Implementing Public Key Infrastructure

Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Public key infrastructure or PKI.
00:00
The learning objectives for this lesson are to explore
00:00
how PKI functions and its role,
00:00
to define the parts involved with PKI,
00:00
and to explore how PKI is implemented and used.
00:00
Let's get started. You may remember in
00:00
the previous lesson where we discussed the difficulties of
00:00
sending symmetric encrypted data to
00:00
someone and then supplying
00:00
the password to them to decrypt it.
00:00
It's very difficult to ensure that
00:00
that password is not intercepted,
00:00
so asymmetric encryption solves this problem.
00:00
It does so by creating a key pair.
00:00
The first is the public key that
00:00
can be freely given to anyone,
00:00
and the second is
00:00
the private key which we have to keep secure;
00:00
it's used to decrypt messages that have been sent to us.
00:00
But this is a key part of how PKI functions,
00:00
and I want to make sure you understand
00:00
this before we move deeper.
00:00
I'm going to use a visual on the next slides to
00:00
show you how this process works from start to finish.
00:00
We have Alice, and she wants to send a message to Bob.
00:00
Bob will send his public key to Alice.
00:00
Alice will then use
00:00
Bob's public key and encrypt a message to him.
00:00
Then she'll send that message directly to Bob.
00:00
Bob will take his
00:00
private key and decrypt the message and then read it.
00:00
This gives you a basic flow of
00:00
how asymmetric encryption works.
00:00
But these are the key points that
00:00
I wanted you to keep in mind.
00:00
Public key and private key are a matching pair.
00:00
Our public key can be freely given to anyone but
00:00
we've got to keep our private key safe and secure.
00:00
We can use asymmetric encryption to
00:00
digitally sign messages or files and by doing that,
00:00
I am proving that I'm the one who did that.
00:00
Let's move on into how this connects over to PKI.
00:00
Public key infrastructure or PKI are tools
00:00
that support not only
00:00
encryption and digital certificates,
00:00
but also integrity checks and authentication is
00:00
a central control over
00:00
the digital certificates that can be used
00:00
to identify users and services.
00:00
Those digital certificates will have
00:00
a public key embedded in them and
00:00
allows for message signing or
00:00
for message integrity and authentication.
00:00
When we're signing messages with
00:00
a digital certificate or our public key,
00:00
we're proving that I'm the one who did this.
00:00
That gives us non-repudiation.
00:00
Let's talk about some common uses of PKI.
00:00
Code signing is a very good example of this.
00:00
We have to be able to show that this code that we're
00:00
producing it may be an executable or a driver,
00:00
are validated by us that we're the ones that did this,
00:00
and it is trustworthy.
00:00
This is becoming a really big deal
00:00
because we need to ensure
00:00
that the drivers we're installing,
00:00
the executables we're installing,
00:00
come from sources that have been
00:00
validated and their certificates are
00:00
trusted by a certificate authority and
00:00
that certificate authority itself is a trusted CA.
00:00
If you remember Stuxnet that I
00:00
discussed in a previous lesson,
00:00
they used stolen digital certificates
00:00
to install malware onto systems,
00:00
and they did this by signing drivers that
00:00
Microsoft when Windows saw these particular drivers
00:00
had been signed by a certificate
00:00
that was accepted they allowed those drivers to
00:00
be installed directly onto the system without even
00:00
taking it further to check them out or to block that.
00:00
By doing that they just snuck right past
00:00
all the defenses and that really allowed
00:00
for the virus to first begin its exploitation part,
00:00
but to really spread further.
00:00
You can see the importance of making sure
00:00
that we're signing our software
00:00
or our code because it's
00:00
such a key part to ensuring
00:00
we're not installing bad things in there.
00:00
Now we can't stop it if a certificate has
00:00
been stolen in the case of Stuxnet,
00:00
but we can at least prevent
00:00
the easier attacks by installing drivers or apps on
00:00
our devices by not allowing
00:00
them to be installed from sources that are not trusted.
00:00
A digital certificate is a public assertion of identity.
00:00
I'm saying this is me,
00:00
and my digital certificate has a public key in that.
00:00
Not only that, my digital certificate has
00:00
been validated by a certificate authority.
00:00
That CA has said yes,
00:00
we know who this person is
00:00
they are who they say they are,
00:00
it is safe to send a message to him.
00:00
We can not only use this for sending messages,
00:00
or encrypting messages, or signing messages,
00:00
but we can also use it for encrypting web traffic.
00:00
Your browser has its own digital certificate and then
00:00
when we're going to a website via HTTPS,
00:00
we're using our digital certificate
00:00
and the site's digital certificate to
00:00
negotiate encryption to ensure
00:00
that the traffic is encrypted back and forth.
00:00
If we would have a third party
00:00
that jumped in there and put
00:00
a bad certificate on that web server,
00:00
then they would be able to intercept
00:00
that traffic so we have to make sure that
00:00
our web servers that we're
00:00
browsing to or if we have our servers and our own company
00:00
that we have valid digital
00:00
certificates that are in place to
00:00
validate who we are as a web server,
00:00
or end users need to make sure that when they're going to
00:00
different websites that the certificates
00:00
we see are valid and match the website we're going to.
