Lesson 6 Public and Private Keys, CAs Flashcards
CA
Certification Authority
Stores public keys for users, ensuring valid keys are available for users
If CA fails then PKI falls apart
Certification from CA
A cert is your public key signed by the CA
PKI
Public Key Infrastructure
Relies on Cert Authorities to manage public keys
RA
Registration Authority
CSR
Certificate Signing Request
Registration Authorities and CSRs
A process of identification and authentication for end users to create an account with the CA
When a user wants to get a cert, it completes a certificate signing request (CSR) and submits it to the CA
Registration can be delegated by the CA to a registration authority (RA), which performs the identity checking
Once the identity checks pass, the CA issues the certificate
Digital certificate
Issued by the CA and is a wrapper for the subject's public key
The CA digitally signs the certificate with its own private key
X.509 standard
Standard used to create digital certificates
PKCS (Public Key Cryptography Standards)
Public Key Cryptography Standards (PKCS)
Promote the use of public key infrastructure
DV (Domain Validation)
Domain Validation (DV) is a web server cert type proving ownership of a particular domain
Highly vulnerable to compromise
The validation process is to respond to an email sent to the authorized domain contact, or to publish a text record for the domain
EV (Extended Validation)
Extended Validation (EV), a web server cert with even more rigorous identity checks than DV
This standard is maintained by the CA/Browser forum
An EV cannot be issued for a wildcard domain
Other Cert Type Uses
Certificate to identify:
Machine/computer - used to authenticate machines and keep unauthorized ones off of networks
Email/User - used to secure emails
Code signing - identifies the software publisher and attests to the validity of the application
Root - identifies the Root CA itself, and is self-signed
Self-signed cert - used for one device only
Key life cycle
- Key generation
- Certificate generation
- Storage
- Revocation
- Expiration and renewal
Cert management vulnerabilities
A private key compromise puts the confidentiality and identification/authorization at risk
If an attacker can perform the CA functions, they can create nodes that the network trusts and use those trusted nodes in other attacks
Destruction of the key used for encryption will cause encrypted data to be inaccessible
M-of-N
M-of-N is a process for maintaining the CA root private key, due to its importance
M-of-N keeps people honest by requiring M of the N admins authorized to access the key to take part before the key can be used
M must be less than N and N must be more than 2