sy0-601-06v1.0.pptx

Implementing Public Key Infrastructure

Lesson 6

1

Implement Certificates and Certificate Authorities

Topic 6A

2

CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3.9 Given a scenario, implement public key infrastructure

Syllabus Objectives Covered

3

Public key cryptography

When you want others to send you confidential messages, you give them your public key to use to encrypt the message

When you want to authenticate yourself to others, you sign a message by encrypting a signature value with your private key; only your matching public key can decrypt it, which proves the signature came from you

But how does someone trust the public key?

Public key infrastructure (PKI) validates the identity of the owner of a public key

Public key is wrapped in a digital certificate signed by a certificate authority (CA)

Sender and recipient must both trust the CA

Public and Private Key Usage

4

Certificate Authorities

Private CAs versus third-party CAs

Define services offered

Ensure validity of certificates and users

Establish trustworthy working procedures

Manage servers and keys

Screenshot used with permission from Microsoft.

5

PKI Trust Models and Certificate Chaining

Single CA

Hierarchical/chain of trust

Root CA

Intermediate CAs

Leaf certificates

Online versus offline

Screenshot used with permission from Microsoft.

6

Registration identification and authentication procedures

Private versus third-party CAs

Certificate Signing Request (CSR)

Client generates key pair and sends public key to CA with CSR

CA performs subject identity checks

CA signs and issues certificate

Registration authority (RA)

Registration and CSRs

7

Digital Certificates

Contains subject’s public key

Information identifying the subject plus usage and validity

Digital certificate standards

X.509 Public Key Infrastructure (PKIX)

PKCS (Public Key Cryptography Standards)

Screenshot used with permission from Microsoft.

8


Certificate Attributes

Field / Usage

Serial Number: A number uniquely identifying the certificate within the domain of its CA.
Signature Algorithm: The algorithm used by the CA to sign the certificate.
Issuer: The name of the CA.
Valid From/To: Date and time during which the certificate is valid.
Subject: The name of the certificate holder, expressed as a distinguished name (DN). Within this, the Common Name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address.
Public Key: Public key and algorithm used by the certificate holder.
Extensions: V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage.
Subject Alternative Name (SAN): This extension field is the preferred mechanism to identify the DNS name or names by which a host is identified.

9

Subject Name Attributes

Common Name (CN)

Legacy method of recording FQDN

Deprecated by standards

BUT still used in many implementations

Subject Alternative Name (SAN)

Structured identifiers

List multiple host/subdomains

Use wildcard subdomain

Screenshot used with permission from Microsoft.
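The SAN-first, CN-as-fallback rule and the wildcard subdomain rule from this slide, as an added example written for these notes (not part of the CompTIA deck); the function names and the sample names are assumptions:

```python
"""Hostname matching against SAN and CN.

Added example, not from the CompTIA slides: a host name is checked against the
certificate's SAN dNSName entries; the legacy Common Name is consulted only
when the certificate carries no SAN dNSName at all. Wildcards follow the
usual rules: one '*', leftmost label only, matching exactly one label.
"""
from typing import Iterable, Optional


def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name pattern (possibly '*.example.com') against a host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, sep, rest = pattern.partition(".")
    # The wildcard must be the entire leftmost label: "w*.example.com" is rejected.
    if first != "*" or not sep or "*" in rest:
        return False
    host_first, host_sep, host_rest = host.partition(".")
    # One label only: "a.b.example.com" does not match "*.example.com",
    # and neither does the bare "example.com".
    return bool(host_sep) and host_first != "" and host_rest == rest


def hostname_matches(host: str, san_dns: Iterable[str], common_name: Optional[str]) -> bool:
    """True if the certificate identifies host (SAN first, CN only as fallback)."""
    san_dns = list(san_dns)
    if san_dns:
        return any(_name_matches(p, host) for p in san_dns)
    return common_name is not None and _name_matches(common_name, host)
```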

10

Types of Certificate

Certificate policies and templates

Key usage

Extended Key Usage/Enhanced Key Usage

Critical or non-critical

Screenshot used with permission from Microsoft.

11

Web Server Certificate Types

Domain Validation (DV)

More rigorous identity checks

Extended Validation (EV)

Even more rigorous identity checks

Screenshot used with permission from Microsoft.

12

Other Certificate Types

Machine/computer

Servers and network appliances

Identify by FQDN

Email/user certificate

Can be various types (email, encryption, smart card logon, and so on)

Identify by email address

Code signing

Validate publisher name

Root certificate

Self-signed certificate for the CA

Self-signed certificate

Must be manually trusted

Screenshot used with permission from Microsoft.

13

CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Review Activity: Certificates and Certificate Authorities

14

Assisted Lab: Managing the Lifecycle of a Certificate

15

Topic 6B

16


3.9 Given a scenario, implement public key infrastructure

4.1 Given a scenario, use the appropriate tool to assess organizational security (OpenSSL only)

Syllabus Objectives Covered

17

Certificate and Key Management

Key life cycle

Key generation

Certificate generation

Storage

Revocation

Expiration and renewal

Vulnerabilities from improper management

18

Key Recovery and Escrow

M-of-N control for critical keys (root servers)

Keys can be backed up to protect against data loss

Anyone with access to backup keys could impersonate the true key holder

Key recovery processes can be protected by M of N control

Escrow backup

Placing archived keys with a trusted third party
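M-of-N control as described on this slide, implemented with Shamir secret sharing; this is an added example for these notes, not code from the CompTIA material, and the field size, function names and the sample secret are assumptions:

```python
"""M-of-N control for key recovery via Shamir secret sharing (added example,
not from the slides). The recovery secret, e.g. the passphrase protecting an
archived private key, is split into N shares such that any M reconstruct it
while fewer than M reveal nothing about it. Arithmetic is over GF(P) for the
Mersenne prime P = 2**127 - 1, so the secret must be smaller than P
(any secret of 15 bytes or fewer fits)."""
import secrets
from typing import List, Tuple

P = 2**127 - 1


def split_secret(secret: bytes, m: int, n: int) -> List[Tuple[int, int]]:
    """Split secret into n shares (x, y); any m of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not 1 <= m <= n or s >= P:
        raise ValueError("need 1 <= M <= N and a secret smaller than the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Tuple[int, int]], length: int) -> bytes:
    """Lagrange-interpolate f(0) from any m distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")
```

In practice the shares would be handed to N separate custodians; the recovery ceremony then needs any M of them present, which is the control the slide refers to.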

19

Certificate Expiration

Certificate duration

Certificate renewal

Use existing key pair

Re-key with newly generated key pair

Expiration

Public key will no longer be accepted

Archiving versus destroying key material

Secure erasing methods

20

Certificate Revocation Lists

Revocation versus suspension

Reason codes

Certificate Revocation List (CRL)

List of revoked and suspended certificates

Browser CRL checking

Screenshot used with permission from Microsoft.

21

Online Certificate Status Protocol Responders

Online Certificate Status Protocol (OCSP)

OCSP responder

Provide real-time status information (though some rely on CRLs)

Client queries single certificate per transaction

OCSP stapling

Clients might need to make lots of certificate queries for a chain of trust

Queries can be used to track clients

Stapling proxies the OCSP response: the web server fetches it from the responder and presents it to clients together with its certificate

22

Certificate Pinning

Defend against MitM attacks on chain of trust

Web server references authorized public key(s) in HTTP header

HTTP Public Key Pinning (HPKP)

Certificate Transparency framework

23

Certificate Formats

Distinguished Encoding Rules (DER)

Binary format

Privacy-enhanced Electronic Mail (PEM)

Represent binary as ASCII using Base64 encoding

.CER and .CRT file formats may be either binary or ASCII

Personal information exchange

Export a private key (binary and password-protected)

.PFX or .P12 (PKCS #12)

Export a certificate chain

.P7B (PKCS #7)

Screenshot used with permission from Microsoft.
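DER versus PEM as described on this slide, shown as an added example for these notes (not code from the CompTIA deck): Base64 armoring of DER bytes and back, plus a look at the outer DER tag and length; the sample DER blob is constructed for the example and is not a real certificate.

```python
"""DER <-> PEM conversion (added example, not from the slides). DER is the
binary encoding; PEM wraps the same bytes in Base64 between BEGIN/END armor
lines, 64 characters per line. SAMPLE_DER is a constructed minimal
SEQUENCE { INTEGER 2, INTEGER 0x1234 }, not a real certificate."""
import base64
from typing import Tuple

SAMPLE_DER = bytes.fromhex("3007" "020102" "02021234")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-encode DER bytes and wrap them in PEM armor lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Strip the armor and decode; rejects text that is not PEM with that label."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or lines[0] != begin or lines[-1] != end:
        raise ValueError(f"not a PEM-armored {label}")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_outer_tlv(der: bytes) -> Tuple[int, int]:
    """Return (tag, content length) of the outermost DER element.

    Handles both the short form (one length byte below 0x80) and the long
    form (0x80 | number of following length bytes), which real certificates use.
    """
    tag, first = der[0], der[1]
    if first < 0x80:
        return tag, first
    nbytes = first & 0x7F
    return tag, int.from_bytes(der[2:2 + nbytes], "big")


def looks_binary(data: bytes) -> bool:
    """Heuristic for .CER/.CRT files, which may be DER or PEM: DER starts with SEQUENCE (0x30)."""
    return data[:1] == b"\x30"
```

The standard library offers the same conversion for certificates as `ssl.DER_cert_to_PEM_cert` and `ssl.PEM_cert_to_DER_cert`; the hand-written version here only makes the format visible.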

24

OpenSSL

Windows Certificate Services and certutil/PowerShell

OpenSSL

Key pair generation and CA root certificate

Certificate requests

Viewing and verifying certificates

Converting certificate formats

25


Certificate Issues

Troubleshoot rejection of certificates by servers and clients

Existing certificate—check expiry and status

New certificate

Check key usage settings and requirements

Check subject name

Check chain of trust/root certificates

Verify time and date settings

Audit certificate and PKI infrastructure
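The troubleshooting checklist from this slide run over a certificate chain, as an added example for these notes (not code from the CompTIA deck); certificates are modelled as plain records with constructed sample data, and the record fields, function names and sample CA names are assumptions:

```python
"""Running the certificate-rejection checklist over a chain (added example,
not from the slides). Certificates are plain records with constructed sample
data, no X.509 parsing, so the checks run offline: validity window against the
client clock, revocation status, extended key usage, subject name, and the
chain of trust up to a trusted root."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set, Tuple

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # the client's clock in the demo

@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san: List[str] = field(default_factory=list)  # dNSName entries
    eku: Set[str] = field(default_factory=set)    # e.g. {"serverAuth"}
    revoked: bool = False

def diagnose(chain: List[Cert], trusted_roots: Set[str], host: str,
             required_eku: str, now: datetime) -> List[str]:
    """Return the problems found; chain[0] is the leaf. Empty list means OK."""
    problems = []
    for c in chain:
        if now < c.not_before:
            problems.append(f"{c.subject}: not yet valid, verify the client clock")
        elif now > c.not_after:
            problems.append(f"{c.subject}: expired {c.not_after:%Y-%m-%d}, renew or re-key")
        if c.revoked:
            problems.append(f"{c.subject}: revoked, see CRL/OCSP status")
    leaf = chain[0]
    if required_eku not in leaf.eku:
        problems.append(f"leaf: extended key usage lacks {required_eku}")
    if host.lower() not in (n.lower() for n in leaf.san):
        problems.append(f"leaf: subject name does not cover {host}")
    for child, parent in zip(chain, chain[1:]):  # each issuer must be the next subject
        if child.issuer != parent.subject:
            problems.append(f"chain break: {child.subject} is not issued by {parent.subject}")
    if chain[-1].issuer not in trusted_roots:  # the last issuer must be in the trust store
        problems.append(f"untrusted root: {chain[-1].issuer}")
    return problems

def sample_chain() -> Tuple[List[Cert], Set[str]]:
    """Constructed leaf and issuing CA; the root is present only in the trust store."""
    def d(year): return datetime(year, 1, 1, tzinfo=timezone.utc)
    issuing = Cert("CN=Corp Issuing CA", "CN=Corp Root CA", d(2020), d(2030))
    leaf = Cert("CN=www.example.com", "CN=Corp Issuing CA", d(2024), d(2025),
                san=["www.example.com"], eku={"serverAuth"})
    return [leaf, issuing], {"CN=Corp Root CA"}
```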

26

Review Activity: PKI Management

27

Assisted Lab: Managing Certificates with OpenSSL

28

Lesson 6 Summary

29