Public Key Infrastructure PKI Concepts

Captions
Hi, I'm Lisa Spooner, and this lesson, Public Key Infrastructure Concepts, is part of the CompTIA Security+ training course. In this lesson we'll start with an overview of what public key infrastructure is. Then we'll talk about the public and private key pair and what the difference between the two is. Next, digital certificates and how they solve the problem of authentication. Then we'll talk about the certificate authorities, otherwise known as the CA. Then, with just those few concepts under our belt, we can start on how PKI works. Next we'll talk about registration authorities and how the RA does some administrative tasks for the CA. Then certificate revocation lists, recovery agents (what to do if the key gets lost) and key escrow, and we'll talk about the difference between key escrow and recovery agents. Now, this lesson talks about the core concepts of public key infrastructure. That's what you'll need to learn before learning the real-life implementations of PKI and certificate management that we'll discuss in a future lesson.

First, that overview I promised you. PKI is a two-key encryption system. Having two keys, the word for that is asymmetric. Now, it's important to note that PKI is a framework, like a guideline, that different systems, vendors and technologies can interpret and use to provide authentication and confidentiality in their data transmissions. So it's a set of rules, right? And one being they have to have two keys. The key length is up to you, the encryption algorithm you use is up to you, but you have to have those two keys. So PKI provides confidentiality with that encryption, and it provides authentication with the use of digital certificates, which we'll talk about in a minute.

But first let's start with those two keys. So let's say you want to send a secure message to Alice. Now, Alice has a key pair, a public key and a private key, and those two keys are mathematically related. They were created by a special algorithm at the same time. So let's see how this works. You request Alice's public key. Now, that's public, meaning anyone can see it, anyone can have it, so she sends it to you. Then you use that public key to encrypt the message that you want to send Alice, and you send it back. Now, so far not so secure sounding, right? Just wait. Anything encrypted with this public key cannot be decrypted with that same key. It has to be decrypted with the pair to it, the private key, which only Alice has. So she uses that private key to decrypt the message and read it. Now, this is great for confidentiality, right? Nobody can intercept that message in between and decrypt it, because they don't have Alice's private key. But how do we really authenticate? I mean, someone could be pretending to be Alice using a different public/private key pair, send you their public key, decrypt the message with the private key, and you'd never be the wiser. Well, that's where digital certificates come in.

So now we get to authentication. Digital certificates associate a particular public key with an individual, a company, an organization, whoever it is that owns that public key. Digital certificates are issued by a certificate authority. So what's contained in those certs? Well, a common certificate standard is the X.509, and it contains fields like: when is the cert valid (not before this date, not after this date), what algorithm is used for encryption, what's the public key (that one's important, right?), oh, and the issuer, that's the certificate authority. Let's talk about that now.

A certificate authority is a server responsible for issuing, revoking and distributing digital certificates. This is often a trusted third-party organization. Commercial examples are DigiCert and Verisign, but companies and organizations can create their own in-house CA. For example, the Windows Server products offer tools to create a local certificate authority. The CA also stores the public keys in a directory that is available to anyone that wants to verify your certificate.

Now that we have added the CA, that secure message transfer gets even better. Again, you'll want to send a message to Alice. Here's how it would look using public key infrastructure. Alice has already registered and has a digital certificate from the CA. You request Alice's certificate from the CA (remember, one of the CA's responsibilities is distributing the certs), or Alice could send it herself. It's public. How we know it actually belongs to Alice is that it is signed by the CA, and we trust the CA. So you get the certificate, you encrypt your message using Alice's now verified public key that's contained within the cert, and you send it to Alice. No one can decrypt it along the way without Alice's private key. She uses that private key, decrypts the message, reads it.

Now, I know that I said that we'll be talking about PKI implementations in a future lesson, but I just wanted to show you real quick a place where PKI is used in our daily lives. Come with me. Public key infrastructure is used all over the web in the form of SSL certificates. Now, verifying who you're interacting with is especially important when shopping online. So here I am at TrainSignal.com, and if I add a product to my cart and begin the checkout process, if I right-click on the checkout page, click Properties and then Certificates, I can see that SSL cert. If I go to Details, here's version 3 of that X.509 standard I was talking about. There's a ton of information here. The issuer is Verisign. The subject is actually who owns the cert, that's Train Signal. And here's that public key. Beautiful, isn't it? OK, I just wanted to give you a quick peek. Let's go back now.

Let's talk about registration. Registration authorities help PKI even more by acting as a kind of secretary or administrative assistant for the CA. It takes some of the workload off of the CA. When the RA is involved, you interact with the RA server directly. You provide the RA with your information, and your payment if it's a third party. The RA verifies this documentation before confirming that the CA can issue and sign the certificate. The RA does not sign the certificate itself. Now, when you send this information to be verified, one thing that you might send them is your public key. If the key pair was generated locally, you would need to provide your public key. This is more secure than if you relied on the CA to create that key pair. Now, creating the key pair locally or the CA creating it, both ways are common.

For PKI to work, digital certificates need to be kept up to date and valid. To keep track of certs that can no longer be used, the CA maintains certificate revocation lists. The CRL is published hourly or daily, really often, and the CA sends the list to anyone that subscribes to it and makes it available to anyone that requests it. Some reasons a cert might be on the CRL: well, that's expired, or it's been revoked. Say it has a, ooh, compromised private key, or an HR reason, like the key owner no longer works for the company, or the company itself has changed names, physical address, CNS, or any reason prior to expiration. It's revoked, and this is permanent. A new cert would have to be issued. Sometimes a cert is just suspended, say an employee takes a leave of absence. In this case the reason for revocation listed on the CRL will be a certificate hold. The cert owner or an authorized administrator can request the cert be revoked, so it's very important, the second that you find out that a key has been compromised or any other reason, you send that revocation request ASAP. And it's important to know that verification happens at this stage of the game too: the CA verifies that the request is from the cert owner, or someone verified to make this request, before it's put on the CRL.

So what if a key gets lost? PKI allows for the option of maintaining a secure key recovery server and an authorized person or persons who have access to it. A key recovery agent is an actual person, and that person is authorized to retrieve keys in certain cases. Now, the recovery agent isn't recovering keys that have been lost as in let loose in the world, but more like forgotten. Say a user's key was stored on a local computer and that computer crashed. In that case you could get the user up and running again on a new computer after recovering their private key. The system of having a recovery server and recovery agents is usually used in locally maintained public key infrastructures. I think it goes without saying that this server must be kept extremely secure. In some cases there is actually more than one recovery agent, and both must be present to retrieve the lost key. That's a great example of separation of duty, don't you think? When recovering the key, the recovery agent must provide the following things: proof that the request is from an authorized recovery agent, the name of the key owner, the time the key was created, and the issuing CA server. So having a recovery agent isn't something that you want to think of after the key's been lost, but a system you want to have in place before it does. Again, this whole system is optional. If no recovery system is in place and a key gets lost, a new cert must be issued and the old one placed on the certificate revocation list.

Like the key recovery server, the key escrow agency or key archival system keeps secured copies of private keys. That's called key escrow. But this time they are not available to the recovery agent. Instead, they are available to law enforcement during a formal investigation, and in theory a warrant would be needed before accessing the private keys. Sometimes there are multiple databases with only part of the private key kept in each. That's that separation of duty again, making the private key even more secure. In 1995 the US government tried to mandate that copies of all private keys be kept in escrow, but they soon gave up on that demand due to public outcry and conspiracy theories. Today key escrow is optional but not uncommon.

And that's it. But before we wrap up the lesson, here are the new terms that were introduced in this lesson and the ones that you'll want to have down pat for the exam. First, public key infrastructure: PKI is the framework for encryption that associates a public key with a verified person or system. Next, public key is the part of the key pair that is available and distributed to the public. The private key is the part of the key pair that is secret and used only by the key owner. Certificate authorities: CAs are responsible for issuing, revoking and distributing digital certificates, and those are certificates that verify whom a public key belongs to. Then we have registration authority: the RA verifies the prospective key owner's identity and sends it to the CA to issue a cert. Certificate revocation lists: that's a frequently published list of certificates that are no longer usable for a variety of reasons. Recovery agent is a person who is authorized to recover lost private keys in certain cases. And last, key escrow: keeping secured copies of private keys for law enforcement purposes.

All right, what have we covered in this lesson? First we did a quick overview of what public key infrastructure is. Remember, there was an emphasis on the word infrastructure. This is not one particular technology but a framework used by many technologies, and each vendor can interpret this however they choose, and some still aren't compatible with each other. Next we talked about the public and private key pair. Remember, the public is public, the private is private, and the pair is mathematically related and generated at the same time. Then we talked about digital certificates, some of the info contained on them and how they are issued. Then we discussed the big bad certificate authority and how it has the most important job within PKI. Then I showed you a nifty diagram of how PKI works to send a secured message to Alice, and only Alice, and you can still sleep at night knowing that no one else can read it. Then we talked about registration authorities and how it helps offload some of the grunt work for the CA. Then we talked about certificate revocation lists. Those are lists of certs that can no longer be used. Sometimes the CRL contains information about why the cert was revoked and when the last time communication with that cert was considered secure. Last we talked about recovery agents and key escrow, both ways to back up your private keys, one for you and one for the government.

I hope you enjoyed watching this lesson on public key infrastructure. I know I enjoyed creating it. Thanks for watching.
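
The flow the lesson describes (key pair generated locally, CA signing, certificate and CRL checks before encrypting, then revocation), as an added example using the OpenSSL command line; it is not part of the video or its captions. The names "Example CA" and "alice", the file names and the helper functions are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. "Example CA" and "alice" are constructed names; files go in a temp dir.
set -eu
cd "$(mktemp -d)"
# 1. The CA: a self-signed root certificate that relying parties already trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example CA" -days 30 2>/dev/null
# 2. Alice generates her key pair locally; only the public key leaves her machine (in a CSR).
openssl req -new -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
  -subj "/CN=alice" 2>/dev/null
# 3. The CA signs the request, binding the name "alice" to that public key.
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out alice.crt -days 7 2>/dev/null

# Minimal config so `openssl ca` can keep a revocation database and sign CRLs.
: > index.txt
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = example_ca
[ example_ca ]
database = index.txt
default_md = sha256
default_crl_days = 1
certificate = ca.crt
private_key = ca.key
EOF

publish_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; }

# Relying-party check: CA signature, validity dates and CRL status must all pass.
cert_is_valid() {
  openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$1" >/dev/null 2>&1
}

# Sender: encrypt to the public key inside the certificate, but only if it verifies.
encrypt_to() {  # $1 = certificate, $2 = plaintext, $3 = output file
  cert_is_valid "$1" || return 1
  openssl x509 -in "$1" -pubkey -noout > recipient.pub
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey recipient.pub \
    -pkeyopt rsa_padding_mode:oaep -out "$3"
}
# Recipient: only the matching private key recovers the plaintext.
decrypt_with() { openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep -in "$2"; }
# CA: record the revocation (reason: key compromise) and publish a fresh CRL.
revoke() { openssl ca -config ca.cnf -revoke "$1" -crl_reason keyCompromise 2>/dev/null && publish_crl; }

publish_crl
encrypt_to alice.crt "hello alice" msg.enc && decrypt_with alice.key msg.enc && echo
```

After `revoke alice.crt`, both `cert_is_valid alice.crt` and `encrypt_to` fail, because the freshly published CRL now lists the certificate's serial number.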
Info
Channel: RadwanoVetch
Views: 215,060
Rating: 4.8895416 out of 5
Id: t0F7fe5Alwg
Length: 15min 17sec (917 seconds)
Published: Thu Mar 27 2014