Sie sind auf Seite 1von 45

NETWORK SECURITY

Ch. 6: Applying Cryptography


Contents
6.1 Digital Certificates
6.2 Pubic Key Infrastructure
6.3 Key Management
6.4 Cryptographic Transport Protocols

06 APPLYING CRYPTOGRAPHY 2
6.1 Digital Certificates
• Alice receives a package containing an encrypted
document from Bob. It is secure as it was encrypted.
• Yet how can she know that it came from Bob? Because
Alice’s asymmetric public key is widely available, anyone
could use it to encrypt the document.

• The answer is to use a digital signature.

06 APPLYING CRYPTOGRAPHY 3
6.1 Digital Certificates
6.1.1 Defining Digital Certificates
– Digital certificates can be used to associate or “bind” a user’s
identity to a public key.

– A digital certificate is the user’s public key that has itself been
“digitally signed” by a reputable source entrusted to sign it.

06 APPLYING CRYPTOGRAPHY 4
6.1 Digital Certificates
– Digital certificates prevent a man-in-the-middle attack that
impersonates the owner of the public key.

– Digital certificates can also be used to identify objects other


than users, such as servers and applications.

06 APPLYING CRYPTOGRAPHY 5
6.1 Digital Certificates
– A digital certificate typically contains the following information:
• Owner’s name or alias
• Owner’s public key
• Name of the issuer
• Digital signature of the issuer
• Serial number of the digital certificate
• Expiration date of the public key

06 APPLYING CRYPTOGRAPHY 6
6.1 Digital Certificates
6.1.2 Authorizing, Storing, Revoking
• Several entities and technologies are used for authorizing,
storing, and revoking digital certificates.
• These include the Certificate Authority (CA) and Registration
Authority (RA), a Certificate Repository (CR), and a
Certificate Revocation List (CRL).

06 APPLYING CRYPTOGRAPHY 7
6.1 Digital Certificates
Authority (CA) & Registration (RA)
• Instead of a user verifying his own identity, a third-party person or
agency is used.

• An entity that issues digital certificates for others is known as a


Certificate Authority (CA).

06 APPLYING CRYPTOGRAPHY 8
6.1 Digital Certificates
• A user provides information to a CA that verifies her
identity.
• Also, the user generates public and private keys and
sends the public key to the CA (or in some instances the
CA may create the keys).
• The CA inserts this public key into the certificate.

06 APPLYING CRYPTOGRAPHY 9
6.1 Digital Certificates
• A CA can be external to the organization, or it can be a
CA internal to the organization.
• Some organizations set up a subordinate entity, called a
Registration Authority (RA), to handle some CA tasks
such as processing certificate requests and
authenticating users.

06 APPLYING CRYPTOGRAPHY 10
6.1 Digital Certificates
Certificate Revocation List (CRL)
• Digital certificates normally have an expiration date.
• Expired digital certificates should then be revoked.
• Revoked digital certificates are listed in a Certificate Revocation
List (CRL), which can be accessed to check the certificate status
of other users.

06 APPLYING CRYPTOGRAPHY 11
6.1 Digital Certificates
Certificate Repository (CR)
• It is important that the CA publishes the certificates and CRLs to a
directory.
• This directory can be managed locally or in a publicly accessible
directory, which is called a Certificate Repository (CR).

06 APPLYING CRYPTOGRAPHY 12
6.1 Digital Certificates
6.1.3 Types of Digital Certificates
• There are different types of digital certificates.
• In addition, some digital certificates are single-side while others
can be dual-sided.
• Also, standards exist for digital certificates.

06 APPLYING CRYPTOGRAPHY 13
6.1 Digital Certificates
• In addition to being used to verify the sender’s identity, digital
certificates can also be used to:
– Encrypt channels to provide secure communication between clients and
servers
– Encrypt messages for secure Internet e-mail communication
– Verify the identity of clients and servers on the Web

06 APPLYING CRYPTOGRAPHY 14
6.1 Digital Certificates
– Verify the source and integrity of signed executable code
• There are three basic categories of digital certificates:
– personal digital certificates,
– Server digital certificates, and
– software publisher digital certificates.

06 APPLYING CRYPTOGRAPHY 15
6.1 Digital Certificates
Personal Digital Certificates
• Personal digital certificates are issued by a CA or RA directly to
individuals.
• Personal digital certificates are typically used to secure e-mail
transmissions.
• Digital certificates can also be used to authenticate the authors of
documents.

06 APPLYING CRYPTOGRAPHY 16
6.1 Digital Certificates
Server Digital Certificates
• Server digital certificates are often issued from a Web server to a
client.
• Typically perform two functions.
– First, they can ensure the authenticity of the Web server.
– Second, server certificates can ensure the authenticity of the cryptographic
connection to the Web server.

06 APPLYING CRYPTOGRAPHY 17
6.1 Digital Certificates

06 APPLYING CRYPTOGRAPHY 18
6.1 Digital Certificates
• Most server digital certificates combine both server
authentication and secure communication between
clients and servers on the Web.

06 APPLYING CRYPTOGRAPHY 19
6.1 Digital Certificates
• Software Publisher Digital Certificates

• Software publisher digital certificates are provided by


software publishers.

• The purpose of these certificates is to verify that their


programs are secure and have not been tampered with.

06 APPLYING CRYPTOGRAPHY 20
6.1 Digital Certificates
Single Side and Dual Side
• Digital certificates can be either single-sided or dual-sided.
• When Bob sends one digital certificate to Alice along with his
message, that is known as a single-sided certificate.

