Please enable JavaScript.
Coggle requires JavaScript to display documents.
Module 17. Public Key Cryptography - Coggle Diagram
Module 17. Public Key Cryptography
Public Key Cryptography with Digital Signatures
Digital Signature Overview
Digital signatures are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.
In other words, the digital signature serves as legal proof that the data exchange did take place
Digital signatures use asymmetric cryptography.
Digital signatures are commonly used in:
Code signing
Digital certificates
There are three Digital Signature Standard (DSS) algorithms that are used for generating and verifying digital signatures:
Digital Signature Algorithm (DSA)
Rivest-Shamir Adelman Algorithm (RSA)
Elliptic Curve Digital Signature Algorithm (ECDSA)
Digital Signatures for Code Signing
Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code.
Digital signatures serve as verification that the code has not been tampered with by threat actors and malicious code has not been inserted into the file by a third party.
igital Signatures for Digital Certificates
A digital certificate is equivalent to an electronic passport. It enables users, hosts, and organizations to securely exchange information over the internet
Digital certificates are similar to physical certificates.
Authorities and the PKI Trust System
Public Key Management
nternet traffic consists of traffic between two parties. When establishing an asymmetric connection between two hosts, the hosts will exchange their public key information.
The Public Key Infrastructure (PKI) consists of specifications, systems, and tools that are used to create, manage, distribute, use, store, and revoke digital certificates.
The Public Key Infrastructure
PKI is needed to support large-scale distribution and identification of public encryption keys. The PKI framework facilitates a highly scalable trust relationship
PKI certificates contain an entity’s or individual’s public key, its purpose, the certificate authority (CA) that validated and issued the certificate, the date range during which the certificate is valid, and the algorithm used to create the signature.
The certificate store resides on a local computer and stores issued certificates and private keys.
The PKI Certificate of Authority (CA) is a trusted third party that issues PKI certificates to entities and individuals after verifying their identity. It signs these certificates using its private key.
The certificate database stores all certificates approved by the CA.
Issues PKI Certificate. Bob initially requests a certificate from the CA. The CA authenticates Bob and stores Bob’s PKI certificate in the certificate database
Exchanges PKI Certificate. Bob communicates with Alice using his PKI certificate.
Verifies PKI Certificate. Alice communicates with the trusted CA using the CA’s public key. The CA refers to the certificate database to validate Bob’s PKI certificate.
The PKI Trust System
PKIs can form different topologies of trust. The simplest is the single-root PKI topology.
Single-Root PKI Topology
Cross-Certified CA
Hierarchical CA
Interoperability of Different PKI Vendors
Interoperability between a PKI and its supporting services, such as Lightweight Directory Access Protocol (LDAP) and X.500 directories, is a concern because many CA vendors have proposed and implemented proprietary solutions instead of waiting for standards to develop.
X.509v3 Applications
SSL - Secure web servers use X.509.v3 for website authentication in the SSL and TLS protocols, while web browsers use X.509v3 to implement HTTPS client certificates. SSL is the most widely used certificate-based authentication.
IPsec - IPsec VPNs use X.509 certificates when RSA-based authentication is used for internet key exchange (IKE).
S/MIME - User mail agents that support mail protection with the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol use X.509 certificates.
EAP-TLS - Cisco switches can use certificates to authenticate end devices that connect to LAN ports using 802.1x between the adjacent devices. The authentication can be proxied to a central ACS via the Extensible Authentication Protocol with TLS (EAP-TLS).
Applications and Impacts of Cryptography
PKI Applications
SSL/TLS certificate-based peer authentication
Secure network traffic using IPsec VPNs
HTTPS Web traffic
Control access to the network using 802.1x authentication
Secure email using the S/MIME protocol
Secure instant messaging
Approve and authorize applications with Code Signing
Protect user data with the Encryption File System (EFS)
Implement two-factor authentication with smart cards
Encrypted Network Transactions
A security analyst must be able to recognize and solve potential problems related to permitting PKI-related solutions on the enterprise network.
Consider how the increase of SSL/TLS traffic poses a major security risk to enterprises because the traffic is encrypted and cannot be intercepted and monitored by normal means
Threat actors can use SSL/TLS to introduce regulatory compliance violations, viruses, malware, data loss, and intrusion attempts in a network.