580 likes | 832 Views
Cryptography. Chapter 14. Learning Objectives. Understand the basics of algorithms and how they are used in modern cryptography Identify the differences between asymmetric and symmetric algorithms
E N D
Cryptography Chapter 14
Learning Objectives • Understand the basics of algorithms and how they are used in modern cryptography • Identify the differences between asymmetric and symmetric algorithms • Have a basic understanding of the concepts of cryptography and how they relate to network security continued…
Learning Objectives • Discuss characteristics of PKI certificates and the policies and procedures surrounding them • Understand the implications of key management and a certificate’s lifecycle
Cryptography • Study of complex mathematical formulas and algorithms used for encryption and decryption • Allows users to transmit sensitive information over unsecured networks • Can be either strong or weak
Cryptography Terminology • Plaintext • Data that can be read without any manipulation • Encryption • Method of disguising plaintext to hide its substance • Ciphertext • Plaintext that has been encrypted and is an unreadable series of symbols and numbers
Algorithms • Mathematical functions that work in tandem with a key • Same plaintext data encrypts into different ciphertext with different keys • Security of data relies on: • Strength of the algorithm • Secrecy of the key
Hashing • Method used for verifying data integrity • Uses variable-length input that is converted to a fixed-length output string (hash value)
Symmetric Algorithms • Usually use same key for encryption and decryption • Encryption key can be calculated from decryption key and vice versa • Require sender and receiver to agree on a key before they communicate securely • Security lies with the key • Also called secret key algorithms, single-key algorithms, or one-key algorithms
Categories of Algorithms • Stream algorithms • Operate on the plaintext one bit at a time • Block algorithms • Encrypt and decrypt data in groups of bits, typically 64 bits in size
Asymmetric Algorithms • Use different keys for encryption and decryption • Decryption key cannot be calculated from the encryption key • Anyone can use the key to encrypt data and send it to the host; only the host can decrypt the data • Also known as public key algorithms
Lucifer (1974) Diffie-Hellman (1976) RSA (1977) DES (1977) Triple DES (1998) IDEA (1992) Blowfish (1993) RC5 (1995) Common Encryption Algorithms
Primary Functions of Cryptography • Confidentiality • Authentication • Integrity • Nonrepudiation
Digital Signatures • Based on asymmetric algorithms, allow the recipient to verify whether a public key belongs to its owner
Certificates • Credentials that allow a recipient to verify whether a public key belongs to its owner • Verify senders’ information with identity information that is bound to the public key • Components • Public key • One or more digital signatures • Certificate information (eg, user’s name, ID)
Public Key Infrastructure (PKI) Certificates • Certificate storage facility that provides certification management functionality (eg, ability to issue, revoke, store, retrieve, and trust certificates) • Certification authority (CA) • Primary feature of PKI • Trusted person or group responsible for issuing certificates to authorized users on a system • Creates certificates and digitally signs them using a private key
PKI Policies and Practices • Validity establishes that a public key certificate belongs to its owner • CA issues certificates to users by binding a public key to identification information of the requester • User can manually check certificate’s fingerprint
PKI Revocation • Certificates have a restricted lifetime; a validity period is created for all certificates • Certificate revocation list (CRL) • Communicates which certificates within a PKI have been revoked
Trust Models • Techniques that establish how users validate certificates • Direct trust • Hierarchical trust • Web of trust
Direct Trust Model • User trusts a key because the user knows where it came from
Hierarchical Trust Model • Based on a number of root certificates
Web of Trust • Combines concepts of direct trust and hierarchical trust • Adds the idea that trust is relative to each requester • Central theme: the more information available, the better the decision
Key and Certificate Life Cycle Management • Setup or initialization • Administration of issued keys and certificates • Certificate cancellation and key history
Setup and Initialization • Registration • Key pair generation • Certificate creation • Certificate distribution • Certificate dissemination • Key backup
Registration • User requests certificate from CA • CA verifies identity and credentials of user • Certificate practice statement • Published document that explains CA structure to users • Certificate policy establishes: • Who may serve as CA • What types of certificates may be issued • How they should be issued and managed
Key Pair Generation • Involves creation of one or more key pairs using different algorithms • Dual or multiple keys are often utilized to perform different roles to support distinct services • Key pair can be restricted by policy to certain roles based on usage factors • Multiple key pairs usually require multiple certificates
Certificates • Distinguished name (DN) • Unique identifier that is bound to a certificate by a CA • Uses a sequence of character(s) that is unique to each user • Appropriate certificate policies govern creation and issuance of certificates
Certificate Dissemination Techniques • Securely make certificate information available to requester without too much difficulty • Out-of-band distribution • In-band distribution • Publication • Centralized repositories with controlled access
Key Backup • Addresses lost keys • Helps recover encrypted data • Essential element of business continuity and disaster recovery planning
Key Escrow • Key administration process that utilizes a third party • Initialization phase involves: • Certificate retrieval and validation • Key recovery and key update
Cancellation Procedures • Certificate expiration • Certificate revocation • Key history • Key archive
Certificate Expiration • Occurs when validity period of a certificate expires • Options upon expiration • Certificate renewal • Certificate update
Certificate Revocation • Implies cancellation of a certificate prior to its natural expiration • Revocation delay • Delay associated with the revocation requirement and subsequent notification
Certificate Revocation • How notification is accomplished • Certificate revocation lists (CRLs) • CRL distribution points • Certificate revocation trees (CRTs) • Redirect/Referral CRLs • Notification is unnecessary for: • Short certificate lifetimes • Single-entity approvals
Key History • Deals with secure and reliable storage of expired keys for later retrieval to recover encrypted data • Applies more to encryption keys than signing keys
Key Archive • Service undertaken by a CA or third party to store keys and verification certificates • Meets audit requirements and handles resolution of disputes when used with other services (eg, time stamping and notarization)
Setting up an Enterprise PKI • Extremely complex task with enormous demands on financial, human, hardware, and software resources • Areas to explore • Basic support • Training • Documentation issues
Areas to Explore in Detail When Setting up an Enterprise PKI • Support for standards, protocols, and third-party applications • Issues related to cross-certification, interoperability, and trust models • Multiple key pairs and key pair uses • How to PKI-enable applications and client-side software availability continued…
Areas to Explore in Detail When Setting up an Enterprise PKI • Impact on end user for key backup, key or certificate update, and nonrepudiation services • Performance, scalability, and flexibility issues regarding distribution, retrieval, and revocation systems • Physical access control to facilities
Chapter Summary • Ways that algorithms and certificate mechanisms are used to encrypt data flows • Concepts of cryptography • Key and certificate life cycle management