SlideShare ist ein Scribd-Unternehmen logo

Pki 201 Key Management

•
•
NCC Group
NCC Group
TechnologieBildung
1 von 22
Downloaden Sie, um offline zu lesen
PKI 201 – Key Management By Aman Hardikar
Agenda • Basic Cryptosystem • Types of Keys • Key Life Cycle • Pre Operational • Creation • Distribution • Operation • Post Operational • Destruction • Storage • X509 Certificate Basics
An Example of a Basic Crypto System • Three keys • 1 symmetric key • 1 public key • 1 private key • Three algorithms • 1 symmetric cipher algorithm (block / stream) • 1 asymmetric cipher algorithm • 1 hashing algorithm • Optional • RNG (Random Number Generator)
Biggest Problem Key Management • Why? • Easier to steal the key than to break the lock. In general, majority of the attacks on a cryptosystem were on Key Management.
Types of Keys To mitigate key management issues, multiple keys were created according to its designated purpose. Private Signature Key Public Key Transport Key Public Signature Key Symmetric Key Agreement Key Symmetric Authentication Key Private Static Key Agreement Key Private Authentication Key Public Static Key Agreement Key Public Authentication Key Private Ephemeral Key Agreement Key Symmetric Data Encryption Key Public Ephemeral Key Agreement Key Symmetric Key Wrapping Key Symmetric Authorization Key Symmetric Master Key Public Authorization Key Private Key Transport Key Private Authorization Key
Cryptographic Strength & Key Size Comparable Key Strength Bits Symmetric Algorithm RSA ECC 80 2kTripleDEA 1024 160–223 112 3kTripleDEA 2048 224–255 128 AES-128 3072 256–383 192 AES-192 7680 384–511 256 AES-256 15360 512+ • Ephemeral or temporary keys • Long life keys OUP (Originator Usage Period) Time during which cryptographic protection may be applied to data
Key Lifecycle
Key Lifecycle - Preoperational • Installing key policies • Selecting algorithms • Registering attributes • Key parameters Keys are registered (binding them to subject’s identity). In PKI, it is implemented using x509 certificate. X.509 certificate binds a public key with subject name (user)
Key Lifecycle - Creation • Avoid weak keys • Avoid weak algorithms or weak implementations of algorithms • Process of key generation • Type, purpose and crypto applications of keys
Key Lifecycle – Creation (2) Random Number Generators (RNG) • Produce a sequence of 0s and 1s for use in cryptography • Combined into sub-sequences or blocks of random numbers • Types • Deterministic • Produces sequence based on a known value (seed) • Nondeterministic • Produces sequence based on an unpredictable source
Key Lifecycle - Distribution • Based on the type of the key • Requirements • Availability of the keys • Association of keys with intended use • Integrity – detection of change during transit • Confidentiality – split knowledge principle • Distribution • Private keys – split knowledge, trusted entities for distribution • Public keys – X509 certificate • Manual key distribution (encrypted using key wrapping keys) • Wrapping keys are generally public keys • If private keys are used, then a separate distribution channel should be established Keys used only for encrypting data in storage should not be distributed.
Key Lifecycle - Operation • Backup and recovery mechanisms • Compromised backups • Controls for detecting a compromise • Regeneration • Updates and changes • Crypto period expiration • Suspected or real key compromise • Rekeying • Needs redistribution • Updating the key • No redistribution required • Produced based on the old key • Known to all parties
Key Lifecycle – Post-operation • Key not operational • Access to keys needed • Decrypt data • Verify signature
Key Lifecycle - Destruction • Zeroization • Replacing key material with ‘0’ or ‘o’ or something meaning less • Not just the key material at rest, other places should also be considered
Key Storage • Provide Integrity • Provide Confidentiality • Association with application and objects • Assurance of domain parameters Keys are protected with additional level of access control. Destroying of key material using zeroization, if required.
Key Escrow • Multiple parties/agencies storing part of the key. • Generally operates with two components held with two independent agents. • Risks • Collusion • Failure of reassembling Ex: SKIPJACK and LEAF method.
Key States / Transitions
Digital Certificate An electronic identity issued to a person, system, or an organization by a competent authority after verifying the credentials of the entity. In PKI, all digital certificates were issued based on the X.509 standard.
X.509v3 Certificate
SSL Certificate: Version: 2 Serial Number: 4294967295 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 Not valid before: Dec 1 00:00:00 2010 GMT Not valid after: Dec 4 12:00:00 2013 GMT Subject: /C=GB/ST=Lancashire/L=Bolton/O=Bolton Metropolitan Borough Council/OU=Bolton/CN=*.bolton.gov.uk Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c4:84:24:fb:93:61:c4:3e:82:dc:6b:f0:d7:75: 7e:93:93:a3:fe:34:05:1b:f0:12:37:e0:b2:f1:0f: bd:b5:aa:57:ee:53:ac:67:af:62:48:15:21:c8:14: ………… 48:a5:46:07:77:07:c0:e5:ff:5c:b9:5c:72:27:e6: d6:e4:2c:a4:3d:55:3b:3c:aa:bf:71:69:af:c8:63: 66:1f Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7 X509v3 Subject Key Identifier: 08:BC:EF:1E:D5:0D:92:26:7B:6C:CA:E9:48:A9:ED:EB:AE:C0:B1:BC X509v3 Subject Alternative Name: DNS:*.bolton.gov.uk, DNS:bolton.gov.uk, DNS:ebiz.bolton.gov.uk X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: URI:http://crl3.digicert.com/ca3-g8.crl URI:http://crl4.digicert.com/ca3-g8.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.3.0.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text: Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt X509v3 Basic Constraints: critical CA:FALSE
X.509v3 Certificate Signing
Continued ….. PKI 202/203 • Trust Models • CRL Models • Working of SSL, SMIME • Walk through using software • Architectural Weaknesses • Auditing a PKI Infrastructure

