1.4 Public Key Infrastructure Flashcards

1
Q

Public Key Infrastructure (PKI)

A

Policies, procedures, hardware, software, people
– Digital certificates: create, distribute, manage,
store, revoke
* This is a big, big, endeavor
– Lots of planning
* Also refers to the binding of public keys to
people or devices
– The certificate authority
– It’s all about trust

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Symmetric encryption

A

A single, shared key
– Encrypt with the key
– Decrypt with the same key
– If it gets out, you’ll need another key
* Secret key algorithm
– A shared secret
* Doesn’t scale very well
– Can be challenging to distribute
* Very fast to use
– Less overhead than asymmetric encryption
– Often combined with asymmetric encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Asymmetric encryption

A

Public key cryptography
– Two (or more) mathematically related keys
* Private key
– Keep this private
* Public key
– Anyone can see this key
– Give it away
* The private key is the only key that can decrypt data
encrypted with the public key
– You can’t derive the private key from the public key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

The key pair

A

Asymmetric encryption
– Public Key Cryptography
* Key generation
– Build both the public and private key at the same time
– Lots of randomization
– Large prime numbers
– Lots and lots of math
* Everyone can have the public key
– Only Alice has the private key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Key escrow

A

Someone else holds your decryption keys
– Your private keys are in the hands of a 3rd-party
– This may be within your own organization
* This can be a legitimate business arrangement
– A business might need access to employee information
– Government agencies may need to decrypt
partner data
* Controversial?
– Of course
– But may still be required

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

It’s all about the process

A

Need clear process and procedures
– Keys are incredibly important pieces of information
* You must be able to trust your 3rd-party
– Access to the keys is at the control of the 3rd-party
* Carefully controlled conditions
– Legal proceedings and court orders

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Encrypting stored data

A

Protect data on storage devices
– SSD, hard drive, USB drive, cloud storage, etc.
– This is data at rest
* Full-disk and partition/volume encryption
– BitLocker, FileVault, etc.
* File encryption
– EFS (Encrypting File System), third-party utilities

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Database encryption

A

Protecting stored data
– And the transmission of that data
* Transparent encryption
– Encrypt all database information with a symmetric key
* Record-level encryption
– Encrypt individual columns
– Use separate symmetric keys for each column

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Transport encryption

A

Protect data traversing the network
– You’re probably doing this now
* Encrypting in the application
– Browsers can communicate using HTTPS
* VPN (Virtual Private Network)
– Encrypts all data transmitted over the network,
regardless of the application
– Client-based VPN using SSL/TLS
– Site-to-site VPN using IPsec

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Encryption algorithms

A

There are many, many different ways to encrypt data
– The proper “formula” must be used during
encryption and decryption
* Both sides decide on the algorithm before encrypting the data
– The details are often hidden from the end user
* There are advantages and disadvantages between
algorithms
– Security level, speed, complexity of implementation, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Cryptographic keys

A

There’s very little that isn’t known about the
cryptographic process
– The algorithm is usually a known entity
– The only thing you don’t know is the key
* The key determines the output
– Encrypted data
– Hash value
– Digital signature
* Keep your key private!
– It’s the only thing protecting your data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Key lengths

A

Larger keys tend to be more secure
– Prevent brute-force attacks
– Attackers can try every possible key combination
* Symmetric encryption
– 128-bit or larger symmetric keys are common
– These numbers get larger and larger as time goes on
* Asymmetric encryption
– Complex calculations of prime numbers
– Larger keys than symmetric encryption
– Common to see key lengths of 3,072 bits or larger

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Key stretching

A

A weak key is a weak key
– By itself, it’s not very secure
* Make a weak key stronger by performing multiple
processes
– Hash a password. Hash the hash of the password.
And continue…
– Key stretching, key strengthening
* Brute force attacks would require reversing
each of those hashes
– The attacker has to spend much more time,
even though the key is small

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Key exchange

A

A logistical challenge
– How do you share an encryption key across an insecure
medium without physically transferring the key?
* Out-of-band key exchange
– Don’t send the symmetric key over the ‘net
– Telephone, courier, in-person, etc.
* In-band key exchange
– It’s on the network
– Protect the key with additional encryption
– Use asymmetric encryption to deliver a symmetric key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Real-time encryption/decryption

