Download Chapter 12 - Cisco Networking Academy

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
Document related concepts

Airborne Networking wikipedia , lookup

Deep packet inspection wikipedia , lookup

Network tap wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Wireless security wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Transcript 
Security+ Guide to Network
Security Fundamentals, Third
Edition
Chapter 12
Applying Cryptography
Objectives
• Define digital certificates
• List the various types of digital certificates and how
they are used
• Describe the components of Public Key
Infrastructure (PKI)
• List the tasks associated with key management
• Describe the different cryptographic transport
protocols
Security+ Guide to Network Security Fundamentals, Third Edition
2
Digital Certificates
• Using digital certificates involves:
– Understanding their purpose
– Knowing how they are authorized, stored, and revoked
– Determining which type of digital certificate is
appropriate for different situations
Security+ Guide to Network Security Fundamentals, Third Edition
3
Defining Digital Certificates
• Digital certificate
– Can be used to associate or “bind” a user’s identity to
a public key
– The user’s public key that has itself been “digitally
signed” by a reputable source entrusted to sign it
• Digital certificates make it possible for Alice to verify
Bob’s claim that the key belongs to him
• When Bob sends a message to Alice he does not
ask her to retrieve his public key from a central site
– Instead, Bob attaches the digital certificate to the
message
Security+ Guide to Network Security Fundamentals, Third Edition
4
Security+ Guide to Network Security Fundamentals, Third Edition
5
Defining Digital Certificates
(continued)
• A digital certificate typically contains the following
information:
–
–
–
–
–
–
Owner’s name or alias
Owner’s public key
Name of the issuer
Digital signature of the issuer
Serial number of the digital certificate
Expiration date of the public key
Security+ Guide to Network Security Fundamentals, Third Edition
6
Authorizing, Storing, and Revoking
Digital Certificates
• Certificate Authority (CA)
– An entity that issues digital certificates for others
– A user provides information to a CA that verifies her
identity
– The user generates public and private keys and sends
the public key to the CA
– The CA inserts this public key into the certificate
• Registration Authority (RA)
– Handles some CA tasks such as processing certificate
requests and authenticating users
Security+ Guide to Network Security Fundamentals, Third Edition
7
Authorizing, Storing, and Revoking
Digital Certificates (continued)
• Certificate Revocation List (CRL)
– Lists revoked certificates
– Can be accessed to check the certificate status of
other users
– Most CRLs can either be viewed or downloaded
directly into the user’s Web browser
• Certificate Repository (CR)
– A publicly accessible directory that contains the
certificates and CRLs published by a CA
– CRs are often available to all users through a Web
browser interface
Security+ Guide to Network Security Fundamentals, Third Edition
8
Security+ Guide to Network Security Fundamentals, Third Edition
9
Authorizing, Storing, and Revoking
Digital Certificates (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
10
Types of Digital Certificates
• Digital certificates can also be used to:
– Encrypt channels to provide secure communication
– Encrypt messages for secure Internet e-mail
communication
– Verify the identity of clients and servers on the Web
– Verify the source and integrity of signed executable
code
• Categories of digital certificates
– Personal digital certificates
– Server digital certificates
– Software publisher digital certificates
Security+ Guide to Network Security Fundamentals, Third Edition
11
Security+ Guide to Network Security Fundamentals, Third Edition
12
Types of Digital Certificates
(continued)
• Single-sided certificate
– When Bob sends one digital certificate to Alice along
with his message
• Dual-sided certificates
– Certificates in which the functionality is split between
two certificates
• Signing certificate
• Encryption certificate
Security+ Guide to Network Security Fundamentals, Third Edition
13
Types of Digital Certificates
(continued)
• Dual-sided certificate advantages:
– Reduce the need for storing multiple copies of the
signing certificate
– Facilitate certificate handling in organizations
• X.509 Digital Certificates
– The most widely accepted format for digital certificates
Security+ Guide to Network Security Fundamentals, Third Edition
14
Types of Digital Certificates
(continued)
Security+ Guide to Network Security Fundamentals, Third Edition
15
Security+ Guide to Network Security Fundamentals, Third Edition
16
Security+ Guide to Network Security Fundamentals, Third Edition
17
Public Key Infrastructure (PKI)
• Public key infrastructure involves public-key
cryptography standards, trust models, and key
management
Security+ Guide to Network Security Fundamentals, Third Edition
18
What Is Public Key Infrastructure
(PKI)?
