CBROPS 200-201: Chapter 7 - Fundamentals of Cryptography & Public Key Infrastructure (PKI)

This mind map goes over key topics and definitions from Chapter 5 - Fundamentals of Cryptography


1. Identity & account management life cycle management phases

1.1. Registration & Identity Validation

1.1.1. A user provides information and registers for digital identity. The issuer will verify the information and securely issue a unique and non-descriptive identity.

1.2. Privileges provisioning

1.2.1. The resource owner authorizes the access rights to a specific account, & privileges are associated with it.

1.3. Access Review

1.3.1. Access rights are constantly reviewed to avoid privilege creep.

1.4. Access Revocation

1.4.1. Access to a given resource may be revoked due, for example, to account termination.

2. Password Management

2.1. Password Creation

2.1.1. Organizations should have policies and standards for password creation: strength, age, reusability.

2.2. User-generated passwords

2.2.1. Users generate their own passwords which are simple to remember but easy to guess and often re-used across multiple systems.

2.3. System-generated passwords

2.3.1. Generated by the system; they are strong and compliant with security policy but can be difficult to remember, and users tend to write them down.

2.4. OTP & token

2.4.1. Passwords are generated by an external entity & synced with an internal resource.

2.4.2. Users don't need to remember complex passwords, but this method requires more infrastructure, and the software & hardware required generate deployment & maintenance costs.

3. Multifactor Authentication

3.1. The process of authentication requires a subject to supply verifiable credentials; these credentials are referred to as factors.

3.2. In multifactor authentication, two or more factors are presented.

3.3. Multilayer Authentication

3.3.1. In multilayer authentication more than one of the same type of factor is used.

3.4. Identification

3.4.1. Identification is establishing identity.

3.5. Authentication

3.5.1. Authentication is about proving identity.

4. Single Sign-On System

4.1. 1. A user is accessing resources on Server B; for example, the user sends an HTTP GET request for a web page (step 1)

4.2. 2,3. SSO is used to provide authentication service for Server B. When Server A receives the request for a web page, it redirects the user to the SSO server of the organization for authentication (steps 2 and 3)

4.3. 4, 5. The user authenticates to the SSO server, which redirects the user back to Server B with proof of authentication, for example a token (steps 4 and 5).

4.4. 6. Server B will validate the proof of authentication and grant access to resources.

5. Security Events & Log Management

5.1. Event (NIST SP 800-61r2)

5.1.1. An event is any observable occurrence in a network.

5.2. Security Incident

5.2.1. An event that violates the security policy of an organization.

5.3. Event Management

5.3.1. Includes administrative, physical, & technical controls that allow the proper collection, storage, and analysis of events.

5.3.2. Many compliance frameworks such as ISO & PCI DSS mandate log management controls & practices.

6. Log Collection, Analysis, & Disposal

6.1. Log storage is critical for maintaining log confidentiality & integrity.

6.2. Information Collected via Logs

6.2.1. User ID, system activities, timestamps, successful or unsuccessful access attempts, configuration changes, network addresses & protocols, file access activities.

6.3. NIST SP 800-92

6.3.1. Defines three categories of logs of interest for security professionals.

6.4. Logs generated by security software

6.4.1. Antivirus/antimalware, IPS/IDS, web proxies, remote access software, authentication servers, vulnerability management software, infrastructure devices (firewalls, routers, switches, wireless access points)

6.5. Logs generated by the operating system

6.5.1. System events, audit logs

6.6. Logs generated by the applications

6.6.1. Connection & session info, usage info, significant operational action

6.7. Syslog (RFC 5424)

6.7.1. Event notification protocol with three main entities

6.7.1.1. Originator

6.7.1.1.1. The entity that generates a Syslog message

6.7.1.2. Collector

6.7.1.2.1. The entity that receives info about an event in Syslog format

6.7.1.3. Relay

6.7.1.3.1. An entity that can receive messages from originators and forward them to other relays or collectors.

6.7.2. Syslog Facility

6.7.2.1. Kernel Messages (0)

6.7.2.2. User-level messages (1)

6.7.2.3. Mail system (2)

6.7.2.4. System daemons (3)

6.7.2.5. Security/Authorization messages (4)

6.7.2.6. Messages generated by Syslogd (5)

6.7.2.7. Line printer subsystem (6)

6.7.2.8. Network news subsystem (7)

6.7.2.9. UUCP subsystem (8)

6.7.2.10. Clock daemon (9)

6.7.2.11. Security/authorization messages (10)

6.7.2.12. FTP daemon (11)

6.7.2.13. NTP subsystem (12)

6.7.2.14. Log Audit (13)

6.7.2.15. Log alert (14)

6.7.2.16. Clock daemon (15)

6.7.2.17. Local use 0-7 (16-23)
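
Added example (not part of the original mind map): a small Python parser that maps an RFC 5424 message to the facility codes listed above. It relies on the RFC 5424 rule PRI = facility * 8 + severity, which the mind map does not state; the sample messages and the choice of facilities 4, 10 and 13 as "security relevant" are constructed for illustration.

```python
import re

# Facility codes as listed above (RFC 5424); 16-23 are "local use 0-7".
FACILITIES = {
    0: "kernel", 1: "user-level", 2: "mail", 3: "system daemons",
    4: "security/authorization", 5: "syslogd", 6: "line printer",
    7: "network news", 8: "UUCP", 9: "clock daemon",
    10: "security/authorization", 11: "FTP daemon", 12: "NTP",
    13: "log audit", 14: "log alert", 15: "clock daemon",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)", re.S)

def parse(line):
    """Return a dict of header fields, or None if the line is not valid RFC 5424."""
    m = HEADER.fullmatch(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:              # highest valid PRI is facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "timestamp": m.group(3), "host": m.group(4),
        "app": m.group(5), "rest": m.group(8),  # structured data + message text
    }

def security_events(lines):
    """Keep messages from the security/authorization (4, 10) and audit (13) facilities."""
    parsed = (parse(line) for line in lines)
    return [p for p in parsed if p and p["facility"] in (4, 10, 13)]

# Constructed sample messages (not from a real system).
SAMPLE = [
    "<34>1 2024-05-01T10:00:00Z gw01 su - ID47 - 'su root' failed for user1",
    "<86>1 2024-05-01T10:00:05Z web01 sshd 2211 - - Accepted publickey for deploy",
    "<165>1 2024-05-01T10:00:09Z app01 billing 991 - - job finished",
    "<999>1 2024-05-01T10:00:11Z x y - - - PRI out of range",
    "not a syslog line",
]

if __name__ == "__main__":
    for e in security_events(SAMPLE):
        print(e["host"], e["facility_name"], "severity", e["severity"], e["rest"])
```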

7. Ciphers & Keys

7.1. Cipher

7.1.1. Also called an algorithm: the rules for how to perform encryption & decryption.

7.1.2. Common Cipher Methods

7.1.2.1. Substitution

7.1.2.1.1. Character substitution

7.1.2.2. Polyalphabetic

7.1.2.2.1. Similar to substitution but with more alphabets

7.1.2.3. Transposition

7.1.2.3.1. Any options including letter rearrangement

7.2. Key

7.2.1. Instructions on how to reassemble characters. For example, a one-time pad (OTP) could encrypt a 32-bit message with a 32-bit key called a pad.

7.2.2. Key Management

7.2.2.1. Deals with the relationship between users & keys.

7.2.2.2. Specifically deals with generating keys, verifying keys, exchanging keys, storing keys, and, at the end of their lifetime, destroying keys.

8. Block & Stream Ciphers

8.1. Block Cipher

8.1.1. Is a symmetric key cipher (same key used to encrypt & decrypt) that operates on a group of bits called a block.

8.1.2. May add padding for a full block if necessary.

8.1.3. Examples

8.1.3.1. Advanced Encryption Standard (AES)

8.1.3.2. Triple Data Encryption Standard (3DES)

8.1.3.3. Blowfish

8.1.3.4. Data Encryption Standard (DES)

8.1.3.5. International Data Encryption Algorithm (IDEA)

8.2. Stream Cipher

8.2.1. Is a symmetric key cipher (same key used to encrypt & decrypt) that operates on a bit at a time against the keystream, called a cipher digit stream.

8.2.2. May have slightly less overhead than a block cipher since it does not require a block.

9. Symmetric & Asymmetric Algorithms

9.1. Symmetric Encryption Algorithm / Symmetric Cipher

9.1.1. Uses the same key to encrypt and decrypt the data.

9.1.2. Examples

9.1.2.1. DES

9.1.2.2. 3DES

9.1.2.3. AES

9.1.2.4. IDEA

9.1.2.5. Blowfish

9.1.2.6. RC2

9.1.2.7. RC4

9.1.2.8. RC5

9.1.2.9. RC6

9.2. Asymmetric Algorithm

9.2.1. Uses a public key pair: two keys, private and public, that work in tandem as a pair.

9.2.2. Public Key

9.2.2.1. The public key is available to anyone who wants to use it

9.2.3. Private Key

9.2.3.1. The private key is known only to the device that owns the key pair.

9.2.4. Examples

9.2.4.1. RSA (PKCS #1)

9.2.4.1.1. With a key length of 512 to 2048, the minimum for security is at least 1024. Slower than symmetric algorithms but can be used for signing and encryption. Uses integer factorization cryptography.

9.2.4.2. Diffie-Hellman (DH)

9.2.4.2.1. Allows the negotiation of a shared secret keying material (keys). The algorithm is asymmetric but the keys generated by the exchange are symmetric.

9.2.4.3. ElGamal

9.2.4.3.1. Is based on the DH exchange.

9.2.4.4. DSA

9.2.4.4.1. The Digital Signature Algorithm was developed by the US National Security Agency.

9.2.4.5. ECC

9.2.4.5.1. Elliptic curve cryptography is public-key cryptography based on the algebraic structure of elliptic curves over finite fields.

10. Hashes

10.1. Used to verify data integrity, also called a digest, message digest, or hash. A cryptographic hash function takes a block of data and creates a small-sized hash value.

11. The three most popular types of hashes

11.1. Message Digest 5 (MD5)

11.1.1. Creates a 128-bit digest

11.2. Secure Hash Algorithm 1 (SHA-1)

11.2.1. Creates a 160-bit hash digest.

11.3. Secure Hash Algorithm 2 (SHA-2)

11.3.1. Options of 224-bit digest & 512-bit digest.

12. Hashed Message Authentication Code (HMAC)

12.1. Uses the mechanism of hashing with a secret key. Thus, only the other party who also knows the secret key and can calculate the resulting hash can correctly verify the hash. Interception and modification are unrealistic since the attacker does not have the secret key.

12.2. MD5

12.2.1. Is an insecure hash function.

12.3. SHA-256

12.3.1. Provides adequate protection for sensitive information.

12.4. SHA-384

12.4.1. Used to protect classified information.
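
Added example (not part of the original mind map): the difference between an unkeyed hash and an HMAC when a message is changed in transit, using Python's standard hmac and hashlib modules with SHA-256. The key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

def plain_hash(message: bytes) -> bytes:
    """Unkeyed integrity value: anyone who can change the message can recompute it."""
    return hashlib.sha256(message).digest()

def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed integrity value: computing it requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def accept_plain(message: bytes, received_hash: bytes) -> bool:
    return hmac.compare_digest(plain_hash(message), received_hash)

def accept_hmac(key: bytes, message: bytes, received_tag: bytes) -> bool:
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(hmac_tag(key, message), received_tag)

def demo():
    key = b"constructed-shared-secret"      # known to sender and receiver only
    sent = b"amount=100;to=alice"           # constructed sample message
    altered = b"amount=900;to=mallory"      # same message changed in transit
    return {
        # untouched message with its own tag
        "hmac_genuine": accept_hmac(key, sent, hmac_tag(key, sent)),
        # message altered, original tag left in place
        "hmac_altered_old_tag": accept_hmac(key, altered, hmac_tag(key, sent)),
        # message altered, tag recomputed without the real key
        "hmac_altered_wrong_key": accept_hmac(key, altered, hmac_tag(b"guess", altered)),
        # unkeyed hash: the altered message with a recomputed hash passes the check
        "plain_altered_rehashed": accept_plain(altered, plain_hash(altered)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the unkeyed hash accepts the altered message, which is why integrity checks on data crossing an untrusted path need a key.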

13. Digital Signatures

13.1. Proves that you are who you say you are.

13.2. Core Benefits

13.2.1. Authentication, Data Integrity, Nonrepudiation

14. Digital Signatures in Action

14.1. Digital Signature

14.1.1. 1. For example, Batman takes a packet, generates a hash, and then encrypts it with his private key.

14.1.2. 2. Batman attaches this encrypted hash (digital signature) to the packet and sends it to Robin.

14.1.3. 3. Robin decrypts the packet with Batman's public key and runs the hash function; if there is a match, we know Batman is who he says he is. This is authentication using digital signatures.

14.1.4. The keys are exchanged with the certificate exchange; these certificates are trusted if they are signed by a CA they both trust.

14.1.5. Certificate Authority (CA)

14.1.5.1. A trusted entity that hands out digital certificates.

15. Description of next-generation encryption protocols

15.1. Suite B

15.1.1. Algorithms designed to meet future security needs, approved for protecting classified info at secret & top-secret levels.

15.1.2. Examples

15.1.2.1. Elliptic curve cryptography replaces RSA signatures with the ECDSA (EC variant of DSA)

15.1.2.2. DH → ECDH

15.1.2.3. AES in Galois/Counter Mode (GCM)

15.1.2.4. ECC digital signature algorithm

15.1.2.5. SHA-256

15.1.2.6. SHA-384

15.1.2.7. SHA-512

16. Description of IPsec & SSL

16.1. IPsec

16.1.1. A suite of protocols to protect IP packets. Typically used in remote-access VPNs & site-to-site VPNs.

16.2. SSL/TLS

16.2.1. Is typically used for remote-access VPNs & secure communications with web services.

17. Public & Private Key pairs

17.1. A key pair is a set of two keys that work in combination as a team.

17.2. A public key may be shared with everyone, a private key is known only to the owner.

17.3. The private key can encrypt, the public key can decrypt and the inverse is also true. This process is also called public-key cryptography or asymmetric key cryptography.

18. RSA Algorithm, the Keys, & Digital Signatures

18.1. Keys

18.1.1. Secrets that allow cryptography to provide confidentiality.

18.1.2. With RSA digital signatures, each party has a public-private key pair because both parties intend on authenticating the other side.

18.1.3. A CA takes each of their public keys as well as their names and IP addresses and creates individual digital certificates, and the CA issues these certificates back to each party respectively. The CA also digitally signs each certificate.

18.2. Digital Signature

18.2.1. 1. Batman takes some data, generates a hash, and then encrypts the hash with Batman’s private key.

18.2.2. 2. This encrypted hash is inserted into the packet and sent to Robin. This encrypted hash is Batman’s digital signature.

18.2.3. 3. Having received the packet with the digital signature attached, Robin first decodes or decrypts the encrypted hash using Batman’s public key.

18.2.4. 4. It then sets the decrypted hash to the side for a moment and runs a hash against the same data that Batman did previously. If the hash that Robin generates matches the decrypted hash, which was sent as a digital signature from Batman, then Robin has just authenticated Batman—because only Batman has the private key used for the creation of Batman’s digital signature.
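
Added example (not part of the original mind map): steps 1 to 4 above carried out in Python, with Batman signing and Robin verifying. It uses textbook RSA on a SHA-256 hash without the PKCS #1 padding a real implementation applies, and toy keys built from publicly known Mersenne primes, so it illustrates the flow only; the key sizes, packet contents and function names are constructed assumptions.

```python
import hashlib

def make_key(a, b, e=65537):
    """Toy RSA key from the Mersenne primes 2**a - 1 and 2**b - 1.
    Constructed for illustration: these primes are public, so the key is insecure."""
    p, q = 2**a - 1, 2**b - 1
    public = {"n": p * q, "e": e}
    private = {"n": p * q, "d": pow(e, -1, (p - 1) * (q - 1))}
    return public, private

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    """Steps 1-2: hash the data, then apply the private key to the hash."""
    return pow(digest(data), private["d"], private["n"])

def verify(data: bytes, signature: int, public) -> bool:
    """Steps 3-4: recover the hash with the public key, compare with a fresh hash."""
    if not 0 <= signature < public["n"]:
        return False
    return pow(signature, public["e"], public["n"]) == digest(data)

BATMAN_PUB, BATMAN_PRIV = make_key(521, 607)     # Batman's key pair
_, OTHER_PRIV = make_key(127, 1279)              # someone else's private key

def demo():
    packet = b"meet at the usual place at 21:00"  # constructed sample data
    sig = sign(packet, BATMAN_PRIV)               # sent along with the packet
    return {
        # Robin checks the packet as sent
        "genuine": verify(packet, sig, BATMAN_PUB),
        # packet changed after signing: the fresh hash no longer matches
        "tampered": verify(packet.replace(b"21", b"23"), sig, BATMAN_PUB),
        # signed with a different private key: Batman's public key rejects it
        "wrong_signer": verify(packet, sign(packet, OTHER_PRIV), BATMAN_PUB),
    }

if __name__ == "__main__":
    print(demo())
```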

19. Description of Certificate Authorities

19.1. A certificate authority is a computer or entity that issues digital certificates.

19.2. Digital certificates contain information about the device.

20. Root Certificates

20.1. A root certificate contains the public key of the CA server and other details about the CA server.

20.2. Certificate Parts

20.2.1. Serial Number

20.2.1.1. This is the number issued and tracked by the CA that issued the certificate.

20.2.2. Issuer

20.2.2.1. This is the CA that issued this certificate. (Need to have their certificates issued from someone, could be themselves.)

20.2.3. Validity Dates

20.2.3.1. These dates indicate the time window during which the certificate is considered valid.

20.2.4. The subject of the certificate

20.2.4.1. Includes organizational unit (OU), organization (O), country (C), other details commonly found in an X.500 structured directory.

20.2.5. Public Key

20.2.5.1. Contents of the public key and the length of the key.

20.2.6. Thumbprint algorithm and thumbprint

20.2.6.1. Hash of certificate.

21. Identity Certificates

21.1. An identity certificate describes the client and contains the public key of an individual host (the client). Identity certificates are used by web servers, APIs, VPN clients, and web browsers (in some cases).

21.2. X.500 & X.509v3

21.2.1. X.500 is a series of standards focused on directory services and how those directories are organized. Example, CN=Batman (CN stands for common name), OU=engineering (OU stands for organizational unit), O=cisco.com (O stands for organization)

21.3. Enrollment with a CA

21.3.1. 1. Authenticate with root CA, request own identity certificate with public-private key pair.

21.3.2. 2. CA signs your certificate; you can verify the digital certificate of the CA with the signature provided in the authentication step.

22. Simple Certificate Enrollment Protocol (SCEP)

22.1. Cisco, in association with a few other vendors, developed the Simple Certificate Enrollment Protocol (SCEP), which can automate most of the process for requesting and installing an identity certificate.

23. Methods to check if certificates have been revoked

23.1. Certificate Revocation List (CRL)

23.1.1. This is a list of certificates, based on their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted.

23.2. Online Certificate Status Protocol (OCSP)

23.2.1. This is an alternative to CRLs. Using this method, a client simply sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates.

23.3. Authentication, Authorization, & Accounting

23.3.1. Cisco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, it is not often used in PKI.

24. Key Terms

24.1. Block Ciphers

24.1.1. A symmetric key cipher that operates on a group of bits called a block. The same key is used to encrypt and decrypt.

24.2. Symmetric Algorithms

24.2.1. An encryption algorithm that uses the same key to encrypt and decrypt.

24.3. Asymmetric Algorithms

24.3.1. An encryption algorithm that uses two different keys, private & public, which together make a key pair.

24.4. Hashing Algorithms

24.4.1. An algorithm used to verify data integrity.

24.5. Digital Certificates

24.5.1. A digital entity used to verify that the user is who he or she claims to be and provide the receiver a means to encode a reply. Can apply to systems as well.

24.6. Certificate Authority

24.6.1. A system that generates and issues digital certificates to users and systems.

24.7. Advanced Encryption Standard (AES)

24.7.1. A symmetric-key encryption algorithm used by most modern crypto implementations. Defined in FIPS PUB 197: "Advanced Encryption Standard (AES)" and ISO/IEC 18033-3: "Block Ciphers".

24.8. Online Certificate Status Protocol (OCSP)

24.8.1. A protocol used to perform certificate validation.