Download XML: Part - Houston Community College System

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
Document related concepts

Computer and network surveillance wikipedia , lookup

One-time pad wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Information security wikipedia , lookup

Unix security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Distributed firewall wikipedia , lookup

Airport security wikipedia , lookup

Wireless security wikipedia , lookup

Cryptanalysis wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Security printing wikipedia , lookup

Cryptography wikipedia , lookup

Mobile security wikipedia , lookup

Web of trust wikipedia , lookup

Computer security wikipedia , lookup

History of cryptography wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Security-focused operating system wikipedia , lookup

Certificate authority wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Transcript 
Chapter 9: Using and
Managing Keys
Security+ Guide to Network Security
Fundamentals
Second Edition
Objectives
• Explain cryptography strengths and vulnerabilities
• Define public key infrastructure (PKI)
• Manage digital certificates
• Explore key management
Security+ Guide to Network Security
Fundamentals, 2e
2
Understanding Cryptography
Strengths and Vulnerabilities
• Cryptography is science of “scrambling” data so it
cannot be viewed by unauthorized users, making it
secure while being transmitted or stored
• When the recipient receives encrypted text or another
user wants to access stored information, it must be
decrypted with the cipher and key to produce the
original plaintext
Security+ Guide to Network Security
Fundamentals, 2e
3
Symmetric Cryptography
Strengths and Weaknesses
• Identical keys are used to both encrypt and decrypt
the message
• Popular symmetric cipher algorithms include Data
Encryption Standard, Triple Data Encryption
Standard, Advanced Encryption Standard, Rivest
Cipher, International Data Encryption Algorithm, and
Blowfish
• Disadvantages of symmetric encryption relate to the
difficulties of managing the private key
Security+ Guide to Network Security
Fundamentals, 2e
4
Asymmetric Cryptography Strengths
and Vulnerabilities
• With asymmetric encryption, two keys are used
instead of one
– The private key encrypts the message
– The public key decrypts the message
Security+ Guide to Network Security
Fundamentals, 2e
5
Asymmetric Cryptography Strengths
and Vulnerabilities (continued)
• Can greatly improve cryptography security,
convenience, and flexibility
• Public keys can be distributed freely
• Users cannot deny they have sent a message if they
have previously encrypted the message with their
private keys
• Primary disadvantage is that it is computing-intensive
Security+ Guide to Network Security
Fundamentals, 2e
6
Digital Signatures
• Asymmetric encryption allows you to use either the
public or private key to encrypt a message; the
receiver uses the other key to decrypt the message
• A digital signature helps to prove that:
– The person sending the message with a public key is
who they claim to be
– The message was not altered
– It cannot be denied the message was sent
Security+ Guide to Network Security
Fundamentals, 2e
7
Digital Certificates
• Digital documents that associate an individual with its
specific public key
• Data structure containing a public key, details about
the key owner, and other optional information that is
all digitally signed by a trusted third party
Security+ Guide to Network Security
Fundamentals, 2e
8
Certification Authority (CA)
• The owner of the public key listed in the digital
certificate can be identified to the CA in different ways
– By their e-mail address
– By additional information that describes the digital
certificate and limits the scope of its use
• Revoked digital certificates are listed in a Certificate
Revocation List (CRL), which can be accessed to
check the certificate status of other users
Security+ Guide to Network Security
Fundamentals, 2e
9
Certification Authority (CA)
(continued)
• The CA must publish the certificates and CRLs to a
directory immediately after a certificate is issued or
revoked so users can refer to this directory to see
changes
• Can provide the information in a publicly accessible
directory, called a Certificate Repository (CR)
• Some organizations set up a Registration Authority
(RA) to handle some CA, tasks such as processing
certificate requests and authenticating users
Security+ Guide to Network Security
Fundamentals, 2e
10
Understanding Public Key
Infrastructure (PKI)
• Weaknesses associated with asymmetric
cryptography led to the development of PKI
• A CA is an important trusted party who can sign and
issue certificates for users
• Some of its tasks can also be performed by a
subordinate function, the RA
• Updated certificates and CRLs are kept in a CR for
users to refer to
Security+ Guide to Network Security
Fundamentals, 2e
11
The Need for PKI
Security+ Guide to Network Security
Fundamentals, 2e
12
Description of PKI
• Manages keys and identity information required for
asymmetric cryptography, integrating digital
certificates, public key cryptography, and CAs
• For a typical enterprise:
– Provides end-user enrollment software
– Integrates corporate certificate directories
– Manages, renews, and revokes certificates
– Provides related network services and security
• Typically consists of one or more CA servers and
digital certificates that automate several tasks
Security+ Guide to Network Security
Fundamentals, 2e
13
PKI Standards and Protocols
• A number of standards have been proposed for PKI
– Public Key Cryptography Standards (PKCS)
– X509 certificate standards
Security+ Guide to Network Security
Fundamentals, 2e
14
Public Key Cryptography
Standards (PKCS)
• Numbered set of standards that have been defined
by the RSA Corporation since 1991
• Composed of 15 standards detailed on pages 318
and 319 of the text
Security+ Guide to Network Security
Fundamentals, 2e
15
X509 Digital Certificates
• X509 is an international standard defined by the
International Telecommunication Union (ITU) that
defines the format for the digital certificate
• Most widely used certificate format for PKI
