
CompTIA Security+

Module 06

Managing Certificates

Copyright © 2014 Logical Operations, Inc. All rights reserved. OV 6 - 1


Managing Certificates

- Install a CA Hierarchy
- Enroll Certificates
- Secure Network Traffic by Using Certificates
- Renew Certificates
- Back Up and Restore Certificates and Private Keys
- Revoke Certificates



Digital Certificates

[Diagram: a user holding a certificate and a device holding a certificate]



Certificate Authentication

[Diagram: the CA issues a certificate to the certificate holder; the holder presents the certificate to the client; the client validates and accepts the certificate]



PKI

[Diagram: a PKI made up of a CA issuing user certificates, further CAs, certificates, software, services and other cryptographic components]



PKI Components

- Digital certificates
- Certificate authorities
- Registration authority
- Certificate repository database
- Certificate management system
- Certificate signing request



CA Hierarchies

[Diagram: a parent CA with two child CAs beneath it]



The Root CA

[Diagram: a root CA holding a self-signed certificate, with two subordinate CAs beneath it]



Public and Private Roots

[Diagram: a private root CA alongside a public root CA]



Subordinate CAs

[Diagram: a root CA with two subordinate CAs beneath it that manage certificates]



Offline Root CAs

- The root CA remains offline.
- Subordinate CAs will issue certificates.
- All updates are made only to subordinate CAs.
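The hierarchy on the preceding slides, worked through with the openssl command line as an added example (it is not part of the course material): a self-signed root, a subordinate CA whose certificate is signed by the root, a leaf certificate issued by the subordinate alone, and then the chain check a relying party performs. The CA names, file names, validity periods and the host name www.example.test are assumptions made for the demonstration; the example assumes openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not part of the course material: build a two-tier CA
# hierarchy with the openssl CLI and validate a leaf certificate against it.
# Assumed: openssl 1.1.1 or later on PATH. All names, paths and validity
# periods below are constructed for the demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal req configuration so the example does not depend on the system
# openssl.cnf; -subj overrides the placeholder CN on every request.
printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
              '[ dn ]' 'CN = placeholder' > "$WORK/req.cnf"

# Extension files. basicConstraints is what separates a CA certificate from an
# end-entity one; pathlen:0 stops the subordinate CA from creating further CAs.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/root.ext"
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/sub.ext"
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:www.example.test' > "$WORK/leaf.ext"

# New RSA key plus certificate signing request named $1 with subject CN $2.
new_csr() {
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Root CA: the only self-signed certificate in the hierarchy.
make_root() {
  new_csr root "Example Offline Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Subordinate CA: its CSR is signed with the root key. This is the one step
# that needs the root key; afterwards the root can go back offline.
make_sub() {
  new_csr sub "Example Issuing CA"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/sub.ext" \
    -out "$WORK/sub.crt" >/dev/null 2>&1
}

# End-entity certificate, issued by the subordinate CA alone.
make_leaf() {
  new_csr leaf "www.example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Chain validation the way a relying party does it: trust only the root and
# supply the subordinate as an untrusted intermediate. Prints OK or FAIL.
verify_leaf() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
       "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# The same check without the intermediate: no path to the root can be built.
verify_leaf_without_intermediate() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# "yes" when the certificate's basicConstraints marks it as a CA.
is_ca() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
  then echo yes; else echo no; fi
}

make_root; make_sub; make_leaf
echo "leaf with intermediate:    $(verify_leaf)"
echo "leaf without intermediate: $(verify_leaf_without_intermediate)"
echo "root is CA: $(is_ca "$WORK/root.crt"); leaf is CA: $(is_ca "$WORK/leaf.crt")"
```

Run it with sh. The leaf verifies only when the subordinate is supplied as an intermediate, which is the practical reason a server must send its full chain and not just its own certificate. The root key is used exactly once, to sign the subordinate; everything after that happens at the subordinate, which is what makes an offline root workable.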



CA Hierarchy Design Options

Company Profile: Thousands of employees worldwide
CA Hierarchy Implementation: The subordinate CAs are designated by geographic location to balance the number of issued certificates among the individual CAs.

Company Profile: Individuals need to access specific applications only
CA Hierarchy Implementation: The subordinate CAs are designated by function or department so the individual CAs serve groups of people with specific resource needs.

Company Profile: Tight security allows individuals to have differing levels of access to the same resources
CA Hierarchy Implementation: The subordinate CAs are designated by the security required to obtain a certificate. Some CAs may be set up to issue a certificate with a network ID and password; other CAs may require a person to present a valid driver's license.



The Certificate Enrollment Process

1. Certificate request
2. Authentication
3. Policy applied
4. Request sent to CA
5. Certificate issued
6. Entity notified
7. Certificate installed



The Certificate Life Cycle

1. Root issues self-signed certificate
2. Certificate is enrolled
3a. Certificate is renewed
3b. Certificate is revoked
3c. Certificate expires
3d. Certificate is suspended



Certificate Life Cycle Management

- Longer life cycles give attackers an advantage.
- Shorter life cycles allow for renewal of more secure certificates.



The SSL Enrollment Process

SSL Enrollment Step   Explanation
1. Request            The client requests a session with the server.
2. Response           The server responds by sending its digital certificate and public key to the client.
3. Negotiation        The server and client then negotiate an encryption level.
4. Encryption         Once they agree on an encryption level, the client generates a session key, encrypts it with the public key from the server, and sends it to the server.
5. Communication      The session key then becomes the key used in the conversation.



Certificate Renewal

- Certificates expire and need to be renewed.
- Renewal process upholds security and accessibility.
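Added example (not part of the course material) of the two halves of renewal as an operator sees them: spotting a certificate that is about to expire with openssl's -checkend option, and renewing with a fresh key pair so that the shorter life cycle also rotates the key. The certificate here is self-signed only to keep the example stand-alone; a CA-issued certificate is renewed the same way (new key, new CSR, new issuance). The host name svc.example.test, the lifetimes and the 30-day warning window are constructed values, and openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not part of the course material: find certificates that are
# about to expire with "openssl x509 -checkend" and renew with a new key pair.
# Assumed: openssl 1.1.1 or later. Names, lifetimes and the 30-day warning
# window are constructed for the demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"
printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
              '[ dn ]' 'CN = placeholder' > "$WORK/req.cnf"

# Self-signed certificate named $1, valid for $2 days, with a fresh key.
# (Self-signed only so the example runs alone; a CA-issued certificate is
# renewed the same way: new key, new CSR, new issuance.)
issue_self_signed() {
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=svc.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$2" -sha256 \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# "yes" if certificate $1 will have expired $2 days from now.
# -checkend exits 0 while the certificate is still valid at that point, 1 otherwise.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
  then echo no; else echo yes; fi
}

# Expiry timestamp as openssl prints it ("notAfter=...").
not_after() { openssl x509 -in "$1" -noout -enddate; }

# "different" when the renewed certificate carries a new public key (rekey),
# "same" when only the validity period changed.
key_changed() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# The certificate currently in service has ten days left; renew it for a year.
issue_self_signed current 10
issue_self_signed renewed 365
echo "current: $(not_after "$WORK/current.crt"); expires within 30 days: $(expires_within_days "$WORK/current.crt" 30)"
echo "renewed: $(not_after "$WORK/renewed.crt"); expires within 30 days: $(expires_within_days "$WORK/renewed.crt" 30)"
echo "key rotated on renewal: $(key_changed "$WORK/current.crt" "$WORK/renewed.crt")"
```

The expires_within_days check is the piece worth scheduling: run it over every certificate in service with a window longer than the time it takes to get a renewal issued and installed, so the renewal happens while the old certificate is still valid and accessibility is never interrupted.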



Private Key Protection Methods

- Back up to removable media
- Delete from insecure media
- Require restoration password
- Never share
- Never transmit on network
- Use key escrow



Key Escrow

- Alternative to key backup.
- Allows one or more trusted third parties access to the keys under predefined conditions.
- Third party is called the key escrow agent.



Private Key Restoration Methods

- Key escrow:
  - One or more escrow agents can restore
- Key backup:
  - Restore from backup media



The Private Key Replacement Process

1. Recover key
2. Decrypt data
3. Destroy original key
4. Obtain new key pair
5. Encrypt data with new key
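Added example (not part of the course material) that ties together the private key protection methods, the backup restoration method and the five-step replacement process above, using the openssl CLI. The backup is an encrypted PKCS#8 copy of the key that cannot be restored without the restoration password, and the replacement walks the slide's steps in order: recover, decrypt, destroy, new key pair, re-encrypt. The restoration password, the file names and the "secret" data are constructed; in practice the password would be held in a vault or by the escrow agent. openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not part of the course material: protect a private key backup
# with a restoration password, restore it, then walk the five-step key
# replacement process with the openssl CLI. Assumed: openssl 1.1.1 or later.
# The password, file names and the "secret" data are constructed; in practice
# the restoration password lives in a vault or with the escrow agent.
set -e

WORK="${WORK:-$(mktemp -d)}"
BACKUP_PASS='constructed-restoration-password'

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Backup copy of key $1 written to $2, encrypted under the restoration password
# (PKCS#8, AES-256). This is what goes to removable media; the plaintext key does not.
backup_key() {
  openssl pkey -in "$1" -aes-256-cbc -passout "pass:$BACKUP_PASS" -out "$2" 2>/dev/null
}

# Restore backup $1 to $2 using password $3. Prints OK or FAIL.
restore_key() {
  if openssl pkey -in "$1" -passin "pass:$3" -out "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# SHA-256 of the DER public key: equal output means the same key pair.
pubkey_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Public-key encryption of a short file (RSA with PKCS#1 padding, pkeyutl's default).
encrypt_with() {   # $1 private key, $2 plaintext, $3 ciphertext output
  openssl pkey -in "$1" -pubout -out "$1.pub" 2>/dev/null
  openssl pkeyutl -encrypt -pubin -inkey "$1.pub" -in "$2" -out "$3" 2>/dev/null
}
decrypt_with() { openssl pkeyutl -decrypt -inkey "$1" -in "$2" 2>/dev/null; }   # plaintext to stdout

# The replacement process from the slide, step by step.
replace_key() {
  # 1. Recover key: restore the old key from its protected backup.
  restore_key "$WORK/old.key.bak" "$WORK/old.key.restored" "$BACKUP_PASS" >/dev/null
  # 2. Decrypt the data that was protected with the old key.
  decrypt_with "$WORK/old.key.restored" "$WORK/data.enc" > "$WORK/data.txt"
  # 3. Destroy the original key: every copy, the backup included.
  rm -f "$WORK/old.key" "$WORK/old.key.pub" "$WORK/old.key.restored" "$WORK/old.key.bak"
  # 4. Obtain a new key pair, and back it up under the same protection.
  gen_key "$WORK/new.key"
  backup_key "$WORK/new.key" "$WORK/new.key.bak"
  # 5. Encrypt the data with the new key, then drop the plaintext again.
  encrypt_with "$WORK/new.key" "$WORK/data.txt" "$WORK/data.enc"
  rm -f "$WORK/data.txt"
}

# Plaintext as decrypted with the key currently in service.
read_data() { decrypt_with "$WORK/new.key" "$WORK/data.enc"; }

# Starting state: data encrypted under the old key, old key backed up.
printf '%s' 'constructed secret: db password = s3cret' > "$WORK/data.txt"
gen_key "$WORK/old.key"
backup_key "$WORK/old.key" "$WORK/old.key.bak"
encrypt_with "$WORK/old.key" "$WORK/data.txt" "$WORK/data.enc"
rm -f "$WORK/data.txt"

echo "restore with wrong password:   $(restore_key "$WORK/old.key.bak" "$WORK/probe.key" 'wrong')"
echo "restore with correct password: $(restore_key "$WORK/old.key.bak" "$WORK/probe.key" "$BACKUP_PASS")"
```

Step 3 is the one that tends to be skipped in practice: once the data is re-encrypted, the old key and its backup have no remaining purpose, and leaving either behind keeps the compromised key able to decrypt any old copies of the data. The fingerprint helper is the check to run after a restore, to confirm the recovered key is the one the certificate was issued for before it goes back into service.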



Certificate Revocation

- Private key compromised
- Fraudulent certificate
- Holder no longer trusted



A CRL

[Diagram: a revoked certificate listed in the contents of a CRL]
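Added example (not part of the course material) covering the revocation slide and the CRL slide together: a certificate is revoked for a compromised private key, a CRL is generated from the CA's database, and a relying party's verdict is checked at three points. The middle check is the one to notice: after revocation but before the CA publishes a new CRL, a client holding the old CRL still says OK, which is the latency of CRL-based revocation that the OCSP slide that follows addresses. The CA name, host name, reason code and paths are constructed, and openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not part of the course material: revoke a certificate with the
# openssl CLI, publish the CRL, and show that a relying party keeps accepting
# the certificate until it holds the fresh CRL. Assumed: openssl 1.1.1 or
# later. The CA name, host name, paths and reason code are constructed.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"
export CA_DIR

# Working directory and configuration for "openssl ca". index.txt is the CA's
# database of issued and revoked certificates; -gencrl builds the CRL from it.
init_ca() {
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/ca.cnf" <<'EOF'
[ ca ]
default_ca       = issuing_ca
[ issuing_ca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = cn_only
[ cn_only ]
commonName       = supplied
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN                 = placeholder
EOF
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$CA_DIR/ca.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature,keyEncipherment' > "$CA_DIR/leaf.ext"
  # Self-signed issuing CA; the same key signs certificates and the CRL.
  openssl req -config "$CA_DIR/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.csr" -subj "/CN=Example Issuing CA" >/dev/null 2>&1
  openssl x509 -req -in "$CA_DIR/ca.csr" -signkey "$CA_DIR/ca.key" -days 3650 -sha256 \
    -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
}

# Issue an end-entity certificate through "openssl ca" so it is recorded in index.txt.
issue_leaf() {
  openssl req -config "$CA_DIR/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$CA_DIR/leaf.key" -out "$CA_DIR/leaf.csr" -subj "/CN=host.example.test" >/dev/null 2>&1
  openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -in "$CA_DIR/leaf.csr" \
    -extfile "$CA_DIR/leaf.ext" -out "$CA_DIR/leaf.crt" >/dev/null 2>&1
}

# Mark the certificate revoked in the database (reason: private key compromised).
revoke_leaf() {
  openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/leaf.crt" \
    -crl_reason keyCompromise >/dev/null 2>&1
}

# Build and sign a CRL from the current database contents.
publish_crl() { openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/ca.crl" >/dev/null 2>&1; }

# Relying-party check with CRL checking turned on. Prints OK, REVOKED or FAIL.
check_leaf() {
  out=$(openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/ca.crl" \
          "$CA_DIR/leaf.crt" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo FAIL ;;
  esac
}

# Contents of the published CRL: number of revoked entries, and whether the
# key-compromise reason code was recorded with the entry.
crl_revoked_count() {
  openssl crl -in "$CA_DIR/ca.crl" -noout -text 2>/dev/null | grep -c 'Serial Number:' || true
}
crl_lists_key_compromise() {
  if openssl crl -in "$CA_DIR/ca.crl" -noout -text 2>/dev/null | grep -q 'Key Compromise'
  then echo yes; else echo no; fi
}

# Verdict before revocation, after revocation while the client still holds the
# old CRL, and after the fresh CRL is published.
demo_revocation() {
  init_ca; issue_leaf; publish_crl
  before=$(check_leaf)
  revoke_leaf
  stale=$(check_leaf)
  publish_crl
  after=$(check_leaf)
  echo "$before $stale $after"
}

REVOCATION_RESULT=$(demo_revocation)
echo "before / stale CRL / fresh CRL: $REVOCATION_RESULT"
echo "revoked entries in CRL: $(crl_revoked_count); key compromise recorded: $(crl_lists_key_compromise)"
```

The -crl_check flag is what makes openssl verify consult the CRL at all; without it the revoked certificate still verifies. The default_crl_days value is the CRL's nextUpdate window, and it bounds how long a client may keep acting on a stale list, so the publication schedule has to be shorter than the exposure the organisation is willing to accept after a key compromise.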



OCSP

- Alternative to CRL
- HTTP-based
- Checks specific certificate based on request
- Sends response with certificate's status
- Lower overhead than CRL
- Lacks encryption



Reflective Questions

1. What types of certificate management functions have you performed or do you plan on performing at your job?

2. What method of backing up private keys would you prefer to use? Why?