Empfohlen

Cryptography101
Cryptography101Cryptography101
Cryptography101
NCC Group
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access Management
Sam Bowne
 
Key management
Key managementKey management
Key management
Brandon Byungyong Jo
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
Arash Ramez
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Positive Hack Days
 

Empfohlen

Cryptography101
Cryptography101Cryptography101
Cryptography101
NCC Group
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access Management
Sam Bowne
 
Key management
Key managementKey management
Key management
Brandon Byungyong Jo
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
Arash Ramez
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Positive Hack Days
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
Arash Ramez
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewed
Arash Ramez
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
Sam Bowne
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
Sam Bowne
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
Flaskdata.io
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
Satria Ady Pradana
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse Engineering
Satria Ady Pradana
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
Sam Bowne
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
Sam Bowne
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
FRSecure
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Sachintha Gunasena
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
Positive Hack Days
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
Security Innovation
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Edureka!
 
Cyber security
Cyber securityCyber security
Cyber security
JahirUddinKomol
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
Sam Bowne
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
Arash Ramez
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
Positive Hack Days
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Edureka!
 

Was ist angesagt? (20)

How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewed
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
 
How to write secure code
How to write secure codeHow to write secure code
How to write secure code
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
Silabus Training Reverse Engineering
Silabus Training Reverse EngineeringSilabus Training Reverse Engineering
Silabus Training Reverse Engineering
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
 
Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP Slide Deck – Session 9 – FRSecure CISSP
Slide Deck – Session 9 – FRSecure CISSP
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
 
Cyber security
Cyber securityCyber security
Cyber security
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
 
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
CNIT 125 Ch 5 Communication & Network Security (part 2 of 2)
 

Andere mochten auch

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
NCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
NCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
NCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
NCC Group
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
NCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
NCC Group
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
NCC Group
 

Andere mochten auch (20)

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
key distribution in network security
key distribution in network securitykey distribution in network security
key distribution in network security
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 