00:00
We can also use our digital certificates
00:00
for secure authentication.
00:00
We need to be able to ensure that
00:00
two parties or two entities can
00:00
authenticate to each other in a secure way.
00:00
Sometimes this may involve multifactor authentication.
00:00
We can also use device certificates,
00:00
or the device itself has its own certificate,
00:00
and they can authenticate to another device or service.
00:00
A good example of this would be
00:00
if you had a remote user who was
00:00
wanting to connect via
00:00
your corporate VPN back to the corporate network.
00:00
Maybe it's not enough just to have a password
00:00
because the password could be guessed or cracked.
00:00
You may want them to use something
00:00
like a smartcard, for example,
00:00
and that smartcard would have
00:00
a digital certificate stored
00:00
on a chip that's on that card,
00:00
and the user would plug their card in,
00:00
and then they have to activate
00:00
it by using their PIN code.
00:00
Now we've established a multifactor authentication system
00:00
for this user to connect to our VPN.
00:00
They first had to have a password,
00:00
they had to use their smartcard,
00:00
and then their smartcard to be activated,
00:00
had to have a PIN code.
00:00
That's multifactor to ensure that we have
00:00
the right person authenticating to our VPN server.
00:00
We can also use PKI automation support.
00:00
When our certificates are used for authentication,
00:00
we're logging a lot of events.
00:00
Sometimes these are going to be denials,
00:00
and sometimes it's going to be the granting of access.
00:00
But either way we can set up
00:00
different triggers to happen based
00:00
on certain thresholds on
00:00
the actions that we want it to happen.
00:00
For example, with our VPN user
00:00
that we discussed earlier,
00:00
maybe we don't want to allow
00:00
anyone to connect to our VPN after
00:00
midnight or we don't want to
00:00
allow anyone to connect before a certain time.
00:00
When those authentications come in,
00:00
even if they're valid,
00:00
we can have an automated playbook that will go into
00:00
effect to ensure that certain actions
00:00
are taken on those authentications based on
00:00
the steps or actions that we have set up ourselves.
00:00
This is really helpful
00:00
when we're looking for malicious events.
00:00
We want to be able to respond to
00:00
those as quickly as possible.
00:00
It's a lot easier to have
00:00
an automated process that performs
00:00
certain specified actions rather than having someone
00:00
sitting there looking for
00:00
events and then having them respond.
00:00
We could even take this a step further that if
00:00
someone successfully authenticates to our network,
00:00
we want to make sure that their device even reaches
00:00
a certain standard before it's allowed to gain access.
00:00
We may want to make sure that they have
00:00
a certain patch level or they
00:00
have specific anti-malware products in place,
00:00
and we want to put all of that in
00:00
our automation so that even
00:00
if someone successfully authenticates,
00:00
if their device doesn't meet a certain standard or
00:00
our corporate policy that
00:00
we're not going to allow them to authenticate.
00:00
Federated PKI.
00:00
This is where we have two independent PKI hierarchies
00:00
that each support their own trust domains.
00:00
They have their own root certificate authorities
00:00
but they trust each other.
00:00
By doing this,
00:00
the users in the first group
00:00
automatically will trust the users in the second group.
00:00
This greatly expands the ability for organizations
00:00
to trust each other without
00:00
having to set up complex policies.
00:00
In a Federated PKI situation
00:00
you make sure that both of the organizations that
00:00
are involved have a common set of
00:00
policies there so that you're not giving
00:00
too many levels of trust away too easily,
00:00
you want to make sure that your policies
00:00
match each other.
00:00
I also wanted to clear up that it
00:00
doesn't have to be just two organizations.
00:00
There can be any number of organizations,
00:00
but for sake of an example we're
00:00
discussing two different organizations
00:00
that trust each other,
00:00
but you can have as many as you want on
00:00
a global scale and
00:00
all those organizations will be able to trust each other.
00:00
Let's summarize. We went over
00:00
asymmetric encryption and public key infrastructure.
00:00
We also went over the components of
00:00
PKI and certificate authorities.
00:00
We discussed the common usages of PKI,
00:00
Federated PKI, and secure authentication.
00:00
Let's do some example questions. Question 1.
00:00
True or false, in public key encryption,
00:00
the receiver's private key is used to encrypt
00:00
messages to them. False.
00:00
The receiver's public key is used. Question 2.
00:00
Blank is a set of independent PKI hierarchies that
00:00
trust each other. Federated PKI.
00:00
Question 3. This is used for PKI that involves
00:00
software proving its authenticity as safe to be used.
00:00
Code signing. Question 4.
00:00
A blank will validate
00:00
certificates so that their authenticity can be proven.
00:00
Certificate authority. I hope
00:00
this lesson was helpful for you,
00:00
and I'll see you in the next one.