Module 17: Public Key Cryptography
17.1 Public Key Cryptography with Digital Signatures
17.1.1 Digital Signature Overview
Digital signatures are commonly used in the following two situations:
Code signing - This is used for data integrity and authentication purposes. Code signing is used to verify the integrity of executable files downloaded from a vendor website. It also uses signed digital certificates to authenticate and verify the identity of the site that is the source of the files.
Digital certificates - These are similar to a virtual ID card and are used to authenticate the identity of a system with a vendor website and establish an encrypted connection to exchange confidential data.
17.1.2 Digital Signatures for Code Signing
Digitally signing code provides several assurances about the code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of the act of publishing.
17.1.3 Digital Signatures for Digital Certificates
A digital certificate is equivalent to an electronic passport.
Refer to the figure to see how the digital signature is used.
17.2 Authorities and the PKI Trust System
17.2.1 Public Key Management
The SSL Certificate provider and Certificate Authorities are trusted third parties that provide services similar to governmental licensing bureaus.
17.2.2 The Public Key Infrastructure
The figure shows the main elements of the PKI.
The next figure shows how the elements of the PKI interoperate:
17.2.3 The PKI Authorities System
Any certificates signed by any of the CAs in the list will be seen by the browser as legitimate and will be trusted automatically.
17.2.4 The PKI Trust System
Single-Root PKI Topology
Cross-Certified CA
17.2.5 Interoperability of Different PKI Vendors
X.509v3 Applications
17.2.6 Certificate Enrollment, Authentication, and Revocation
Here are two of the most common methods of revocation:
Certificate Revocation List (CRL) - A list of revoked certificate serial numbers that have been invalidated because they expired. PKI entities regularly poll the CRL repository to receive the current CRL.
Online Certificate Status Protocol (OCSP) - An internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate. Revocation information is immediately pushed to an online database.
17.3 Applications and Impacts of Cryptography
17.3.1 PKI Applications
SSL/TLS certificate-based peer authentication
Secure network traffic using IPsec VPNs
HTTPS Web traffic
Control access to the network using 802.1X authentication
Secure email using the S/MIME protocol
Secure instant messaging
Approve and authorize applications with Code Signing
Protect user data with the Encrypting File System (EFS)
Implement two-factor authentication with smart cards
Securing USB storage devices
17.3.2 Encrypted Network Transactions
Other SSL/TLS-related issues may be associated with validating the certificate of a web server. When this occurs, web browsers will display a security warning. PKI-related issues that are associated with security warnings include:
Validity date range - The X.509v3 certificates specify “not before” and “not after” dates. If the current date is outside the range, the web browser displays a message. Expired certificates may simply be the result of administrator oversight, but they may also reflect more serious conditions.
Signature validation error - If a browser cannot validate the signature on the certificate, there is no assurance that the public key in the certificate is authentic. Signature validation will fail if the root certificate of the CA hierarchy is not available in the browser’s certificate store.
17.3.3 Encryption and Security Monitoring
Network monitoring becomes more challenging when packets are encrypted. Security analysts must be aware of those challenges and address them as well as possible. For instance, when site-to-site VPNs are used, the IPS should be positioned so it can monitor unencrypted traffic.
The increased use of HTTPS in the enterprise network introduces new challenges, however. Because HTTPS carries HTTP traffic with end-to-end encryption (via TLS/SSL), it is not as easy to inspect user traffic.
Security analysts must know how to work around and solve these issues. Here is a list of some of the things that a security analyst could do:
Configure rules to distinguish between SSL and non-SSL traffic, and between HTTPS and non-HTTPS SSL traffic.
Enhance security through server certificate validation using CRLs and OCSP.
Implement antimalware protection and URL filtering of HTTPS content.
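Added example (not part of the original notes): a Python sketch of the certificate checks behind the warnings in 17.3.2 and the CRL-based server certificate validation listed above. The helper names, the sample chain, the trust store and the CRL contents are all constructed for illustration, and the cryptographic signature check is assumed to be done by the TLS library.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data (not from the original page). Certificates use the
# dict layout returned by ssl.SSLSocket.getpeercert().
TRUSTED_ROOTS = {"Example Root CA"}   # hypothetical local certificate store
CRL_SERIALS = {"0A1B2C"}              # hypothetical CRL: revoked serial numbers

def name_of(rdns, field="commonName"):
    """Pull one attribute out of getpeercert()'s nested subject/issuer tuples."""
    return next((v for rdn in rdns for k, v in rdn if k == field), None)

def make_cert(cn, issuer, serial, not_before, not_after):
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer),),),
            "serialNumber": serial, "notBefore": not_before, "notAfter": not_after}

def certificate_warnings(chain, now, trusted_roots=TRUSTED_ROOTS, crl=CRL_SERIALS):
    """Return PKI warnings for a leaf-first chain (metadata checks only)."""
    warnings = []
    for cert in chain:
        cn = name_of(cert["subject"])
        # Validity date range: "not before" / "not after".
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            warnings.append(f"{cn}: not yet valid")
        elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
            warnings.append(f"{cn}: expired")
        # Revocation: is the serial number on the current CRL?
        if cert["serialNumber"].upper() in crl:
            warnings.append(f"{cn}: revoked (serial on CRL)")
    # Each certificate must be issued by the next one in the chain.
    for child, parent in zip(chain, chain[1:]):
        if name_of(child["issuer"]) != name_of(parent["subject"]):
            warnings.append(f"{name_of(child['subject'])}: issuer not in chain")
    # The chain must end at a root that is present in the certificate store.
    root = name_of(chain[-1]["issuer"])
    if root not in trusted_roots:
        warnings.append(f"signature validation error: root '{root}' not in store")
    return warnings

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()
LEAF = make_cert("www.example.test", "Example Issuing CA", "0a1b2c",
                 "Jan  1 00:00:00 2023 GMT", "Jan  1 00:00:00 2024 GMT")
INTERMEDIATE = make_cert("Example Issuing CA", "Example Root CA", "77",
                         "Jan  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2030 GMT")
```

Calling certificate_warnings([LEAF, INTERMEDIATE], NOW) reports the leaf as both expired and revoked; passing an empty trusted_roots set adds the signature validation error for the missing root.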