Scribd Logo
Upload

Welcome to Scribd!

  • 4.12 PKI Overview

    Uploaded by

    Islam Deif
    11 views5 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    11 views5 pages

    4.12 PKI Overview

    Uploaded by

    Islam Deif

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    4/24/2018 Understanding Cisco Cybersecurity Fundamentals

    4.12 Understanding Basic Cryptography Concepts

    PKI Overview

    Open Transcript

    A substantial challenge with both asymmetric encryption and digital certificates is the secure distribution of public keys. How
    do you know that you have the real public key of the other system and not the public key of an attacker who is trying to
    deceive you? In this scenario, the public key infrastructure comes to play. Entities enroll with a PKI and receive identity
    certificates that are signed by a certificate authority. Among the identity information included in the certificate is the entity's
    public key. The certificate authority’s digital signature on the identity certificate validates that the included public key is the
    real public key belonging to the associated entity. A system will only accept the signed digital certificate if it trusts the CA.
    The CA plays the role of a trusted third party.

    Trusted Third-Party Example


    In the figure below, Alice applies for a driver’s license. As part of this process, Alice submits evidence of identity and
    qualifications to drive. Once the application is approved, a license is issued.

    35%

    Initializing...
    https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/4/pages/12 1/5
    4/24/2018 Understanding Cisco Cybersecurity Fundamentals
    Initializing...

    Later, Alice needs to cash a check at the bank. Upon presenting the check to the bank teller, the bank teller asks for ID. The
    bank, because it trusts the government agency that issued the driver’s license, verifies the identity with the license and
    cashes the check.

    Note

    Certificate authorities function like the driver’s license bureau in this example. The driver’s license is analogous to a
    certificate in a PKI or a technology that supports certificates.

    PKI Terminology and Components


    A PKI is the service framework that is used to support large-scale public key-based technologies. It provides the base for
    security services such as encryption, authentication, and nonrepudiation. A PKI allows for very scalable solutions which
    require the management of systems identities, user identities, or both, and is an important authentication solution for VPNs.
    A PKI uses specific terminology to name its components.

    Two very important terms must be defined when talking about a PKI:

    • CA: The trusted third party that signs the public keys of entities in a PKI-based system.

    • Certificate: A document, which in essence binds together the name of the entity and its public key, which has been
    signed by the CA.

    Many vendors offer CA servers as a managed service or as an end-user product: VeriSign, Entrust Technologies, and
    GoDaddy are some examples. Organizations may also implement private PKIs using Microsoft Server or Open SSL.

    PKI has been standardized to allow interoperability across a wide variety of applications and vendors. In the early 1990s,
    RSA Security Inc. devised and published a set of standards that are known as PKCS. While not true industry standards, as
    they were specified and maintained by a single organization, several of the standards have been accepted into the
    standards track processes of recognized standards organizations.

    Some of the PKCSs include:

    • PKCS #1: RSA Cryptography Standard

    https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/4/pages/12 2/5
    4/24/2018 Understanding Cisco Cybersecurity Fundamentals

    • PKCS #3: D-H Key Agreement Standard

    • PKCS #5: Password-Based Cryptography Standard

    • PKCS #6: Extended-Certificate Syntax Standard

    • PKCS #7: Cryptographic Message Syntax Standard

    • PKCS #8: Private-Key Information Syntax Standard

    • PKCS #10: Certification Request Syntax Standard

    • PKCS #12: Personal Information Exchange Syntax Standard

    • PKCS #13: Elliptic Curve Cryptography Standard

    • PKCS #15: Cryptographic Token Information Format Standard

    X.509 is an ITU-T standard for PKI which specifies, among other things, the formats for identity certificates and certificate
    validation algorithms. The IETF formed the PKIX working group to support standards development of X.509.

    Currently, digital identity certificates use the X.509 version 3 structure:

    • Version

    • Serial number

    • Algorithm ID

    • Issuer

    • Validity

    – Not before

    – Not after

    • Subject

    • Subject public key info

    – Public key algorithm

    – Subject public key

    • Issuer unique identifier (optional)

    • Subject unique identifier (optional)

    • Extensions (optional)

    – ...

    • Certificate signature algorithm

    • Certificate signature

    As you can see, digital identity certificates contain a set of identity information about an entity, including that entity's public
    key. The last element in the certificate is a signature. The CA signs the certificate. It takes all the certificate data and runs it
    through the specified hash algorithm to compute a fingerprint of the certificate data. It then encrypts the hash using its
    private key. The encrypted hash is the signature and it is appended to the certificate. Any system can then validate a
    certificate using the CA’s public key. The system takes the certificate data and runs it through the specified hash algorithm
    to produce a fingerprint of the certificate which it received. It then decrypts the certificate signature using the CA’s public
    key. If the computed hash and the decrypted signature match, then the signature is valid.

    https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/4/pages/12 3/5
    4/24/2018 Understanding Cisco Cybersecurity Fundamentals

    Content Review Question

    When using PKI which two of the following are true? (Choose two.)

    Currently, PKI digital identity certificates use the X.509 version 3 structure.

    Currently, the PKI architecture requires that the client devices stay in constant contact with the CA in
    order to trust a certificate that is issued by the CA.

    A client device must trust the CA in order to validate another device certificate that is issued by the
    same CA.

    The CA does not sign the user or device certificate; it only signs its own root certificate.

    Submit

    Content Review Question

    Which five of the following options are components of the X.509 v3 certificate standard? (Choose five.)

    serial number

    user name

    issuer

    validity date range

    subject

    subject public key info

    department name

    Submit

    Answer
    https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/4/pages/12 4/5
    4/24/2018 Understanding Cisco Cybersecurity Fundamentals

    The correct answers are "serial number," "issuer," " validity date range," "subject," and "subject public key info."

    https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/4/pages/12 5/5

    You might also like