CompTIA® Security+ Exam Notes : Given a scenario, implement public key infrastructure

6. Cryptography and PKI

6.4 Given a scenario, implement public key infrastructure

In Public Key Infrastructure parlance, the term Principal means an entity whose identity can be verified.

Trust Model:

Three basic types of distributed trust models are:

1. Hierarchical trust model: Here one root CA and one or more subordinate CAs will be present. The subordinate CAs provide redundancy and load balancing. The root CA is usually off-line. Here even if a subordinate CA is compromised, the root CA can revoke the subordinate CA, thus providing redundancy.

2. Web of Trust: This is also called cross-certification model. Here CAs form peer-to-peer relationship. This model is difficult to manage as the number of CAs grow larger. This kind of trust relationship may happen when different divisions of a company has different CAs, and need to work together. Here CAs must trust one another.

3. Bridge CA architecture: Bridge CA overcomes the complexity involved with Web of Trust model. Here Bridge CA act as the central co-ordinate point. All other CAs (known as principals) must trust only the Bridge CA.

If the CA's private key is compromised, certificates' private key is compromised, certificates issued by that CA issued by that CA are affected. This will lead to issuance of new certificates to all users, and registration. These problems can be overcome by use of a distributed trust model, in which multiple CAs are involved.

In public key infrastructure:

  • A key is required to encode/decode a message, and the security of a message depends on the security of key.
  • A cipher text is the encoded message, and
  • A certificate is a digitally signed document by a trusted authority.

CRL: A certificate revocation list (CRL) is a list of certificates, which have been revoked, and are no longer valid. The client requests a copy of the CRL from the CA and then checks the CRL to see if the certificate is on the list. If it's on the list, it's considered invalid and wouldn't be used.

Online Certificate Status Protocol (OCSP): Here, instead of the client requesting a copy of the CRL, the client queries the CA about the certificate, identified uniquely by a serial number. The CA then replies indicating the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known by the CA. A certificate authority uses a CSR to create your SSL certificate.

Key escrow: Key escrow (also known as a fair cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, an authorized third party may gain access to those keys. These third parties may include the government or an employer wanting to see the communication of an employee.

A digital certificate is a credential issued by a trusted authority that binds you (and individual or an organization) to an identity that can be recognized and verified electronically by other agencies. Locally issued digital certificates are valid only within an organizations network (like intranet). Therefore, any secure pages or digital signatures containing local registration will not work on the Internet.

SAN: A Storage Area Network (SAN) provides a pool of storage resources that can be centrally managed and allocated as needed. Instead of having isolated storage capacities across different servers, you can share a pool of capacity across a bunch of different workloads and carve it up as you need. It's easier to protect, it's easier to manage.

A SAN consists of interconnected hosts, switches and storage devices. The devices are typically connected using Fibre Channel, though other protocols are possible. SAN and NAS (short for network-attached storage) are both network-based storage solutions. A SAN typically uses Fibre Channel connectivity, while NAS typically ties into to the network through a standard Ethernet connection. A SAN stores data at the block level, while NAS accesses data as files. To a client OS, a SAN typically appears as a disk and exists as its own separate network of storage devices, while NAS appears as a file server.

Online vs. offline Certification Authority

Stapling: Stapling is the process of combining related items to reduce communication steps. An example is when someone requests a certificate, stapling sends both the certificate and OCSP responder information in the same request to avoid the additional fetches the client would have to perform during path validations.

Pinning: When a certificate is presented for a host, either identifying the host or providing a public key, this information can be saved in an act called pinning, which is the process of associating a host with a previously provided X.509 certificate or public key. This can be important for mobile applications that move between networks frequently and are much more likely to be associated with hostile networks where levels of trust are low and risks of malicious data are high. Pinning assists in security through the avoidance of the use of DNS and its inherent risks when on less-than-secure networks.

Certificate chaining: Certificate chain, a chain of trust from one certificate to another, based on signing by an issuer, until the chain ends with a certificate that the user trusts.

Code signing: Code signing, which involves applying a digital signature to code, providing a mechanism where the end user can verify the code integrity.

Secure Cookies: Cookies are text files sent with every request to a website. They have been used for a variety of functions, including maintaining state, preferences,usage parameters, and so on

Public key Infrastructure:

One of the protocols used for online revocation services is the Online Certificate Status Protocol (OCSP), a request and response protocol that obtains the serial number of the certificate that is being validated and reviews CRLs for the client.

Certificate Signing Request (CSR): A certificate signing request (CSR) is the actual request to a CA containing a public key and the requisite information needed to generate a certificate. The CSR contains all the identifying information that is to be bound to the key by the certificate-generation process. A message sent from an applicant to a certificate authority in order to apply for a digital identity certificate

.pfx file: Digital certificates are defined in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. This RFC describes the X.509 v3 digital certificate format in detail. There are numerous ways to encode the information in a certificate before instantiation as a file, and the different methods result in different file extensions. Common extensions include .der, .pem, .crt, .cer, .pfx, .p12, and .p7b.

Certificate Revocation List (CRL): A digitally signed object that lists all of the current but revoked certificates issued by a given certification authority. This allows users to verify whether a certificate is currently valid even if it has not expired. A CRL is analogous to a list of stolen charge card numbers that allows stores to reject bad credit cards.

Certificate formats:Certificates can have various file extension types, some extension types are interchangeable, but not all are. Below table provides a brief comparison of common certificate formats.

Certificate Format Encoding Systems Extensions
DER Binary Java .der,.cer,.crt
PEM Base64 ASCII Apache HTTP .pem,.cer,.crt. .key
PFX(PKCS#12) Binary Windows pfx, .p12
P7B (PKCS#7) Base64 ASCII Windows and Java Tomcat p7b,.p7c

The most common format and extension for certificates is PEM, which is mostly associated with Apache web servers. Another Base64-encoded certificate format is P7B, also known as PKCS#7. It uses .p7b and .p7c extensions. Most servers (Ex: Apache) expect the certificates and private key to be in a separate files.

A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key.

Another binary certificate format is PFX, also known as PKCS#12. Extensions for PFX encoded certificates include .pfx or .p12. This type of certificate is common to the windows operating system for importing and exporting private keys. PFX supports a private key and can store one or more certificates within a single binary file.

Previous   Contents   

Security+ Cram Notes Contents
certexams ad

simulationexams ad