CompTIA® Security+ Exam Notes : Given a scenario, implement public key infrastructure

6. Cryptography and PKI

6.4 Given a scenario, implement public key infrastructure

In Public Key Infrastructure parlance, the term Principal means an entity whose identity can be verified.

Trust Model:

Three basic types of distributed trust models are:

1. Hierarchical trust model: Here one root CA and one or more subordinate CAs are present. The subordinate CAs provide redundancy and load balancing. The root CA is usually kept off-line. Even if a subordinate CA is compromised, the root CA can revoke that subordinate CA, thus providing redundancy.

2. Web of Trust: This is also called the cross-certification model. Here CAs form peer-to-peer relationships. This model becomes difficult to manage as the number of CAs grows. This kind of trust relationship may arise when different divisions of a company have different CAs and need to work together. Here the CAs must trust one another.

3. Bridge CA architecture: A Bridge CA overcomes the complexity involved in the Web of Trust model. Here the Bridge CA acts as the central coordination point. All other CAs (known as principals) need to trust only the Bridge CA.

If the CA's private key is compromised, all certificates issued by that CA are affected. This leads to the issuance of new certificates to all users, and to re-registration. These problems can be overcome by use of a distributed trust model, in which multiple CAs are involved.

In public key infrastructure:

  • A key is required to encode/decode a message, and the security of a message depends on the security of the key.
  • A cipher text is the encoded message, and
  • A certificate is a document digitally signed by a trusted authority.

CRL: A certificate revocation list (CRL) is a list of certificates which have been revoked and are no longer valid. The client requests a copy of the CRL from the CA and then checks the CRL to see if the certificate is on the list. If it is on the list, it is considered invalid and should not be used.

Online Certificate Status Protocol (OCSP): Here, instead of the client requesting a copy of the CRL, the client queries the CA about the certificate, identified uniquely by its serial number. The CA then replies indicating that the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known to the CA).

CSR: A certificate authority uses a certificate signing request (CSR) to create your SSL certificate.
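The hierarchical trust model, CRL checking and OCSP described above, as an added worked example that is not part of the original notes: it builds a root CA, a subordinate (issuing) CA and a server certificate with the openssl command-line tool (assumed to be installed; the names "Demo Root CA", "Demo Issuing CA" and server.example.test are constructed), then shows chain validation failing once the root revokes the subordinate CA through a CRL, and an offline OCSP exchange in which the issuing CA answers "good" and later "revoked" for the server certificate's serial number.

```shell
#!/bin/sh
# Added demo (not from the original notes): a hierarchical PKI built with the openssl CLI.
# Root CA -> subordinate CA -> server certificate, with revocation checked two ways:
# CRL during chain validation, and an offline OCSP exchange. All names are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
Q() { "$@" >/dev/null 2>&1; }   # run quietly; under set -e a failure still aborts the script

# Minimal 'openssl ca' configuration for the CA named $1: its database (index), serial and CRL number
ca_cnf() {
cat > "$1.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = .
database = \$dir/$1_index.txt
new_certs_dir = \$dir/$1_newcerts
serial = \$dir/$1_serial
crlnumber = \$dir/$1_crlnumber
certificate = \$dir/$1.crt
private_key = \$dir/$1.key
default_md = sha256
default_days = 90
default_crl_days = 30
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
: > "$1_index.txt"; echo 1000 > "$1_serial"; echo 1000 > "$1_crlnumber"; mkdir -p "$1_newcerts"
}

# 1. Root CA: self-signed; in a real deployment it stays offline and signs only subordinate CAs and CRLs
cat > root_req.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
Q openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 365 -config root_req.cnf
ca_cnf root

# 2. Subordinate (issuing) CA signed by the root; pathlen:0 forbids it from creating further CAs
Q openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj "/CN=Demo Issuing CA"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > sub.ext
Q openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -extfile sub.ext -out sub.crt
ca_cnf sub

# 3. Server certificate issued through 'openssl ca' so that the subordinate's database records it (OCSP needs that)
Q openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=server.example.test"
Q openssl ca -config sub.cnf -batch -notext -in leaf.csr -out leaf.crt

# Every CA publishes its own CRL; a verifier checking the whole chain needs all of them
publish_crls() {
  Q openssl ca -config root.cnf -gencrl -out root.crl
  Q openssl ca -config sub.cnf -gencrl -out sub.crl
  cat root.crl sub.crl > all.crl
}
# Prints "valid" or "invalid": does leaf -> sub -> root verify, with every certificate checked against a CRL?
chain_status() {
  if Q openssl verify -crl_check_all -CAfile root.crt -CRLfile all.crl -untrusted sub.crt leaf.crt
  then echo valid; else echo invalid; fi
}
# OCSP, offline: the client builds a request for the leaf's serial number, the issuing CA answers from its
# index file, and the client verifies the signed response; prints "good", "revoked" or "unknown"
ocsp_status() {
  Q openssl ocsp -issuer sub.crt -cert leaf.crt -no_nonce -reqout req.der || true   # request only, no responder contacted
  Q openssl ocsp -index sub_index.txt -CA sub.crt -rsigner sub.crt -rkey sub.key -reqin req.der -respout resp.der
  openssl ocsp -respin resp.der -issuer sub.crt -cert leaf.crt -no_nonce -CAfile root.crt 2>/dev/null | sed -n 's/^leaf.crt: //p'
}

publish_crls
CHAIN_BEFORE=$(chain_status)     # valid
OCSP_BEFORE=$(ocsp_status)       # good

# The issuing CA revokes the server certificate: its database now carries an R entry, so OCSP answers "revoked"
Q openssl ca -config sub.cnf -revoke leaf.crt
OCSP_AFTER_LEAF_REVOKED=$(ocsp_status)   # revoked

# Compromised subordinate CA: the root revokes it and publishes a fresh CRL; everything issued under it now fails
Q openssl ca -config root.cnf -revoke sub.crt
publish_crls
CHAIN_AFTER_SUB_REVOKED=$(chain_status)  # invalid

echo "chain: $CHAIN_BEFORE -> $CHAIN_AFTER_SUB_REVOKED; OCSP for leaf: $OCSP_BEFORE -> $OCSP_AFTER_LEAF_REVOKED"
```

Two details worth noting. `openssl verify -crl_check_all` checks every certificate in the chain, including the self-signed root, so it needs a current CRL from every CA in the chain, which is why both CRLs are concatenated into one file. The responder step runs `openssl ocsp` in responder mode (the `-index` option) against the issuing CA's own index file; this stands in for the network OCSP service a client would normally query, and the client side verifies the response signature against the root before trusting the status it carries.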

Key escrow: Key escrow (also known as a fair cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that an authorized third party may gain access to those keys. These third parties may include the government, or an employer wanting to see the communications of an employee.

A digital certificate is a credential issued by a trusted authority that binds you (an individual or an organization) to an identity that can be recognized and verified electronically by other agencies. Locally issued digital certificates are valid only within an organization's network (such as an intranet). Therefore, any secure pages or digital signatures containing local registration will not work on the Internet.

SAN: A Storage Area Network (SAN) provides a pool of storage resources that can be centrally managed and allocated as needed. Instead of having isolated storage capacities across different servers, you can share a pool of capacity across many different workloads and carve it up as you need. It is easier to protect and easier to manage.

A SAN consists of interconnected hosts, switches and storage devices. The devices are typically connected using Fibre Channel, though other protocols are possible. SAN and NAS (short for network-attached storage) are both network-based storage solutions. A SAN typically uses Fibre Channel connectivity, while NAS typically ties into the network through a standard Ethernet connection. A SAN stores data at the block level, while NAS accesses data as files. To a client OS, a SAN typically appears as a disk and exists as its own separate network of storage devices, while NAS appears as a file server.
