Comptia Security+ 501
CompTIA Security+ 501
CompTIA Security+ SY0-501
Instructor: Ron Woerner, CISSP, CISM
CompTIA Security+ Domain 6 – Cryptography & PKI
6.4 Given a scenario, implement public key infrastructure
Cybrary - Ron Woerner 1

6.4 Public-Key Infrastructure (PKI)
● Components
○ Public / Private Key
○ Certificate
○ CA
○ CRL
● Concepts
○ Online vs Offline CA
○ Stapling
○ Pinning
○ Trust model
○ Key escrow
○ Certificate chaining
● Certificate formats
● Types of certificates
○ User
○ Root
○ Wildcard
○ SAN
○ Code signing
○ Self-signed
○ Machine/computer
○ Domain validation

Public and Private Keys
● Encrypt a document with the recipient’s public key. Only their private key needs to be kept secret, and only it can decrypt the message.
● The sender’s private key is used to sign the message.

PKI Components – Public Key Infrastructure
● Solves the issues with key management
● A set of roles, policies, and procedures needed to manage public-key (asymmetric) encryption
● The process of creating, managing, distributing, storing, using, and revoking keys and digital certificates
● Public Key Infrastructure X.509 (PKIX) is the working group formed by the IETF to develop standards and models

PKI Components – Digital Certificate
● A digitally signed block of data, issued by a Certificate Authority, used to prove the ownership of a public key
● Includes:
○ information about the key,
○ information about the identity of its owner (called the subject),
○ and the digital signature of an entity that has verified the certificate’s contents (called the issuer)
● The X.509 v3 standard defines the certificate formats and fields for public keys.

Digital Certificate Components
(slide diagram; not captured in the text extraction)

X.509 Certificate Types
● Root certificates: for root authorities. These are usually self-signed by that authority and often kept offline.
● Domain validation (DV): includes only the domain name
● Organizational validation (OV):
○ Organizations are vetted against official government sources
○ Common for public-facing websites
● Extended validation (EV):
○ Highest level of trust
○ Requires a comprehensive validation of the business

X.509 Certificate Types
● Wildcard certificates: allow subdomains for a single registered domain (*.example.com)
● Subject Alternative Name (SAN): special X.509 extension that allows additional items (IP addresses, domain names, and so on)
● Code signing certificates: used to sign computer code
● Machine/computer certificates: X.509 certificates assigned to a specific computer
● Email certificates: securing email – S/MIME
● User certificates: for individual users

Certificate formats
Common certificate extensions: DER, PEM, PFX, CER, P12, P7B

Cert Format      Encoding         Systems                  Extensions
DER              Binary           Java                     .der, .cer, .crt
PEM              Base64, ASCII    Apache HTTP              .pem, .cer, .crt
PFX (PKCS#12)    Binary           Windows                  .pfx, .p12
P7B (PKCS#7)     Base64, ASCII    Windows & Java Tomcat    .p7b, .p7c

PKI Components – Certificate Authority (CA)
● Trusted entities
● Internal – aka self-signed
● External / Third-party (Symantec, GoDaddy, etc.)
● Duties:
○ Issues certificates
○ Verifies the holder of a digital certificate
○ Ensures that holders of certificates are who they claim to be

PKI Components – Registration Authority (RA)
Offloads work from the CA
● Validates users’ or end-points’ identities
● Accepts registrations
● Distributes keys
● DOES NOT issue certificates

PKI Components – Certificate-Signing Request (CSR)
● Request from applicant to CA to apply for a digital certificate
● Includes:
○ Applicant’s public key
○ Fully qualified domain name
○ Legally incorporated name of the company
○ Address

PKI Components – Certificate Revocation
● Certificate revocation is the process of invalidating a certificate before its expiration date, often due to private key loss or compromise
● Three levels: valid, suspended, and revoked

Certificate Revocation List (CRL)
● Method for distributing certificate revocation information; must be updated often
● Certificate is compared against the CRL
● CRL must be updated and maintained
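The CA, CSR and CRL slides above describe the certificate life cycle in the abstract. The script below is an added example, not material from the Cybrary deck: it builds that life cycle with the standard openssl command-line tool. A root CA (the kind that would be kept offline) signs an intermediate, the intermediate issues a web-server certificate from a CSR that carries only the public key, the chain is verified with nothing but the root trusted, and the leaf is then revoked through a CRL signed by the intermediate. Every name in it (Example Corp, example.internal, 10.0.0.5, the profile sections in pki.cnf, the helper functions) is constructed for this example; the options used exist in OpenSSL 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example (not from the Cybrary slides): a two-tier PKI with the openssl
# CLI. All names ("Example Corp", example.internal, 10.0.0.5) are constructed.
set -e
PKI_DIR=$(mktemp -d)
cd "$PKI_DIR"

# One config: a DN section so 'openssl req' accepts -config, one extension
# profile per tier, and a minimal CA section so 'openssl ca' can keep a
# revocation database (index.txt) and number the CRLs it signs.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder            # overridden by -subj on every request below

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.internal, DNS:example.internal, IP:10.0.0.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ca]
default_ca = int_ca
[int_ca]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF

# 1. Root CA: self-signed. In production this key lives on an offline machine
#    and is used only to sign intermediates and their CRLs.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config pki.cnf -extensions v3_root \
  -subj "/O=Example Corp/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate (issuing) CA: a CSR signed by the root.
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
  -subj "/O=Example Corp/CN=Example Issuing CA" \
  -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -days 1825 -sha256 \
  -extfile pki.cnf -extensions v3_intermediate -out intermediate.pem 2>/dev/null

# 3. Web-server (leaf) certificate. The CSR carries the public key and the
#    requested names; leaf.key never leaves the server.
openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
  -subj "/O=Example Corp/CN=www.example.internal" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 365 -sha256 \
  -extfile pki.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Chain validation: only the root is trusted; the intermediate is supplied as
# an untrusted link that must itself chain to the root. Prints ok/untrusted.
chain_status() {            # $1 = certificate, $2 = intermediates file or ""
  if [ -n "$2" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo ok || echo untrusted
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo ok || echo untrusted
  fi
}

# Revocation: the issuing CA records revoked serials in index.txt and signs a
# CRL; a client that checks that CRL reports valid/revoked (error otherwise).
touch index.txt
echo 1000 > crlnumber
issue_crl()   { openssl ca -config pki.cnf -keyfile intermediate.key -cert intermediate.pem \
                  -gencrl -out intermediate.crl 2>/dev/null; }
revoke_cert() { openssl ca -config pki.cnf -keyfile intermediate.key -cert intermediate.pem \
                  -revoke "$1" -crl_reason keyCompromise 2>/dev/null; }
revocation_status() {       # $1 = certificate
  out=$(openssl verify -crl_check -CRLfile intermediate.crl -CAfile root.pem \
          -untrusted intermediate.pem "$1" 2>&1) && { echo valid; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

# The SAN line as openssl prints it from the issued certificate.
san_of() { openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'; }

echo "SAN in leaf:               $(san_of leaf.pem)"
echo "leaf, root + intermediate: $(chain_status leaf.pem intermediate.pem)"   # ok
echo "leaf, root only:           $(chain_status leaf.pem "")"                 # untrusted
issue_crl
echo "before revocation:         $(revocation_status leaf.pem)"               # valid
revoke_cert leaf.pem
issue_crl
echo "after revocation:          $(revocation_status leaf.pem)"               # revoked
```

Two details carry the slides' points: the "root only" check fails because the client has no way to chain the leaf to the trust anchor without the intermediate (which is why servers send the chain, not just the leaf), and the leaf only shows as revoked after a fresh CRL is signed, which is the "CRL must be updated and maintained" caveat in practice.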
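The formats table on the earlier slide is easier to remember once each container has been produced from the same certificate. The script below is an added example, not part of the Cybrary deck: it creates a throwaway self-signed certificate (constructed name formats.example.internal, constructed password changeit), writes it as PEM, DER, PKCS#12 (PFX) and PKCS#7 (P7B), classifies each file by its leading bytes, and shows that the SHA-256 fingerprint is the same in every container because it is computed over the same DER bytes. detect_format and the fingerprint helpers are written for this example.

```shell
#!/bin/sh
# Added example (not from the Cybrary slides): one certificate in the four
# containers from the formats table. Name and password are constructed.
set -e
FMT_DIR=$(mktemp -d)
cd "$FMT_DIR"

printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = formats.example.internal\n' > req.cnf
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config req.cnf \
  -keyout cert.key -out cert.pem 2>/dev/null

# PEM: Base64 text between BEGIN/END markers (Apache, most Linux tooling).
# DER: the same ASN.1 structure as raw binary (Java keystores, Windows .cer).
openssl x509 -in cert.pem -outform DER -out cert.der
openssl x509 -in cert.der -inform DER -outform PEM -out roundtrip.pem

# PFX / PKCS#12: certificate AND private key in one password-protected binary
# bundle, so the file itself must be handled as a secret (Windows / IIS import).
openssl pkcs12 -export -in cert.pem -inkey cert.key -passout pass:changeit -out cert.pfx

# P7B / PKCS#7: certificates only (typically a whole chain), never a private key.
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

# Classify a file by its first bytes: PEM starts with a BEGIN marker; DER (and
# PKCS#12, which is DER-encoded ASN.1) starts with a SEQUENCE tag, 0x30.
detect_format() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then echo DER
  else echo unknown; fi
}

# SHA-256 fingerprint of the certificate as extracted from each container.
fingerprint()        { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2; }
pkcs7_fingerprint()  { openssl pkcs7 -in "$1" -print_certs \
                         | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }
pkcs12_fingerprint() { openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
                         | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

for f in cert.pem cert.der cert.pfx cert.p7b; do
  echo "$f: $(detect_format "$f")"
done
echo "PEM    $(fingerprint cert.pem PEM)"
echo "DER    $(fingerprint cert.der DER)"
echo "PKCS12 $(pkcs12_fingerprint cert.pfx)"
echo "PKCS7  $(pkcs7_fingerprint cert.p7b)"
```

Note that .cer and .crt appear in both the DER and PEM rows of the table: the extension does not tell you the encoding, the first bytes do, which is what detect_format checks. The P7B written by crl2pkcs7 is PEM text by default, matching the table's "Base64, ASCII" entry.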
PKI Certificate Revocation – OCSP
Online Certificate Status Protocol (OCSP)
● Checks certificate status in real time

OCSP Stapling
● Reduces load on the CA
● Allows the web server to “staple” a time-stamped OCSP response as part of the TLS handshake with the client
● The web server is now responsible for handling OCSP requests instead of the CA

PKI Components – Certificate Trust Models
● Single CA
○ Simplest, no redundancy
○ Self-signed certificate
● Hierarchical model
○ Root CA – top of the hierarchy, may be offline
○ Intermediate CA – subordinate CAs provide redundancy and load balancing
● Certificate chaining
● Web of Trust – a cross-certification model
○ A peer-to-peer trust relationship with other CAs
● Bridge CA – a cross-certification model using a central point of trust

Key Escrow
● Trusted third party maintains keys
● Addresses the possibility that a cryptographic key may be lost: if the key is lost, then the data is lost
● Key Recovery Agent is an entity that has the ability to recover a key, key components, or plain-text messages as needed

Pinning
● Hashes of public keys for popular web servers are included with applications such as web browsers
● Mitigates the use of fraudulent certificates
● HTTP Public Key Pinning (HPKP) uses public key pins, which are essentially hashed values of the public key communicated to the browser client from the server in an HTTP header

Exam Preparation
The job of this service is to issue certificates, verify the holder of a digital certificate, and ensure that holders of certificates are who they claim to be.
A. Certificate Authority
B. Registration Authority
C. Root Certificate
D. Key Escrow

Exam Preparation
Which of the following is NOT contained in a standard X.509 certificate?
A. Serial number
B. Issuer name
C. Subject’s private key
D. Subject’s public key

Security+ Lab Guide
The Understanding PKI Concepts module provides you with the instruction and server hardware to develop your hands-on skills in the defined topics.

Security+ Lab Guide
The Manage Certificates module provides you with the instruction and server hardware to develop your hands-on skills in the defined topics.
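The Pinning slide describes a pin as a hashed value of the server's public key. The script below is an added example rather than material from the Cybrary deck: it computes that value the way HPKP's pin-sha256 defined it, base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), and then shows the behaviour a defender needs to plan for: renewing a certificate on the same key keeps the pin valid, while rotating to a new key breaks it unless a backup pin for that key was configured in advance. (Browsers have since removed HPKP support largely because of that rotation hazard; application-level pinning still uses the same SPKI hash.) The name pin.example.internal and the helper functions are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Cybrary slides): computing and checking a public
# key pin (SPKI SHA-256, the HPKP pin-sha256 form). Names are constructed.
set -e
PIN_DIR=$(mktemp -d)
cd "$PIN_DIR"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = pin.example.internal\n' > req.cnf

# Pin = base64(SHA-256(DER SubjectPublicKeyInfo)). Hashing the SPKI rather than
# the whole certificate lets the certificate be renewed without breaking the pin.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Certificate fingerprint, for contrast: changes on every re-issue.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# What a pinning client does: compare the pin of the presented certificate with
# the set of pins it was configured with (primary + backup).
pin_check() {               # $1 = presented cert, $2... = configured pins
  cert=$1; shift
  presented=$(spki_pin "$cert")
  for p in "$@"; do [ "$p" = "$presented" ] && { echo match; return 0; }; done
  echo mismatch
}

# Key 1 with two certificates issued on it (initial and renewal), and key 2 as
# the rotated key a server moves to after a compromise or on schedule.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key1.pem 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key2.pem 2>/dev/null
openssl req -x509 -new -key key1.pem -config req.cnf -sha256 -days 30 -out cert1.pem 2>/dev/null
openssl req -x509 -new -key key1.pem -config req.cnf -sha256 -days 60 -out cert1-renewed.pem 2>/dev/null
openssl req -x509 -new -key key2.pem -config req.cnf -sha256 -days 30 -out cert2.pem 2>/dev/null

PIN1=$(spki_pin cert1.pem)
PIN2=$(spki_pin cert2.pem)      # backup pin: published before the key is rotated
echo "pin-sha256 for key1:  $PIN1"
echo "renewal, same key:    $(pin_check cert1-renewed.pem "$PIN1")"           # match
echo "new key, no backup:   $(pin_check cert2.pem "$PIN1")"                   # mismatch
echo "new key, backup pin:  $(pin_check cert2.pem "$PIN1" "$PIN2")"           # match
echo "cert1 fingerprint:    $(cert_fingerprint cert1.pem)"
echo "renewal fingerprint:  $(cert_fingerprint cert1-renewed.pem)"            # differs
```

The same spki_pin pipeline run against a live server's leaf certificate (obtained with openssl s_client) is how operators published their HPKP pins; the backup-pin case is the part that, when skipped, locked users out of sites after a key rotation.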