Ähnlich wie Pki 201 Key Management

CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
CompTIASecPLUS-Part6 - UnlimitedEdited.pptxCompTIASecPLUS-Part6 - UnlimitedEdited.pptx
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
mohedkhadar60
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
DataArt
 
Electronic security
Electronic securityElectronic security
Electronic security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 

Ähnlich wie Pki 201 Key Management (20)

Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
 
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
CompTIASecPLUS-Part6 - UnlimitedEdited.pptxCompTIASecPLUS-Part6 - UnlimitedEdited.pptx
CompTIASecPLUS-Part6 - UnlimitedEdited.pptx
 
Encryption techniques
Encryption techniquesEncryption techniques
Encryption techniques
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
 
Cryptography
CryptographyCryptography
Cryptography
 
Electronic security
Electronic securityElectronic security
Electronic security
 
Electronic Security
Electronic SecurityElectronic Security
Electronic Security
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Crypto academy
Crypto academyCrypto academy
Crypto academy
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept
 
Slidecast - Workshop
Slidecast - WorkshopSlidecast - Workshop
Slidecast - Workshop
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
 
Are your crypto keys safe?
Are your crypto keys safe?Are your crypto keys safe?
Are your crypto keys safe?
 
SSL Europa Cloud Security 2013
SSL Europa Cloud Security 2013SSL Europa Cloud Security 2013
SSL Europa Cloud Security 2013
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013
 
Cryptography
CryptographyCryptography
Cryptography
 
Data Security for Project Managers
Data Security for Project ManagersData Security for Project Managers
Data Security for Project Managers
 
Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]Essential Guide to Protect Your Data [Key Management Techniques]
Essential Guide to Protect Your Data [Key Management Techniques]
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 

KĂźrzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

KĂźrzlich hochgeladen (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Pki 201 Key Management

