Chapter 14 - PKI and Certificate Management Concepts PDF
Document Details
Uploaded by barrejamesteacher
EC-Council
Summary
This chapter discusses PKI (Public Key Infrastructure) and certificate management concepts, including key escrow, certificate chaining, and certificate pinning. It explains the processes and their importance in cybersecurity.
Full Transcript
Certified Cybersecurity Technician Exam 212-82
Cryptography

Key Escrow and Certificate Chaining

Key escrow:
- It is the process of keeping secret keys with a certified third party that serves as a backup for cryptographic keys
- It ensures that critical keys are safe in case of disasters

Certificate chaining:
- Also referred to as the chain of trust, certificate chaining is established by a set of certificates starting from the server certificates and ending with the root certificates

[Slide diagrams. Key escrow: sends copies of the private key to the third party; users can obtain these copies when keys are lost; encrypted user data. Certificate chaining: organization's certificate, intermediate CA's certificate, issuer, verifies.]

Key Escrow

Key escrow is the process of keeping secret keys with a certified third party that serves as a backup for cryptographic keys. In this mechanism, the private key is split into two parts, each of which is encrypted. The two halves of the key are handed over to a third party that stores the key segments in a secure location. Users can obtain these two copies of keys and combine them to decrypt the data. Using this mechanism, organizations can ensure that their critical keys are safe in the case of a disaster or stolen/lost keys. These keys are often secured with additional encryption and can be accessed by users when required.

[Figure labels: sends copies of the private key to the trusted third party; users can obtain these copies when keys are lost; third party; encrypted user data]
Figure 14.42: Illustration of key escrow

Certificate Chaining

The certificate chain, also referred to as the chain of trust, is established by a set of certificates starting from the server certificates and ending with the root certificates. If the server certificate is legitimate, the signature of the certificate should be discoverable by its root certificate authority (CA).
The chain of trust is formed when each certificate is signed by a party that is trusted by the next certified party. By default, users can discover Root CAs, but intermediate and server certificates should be signed by a CA that is not discoverable by the client's browser. In such cases, the root CA should validate and sign the intermediate CA, which then signs the server certificate. When a user attempts to connect with a server that holds a certificate signed by an intermediate CA, the server certificates can be tracked by the root CA through its intermediate CA, which is how the user gains trust. Certificate chaining makes key management and certificate tracking easy by forming a hierarchical structure of certificates in which validating the master or root CA automatically validates the rest of the chain.

Module 14 Page 1720 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

[Figure labels: organization's certificate; intermediate CA's certificate; issuer; client; verify server's public key; valid public key; web server]

Certificate Pinning

Certificate pinning allows a client application to verify the corresponding server's certificate using a pre-installed digital certificate. Upon pinning the server's certificate to the client's application, the client application follows the basic validation procedure using the server's given public key and also verifies whether the server's certificate matches its pinned certificate. To determine whether the server's certificate matches the pinned certificate, the client must check the entire certificate or its public key. Instead of using a copy of the public key or certificate, the client can use fingerprints that serve the same purpose. Here, a fingerprint can be a hash form of the same public key or certificate.
If fingerprints match between the server and client certificates, the connection is established; otherwise, the client's application denies the connection. The certificate integrated inside an application can eventually expire. Upon expiration, the client must update the application to a new version that is embedded with an updated certificate.

How Certificate Pinning Works
- A copy of the certificate integrated in the client's application is used during the SSL/TLS handshake.
- The client SDK checks whether the server certificate's public key matches the application certificate's public key.
- If the pinning process is successful, the public key inside the certificate is used to check the integrity of the server certificate.
- If the pinning process is unsuccessful, all SSL/TLS queries to the server are refused by the client application.

HTTP Public Key Pinning (HPKP) is an example of certificate pinning. It is a trust on first use (TOFU) technique used in an HTTP header that allows a web client to associate a specific public key certificate with a particular server to minimize the risk of MITM attacks based on fraudulent certificates.

[Figure labels: send public keys using HPKP; TLS session establishment; verify server's public key; invalid public key; web server]
Figure 14.44: Certificate pinning using HPKP
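The pin check described above, as an added Python example that is not part of the original course text: the client keeps normal TLS validation and additionally compares a SHA-256 fingerprint of the server certificate against a pin set embedded in the application. The function names, the two-entry pin set (current certificate plus its replacement, to cover the expiry case the text mentions) and the byte strings standing in for certificates are assumptions constructed for this example.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: set[str]) -> bool:
    """True if the certificate's fingerprint equals any pinned fingerprint."""
    seen = fingerprint(der_cert)
    # Compare against every pin (no early exit) using a constant-time comparison.
    results = [hmac.compare_digest(seen, p.lower()) for p in pinned]
    return any(results)


def connect_pinned(host: str, port: int, pinned: set[str]) -> ssl.SSLSocket:
    """Open a TLS connection that passes normal validation AND the pin check."""
    ctx = ssl.create_default_context()  # chain and hostname validation stay on
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        sock.close()  # pin failure: refuse the connection before sending data
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return sock


# Constructed stand-ins for DER certificates (not real certificates). A hash
# pin treats the certificate as opaque bytes, so byte strings are enough here.
CURRENT_CERT = b"constructed-der:current server certificate"
NEXT_CERT = b"constructed-der:replacement issued before expiry"
ROGUE_CERT = b"constructed-der:certificate from an unexpected issuer"

# Pin set shipped inside the application: the current certificate and its
# planned replacement, so a renewal does not lock out installed clients.
PINS = {fingerprint(CURRENT_CERT), fingerprint(NEXT_CERT)}

if __name__ == "__main__":
    for name, cert in [("current", CURRENT_CERT), ("next", NEXT_CERT),
                       ("rogue", ROGUE_CERT)]:
        print(name, "accepted" if pin_matches(cert, PINS) else "refused")
```

Major browsers have since removed support for the HPKP header; pinning inside a client application, as in this example, remains in use.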
Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP)

Certificate Revocation List (CRL):
- It is the list of all revoked certificates used for checking the certificate status
- CAs maintain the CRL database, which stores all the suspended and revoked certificates

Certificate Revocation List (CRL)

CRL is the list of all revoked certificates and is used for checking certificate status in a process known as offline revocation check. CAs maintain the CRL database, in which all the suspended and revoked certificates are stored. The client should download the list to check whether the certificate is revoked. It is a time-consuming and complex process because the server must download and check the certificate status from the entire CRL list; Online Certificate Status Protocol (OCSP) was designed to overcome these issues.

[Figure labels: the client contacts the CA CRL server; the client downloads the CRL; the client attempts to access a website; the server responds with a digital certificate]
Figure 14.45: Verification of certificate revocation

Online Certificate Status Protocol (OCSP)

OCSP, also known as online revocation check, is an alternative to CRL for checking the status of certificate revocation.
OCSP requests are sent to the CA using HTTP. The OCSP responder at the CA checks the certificate's unique serial number and responds with its status. With this method, instead of going through the entire CRL, the client can check the certificate status using its unique serial number. The main disadvantage of this method is that the OCSP responder placed at the CA requires enormous processing resources to send responses to client requests. Moreover, the responder monitoring the client's requests may have an impact on the client's privacy. OCSP stapling has been introduced to solve these issues.

[Figure labels: CA CRL server; the client contacts the CA; the CA checks the certificate's serial number and responds to the client; the client attempts to access a website; client]