Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 06_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Cryptography Types of Digital Certificates...

Certified Cybersecurity Technician Exam 212-82 Cryptography Types of Digital Certificates A wildcard certificate can be configured to a domain and all its subdomains to minimize the complexity and cost Y ‘\ |'/ Jfi’ J_| A Subjectfitve mf:::{: A SAN SAN certificate certificate isis used used toto protect protect multiple multiple websites websites with with aa y/ | W3 | I[_Pfl F. Alternative Name : single - SSL certificate Name (SAN) Code. - ItItisais a certificate that consists of a digital signature and is used to ‘ éi Si 5TT ’- sign executables or scripts used in code to prove the identity of R i m.gloxing ~ ~ the developer or publisher thedeveloper Self-signed A self-signed certificate is signed by the person or company that Selfsigned created it, instead of a trusted certificate authority Machine/ A machine certificate, also known as a computer certificate, is Computer generated at the time of activation of a computer Copyright © by [ L. All Rights Reserved. Reproduction Is Strictly Prohibited Email 1y * Email certificates are employed to sign and encrypt emails and protect the integrity ! of email data using secure protocols such as PGP and S/MIME User :I = AAuser user certificate is mapped to a user account on which access is controlled Root ;: * ltisself-signed |tis self-signed certificate that belongs to the issuing CA. A root certificate is the |] topmost certificate in the hierarchy and is used to sign other certificates s 1 " Aserver certificate is used to validate a server’s identity to the client and N - 1 ensures that the information provided by the user is safe and secure Domainand Domain and 1 = A domain certificate is issued to a user after they prove a degree of control over aa domain Adomain Extended !.« Extended validation certificates are issued by CAs and are the highest class of SSL validation certificates Copyright © by E EC{ | All Rights Reserved. ReproductionIs Strictly Prohibited. Prohibited Types of Digital Certificates A digital certificate allows enterprises to exchange data securely over the Internet with the help of public key infrastructure (PKI). It is used to verify the identity of the sender/receiver of a message and provides a method to encrypt or decrypt messages between the sender and receiver. Module 14 Page 1713 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Discussed below are various types of digital certificates. Wildcard: A wildcard certificate can be configured to a domain and all its subdomains to minimize complexity and cost. It is mostly used in SSL certificates to extend SSL certification to subdomains. It is represented by an asterisk and a period before the domain name. It enables users to secure a large number of subdomains on a single certificate. A one-time purchase of a certificate can cover any number of subdomains that may be included in the future. Subject alternative name (SAN): A SAN certificate is used to protect multiple websites with a single SSL certificate. It can also cover domains with distinct top-level domains and various levels of subdomains. It is also referred to as a unified communication certificate, exchange certificate, or multi-domain certificate. Using a SAN certificate, users can secure a primary domain and later add more domains to the subject alternative field of the certificate. Code signing: It is a certificate that consists of a digital signature and is employed to sign executables or scripts used in code to prove the identity of the developer or publisher and to check if the code has been altered since signing. These certificates ensure that users do not receive a warning during installation. Code signing is used to ensure that the code is trustworthy. Self-signed: A self-signed certificate is signed by the person or company that created it, instead of a trusted certificate authority. It is easy to create but cannot offer all the features of a CA-signed certificate. Self-signed certificates are suitable for internal sites and are used for encrypting incoming and outgoing data using identical ciphers, as in any other paid SSL certificate. Machine/computer: A machine certificate, also known as a computer certificate, is generated at the time of activation of a computer. These certificates can be issued to computing devices such as hosts and mobile devices, irrespective of their operation, and to network components such as firewalls and routing devices. A single certificate is installed for every user who has activated the computer into the hierarchy. It is mainly used for client- and server-side authentication. Email: Email certificates are employed to sign and encrypt emails and protect the integrity of email data using secure protocols such as PGP and S/MIME. If an email is encrypted using an email certificate, it can be decrypted only by the concerned receiver of the email. Email certificates are installed in the email application to ensure reliable communication. These certificates protect email data against common attacks such as email eavesdropping, phishing, and snooping. User: A user certificate is mapped to a user account on which access is controlled. User certificates are stored in smart cards. When a user wishes to access a system, the smart card is queried. The user unlocks the smart card to present the user certificate on it for authentication. The user certificates employ PKI for validating the user or device. User certificates are used only for authentication and not for encryption. These certificates allow access to only authorized individuals. Module 14 Page 1714 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Root: It is self-signed certificate that belongs to the issuing CA. A root certificate is the topmost certificate in the hierarchy and is used to sign other certificates. Certificates approved by a root CA are trusted by most web browsers. For such certificates to function as intended, they need to be installed on web servers where the domain is hosted. Server certificate: A server certificate is used to validate a server’s identity to the client and ensures that the information provided by the user is safe and secure. It performs data encryption during transit to ensure confidentiality. The major problem with asymmetric cryptography is that anybody can implement PKI. When a client blindly trusts the certificates for a visited website, confidential data can be exposed. These certificates can be used to offer different levels of security based on the grade and reputation of the website. Domain validation: A domain certificate is issued to a user after they prove some degree of control over a domain. It is necessary for the user to prove website ownership to the CA for its validation. It consists of 256-bit encryption and is compatible with most web browsers. It can be purchased by small or medium-level website owners who wish to encrypt their domain. Extended validation (EV): EV certificates are issued