Module 4: Advanced Cryptography

Last updated 1:25 PM on 4/13/26

62 Terms

1. Digital Signature
A technology used to prove a document originated from a valid sender.

2. Weakness of Digital Signature
It can only prove that the private key of the sender was used to encrypt the signature.

3. Weakness of Digital Signature
An imposter could post a public key under a sender's name.

4. Digital Certificate
A technology used to associate a user's identity to a public key that has been "digitally signed" by a trusted third party.

5. Certificate Authority (CA)
An entity used to manage digital certificates.

6. Registration Authority (RA)
An entity responsible for verifying the authenticity of the user during a certificate request.

7. Certificate Signing Request (CSR) Generation
The process where a certificate request is processed and a digital certificate is issued after verification.

8. Intermediate Certificate Authority (CA)
Subordinate entities designed to handle specific CA tasks, such as processing certificate requests and verifying the identity of the individual.

9. Certificate Request Authentication Methods
These include verification via email, documents, or in person.

10. Certificate Repository (CR)
A publicly accessible centralized directory of digital certificates used to view certificate status.

11. Certificate Repository (CR) Management
This directory can be managed locally by setting it up as a storage area connected to the CA server.

12. Certificate Revocation Circumstances
Reasons for revocation include a certificate no longer being used, details of the certificate changing (such as user address), or a private key being lost or exposed.

13. Certificate Revocation List (CRL)
A list of digital certificates that have been revoked.

14. Online Certificate Status Protocol (OCSP)
A protocol that performs a real-time lookup of a certificate's status.

15. OCSP Responder
A trusted entity to which a browser sends certificate information to receive immediate revocation information.

16. OCSP Stapling
A variation of OCSP where web servers query the OCSP Responder at regular intervals to receive a signed, time-stamped response.

17. Certificate Chaining
The process used to verify that a digital certificate is genuine.

18. Root Digital Certificate
The beginning point of a certificate chain, which is self-signed, created and verified by a CA, and does not depend on higher-level authorities.

19. User Digital Certificate
The endpoint of a certificate chain.

20. Web Server Digital Certificate Functions
These ensure the authenticity of the web server to the client and ensure the authenticity of the cryptographic connection to the web server.

21. Domain Digital Certificate Types
Common types include domain validation, extended validation (EV), wildcard, and subject alternative name (SAN) certificates.

22. Machine/Computer Digital Certificate
A specific type of digital certificate relating to hardware.

23. Code Signing Digital Certificate
A specific type of digital certificate relating to software.

24. Email Digital Certificate
A specific type of digital certificate relating to software for securing email.

25. X.509 Version 3
The standard format for digital certificates.

26. X.509 Digital Certificate Attributes
These include the certificate validity period, end-host identity information, encryption keys for secure communications, the signature of the issuing CA, and the common name (CN) of the protected device.

27. Public Key Infrastructure (PKI)
A framework for all entities involved in digital certificates.

28. Public Key Infrastructure (PKI) Components
The set of software, hardware, processes, procedures, and policies needed to create, manage, distribute, use, store, and revoke digital certificates across large user populations.

29. Trust
Confidence in or reliance on another person or entity.

30. Trust Model
Refers to the type of trust relationship that can exist between individuals and entities.

31. Direct Trust
A trust model where one person knows the other person.

32. Third-party Trust
A situation where two individuals trust each other because each trusts a third party.

33. Web of Trust Model
A model based on direct trust where each user signs a digital certificate and then exchanges certificates with all other users.

34. Hierarchical Trust Model
A model that assigns a single hierarchy with one master CA called the root, which signs all digital certificate authorities with a single key.

35. Distributed Trust Model
A model with multiple CAs that sign digital certificates to eliminate the limitations of the hierarchical trust model.

36. Bridge Trust Model
A model where one CA acts as a facilitator to interconnect all other CAs, allowing different trust models to be linked together.

37. Certificate Policy (CP)
A published set of rules governing the operation of a PKI and providing recommended baseline security requirements.

38. Certificate Practice Statement
A technical document describing in detail how the CA uses and manages certificates, including registration, issuance, and revocation.

39. Certificate Life Cycle
Typically divided into four parts

40. Public Key Storage
Public keys can be stored by embedding them within digital certificates.

41. Private Key Storage
Private keys can be stored on the user's local system (software-based) or in hardware such as smart-cards or tokens.

42. Dual Key Pairs (Encryption)
One pair used to encrypt information, where the public key can be backed up to another location.

43. Dual Key Pairs (Digital Signatures)
A pair used only for digital signatures, where the public key is never backed up.

44. Key Management Procedures
Standard procedures include escrow, expiration, renewal, revocation, recovery, suspension, and destruction.

45. M-of-N Control
A key management control illustrated by splitting key parts among several users.

46. Tunneling
A process used by cryptographic protocols that relies on "encapsulating" or enveloping the data to be transmitted inside something else.

47. Transport Layer Security (TLS)
A replacement for Secure Sockets Layer (SSL) that provides a higher degree of protection; the current version is TLS v1.3.

48. Cipher Suite
A named combination of the encryption, authentication, and message authentication code (MAC) algorithms used with TLS.

49. IP Security (IPSec)
A protocol suite for securing IP communications that is transparent to applications, users, and software.

50. IPSec Protection Areas
These correspond to three protocols

51. IPSec Encryption Modes
These include transport mode and tunnel mode.

52. Robustness of IPSec
IPSec is considered more robust than TLS because it protects IP, the basis for all other TCP/IP protocols.

53. Hypertext Transport Protocol Secure (HTTPS)
Plain HTTP sent over TLS using port 443.

54. Secure Shell (SSH)
An encrypted alternative to the Telnet protocol used to access remote computers.

55. Secure/Multipurpose Internet Mail Extensions (S/MIME)
A protocol for securing email messages.

56. Secure Real-time Transport Protocol (SRTP)
A secure extension protecting transmission using the Real-Time Transport Protocol (RTP).

57. Cryptographic Key
A value that serves as input to an algorithm to transform plaintext into ciphertext and vice versa.

58. Key Strength
The resiliency of a key to attacks, determined by randomness, cryptoperiod, and key length.

59. Cryptoperiod
The length of time for which a key is authorized for use.

60. Block Cipher
An algorithm that manipulates an entire block of plaintext at one time, encrypting each block independently.

61. Block Cipher Mode of Operation
Specifies how block ciphers should handle blocks of plaintext.

62. Common Block Cipher Modes
These include Electronic Code Book (ECB), Cipher Block Chaining (CBC), Counter (CTR), and Galois/Counter (GCM).