Implementing Public Key Infrastructure
Lesson 6
Implement Certificates and Certificate Authorities
Topic 6A
CompTIA Security+ Lesson 6 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
3.9 Given a scenario, implement public key infrastructure
Public and Private Key Usage
Public key cryptography
When you want others to send you confidential messages, you give them your public key to use to encrypt the message
When you want to authenticate yourself to others, you create a digital signature by encrypting with your private key; anyone holding your public key can verify it
But how does someone trust the public key?
Public key infrastructure (PKI) validates the identity of the owner of a public key
The public key is wrapped in a digital certificate signed by a certificate authority (CA)
Sender and recipient must both trust the CA
Certificate Authorities
Private CAs versus third-party CAs
Define services offered
Ensure validity of certificates and users
Establish trustworthy working procedures
Manage servers and keys
PKI Trust Models and Certificate Chaining
Single CA
Hierarchical/chain of trust
Root CA
Intermediate CAs
Leaf certificates
Online versus offline
Registration and CSRs
Registration identification and authentication procedures
Private versus third-party CAs
Certificate Signing Request (CSR)
Client generates key pair and sends public key to CA with CSR
CA performs subject identity checks
CA signs and issues certificate
Registration authority (RA)
Digital Certificates
Contains subject’s public key
Information identifying the subject plus usage and validity
Digital certificate standards
X.509 Public Key Infrastructure (PKIX)
PKCS (Public Key Cryptography Standards)
Certificate Attributes
| Field | Usage |
| --- | --- |
| Serial Number | A number uniquely identifying the certificate within the domain of its CA. |
| Signature Algorithm | The algorithm used by the CA to sign the certificate. |
| Issuer | The name of the CA. |
| Valid From/To | Date and time during which the certificate is valid. |
| Subject | The name of the certificate holder, expressed as a distinguished name (DN). Within this, the Common Name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address. |
| Public Key | Public key and algorithm used by the certificate holder. |
| Extensions | V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage. |
| Subject Alternative Name (SAN) | This extension field is the preferred mechanism to identify the DNS name or names by which a host is identified. |
Subject Name Attributes
Common Name (CN)
Legacy method of recording FQDN
Deprecated by standards
BUT still used in many implementations
Subject Alternative Name (SAN)
Structured identifiers
List multiple host/subdomains
Use wildcard subdomain
Types of Certificate
Certificate policies and templates
Key usage
Extended Key Usage/Enhanced Key Usage
Critical or non-critical
Web Server Certificate Types
Domain Validation (DV)
More rigorous identity checks
Extended Validation (EV)
Even more rigorous identity checks
Other Certificate Types
Machine/computer
Servers and network appliances
Identify by FQDN
Email/user certificate
Can be various types (email, encryption, smart card logon, and so on)
Identify by email address
Code signing
Validate publisher name
Root certificate
Self-signed certificate for the CA
Self-signed certificate
Must be manually trusted
Review Activity
Certificates and Certificate Authorities
Lab Activity
Assisted Labs
Managing the Lifecycle of a Certificate
Implement PKI Management
Topic 6B
Syllabus Objectives Covered
3.9 Given a scenario, implement public key infrastructure
4.1 Given a scenario, use the appropriate tool to assess organizational security (OpenSSL only)
Certificate and Key Management
Key life cycle
Key generation
Certificate generation
Storage
Revocation
Expiration and renewal
Vulnerabilities from improper management
Key Recovery and Escrow
M-of-N control for critical keys (root servers)
Keys can be backed up to protect against data loss
Anyone with access to backup keys could impersonate the true key holder
Key recovery processes can be protected by M of N control
Escrow backup
Placing archived keys with a trusted third party
Certificate Expiration
Certificate duration
Certificate renewal
Use existing key pair
Re-key with newly generated key pair
Expiration
Public key will no longer be accepted
Archiving versus destroying key material
Secure erasing methods
Certificate Revocation Lists
Revocation versus suspension
Reason codes
Certificate Revocation List (CRL)
List of revoked and suspended certificates
Browser CRL checking
Online Certificate Status Protocol Responders
Online Certificate Status Protocol (OCSP)
OCSP responder
Provide real-time status information (though some rely on CRLs)
Client queries single certificate per transaction
OCSP stapling
Clients might need to make lots of certificate queries for a chain of trust
Queries can be used to track clients
Stapling: the web server fetches the OCSP response for its own certificate and presents it to the client, so the client does not have to query the responder directly
Certificate Pinning
Defend against MitM attacks on chain of trust
Web server references authorized public key(s) in HTTP header
HTTP Public Key Pinning (HPKP), now deprecated by the major browsers
Certificate Transparency framework
Certificate Formats
Distinguished Encoding Rules (DER)
Binary format
Privacy-enhanced Electronic Mail (PEM)
Represent binary as ASCII using Base64 encoding
.CER and .CRT file formats may be either binary or ASCII
Personal information exchange
Export a private key (binary and password-protected)
.PFX or .P12 (PKCS #12)
Export a certificate chain
.P7B (PKCS #7)
OpenSSL
Windows Certificate Services and certutil/PowerShell
OpenSSL
Key pair generation and CA root certificate
Certificate requests
Viewing and verifying certificates
Converting certificate formats
Certificate Issues
Troubleshoot rejection of certificates by servers and clients
Existing certificate—check expiry and status
New certificate
Check key usage settings and requirements
Check subject name
Check chain of trust/root certificates
Verify time and date settings
Audit certificate and PKI infrastructure
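To tie the OpenSSL, Certificate Formats and Certificate Issues slides together, here is an added example (not part of the CompTIA lab material) that builds a two-tier PKI with the openssl command line, converts the leaf certificate to DER, PKCS #12 and PKCS #7, and then runs the troubleshooting checks as shell functions. All names (Example Root CA, www.example.test, the file names) are constructed; it assumes openssl 1.1.1 or later on PATH and writes everything to a temporary directory.

```shell
#!/bin/sh
# Added example, not CompTIA's lab material. Names and file names are constructed.
# Assumes openssl (1.1.1+) on PATH; everything is written to a temporary directory.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# 1. Root CA: key pair plus a self-signed root certificate (private CA, 10 years).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
# 2. Subject: key pair and CSR; the private key never leaves the subject.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
  -keyout www.key -out www.csr 2>/dev/null
# 3. CA template for a server (leaf) certificate: identity in the SAN, not the
#    CN; key usage restricted to TLS server authentication; CA:FALSE.
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
  'keyUsage=critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:www.example.test,DNS:example.test' > leaf.ext
# 4. CA checks the request (out of band) and signs it for 90 days.
openssl x509 -req -in www.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 90 -sha256 -extfile leaf.ext -out www.crt 2>/dev/null
# 5. Format conversion: PEM -> DER, PKCS #12 (key + chain, password protected),
#    PKCS #7 (certificate chain only, no private key).
openssl x509 -in www.crt -outform DER -out www.der
openssl pkcs12 -export -inkey www.key -in www.crt -certfile root.crt \
  -passout pass:changeit -out www.pfx
openssl crl2pkcs7 -nocrl -certfile www.crt -certfile root.crt -out chain.p7b
# 6. "Certificate Issues" checks; each function exits 0 when the check passes.
# Chain of trust: the leaf validates against our root ...
chain_ok() { openssl verify -CAfile root.crt www.crt >/dev/null 2>&1; }
# ... and is rejected when the private root is not in the trust store.
untrusted_rejected() { ! openssl verify www.crt >/dev/null 2>&1; }
# Expiry: -checkend N exits 1 if the certificate expires within N seconds.
valid_now() { openssl x509 -in www.crt -noout -checkend 0 >/dev/null; }
expires_within() { ! openssl x509 -in www.crt -noout -checkend "$1" >/dev/null; }
# Subject name: match hostnames against the SAN list, not the legacy CN.
san_has() { openssl x509 -in www.crt -noout -text | grep -q "DNS:$1"; }
# Key usage: the EKU must include server authentication for a web server.
eku_server_auth() {
  openssl x509 -in www.crt -noout -text | grep -q 'TLS Web Server Authentication'
}
# Format sanity: the DER and PEM copies are the same certificate.
der_matches_pem() {
  [ "$(openssl x509 -in www.der -inform DER -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in www.crt -noout -fingerprint -sha256)" ]
}
if chain_ok && valid_now && san_has www.example.test && eku_server_auth; then
  echo "www.crt: trusted, in date, correct SAN and key usage"
fi
```

The same functions work unchanged on a production certificate when you swap root.crt for the issuing chain and www.crt for the file the server or client is rejecting.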
Review Activity
PKI Management
Lab Activity
Assisted Labs
Managing Certificates with OpenSSL
Summary
Lesson 6