Information Security Lesson 9 - Keys - Eric Vanderburg

Information Security © 2006 Eric Vanderburg Information Security Chapter 9 Using & Managing Keys

Post on 16-Apr-2017

Information Security

Chapter 9: Using & Managing Keys

Problem with keys alone
• How can we be sure that the public keys we use for communication are really the real public keys?
• Certificates
• Certificates contain keys
• Issued by a trusted entity

PKI (Public Key Infrastructure)
• PKI – A system for managing keys
  – Issues digital certificates to users and computers
  – Allows end users to apply for certificates
  – Integrates into the directory system used by the organization
  – Manages and revokes certificates
• Microsoft max PKI key length: 4096 bits

Certificates
• Have specific uses
• Expire
• Given by a CA
• May require validation before they are issued
• CA (Certification Authority) – creator and distributor of certificates
  – Root
  – Subordinate
• RA (Registration Authority) – a subordinate CA of another company’s CA that issues certs to local users
• CRL (Certificate Revocation List)
• CR (Certificate Repository)

PKCS (Public Key Cryptography Standards)

| PKCS #   | Standard Name                           | Description                                                          |
|----------|-----------------------------------------|----------------------------------------------------------------------|
| PKCS #1  | RSA                                     | Used for RSA digital signatures                                      |
| PKCS #2  | Not used. Part of PKCS #1               | RSA encrypted message digest                                         |
| PKCS #3  | Diffie Hellman key agreement standard   | Key exchanges using Diffie-Hellman                                   |
| PKCS #4  | Not used. Part of PKCS #1               | RSA key syntax                                                       |
| PKCS #5  | Password based encryption standard      | Generates a secret key from a password                               |
| PKCS #6  | Extended cert syntax standard           | Phased out syntax                                                    |
| PKCS #7  | Cryptographic Message Syntax            | Used for encrypting messages using digital signatures and encryption |
| PKCS #8  | Private Key Information syntax standard | How to store keys                                                    |
| PKCS #9  | Attribute types                         | Defines the attribute types used in 6, 7, 8, & 10                    |
| PKCS #10 | Cert request syntax standard            | How to ask for a cert                                                |
| PKCS #11 | Cryptographic token interface standard  | Used for smart cards and other token devices                         |
| PKCS #12 | Personal Information Exchange           | Used for exporting keys                                              |
| PKCS #13 | Elliptic Curve Cryptography standard    | How to encrypt and sign using EC                                     |
| PKCS #14 | PRNG standard                           | How to generate a pseudo random number                               |
| PKCS #15 | Cryptographic token information format  | How to store information on tokens                                   |

X.509 standard
• X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
• Most widely used certificate format for PKI

Trusts
• Direct trust – trust because of a personal relationship. This trust is not verified. (friends sending email)
• Third party trust – 2 people trust each other because they each trust a 3rd party
• Trust model – the type of relationship that exists between entities
  – Web of trust – each user creates their own certificate and shares it with the others – based on direct trust.
  – Single point trust – A CA issues and signs certificates. Based on 3rd party trust.
  – Hierarchical trust – A root CA issues certificates to subordinate CAs that issue certificates to users.

Trusted Certificates
• Can be viewed in Internet Explorer
• CA certificates – issued directly to users
• Server certificates – issued from a web server, FTP server, or mail server.
• Software Publisher certificates – provided by developers to take responsibility and provide credibility for their applications

Policy
• CP (Certificate Policy) – High level statement that defines how the CA and the certificates issued should be used and secured.
• CPS (Certificate Practice Statement) – More detailed document on how certificates are managed, registered for, issued, protected, and revoked.

Certificate Life Cycle
• Creation
  – Request is made
  – User is identified
  – CA fills in appropriate fields on the cert
  – CA signs the cert with its key
  – Certificate is published or sent to an RA
• Revocation
  – Certificate is added to the CRL
  – CRL is signed by the CA
  – CRL is published

Certificate Life Cycle
• Expiration
  – If a certificate is not renewed, it will expire
  – Usually the keys are not regenerated but they can be.
• Suspension
  – A certificate is marked inactive and cannot be used until the suspension is lifted.

Key Management
• Centralized
  – Organization has control over keys, their uses, and their issuance
  – Larger scope of trust
  – More responsibility and effort required
• Decentralized
  – Web of trust model
  – No central CR (Certificate Repository)
  – No control over keys
  – Responsibility is on the users

Private Key Storage
• Stored inside a certificate
• Stored on a token
• Stored on the local machine
• Backed up to file (PKCS #12)

• Destroy expired keys
• Do not make excessive copies of keys
• Make sure keys are encrypted

Key Handling
• Key Escrow – Keys are managed by a third party.
  – Keys are split into two parts and stored elsewhere.
  – Users authenticate and retrieve the key parts and then use it.
  – Keys are vulnerable once retrieved.
• Keys also expire, and can be revoked.
• Key recovery (M of N)
  – Key is split into a number of parts (M) distributed to a number of people (N) that is larger than M. The group must agree to combine their parts to use the key.

Acronyms
• CP, Certificate Policy
• CPS, Certificate Practice Statement
• CR, Certificate Repository
• CRL, Certificate Revocation List
• PKCS, Public Key Cryptography Standards
• PKI, Public Key Infrastructure
• RA, Registration Authority