• Public key infrastructure (PKI)
– A framework for all of the entities involved in digital
certificates to create, store, distribute, and revoke
digital certificates
• Includes hardware, software, people, policies and
procedures
• PKI is digital certificate management
Security+ Guide to Network Security Fundamentals, Third Edition
19
Public-Key Cryptographic Standards
(PKCS)
• Public-key cryptography standards (PKCS)
– A numbered set of PKI standards that have been
defined by the RSA Corporation
– These standards are based on the RSA public-key
algorithm
Security+ Guide to Network Security Fundamentals, Third Edition
20
Security+ Guide to Network Security Fundamentals, Third Edition
21
Security+ Guide to Network Security Fundamentals, Third Edition
22
Security+ Guide to Network Security Fundamentals, Third Edition
23
Trust Models
• Trust may be defined as confidence in or reliance on
another person or entity
• Trust model
– Refers to the type of trusting relationship that can exist
between individuals or entities
• Direct trust
– A relationship exists between two individuals because
one person knows the other person
• Third party trust
– Refers to a situation in which two individuals trust
each other because each trusts a third party
Security+ Guide to Network Security Fundamentals, Third Edition
24
Trust Models (continued)
• Direct trust is not feasible when dealing with multiple
users who each have digital certificates
• Three PKI trust models that use a CA
– Hierarchical trust model
– Distributed trust model
– Bridge trust model
Security+ Guide to Network Security Fundamentals, Third Edition
25
Trust Models (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
26
Trust Models (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
27
Security+ Guide to Network Security Fundamentals, Third Edition
28
Managing PKI
• Certificate policy (CP)
– A published set of rules that govern the operation of a
PKI
– Provides recommended baseline security
requirements for the use and operation of CA, RA,
and other PKI components
• Certificate practice statement (CPS)
– Describes in detail how the CA uses and manages
certificates
– A more technical document than a CP
Security+ Guide to Network Security Fundamentals, Third Edition
29
Managing PKI (continued)
• Certificate life cycle
–
–
–
–
Creation
Suspension
Revocation
Expiration
Security+ Guide to Network Security Fundamentals
30
Key Management
• Proper key management includes key storage, key
usage, and key handling procedures
Security+ Guide to Network Security Fundamentals, Third Edition
31
Key Storage
• Public keys can be stored by embedding them within
digital certificates
– While private keys can be stored on the user’s local
system
• The drawback to software-based storage is that it
may leave keys open to attacks
• Storing keys in hardware is an alternative to
software-based storage
• Private keys can be stored on smart cards or in
tokens
Security+ Guide to Network Security Fundamentals, Third Edition
32
Key Usage
• If more security is needed than a single set of public
and private keys
– Then multiple pairs of dual keys can be created
• One pair of keys may be used to encrypt information
– The public key could be backed up to another location
• The second pair would be used only for digital
signatures
– The public key in that pair would never be backed up
Security+ Guide to Network Security Fundamentals, Third Edition
33
Key Handling Procedures
• Procedures include:
–
–
–
–
–
Escrow
Expiration
Renewal
Revocation
Recovery
• Key recovery agent (KRA)
• M-of-N control
– Suspension
– Destruction
Security+ Guide to Network Security Fundamentals, Third Edition
34
Security+ Guide to Network Security Fundamentals, Third Edition
35
Cryptographic Transport Protocols
• Cryptographic transport protocols can be
categorized by the applications that they are
commonly used for:
– File transfer, Web, VPN, and e-mail
Security+ Guide to Network Security Fundamentals, Third Edition
36
File Transfer Protocols
• File Transfer Protocol (FTP)
– Part of the TCP/IP suite
– Used to connect to an FTP server
• Vulnerabilities
– Usernames, passwords, and files being transferred
are in cleartext
– Files being transferred by FTP are vulnerable to manin-the-middle attacks
• One of the ways to reduce the risk of attack is to use
encrypted Secure FTP (SFTP)
Security+ Guide to Network Security Fundamentals, Third Edition
37
File Transfer Protocols (continued)
• Secure Sockets Layer (SSL)
– A protocol developed by Netscape for securely
transmitting documents over the Internet
– Uses a public key to encrypt data that is transferred
over the SSL connection
• Transport Layer Security (TLS)
– A protocol that guarantees privacy and data integrity
between applications communicating over the Internet
– An extension of SSL
• Are often referred to as SSL/TLS or TLS/SSL
Security+ Guide to Network Security Fundamentals, Third Edition
38
File Transfer Protocols (continued)
• A second protocol that can be used with SFTP is
Secure Shell (SSH)
– Also called SFTP/SSH
• SSH
– A UNIX-based command interface and protocol for
securely accessing a remote computer
– Suite of three utilities: slogin, scp, and ssh