• X509 is used by Secure Socket Layers
(SSL)/Transport Layer Security (TLS), IP Security
(IPSec), and Secure/Multipurpose Internet Mail
Extensions (S/MIME)
Security+ Guide to Network Security
Fundamentals, 2e
16
X509 Digital Certificates (continued)
Security+ Guide to Network Security
Fundamentals, 2e
17
Trust Models
• Refers to the type of relationship that can exist
between people or organizations
• In the direct trust, a personal relationship exists
between two individuals
• Third-party trust refers to a situation in which two
individuals trust each other only because each
individually trusts a third party
• The three different PKI trust models are based on
direct and third-party trust
Security+ Guide to Network Security
Fundamentals, 2e
18
Trust Models (continued)
Security+ Guide to Network Security
Fundamentals, 2e
19
Trust Models (continued)
• The web of trust model is based on direct trust
• Single-point trust model is based on third-party trust
– A CA directly issues and signs certificates
• In an hierarchical trust model, the primary or root
certificate authority issues and signs the certificates
for CAs below it
Security+ Guide to Network Security
Fundamentals, 2e
20
Managing Digital Certificates
• After a user decides to trust a CA, they can download
the digital certificate and public key from the CA and
store them on their local computer
• CA certificates are issued by a CA directly to
individuals
• Typically used to secure e-mail transmissions through
S/MIME and SSL/TLS
Security+ Guide to Network Security
Fundamentals, 2e
21
Managing Digital Certificates (continued)
Security+ Guide to Network Security
Fundamentals, 2e
22
Managing Digital Certificates
(continued)
• Server certificates can be issued from a Web server,
FTP server, or mail server to ensure a secure
transmission
• Software publisher certificates are provided by
software publishers to verify their programs are
secure
Security+ Guide to Network Security
Fundamentals, 2e
23
Certificate Policy (CP)
• Published set of rules that govern operation of a PKI
• Begins with an opening statement outlining its scope
• Should cover at a minimum the topics listed on
page 325 of the text
Security+ Guide to Network Security
Fundamentals, 2e
24
Certificate Practice Statement (CPS)
• More technical document compared to a CP
• Describes in detail how the CA uses and manages
certificates
• Covers topics such as those listed on pages 325 and
326 of the text
Security+ Guide to Network Security
Fundamentals, 2e
25
Certificate Life Cycle
• Typically divided into four parts:
– Creation
– Revocation
– Expiration
– Suspension
Security+ Guide to Network Security
Fundamentals, 2e
26
Exploring Key Management
• Because keys form the very foundation of the
algorithms in asymmetric and PKI systems, it is vital
that they be carefully managed
Security+ Guide to Network Security
Fundamentals, 2e
27
Centralized and Decentralized
Management
• Key management can either be centralized or
decentralized
• An example of a decentralized key management
system is the PKI web of trust model
• Centralized key management is the foundation for
single-point trust models and hierarchical trust
models, with keys being distributed by the CA
Security+ Guide to Network Security
Fundamentals, 2e
28
Key Storage
• It is possible to store public keys by embedding them
within digital certificates
• This is a form of software-based storage and doesn’t
involve any cryptography hardware
• Another form of software-based storage involves
storing private keys on the user’s local computer
Security+ Guide to Network Security
Fundamentals, 2e
29
Key Storage (continued)
• Storing keys in hardware is an alternative to
software-based keys
• Whether private keys are stored in hardware or
software, it is important that they be adequately
protected
Security+ Guide to Network Security
Fundamentals, 2e
30
Key Usage
• If you desire more security than a single set of public
and private (single-dual) keys can offer, you can
choose to use multiple pairs of dual keys
• One pair of keys may be used to encrypt information
and the public key could be backed up to another
location
• The second pair would be used only for digital
signatures and the public key in that pair would never
be backed up
Security+ Guide to Network Security
Fundamentals, 2e
31
Key Handling Procedures
• Certain procedures can help ensure that keys are
properly handled:
– Escrow
– Expiration
– Renewal
– Revocation
– Recovery
– Suspension
– Destruction
Security+ Guide to Network Security
Fundamentals, 2e
32
Summary
• One of the advantages of symmetric cryptography is
that encryption and decryption using a private key is
usually fast and easy to implement
• A digital signature solves the problem of
authenticating the sender when using asymmetric
cryptography
• With the number of different tools required for
asymmetric cryptography, an organization can find
itself implementing piecemeal solutions for different
applications
Security+ Guide to Network Security
Fundamentals, 2e
33
Summary (continued)
• PKCS is a numbered set of standards that have been
defined by the RSA Corporation since 1991
• The three PKI trust models are based on direct and
third-party trust
• Digital certificates are managed through CPs and
CPSs
Security+ Guide to Network Security
Fundamentals, 2e
34
Related documents
Internet Marketing Fundamentals
Internet Marketing Fundamentals
sch1sec3fundamentalsofmarketing2
sch1sec3fundamentalsofmarketing2
PowerPoint ******
PowerPoint ******
Computer Systems Fundamentals
Computer Systems Fundamentals
DBAdminFund_PPT_2.1
DBAdminFund_PPT_2.1
Tappan Zee High School Virtual High School Course Offerings 2016
Tappan Zee High School Virtual High School Course Offerings 2016
Computer science
Computer science
Course Descriptions
Course Descriptions
Fundamentals of Speech Recognition
Fundamentals of Speech Recognition
Computer Networks [Opens in New Window]
Computer Networks [Opens in New Window]
Cpas - Madison Central High / Overview
Cpas - Madison Central High / Overview
- Canberra College Online
- Canberra College Online
Database Design for the Web
Database Design for the Web
Computing Fundamentals: Software
Computing Fundamentals: Software