Computer Fraud - Eric Vanderburg - China Resource Network Conference
Information Security Lesson 9 - Keys - Eric Vanderburg
-
Upload
eric-vanderburg -
Category
Technology
-
view
364 -
download
0
Transcript of Information Security Lesson 9 - Keys - Eric Vanderburg
![Page 1: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/1.jpg)
Information Security © 2006 Eric Vanderburg
Information Security
Chapter 9Using & Managing Keys
![Page 2: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/2.jpg)
Information Security © 2006 Eric Vanderburg
Problem with keys alone• How can we be sure that the public keys
we use for communication are really the real public keys?
• Certificates• Certificates contain keys• Issued by a trusted entity
![Page 3: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/3.jpg)
Information Security © 2006 Eric Vanderburg
PKI (Public Key Infrastructure)• PKI – A system for managing keys
– Issues digital certificates to users and computers
– Allows end users to apply for certificates– Integrates into the directory system used by
the organization– Manages and revokes certificates
• Microsoft max PKI key length: 4096 bits
![Page 4: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/4.jpg)
Information Security © 2006 Eric Vanderburg
Certificates• Have specific uses• Expire• Given by a CA• May require validation before they are issued• CA (Certification Authority) – creator and
distributor of certificates– Root– Subordinate
• RA (Registration Authority) – a subordinate CA of another company’s CA that issues certs to local users
• CRL (Certificate Revocation List)• CR (Certificate Repository)
![Page 5: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/5.jpg)
Information Security © 2006 Eric Vanderburg
PKCS (Public Key Cryptography Standards)
PKCS # Standard Name DescriptionPKCS #1 RSA Used for RSA digital
signatures
PKCS #2 Not used. Part of PKCS #1
RSA encrypted message digest
PKCS #3 Diffie Hellman key agreement standard
Key exchanges using Diffie-Hellman
![Page 6: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/6.jpg)
Information Security © 2006 Eric Vanderburg
PKCSPKCS # Standard Name Description
PKCS #4 Not used. Part of PKCS #1
RSA key syntax
PKCS #5 Password based encryption standard
Generates a secret key from a password
PKCS #6 Extended cert syntax standard
Phased out syntax
![Page 7: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/7.jpg)
Information Security © 2006 Eric Vanderburg
PKCSPKCS # Standard Name Description
PKCS #7 Cryptographic Message Syntax
Used for encrypting messages using digital signatures and encryption
PKCS #8 Private Key Information syntax standard
How to store keys
PKCS #9 Attribute types Defines the attribute types used in 6,7,8,& 10
![Page 8: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/8.jpg)
Information Security © 2006 Eric Vanderburg
PKCSPKCS # Standard
NameDescription
PKCS #10 Cert request syntax standard
How to ask for a cert
PKCS #11 Cryptographic token interface standard
Used for smart cards and other token devices
PKCS #12 Personal Information Exchange
Used for exporting keys
![Page 9: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/9.jpg)
Information Security © 2006 Eric Vanderburg
PKCSPKCS # Standard
NameDescription
PKCS #13 Elliptic Curve Cryptography standard
How to encrypt and sign using EC
PKCS #14 PRNG standard
How to generate a pseudo random number
PKCS #15 Cryptographic token information format
How to store information on tokens
![Page 10: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/10.jpg)
Information Security © 2006 Eric Vanderburg
X.509 standard• X509 is an international standard defined by the
International Telecommunication Union (ITU) that defines the format for the digital certificate
• Most widely used certificate format for PKI
![Page 11: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/11.jpg)
Information Security © 2006 Eric Vanderburg
Trusts• Direct trust – trust because of a personal
relationship. This trust is not verified. (friends sending email)
• Third party trust – 2 people trust each other because they each trust a 3rd party
• Trust model – the type of relationship that exists between entities– Web of trust – each user creates their own certificate
and shares it with the others – based on direct trust. – Single point trust – A CA issues and signs certificates.
Based on 3rd party trust. – Hierarchical trust – A root CA issues certificates to
subordinate CAs that issue certificates to users.
![Page 12: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/12.jpg)
Information Security © 2006 Eric Vanderburg
Trusted Certificates• Can be viewed in Internet Explorer• CA certificates – issued directly to users• Server certificates – issued form a web
server, FTP server, or mail server. • Software Publisher certificates – provided
by developers to take responsibility and provide credibility for their applications
![Page 13: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/13.jpg)
Information Security © 2006 Eric Vanderburg
Policy• CP (Certificate Policy) - High level
statement that defines how the CA and the certificates issued should be used and secured.
• CPS (Certificate Practice Statement) – More detailed document on how certificates are managed, registered for, issued, protected, and revoked.
![Page 14: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/14.jpg)
Information Security © 2006 Eric Vanderburg
Certificate Life Cycle• Creation
– Request is made– User is identified– CA fills in appropriate fields on the cert– CA signs the cert with its key– Certificate is published or sent to an RA
• Revocation– Certificate is added to the CRL– CRL is signed by the CA– CRL is published
![Page 15: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/15.jpg)
Information Security © 2006 Eric Vanderburg
Certificate Life Cycle• Expiration
– If a certificate is not renewed, it will expire– Usually the keys are not regenerated but they
can be. • Suspension
– A certificate is marked inactive and cannot be used until the suspension is lifted.
![Page 16: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/16.jpg)
Information Security © 2006 Eric Vanderburg
Key Management• Centralized
– Organization has control over keys, their uses, and their issuance
– Larger scope of trust– More responsibility and effort required
• Decentralized– Web of trust model– No central CR (Certificate Repository)– No control over keys– Responsibility is on the users
![Page 17: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/17.jpg)
Information Security © 2006 Eric Vanderburg
Private Key Storage• Stored inside a certificate• Stored on a token• Stored on the local machine• Backed up to file (PKCS #12)
• Destroy expired keys• Do not make excessive copies of keys• Make sure keys are encrypted
![Page 18: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/18.jpg)
Information Security © 2006 Eric Vanderburg
Key Handling• Key Escrow – Keys are managed by a third
party. – Keys are split into two parts and stored elsewhere. – Users authenticate and retrieve the key parts and
then use it. – Keys are vulnerable once retrieved.
• Keys also expire, and can be revoked. • Key recovery (M of N)
– Key is split into a number of parts (M) distributed to a number of people (N) that is larger than M. The group must agree to combine their parts to use the key.
![Page 19: Information Security Lesson 9 - Keys - Eric Vanderburg](https://reader036.fdocuments.in/reader036/viewer/2022062523/542ec76d8d7f72916e8b6b53/html5/thumbnails/19.jpg)
Information Security © 2006 Eric Vanderburg
Acronyms• CP, Certificate Policy• CPS, Certificate Practice Statement• CR, Certificate Repository• CRL, Certificate Revocation List• PKCS, Public Key Cryptography
Standards• PKI, Public Key Infrastructure• RA, Registration Authority