– Both the client and server ends of the connection are
authenticated using a digital certificate
• Passwords are protected by being encrypted
Security+ Guide to Network Security Fundamentals, Third Edition
39
File Transfer Protocols (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
40
Web Protocols
• Another use of SSL is to secure Web HTTP
communications between a browser and a Web
server
• Hypertext Transport Protocol over Secure
Sockets Layer
– “Plain” HTTP sent over SSL/TLS
• Secure Hypertext Transport Protocol
– Allows clients and the server to negotiate
independently encryption, authentication, and digital
signature methods, in any combination, in both
directions
Security+ Guide to Network Security Fundamentals, Third Edition
41
VPN Protocols
• Point-to-Point Tunneling Protocol (PPTP)
– Most widely deployed tunneling protocol
– Allows IP traffic to be encrypted and then
encapsulated in an IP header to be sent across a
public IP network such as the Internet
– Based on the Point-to-Point Protocol (PPP)
• Point-to-Point Protocol over Ethernet (PPPoE)
– Another variation of PPP that is used by broadband
Internet providers with DSL or cable modem
connections
Security+ Guide to Network Security Fundamentals, Third Edition
42
VPN Protocols (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
43
VPN Protocols (continued)
• Layer 2 Tunneling Protocol (L2TP)
– Merges the features of PPTP with Cisco’s Layer 2
Forwarding Protocol (L2F)
– L2TP is not limited to working with TCP/IP-based
networks, but supports a wide array of protocols
– An industry-standard tunneling protocol that allows IP
traffic to be encrypted
• And then transmitted over any medium that supports
point-to-point delivery
Security+ Guide to Network Security Fundamentals, Third Edition
44
VPN Protocols (continued)
• IP Security (IPsec)
– A set of protocols developed to support the secure
exchange of packets
• Because it operates at a low level in the OSI
model
– IPsec is considered to be a transparent security
protocol for applications, users, and software
• IPsec provides three areas of protection:
– Authentication, confidentiality, and key management
Security+ Guide to Network Security Fundamentals, Third Edition
45
Security+ Guide to Network Security Fundamentals, Third Edition
46
VPN Protocols (continued)
• IPsec supports two encryption modes:
– Transport mode encrypts only the data portion
(payload) of each packet yet leaves the header
unencrypted
– Tunnel mode encrypts both the header and the data
portion
• Both AH and ESP can be used with transport or
tunnel mode
– Creating four possible transport mechanisms
Security+ Guide to Network Security Fundamentals, Third Edition
47
Security+ Guide to Network Security Fundamentals, Third Edition
48
Security+ Guide to Network Security Fundamentals, Third Edition
49
VPN Protocols (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
50
E-mail Transport Protocol
• S/MIME (Secure/Multipurpose Internet Mail
Extensions)
– One of the most common e-mail transport protocols
– Uses digital certificates to protect the e-mail
messages
• S/MIME functionality is built into the vast majority of
modern e-mail software and interoperates between
them
Security+ Guide to Network Security Fundamentals, Third Edition
51
Summary
• Digital certificates can be used to associate a user’s
identity to a public key
• An entity that issues digital certificates for others is
known as a Certificate Authority (CA)
• Types of certificates
– Personal, server, and software publisher certificates
• PKI is digital certificate management
• One of the principal foundations of PKI is that of trust
Security+ Guide to Network Security Fundamentals, Third Edition
52
Summary (continued)
• An organization that uses multiple digital certificates
on a regular basis needs to properly manage those
digital certificates
• One cryptographic transport protocol for FTP is
Secure Sockets Layer (SSL)
• A secure version for Web communications is HTTP
sent over SSL/TLS and is called HTTPS (Hypertext
Transport Protocol over Secure Sockets Layer)
• There are several “tunneling” protocols (when a
packet is enclosed within another packet) that can be
used for VPN transmissions
Security+ Guide to Network Security Fundamentals, Third Edition
53
Related documents
Internet Marketing Fundamentals
Internet Marketing Fundamentals
sch1sec3fundamentalsofmarketing2
sch1sec3fundamentalsofmarketing2
PowerPoint ******
PowerPoint ******
Computer Systems Fundamentals
Computer Systems Fundamentals
DBAdminFund_PPT_2.1
DBAdminFund_PPT_2.1
Tappan Zee High School Virtual High School Course Offerings 2016
Tappan Zee High School Virtual High School Course Offerings 2016
Computer science
Computer science
Course Descriptions
Course Descriptions
Fundamentals of Speech Recognition
Fundamentals of Speech Recognition
Computer Networks [Opens in New Window]
Computer Networks [Opens in New Window]
Cpas - Madison Central High / Overview
Cpas - Madison Central High / Overview
- Canberra College Online
- Canberra College Online
Database Design for the Web
Database Design for the Web
Computing Fundamentals: Software
Computing Fundamentals: Software