Advanced Cryptography

Get Started. It's Free
or sign up with your email address
Rocket clouds
Advanced Cryptography by Mind Map: Advanced Cryptography

1. Digital Certificates

1.1. Defining

1.1.1. Technology used to associate a user's idenity to a public key that has been digitally signed by a trusted third-party.

1.1.2. Characteristics Owner's name Owner's public key Name of issuer Digital signature of the issuer Serial number of the digital certificate Expiration date of the public key

1.2. Managing

1.2.1. Certificate Authority (CA) Serves as the third-party agency that is responsible for issuing the digital certificate. Duties Generate, issue and distributed public key certificates. Distribute CA certificates Generate and publish certificate statue Provide a means for subscribers to request revocation Revoke public-key certificates Maintain the security, availability of the certificate issuance signing The subscriber will generate the public and private keys and send the public key to the CA

1.2.2. Registration Authority (RA) Subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users. Local Registration Authorities (LRA) "Off-loadin" these registration functions to one or more RAs that can be distributed in different geographic areas. Sometimes the CA does the duties of the RA. Duties Recieve, authenticate and process certificate revocation requests. Identify and authenticate subscribers Obtain a public key from the subscriber Verify that the subscriber possess the asymmetric private-key corresponding to the public-key submitted for certification. Primary function of the RA is to verify the identity of the individual. Authentication Email Documents In person

1.2.3. Certificate Revocation List (CRL) List all the revoked digital certificates. Revoked Reasons Certificate is no longer used. Details of the certificate have changed. Private-key has been exposed Private-key has been lost

1.2.4. Certificate Repository (CR) Web Browser Management View default loaded certificates for a web browser. Automatic updates will update the web browser automatically and download CRLs as needed. Publically accessible centralized directory of digital certificates that can be used to view the statues of digital certificates.

1.3. Types

1.3.1. Class 1: Personal Digital Certificates RA only requires the user's name and e-mail address in order to recieve certificate. Used for personal e-mails, digital signatures and documents.

1.3.2. Class 2: Server Digital Certificates Mainly used with webservers but can be used with other server types as well. Functions Ensure the authenticity of the server. Ensure the authenticity of the cryptographic connection to the server.

1.3.3. Class 3: Software Publisher Digital Certificates Verify that their programs are secure and have not been tampered with.

1.3.4. Class 4 is for online business transactions between companies.

1.3.5. Class 5 is for private organizations or governmental security.

1.3.6. Dual-Key Digital Certificates

1.3.7. Dual-Sided Digital Certificates

1.3.8. X.509 Digital Certificates Most widely accepted format/standard for digital certificates defined by International Telecommunication Union (ITU)

2. Public Key Infrastructure (PKI)

2.1. Is the framework for all the entities involved in digital certificates for digital certificate management

2.2. Public-Key Cryptographic Standards (PKCS)

2.2.1. See page 463 and 464 (PKS 7 & 10)

2.3. Trusted Models

2.3.1. Hierarchical Assigns a single hierarchy with one master CA called "root".

2.3.2. Distributed Has multiple CAs that sign digital certificates.

2.3.3. Bridge Acts as a "facilitator" to bridge Hierarchical and Distributed models. Does not issues digital certificates

2.3.4. Third-party trust refers to a situation in which two individuals trust each other because each trusts a third party.

2.4. Managing

2.4.1. Certificate Policy (CP) Published set of rules that govern the operation of PKI

2.4.2. Certificate Practice Statement (CPS) Describes in detail how a CA uses and manages certificates.

2.4.3. Certificate Life Cycle Creation Suspenstion Deactivates a certificate for a specific duration and can be reactivated. Revocation Revokes a certificate before its expiration date and is permanent.

3. Key Management

3.1. Handling

3.1.1. Escrow Third-party stores and manges the key

3.1.2. Expiration

3.1.3. Renewal An existing key can be renewed before it expires

3.1.4. Revocation Revokes a key before its expiration date and is permanent.

3.1.5. Recovery Key Recovery Agent (KRA) Highly trused person responsible for recovering lost or damaged digital certificates M-of-N Control N Group M Group

3.1.6. Suspension Deactivates a key for a specific duration and can be reactivated.

3.2. Storage

3.2.1. Private Smart cards or in tokens

3.2.2. Public Imbedding them in certificates Software repository

4. Transport Encryption Algorithms

4.1. Secure Socket Layer (SSL)

4.1.1. Transport Layer Security (TLS) Extension of SSL Protocol that guarantees privacy and data integrity between applications communicating over the internet

4.1.2. Developed by Netscape for securely transmitting documents over the internet.

4.1.3. Used for other application leve protocols such as FTP, LDAP and SMTP.

4.2. Secure Shell (SSH)

4.2.1. Encrypted alternative to Telnet protocol that is used to access remote computers.

4.2.2. Linux/UNIX based command interface.

4.3. Hypertext Transport Protocol over SSL (HTTPS)

4.3.1. Secure Hypertext Transport Protocol (SHTTP) Related to HTTPS Developed by Enterprise Integration Technology (EIT) Allows clients and servers to negotiate independently encryption and digital signature methods in any combination in both directions.

4.3.2. Uses port 443 instead of HTTP's port 80

4.4. IP Security (IPsec)

4.4.1. OSI Layer 7. Application PGP 6. Presentation 5. Session Kerberos SSL 4. Transport TCP 3. Network IP IPSec 2. Data Link 1. Physical

4.4.2. Two Encryption Modes Tunnel Encrypts the header and data postion. Transport Only encrypts the data portion (payload) Used for communications behind a firewall. When leaving through the firewall, it will be tunnel encryption for communications from firewall to firewall.

4.4.3. Protection 1. Authentication Achieved through Authentication Header (AH) protocol. 2. Confidentiality Achieved through the Encapsulating Security Payload (ESP) protocol. 3. Key Management Achieved through the Association and Key Management Protocol/Oakley (ISAKMP/Oakly) protocol.