Beruflich Dokumente
Kultur Dokumente
• Understanding Cryptography
• PKI Introduction
• Standard and Protocol
• Key Management Life Cycle
• Advantages:
- Speed
- Strength
• Disadvantages:
- Poor key distribution
mechanism
- Single key
• A symmetric algorithm uses the same key for encrypting and decrypting data,
and everyone that is allowed to encrypt and decrypt the data has a copy of the
key.
• This is also known as a shared secret. Symmetric algorithms provide
confidentiality by encrypting data or messages.
• Some of the past and current symmetric key encryption algorithms include
Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption
Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, and
RC4.
• Advantages:
- Provide a secure way to
communicate with an
individual
- Provide a method to
validate an individual
• Disadvantages:
- Asymmetric encryption
is relatively slow
11
12
• The PKI relies on the concept of a trusted third party (TTP). This
trusted third party and the associated enrollment protocol combine to
form a method that enables scalability.
• PKI provides scalability to cryptographic applications such as VPNs.
• The use of a trusted third-party protocol with public key cryptography is
also based on the digital signing of public keys. In this case, however,
one central authority signs all the public keys, and everybody trusts
that central authority.
• The authority's public key is distributed among the users, who can use
it to verify the signatures on public keys of other users.
13
• Certificates are a digital representation of information that identifies you and are
issued by CAs, which are often a TTP (Trusted Third Party).
• A TTP is an entity trusted by other entities with respect to security-related
services and activities.
• The certificate (Figure 3-4) includes the TTP, subscriber, subscriber's public
key, its operational period, and the digital signature of the TTP issuing it.
• The TTP is vouching that the person or process with the certificate can be
trusted.
• Certificates can be used with a variety of applications and security services to
provide authentication, data integrity, and security.
• Uses for certificates include the following:Secure mail, Secure Web
communications, Secure Web sites, Custom security solutions, Smart card
logon process.
15
16
• Digital signatures can also be used to certify that a public key belongs to a particular
entity. This is done by signing the combination of the public key and the information
about its owner by a trusted key.
• The resulting data structure is often called a public-key certificate (or simply, a
certificate).
• Certificates can be thought of as analogous to passports that guarantee the identity of
their bearers.
17
18
20
22
• Step 3The end host generates a certificate request and forwards the request to
the CA (or the RA, if applicable). The CA receives the certificate enrollment
request, and, depending on your network configuration, one of the following
options occurs:
– Manual intervention is required to approve the request.
– The end host is configured to automatically request a certificate from the
CA. Thus, operator intervention is no longer required at the time the
enrollment request is sent to the CA server.
• Step 4After the request is approved, the CA signs the request with the CA’s
private key.
• Step 5The CA returns the completed certificate to the end host. The end host
writes the certificate to a storage area such as NVRAM.
• Step 6The end host uses the certificate for communication with other
communication partners.
23
25
26
• A local registration authority (LRA) takes the process one step further:
– It can be used to identify or establish the identity of an individual for
certificate issuance.
• If the user in Seattle needs a new certificate, it would be impractical to
fly back to Washington, D.C. to get another one. An LRA can be used
to verify and certify the identity of the individual on behalf of the CA.
The LRA can then forward authentication documents to the CA to issue
the certificate.
28
29
30
31
32
33
34
35
36
• The mesh trust model expands the concepts of the bridge model by
supporting multiple paths and multiple root CAs.
• This arrangement is also referred to as a web structure.
• This structure may be useful in a situation where several
organizations must cross-certify certificates.
• The advantage is that you have more flexibility when you configure
the CA structures.
• The major disadvantage of a mesh is that each root CA must be
trustworthy in order to maintain security.
37
• A hybrid structure can use the capabilities of any or all of the structures
discussed in the previous sections. You can be extremely flexible when you
build a hybrid trust structure.
• The flexibility of this model also allows you to create hybrid environments.
• The major difficulty with hybrid models is that they can become complicated
and confusing.
38
39
40
41
42
44
47
50
56
57
59
• Key management refers to the process of working with keys from the
time they are created until the time they are retired or destroyed.
• Key management includes the following stages/areas:
– Centralized versus decentralized key generation
– Key storage and distribution
– Key escrow
– Key expiration
– Key revocation
– Key suspension
– Key recovery and archival
– Key renewal
– Key destruction
– Key usage
60
• The term key life cycle describes the stages a key goes
through during its entire life.
• You can think of this as a cradle-to-grave situation.
• By expressing these relationships in the terms of a life
cycle, evaluating each phase of a key’s use from its
creation to its destruction becomes easier.
• If any aspect of a key’s life isn’t handled properly, the entire
security system may become nonfunctional or
compromised.
61
• Key generation (the creation of the key) is an important first step in the
process of working with keys and certificates.
• Certificates are one of the primary methods used to deliver keys to
end entities.
• Key length and the method used to create the key also affect the
security of the system in use.
• The security of a key is measured by how difficult it is to break the key.
• The longer it takes to break the key, the more secure the key is
considered to be.
– According to RSA, it would take 3 million years and a $10 million
budget to break a key with a key length of 1,024 bits.
– The amount of time it would take to break a 2,048-bit key is virtually
incalculable.
62
64
65
• Where and how keys are stored affects how they are
distributed.
• Distributing keys is usually accomplished using a Key
Distribution Center (KDC), as used in Kerberos, or by using
a Key Exchange Algorithm (KEA), as in the case of PKI.
66
69
70
71
72
73
74
75
76
77
78