Bài giảng Public Key Infrastructure

Public Key InfrastructureContentsPreparing for Cryptographic AttacksCryptography Standards and ProtocolsKey management and Key life cycleIntroduction of PKITrust modelsPKI management Cryptographic AttacksSpecific attacks on cryptographic systems can be divided into three types:Attacking the keyAttacking the algorithmIntercepting the transmission Cryptographic Attacks: Birthday attackA birthday attack is an example of an attack targeted at the key.It isn’t an attack on the algorithm itself, just on the results. If 25 people are in a room, there is some probability that two of those people will have the same birthday.The probability increases as additional people enter the room.It’s important to remember that probability doesn’t mean that something will occur, only that it’s more likely to occur. Cryptographic Attacks: Weak key attackBased on the premise that many common passwords are used by lots of people.If the key length is short, the resulting hash value will be easier to guess.Make sure your users use passwords and encryption keys that are hard to guess. You may even want to consider a random-password generating system. Cryptographic Attacks: Mathematical attackMathematical attacks can be focused on the encryption algorithm itself, the key mechanism, or any potential area of weakness in the algorithm.These attacks use mathematical modeling and statistical analysis to determine how the system operates. These types of attacks depend on intercepting large amounts of data and methodically attempting to decrypt the messages using one of the methods previously described.ContentsPreparing for Cryptographic AttacksCryptography Standards and ProtocolsKey management and Key life cycleIntroduction of PKITrust modelsPKI managementPublic Domain CryptographyPublic domain cryptography refers to the standards and protocols that emerge from individual or corporate efforts and are released to the general public for usePGP and RSA are two common public cryptographic initiatives.Pretty Good Privacy (PGP) - Bí mật tương đối tốtDeveloped by Phil ZimmermanIn 1991, he published the encryption system on the InternetPGP has become a de facto standard for e-mail encryption. PGP uses both symmetrical and asymmetrical encryptionPretty Good Privacy (PGP)RSARivest, Shamir, and AdlemanRSA has been very involved in developing Public-Key Cryptography Standards (PKCS), and it maintains a list of standards for PKCSPublic-Key Infrastructure X.509 (PKIX)Public-Key Cryptography Standards (PKCS) is a set of voluntary standards created by RSA and security leaders. Early members of this group included Apple, Microsoft, DEC (now HP), Lotus, Sun, and MIT.X.509The X.509 standard definesCertificate formats and fields for public keysThe procedures that should be used to distribute public keys. The X.509 version 2 certificate is still used as the primary method of issuing Certificate Revocation List (CRL) certificates.The current version of X.509 certificates is version 3, and it comes in two basic types:End-entity certificateThe CA certificate is issued by one CA to another CA. The second CA can, in turn, issue certificates to an end entity.So what’s in a X.509 Digital Certificate?X.509 certificate standardX.509 Version NumberSubjectPublic Key!!!Issuer (CA that vouched for you)Serial NumberValidity datesCertificate UsageSignature AlgorithmExtensionsSo what’s in a X.509 Digital Certificate?SSL and TLSSecure Sockets Layer (SSL):Establish a secure communication connection between two TCP-based machinesUses the handshake method of establishing a sessionThe number of steps is always between four and nine, inclusive, based on who is doing the documentation and TLSSecure Sockets Layer (SSL):SSL and TLSTransport Layer Security (TLS): Bảo mật lớp truyền dẫnExpands upon SSLTLS may replace SSL in the near futureThe TLS protocol is also referred to as SSL 3.1, but despite its name, it doesn’t interoperate with SSLCertificate Management Protocol (CMP)A messaging protocol used between PKI entities.XML Key Management Specification (XKMS) is designed to allow XML-based programs access to PKI servicesCMP is expected to be an area of high growth as PKI usage grows.Secure Multipurpose Internet Mail ExtensionsS/MIMEA standard used for encrypting e-mailUses the PKCS #7 standard (Cryptographic Message Syntax Standard) and is the most widely supported standard used to secure e-mail communications.Secure Electronic Transaction (SET)Provides encryption for credit card numbers that can be transmitted over the InternetDeveloped by Visa and MasterCardSecure Shell (SSH)A tunneling protocol originally used on Unix systemsNow available for both Unix and WindowsSSH connections are established in two phases:The first phase is a secure channel to negotiate the channel connectionThe second phase is a secure channel used to establish the connectionSecure Shell (SSH)HTTP SecureHypertext Transport Protocol Secure (HTTPS) is the secure version of HTTPUses SSL to secure the channel between the client and serverUses port 443 by default.Secure HTTPSecure Hypertext Transport Protocol (S-HTTP) is HTTP with message security (added by using RSA or a digital certificate).Whereas HTTPS creates a secure channel, S-HTTP creates a secure message.S-HTTP can use multiple protocols and mechanisms to protect the message. It also provides data integrity and authentication.IP Security (IPSec)Provides authentication and encryption across the InternetBecoming a standard for encrypting virtual private network (VPN) channelsOne of the primary uses of IPSec is to create VPNs. IPSec, in conjunction with Layer 2 Tunneling Protocol (L2TP) or Layer 2 Forwarding (L2F), creates packets that are difficult to read if intercepted by a third party.IPSec works at layer 3 of the OSI model.IP Security (IPSec)Protocols used by IPSec at the bottom layer areAuthentication Header (AH)Encapsulating