
Friday, November 28, 2014

Information Security Basics Part 4: Public Key Infrastructure (PKI)

In my last post, I talked about cryptography. One of the types of cryptographic algorithm is Public Key, where a pair of keys is generated.

I am sure everyone would have seen this on their browser:

Usually, users will just click "I Understand the Risks" and move on.  User education is a major part of security in an enterprise or, as a matter of fact, any organization.  An organization can have a state-of-the-art firewall and IPS/IDS, but the users are always the weakest link for security.  Nowadays, USB drives come in 4G, 8G or 16G.  Way back when most USB drives were 256 MB, hackers would leave a 1G USB drive (with a virus) in a corporation's parking lot, hoping some employee would pick it up and plug it into their PC at work to check out what was on it.  It is very possible to gain access to a corporation's network this way.

Anyways, back to the topic of this post. On a web browser, when we use https, a digital certificate is used to prove the identity of the web server.  Digital certificates are usually generated in a Public Key Infrastructure (PKI). Since we come into contact with digital certificates on a daily basis, I think it will be interesting to take a look at PKI.

PKI is a big topic and I can only touch on the most important elements so we can have a general overview of what PKI is.  

Digital Certificate
Wikipedia defines Digital Certificate as "an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner."

Digital certificates are in the X.509 format where there is a data section and a signature section.
 image source:http://pic.dhe.ibm.com/infocenter/tpfhelp/current/topic/com.ibm.ztpf-ztpfdf.doc_put.cur/gtps5/ssldig17.gif

The above diagram breaks down the different sections of a digital certificate.  For a more detailed description of digital certificates, take a look at this IBM article.

One important piece of information included in the certificate is the public key.  When a certificate is generated, a private key and a public key are issued.  The private key is kept by the owner of the certificate while the public key is included in the digital certificate, and thus we have the name "Public Key" Infrastructure.
 
While online banking and eCommerce are the most common use cases for digital certificates, there are other use cases such as VPN (Virtual Private Network), with which we can enable remote employees to gain access to corporate computer resources.  Company-issued digital certificates are installed on the remote employee's laptop.  With a company-issued/trusted certificate, the device is able to prove its identity and gain access from home or from a hotel securely over a certificate-based VPN.  Even for SSL-based VPN, certificates are also used.

Public Key Infrastructure (PKI)
For banking and eCommerce, the digital certificates are bought from well-known digital certificate vendors such as Verisign, GeoTrust or Thawte.

It is also common for an organization to set up its own Public Key Infrastructure for internal use.

When we see the word "infrastructure", we think of a complicated system such as OpenStack as a cloud infrastructure.  According to this article, PKI at its core is about certificates:
  • How they are created
  • What information they contain
  • How they are used
  • What is the level of trust 
  • What to do when the certificate is lost
Planning and writing up the security procedures are an essential part of setting up a Public Key Infrastructure.  Written documents are particularly important for security audits and for complying with regulatory requirements.

When we think of PKI we think of a PKI hierarchy.  In a PKI hierarchy, there is the concept of the Root CA and the Issuing CA.

In the simplest form, PKI will have one server being the Certification Authority (CA) to generate and to revoke certificates.  In a more complex environment, there is a Root CA and then there are subordinate CAs.  This is useful for a big corporation, which can configure a subordinate CA to handle certificate issuance for a particular division.

This is the concept of CA tiering.  In general there are 3 types of tiering design.

Single/One Tier Hierarchy
A single machine handles all the operations concerning certificates.  As mentioned before, in a PKI hierarchy there is the Root CA and there is the Issuing CA.  In the case of a single machine, it performs both functions.  While it is the simplest way, it is not a secure way.  The user will have to decide if this single tier hierarchy is sufficient to serve the organization.
image source: http://blogs.technet.com/blogfiles/askds/WindowsLiveWriter/DesigningandImplementingaPKIPartIDesigna_884F/image_2.png

Two Tier Hierarchy
In this model, the Root CA and the Issuing CA are on different machines.  In this tier, the Root CA is put offline so as to protect its private key.  In this model there can be multiple Issuing CAs, and they can be distributed according to geographic or departmental need.

image source: http://blogs.technet.com/blogfiles/askds/WindowsLiveWriter/DesigningandImplementingaPKIPartIDesigna_884F/image_4.png

Three Tier Hierarchy
In this tier there is a new type of CA, the Policy CA, in between the Root CA and the Issuing CA.  The purpose of the Policy CA is to issue certificates to the Issuing CA according to administrative boundaries and restrictions.  Each Policy CA will have its own Issuing CA.  As with the Root CA, once the PKI is set up the Policy CA is put offline for security purposes.

Another advantage of this model is that if some certificate is compromised, the user can revoke only a single Policy CA's certificate without affecting the certificates under a different Policy CA.  For example, suppose the Policy CAs are configured for different remote offices based on their geographic location.  If the certificate for Branch A is compromised, we just revoke the certificate of the Policy CA for Branch A.  All other remote locations are not affected.


image source: http://blogs.technet.com/blogfiles/askds/WindowsLiveWriter/DesigningandImplementingaPKIPartIDesigna_884F/image_6.png
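
The three-tier hierarchy and the Branch A revocation scenario above, as an added example that is not part of the original post: it builds Root CA, Policy CAs, Issuing CAs and laptop certificates with Go's standard library, then checks which laptops are still trusted once Branch A's Policy CA is revoked. The helper names `issue` and `trusted`, the branch and laptop names, the Ed25519 keys and the serial numbers are assumptions made for this example, and revocation is modelled as a set of revoked serial numbers rather than a real CRL or OCSP lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) makes a key pair and a certificate for cn signed by parent; nil parent = self-signed root.
func issue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key; the serial is its first 8 bytes
	tmpl := &x509.Certificate{SerialNumber: new(big.Int).SetBytes(pub[:8]), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: append([][]byte{der}, parent.Certificate...), PrivateKey: key, Leaf: cert}
}

// trusted verifies the chain presented with leaf against root, refusing to use any CA whose serial is revoked.
func trusted(leaf, root *tls.Certificate, revoked map[string]bool) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root.Leaf)
	for _, der := range leaf.Certificate[1:] { // the CA certificates sent along with the leaf
		if c, err := x509.ParseCertificate(der); err == nil && !revoked[c.SerialNumber.String()] {
			opts.Intermediates.AddCert(c)
		}
	}
	_, err := leaf.Leaf.Verify(opts)
	return err == nil && !revoked[leaf.Leaf.SerialNumber.String()]
}

func main() {
	root := issue("Root CA", true, nil)
	polA, polB := issue("Policy CA Branch A", true, root), issue("Policy CA Branch B", true, root)
	issA, issB := issue("Issuing CA Branch A", true, polA), issue("Issuing CA Branch B", true, polB)
	lapA, lapB := issue("laptop.branch-a", false, issA), issue("laptop.branch-b", false, issB)
	crl := map[string]bool{polA.Leaf.SerialNumber.String(): true} // revoke only Branch A's Policy CA
	fmt.Println(trusted(lapA, root, nil), trusted(lapA, root, crl), trusted(lapB, root, crl)) // true false true
}
```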

There is a lot more to talk about in PKI.  As I am interested in security, I will blog about this subject again in the near future.

Related Post:
Information Security Basics Part 1: Security Models
Information Security Basics Part 2: Defense in Depth 
Information Security Basics Part 3: Cryptography

Reference:
"Public Key Certificate." Wikipedia. Wikimedia Foundation, 15 Nov. 2014. Web. 24 Nov. 2014.
"Getting Started with Public Key Infrastructure." Networklore. N.p., n.d. Web. 24 Nov. 2014.

Thursday, November 27, 2014

Information Security Basics Part 3: Cryptography

image source: http://www.motherjones.com/files/cryptokids-nsa425x320.jpg

In a nutshell, this cartoon depicts what cryptography is - hidden writing.

Cryptography has 2 distinct operations:
  • Encryption
  • Decryption
When we hide a message, we need a way to return it to its original form.  A cipher is an algorithm to perform the encryption and decryption.

Cryptography History
Wikipedia has a very comprehensive wiki on the history of cryptography. Way back in the ancient Egyptian Kingdom in 1900 B.C., a very simple form of cryptography was being used.  Julius Caesar in 100 B.C. had the Caesar Cipher to encrypt secret messages to his generals. His cipher is a simple substitution method of shifting each character by 3.

As time progressed, more and more complicated ciphers were used.  In the 16th century, Vigenere introduced a primitive form of encryption keys.  At the beginning of the 19th century, machines were used as ciphers in the field of cryptography.

Of course the most famous cryptography machine is the Enigma machine used by the Germans. The movie U-571 is still one of my favorite war movies.

image source: http://www.niwarmemorial.org/wp-content/uploads/2014/02/EnigmaMachineTopCoverRemovedRNM.jpg

As a side note, the U.S. Army was very smart in using Navajo Indians, who used their native language to communicate with each other in the Pacific theater.  In essence, the Navajo Indians were the cipher machine.  U.S. Marines were assigned to protect this asset and sadly, if necessary, the Marines had to "destroy" this unique cipher machine so as not to let it fall into the hands of the enemy - the Japanese.

Modern Cryptography is based on complex mathematical algorithms.

Cryptography Goal
What we have discussed so far is that cryptography is the way to encrypt and decrypt messages.  In fact there are altogether 4 goals in cryptography:
  • Confidentiality
  • Authentication
  • Integrity of Data
  • Non-repudiation
I think confidentiality, authentication and data integrity are self-explanatory.  As for non-repudiation, it means the sender cannot deny sending the message.  For example, my 4-year-old son is playing with my laptop and he manages to send you an Email saying I will pay you $1,000 and signs the Email with my private key.  In the eyes of the court, I am obligated to pay you the $1,000 because the Email is signed by my private key, which no one else should have.

Cryptography Types
There are 3 general types of Cryptographic algorithms:
  • Secret Key
  • Public Key
  • Hashing
Secret Key
It is also called symmetric key cryptography because the message is encrypted and decrypted with the same key. The advantage is the speed of encrypting and decrypting.  It is vulnerable to brute-force attacks in which hackers crack the key.  Key creation and distribution to the various parties is also a point where the key can be compromised.

The longer the key, the more difficult it is, or the longer it takes, for hackers to crack.  Commonly used symmetric encryption algorithms are AES (Advanced Encryption Standard), DES (Data Encryption Standard) and Triple DES.  Sometimes in movies or TV shows we can see that 1024-bit or 2048-bit encryption is used and how the hacker is able to gain access to a certain computer system or network.

Note: Double DES is not used because it was found that doing the encryption only twice does not increase the effective key size.

Public Key
It is also called asymmetric key cryptography because there are 2 keys: one is used for encrypting the message and the other for decrypting it.  One key is called the private key, which should be kept secret, and the other is public.  When I send a message to you, I encrypt it with my private key and you use my public key to decrypt it.  When you reply, you use my public key to encrypt the message and then I use my private key to decrypt it.  The drawback of this method is that it is slow due to the complex mathematical algorithms.

As mentioned in the previous section on non-repudiation, when a message is encrypted with a private key, the person holding that private key cannot dispute having sent the message.

An example of an asymmetric-key system is the Diffie-Hellman Key Exchange.

One application of this method is to use the asymmetric keys to exchange a symmetric key between 2 parties; after that, all the communication between these 2 parties is encrypted with the symmetric key, which is much faster.
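
The exchange-then-symmetric pattern described above, as an added example that is not part of the original post: two parties run an elliptic-curve Diffie-Hellman exchange (X25519), each derives the same AES-256-GCM key from it, and the receiver rejects a ciphertext that was modified on the way. The names `sessionCipher` and `roundTrip`, the sample message and the use of SHA-256 as the key-derivation step are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sessionCipher (hypothetical helper) runs Diffie-Hellman with our private key and the peer's public
// key, then turns the shared secret into an AES-256-GCM cipher. SHA-256 stands in for a real KDF.
func sessionCipher(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// roundTrip sends msg from Alice to Bob and reports what Bob read and whether he rejected a modified copy.
func roundTrip(msg string) (string, bool, error) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed demo keys
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	a, errA := sessionCipher(alice, bob.PublicKey()) // Alice holds her private key and Bob's public key
	b, errB := sessionCipher(bob, alice.PublicKey()) // Bob holds his private key and Alice's public key
	if err := errors.Join(errA, errB); err != nil {
		return "", false, err
	}
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	box := a.Seal(nil, nonce, []byte(msg), nil) // bulk traffic uses the fast symmetric cipher
	plain, err := b.Open(nil, nonce, box, nil)
	box[0] ^= 1 // one bit changed in transit, by error or by someone in the path
	_, tamperErr := b.Open(nil, nonce, box, nil)
	return string(plain), tamperErr != nil, err
}

func main() { fmt.Println(roundTrip("pay the invoice")) }
```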

Hashing
Hashing is different from symmetric and asymmetric key cryptography.  It is a one-way encryption.  Plain text goes through a hashing function and becomes a cipher text.  This cipher text, however, cannot be converted back to its original form.

If it is not possible to convert the cipher text back to the original plain text, what is the use of this method?  This method is good for data integrity.  On top of keeping the message confidential, the use of a hashing function can show that the message has not been altered, either intentionally by another party or unintentionally due to hardware or communication errors.

Examples of hashing functions are MD5 and SHA-256/SHA-384/SHA-512.

Cryptography Use Cases
The most common use case for cryptography is the Secure Sockets Layer (SSL).  Everyone uses the web, and some websites choose to use https instead of http for the communication between the web browser and the web server; https is http running on top of SSL.

In OpenStack, as I have blogged about the messaging and queuing system as part of my OpenStack series, SSL is being used to secure RabbitMQ or Qpid.

In a Microsoft infrastructure, Kerberos is used to allow users to log on to the infrastructure and gain access to the various compute resources in the infrastructure without having to perform authentication and authorization repeatedly.

Related Post:
Information Security Basics Part 1: Security Models
Information Security Basics Part 2: Defense in Depth
Information Security Basics Part 4: Public Key Infrastructure (PKI)