Welcome to the Cybrary video series on the CompTIA Security+ (SY0-501) certification and exam.
I'm your instructor, Ron Woerner.
The Security+ requirement for section 6.4 is: given a scenario, implement public key infrastructure.
Public key infrastructure, or PKI, is widely used to provide the secure infrastructure for applications and networks,
including access control, resources for web browsers, secure email and much more.
PKI is a large collection of varying technologies and policies for the creation and use of digital certificates.
A PKI encompasses digital certificates, certificate authorities and the tools, systems and processes needed to bring it all together.
In this video, I'll cover PKI components such as keys,
certificates and certificate management,
PKI concepts,
types of certificates and certificate formats.
Before we jump into PKI, let's have a quick review of asymmetric encryption and the use of public and private keys. You need to have this down, both for Security+ and to understand PKI. To encrypt a document, you do it with the recipient's public key.
Only the recipient can decrypt it with his or her private key.
To sign a message, I would sign it with my private key; then anyone can prove I signed it by using my public key.
Review this material. Make sure you have it down.
Let's quickly review some of the PKI components. This is a review from section 6.1.
PKI consists of an infrastructure: hardware, software, policies and processes.
These components provide for management and use of digital certificates.
Core components include certificate authorities, certificate policies, digital certificates and certificate practice statements. PKI is the process of working with all of these certificates, and it uses X.509 as its standard.
We'll dive into this in a lot more detail throughout this video.
As I explained in previous videos,
digital certificates are a critical component in providing secure systems.
EAP and wireless networks require digital certificates to verify the identity of the client or server.
Digital certificates are digitally signed data blocks which provide several potential functions, but most notably they are used for identification and authentication purposes.
A digital certificate includes information about the key, information about the identity of the owner (also called the subject),
and the digital signature of the entity that has verified the certificate's contents, called the issuer.
X.509 v3 is the standard, and it defines certificate formats and fields for public keys.
Your screen shows the components of a digital certificate, including the version, the serial number,
the issuer (the CA; we'll talk about CAs in a moment),
how long it is valid,
the subject's public key information, the issuer's unique ID,
the subject's unique ID, and any extensions. Let me show you an actual example from the Internet.
On your screen is the NIST website.
Let's check out its digital certificate.
Do so by clicking on the secure green lock.
The General tab shows that the certificate is valid
and that it ensures the identity of the remote computer and proves my identity as well.
If I click on Details, it actually shows the contents of the digital certificate I briefly mentioned earlier,
and you can look into these contents. I highly recommend you pull up your favorite website and review its digital certificate as you're walking through this topic.
I'll now explain different X.509 certificates.
First of all is the root certificate. This is for root authorities. These are usually self-signed by that authority
and kept offline.
The DV, or domain validated, certificate is the quickest and least expensive option, because only the ownership of a specific domain name is validated.
Organizational validation, or OV, certificates provide stronger assurance over just domain verification,
because the organization itself has been verified, not just the domain.
Finally, EV is extended validation, and it's the certificate that provides the highest level of trust and security features.
X.509 uses different types of certificates
based on the circumstance and organization.
For example, a wildcard certificate covers the subdomains of a single registered domain. You saw that with the NIST example.
SAN, or subject alternative name, is a special X.509 certificate that allows additional items such as IP addresses, domain names, et cetera.
A code signing certificate is used to sign computer code, so developers can sign the code they develop with their certificate
to prove that it is valid.
There are also machine or computer certificates that are assigned to a specific computer or machine.
Email certificates are used with S/MIME; I could use one as part of my secure email strategy.
And then user certificates are assigned to specific users.
Certificates can have various file extension types.
Some extension types are interchangeable, but not all are.
Be sure to determine whether the certificate is binary or Base64 ASCII encoded. The chart on the screen shows the differences in format and encoding, along with the systems each is used with, and then the extensions you'll find on your computer.
The most common format and extension for certificates is PEM, which is mostly associated with Apache web servers.
The PEM format is a Base64 ASCII-encoded text file, which makes copying the contents from one document to another easy.
Another Base64-encoded certificate format is P7B, also known as PKCS #7.
This format uses the .p7b or .p7c file extension,
which is commonly supported on the Windows operating system and Java Tomcat.
The binary form of a PEM certificate is DER.
In addition to the .der extension, the .cer and .crt extensions can be used for DER-encoded certificates.
DER-encoded certificates are common on Java platforms.
Be familiar with these different types of certificate formats.
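As an added example (not part of the original video), the following Python shows the PEM/DER relationship just described: PEM is nothing more than Base64 text armor around the DER bytes. The five-byte ASN.1 blob standing in for a real certificate is constructed; the detection test relies only on the fact that every X.509 certificate is an ASN.1 SEQUENCE and therefore begins with the 0x30 tag.

```python
import base64
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for DER certificate bytes: a minimal ASN.1 SEQUENCE
# (tag 0x30) wrapping an INTEGER. Real certificates also begin with 0x30,
# because an X.509 Certificate is itself a SEQUENCE.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x2A])


def detect_format(data: bytes) -> str:
    """Classify certificate bytes as 'pem' (text), 'der' (binary) or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag, i.e. raw DER
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Base64-armor DER bytes at 64 columns between the PEM markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the markers and decode the Base64 body back to DER."""
    body = [ln.strip() for ln in pem.strip().splitlines()]
    if body[0] != PEM_HEADER or body[-1] != PEM_FOOTER:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(body[1:-1]), validate=True)


def normalize_to_der(data: bytes) -> bytes:
    """Accept either encoding (as a .cer/.crt file might hold) and return DER."""
    fmt = detect_format(data)
    if fmt == "der":
        return data
    if fmt == "pem":
        return pem_to_der(data.decode("ascii"))
    raise ValueError("unrecognised certificate encoding")


def round_trip_matches_stdlib(der: bytes) -> bool:
    """Cross-check the hand-rolled conversion against the ssl module's helpers."""
    pem = der_to_pem(der)
    return (pem_to_der(pem) == der
            and ssl.DER_cert_to_PEM_cert(der) == pem
            and ssl.PEM_cert_to_DER_cert(pem) == der)
```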
Earlier in this video I mentioned certificate authorities.
CAs are trusted entities within PKI.
The CA's role is to issue certificates,
verify the holder of a digital certificate and ensure holders of certificates are who they claim to be.
A common analogy is to compare a CA to a passport issuing authority. For me to get my passport, I have to take some other type of identity, like my birth certificate or driver's license,
to the post office, which is the authority that can give me a passport.
Then the passport office can issue my document.
This is similar to how a CA works.
An organization can establish its own CA, typically for use only within that organization.
You can also use an external or third-party CA such as Symantec, GoDaddy, et cetera.
You see on the screen the additional duties associated with certificate authorities. As previously mentioned, this is a key component of PKI.
Since CAs tend to be quite busy, they have a helper known as the RA, or registration authority.
Registration authorities provide authentication to the CA on the validity of a client certificate request.
In addition, the RA serves as an aggregator of information.
For example, a user contacts an RA, which then verifies the user's identity before passing the request to the CA
to go ahead and issue a digital certificate.
Note: RAs do not issue digital certificates themselves. That is the role of the CA.
Let's look at some of the PKI components.
The first is a certificate signing request, or CSR.
A CSR is a request from the applicant to the CA.
To install a digital certificate, a specific request needs to be generated and submitted to the CA.
This request to apply for a digital certificate is known as the CSR.
Included within the request is the applicant's public key, along with information about the applicant.
Typical information includes a fully qualified domain name,
the legally incorporated name of the company,
maybe a department name, city, state, country or email address.
Before submitting a CSR, the applicant generates a key pair consisting of a public and private key.
The public key is provided with the request, and the applicant signs the request with their private key.
If all is successful, the CA returns a digital certificate that is signed with the CA's private key.
Digital certificates can also be revoked.
Revocation happens for several reasons. For example, a private key might become compromised
or lost, or the identifying credentials might no longer be valid.
Other reasons for revocation include fraudulently obtained certificates or a change in the holder's status,
which could indicate less trustworthiness.
Revoking a certificate is not enough.
The community that trusts these certificates must be notified that the certificate is no longer valid.
This is accomplished with a certificate revocation list, or CRL.
You can search for CRLs within your own web browser.
They also may use the Online Certificate Status Protocol.
I'll explain each of these.
Three basic status levels exist in most PKI solutions:
valid, suspended or revoked.
You can check the status of a certificate by going to the CA that issued the certificate or to an agreed-upon directory server that maintains a database indicating the status level for the set of certificates.
The certificate revocation list is the method for distributing that certificate revocation information from the CA server
down to clients, and it must be updated very often.
A certificate is compared against the CRL; if it's not valid,
it's thrown out and you may receive a warning.
CRLs must be updated and maintained, which could be a maintenance nightmare.
Be familiar with certificate revocation.
Another method for checking revocation is OCSP, the Online Certificate Status Protocol.
This is a real-time process for checking a certificate's status against a revocation list.
OCSP stapling allows the web server to staple
a time-stamped OCSP response onto the TLS handshake with the client, so it reduces the load on the CA.
The web server is now responsible for handling OCSP requests instead of the CA.
OCSP stapling provides several benefits. First, it improves the performance of the secure connection.
Next, privacy concerns are reduced because the end user's browser does not need to potentially contact the third-party CA to verify the certificate and thereby reveal the browsing history.
Finally, reliability is improved.
Another PKI component you need to be aware of is certificate trust models.
If your organization acts as its own CA, it's known as a single CA,
and you can issue self-signed certificates. This is the simplest scenario, but there's no redundancy.
It's possible for anyone to generate a self-signed certificate. In fact, this is an easy task to perform using Microsoft IIS.
The certificate will be X.509, but it'll be digitally signed by you.
This means that although it could be used to transmit your public key, it won't be trusted by browsers.
This will instead generate a certificate error message, which I'm sure you've all encountered.
A more common model, and the one that reduces the risks inherent with a single CA, is the hierarchical CA model.
In this model, an initial root CA exists at the top of the hierarchy, and subordinate CAs, or intermediate CAs, reside beneath the root.
The subordinate CAs provide redundancy and load balancing in case any of the other CAs fail or need to be taken offline.
Because of this model, you might hear PKI referred to as a trust hierarchy.
A root CA differs from a subordinate CA because the root CA is usually offline.
Remember, if the root CA (this is the one it's all based on) is compromised,
the whole hierarchy is therefore compromised.
If a subordinate CA is compromised, however, the root CA can revoke
the subordinate CA's certificate.
Certificate chaining is associated with those ideas.
It refers to the fact that certificates are handled by a chain of trust.
You purchase a digital certificate from a CA, so you trust that CA's certificate;
in turn, that CA trusts a root certificate.
In this example, the CA certificate is an intermediary CA's, and the ultimate trust is the root certificate.
An alternative to this hierarchical model is the cross-certification model, often referred to as a web of trust.
In this model, CAs are considered peers to each other
to achieve secure exchange of information
across the Internet.
There is also a bridge CA, which provides a cross-certification model using a central point of trust.
You should review these different certificate trust models that are all part of PKI.
Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA.
So I give my private key to a trusted entity;
I escrow my key with them.
This scenario allows the CA or escrow agent to have access to all of the information encrypted using the public key from a user certificate, and to create digital certificates and signatures on behalf of the user.
That has some danger associated with it.
But despite public concerns about escrow for private use, key escrow is often considered a good idea in corporate PKI environments.
The key recovery agent is an entity that has the ability to recover a key, the key components or plaintext messages as needed.
The last topic associated with PKI I'll be covering in this video is pinning.
With certificate pinning,
hashes of public keys for popular web servers are built into applications such as web browsers.
This provides a method that extends beyond certificate validation.
This stops man-in-the-middle attacks.
HTTP Public Key Pinning, or HPKP, uses public key pins,
which are essentially hashed values of the public key communicated to the browser client
from the server in an HTTP header.
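As an added example (not part of the original video), this Python shows what a pin actually is and how a client decides whether to honor a Public-Key-Pins header: the pin is the Base64 of the SHA-256 digest of the certificate's SubjectPublicKeyInfo DER (RFC 7469), and the header is only accepted when it carries max-age, a pin matching the served chain, and a backup pin that does not. The SPKI byte strings are constructed stand-ins; browsers have since dropped HPKP, but this same SPKI-hash pin is what application pinning libraries compare against.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; a real pin
# is computed over the SPKI structure extracted from the server's certificate.
SERVER_SPKI = b"constructed-spki-of-the-live-server-key"
BACKUP_SPKI = b"constructed-spki-of-the-offline-backup-key"


def compute_pin(spki_der: bytes) -> str:
    """pin-sha256 value per RFC 7469: Base64 of SHA-256 over the SPKI DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(spkis, max_age=5184000, include_subdomains=True) -> str:
    """Server side: emit the Public-Key-Pins header value for the given keys."""
    parts = [f'pin-sha256="{compute_pin(s)}"' for s in spkis]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp(header: str) -> dict:
    """Client side: pull pins, max-age and includeSubDomains out of the header."""
    pins, max_age, include_sub = [], None, False
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"', directive)
        if m:
            pins.append(m.group(1))
        elif directive.lower().startswith("max-age="):
            max_age = int(directive.split("=", 1)[1])
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def header_is_noteworthy(header: str, chain_spkis) -> bool:
    """RFC 7469 s2.5: store the pins only if max-age is present, at least one pin
    matches a key in the served chain, and at least one pin does not match
    (the backup pin, so losing the live key does not lock users out)."""
    parsed = parse_hpkp(header)
    if parsed["max_age"] is None:
        return False
    chain_pins = {compute_pin(s) for s in chain_spkis}
    pins = set(parsed["pins"])
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def chain_matches_pins(header: str, chain_spkis) -> bool:
    """Later connection: pass if any SPKI in the served chain hits a stored pin."""
    pins = set(parse_hpkp(header)["pins"])
    return any(compute_pin(s) in pins for s in chain_spkis)
```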
In this video, I covered a number of topics associated with PKI.
Let's practice on a few sample quiz questions.
The job of this service is to issue certificates, verify the holder of a digital certificate
and ensure that the holders of certificates are who they claim to be.
The answer is A. This is the definition of a certificate authority,
or CA.
Which of the following is not contained in a standard X.509 certificate?
Remember the example I showed you of what often is contained in an X.509 certificate.
What is not contained?
The answer is C, the subject's private key. Only the subject's public key is included.
There are two labs associated with PKI that will give you hands-on practice on these concepts. The first is Understanding PKI Concepts.
This module provides you with instruction on server hardware to develop your hands-on skills
in the areas of installing and configuring Active Directory Certificate Services
and configuring certificate revocation lists.
The other lab is Managing Certificates,
where you will learn about managing certificate templates, configuring certificate auto-enrollment, implementing key archival, enrolling user certificates, and managing key recovery.
Each of these labs will provide you with hands-on experience on the concepts associated with PKI.
This concludes the video for section 6.4,
given a scenario, implement public key infrastructure,
and this concludes domain 6, Cryptography and PKI.
Please review your study material for more information on this topic.