A

There’s a need for fast security
– Without compromising the security part
* Share a symmetric session key using
asymmetric encryption
– Client encrypts a random (symmetric) key with a
server’s public key
– The server decrypts this shared key and uses it to
encrypt data
– This is the session key
* Implement session keys carefully
– Need to be changed often (ephemeral keys)
– Need to be unpredictable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Symmetric key from asymmetric keys

A

Use public and private key cryptography to
create a symmetric key
– Math is powerful

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Trusted Platform Module (TPM)

A

A specification for cryptographic functions
– Cryptography hardware on a device
* Cryptographic processor
– Random number generator, key generators
* Persistent memory
– Unique keys burned in during manufacturing
* Versatile memory
– Storage keys, hardware configuration information
– Securely store BitLocker keys
* Password protected
– No dictionary attacks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Hardware Security Module (HSM)

A

Used in large environments
– Clusters, redundant power
– Securely store thousands of cryptographic keys
* High-end cryptographic hardware
– Plug-in card or separate hardware device
* Key backup
– Secure storage in hardware
* Cryptographic accelerators
– Offload that CPU overhead from other devices

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Key management system

A

Services are everywhere
– On-premises, cloud-based
– Many different keys for many different services
* Manage all keys from a centralized manager
– Often provided as third-party software
– Separate the encryption keys from the data
* All key management from one console
– Create keys for a specific service or cloud provider
(SSL/TLS, SSH, etc.)
– Associate keys with specific users
– Rotate keys on regular intervals
– Log key use and important events

20
Q

Keeping data private

A

Our data is located in many different places
– Mobile phones, cloud, laptops, etc.
– The most private data is often physically closest to us
* Attackers are always finding new techniques
– It’s a race to stay one step ahead
* Our data is changing constantly
– How do we keep this data protected?

21
Q

Secure enclave

A

A protected area for our secrets
– Often implemented as a hardware processor
– Isolated from the main processor
– Many different technologies and names
* Provides extensive security features
– Has its own boot ROM
– Monitors the system boot process
– True random number generator
– Real-time memory encryption
– Root cryptographic keys
– Performs AES encryption in hardware
– And more…

22
Q

Obfuscation

A

The process of making something unclear
– It’s now much more difficult to understand
* But it’s not impossible to understand
– If you know how to read it
* Hide information in plain sight
– Store payment information without storing a
credit card number
* Hide information inside of an image
– Steganography

23
Q

Steganography

A

Greek for “concealed writing”
– Security through obscurity
* Message is invisible - But it’s really there
* The covertext - The container document or file

24
Q

Common steganography techniques

A

Network based - Embed messages in TCP packets
* Use an image - Embed the message in the image itself
* Invisible watermarks - Yellow dots on printers