Security Payload (ESP).Both can operate in either the transport or tunnel mode. Port 50 is used for ESPPort 51 is used for AH.Tunneling ProtocolsPoint-to-Point Tunneling Protocol (PPTP)Encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts Point-to-Point Protocol (PPP) packetsPPTP uses port 1723 and TCP for connections.Layer 2 Forwarding (L2F)Created by CiscoCreating tunnels primarily for dial-up connections.Shouldn’t be used over WANs.Provides authentication, but doesn’t provide encryption. L2F uses port 1701 and TCP for connections.Tunneling ProtocolsLayer 2 Tunneling Protocol (L2TP)L2TP is a hybrid of PPTP and L2FPrimarily a point-to-point protocolSupports multiple network protocols so it can be used as a bridge across many types of systemsIPX, SNA, and IPL2TP doesn’t provide data security: The information isn’t encrypted. (Security can be provided by protocols such as IPSec.)L2TP uses port 1701 and UDP for connections.Wireless Transport Layer Security (WTLS)Provides an encrypted and authenticated connection between a wireless client and a serverWTLS is similar in function to TLS, Uses a lower bandwidthLess processing powerIt’s used to support wireless devicesContentsPreparing for Cryptographic AttacksCryptography Standards and ProtocolsKey management and Key life cycleIntroduction of PKITrust modelsPKI managementKey ManagementCentralized versus decentralized key generationKey storage and distributionKey escrowKey expirationKey revocationKey suspensionKey recovery and archivalKey renewalKey destructionKey usageKey generationKey length and the method used to create the key also affect the security of the system in use.The security of a key is measured by how difficult it is to break the keyAccording to RSA, it would take 3 million years and a $10 million budget to break a key with a key length of 1,024 bitsKey generationCentralized Key GenerationKey generationDecentralized Key GenerationStoring and Distributing KeysUsually accomplished using a Key Distribution Center (KDC), as used in Kerberos, or by using a Key Exchange Algorithm (KEA), as in the case of PKI.Storing and Distributing KeysUsually accomplished using a Key Distribution Center (KDC), as used in Kerberos, or by using a Key Exchange Algorithm (KEA), as in the case of PKI.Key EscrowA key escrow system stores keys for the purpose of law enforcement accessKey escrow systems can also be a part of the key recovery processKey ExpirationA key expiration date identifies when a key is no longer valid.Normally, a key is date stamped; this means that it becomes unusable after a specified date.A new key or certificate is normally issued before the expiration date.Revoking KeysKeys are revoked whenthey are compromisedthe authentication process has malfunctionedpeople are transferredother security risks occur. Revoking a key keeps it from being misused.A revoked key must be assumed to be invalid or possibly compromised.PKI use a CRL to perform a check on the status of revoked keysSuspending KeysA key suspension is a temporary situation.If an employee were to take a leave of absence, the employee’s key could be suspended until they came back to work.In a PKI system, a CRL would be checked to determine the status of a certificateRecovering and Archiving KeysKey archivingRecovering and Archiving KeysKey recoveryCurrent keysPrevious KeysArchived keysRenewing KeysKey renewal defines the process of enabling a key for use after its scheduled expiration date.A key would be reissued for a certain time in this situation. This process is called a key rolloverDestroying KeysKey destruction is the process of destroying keys that have become invalid.Many symmetrically based encryption systems use a dedicated device to carry the key for the encryption.This key would be physically delivered to the site using the encryption system.Old keys would be recovered and destroyed.ContentsPreparing for Cryptographic AttacksCryptography Standards and ProtocolsKey management and Key life cycleIntroduction of PKITrust modelsPKI managementMiM (normal exchange)MiM Attack! (part 1)MiM Attack! Part 2Public Key InfrastructureWouldn’t it be nice if some one we could distribute public keys AND be assured that the public key we received was the actual public key of the person we expect to talk to?Public Key InfrastructurePKIs are generally concerned with ensuring and managing identity trust, specifically using “digital certificates”.Provides all the components necessary for users to be able to communicate securely in a managed method.Includes hardware, software, policies, services, algorithms and protocols.Enables C, and I of the CIA triadEnables non-repudiationCIA TriadCIA TriadConfidentialityConfidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems.Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.IntegrityIn information security, integrity means that data cannot be modified without authorization.This is not the same thing as referential integrity in databases.AuthenticityIn computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.Public Key InfrastructureIn a PKI you are given a digital certificate, which contains your identity, and a key (public key) people can use to encrypt data securely to you OR verify items that you have digitally signed!However we must have some way of ensuring that the digital certificate has not been “faked” so we have a entity called a Certificate Authority (CA) that digitally signs your digital certificate, proving that the digital certificate is really yours!It is important that users trust the CA, otherwise there is no purpose!!! The entire PKI structure relies upon the fact that the CA can be trusted! If the CA is comprimised the whole PKI is useless.Public Key InfrastructureCAs are computer technology entities that issue/sign your digital certificates, however they rely on an entity to actually do a “background” check on you to prove you really are you you say you are before the CA will “vouch” for you. This “background” check entity is called an Registration Authority (RA)RA would take identifying information that proves I am who I say I am such asDrivers licensePassportBirth CertificateOnce my identity is verified the RA will tell the CA to issue and sign a digital certificate for meHow PKI works?Once a digital certificate has been created and signed, they are stored in a “Certificate repository” which can be queried by users and applications in a PKI when someone wants to communicate with a user.These repositories are usually LDAP compliant databases.Lets look at a digital Certificate togetherFirefox – https://www.redhat.comClick on the yellow lock at the bottomIn the pop-up click on “view certificate”What version is it?What’s the “Common Name”Who is the Issuing Certificate AuthorityWhen does the Certificate ExpireWhy would a certificate expire?Lets look at a digital Certificate togetherNow click on the details tabWhat is this “Certificate Hierarchy” stuff?Who Signed the cert for www.redhat.comWho signed the cert for that CA? This “vouching” for CAs is called a “certificate chain”If someone signed for someone else who signed for them? When does this end? Let’s explore thisPKI hierarchy – Phân cấp PKIPKI implementations are usually a hierarchy, where one CA signs another CAs certificate.Parent - Child relationshipTop parent is called a root CAAll others are called subordinate CAPKI hierarchyCA concernsEvery CA should have a Certification Practice Statement which outlinesHow the RA verifies identitiesHow the Certificates are transferredHow keys are securedWhat data is in a Digital CertificateHow revocations are handled etcBefore using a 3rd party CA, you should understand and be comfortable with CPS and the security controls they use. If the CA does not handle things securely there is no point in using them.Types of CertificatesThere are 3 main types of certificatesEnd-entity certificatesGiven to end users or servers or applicationsCA certificatesGiven to CAs, can be signed by another CA or “self signed”What does it mean to be self signed, what does it imply?Cross-certification certificatesWhen two companies want to trust each other, their root CAs may issue a certificate to the root CAs for each other, allowing a “peer to peer” trust model for CAs and allowing users in one organization to trust users in another.Certificate Practice StatementsA Certificate Practice Statement (CPS) is a detailed statement the CA uses to issue certificates and implement its policies of the CA.If a CA is unwilling to provide this information to a user, the CA itself may be untrustworthy, and the trustworthiness of that CA’s users should be questioned.Multiple CertificatesSome PKIs use multiple certificates, and as such multiple public/private key pairs.One for digitally signing dataOne for encrypting dataWhy would we want to have two different keys? (Hint. think key storage and non-repudiation)ContentsPreparing for Cryptographic AttacksCryptography Standards and ProtocolsKey management and Key life cycleIntroduction of PKITrust modelsPKI managementTrust modelsFour main types of trust models are used with PKI:HierarchicalBridgeMeshHybridPKI was designed to allow all of these trust models to be created. They can be fairly granular from a control perspective. Granularity refers to the ability to manage individual resources in the CA network.Hierarchical Trust ModelsA root CA at the top provides all the information.The intermediate CAs are next in the hierarchy, and they only trust information provided by the root CAThe root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren’t.This arrangement allows a high level of control at all levels of the hierarchical tree.Hierarchical Trust ModelsBridge Trust ModelsMesh Trust ModelsHybrid Trust ModelWeb of Trust modelWeb of Trust modelWeb of Trust is a PKI with no central hierarchy, it’s literally a web. It’s like 6 degrees of separation.Bob vouches for AndySarah trusts Bob, so she trusts the identity of AndySara vouches for BobSteve trusts Sara, therefore he trusts the identities of Bob, and Andy via SarahPGP uses web of trustWeb of Trust modelExample PGP verificationVerifing the signature of ClamAVContentsPreparing for Cryptographic AttacksCryptography Standards and ProtocolsKey management and Key life cycleIntroduction of PKITrust modelsPKI managementCertificate RenewalsCertificates have a lifetime after which they expire. Why?When a certificate expires you have to renew it. You don’t have to go through the RA again. You just have to be able to sign a message with your old private key.When renewing you can use the old public/private key pair or generate a new key pair. What is the advantage of generating a new pair?Certificate RevocationCertificate revocation is the process of revoking a certificate before it expiresWhy?It was stolenAn employee moved to a new companySomeone has had their access revokedA certificate revocation is handled either through a Certificate Revocation List (CRL) or by using the Online Certificate Status Protocol (OCSP).Certificate RevocationCertificate Revocation List (CRL)Certificate serial number that have been revokedReason for revocationDate of revocationThe CRL is digitally signed by the CACertificate RevocationClient software must check the CRL before trusting a digital certificateOnce a certificate is revoked, it cannot be “un-revoked”A certificate could be suspended, (or put on hold) this also goes on the CRL, however a special “reason” of suspended is used.Suspended certificates MAY be un-suspendedCertificate RevocationOnline Certificate Status Protocol (OCSP)A client server modelA client program actually queries a server to see if someone’s certificate is valid.This way the client does not need to know how to find the CRL for the given certificate Authority and doesn’t have to actually search through the CRL.