These are usually the encryption of a message digest with the senders private key.
In order to verify them, the recipient uses the senders public
... [Show More] key.
They are considered good if they provide the following.
Authentication
Integrity
Non-repudiation
Digital Signature
It is a digital document that contains a public key and some information to allow your system to verify where they key came from.
This is the most common way to distribute pubic keys in asymmetric cryptography.
Digital Certificate
uses asymmetric key pairs and combines software, encryption and services to provide a means of protecting the security of business communications and transactions.
PKI (Public Key Infrastructure)
They are in place by the RSA to ensure uniform certificate management throughout the internet
PKCS (Public Key Cryptography Standards)
A certificate is a digital representation of information that identifies you as a relevant entity by a?
Trusted Third Party (TTP)
This is an entity trusted by one or more users to manage certificates
CA (Certificate Authority)
Used to take the burden off of a CA by handling verification prior to certificates being issues. They act as a proxy between user and CA. They receive requests, authenticate them and forward them to the CA
RA (Registration Authority)
is a set of rules that defines how a certificate may be used.
CP (Certificate Policy)
An international standard for the format and information contained in a certificate. The most common type of digital certificate in the world.
Relied on by S/MIME
Contains your name, info about you and signature of the person who issued the certificate
X.509
List of certificates issued by a CA that are no longer valid
CRL (Certificate Revocation List)
CRL Distribution Method:
CA automatically sends the CRL out at regular intervals
PUSH Model
CRL Distribution Method:
The CRL is downloaded from the CA by those who want to see verify a certificate. This is the end users responsibility
Pull Method
Is a Base64 encoded DER certificate, enclosed between
"------ BEGIN CERTIFICATE ------" AND
"------ END CERTIFICATE ------"
.pem
Usually in binary DER form, but Base64-encoded certificates are common too.
.cer, .crt, .der
PKCS#7 Signed Data structure without data just certificate(s) or CRL(s)
.p7b, p7c
PKCS#12, may contain certificate(s) pubic and private (password protected) keys.
.p12
Predecessor of PKCS#12 usually contains data in PKCS#12 format with files generated in IIS
.pfx
A newer protocol for verifying certificates in real-time
Online Certificate Status Protocol (OSCP)
Determining the path between X.509 digital certificates and a trusted root
Delegated Path Discovery
The validation of the path to the trusted root according to a particular validation policy
Delegated Path Validation
Setup and initialization
Administration
Cancelation
are the phases of?
Key life-cycle
Registration
Key pair Generation
Certificate Generation
Certificate Dissemination
Setup and Initialization Phase
Key storage
Certificate retrieval and validation
Backup or escrow
Recovery
Administration Phase
Expiration
Renewal
Revocation
Suspension
Destruction
Cancelation and History Phase
Person who can recover keys from keystore on behalf of a user
Highly-trusted person
Issue recovery agent certificates
- EFS Recovery Agent certificate
- Key Recovery Agent Certificate
Update and Path Vulnerabilities
The most basic form of authentication
User name and password are transmitted over the network and compared to a table of corresponding name-password pairs.
Name-password pair table is encrypted, but the transmission of the passwords is done in clear text, unencrypted.
It is the basic authentication feature for HTTP
PAP (Password Authentication Protocol)
This is a proprietary version of PAP, it is somewhat more secure then PAP because username and passwords are both encrypted when they are sent over the network.
S-PAP (Shiva Password Authentication Protocol)
After a connecting is established the authenticator will "challenge" the requestor.
The requestor responds with a calculated has function.
The authenticator checks the response against its own calculation of the expected hash function. If they match the authenticator acknowledges the request, otherwise the connection is terminated.
This processes is repeated at random intervals.
CHAP (Challenge-Handshake Authentication Protocol)
Most widely used authentication protocol, mainly within Microsoft systems. Invented at MIT and is named for the three-headed mythical dog that was reputed to guard the gates of Hades.
Uses symmetric cryptography, with authentication performed on UDP port 88
Kerberos
A server or client that Kerberos can assign tickets to
Principal
This server authorizes the principal and connects them to the ticket granting server
Authentication Server (AS)
This server provides tickets to the principal after they are authenticated and connected
Ticket Granting Server (TGS)
Provides the initial ticket to the principal and handles TGS requests. Typically runs both the AS and TGS services
Key Distribution Center (KDC)
A boundary within and organization, each separate boundary has its own AS and TGS
Realm
This server grants tickets to remote realms
Remote Ticket Granting Server (RTGS)
A ticket that is granted during the authentication process
Ticket Granting Ticket (TGT)
Used to authenticate to the server. Contains client identity, session key, timestamp and a checksum. It is encrypted with the servers keys
Ticket
A temporary encryption key
Session Key
Proves the session keys was recently created, typically expires within five minutes
Authenticator
Step 1: User sends credentials to the AS
Step 2: AS authenticates user
Step 3: The AS contacts the TGT that is sent to the users computer
Step 4: The users computer presents the TGT back to the TGS to request access to a specific network resource. The TGS uses the AS to authenticate the ticket. if it is authentic then a resource ticket and session key are sent to the users computer
Step 5: The users presents the ticket/session key to the resource
Step 6: The resource verifies the ticket/session key with the TGS
Step 7: The user is authorized access to the resource
Kerberos Process
By itself it is not an algorithm, but uses other well established asymmetric and symmetric algorithms. This software products was developed to make encryption and decryption readily usable by end users.
Usually associated with email encryption
Can be used to create certificates, but unlike X.509 they contain multiple signatures and define there own format
Pretty Good Privacy (PGP)
Wi-Fi Encryption method that uses a stream cipher RC4 128 or 156 bits.
WEP (Wired Equivalent Privacy)
Uses a Pre-shared key mode
Designed for home and small office networks
Does not require an Authentication Server
Each wireless device authenticates using the same 256 bit key
Uses Temporal Key Integrity protocol (TKIP) a 128 bit per-packet key and is dynamically generates a new key for each packet
WPA-Personal
This version of Wi-Fi encryption implements mandatory elements of 802.11i and introduces CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) a new AES-based encryption mode.
Has the optional use of Pairwise Master Key (PMK) caching and opportunistic PMK caching which cache the results of 802.1X authentications to improve access time.
WPA-2
Wi-Fi encryption standard that uses a stream cipher RC4 to secure data and a CRC-32 checksum for error checking.
Standard versions use a 40 bit key with 24bit IV's to form a 64 bit encryption
128 bit version uses a 104 bit key with a 24 bit IV
Wired Equivalent Privacy (WEP)
Designed for enterprise networks and requires a RADIUS authentication server.
Extensible Authentication Protocol (EAP) is used for authentication and has a variety of implementations such as EAP-TLS and EAP-TTLS
WPA-Enterprise (WPS-802.1x Mode)
Developed by Netscape and has been supplanted by TLS. Was the preferred method used with HTTPS.
SSL (Secure Socket Layer)
This is a encrypting transmission protocol where the client and server perform a negotiation using a handshaking procedure.
The client presents the server with a list of encryption and hashing functions it can support.
The server picks the strongest encryption and hashing it can also support and notifies the client of the chosen algorithms.
The server presents the client with an X.509 Certificate that the client can verify through a CA.
The client uses the servers public key with random numbers to generate a session key for a secure connection that is decrypted with the servers private key.
This information is used to generate the key material used for encryption and decryption
TLS (Transport Layer Security) [Show Less]