Chapter 14 - 04 - Discuss PKI and Certificate Management Concepts - 06_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Cryptography Types of Digital Certificates A wildcard certificate can be configured to a domain and all its subdomains to minimize the complexity and cost Y y | |'/ J_| W3 [_Pfl F. Subject A SAN certificate is used to protect multiple websites with a Alternative : Name Code éi T i m.g - single SSL certificate. - Itisa certificate that consists of a digital signature and is used to ’ sign executables or scripts used in code to prove the identity of ~ thedeveloper or publisher Self-signed A self-signed certificate is signed by the person or company that created it, instead of a trusted certificate authority A machine certificate, also known as a computer certificate, is generated at the time of activation of a computer Copyright © by [ L. All Rights Reserved. Reproduction Is Strictly Prohibited Email 1 ! * Email certificates are employed to sign and encrypt emails and protect the integrity of email data using secure protocols such as PGP and S/MIME User I = Auser certificate is mapped to a user account on which access is controlled Root ; ] * ltisself-signed certificate that belongs to the issuing CA. A root certificate is the topmost certificate in the hierarchy and is used to sign other certificates 1 " Aserver certificate is used to validate a server’s identity to the client and 1 ! = « Adomain certificate is issued to a user after they prove a degree of control over a domain Extended validation certificates are issued by CAs and are the highest class of SSL certificates s N Domain and Extended validation 1 ensures that the information provided by the user is safe and secure Copyright © by EC{ | All Rights Reserved. ReproductionIs Strictly Prohibited Types of Digital Certificates A digital certificate allows enterprises to exchange data securely over the Internet with the help of public key infrastructure (PKI). It is used to verify the identity of the sender/receiver of a message and receiver. Module 14 Page 1713 provides a method to encrypt or decrypt messages between the sender and Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Cryptography Exam 212-82 Discussed below are various types of digital certificates. Wildcard: A wildcard certificate can be configured to a domain and all its subdomains to minimize complexity and cost. It is mostly used in SSL certificates to extend SSL certification to subdomains. It is represented by an asterisk and a period before the domain name. It enables users to secure a large number of subdomains on a single certificate. A one-time purchase of a certificate can cover any number of subdomains that may be included in the future. Subject alternative name (SAN): A SAN certificate is used to protect multiple websites with a single SSL certificate. It can also cover domains with distinct top-level domains and various levels of subdomains. It is also referred to as a unified communication certificate, exchange certificate, or multi-domain certificate. Using a SAN certificate, users can secure a primary domain and later add more domains to the subject alternative field of the certificate. Code signing: It is a certificate that consists of a digital signature executables or scripts used in code to prove the identity of the and to check if the code has been altered since signing. These users do not receive a warning during installation. Code signing the code is trustworthy. and is employed to sign developer or publisher certificates ensure that is used to ensure that Self-signed: A self-signed certificate is signed by the person or company that created it, instead of a trusted certificate authority. It is easy to create but cannot offer all the features of a CA-signed certificate. Self-signed certificates are suitable for internal sites and are used for encrypting incoming and outgoing data using identical ciphers, as in any other paid SSL certificate. Machine/computer: A machine certificate, also known as a computer certificate, is generated at the time of activation of a computer. These certificates can be issued to computing devices such as hosts and mobile devices, irrespective of their operation, and to network components such as firewalls and routing devices. A single certificate is installed for every user who has activated the computer into the hierarchy. It is mainly used for client- and server-side authentication. Email: Email certificates are employed to sign and encrypt emails and protect the integrity of email data using secure protocols such as PGP and S/MIME. If an email is encrypted using an email certificate, it can be decrypted only by the concerned receiver of the email. Email certificates are installed in the email application to ensure reliable communication. These certificates protect email data against common attacks such as email eavesdropping, phishing, and snooping. User: A user certificate is mapped to a user account on which access is controlled. User certificates are stored in smart cards. When a user wishes to access a system, the smart card is queried. The user unlocks the smart card to present the user certificate on it for authentication. The user certificates employ PKI for validating the user or device. User certificates are used only for authentication and not for encryption. These certificates allow access to only authorized individuals. Module 14 Page 1714 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Root: It is self-signed certificate that belongs to the issuing CA. A root certificate is the topmost certificate in the hierarchy and is used to sign other certificates. Certificates approved by a root CA are trusted by most web browsers. For such certificates to function as intended, they need to be installed on web servers where the domain is hosted. Server certificate: A server certificate is used to validate a server’s identity to the client and ensures that the information provided by the user is safe and secure. It performs data encryption during transit to ensure confidentiality. The major problem with asymmetric cryptography is that anybody can implement PKI. When a client blindly trusts the certificates for a visited website, confidential data can be exposed. These certificates can be used to offer different levels of security based on the grade and reputation of the website. Domain validation: A domain certificate is issued to a user after they prove some degree of control over a domain. It is necessary for the user to prove website ownership to the CA for its validation. It consists of 256-bit encryption and is compatible with most web browsers. It can be purchased by small or medium-level website owners who wish to encrypt their domain. Extended validation (EV): EV certificates are issued by CAs for securing online banking transactions, ecommerce, etc. It is the highest class