Chapter 6

Proof utilizing asymmetric cryptography, that the senders personal key was used to encrypt the digest.

A document provided by a trusted 3rd party

A technology that used to associate a user's identity to a public key and that has been digitally signed by a trusted third party.

Owners name or alias, Owners public key, name of the issuer, digital signature of the issuer, serial number of the digital certificate, and the expiration date of the public key.

A trusted third party who is responsible for issuing digital certificates

A subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users.

a digital certificate manager

Generate, issue, and distribute public key certificates. Distribute CA certificates. Generate and publish certificate status information. Provide a means for subscribers to request revocation. Revoke public key certificates. Maintain the security, availability, and continuity of certificate issuance signing functions.

specially formatted encrypted message that validates the information that the CA requires to issue a digital certificate.

Another for of RA designed to help lessen congestion

Receive, authenticate, and process certificate revocation requests. Identify and authenticate subscribers. Obtain a public key from the subscriber. Verify that the subscriber processes the asymmetric private key corresponding to the public key submitted for certification. (mainly they verify the identity of an individual)

a publicly accessible centralized directory of digital certificates used to view the status of digital certificates.

Removing certificate rights.

a list of certificate serial numbers that have been revoked.

performs a real time certificate status check.

Web servers send queries to the OSCP responder at regular intervals to receive signed time-stamped responses. This is to help with real time verification congestion.

Personal DC's Server DC's software publisher DC's

RA assigns directly to individual

Often this is a web server to client

Ensure authenticity of web server Ensure authenticity of cryptographic connection to web server

CA must pass independent audit verifying that is follows EV standards. Legal existence of the owner must be verified. Website if the registered owner and has exclusive control of the domain name Authorizing individuals applying for a certificate must be verified by CA, and valid signature from an officer of the company must be provided

these are provided by software publishers to verify their programs are secure and un tampered with.

Most widely accepted format for digital certificates, and internationally recognized.

Digital certificate managment

PKI standards defined by RSA corporation.

they type of true relationship that can exist between individuals or entities.

Trust is mutual because they trust the third party moderator

Assigns a single hierarchy with one master CA called the root.

Multiple CA's signing DC's. This prevents total loss if one private key is stolen since there are still many CA's left.

No single CA, but on CA that facilitates interconnection to all other CA's.

A method to managing multiple public keys consistently.

Published set of governing rules for a PKI

More technical document than a (CP) describing the management of certificates.

1. Creation 2. suspension 3. revocation 4. expiration

process by which 3rd parties manage keys.

some keys have expiration dates

Some existing keys can be renewed.

Sometimes keys need to be revoked. (these cannot be reinstated)

key recovery agent (KRA), or M-of-N control are two methods of recovery.

key is divided into specific number of parts, parts are distributed to other people (with an overlap so that multiple people have the same part) know as N group. If recovery is necessary then a smaller part of N group meets (M group) and agrees that it needs to be recovered.

Key suspension is set for a specific amount of time.

Removes all private and public keys along with user's identification information in the CA.

One of the most common cryptographic transport algorithms.

Another cryptographic transport algorithm. TLS is much more secure than SSL

named combination of the encryption, authentication, and message authentication code (MAC) algorithms used with SSL and TLS.

4096 length = best 2048 length = ok length < 2048 = not secure

Encrypted alternative to Telnet protocol used to access remote computers.

Common use of TLS and SSL to secure communications between a browser and a web server.

suit for securing Internet Protocol (IP) communications.

Applications Users Software

authentication confidentiality key management

authenticates that packets received were sent from their source.

Supports authentication of sender and encryption of data

generates the key and authenticates user utilizing tools such as digital certificates.

encrypts only data portion (payload) of each packet, and leaves the header unencrypted.

Transport mode, and Tunnel mode.

Encrypts both data and header.

Network to network

device must see source and destination addresses to route a packet.