by CAs for securing online banking transactions, ecommerce, etc. It is the highest class of SSL certificate. A website protected by EV SSL will show a padlock and an HTTPS prefix to users to assure them that they are on an encrypted website and that their sensitive data are secured. The website owner must go through an identity verification process to receive this certificate. Module 14 Page 1715 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Internet Key Exchange (IKE) % é QQO Ipsec IPsec relies on IKE for secure key exchange and authentication 1{ QO O IKE establishes security associations (SAs) to share security parameters such as digital certificates, pre-shared keys, cipher algorithms, and key sizes @ The negotiation of the IKE SA is performed in the following two phases Phase 1 Phase 2 The IKE establishes a secure channel between two The hosts use the previously created secure hosts using the Diffie=Hellman Diffie-Hellman key-exchange channel to negotiate SA security parameters to algorithm for the hosts to authenticate each other by be used with IPsec sharing the private secret key and to encrypt the communication cll. All Rights Reserved. Reproduction is Strictly Prohibited Internet Key Exchange (IKE) IPsec relies on IKE for secure key exchange and authentication. IKE establishes security associations (SAs) to share security parameters such as digital certificates, pre-shared keys, cipher algorithms, and key sizes. IKE provides protection against man-in-the-middle (MITM) and replay attacks. IKE is used in Virtual Private Network (VPN) negotiation, remote network access, etc. to establish a secure tunnel between two hosts. The main benefit of using IKE is that it eliminates the manual specification of security parameters for both hosts. The negotiation of the IKE security association (SA) is performed in the following two phases. = Phase 1: In the first phase, the IKE establishes a secure channel between two hosts. The hosts use the Diffie-Hellman key-exchange algorithm to authenticate each other by sharing the private secret key and to encrypt the communication. Pre-shared keys and RSA signatures are also supported for authentication. The result of this phase is a bidirectional Internet Security Association and Key Management Protocol (ISAKMP) SA channel. = Phase 2: In the second phase of IKE, the hosts use the previously created secure channel to negotiate SA security parameters to be used with IPsec. The result of this phase is two bidirectional secure channels. Module 14 Page 1716 EC-Council Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Key Management 1 @ The key management process includes the generation, exchange, storage, usage, replacement, and destruction of keys using cryptographic algorithms It manages the complete lifecycle of the keys used in 02 a cryptosystem Key Management ‘ Key Lifecycle Key storage Key storage | () @l EreS K All Rights. All Reserved. Reproduction Rights Reserved. Reproduction isIs Strictly Strictly Prohibited Prohibited Key Management Key management is the process of managing cryptographic keys in a cryptosystem. The key management process includes the generation, exchange, storage, usage, archival, revocation, and destruction of keys using cryptographic algorithms. The key management process also involves key servers, cryptographic protocols, user procedures, and other relevant protocols. It manages the complete lifecycle of the keys used in the cryptosystem. The following are the main phases involved in the key management process include. Key generation: Strong and secure key pairs are generated using standard algorithms. Key establishment or registration: The generated key should be specific to the user, system, or process with a name and attributes. The key is submitted to the CA to identify the public part of the key pair. The CA verifies the client and registers the key. Once the key is registered, it can be used for its intended purpose. Key storage: The registered key will be used over the long term. Therefore, it needs to be stored in a protected storage space. It is imperative for client to ensure that the private key is stored securely and no unauthorized access is allowed Key usage: The key should be used for its intended purpose by the client. The registered key is used to sign and encrypt the data and other keys. Key archival: It is the backup or recovery mechanism used to obtain lost or stolen private key. Key revocation: If the private key is compromised, the key pair must be revoked as early as possible so that it cannot be used for new encryption and decryption. If the key has already been used for encryption, it must be retained for some time. The administrator Module 14 Page 1717 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography can restore the revoked key to decrypt the previously encrypted information. Key revocation is also performed when an organization closes its business activities, an employee leaves the organization, or the organization changes its domain name. = Key destruction The key is destroyed on the expiry date (it can also be renewed). When it needs to be removed permanently, the decommissioned key should be deleted along with all its associated data and instances. Key Generation Key Management Lifecycle Key storage Key archival Figure 14.39: Key management lifecycle The distribution of public keys is also a part of the key management process and can be achieved using the following methods. = Public announcement: In this method, the public key is broadcasted to all users. This is not a secure method because it has high chances of key forging. = Recipient 1 I~. Recipient 2 o} Recipient 3 Figure 14.40: Key exchange through public announcement Module 14 Page 1718 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography * Publicly available directory: In this method, the public key is stored in the public key directory. Every user should register a public key with the directory to establish their user ID and password. Public directories can also be subjected to forgery. [ Public key directory a - e - - B. -. -.... - - o -. o. o ". *. - User1l User 2 Figure 14.41: Key exchange through a publicly available directory = Public key authority: This method is similar to the method of publicly available directories but enhances security by hardening control over the key distribution from the directories. In this method, the public key has a timestamp and is signed by the authority to protect keys from forgery. = Public key certificates: In some cases, the public keys and directories maintained by the authority can be susceptible to forgery. To overcome this issue, the certification approach has been recommended. A certificate, incorporated with a public key, key owner identifier, and the entire block, is signed by a trusted entity such as a government agency or third party. The certificate also has a validity period and rights to use. The certificate can be verified by any user holding the CA’s public key. Module 14 Page 1719 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser