Security+
All-In-One Edition
Chapter 5 – Public Key
Infrastructure
Brian E. Brzezicki
Public Key Infrastructure
So… Symmetric key (shared secret key) encryption is
fast and nice, but has what MAJOR
problem?
Symmetric key encryption also doesn’t
provide integrity ;(
Asymmetric key/public key encryption can be
combined with symmetric key encryption to
solve BOTH problems, but asymmetric key
encryption has what problem of its own?
MitM (man-in-the-middle): normal exchange
MitM attack! (part 1)
MitM attack! (part 2)
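The exchange the three man-in-the-middle diagrams above describe, as an added example that is not part of the original slides. It assumes Diffie-Hellman as the concrete unauthenticated public-key exchange (each side publishes a public value, nobody vouches for it), uses made-up party names (Alice, Bob, Mallory) and toy-sized parameters, and shows why neither victim can notice the swap:

```python
"""Added example, not from the slides: why an unauthenticated public-key
exchange is open to a man-in-the-middle. Diffie-Hellman stands in for the
exchange: each side publishes a public value, and Mallory on the wire swaps
both for her own, ending up with a separate shared key with each victim.
Parameters are toy-sized (use RFC 3526/7919 groups for anything real)."""
import hashlib
import random

random.seed(7)          # deterministic demo
P = 2**127 - 1          # the Mersenne prime M127; far too small for real use
G = 3


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(their_pub, my_priv):
    return pow(their_pub, my_priv, P)


def kdf(shared):
    """Derive a symmetric session key from the shared secret."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Mallory:
    """Sits on the wire: records each real public value and forwards her own instead."""

    def __init__(self):
        self.priv = random.randrange(2, P - 2)
        self.captured = []

    def intercept(self, public_value):
        self.captured.append(public_value)
        return dh_public(self.priv)


def run_exchange(attacker_present):
    """Alice and Bob exchange public values; returns who ends up knowing which key."""
    mallory = Mallory() if attacker_present else None
    a = random.randrange(2, P - 2)
    b = random.randrange(2, P - 2)

    def wire(value):                      # what the other side actually receives
        return mallory.intercept(value) if mallory else value

    bob_receives = wire(dh_public(a))     # Alice -> Bob: g^a  (or g^m if swapped)
    alice_receives = wire(dh_public(b))   # Bob -> Alice: g^b  (or g^m if swapped)

    # Both victims see a perfectly well-formed group element; nothing marks it as Mallory's.
    k_alice = kdf(dh_shared(alice_receives, a))
    k_bob = kdf(dh_shared(bob_receives, b))

    # Mallory finishes a separate exchange with each victim from the captured values:
    # (g^a)^m == (g^m)^a is Alice's key, (g^b)^m == (g^m)^b is Bob's key.
    mallory_keys = {kdf(dh_shared(v, mallory.priv)) for v in mallory.captured} if mallory else set()

    return {
        "alice_bob_agree": k_alice == k_bob,
        "mallory_knows_alice_key": k_alice in mallory_keys,
        "mallory_knows_bob_key": k_bob in mallory_keys,
    }


if __name__ == "__main__":
    print("no attacker :", run_exchange(False))
    print("with Mallory:", run_exchange(True))
```

With Mallory present Alice and Bob hold different keys and she holds both, so she can decrypt everything, re-encrypt it to the other side and relay it, and neither victim sees anything wrong. The only fix is to bind the public value to an identity, which is exactly what the CA signature on a certificate does in the slides that follow.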
Public Key Infrastructure
Wouldn’t it be nice if there were some way we could
distribute public keys AND be assured that
the public key we received was the actual
public key of the person we expect to talk
to?
PKI to the rescue!
PKI (109)
PKIs are generally concerned with ensuring and
managing identity trust, specifically using
“digital certificates”.
•
Provides all the components necessary for
users to be able to communicate securely in a
managed method.
•
Includes hardware, software, policies,
services, algorithms and protocols.
•
Enables the C and I of the CIA triad (confidentiality and integrity)
•
Enables non-repudiation
PKIs how do they work? (110)
•
In a PKI you are given a digital certificate, which contains
your identity and a key (your public key) that people can use to
encrypt data securely to you OR to verify items that you have
digitally signed!
•
However we must have some way of ensuring that the digital
certificate has not been “faked”, so we have an entity called a
Certificate Authority (CA) that digitally signs your digital
certificate, proving that the digital certificate is really yours!
–
It is important that users trust the CA, otherwise there is no purpose!!!
The entire PKI structure relies upon the fact that the CA can be
trusted! If the CA is compromised the whole PKI is useless.
(more)
PKIs how do they work? (110)
•
CAs are computer technology entities that issue/sign your
digital certificates; however, they rely on an entity to actually do
a “background” check on you to prove you really are who you
say you are before the CA will “vouch” for you. This
“background” check entity is called a Registration Authority
(RA).
The RA would take identifying information that proves I am who I
say I am, such as
•
Driver’s license
•
Passport
•
Birth certificate
Once my identity is verified the RA will tell the CA to issue and
sign a digital certificate for me
(more)
PKIs how do they work? (115)
•
Once a digital certificate has been created
and signed, it is stored in a “certificate
repository” which can be queried by users and
applications in a PKI when someone wants to
communicate with a user.
•
These repositories are usually LDAP-
compliant directories.
So what’s in a Digital Certificate?
(120)
X.509 certificate standard
•
X.509 Version Number
•
Subject
•
Public Key!!!
•
Issuer (CA that vouched for you)
•
Serial Number
•
Validity dates
•
Certificate Usage
•
Signature Algorithm
•
Extensions
Lets look at a digital Certificate
together (n/b)
•
Firefox –
•
Click on the padlock icon (in older Firefox versions, the yellow lock at the bottom of the window)
•
In the pop-up click on “view certificate”
•
What version is it?
•
What’s the “Common Name”
•
Who is the Issuing Certificate Authority
•
When does the Certificate Expire
•
Why would a certificate expire?
(more)
Lets look at a digital Certificate
together (n/b)
Now click on the details tab
•
What is this “Certificate Hierarchy” stuff?
•
Who Signed the cert for www.redhat.com
•
Who signed the cert for that CA?
•
This “vouching” for CAs is called a
“certificate chain”
•
If someone signed for someone else…
who signed for them? When does this
end? Let’s explore this…
PKI hierarchy
PKI implementations are usually a hierarchy,
where one CA signs another CA’s
certificate.
•
Parent/child relationship
•
The top parent is called the root CA
•
All others are called subordinate CAs
Visualization next slide
PKI hierarchy (142)
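The CA’s role (“the CA digitally signs your certificate, proving it is really yours”), the certificate chain questions on the www.redhat.com slides (“who signed for them? when does this end?”), the expiry question, and the root/subordinate hierarchy above, worked as one added example. This is not the slide deck’s or the textbook’s code: it builds a toy hierarchy (root CA → subordinate CA → server certificate) and walks it the way a relying party does. Signing uses textbook RSA with tiny keys and no padding purely so the block runs on the Python standard library; real X.509 uses RSA-PSS/PKCS#1 v1.5 or ECDSA, DER encoding, and many more checks. All names, keys and dates are made up.

```python
"""Added example, not the slide deck's code: a toy certificate hierarchy
(root CA -> subordinate CA -> server cert) and the checks a relying party runs
when walking the chain. Toy RSA, made-up names/keys/dates; never use for real."""
import hashlib
import random
from datetime import date

random.seed(5)

def _is_probable_prime(n, rounds=20):      # Miller-Rabin; n is odd and > 3 here
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(p):
            return p

def keygen(bits=128):
    """Returns (public, private) = ((n, e), (n, d)); a 256-bit n is demo size only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

def tbs(cert):
    """Serialize the to-be-signed fields; changing any of them breaks the signature."""
    f = cert["fields"]
    return ";".join(f"{k}={f[k]}" for k in sorted(f)).encode()

def issue(issuer, issuer_priv, subject, subject_pub, not_before, not_after, is_ca):
    cert = {"fields": {"subject": subject, "issuer": issuer, "pub": subject_pub, "ca": is_ca,
                       "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}}
    cert["sig"] = sign(issuer_priv, tbs(cert))
    return cert

def validate_chain(chain, trust_anchors, today):
    """chain[0] is the end-entity cert, chain[-1] the root; trust_anchors maps root
    names to public keys installed out of band. Returns 'ok' or the first failure."""
    for i, cert in enumerate(chain):
        f = cert["fields"]
        if not date.fromisoformat(f["not_before"]) <= today <= date.fromisoformat(f["not_after"]):
            return f"expired-or-not-yet-valid:{f['subject']}"
        if i > 0 and not f["ca"]:                     # only CA certs may vouch for others
            return f"issuer-not-a-ca:{f['subject']}"
        if i + 1 < len(chain):                        # vouched for by the next cert up
            if chain[i + 1]["fields"]["subject"] != f["issuer"]:
                return f"issuer-name-mismatch:{f['subject']}"
            issuer_pub = chain[i + 1]["fields"]["pub"]
        else:                                         # top of chain: must be a root we already trust
            if trust_anchors.get(f["subject"]) != f["pub"]:
                return f"untrusted-root:{f['subject']}"
            issuer_pub = f["pub"]                     # self-signed
        if not verify(issuer_pub, tbs(cert), cert["sig"]):
            return f"bad-signature:{f['subject']}"
    return "ok"

def demo():
    (root_pub, root_priv), (sub_pub, sub_priv), (srv_pub, _), (rogue_pub, rogue_priv) = [keygen() for _ in range(4)]
    root = issue("Example Root CA", root_priv, "Example Root CA", root_pub, date(2020, 1, 1), date(2040, 1, 1), True)
    sub = issue("Example Root CA", root_priv, "Example Issuing CA 1", sub_pub, date(2021, 1, 1), date(2031, 1, 1), True)
    srv = issue("Example Issuing CA 1", sub_priv, "www.example.com", srv_pub, date(2024, 1, 1), date(2025, 1, 1), False)
    anchors = {"Example Root CA": root_pub}
    # Without a CA private key an attacker can only edit fields after signing, or chain to a root nobody installed.
    forged = {"fields": dict(srv["fields"], subject="www.bank.example"), "sig": srv["sig"]}
    rogue = issue("Rogue Root", rogue_priv, "Rogue Root", rogue_pub, date(2020, 1, 1), date(2040, 1, 1), True)
    rogue_srv = issue("Rogue Root", rogue_priv, "www.example.com", rogue_pub, date(2024, 1, 1), date(2025, 1, 1), False)
    return {"valid": validate_chain([srv, sub, root], anchors, date(2024, 6, 1)),
            "expired": validate_chain([srv, sub, root], anchors, date(2026, 6, 1)),
            "tampered": validate_chain([forged, sub, root], anchors, date(2024, 6, 1)),
            "untrusted_root": validate_chain([rogue_srv, rogue], anchors, date(2024, 6, 1))}
```

The chain “ends” at a root whose public key the relying party already holds out of band (the trust anchor); that is also why a compromised or rogue root is fatal, since everything below it validates perfectly. Real validators additionally check revocation (CRL/OCSP), key usage and name constraints, and that the subject name matches the host being contacted; those are left out here.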
CA concerns (112)
•
Every CA should have a Certification Practice
Statement (CPS) which outlines
–
How the RA verifies identities
–
How the certificates are transferred
–
How keys are secured
–
What data is in a digital certificate
–
How revocations are handled… etc.
•
Before using a 3rd-party CA, you should understand
and be comfortable with its CPS and the security
controls it uses. If the CA does not handle things
securely… there is no point in using it.
Advanced PKI concepts
Types of Certificates
There are 3 main types of certificates
•
End-entity certificates
–
Given to end users or servers or applications
•
CA certificates
–
Given to CAs; can be signed by another CA or
“self-signed”
–
What does it mean to be self-signed, and what does
it imply?
(more)
Types of Certificates(145)
•
Cross-certification certificates
–
When two companies want to trust each
other, each root CA issues a certificate to
the other’s root CA, allowing a “peer
to peer” trust model for CAs and allowing
users in one organization to trust users in
another.
Visualization next slide
Cross Certification
Web of Trust model
Web of Trust model (n/b)
Web of Trust is a PKI with no central hierarchy;
it’s literally a web. It’s like six degrees of
separation.
•
Bob vouches for Andy
•
Sarah trusts Bob, so she trusts the identity of
Andy
•
Sarah vouches for Bob
•
Steve trusts Sarah, therefore he trusts the
identities of Bob, and Andy via Sarah…
•
PGP uses web of trust
Web of Trust
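The vouching chain on the Web of Trust slide (Steve → Sarah → Bob → Andy), as an added example that is not part of the original slides. It models the PGP-style rule (simplified from GnuPG’s defaults, which is an assumption about the model rather than something the slides state): a key is valid for me if it is signed by one valid key whose owner I fully trust as an introducer, or by two valid keys whose owners I marginally trust, within a maximum depth. All names and signatures are made up.

```python
"""Added example, not from the slides: a PGP-style web of trust has no CA, so
each user computes key validity from (a) signatures other users have put on
keys and (b) how much the user trusts each signer as an introducer ("owner
trust"). Rule mirrors GnuPG's default: one fully trusted or two marginally
trusted valid signers, within a maximum depth. All names are made up."""

def key_validity(me, signatures, owner_trust, max_depth=5, fulls_needed=1, marginals_needed=2):
    """signatures: {signer: set(keys that signer has signed)}.
    owner_trust: {key: 'full' | 'marginal'} from my point of view (absent = none).
    Returns {key: depth} for every key I consider valid (my own key is depth 0)."""
    valid = {me: 0}
    every_key = {k for signed in signatures.values() for k in signed}
    changed = True
    while changed:                       # iterate to a fixed point: validity propagates outward
        changed = False
        for key in every_key - set(valid):
            fulls = marginals = 0
            depth = None
            for signer, signed in signatures.items():
                if key not in signed or signer not in valid or valid[signer] >= max_depth:
                    continue             # not a signer, not (yet) valid, or too deep to introduce
                trust = "full" if signer == me else owner_trust.get(signer, "none")
                if trust == "full":
                    fulls += 1
                elif trust == "marginal":
                    marginals += 1
                else:
                    continue             # a valid key whose owner I don't trust as an introducer
                depth = valid[signer] + 1 if depth is None else min(depth, valid[signer] + 1)
            if fulls >= fulls_needed or marginals >= marginals_needed:
                valid[key] = depth
                changed = True
    return valid

# Constructed example: who has signed whose key.
SIGNATURES = {
    "steve": {"sarah", "carol", "erin"},   # Steve signed these keys himself (e.g. at a key-signing party)
    "sarah": {"bob"},                      # Sarah vouches for Bob
    "bob": {"andy"},                       # Bob vouches for Andy
    "carol": {"dave", "frank"},
    "erin": {"dave"},
}

def demo():
    """Steve's view: (validity with Sarah fully trusted, validity after also trusting Bob)."""
    trust = {"sarah": "full", "carol": "marginal", "erin": "marginal"}
    before = key_validity("steve", SIGNATURES, trust)
    after = key_validity("steve", SIGNATURES, dict(trust, bob="full"))
    return before, after
```

Note the distinction the slide’s shortcut glosses over: Sarah’s signature makes Bob’s key valid for Steve, but Bob’s signature on Andy only counts once Steve also assigns Bob owner trust as an introducer (the second result of demo()). Dave becomes valid through two marginally trusted signers, while Frank, with only one, does not.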
Example PGP verification
Do an example of verifying the signature of
ClamAV (pentest1).