Hey, guys. Welcome to another episode of the SSCP Exam Prep series. I'm your host, Pierre Simple. Oh,
this is going to be the fifth and last lesson of Domain 5.
So far in the fifth domain, we've taken a look at fundamental concepts of cryptography. We've taken a look at symmetric cryptography and how it only uses one key, and it's very quick.
We've taken a look at asymmetric cryptography, which uses two keys and solves a lot of key management issues. We've taken a look at methods of cryptanalytic attacks, which are all different ways that attackers try to break encryption. And now, in this lesson, we're gonna look at some
key management concepts, such as
how to keep a key safe, how to keep up with the life cycle of a key, and how to dispose of the key when it's done.
We'll also be taking a look at secure protocols, different protocols that allow for authentication and encryption.
When it comes to public keys, there's a lot of doubt about whose key belongs to whom. People tend to be very worried that they might be encrypting something with so-and-so's public key,
but that public key might not actually be theirs; it might belong to an attacker, who could then decrypt it and see what they're trying to send. As a result, public key infrastructure is in place.
Public key infrastructure is a set of systems, software and communication protocols required for public key cryptography.
There are three main purposes for PKI, public key infrastructure, and those are to publish public keys and certificates,
to certify that a key is actually tied to an individual or entity,
and to provide verification of the validity of a public key.
So the PKI simply exists to serve as a third party to provide trust that someone's public key, the one they say is their public key, is actually their public key.
The certificate authority is a component of the PKI and maintains the digital certificates of keys. It has two main jobs.
It has the registration authority, which verifies an entity's identity,
and it maintains a certificate revocation list. This is a list that is maintained by the CA
that contains information on revoked digital signatures.
Key management is the most important part of any cryptographic implementation.
Kerckhoffs's principle
states that an encryption system should be secure even if everything about the system except the key is public knowledge.
So what he's saying is everything about the encryption algorithm should be known, and the only thing that should be kept hidden is the keys. He says this because he understands that key management is the most important part of any cryptographic implementation. And also, when people have access to the algorithm,
they can test it themselves. They can see if there are any bugs or flaws which otherwise might not maintain the integrity of whatever is being encrypted.
Key management applications: there's the Extensible Markup Language Key Management Specification 2.0 (XKMS), which is simply a group of protocols for distributing and registering public keys. And there's also ANSI X9.17, which was developed to address the needs
of financial institutions in public key cryptography.
Now this uses two types of keys:
data keys and key-encrypting keys. The data keys, otherwise known as session keys, are the ones that encrypt the data. These are smaller keys that are used to encrypt and decrypt data very, very fast.
Now, key-encrypting keys are very long and beefy keys that take a while to decrypt; it takes forever. In fact, it almost takes too long to encrypt with them to make it worthwhile.
So the key-encrypting keys encrypt the data keys, which then
encrypt the data.
Key distribution and management. Let's take a look at how this works.
Secure keys depend on automated key generation, randomness and key length.
So, key generation is the key policy enforcement: all the policies for creating keys, all the steps must be followed every time, so that a secure, valid key is created every time.
Randomness: the zeros and ones need to be random. And obviously the key length plays a major factor in any key and encryption. The longer the key, the better off you are.
Key wrapping is the process of using key-encrypting keys to protect session keys.
This is good for sending keys over an untrusted transport and supports symmetric and asymmetric ciphers. Now, this is how
a key wrapping session takes place. So you start with the session key,
and the session key is encrypted with the KEK, the key-encrypting key,
and then that is transported over a network.
Once it's over the network, the encrypted key
is decrypted, and then you're left with the session key,
which can then encrypt or decrypt any data that's needed.
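Here is an added example of the key wrapping flow just described, written in Go (my code, not from the lesson): a short-lived session key is encrypted under a long-lived key-encrypting key, the wrapped blob crosses the network, and the receiver unwraps it and can then use it on data. The lesson names no wrapping cipher, so AES-256-GCM is assumed here, and the helper names are my own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Helper names are mine; AES-256-GCM is an assumed choice for the wrapping cipher.
// randomBytes returns n fresh random bytes (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// aead builds the AES-GCM primitive for a 16-, 24- or 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal encrypts and authenticates plaintext under key, prefixing the random nonce;
// it wraps the session key under the KEK and encrypts data under the session key.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...), nil
}
// open reverses seal and fails if the blob was altered in transit.
func open(key, blob []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
func main() {
	kek, sessionKey := randomBytes(32), randomBytes(16) // KEK shared out of band; short-lived data key
	wrapped, _ := seal(kek, sessionKey)                  // this blob crosses the untrusted network
	recovered, err := open(kek, wrapped)                 // receiver unwraps with the same KEK
	fmt.Println(err, len(recovered))                     // <nil> 16
}
```

The same seal/open pair then protects the actual data under the recovered session key, which is the "data key" half of the two-key scheme described earlier.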
Out of band is a key exchange that uses a medium other than the one through which secure messages will be sent.
So if the secure messages will be sent through email, then you want to send the key either in person, by hand,
or through the mail, the regular mail, or something like that. You don't want to send the key
over the medium through which your secure messages will be sent. The problem with this is that it's not very scalable. I mean, if you live near someone, or if you're close by someone, yes, you can give them the key personally. But many times that is simply not the case. Many times
you need to send a key to someone who lives halfway around the world or, you know, thousands of miles away, and that becomes a problem. It's very hard to get them a key when they're not nearby,
obviously. So this is where a KDC, key distribution center, comes in. It contains public keys with valid certificates, and there are two keys, master keys.
Remember, Kerberos is an example of a key distribution center.
There are a lot of key aspects when it comes to keys and key management. The first is storage. It's very important to store your keys in a very safe location and also to have a life cycle for these keys. So
if you have a key, one, make sure it's encrypted if it's not being used.
And also you want to make sure there's an expiration date. So if anyone is trying, or actively trying, to grab your key, if the key expires after a while, and if the key expires before the person trying to grab the key
successfully decrypts it, then they're gonna have to start all over again. It's just another way to keep your key secure. And once the expiration date happens, get rid of your key, and you definitely want to get a new one.
When it comes to backups, you want to make sure you have some sort of key backup in place so you can recover any type of key. Now, there are different key recovery methods; one of the most common ones is multiparty. This is where you break up
your key and give it to different people,
friends or whoever, maybe some co-workers.
And they all have a different part of your key. So if you ever lose your key, or you can't use it anymore and you need it,
you can call up your friends and get the part of the key from all three of them, or however many there are, and you can put your key back together that way.
There are also common directories, which are usually managed by the IT department, which contain a lot of the public keys in case there's a backup. And obviously there are password wallets, where
you let your web browser or a system manage the keys for you, and you only have to remember one key. So
if you can't seem to remember the key or whatever, they can give it to you.
There's key escrow, where a third party holds a key in case you do lose it,
and the web of trust, for the authenticity of a public key and its owner.
IPsec is a suite of protocols for communicating securely with IP by giving mechanisms for authentication and encryption.
So the first of the parts of this is the Authentication Header. This is used to identify the sender and to ensure the integrity of the packet or the payload, and it does this by using hashes and sequence numbers. So the hashes are used
to ensure the data has not been altered inside the packet.
So when the packet is encrypted, the hash is computed, and then the packet is sent over with the hash, and then when the packet reaches the destination the two hashes are compared; if they're the same, then clearly nothing happened to the packet.
Now, sequence numbers are there to ensure that all the packets arrived there successfully.
If a number is missing, then obviously a packet is missing.
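An added example in Go (my code, not the lesson's and not the real AH packet layout) of the two checks the Authentication Header is described as providing: the receiver recomputes a keyed hash over each packet and compares it to the one that was sent, and it tracks sequence numbers to spot a missing packet or a replayed one. The Packet type, the HMAC-SHA256 choice and the sample key are my own assumptions.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Packet is a toy stand-in for an AH-protected datagram (my construction, not the
// real AH layout): sequence number, payload and a keyed hash (ICV) over both.
type Packet struct{ Seq uint32; Payload, ICV []byte }
// icv computes HMAC-SHA256 over the sequence number and payload.
func icv(key []byte, seq uint32, payload []byte) []byte {
	h := hmac.New(sha256.New, key)
	var s [4]byte
	binary.BigEndian.PutUint32(s[:], seq)
	h.Write(s[:])
	h.Write(payload)
	return h.Sum(nil)
}
// newPacket is the sender side: stamp the sequence number and attach the ICV.
func newPacket(key []byte, seq uint32, payload []byte) Packet {
	return Packet{Seq: seq, Payload: payload, ICV: icv(key, seq, payload)}
}
// Receiver recomputes the hash and then checks the sequence number (real IPsec uses a sliding window).
type Receiver struct {
	key     []byte
	lastSeq uint32
}
// Accept returns how many packets went missing before p, or an error if p was
// altered (hash mismatch) or replayed (sequence number did not advance).
func (r *Receiver) Accept(p Packet) (missed uint32, err error) {
	if !hmac.Equal(p.ICV, icv(r.key, p.Seq, p.Payload)) {
		return 0, errors.New("integrity check failed: packet altered or wrong key")
	}
	if p.Seq <= r.lastSeq {
		return 0, errors.New("replayed or out-of-order sequence number")
	}
	missed = p.Seq - r.lastSeq - 1
	r.lastSeq = p.Seq
	return missed, nil
}
func main() {
	key := []byte("constructed shared key") // constructed sample key
	rx := &Receiver{key: key}
	for _, seq := range []uint32{1, 2, 4} { // packet 3 never arrives
		missed, err := rx.Accept(newPacket(key, seq, []byte("data")))
		fmt.Println(seq, missed, err) // 1 0 <nil>, 2 0 <nil>, 4 1 <nil>
	}
}
```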
Encapsulating Security Payload, ESP.
This consists of four different parts.
You have the header, which contains the sequence number and security association, where the packet is supposed to go.
You have the payload, which is the encrypted part of the packet,
and you have the trailer. This is not always required, but sometimes, if the packet is not completely full and it needs to be, padding can be added to keep the packet at the full size. And authentication: obviously, a hash value of the packet to verify
that nothing happened to the packet along the way.
So endpoints talk through IPsec by using transport or tunnel modes.
With transport mode, the payload is protected but the header is not, so you can see the sequence number and the hash of the authentication header, whereas with tunnel mode the payload and the header are both protected.
Internet Key Exchange, otherwise known as IKE, is the authentication part of IPsec.
Phase one establishes authentication using either a shared secret, which would be like a key in symmetric key encryption;
public key encryption, where there is a private and a public key;
or the revised mode of public key encryption. This is there to reduce the overhead of regular public key encryption, so a random, you know, bit number is encrypted with the communicating partner's public key, and the peer's identity
is encrypted with symmetric encryption
using that same random number string as the key.
Phase two of the Internet Key Exchange is where the security associations are established using the secure tunnel and the secure association methods at the end of phase one.
Secure Sockets Layer and Transport Layer Security, SSL and TLS. This is like a tunnel used to encrypt confidential data over a secure network. So think of a tunnel going from point A to point B, and nothing can get inside. So once the data from point A enters the tunnel,
nothing can come into the tunnel, nothing can come out of the tunnel, no one can peer inside; they can't access the information anywhere in that tunnel,
and then the information comes out the other side at point B. Now, the secure socket sits between the application layer and the transport layer.
Secure Multipurpose Internet Mail Extensions, otherwise known as S/MIME. This is used to send digitally signed and encrypted messages through email. This provides authentication, integrity and non-repudiation.
In this lecture, we discussed key management concepts and secure protocols.
John has lost his private encryption key.
Darn it, John. Thankfully, he has split up his private key among three different friends, and now he calls them up and pieces his private key back together.
This is an example of what?
C, key storage, or D, key recovery.
If you said D, key recovery, then you are correct. Remember, John lost his private encryption key, but thankfully he had split it up among his friends. To get it back,
all his friends have to do is come together, give John each third piece of the key, and then John will be able to have his private encryption key once again.
Thanks for watching, guys. I really hope you learned a lot in this video, and I'll see you next time.