Security+: PKI, Certificate Management, and Associated Components (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Public Key Infrastructure (PKI) is a framework (not a specific technology) used to provide security to transactions and messages on a large scale. PKI is a two-key asymmetric technique, and it has four main components. These components are:
- Certificate Authority (CA)
- Registration Authority (RA)
- RSA (it is an encryption algorithm)
- Digital Certificates
Their detailed descriptions will be covered in the subsequent sections. Any Security+ candidate must understand the details and methods of utilizing PKI to pass this exam.
What do I need to know about Certificate Authorities and Digital Certificates for Security+?
Certification Authority (CA): A CA is a trusted third party company that issues digital certificates or electronic documents for verifying the identity of a digital entity on the internet. Digital certificates are vital components of secure communication and play a crucial role in PKI. Digital certificates incorporate some important information, which includes the owner’s public key, his name, the expiration date of a certificate, and other pertinent information to a public key holder. Browsers and Operating Systems (OSs) maintain lists of CA root certificates to confirm certificates that a CA has signed and issued.
If a user opens a browser and connects to a secure website, the browser will first check the certificate that comes from VeriSign or a similar company before validating the certificate. Under such circumstances, the user and the site are two parties trying to communicate. However, the CA is a third party for the purpose of negotiating security between the website and the user.
To acquire a digital identity certificate, the user’s machine should initiate a CSR (Certificate Signing Request). For example, when a user types www.transferwise.com on the browser, it automatically redirects him/her to https://www.transferwise.com, which is secured via VeriSign certificate. The browser shows indicators for secure websites. Refer to the Figure below, which is taken from Google Chrome, for an example. It shows a padlock in the locked position to indicate safety and the address bar with green text.
International Telecommunication Union (ITU), as well as various other standards organizations, support a popular certificate, X.509 version 3, X.509, which is a standard format as well.
A certification policy spells out what certificate does. The CA can issue a number for various certificates, such as one for e-commerce and one for email. The policy will demonstrate that the certificate is not used for purchasing equipment or signing contracts.
Additionally, the CA utilizes a Certificate Practice Statement (CPS) for implementing its policies and issuing certificates.
Certification Revocation Lists (CRLs): A CRL is a list of certificates that are revoked or invalidated by the issuer (or CA) or that are no longer valid. Certificates are issued for a certain period of time before they suffer an expiration date. This is known as their lifetime date.
Certification revocation is a process of revoking certificates by the issuing CA before their expiration date because they’re no longer trusted. It often occurs when a user violates an issuer’s certification policy or uses a certificate to commit a crime.
When the CA revokes the certificate, it’s incorporated in the CRL, which is a database of revoked certificates. Certification Authorities use digital signatures to digitally sign CRLs for preventing spoofing attacks and DoS.
Online Certificates Status Protocol (OCSP): An OCSP is an alternative to CRL. However, it’s less secure than CRL because it doesn’t require encryption. Each time a user acquires a new certificate, he/she sends a query to a CA OCSP server, and then the CA responds directly to demonstrate whether the certificate has been revoked or is still valid. By employing OCSP, the CA repeatedly transmits CRLs to every requesting system, ensuring that queries are current, immediate, and direct.
Renewal is the process whereby a certificate or key is reissued by the CA, with an extended lifetime date before the certificate or key expires.
Another important concept is Suspension, which is an alternative to revocation. The CA uses suspension to temporarily remove a certificate or key from an active use, but without invalidating it.
Certificate Signing Request (CSR): A CSR is a message that a user sends to the Certification Authority for requesting and applying for digital certificates. The CSR either follows the Signed Public Key and Challenge (SPKAC) format or the PKCS #10, PKCS #11, or PKCS #12 specifications.
What Components and Usage of PKI are covered on the Security+ Exam?
