Applications of Cryptography Flashcards
FIPS Standards
FIPS 140: Cryptographic Modules
FIPS 186: Digital Signatures
FIPS 197: AES
FIPS 201: Identity Verification
Digital Signatures
Encryption of a message digest with the sender’s private key. Provides:
- Authentication
- Integrity
- Non-repudiation
Digital Certificate
A digital document that contains a public key and some information to allow your system to verify where that key came from.
Used for web servers, Cisco Secure phones, E-Commerce.
PKI (Public Key Infrastructure)
Uses asymmetric key pairs and combines software, encryption and services to provide a means of protecting the security of business communication and transactions.
PKCS (Public Key Cryptography Standards)
Put in place by RSA to ensure uniform certificate management throughout the internet.
Trusted Third Party (TTP)
Certificate, a digital representation of the information that identifies you as a relevant entity.
CA (Certification Authority)
An entity trusted by one or more users to manage certificates.
RA (Registration Authority)
Used to take the burden off of a CA by handling verification prior to certificates being issued. Acts as a proxy between user and CA. Receives request, authenticates it and forwards it to the CA.
CP (Certificate Policy)
A set of rules that defines how a certificate may be used.
X.509
The most widely used digital certificate standard. First issued July 3, 1988. It is a digital document that contains a public key signed by the trusted third party, which is known as a Certificate Authority, or CA. Relied on by S/MIME. Contains your name, info about you, and a signature of a person who issued the certificate.
X.509 Certificate Content
- Version
- Certificate holder's public key
- Serial number
- Certificate's validity period
- Unique name of certificate issuer
- Digital signature of issuer
- Signature algorithm identifier
X.509 Certificate File Extensions
- .pem
- .cer, .crt, .der
- .p7b, .p7c
- .p12
- .pfx
.pem
Privacy Enhanced Mail, a Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der
Usually in binary DER form, but Base64-encoded certificates are common also (see .pem).
.p7b, .p7c
PKCS#7 SignedData structure without data, just certificate(s) or CRL(s).
.p12
PKCS#12, may contain certificate(s) (public) and private keys (password protected).
.pfx
Predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., w/ PFX files generated in IIS).
Certificate Authority (CA)
The primary role of this is to digitally sign and publish the public key bound to a given user. It is an entity trusted by one or more users to manage certificates. Verisign is an example.
Certificate Authority - Verisign - Class 1
For individuals, intended for email
Certificate Authority - Verisign - Class 2
For organizations for which proof of identity is required
Certificate Authority - Verisign - Class 3
For servers and software signing, for which independent verification and checking of identity and authority is done by the issuing CA
Certificate Authority - Verisign - Class 4
For online business transactions between companies
Certificate Authority - Verisign - Class 5
For private organizations or governmental security
Registration Authority (RA)
Used to take the burden off of a CA by handling verification prior to certificates being issued. Acts as a proxy between the user and the CA. Receives request, authenticates it, and forwards it to the CA.
Public Key Infrastructure (PKI)
Distributes digital certificates that contain public keys. A network of trusted certificate authority servers. An arrangement that binds public keys with user identities by means of a CA.
Certificate Revocation List (CRL)
A list of certificates that have been revoked.
Online Certificate Status Protocol (OCSP)
A real-time protocol for verifying certificates (and a newer method than CRL).
Server-based Certificate Validation Protocol (SCVP)
An Internet protocol for determining the path between an X.509 digital certificate and a trusted root (Delegated Path Discovery) and the validation of that path (Delegated Path Validation) according to a particular validation policy.
Digital Certificate Management
Two types of systems:
Centralized key-management systems
Decentralized key-management systems
Three phases of key life cycle (Digital Certificate Management)
Setup and initialization
Administration
Cancellation
Setup and Initialization Phase (Digital Certificate Management, 3 phases)
Process components:
Registration
Key pair generation
Certificate generation
Certificate dissemination
Cancellation and History Phase (Digital Certificate Management, 3 phases)
Expiration
Renewal
Revocation
Suspension
Destruction
Administration Phase (Digital Certificate Management, 3 phases)
Key Storage
Certificate retrieval and validation
Backup or escrow
Recovery
Update and Patch Vulnerabilities (Digital Certificate Management)
- Person who can recover keys from the keystore on behalf of a user
- Highly trusted person
- Issue recovery agent
  - EFS recovery agent certificate
  - Key recovery agent cert
Hierarchical Trust Model
Certificate Authority is at the top
Intermediate CAs are the next level
Users are the bottom level
Single Authority Trust Model
Certificate Authority is at the top
Users are directly below the CA
Web of Trust - Trust Model
Users all trust each other
Password Authentication Protocol (PAP)
One of the most basic authentication protocols. Passwords are sent over the network in clear text. The basic authentication feature built into HTTP uses this.