of SSL certificate. A website protected by EV SSL will show a padlock and an HTTPS prefix to users to assure them that they are on an encrypted website and that their sensitive data are secured. The website owner must go through an identity verification process to receive this certificate. Module 14 Page 1715 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Internet Key Exchange (IKE) é { @ Q Ipsec relies on IKE for secure key exchange and authentication QO IKE establishes security associations (SAs) to share security parameters such as digital certificates, pre-shared keys, cipher algorithms, and key sizes The negotiation of the IKE SA is performed in the following two phases Phase 1 Phase 2 The IKE establishes a secure channel between two hosts using the Diffie=Hellman key-exchange algorithm for the hosts to authenticate each other by sharing the private secret key and to encrypt the The hosts use the previously created secure channel to negotiate SA security parameters to be used with IPsec communication cll. All Rights Reserved. Reproduction is Strictly Prohibited Internet Key Exchange (IKE) IPsec relies on IKE for secure key exchange and authentication. IKE establishes security associations (SAs) to share security parameters such as digital certificates, pre-shared keys, cipher algorithms, and key sizes. IKE provides protection against man-in-the-middle (MITM) and replay attacks. IKE is used in Virtual Private Network (VPN) negotiation, remote network access, etc. to establish a secure tunnel between two hosts. The main benefit of using IKE is that it eliminates the manual specification of security parameters for both hosts. The security association (SA) is performed in the following two phases. = negotiation Phase 1: In the first phase, the IKE establishes a secure channel between two hosts. The hosts use the Diffie-Hellman key-exchange algorithm to authenticate each other by sharing the private secret key and to encrypt the communication. RSA signatures are also supported for authentication. The Pre-shared keys and result of this phase bidirectional Internet Security Association and Key Management channel. = of the IKE is a Protocol (ISAKMP) SA Phase 2: In the second phase of IKE, the hosts use the previously created secure channel to negotiate SA security parameters to be used with IPsec. The result of this phase is two bidirectional secure channels. Module 14 Page 1716 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography Key Management @ 02 The key management process includes the generation, exchange, storage, usage, replacement, and destruction of keys using cryptographic algorithms 1 It manages the complete lifecycle of the keys used in a cryptosystem Key Management Key ‘ Lifecycle Key storage EreS K | All Rights Reserved. Reproduction Is Strictly Prohibited Key Management Key management management is the process of managing cryptographic keys in a cryptosystem. The key process includes the generation, exchange, storage, usage, archival, revocation, and destruction of keys using cryptographic algorithms. The key management process also involves key servers, cryptographic protocols, user procedures, and other relevant protocols. It manages the complete lifecycle of the keys used in the cryptosystem. The following are the main phases involved in the key management process include. Key generation: Strong and secure key pairs are generated using standard algorithms. Key establishment or registration: The generated key should be specific to the user, system, or process with a name and attributes. The key is submitted to the CA to identify the public part of the key pair. The CA verifies the client and registers the key. Once the key is registered, it can be used for its intended purpose. Key storage: The registered key will be used over the long term. Therefore, it needs to be stored in a protected storage space. It is imperative for client to ensure that the private key is stored securely and no unauthorized access is allowed Key usage: The key should be used for its intended purpose by the client. The registered key is used to sign and encrypt the data and other keys. Key archival: It is the backup or recovery mechanism used to obtain lost or stolen private key. Key revocation: If the private key is compromised, the key pair must be revoked as early as possible so that it cannot be used for new encryption and decryption. If the key has already been used for encryption, it must be retained for some time. The administrator Module 14 Page 1717 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography can restore the revoked key to decrypt the previously encrypted information. Key revocation is also performed when an organization closes its business activities, an employee leaves the organization, or the organization changes its domain name. = Key destruction The key is destroyed on the expiry date (it can also be renewed). When it needs to be removed permanently, the decommissioned key should be deleted along with all its associated data and instances. Key Generation Key Management Lifecycle Key storage Key archival Figure 14.39: Key management lifecycle The distribution of public keys is also a part of the key management achieved using the following methods. = process and can be Public announcement: In this method, the public key is broadcasted to all users. This is not a secure method because it has high chances of key forging. = Recipient 1 I~. Recipient 2 o} Recipient 3 Figure 14.40: Key exchange through public announcement Module 14 Page 1718 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Cryptography * Publicly available directory: In this method, the public key is stored in the public key directory. Every user should register a public key with the directory to establish their user ID and password. Public directories can also be subjected to forgery. [ a Public key directory - * o o - -.. - - B - - e -.... - o.. ". User1l. User 2 Figure 14.41: Key exchange through a publicly available directory = Public key authority: This method is similar to the method of publicly available directories but enhances security by hardening control over the key distribution from the directories. In this method, the public key has a timestamp and is signed by the authority to protect keys from forgery. = Public key certificates: In some cases, the public keys and directories maintained by the authority can be susceptible to forgery. To overcome this issue, the certification approach has been recommended. A certificate, incorporated with a public key, key owner identifier, and the entire block, is signed by a trusted entity such as a government agency or third party. The certificate also has a validity period and rights to use. The certificate can be verified by any user holding the CA’s public key. Module 14 Page 1719 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.