  • 1. PKI 201 – Key Management By Aman Hardikar
  • 2. Agenda • Basic Cryptosystem • Types of Keys • Key Life Cycle • Pre Operational • Creation • Distribution • Operation • Post Operational • Destruction • Storage • X509 Certificate Basics
  • 3. An Example of a Basic Crypto System • Three keys • 1 symmetric key • 1 public key • 1 private key • Three algorithms • 1 symmetric cipher algorithm (block / stream) • 1 asymmetric cipher algorithm • 1 hashing algorithm • Optional • RNG (Random Number Generator)
  • 4. Biggest Problem Key Management • Why? • Easier to steal the key than to break the lock. In general, majority of the attacks on a cryptosystem were on Key Management.
  • 5. Types of Keys To mitigate key management issues, multiple keys were created according to its designated purpose. Private Signature Key Public Key Transport Key Public Signature Key Symmetric Key Agreement Key Symmetric Authentication Key Private Static Key Agreement Key Private Authentication Key Public Static Key Agreement Key Public Authentication Key Private Ephemeral Key Agreement Key Symmetric Data Encryption Key Public Ephemeral Key Agreement Key Symmetric Key Wrapping Key Symmetric Authorization Key Symmetric Master Key Public Authorization Key Private Key Transport Key Private Authorization Key
  • 6. Cryptographic Strength & Key Size Comparable Key Strength Bits Symmetric Algorithm RSA ECC 80 2kTripleDEA 1024 160–223 112 3kTripleDEA 2048 224–255 128 AES-128 3072 256–383 192 AES-192 7680 384–511 256 AES-256 15360 512+ • Ephemeral or temporary keys • Long life keys OUP (Originator Usage Period) Time during which cryptographic protection may be applied to data
  • 8. Key Lifecycle - Preoperational • Installing key policies • Selecting algorithms • Registering attributes • Key parameters Keys are registered (binding them to subject’s identity). In PKI, it is implemented using x509 certificate. X.509 certificate binds a public key with subject name (user)
  • 9. Key Lifecycle - Creation • Avoid weak keys • Avoid weak algorithms or weak implementations of algorithms • Process of key generation • Type, purpose and crypto applications of keys
  • 10. Key Lifecycle – Creation (2) Random Number Generators (RNG) • Produce a sequence of 0s and 1s for use in cryptography • Combined into sub-sequences or blocks of random numbers • Types • Deterministic • Produces sequence based on a known value (seed) • Nondeterministic • Produces sequence based on an unpredictable source
  • 11. Key Lifecycle - Distribution • Based on the type of the key • Requirements • Availability of the keys • Association of keys with intended use • Integrity – detection of change during transit • Confidentiality – split knowledge principle • Distribution • Private keys – split knowledge, trusted entities for distribution • Public keys – X509 certificate • Manual key distribution (encrypted using key wrapping keys) • Wrapping keys are generally public keys • If private keys are used, then a separate distribution channel should be established Keys used only for encrypting data in storage should not be distributed.
  • 12. Key Lifecycle - Operation • Backup and recovery mechanisms • Compromised backups • Controls for detecting a compromise • Regeneration • Updates and changes • Crypto period expiration • Suspected or real key compromise • Rekeying • Needs redistribution • Updating the key • No redistribution required • Produced based on the old key • Known to all parties
  • 13. Key Lifecycle – Post-operation • Key not operational • Access to keys needed • Decrypt data • Verify signature
  • 14. Key Lifecycle - Destruction • Zeroization • Replacing key material with ‘0’ or ‘o’ or something meaning less • Not just the key material at rest, other places should also be considered
  • 15. Key Storage • Provide Integrity • Provide Confidentiality • Association with application and objects • Assurance of domain parameters Keys are protected with additional level of access control. Destroying of key material using zeroization, if required.
  • 16. Key Escrow • Multiple parties/agencies storing part of the key. • Generally operates with two components held with two independent agents. • Risks • Collusion • Failure of reassembling Ex: SKIPJACK and LEAF method.
  • 17. Key States / Transitions
  • 18. Digital Certificate An electronic identity issued to a person, system, or an organization by a competent authority after verifying the credentials of the entity. In PKI, all digital certificates were issued based on the X.509 standard.
  • 20. SSL Certificate: Version: 2 Serial Number: 4294967295 Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 Not valid before: Dec 1 00:00:00 2010 GMT Not valid after: Dec 4 12:00:00 2013 GMT Subject: /C=GB/ST=Lancashire/L=Bolton/O=Bolton Metropolitan Borough Council/OU=Bolton/CN=*.bolton.gov.uk Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c4:84:24:fb:93:61:c4:3e:82:dc:6b:f0:d7:75: 7e:93:93:a3:fe:34:05:1b:f0:12:37:e0:b2:f1:0f: bd:b5:aa:57:ee:53:ac:67:af:62:48:15:21:c8:14: ………… 48:a5:46:07:77:07:c0:e5:ff:5c:b9:5c:72:27:e6: d6:e4:2c:a4:3d:55:3b:3c:aa:bf:71:69:af:c8:63: 66:1f Exponent: 65537 (0x10001) X509v3 Extensions: X509v3 Authority Key Identifier: keyid:50:EA:73:89:DB:29:FB:10:8F:9E:E5:01:20:D4:DE:79:99:48:83:F7 X509v3 Subject Key Identifier: 08:BC:EF:1E:D5:0D:92:26:7B:6C:CA:E9:48:A9:ED:EB:AE:C0:B1:BC X509v3 Subject Alternative Name: DNS:*.bolton.gov.uk, DNS:bolton.gov.uk, DNS:ebiz.bolton.gov.uk X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: URI:http://crl3.digicert.com/ca3-g8.crl URI:http://crl4.digicert.com/ca3-g8.crl X509v3 Certificate Policies: Policy: 2.16.840.1.114412.1.3.0.1 CPS: http://www.digicert.com/ssl-cps-repository.htm User Notice: Explicit Text: Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt X509v3 Basic Constraints: critical CA:FALSE
  • 22. Continued ….. PKI 202/203 • Trust Models • CRL Models • Working of SSL, SMIME • Walk through using software • Architectural Weaknesses • Auditing a PKI Infrastructure