330 likes | 515 Views
Chapter 5. USING A PUBLIC KEY INFRASTRUCTURE. CHAPTER OBJECTIVES. Explain what certificates are and how they are used. Describe how a public key infrastructure (PKI) distributes cryptographic keys. Describe the certificate life cycle. Explain how trust models allow a PKI to function.
E N D
Chapter 5 USING A PUBLIC KEY INFRASTRUCTURE
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CHAPTER OBJECTIVES • Explain what certificates are and how they are used. • Describe how a public key infrastructure (PKI) distributes cryptographic keys. • Describe the certificate life cycle. • Explain how trust models allow a PKI to function. • Describe practical applications of a PKI.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE PKI BASICS • Based on public key cryptography (asymmetric) • Employs trusts: trusted third party • Uses certificates and certificate authorities (CAs) • Is an infrastructure or framework, not a product
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE UNDERSTANDING CERTIFICATE BASICS • A certificate • Is a digital document • Is used for authentication and secure information exchange • Must comply with the X.509 v.3 certificate standard
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE TRUSTS • PKI depends on a trust model. • PKI is a trusted third-party system. • Certificates are issued by a CA.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CERTIFICATE COMPONENTS • Subject of the certificate • The subject’s public key • Valid lifetime dates • Subject identification and location details
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CERTIFICATE COMPONENTS (CONT.) • The subject’s distinguished name • The subject’s e-mail address • The identification of the issuing CA • The signed hash from the issuing CA
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE OBTAINING A CERTIFICATE • Enrollment is the process of requesting and receiving a certificate. • The identity of the user or computer is physically proven. • A unique certificate is built. • A new certificate is signed using the CA’s private digital certificate.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE OBTAINING A CERTIFICATE (CONT.)
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE USES OF CERTIFICATES • Secure e-mail • Secure Web communications • Secure Web sites • Custom security solutions • Smart card logons
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE USES OF CERTIFICATES (CONT.) • Internet Protocol Security (IPSec) • 802.1x wireless • Encrypting File System (EFS) • Software code signing
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE USES OF CERTIFICATES (CONT.)
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE WHAT IS A PKI?
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE ELEMENTS OF A PKI • Digital certificates • CA • Certificate revocation list (CRL) • CA policies
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE ELEMENTS OF A PKI (CONT.) • Certificate and CRL distribution points • Management tools • Secured applications and services
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CERTIFICATION AUTHORITIES (CAs) • Commercial CA • Private CA
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CA POLICIES • Determine the level of trust • Define the CA’s best practices • Define the certificate’s acceptable use policies
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CRL PUBLICATION POINTS • A CRL publication point is a list of revoked certificates. • The CRL must be accessible to all certificate users. • CAs manage and distribute their own CRLs. • Certificates typically include the location of the CA’s CRL.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CRL DISTRIBUTION
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE ASPECTS OF THE CERTIFICATE LIFECYCLE • Validity period of a certificate • Renewal • Revocation before expiration • Reasons for revocations
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE PHASES OF THE CERTIFICATE LIFECYCLE
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CERTIFICATE ISSUANCE • CAs require details about the subject to issue certificates. • Subjects request certificates using Web interfaces or a certificate request file.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE HOW TO REQUEST CERTIFICATES
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CERTIFICATE RENEWAL • Subjects might need to use certificates even after they expire. • Renewed certificates don’t require a new request and identity proofing.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE CERTIFICATE REVOCATION • Revocation can occur • Before a certificate expires • Due to a change in subject identity • Due to misuse of certificates • Revoked certificates are made known through the CRL. • CAs publish CRLs for easy access by users.
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE KEY MANAGEMENT • Keeping keys private • Archival or escrow • Key recovery • Key recovery agents (KRAs) • M of N control
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE TRUST MODELS • Root CAs • Trust path • Subordinate CA • Hierarchical CA architecture • Mesh CA architecture • Bridge CA architecture
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE HIERARCHICAL CA ARCHITECTURE
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE MESH CA ARCHITECTURE
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE BRIDGE CA ARCHITECTURE
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE APPLYING PKI • Secure Sockets Layer (SSL) • Secure e-mail
Chapter 5: USING A PUBLIC KEY INFRASTRUCTURE SUMMARY • Certificates bind an identity to a public key and allow public keys to be delivered to users and applications. Certificates can verify the identity of a user or computer. • A PKI consists of all the components that enable the creation, distribution, and revocation of certificates, as well as any applications that use certificates for authentication and to encrypt data. • A certificate has a lifecycle that begins when the certificate is created. At the end of its lifecycle it can expire or be renewed. A CA can revoke a certificate at any point in its lifecycle. • Certificate trust models allow users and computers to trust certificates that are issued by multiple CAs without having to trust every CA. Common CA trust models are hierarchical, mesh, and bridge architectures. • Certificates are commonly used for authentication and to ensure confidentiality in communications; for example, by Web clients, servers, and in secure e-mail.