25
Other steganography types
Audio steganography – Modify the digital audio file – Interlace a secret message within the audio – Similar technique to image steganography * Video steganography – A sequence of images – Use image steganography on a larger scale – Manage the signal to noise ratio – Potentially transfer much more information
26
Tokenization
Replace sensitive data with a non-sensitive placeholder – SSN 266-12-1112 is now 691-61-8539 * Common with credit card processing – Use a temporary token during payment – An attacker capturing the card numbers can’t use them later * This isn’t encryption or hashing – The original data and token aren’t mathematically related – No encryption overhead
27
Data masking
Data obfuscation – Hide some of the original data * Protects PII – And other sensitive data * May only be hidden from view – The data may still be intact in storage – Control the view based on permissions * Many different techniques – Substituting, shuffling, encrypting, masking out, etc.
28
Hashes
Represent data as a short string of text – A message digest, a fingerprint * One-way trip – Impossible to recover the original message from the digest – Used to store passwords / confidentiality * Verify a downloaded document is the same as the original – Integrity * Can be a digital signature – Authentication, non-repudiation, and integrity
29
Collision
Hash functions – Take an input of any size – Create a fixed size string – Message digest, checksum * The hash should be unique – Different inputs should never create the same hash – If they do, it’s a collision * MD5 has a collision problem – Found in 1996 - Don’t use MD5 for anything important
30
Practical hashing
Verify a downloaded file – Hashes may be provided on the download site – Compare the downloaded file hash with the posted hash value * Password storage – Instead of storing the password, store a salted hash – Compare hashes during the authentication process – Nobody ever knows your actual password
31
Adding some salt
Salt – Random data added to a password when hashing * Every user gets their own random salt – The salt is commonly stored with the password * Rainbow tables won’t work with salted hashes – Additional random value added to the original password * This slows things down the brute force process – It doesn’t completely stop the reverse engineering
32
Salting the hash
Each user gets a different random hash – The same password creates a different hash
33
Digital signatures
Prove the message was not changed – Integrity * Prove the source of the message – Authentication * Make sure the signature isn’t fake – Non-repudiation * Sign with the private key – The message doesn’t need to be encrypted – Nobody else can sign this (obviously) * Verify with the public key – Any change in the message will invalidate the signature
34
Blockchain
distributed ledger – Keep track of transactions * Everyone on the blockchain network maintains the ledger – Records and replicates to anyone and everyone * Many practical applications – Payment processing – Digital identification – Supply chain monitoring – Digital voting
35
Digital certificates
A public key certificate – Binds a public key with a digital signature – And other details about the key holder * A digital signature adds trust – PKI uses Certificate Authorities for additional trust – Web of Trust adds other users for additional trust * Certificate creation can be built into the OS – Part of Windows Domain services – Many 3rd-party options
36
What’s in a digital certificate?
X.509 – Standard format * Certificate details – Serial number – Version – Signature Algorithm – Issuer – Name of the cert holder – Public key – Extensions – And more…
37
Root of trust
Everything associated with IT security requires trust – A foundational characteristic * How to build trust from something unknown? – Someone/something trustworthy provides their approval * Refer to the root of trust – An inherently trusted component – Hardware, software, firmware, or other component – Hardware security module (HSM), Secure Enclave, Certificate Authority, etc.
38
Certificate Authorities
You connect to a random website – Do you trust it? * Need a good way to trust an unknown entity – Use a trusted third-party – An authority * Certificate Authority (CA) has digitally signed the website certificate – You trust the CA, therefore you trust the website – Real-time verification
39
Third-party certificate authorities
Built-in to your browser – Any browser * Purchase your web site certificate – It will be trusted by everyone’s browser * CA is responsible for vetting the request – They will confirm the certificate owner – Additional verification information may be required by the CA
40
Certificate signing requests
Create a key pair, then send the public key to the CA to be signed – A certificate signing request (CSR) * The CA validates the request – Confirms DNS emails and website ownership * CA digitally signs the cert – Returns to the applicant
41
Private certificate authorities
You are your own CA – Build it in-house – Your devices must trust the internal CA * Needed for medium-to-large organizations – Many web servers and privacy requirements * Implement as part of your overall computing strategy – Windows Certificate Services, OpenCA
42
Self-signed certificates
Internal certificates don’t need to be signed by a public CA – Your company is the only one going to use it – No need to purchase trust for devices that already trust you * Build your own CA – Issue your own certificates signed by your own CA * Install the CA certificate/trusted chain on all devices – They’ll now trust any certificates signed by your internal CA – Works exactly like a certificate you purchased
43
Wildcard certificates
Subject Alternative Name (SAN) – Extension to an X.509 certificate – Lists additional identification information – Allows a certificate to support many different domains * Wildcard domain – Certificates are based on the name of the server – A wildcard domain will apply to all server names in a domain – *.professormesser.com
44
Key revocation
Certificate Revocation List (CRL) – Maintained by the Certificate Authority (CA) – Can contain many revocations in a large file * Many different reasons – Changes all the time * April 2014 - CVE-2014-0160 – Heartbleed – OpenSSL flaw put the private key of affected web servers at risk – OpenSSL was patched, every web server certificate was replaced – Older certificates were moved to the CRL
45
OCSP stapling
Online Certificate Status Protocol – Provides scalability for OCSP checks * The CA is responsible for responding to all client OCSP requests – This may not scale well * Instead, have the certificate holder verify their own status – Status information is stored on the certificate holder’s server * OCSP status is “stapled” into the SSL/TLS handshake – Digitally signed by the CA
46
Getting revocation details to the browser
OCSP (Online Certificate Status Protocol) – The browser can check certificate revocation * Messages usually sent to an OCSP responder via HTTP – Easy to support over Internet links – More efficient than downloading a CRL * Not all browsers/apps support OCSP – Early Internet Explorer versions did not support OCSP – Some support OCSP, but don’t bother checking