#CompTIA Security+ 501 exam Chapter09 Implementing Public Key Infrastructure Part 1
Posted by Superadmin on November 16 2018 16:10:04

Implementing Public Key Infrastructure

 

Certificates are used for both encryption and authentication, and in this chapter we look at the different encryption types and at how certificates are issued and used. This is the module students find hardest, so we have focused on making the most difficult aspects seem easy. If you are going to be successful in the Security+ exam, you must know this module thoroughly. We start with the Public Key Infrastructure (PKI) and its two keys, the public key and the private key; PKI is built on asymmetric encryption.

We will cover the following exam objectives in this chapter:

 

Public key infrastructure concepts

 

The public key infrastructure uses asymmetric techniques built on two keys: a public key and a private key. Certificates are managed, signed, issued, validated and revoked by Certificate Authorities (CAs), which are arranged in a certificate hierarchy. Let's first look at the components of that hierarchy. A certificate follows the X.509 standard and is usually just called an X.509 certificate.

 

 

Certificate hierarchy

 

The root Certificate Authority (CA) is the ultimate authority: it holds the master key, also known as the root key, which it uses to sign the certificates of the intermediate CAs, and the intermediate CA in turn signs the certificates it issues to requesters. Because everything below it depends on the root key staying secret, the root is normally kept offline and day-to-day issuance is delegated to the intermediates:

Figure 1: Certificate hierarchy

Exam tip:
For Business-to-Business (B2B) transactions and working with other commercial companies, your X.509 certificates need to come from a public CA that the other party already trusts.

There are different types of CA:

If you wish to trade and exchange certificates with other businesses, you need to get your certificate from a public CA. The certificate that follows was issued to the Bank of Scotland by a public CA called DigiCert Global CA; on the front of the certificate you can see the purposes it can be used for and the dates between which it is valid. Every X.509 certificate also carries a serial number, assigned by the issuing CA and unique among that CA's certificates, in the same way that paper money carries serial numbers. (Object Identifiers, OIDs, are something different: they are the dotted numbers used inside the certificate to name the signature algorithm, the extensions and the certificate policies.)

Figure 2: Public CA issued certificate

Exam tip:
Certificate pinning does not prevent a CA from being compromised; it limits the damage. A client that pins the expected certificate or public key for a site will reject a certificate for that site issued by any other CA, so a fraudulent certificate obtained from a compromised CA is not accepted.

 

 

Certificate trust

 

Certificates have some form of trust so that a relying party can check whether a certificate is valid. We are going to look at different trust models; you need to ensure that you know when each is used:

Exam tip:
When two separate CA hierarchies need to work with each other, they use the bridge trust model: a bridge CA cross-certifies with the root of each hierarchy, so certificates issued in one hierarchy can be validated by relying parties in the other.

 

 

Certificate validity

 

Each time a certificate is used, the first thing that must happen is a validity check; there are three separate processes that you must know thoroughly, and these are as follows:

Figure 3: Certificate validity

Revocation status is checked either against the CA's Certificate Revocation List (CRL), a CA-signed list of revoked serial numbers that the client downloads and searches, or with the Online Certificate Status Protocol (OCSP), where the client asks the CA's responder about one serial number and receives a signed good, revoked or unknown answer. OCSP is the faster of the two because the client does not have to fetch and parse the whole list, and a CRL also goes stale between its publication intervals. Both checks depend on verifying the CA's signature on the answer first; an unsigned list or response proves nothing.
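The hierarchy from Figure 1 and the CRL check described above, as an added example in Go (this is not code from the chapter; it uses only the standard library, needs Go 1.19 or later for x509.ParseRevocationList, and the CA names, serial numbers and validity dates are constructed for the example). A root CA signs an intermediate, the intermediate issues a server certificate, a relying party builds the chain back to the trusted root, and the intermediate publishes a CRL that the relying party verifies and searches:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hierarchy mirrors Figure 1: root CA -> intermediate CA -> issued (leaf) certificate.
// Names, serial numbers and validity dates are constructed for this example.
type hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
	RootKey, IntKey          *ecdsa.PrivateKey
}

// makeCert creates a key pair for tmpl and has parent sign it; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // the root signs itself with the root key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a CA certificate; CRLSign lets that CA publish revocation lists.
func caTemplate(serial int64, cn string, now time.Time, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildHierarchy issues the three certificates; the leaf is valid for 90 days from now.
func buildHierarchy(now time.Time) (*hierarchy, error) {
	h := &hierarchy{}
	var err error
	if h.Root, h.RootKey, err = makeCert(caTemplate(1, "Example Root CA", now, 1), nil, nil); err != nil {
		return nil, err
	}
	if h.Intermediate, h.IntKey, err = makeCert(caTemplate(2, "Example Intermediate CA", now, 0), h.Root, h.RootKey); err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames:  []string{"www.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	h.Leaf, _, err = makeCert(leaf, h.Intermediate, h.IntKey)
	return h, err
}

// verifyLeaf does what a browser does: build a path from the leaf through the intermediate to a
// trusted root and check the host name and the validity dates. withIntermediate=false simulates
// a server that did not send its intermediate certificate.
func verifyLeaf(h *hierarchy, host string, at time.Time, withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(h.Root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(h.Intermediate)
	}
	_, err := h.Leaf.Verify(opts)
	return err
}

// issueCRL has the intermediate CA publish a signed CRL listing the given serial numbers.
func issueCRL(h *hierarchy, now time.Time, revoked ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, h.Intermediate, h.IntKey)
}

// isRevoked verifies the CRL's signature against the issuing CA (an unsigned list proves nothing)
// and then looks for the leaf's serial number in it.
func isRevoked(h *hierarchy, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(h.Intermediate); err != nil {
		return false, fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(h.Leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Three failures worth trying: omit the intermediate and the chain cannot reach the root, check a different host name, or move the clock past the 90-day expiry. A CRL signed by a different CA's key is also rejected before its contents are even looked at, which is the point of checking the signature first.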

 

 

Certificate management concepts

 

We are now going to look at the different ways certificates are managed in a PKI environment, starting with the request for a new certificate and ending with different certificate formats. You must learn all of this information thoroughly as these aspects are heavily tested:

Figure 4: Key escrow

Key escrow is where a trusted third party holds a copy of a user's private key so that it can be recovered, for example if the original is lost or the user leaves the organisation. Escrowed keys need the same protection as the originals: anyone who can read them can decrypt everything those keys protect.

A web server can use certificate stapling, better known as OCSP stapling: the server periodically fetches the time-stamped, CA-signed OCSP response for its own certificate and sends ("staples") it to the client during the TLS handshake. The client gets OCSP-speed validation without downloading a CRL or contacting the CA's responder itself, which is faster and also keeps the client's browsing from being visible to the responder.

Certificate type   Format                                             File extension
Private            P12 (PKCS #12): certificate plus private key,      .pfx (also .p12)
                   password-protected
Public             P7B (PKCS #7): certificate and its chain, no       .cer (also .p7b)
                   private key
PEM                Base64 text between -----BEGIN and -----END        .pem
                   lines
DER                Binary encoding (ASN.1 DER); a PEM file is the     .der
                   Base64 of the DER bytes

The serial number on the X.509 certificate, assigned by the issuing CA, is what a CRL entry or an OCSP query refers to when identifying a revoked certificate.
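The relationship between the DER and PEM rows of the table, as an added Go example that is not part of the chapter. It uses a freshly generated Ed25519 public key rather than a full certificate so that it stays short; the same pem package calls apply to a certificate with the block type "CERTIFICATE". It encodes the key as DER, wraps that in PEM, parses it back, and checks by hand that the PEM body is nothing more than the Base64 of the DER bytes:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// derToPEM wraps binary DER in the Base64 text container the table calls PEM.
// blockType is the label on the BEGIN/END lines ("CERTIFICATE", "PUBLIC KEY", ...).
func derToPEM(blockType string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der})
}

// pemToDER reverses it, refusing a block of the wrong type and any trailing junk.
func pemToDER(blockType string, pemBytes []byte) ([]byte, error) {
	block, rest := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != blockType {
		return nil, errors.New("unexpected PEM block type " + block.Type)
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("trailing data after PEM block")
	}
	return block.Bytes, nil
}

// isBase64OfDER checks the relationship without the pem package: drop the armour lines,
// join the rest, Base64-decode it and compare with the DER bytes.
func isBase64OfDER(pemBytes, der []byte) bool {
	var body []byte
	for _, line := range bytes.Split(pemBytes, []byte("\n")) {
		line = bytes.TrimSpace(line)
		if len(line) == 0 || bytes.HasPrefix(line, []byte("-----")) {
			continue
		}
		body = append(body, line...)
	}
	decoded, err := base64.StdEncoding.DecodeString(string(body))
	return err == nil && bytes.Equal(decoded, der)
}

// roundTrip generates an Ed25519 key, encodes its public half as DER (SubjectPublicKeyInfo)
// and as PEM, parses the PEM back, and checks that the key survived intact.
func roundTrip() (der, pemBytes []byte, err error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err = x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, nil, err
	}
	pemBytes = derToPEM("PUBLIC KEY", der)
	back, err := pemToDER("PUBLIC KEY", pemBytes)
	if err != nil {
		return nil, nil, err
	}
	parsed, err := x509.ParsePKIXPublicKey(back)
	if err != nil {
		return nil, nil, err
	}
	if p, ok := parsed.(ed25519.PublicKey); !ok || !p.Equal(pub) {
		return nil, nil, errors.New("public key changed in round trip")
	}
	return der, pemBytes, nil
}
```

A practical consequence: a tool that expects PEM will choke on a .der file (pem.Decode finds no BEGIN line), and one that expects DER will see the ASCII dashes instead of the 0x30 SEQUENCE tag that every DER certificate and key starts with.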

 

 

Certificate types

 

As a security professional, you will be responsible for purchasing new certificates, and therefore you must learn the certificate types thoroughly to ensure that you make the correct purchase. We will start with the self-signed certificate, which products such as Exchange Server or Skype for Business Server can create for themselves during installation, and finish with extended validation, where the certificate carries a higher level of trust:

A PEM file holds the certificate as Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

A wildcard certificate (for example *.example.com) can be used on several servers under the same domain, one label deep. A Subject Alternative Name (SAN) certificate lists every name it covers explicitly, so it can be used on servers in different domains.

Figure 5: Extended validation

 

 

Asymmetric and symmetric encryption

 

There are two main types of encryption used alongside certificates, asymmetric and symmetric, and we need to learn about each thoroughly. Let us start by explaining what encryption is: you take plaintext and change it into ciphertext.

 

 

Encryption explained

 

Encryption is where we take plaintext that can be easily read and convert it into ciphertext that cannot be read without the key. For example, if we take the word pass in plaintext and shift every letter three places along the alphabet, it becomes SDVV, which cannot be understood at a glance. ROT 13 does the same thing with a shift of 13, so each letter maps to the one 13 places further on:

Letter   A  B  C  D  E  F  G  H  I  J  K  L  M
ROT 13   N  O  P  Q  R  S  T  U  V  W  X  Y  Z

Letter   N  O  P  Q  R  S  T  U  V  W  X  Y  Z
ROT 13   A  B  C  D  E  F  G  H  I  J  K  L  M

On receiving the message GVZR SBE GRN, we apply ROT 13 again to decipher it. Because 13 is exactly half the alphabet, going forward 13 places and going back 13 places give the same result, so the same table decodes the message, which reads TIME FOR TEA. This also shows why such a cipher is not real encryption: there is no secret key, only a fixed rule, and anyone who knows the rule can read the message.

Exam tip:
Encryption is taking plaintext and changing it into ciphertext so that it cannot be read.
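The shift cipher from the table above, as an added Go example that is not part of the chapter. It implements the general Caesar shift of which ROT 13 is the special case, shows that applying ROT 13 twice returns the original, and brute-forces every possible shift to make the point that a 25-key cipher is obscurity, not encryption. All inputs are constructed for the example:

```go
package main

import "strings"

// caesar shifts every letter by shift positions, wrapping around within the alphabet.
// Negative shifts move backwards; anything that is not a letter passes through unchanged.
func caesar(text string, shift int) string {
	shift = ((shift % 26) + 26) % 26 // normalise to 0..25 so -3 and 23 behave the same
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(shift))%26)
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(shift))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// rot13 is the chapter's table: a shift of 13. Because 13 is half the alphabet, rot13 is its
// own inverse, so the same function both enciphers and deciphers.
func rot13(text string) string { return caesar(text, 13) }

// bruteForce undoes every possible shift. A reader only has to scan 25 candidates for the one
// that reads as English, which is why the Caesar cipher offers no real secrecy.
func bruteForce(ciphertext string) map[int]string {
	candidates := make(map[int]string, 25)
	for k := 1; k < 26; k++ {
		candidates[k] = caesar(ciphertext, -k)
	}
	return candidates
}
```

With a shift of 3, "pass" becomes "sdvv"; running bruteForce over "SDVV" and looking at key 3 gives "PASS" straight back, and the other 24 entries are the only other possibilities an attacker has to read through.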

There are two types of encryption used with certificates, asymmetric and symmetric; let us look at each of these in turn:

The first stage in asymmetric encryption is the key exchange: you always keep your private key and give away your public key. You always use someone else's public key to encrypt data for them:

Figure 6: Asymmetric key exchange

In the preceding diagram, there are two different key pairs: the black key pair and the white key pair. These work together. If you think of the private key as being your bank card, you will never give it away, but the Public Key is your deposit slip—you will give it away so that people can pay money into your account.

The person who is sending the data is on the From side and the person receiving the data is on the To side.

The way to remember the labels: on the left-hand side they are S and E (think South-East), and on the right-hand side they are D and V (think Distinguished Visitor). These labels stand for Sign and Encrypt on the sending side, and Decrypt and Validate on the receiving side.

For example, Bob wants to encrypt data and send it to Carol; how is this done? Let us look at the following diagram. We can see that Bob owns the black key pair and Carol owns the white key pair. The first thing that needs to happen before any encryption is that they give each other their public keys:

Figure 7: Bob encrypting data

You can see under the column for Bob that he has his private key, which he will always keep, and the public key that Carol has given him. In the preceding diagram, you can see the label E for encryption, and therefore Bob uses Carol's public key to encrypt the data. Then, under Carol, you can see the letter D for decryption: when the encrypted data arrives, Carol uses the other half of the white key pair, her private key, to decrypt it. Nobody else, Bob included, can decrypt that data, because only Carol holds the white private key.

Exam tip:
Encryption stops the data being read by changing plaintext to ciphertext. A digital signature does not hide the data: it ensures the data has not been altered, by signing a hash of the message, and the original data can still be read.
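The Bob and Carol exchange from Figure 7, as an added Go example that is not part of the chapter. Each party holds its own RSA key pair and a list of public keys handed over by others; Bob encrypts with Carol's public key (label E) and Carol decrypts with her private key (label D). The code uses RSA-OAEP with SHA-256, the padding mode that should be used for RSA encryption today, and the names and message are constructed for the example:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// party is one column of Figure 7: the person's own key pair (the private half never leaves
// this struct) plus the public keys other people have handed over.
type party struct {
	name  string
	priv  *rsa.PrivateKey
	peers map[string]*rsa.PublicKey
}

func newParty(name string) (*party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &party{name: name, priv: k, peers: map[string]*rsa.PublicKey{}}, nil
}

// exchangePublicKeys is the first stage in the text: each side gives away only the public half.
func exchangePublicKeys(a, b *party) {
	a.peers[b.name] = &b.priv.PublicKey
	b.peers[a.name] = &a.priv.PublicKey
}

// encryptFor is label E: encrypt with the recipient's public key, so that only the holder of
// the matching private key can read the result.
func (p *party) encryptFor(recipient string, plaintext []byte) ([]byte, error) {
	pub, ok := p.peers[recipient]
	if !ok {
		return nil, errors.New("no public key on file for " + recipient)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// decrypt is label D: the other half of the recipient's own pair undoes the encryption.
// Anyone else, the sender included, gets an error here because they do not hold that private key.
func (p *party) decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// maxPlaintext is how much RSA-OAEP can carry in one operation with this key: the modulus size
// minus the OAEP overhead. This is why RSA is used to protect a symmetric key rather than a file.
func (p *party) maxPlaintext() int {
	return p.priv.PublicKey.Size() - 2*sha256.Size - 2
}
```

For a 2048-bit key the limit is 190 bytes; passing a longer message to encryptFor returns rsa.ErrMessageTooLong rather than silently truncating, and handing the ciphertext to Bob's own decrypt fails because the black private key does not match the white public key that encrypted it.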

 

 

Digital signature explained

 

When we send an email or document to someone, it could be intercepted in transit and altered. Your email address could be spoofed and someone could send an email as if it was from you, and there is no guarantee of integrity. Remember from Chapter 1, Understanding Security Fundamentals, that we used hashing to provide the integrity of data; in emails we use a digital signature. We sign the email or document with our private key and it is validated with our public key.

The first stage in digital signatures is to exchange public keys—the same principle as encryption.

For example, George wants to send Mary an email and he wants to ensure that it has not been altered in transit. See the following diagram:

Figure 8: Digital signature

In the preceding diagram, you can see that George signs the email with his private key when he sends it to Mary; she validates it with the public key that George has already given her. When the signature validates, she knows that the email has not been tampered with and that it was signed with George's private key.

When people are asked to sign contracts, they sometimes use a third-party provider that asks them to digitally sign the contract; this makes the contract valid because the digital signature proves the identity of the signatory.

Non-repudiation: when I create a digital signature I use my private key, which I never give away, to sign the email or document, proving that it came from me. Non-repudiation means that I cannot deny that it was me who signed the document; I could not claim it was done by someone else. In the early sixth century, King Arthur would send messages to his knights on a parchment scroll and put his wax seal on the scroll to prove it came from him. A digital signature in modern life does the same: it proves who it came from. The digital signature signs a one-way hash of the entire document, so it also provides integrity, just as hashing does. Non-repudiation only holds for as long as the private key has genuinely stayed private; if the key is stolen, its owner can plausibly deny having signed.

Exam tip:
I will always use someone else's public key to encrypt data. I will never give my private key away. It is like giving away my bank card; it will never happen.
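The George and Mary exchange from Figure 8, as an added Go example that is not part of the chapter. George hashes the whole message and signs the digest with his private key; Mary recomputes the hash over what arrived and validates it with George's public key. Two attacks are included: a byte flipped in transit, and a message signed by an impostor ("Mallory", a name assumed for the example) who has spoofed George's address but does not hold his private key. ECDSA on P-256 is used instead of RSA to keep key generation fast; the steps are the same. The message is constructed:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// signedMessage is what George hands to Mary: the readable body plus a signature over its hash.
// Nothing is hidden; the signature only lets Mary detect changes and prove who signed.
type signedMessage struct {
	Body      []byte
	Signature []byte
}

// sign computes the one-way hash of the whole document and signs the digest with the private key.
func sign(priv *ecdsa.PrivateKey, body []byte) (signedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return signedMessage{Body: body, Signature: sig}, err
}

// verify recomputes the hash over what actually arrived and checks it against the signature
// using the signer's public key. Any change to the body changes the hash and the check fails.
func verify(pub *ecdsa.PublicKey, m signedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return ecdsa.VerifyASN1(pub, digest[:], m.Signature)
}

// tamperInTransit is the attacker from the text: flip a single bit of the body and pass it on.
func tamperInTransit(m signedMessage) signedMessage {
	body := append([]byte(nil), m.Body...)
	body[0] ^= 0x01
	return signedMessage{Body: body, Signature: m.Signature}
}

// demo runs the George/Mary exchange plus the two attacks and reports which checks pass.
func demo() (genuine, tampered, spoofed bool, err error) {
	george, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	mallory, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // impostor with her own key
	if err != nil {
		return
	}
	msg := []byte("Mary, please pay the invoice on Friday. George") // constructed sample
	fromGeorge, err := sign(george, msg)
	if err != nil {
		return
	}
	fromMallory, err := sign(mallory, msg)
	if err != nil {
		return
	}
	genuine = verify(&george.PublicKey, fromGeorge)                 // Mary validates with George's public key
	tampered = verify(&george.PublicKey, tamperInTransit(fromGeorge)) // altered in transit
	spoofed = verify(&george.PublicKey, fromMallory)                 // signed with the wrong private key
	return
}
```

Only the genuine message validates. The spoofed one is the non-repudiation case from the text: Mallory can put George's name in the body, but without George's private key she cannot produce a signature that George's public key accepts.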

 

 

Cryptography algorithms and their characteristics

 

Symmetric and asymmetric ciphers both use keys of a certain number of bits. The shorter the key, the faster the cipher, but the easier it is to brute force; the longer the key, the slower the cipher, but the stronger it is.

For example, we have two people who are going to complete a challenge—they are Usain Bolt, who is DES, a 56-bit key, and we have King Arthur wearing armor, who has an RSA of 4,096 bits. The first part of the challenge is a 100-meter dash and when Usain Bolt wins, King Arthur is held back by the weight of his armor and he is 90 meters behind. The second part of the challenge is a boxing match, and Usain keeps hitting King Arthur who keeps laughing at him as he is being protected by his armor. Then, out of the blue, King Arthur lands a knockout blow to Usain. Since the challenge was for charity and the result was a draw, they are both happy.

Concept:
The smaller the key, the faster it is, but it is less secure. The larger the key, the slower it is, but it is more secure. Bear in mind that symmetric and asymmetric key lengths are not directly comparable: NIST rates a 128-bit AES key as roughly equivalent in strength to a 3072-bit RSA key, so DES's 56 bits against RSA's 4,096 bits is not a like-for-like comparison.

 

 

Symmetric algorithms

 

For the Security+ exam, you must know the characteristics of each of the symmetric algorithms, from when it is used to its key length. Remember, they will never ask you which key encrypts or decrypts, because a symmetric algorithm uses the same key for both; it is called the secret key or shared key, and both parties must keep it private. Let us look at each of these in turn:

 

 

Asymmetric algorithms

 

Asymmetric algorithms are the basis of a PKI environment as they use two keys: a private key that is always kept and a public key that is always given away. Let us now look at different asymmetric techniques:

Figure 9: Diffie Hellman

Diffie-Hellman creates the shared keys used in the Internet Key Exchange (IKE); IKE runs over UDP port 500 (UDP 4500 when NAT traversal is in use) to set up the secure session for an L2TP/IPSec VPN. Once the secure tunnel has been created, the data flows down the tunnel encrypted with a symmetric algorithm.

 

 

Symmetric versus asymmetric analogy

 

If we think of encryption as playing table tennis where each player has just one bat and the pace is extremely fast, this is like symmetric encryption, which uses one key.

Then, if we change the game and give the players two bats, the first bat to stop the ball and the second to return it, so they must switch bats every shot, the game would be much slower, just as asymmetric encryption with its two keys is slower.

The same applies to encryption. Asymmetric encryption, with its two keys, solves the problem of agreeing a key with someone you have never met, so Diffie-Hellman, an asymmetric technique, is used to set up the secure tunnel, and the bulk data is then protected with symmetric encryption. Symmetric encryption uses a block cipher that encrypts large blocks of data much faster than the asymmetric technique can.
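The sequence described in the Diffie-Hellman paragraph and in the analogy above, as an added Go example that is not part of the chapter: an asymmetric key agreement first, then the symmetric cipher carrying the bulk data through the tunnel. It uses crypto/ecdh (Go 1.20 or later) on P-256 for the agreement and AES-GCM for the data. One simplification is assumed and not a recommendation: the shared secret is turned into the AES key with a bare SHA-256 rather than the proper key derivation that IKE and TLS perform. All inputs are constructed:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// endpoint is one end of the tunnel: an ephemeral Diffie-Hellman key pair (ECDH on P-256) and,
// after the agreement, the symmetric AES-GCM key derived from the shared secret.
type endpoint struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD
}

func newEndpoint() (*endpoint, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &endpoint{priv: k}, nil
}

// PublicBytes is the only thing sent over the wire in the exchange, like the DH value in IKE.
func (e *endpoint) PublicBytes() []byte { return e.priv.PublicKey().Bytes() }

// Agree combines our private value with the peer's public value; both sides reach the same
// secret without it ever being transmitted. SHA-256 stands in for a real KDF (assumption).
func (e *endpoint) Agree(peerPublic []byte) error {
	peer, err := ecdh.P256().NewPublicKey(peerPublic)
	if err != nil {
		return err // rejects malformed or off-curve public values
	}
	secret, err := e.priv.ECDH(peer)
	if err != nil {
		return err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return err
	}
	e.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts bulk data symmetrically; the random nonce is prefixed so Open can find it.
func (e *endpoint) Seal(plaintext []byte) ([]byte, error) {
	if e.aead == nil {
		return nil, errors.New("key agreement has not happened yet")
	}
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and, because GCM authenticates, fails on any modified byte.
func (e *endpoint) Open(msg []byte) ([]byte, error) {
	if e.aead == nil {
		return nil, errors.New("key agreement has not happened yet")
	}
	n := e.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	return e.aead.Open(nil, msg[:n], msg[n:], nil)
}

// tunnel runs the whole sequence from the text: asymmetric agreement first, symmetric data after.
func tunnel(plaintext []byte) ([]byte, error) {
	a, err := newEndpoint()
	if err != nil {
		return nil, err
	}
	b, err := newEndpoint()
	if err != nil {
		return nil, err
	}
	if err := a.Agree(b.PublicBytes()); err != nil {
		return nil, err
	}
	if err := b.Agree(a.PublicBytes()); err != nil {
		return nil, err
	}
	ct, err := a.Seal(plaintext)
	if err != nil {
		return nil, err
	}
	return b.Open(ct)
}
```

An eavesdropper who captures both public values but holds neither private one cannot derive the same AES key, so the tunnel data is unreadable to them; and because GCM authenticates as well as encrypts, a modified ciphertext is rejected rather than decrypted to garbage. The example has no authentication of the endpoints, which is exactly the gap that certificates and signatures fill in IKE and TLS.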