction
Rights Reserved. Reproduction isIs Strictly
Strictly Prohibited
Prohibited

Key Management
Key management is the process of managing cryptographic keys in a cryptosystem. The key
management process includes the generation, exchange, storage, usage, archival, revocation,
and destruction of keys using cryptographic algorithms. The key management process also
involves key servers, cryptographic protocols, user procedures, and other relevant protocols. It
manages the complete lifecycle of the keys used in the cryptosystem.
The following are the main phases involved in the key management process include.
Key generation: Strong and secure key pairs are generated using standard algorithms.

Key establishment or registration: The generated key should be specific to the user,
system, or process with a name and attributes. The key is submitted to the CA to
identify the public part of the key pair. The CA verifies the client and registers the key.
Once the key is registered, it can be used for its intended purpose.
Key storage: The registered key will be used over the long term. Therefore, it needs to
be stored in a protected storage space. It is imperative for client to ensure that the
private key is stored securely and no unauthorized access is allowed
Key usage: The key should be used for its intended purpose by the client. The registered
key is used to sign and encrypt the data and other keys.
Key archival: It is the backup or recovery mechanism used to obtain lost or stolen
private key.
Key revocation: If the private key is compromised, the key pair must be revoked as early
as possible so that it cannot be used for new encryption and decryption. If the key has
already been used for encryption, it must be retained for some time. The administrator

Module 14 Page 1717 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

can restore the revoked key to decrypt the previously encrypted information. Key
revocation is also performed when an organization closes its business activities, an
employee leaves the organization, or the organization changes its domain name.
= Key destruction The key is destroyed on the expiry date (it can also be renewed). When
it needs to be removed permanently, the decommissioned key should be deleted along
with all its associated data and instances.

Key
Generation

Key Management
Lifecycle
Key storage

Key
archival

Figure 14.39: Key management lifecycle

The distribution of public keys is also a part of the key management process and can be
achieved using the following methods.
= Public announcement: In this method, the public key is broadcasted to all users. This is
not a secure method because it has high chances of key forging.

=
Recipient 1

I~. Recipient 2

o}
Recipient 3

Figure 14.40: Key exchange through public announcement

Module 14 Page 1718 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Cryptography

* Publicly available directory: In this method, the public key is stored in the public key
directory. Every user should register a public key with the directory to establish their
user ID and password. Public directories can also be subjected to forgery.
[
Public key
directory

a
- e
- -
B.
-.
-.... -
- o
-.
o.
o ".
*.
-

User1l User 2

Figure 14.41: Key exchange through a publicly available directory

= Public key authority: This method is similar to the method of publicly available
directories but enhances security by hardening control over the key distribution from
the directories. In this method, the public key has a timestamp and is signed by the
authority to protect keys from forgery.
= Public key certificates: In some cases, the public keys and directories maintained by the
authority can be susceptible to forgery. To overcome this issue, the certification
approach has been recommended. A certificate, incorporated with a public key, key
owner identifier, and the entire block, is signed by a trusted entity such as a government
agency or third party. The certificate also has a validity period and rights to use. The
certificate can be verified by any user holding the CA’s public key.

Module 14 Page 1719 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.