3 - 5: Public Key Infrastructure Flashcards
Web of Trust
Based on not knowing everyone you might exchange keys with; participants sign for the people they trust forming indirect trust relationships
Problems with Web of Trust
Decentralized; high barrier of entry for new users; somewhat technical
Public Key Infrastructure
Introduces certificate authorities to build on trust relationships
Certificate Authorities
Third-party authorities who verify the identity of individuals or organizations and issue certs with both identity information and a copy of their public key.
Digital certificates
The certificate itself does not contain sensitive data, just a public key that can be checked against the CA itself. Only you have the private key to decrypt public-key encrypted data
Hash Function
A one-way function that transforms a variable length input into a unique, fixed-length output; cannot be reversed; outputs are always the same length; no two inputs should produce the same output
Hash Function fails
If: they are not reversible, not collision resistant (unique output)
Message Digest 5
Created in 1991, produces a 128-bit hash, considered insecure
Secure Hash Algorithm - 1
Produces a 160-bit hash value, considered insecure
Secure Hash Algorithm - 2
A family of six hash functions, outputs of 224, 256, 384, 512 bits; mathematically similar to SHA-1 and MD5
Secure Hash Algorithm - 3
Anticipating risks to SHA-2, NIST adopted SHA-3 using the Keccak algorithm to produce hashes of any length
RIPEMD
Created as an alternative to government hash functions, available as 128, 160, 256, and 320-bit hashes. The 128 bit is considered insecure.
Hash-based Message Authentication Code
Combines symmetric cryptography and hashing to provide authentication and integrity for messages. A message sender provides a secret key used with the hash function to create a message authentication code. The recipient uses that key to verify the message.
Digital signatures
Use asymmetric cryptography to verify a message: 1) owner of public key is the one who signed it; 2) the message was not altered after it was signed; 3) recipient can prove this to a third party. Use depends on collision-resistant has functions and asymmetric cryptography (1 to 1 public/private key pair). Encrypted by a private key to indicate a specific person created the message, unlike regular asymmetric crypto. Digital signing does not provide confidentiality
Digital Signature Standard
Supports 3 DS algorithms: 1) DSA, 2) RSA, 3) Elliptic Curve Digital Signature Algorithm
Older way of revoking certificate
The CA maintains a list with serial numbers of certificates it has revoked, and requires users to download the list
Online certificate status protocol
Users send a request to the CA to verify the certificate is still active, CA checks the serial number, then sends back a yes or no
Certificate stapling
Typically, OCSP consists of web browser submits an OCSP request, then sends results to the certificate authority. Certificate Stapling cuts a step out and requests a cert from the CA itself, who provides a timestamped and signed status to the OCSP, then returning it to the browser
Certificate Authorities
Trusted organizations who issue digital certificates
Self-signed certificates
An organization sets up its own certificate authority for internal use only
Certificate chaining
Having a self-signed certificate authority be trusted by an outside/commercial CA, making it an intermediary CA. Chaining also allows for offline certificate use as the private key is kept in an unconnected network
Certificate subject
Owner of the certificate’s public key
Object Identifier (OID)
A unique number sequence to identify elements in a digital certificate
Certificate Pinning
Tells certificate users to not expect a certificate to change, and that they should remember it for a long period of time. An unexpected certificate change may be an attack attempt
