
Public Key Infrastructure (PKI) PKI is an ISO authentication “framework” that uses public key

Public Key Infrastructure (PKI) PKI is an ISO authentication “framework” that uses public key cryptography and X.509 standard protocols. The framework establishes a generalized architecture for exchanging secure communication across networks (Internet, internal / external).

yestin

Presentation Transcript


  1. Public Key Infrastructure (PKI)
     • PKI is an ISO authentication “framework” that uses public key cryptography and X.509 standard protocols.
     • The framework establishes a generalized architecture for exchanging secure communication across networks (Internet, internal / external).
     • PKI is a Hybrid Key System with an infrastructure allowing the PKI certificate authority to create, maintain and manage digital certificates.
     • Each user is issued a Digital Certificate (DC), which contains the end user’s public key along with other identifying information.
     • The Digital Certificate is signed / validated by a trusted third party / Certificate Authority (CA).
     • The CA enables users who are unknown to each other, and so have no trust in each other, to trust each other.
     • The most popular DC is an X.509 v3. This is the same type of certificate as an SSL / HTTPS Certificate.

  2. The certificate includes
     • Serial Number
     • Version Number
     • Identity Information
     • Algorithm / Encryption Information
     • Lifetime Dates
     • Signature of the Certificate Authority (CA)
     PKI through its “framework” can provide
     • Confidentiality
     • Access Control
     • Integrity
     • Authentication
     • Nonrepudiation
     Each end user can have multiple certificates, depending on level of need and the users communicated with (64-bit, 128-bit). This is similar to PGP, where key exchange levels are generally matched.

  3. PKI is generally made up of the following entities / functions and roles
     • Certificate Authority (CA): Issuer of Certificates
     • Registration Authority (RA): Performs all functions of CA but cannot issue DC’s
     • Certificate Repository: Structure used to hold CA’s
     • Certificate Revocation: Part of CA / RA that manages DC’s Issuing System
     • Key Management: Backup, recovery, change, updating, histories
     • Cross Certification: Ring / Web of Trust with other CA’s
     • Time Stamping: Provides Timeline / Auditing
     • Custom Application Software: written with PKI logic included; software in application / coding

  4. One-Way Function
     • Algorithm that is easier to compute in one direction than the other (ex. a drinking glass that is dropped and broken).
     • RSA is an example of a real world implementation (two prime numbers are difficult to derive from their resultant).
     • Public Key / Asymmetric Cryptography is based on a Trapdoor function – the Algorithm in conjunction with the Private Key has the proper information to decrypt what the Public Key encrypted.
     Message Integrity
     • The detection, through cryptographic means, that the message / data received is as sent – unaltered.
     • Extremely critical when downloading patches and system level applications.
     • Trojan attacks against unsuspecting users are extremely easy (ie OpenSSH).

  5. One-Way Hash / Message Digest
     • Takes Cleartext in conjunction with a mathematical Algorithm and transforms it into a fixed length value commonly known as a Hash Value or Message Digest.
     • Algorithm is usually publicly available / known.
     • Algorithm is also normally based on the prime numbers concept.
     • Receiver of Message and Hash runs the Message through the Algorithm and compares the result to the Hash. If same – message can be taken as authentic and unaltered.
     • One-Way hashing function does not use any type of key – it is purely used for achieving the same Hash Value on the originally Hashed data stream / file.
     • SHA (Secure Hash Algorithm), MD{2,4,5} are examples of Hashes.
     Message Authentication Code / Digital Signature
     • Ensures that only the intended recipient can view the hash value.
     • Uses a Symmetric Key to encrypt Hash Value.
     • Message is still sent Cleartext.
     • Hash Value is used similar to a checksum.
     • RSA, DSA / SHA (Fed Standard – NIST) are most widely known.
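
The receiver-side check from slide 5, as an added example that is not part of the original slides: the receiver recomputes an unkeyed digest and a keyed MAC for three deliveries, including one where both the message and the hash sent alongside it were replaced. SHA-256, HMAC and all names, keys and sample data below are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a "patch" as sent and as altered in transit.
ORIGINAL = b"patch-1.0: tighten length check in parser\n"
TAMPERED = b"patch-1.0: tighten length check in parser (altered)\n"
SHARED_KEY = b"constructed-key-known-to-sender-and-receiver"


def digest_hex(message: bytes) -> str:
    """Unkeyed one-way hash: anyone can compute it for any message."""
    return hashlib.sha256(message).hexdigest()


def hash_check(message: bytes, received_hex: str) -> bool:
    """Receiver reruns the algorithm and compares with the hash it was given."""
    return hmac.compare_digest(digest_hex(message), received_hex.lower())


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256): producing it requires the symmetric key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_check(key: bytes, message: bytes, received_tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), received_tag)


def receiver_view(message: bytes, received_hex: str, received_tag: bytes) -> dict:
    """What the receiver concludes from each check for one delivery."""
    return {
        "hash_ok": hash_check(message, received_hex),
        "mac_ok": mac_check(SHARED_KEY, message, received_tag),
    }


def deliveries() -> dict:
    good_hex, good_tag = digest_hex(ORIGINAL), mac_tag(SHARED_KEY, ORIGINAL)
    # Without SHARED_KEY, a tag for altered data can only be made with a guess.
    guessed_tag = mac_tag(b"wrong-key-guess", TAMPERED)
    return {
        "untouched": receiver_view(ORIGINAL, good_hex, good_tag),
        "message altered": receiver_view(TAMPERED, good_hex, good_tag),
        "message and hash replaced": receiver_view(
            TAMPERED, digest_hex(TAMPERED), guessed_tag),
    }


if __name__ == "__main__":
    for name, result in deliveries().items():
        print(f"{name:28} {result}")
```

The third delivery passes the unkeyed check, so a bare digest only protects a download when the digest itself arrives over a channel the sender controls.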

  6. End Result Choices / Options
     • What are you trying to accomplish ?
     • Confidentiality: Encrypt Message
     • Integrity: Hash Message
     • Authentication / Integrity: Digitally Signed
     • Confidentiality / Authentication / Integrity: Encrypt Message and Digitally Sign
     • A simpler solution to fill in the gaps (on both ends) ?
     • Readily available tools / programs allow all of the above to be accomplished for novice and non-technical users (ex. Atabok, Amicus).

  7. Protocols / Applications / Definitions
     • FIMAS: Financial Institution Message Authentication Standard. Used to protect electronic fund transfers – using MAC ANSI X9.9.
     • HTTP: Hypertext Transfer Protocol. Is a stateless protocol that functions atop TCP/IP.
     • HTTPS: HTTP-Secure. Is established at the Communication Layer of a session. This enables securing of both message and underlying Communication Channel.
     • IOTP: Internet Open Trading Protocol. C2B protocol. No real defined standard – uses any encryption method agreed upon by both parties. Payment methods and uses vary.
     • IPSec: Internet Protocol Security – method of setting up a secure channel for protected data exchange between two devices.
     • MONDEX: Proprietary application developed by MONDEX Int’l Corp. Uses Smart Cards with currency amount stored on the cards. Instant Cash – non smart card example – phone cards – gift cards.

  8. Protocols / Applications / Definitions (continued)
     • MOSS: MIME Object Security Services. Provides flexible email security with trust models. Introduced in 1995. (See Email Security)
     • PEM: Privacy Enhanced Mail. Standard proposed by the IETF to be compatible with PKCS. (See Email Security)
     • SET: Secure Electronic Transaction. Developed by MC and Visa in 1997 as a means of preventing fraud using electronic payments. SET provides confidentiality for transactions using a DES Symmetric Key System. Developed to encrypt Credit Card Numbers across the internet.
     • S-HTTP: Secure Hypertext Transfer Protocol. Protects individual documents as opposed to a full session like HTTPS.
     • SSH: Secure Shell. A suite of applications that provide encrypted and secure protocols (telnet, ftp, r services, X11).
     • SSID: Service Set Identifier. All devices on a WLAN must use the same SSID (Network Name). Sent as 32-character plaintext with data.
     • SSL: Secure Socket Layer. Developed by Netscape in 1994. When using HTTPS you are using SSL.
     • S/MIME: Secure Multipurpose Internet Mail Extensions. Provides authentication via digital signatures and the confidentiality of encryption. Uses PKCS standards and uses X.509 standard for digital certificates. (See Email Security)

  9. Protocols / Applications / Definitions (continued)
     • TLS: Transport Layer Security. Is the new name / standard for SSL. When using HTTPS you are now using TLS.
     • WAP: Wireless Application Protocol. Cell phone / non 802.11 type architecture / standard.
     • WEP: Wired Equivalent Privacy. Part of the 802.11 standard.
     • WML: Wireless Markup Language. Used on WAP phones to display information in a browser / display. Similar to HTML.
     • WTLS: Wireless Transport Layer Security. Is the layer of WAP that provides privacy, data integrity and authentication in a WAP Services / Session Architecture. Is part of the WAP Gap issue in WAP 1.0.

  10. Digital Certificates
      • Used to ensure that the entity you are transacting with is valid and “theoretically” secure.
      • Used by the entity you are transacting with to ensure you are valid, reputable, and in some instances authenticated.
      • Defined by the X.509 standard. The X.509 standard defines the format of public key certificates.
      • Used with SSL, TLS, LDAP and PKI but can be used anywhere a CA (Certificate Authority) is maintained.
      • Server Gated Certificates (SGC) are used to elevate 40-bit SSL certificates to 128-bit for the duration of the SSL session.
      • Most SSL certificates are managed and maintained server side – the client is superfluous.
      • Export restrictions are no longer an issue to non Terrorist – Watch List entities.
      • Verisign is a digital certificate issuing authority.

  11. Wireless Security
      • WEP … just plain wrong
      • Wired versus Wireless Security
      • Hackability of Wireless
      • Sniffing, snooping and eavesdropping
      • Wireless Attack Methods
      • PDA’s, RIM’s, Cell Phones, GUI Gadgets and Portables
      • Your Privacy / Your Rights

  12. WEP … Just Plain Wrong
      • Wired Equivalent Privacy … need we say more ?
      • RC4 is a stream cipher – it produces random output / ciphertext based on a fixed key size.
      • The RC4 rule is that the cipher stream can never be reused.
      • Data is unencrypted by XOR’ing Data with Key on the other end of the transmission.
      • Since packets cannot be out of sync, we need to either reset the key to the beginning to compensate for missed packets or do a key per packet (which should be a good idea).
      • Add Initialization Vector (Random Number / Seed 24-bits long) to Key to give new per packet key. Feel safer ??
      • Without going into all the logic (and way too much math) of why … 5k packets and random pooling having a 50 % repeat chance at 4800 packets.
      • Starting at a Key of 0 the climb lasts an hour (if you want to wait that long) or … with simple XOR logic we can guess the key. Or just download Airsnort and relax.
      • FYI … 802.11i does not fix the problem (cannot fix structural flaw).
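
An added example, not part of the original slides, for the IV argument on slide 12: it computes how many packets with random 24-bit IVs give an even chance of a repeat, and shows what two packets sharing a per-packet key expose to anyone listening. The RC4 routine is the textbook algorithm; the key, IVs and plaintexts are constructed sample values, and the WEP integrity value is left out.

```python
import math

IV_BITS = 24  # WEP IV length given on the slide


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """Per-packet key = IV || shared secret; data XOR keystream."""
    return xor_bytes(data, rc4_keystream(iv + secret, len(data)))


def packets_for_even_odds(iv_bits: int = IV_BITS) -> int:
    """Smallest packet count at which a random-IV repeat is >= 50% likely."""
    space, log_no_repeat, n = 2 ** iv_bits, 0.0, 0
    while log_no_repeat > math.log(0.5):
        log_no_repeat += math.log1p(-n / space)  # next IV misses all n earlier ones
        n += 1
    return n


# Constructed sample values, not captured traffic.
SECRET = bytes.fromhex("0102030405")  # 40-bit shared key
P1 = b"GET /index.html "
P2 = b"user=alice&pin=1"


def reuse_leak(iv_a: bytes, iv_b: bytes) -> bool:
    """True when the two ciphertexts XOR to the XOR of the two plaintexts."""
    c1 = wep_style_encrypt(iv_a, SECRET, P1)
    c2 = wep_style_encrypt(iv_b, SECRET, P2)
    return xor_bytes(c1, c2) == xor_bytes(P1, P2)


if __name__ == "__main__":
    print("packets for 50% IV repeat:", packets_for_even_odds())
    print("same IV:", reuse_leak(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("different IV:", reuse_leak(b"\x00\x00\x01", b"\x00\x00\x02"))
```

With a repeated IV the keystream cancels out of the two ciphertexts, which is why the per-packet key only helps if the IV space is too large to wrap in practice.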

  13. Wired versus Wireless Security
      • Wired networks are logically defined and can be secured with physical / logical security boundaries and best practices.
      • Wireless networks are not defined by physical or logical security methods (users are mobile).
      • Network staff and Info Security tend to gravitate to wired security solutions for Wireless networks – ie change router passwords but not default SSID’s.
      • Lack of understanding of issues and 802.11.
      • Anyone can bring in a wireless access point and hide it anywhere.
      • IT staff does not do perimeter sweeps or connectivity ranges.
      • First thought is to turn off broadcasts on wireless.
      • MAC Address restriction is a double edged sword. Allows users / network more security but is limiting to visiting users. Defeated by card cracking / switch flooding.
      • Concept of putting internal users in DMZ for wireless causes issues.
      • Tools used in wired security generally not used in wireless.
      • Users / Management and the “oh it’s so cool” factor (new toy mentality).

  14. Hackability of Wireless
      • Denial of Service: Similar to an Access Point Denial but more broad ranged (users, network, multiple points).
      • Man in the Middle: Since the packet’s destination is on the outside of the encrypted data stream, you can disrupt, reroute, read, deny or generally cause failures to all levels of business.
      • Access Point Denial: Removing an Access Point from use by frequency jam, TCP Resets, key count resetting.
      • Wireless NIC Denial: Sending erroneous or disrupting information (done at BlackHat briefings and does work).
      • Data Manipulation: Man in the Middle with Data Change.

  15. Sniffing, snooping and eavesdropping
      • Airsnort: Passively monitors the network and helps “recover” lost encryption keys. Once enough packets have been gathered – key recovery is less than a second. GPS capable.
      • Kismet: Wireless sniffer similar to Airsnort – provides card details of Prism2, Orinoco, Cisco, D-Link etc. Graphical plotting.
      • NetStumbler: Another Sniffer – works with a variety of wireless cards. Second in use only to Airsnort.
      • WarDriving: Traveling in a vehicle searching for wireless access points using a tool or tools listed above.
      • WarChalking: Marking a spot / building where wireless access is found / located.
      • WarParking: Catching data / credit card numbers in a parking lot (ie looking for the best buy).
      • Dinty Moore / Pringles: Under 20 dollars – and with instructions – work better than purchased antennas.
      • Card Cracking: Open the card – modify the MAC address / attach an antenna.

  16. PDA’s, RIM’s, GUI Gadgets, Cell Phones and Portables
      • A world of information in the palm of your (anyone’s) hands
      • Device Encryption / Password locking / Virus Protection
      • Network / Cradle Synchronization
      • Port 80 and your Cell Phone
      • RIM Devices
      • SIM / Cell phone Security
      • Windows / Linux Handhelds

  17. Your Privacy / Your Rights
      • Enhanced 911
      • SmartChips / Speed Pass / EZ-Pass
      • GPS Tracking
      • HIPAA – Doctors on the move
      • SPAM – Lunch is ahead
