I. Public Key Infrastructure
1. Public and Private Key Pairs
1.
2.
3.
4.
5.
6. Certificate Authorities
1. A certificate authority (CA) is a computer or entity that creates and issues digital certificates.
2. Inside the Digital Certificate
a. Information about the identity of the device, such as its IP address, FQDN, and the public key of the device.
b. The CA takes all of this information, including the public key generated by the device, and generates a digital certificate. The CA assigns a serial number to the certificate and signs it with its own private key (the CA's signature).
c. Also includes validity dates for the certificate (start and expiration) and possibly revocation details.
d. Also includes information about the CA, including a URL where the certificate can be checked against the CA.
e. Most web browsers ship with a large list of common CAs.
f. You could create your own CA server, but no one outside your organization would trust it; you would use it internally only.
8. Root Certificate
1. Contains the public key of the CA server and other details about the CA server. The subject of the root certificate is the CA itself. The subject of a client's identity certificate is the client.
5. Public key: The contents of the public key and the length of the key are often both shown. After all, the public key is public.
6. Thumbprint algorithm and thumbprint: This is the hash of the certificate. On a new root certificate, you could use a phone to call the CA and ask for the hash value, then compare it to the hash value you see on the certificate. If it matches, you have just performed out-of-band (using the telephone) verification of the digital certificate.
9. Identity Certificate
1. Similar to a root certificate, but it describes the client and contains the public key of an individual host. Examples would be a web server that wants to support SSL, or a router that wants to use digital signatures for authentication of a VPN tunnel. Example below:
2.
15. Revoked Certificates
1. One must manually check whether a certificate has been revoked, unless the device is set to check automatically each time it authenticates.
2. Three basic ways to check, in order of popularity:
a. Certificate Revocation List (CRL): This is a list of certificates, identified by their serial numbers, that had initially been issued by a CA but have since been revoked and as a result should not be trusted. A CRL could be very large, and the client would have to process the entire list to verify that the certificate is not on it. A CRL can be thought of as the "naughty list." This is the primary protocol used for this purpose, compared to OCSP and AAA. A CRL could be accessed by several protocols, including LDAP and HTTP. A CRL could also be obtained via SCEP.
b. Online Certificate Status Protocol (OCSP): This is an alternative to CRLs. Using this method, a client simply sends a request for the status of one certificate and gets a response, without having to know the complete list of revoked certificates.
c. AAA: Cisco AAA services also provide support for validating digital certificates, including a check to see whether a certificate has been revoked. Because this is a proprietary solution, it is not often used in PKI.
17. PKI Topologies
1. Small network: a single CA server may be enough.
2. Large network (30,000 devices or more): a single server may not provide the availability and fault tolerance required.
a. (We are talking about a company's own CA server, for company usage only.)
18. Single Root CA
1. Having one CA server with thousands of customers who want to authenticate that CA and request their own identity certificates might be too large a demand on one server.
a. Offload some work by publishing CRLs on other servers.
b. Still no fault tolerance, though, with one CA.
20. Cross-Certifying CAs
1. In a cross-certifying topology, a CA has a horizontal trust relationship with a second CA, so that clients of either CA can trust the signatures of the other CA.
2. ASA example
2. When adding a new root certificate, you are also adding details about how you are going to work with that CA.
3. Click More Options.
a. Answer questions about the CRL (Certificate Revocation List) and specify other details about which protocols this firewall should use for certificate verification when dealing with certificates issued by this CA.
4. After you call the CA to get the hash and compare it to your calculated hash, you can request an identity certificate.
8. Specify the enrollment mode of SCEP and the IP address of the CA server that supports SCEP, shown below.
9. Once the enrollment method and IP address are configured, click the OK button, and then click the Add Certificate button.
10. Equivalent CLI commands to authenticate and enroll with a new CA via SCEP
Digital signature: Using its private key to encrypt a generated hash, a digital signature is created. The receiver uses the public key of the sender to validate the digital signature and verify the identity of the peer.
Digital certificate: File that contains the public key of the entity, a serial number, and the signature of the CA that issued the certificate.
Public and private keys: Used as a pair to encrypt and decrypt data in an asymmetrical fashion.
Certificate authority: The CA's job is to fulfill certificate requests and generate the digital certificates for its clients to use. It also maintains a list of valid certificates that have been issued, and maintains a CRL listing any revoked certificates.
X.509v3
Subordinate CA/RA: Assistant to the CA, which can issue certificates to clients. Clients need both the certificates from the root and the subordinate to verify signatures all the way to the root. Used in a hierarchical PKI topology.
PKCS
1-8
9-10
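The following is an added worked example, not code from the book or from these notes. It ties together the certificate sections above (what a CA puts into a certificate, root versus identity certificates, the out-of-band thumbprint check, CRL lookup by serial number, and a subordinate CA chain) and the "digital signature" definition in the key-terms table. So that it runs offline with only the Python standard library, it uses textbook RSA on small keys generated with a Miller-Rabin test instead of a real crypto library, and certificates are plain JSON rather than X.509; the CA names, hostnames, serial numbers, dates and the CRL URL are constructed placeholders.

```python
"""Toy PKI walk-through (constructed example; textbook RSA, no padding, small keys, not secure):
key pairs, CA-signed root/identity certificates, thumbprint check, CRL by serial, chain validation."""
import hashlib
import json
import random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):                     # random prime with the top bit set (exactly `bits` long)
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); the modulus must be larger than the 256-bit hash."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537 != 0:  # 65537 is prime, so this means gcd(e, phi) == 1
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def sign(private, data):                 # signature = SHA-256 hash "encrypted" with the private key
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public, data, signature):     # receiver recovers the hash with the public key, compares
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def encode(obj):                         # canonical bytes of whatever gets signed or hashed
    return json.dumps(obj, sort_keys=True).encode()

def issue_certificate(ca_name, ca_private, subject, subject_public, serial,
                      not_before, not_after, crl_url="http://ca.example.internal/crl"):
    """The CA adds a serial number, validity dates and its own details, then signs."""
    tbs = {"subject": subject, "issuer": ca_name, "serial": serial,
           "public_key": list(subject_public), "not_before": not_before,
           "not_after": not_after, "crl_url": crl_url}      # crl_url is a placeholder
    return {"tbs": tbs, "signature": sign(ca_private, encode(tbs))}

def thumbprint(cert):                    # hash of the whole certificate, confirmed out of band
    return hashlib.sha256(encode(cert)).hexdigest()

def validate(cert, anchors, crl, today):
    """Check the validity window, then the issuer's CRL by serial, then the signature."""
    f = cert["tbs"]
    if not f["not_before"] <= today <= f["not_after"]:
        return False, "outside validity dates"
    if f["serial"] in crl.get(f["issuer"], set()):
        return False, "revoked (serial is on the issuer's CRL)"
    if f["issuer"] not in anchors:
        return False, "issuer not trusted"
    if not verify(anchors[f["issuer"]], encode(f), cert["signature"]):
        return False, "bad signature"
    return True, "valid"

def validate_chain(chain, root_anchors, crl, today):
    """chain = [identity, subordinate CA, root]; verify from the root outward, adding each CA's key."""
    anchors = dict(root_anchors)
    for cert in reversed(chain):
        ok, why = validate(cert, anchors, crl, today)
        if not ok:
            return False, f"{cert['tbs']['subject']}: {why}"
        anchors[cert["tbs"]["subject"]] = tuple(cert["tbs"]["public_key"])
    return True, "chain verifies up to the root"

def demo(today="2024-06-01"):
    """Constructed scenario: root CA -> subordinate CA -> web server identity certificate."""
    (root_pub, root_priv), (sub_pub, sub_priv), (www_pub, _) = [generate_keypair() for _ in range(3)]
    root = issue_certificate("RootCA", root_priv, "RootCA", root_pub, 1, "2024-01-01", "2034-01-01")
    sub = issue_certificate("RootCA", root_priv, "SubCA", sub_pub, 2, "2024-01-01", "2034-01-01")
    www = issue_certificate("SubCA", sub_priv, "www.example.internal", www_pub, 1001, "2024-01-01", "2025-01-01")
    phoned = thumbprint(root)                 # constructed: the value the CA admin reads out by phone
    received = json.loads(encode(root))       # the root certificate as it arrived over the network
    assert thumbprint(received) == phoned, "root thumbprint mismatch: do not trust this CA"
    anchors = {"RootCA": tuple(received["tbs"]["public_key"])}   # install the root as trust anchor
    tampered = {"tbs": dict(www["tbs"], subject="evil.example.internal"), "signature": www["signature"]}
    return {"good": validate_chain([www, sub, root], anchors, {}, today),
            "revoked": validate_chain([www, sub, root], anchors, {"SubCA": {1001}}, today),
            "expired": validate_chain([www, sub, root], anchors, {}, "2026-01-01"),
            "tampered": validate_chain([tampered, sub, root], anchors, {}, today)}
```

Calling `demo()` returns four results: the intact chain validates; the same chain fails once serial 1001 appears on the subordinate CA's CRL; it fails again when the identity certificate's validity window has passed; and a copy with the subject field edited fails the signature check, because the signature was computed over the original fields with the subordinate CA's private key. The order of checks in `validate` (dates, then CRL, then signature) is what the notes describe, and `validate_chain` shows why a client needs both the root and the subordinate certificates to verify all the way to the root.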
1. Why is the public key in a typical public-private key pair referred to as public?
a. Because the public already has it
b. Because it is shared publicly
c. Because it is a well-known algorithm that is published
d. The last name of the creator was publica, which is Latin for public
2. What is the key component used to create a digital signature?
a. Ink
b. Public key
c. Private key
d. AES
3. What is the key component used to verify a digital signature?
a. Sender's public key
b. Receiver's public key
c. AES
d. One-time PAD
4. What is another name for a hash that has been encrypted with a private key?
a. MD5
b. SHA-1
c. AES
d. Digital signature
5. What are the primary responsibilities for a certificate authority (CA)? (Choose all
that apply.)
a. Verification of certificates
b. Issuing identity certificates
c. Maintaining client's private keys
d. Tracking identity certificates
6. Which of the following is not a way for a client to check whether a certificate has been revoked?
a. Look at the lifetime of the certificate itself
b. CRL
c. OCSP
d. LDAP
7. Which of the following could be found in a typical identity certificate? (Choose all
that apply.)
a. CRL locations
b. Validity date
c. Public key of the certificate owner
d. Serial number
8. Which standard format is used to request a digital certificate from a CA?
a. PKCS#7
b. PKCS#10
c. LDAP
d. TLS/SSL/HTTPS
9. When obtaining the initial root certificate, what method should be used for
validation of the certificate?
a. Sender's public key
b. Telephone
c. HTTPS/TLS/SSL
d. Receiver's private key
10. Which method, when supported by both the client and the CA, is the simplest to use
when implementing identity certificates on the client?
a. PKCS#7
b. PKCS#10
c. SCEP
d. LDAP
Element        Description               Page Number
Text                                     444
Text                                     445
Text           Certificate authorities   446
Text                                     446
List           Certificate components    447
Text                                     449
List                                     449
Text                                     450
Text           PKCS standards            450
Text           SCEP                      451
Text           Revoked certificates      451
Text           PKI topologies            452
Example 18-1                             457
Example 18-2                             458
Table 18-2                               461
crypto ca enroll: Cisco CLI command used to request (enroll for) an identity certificate from the CA configured for a trustpoint.