PKI focuses primarily on providing a way to protect the integrity of the message through the use of hashing, providing a means to exchange session-based symmetric encryption keys by using asymmetric cryptographic techniques and validating the identity of the communicating parties. The important components and usage of PKI include:
Recovery Agent: Recovery agents are also called key-escrow agents or key-recovery agents. A recovery agent is a software tool that can be used to archive and restore keys when required, such as in the case of incident or disaster. For example, a recovery agent is necessary when corrupted or lost keys need to be restored.
Public Key: A digital certificate is connected to a key pair set: a public key and a private key. The public key is incorporated in the certificate, and this information is for the public so anyone in the world can see it. If one person wants to initiate a secure communication with the second person having a public key, the former will use latter’s public key for this purpose.
Private Key: this key is used to decrypt communications that are encrypted through the use of a public key. The private key is also used to craft digital signatures. However, it is primarily used for decryption purposes and it must be safeguarded to ensure the confidentiality of the data.
Various applications are available that use both private and public keys. For example, TrueCrypt is an open-source and free application that performs several types of encryption by using both public and private keys. Typically, a user can generate a private/public key pair set through a TrueCrypt program. For instance, a user John initiates a communication with another user Alice with his public key. Alice will use John’s public key to encrypt information that no one can see other than John using his private key.
There are various levels of encryptions. Some of them include Triple DES (an alternative to the DES algorithm which is much stronger than DES), RSA, Blowfish, Twofish, and AES.
Registration: Registration is the process of attaining the certificate. A Registration Authority (RA) verifies requests for certificates from one or more applicants. When a request is considered valid, the RA apprises the CA to issue a certificate.
Key Escrow: Key Escrow is a storage process whereby the secure copies of private keys are held in an Escrow, a centralized management system as shown in the Figure below. A secure copy of a user’s private key can be restored from the Escrow when the key is lost or in the event of a disaster. Deployment of Key Escrow in PKI is inevitable if data loss is unacceptable or data has high sensitivity level such as state’s internal or external security information. When a key is lost, the Key-escrow agent retrieves a secure copy of that key held in an Escrow to recover data encrypted with the lost or damaged key.
What is Key Management?
Key management is the process of providing the security to the cryptosystems that describe how keys are managed, exchanged, stored, and destroyed (crypto-shredding). Without secure management of cryptographic keys, the strong encryption cannot be achieved; hence, the chances of data loss are high.
How are Keys Created, Stored and Distributed?
Key generation, storage, and distribution are the lifecycles of key management. Their description is given below.
Key Generation: The user or requestor asks CA through a Certificate Signing Request (CSR) to generate the key-pair set for the certificate. The private key and the certificate are packaged in the PKCS#12 format. The CA sends this package to the user through Email by which he/she can retrieve the package.
Key Storage: Secure key storage has paramount importance in cryptography. The public key is stored on the certificate, whereas the private key can be stored on the key owner’s computer system. This technique is unsecured because the intruder can steal the key if he gains access to owner’s computer. Therefore, the private key is stored on a password-protected removable storage token. The storage formats are different for storing keys, and it also depends on vendors, as sometimes they use proprietary storage formats. For example, Baltimore, GlobalSign, and VeriSign use a standard format coined .p12, while Entrust employs the proprietary format named .epf.
Distribution: The CA has the responsibility to publish the certificates.
What Are the PKI Trust Models?
A PKI Trust Model is the structure of the trust hierarchy that is used by the Certification Authority (CA) system. The CAs typically use a hierarchical structure with a single and top-level root CA. The root CA self-signs its certificate to start the tree of a trust. The root CA can further involve one or more subordinate CAs that are referred to as leaf CAs or intermediate CAs.
There are four main types of Trust Models that are employed with PKI:
InfoSec Security+ Boot Camp
If you are aspiring for a Security+ exam, then InfoSec Institute is the right institution for you. As a matter of fact, the InfoSec offer a Security+ Boot Camp that teaches you the information theory, as well as reinforces theory with hands-on exercises that help you “learn by doing.”
InfoSec also offers thousands of articles on all manner of security topics.