06 APPLYING CRYPTOGRAPHY 21
6.1 Digital Certificates
• Dual-sided certificates are certificates in which the
functionality is split between two certificates.
– The signing certificate is used to sign a message to prove that
that sender is authentic.
– The encryption certificate is used for the actual encryption of
the message.

06 APPLYING CRYPTOGRAPHY 22
6.1 Digital Certificates
• Dual-sided certificates have two advantages.
– First, dual-sided certificates reduce the need for storing
multiple copies of the signing certificate.
– Second, dual-sided certificates facilitate certificate handling in
organizations.

06 APPLYING CRYPTOGRAPHY 23
6.1 Digital Certificates
X.509 Digital Certificates
• The most widely accepted format for digital certificates is defined
by the International Telecommunication Union (ITU) X.509
international standard.
• X.509 V1 first appeared in 1988. X.509 V2 supported new issuer
and subject identifier fields that were absent from Version 1.

06 APPLYING CRYPTOGRAPHY 24
6.1 Digital Certificates
• The current version, X.509 V3, was defined in 1996, and
introduced the extension field.

06 APPLYING CRYPTOGRAPHY 25
6.1 Digital Certificates

06 APPLYING CRYPTOGRAPHY 26
6.2 Public Key Infrastructure
• One of the important management tools for the use of
digital certificates and asymmetric cryptography is public
key infrastructure.
• Public key infrastructure involves public-key
cryptography standards, trust models, and key
management.

06 APPLYING CRYPTOGRAPHY 27
6.2 Public Key Infrastructure
6.2.1 What is Public Key Infrastructure
• In an organization where multiple users have multiple digital
certificates, it quickly can become overwhelming to manage all of
these entities.
• In short, there needs to be a consistent means to manage digital
certificates.
• Public key infrastructure (PKI) is just that.

06 APPLYING CRYPTOGRAPHY 28
6.2 Public Key Infrastructure
• It is a framework for all of the entities involved in digital
certificates—including hardware, software, people, policies and
procedures—to create, store, distribute, and revoke digital
certificates.
• In short, PKI is digital certificate management.

06 APPLYING CRYPTOGRAPHY 29
6.2 Public Key Infrastructure
• PKI is often erroneously applied to a broader range of
cryptography topics beyond managing digital certificates.

• It is sometimes defined as that which supports “other


public key-enabled security services” or “certifying users
of a security application.”

06 APPLYING CRYPTOGRAPHY 30
6.2 Public Key Infrastructure
6.2.2 Public-Key Cryptographic Standards (PKCS)
• Public-key cryptography standards (PKCS) is a numbered set of
PKI standards that have been defined by the RSA Corporation.
• These standards are based on the RSA public-key algorithm.

06 APPLYING CRYPTOGRAPHY 31
6.2 Public Key Infrastructure

06 APPLYING CRYPTOGRAPHY 32
6.2 Public Key Infrastructure

06 APPLYING CRYPTOGRAPHY 33
6.2 Public Key Infrastructure

06 APPLYING CRYPTOGRAPHY 34
6.2 Public Key Infrastructure
• Applications and products that are developed by vendors
may choose to support the PKCS standards.
• For example, Microsoft Windows Vista provides native
support for exporting digital certificates based on PKCS
#7 and #12.

06 APPLYING CRYPTOGRAPHY 35
6.2 Public Key Infrastructure
6.2.3 Trust Model
• Trust may be defined as confidence in or reliance on another
person or entity.
• A trust model refers to the type of trusting relationship that can
exist between individuals or entities.

06 APPLYING CRYPTOGRAPHY 36
6.2 Public Key Infrastructure
• In one type of trust model, direct trust, a relationship
exists between two individuals because one person
knows the other person.
• Direct trust is not feasible when dealing with multiple
users who each have digital certificates.

06 APPLYING CRYPTOGRAPHY 37
6.2 Public Key Infrastructure
• A third party trust refers to a situation in which two
individuals trust each other because each trusts a third
party.
• This is the role that a CA plays: for example, it verifies
Mary, Amanda, and Javier to Alice.

06 APPLYING CRYPTOGRAPHY 38
6.2 Public Key Infrastructure
• There are essentially three PKI trust models that use a
CA. These are
– the hierarchical trust model,
– the distributed trust model, and
– the bridge trust model.

06 APPLYING CRYPTOGRAPHY 39
6.2 Public Key Infrastructure
Hierarchical Trust Model
• The hierarchical trust model assigns a single hierarchy with one
master CA called the root.
• This root signs all digital certificate authorities with a single key.
• A hierarchical trust model can be used in an organization where
one CA or RA is responsible.

06 APPLYING CRYPTOGRAPHY 40
6.2 Public Key Infrastructure

06 APPLYING CRYPTOGRAPHY 41
6.2 Public Key Infrastructure
Distributed Trust Model
• Instead of having a single CA as in the hierarchical trust model,
the distributed trust model has multiple CAs that sign digital
certificates.
• The distributed trust model is the basis for digital certificates
issued by Internet users.

06 APPLYING CRYPTOGRAPHY 42
6.2 Public Key Infrastructure

06 APPLYING CRYPTOGRAPHY 43
6.2 Public Key Infrastructure
Bridge Trust Model
• The bridge trust model is similar to the distributed trust model in
that there is no single CA that signs digital certificates.
• However, with the bridge trust model there is one CA that acts as
a “facilitator” to interconnect all other CAs.

06 APPLYING CRYPTOGRAPHY 44
6.2 Public Key Infrastructure

06 APPLYING CRYPTOGRAPHY 45

Das könnte Ihnen auch gefallen