site_logo

previous


  1. A+ Core 1 Practice Tests
  2. A+ Core 2 Practice Tests
  3. Network+ Practice Tests
  4. Security+ Practice Tests

CompTIA® Security+ : Cryptographic Tools And Products ,Core Concepts Of Pki

6.2 Use and apply appropriate cryptographic tools and products

Hash Algorithms : Hash algorithms produce a hash of a message and encrypt it. They use a mathematical formula for hashing, and it is extremely difficult to tamper with the message and still produce the same hash. Basically, Hashing enable a recipient to check whether a message is received intact without being tampered by a third party.

  • SHA (Secure Hashing Algorithms): There are several Secure Hashing Algorithms and they primarily differ in the hash length. They are SHA-1, SHA-256, SHA-384 and SHA-512. In SHA-1 the bit length is 160 bits, in SHA-256 it is 256 bits, for SHA-384, 384 bits and in SHA-512 it is 512 bits.

  • MD2, MD4, MD5 (Message Digest Series Algorithms): These are another type of hash algorithms. These algorithms were developed by Rivest. All three algorithms take a message of arbitrary length and produce a 128-bit message digest. MD2 is meant for 8 bit machines and MD4, MD5 are suitable for 32 bit machines. These algorithms are primarily used for digital signature applications.

  • CHAP (Challenge Handshake Authentication Protocol) works on point to point connections. It uses a three step process for authentication (excluding making the connection itself). If making the connection is also involved, it would be a 4 step process.

A cryptographic hash function is a "one-way" operation. It is practically not possible to deduce the input data that had produced the output hash.
You can decrypt an encoded message using matching secret key. Similarly, Digital certificate is issued by a CA, and can be decrypted to find the contents of the certificate.

PGP uses public-key encryption for sending and receiving email messages. Diffie-Hellman and RSA algorithms are used for encryption/ decryption of PGP messages.

Encryption Schemes:

  • AES (Advanced Encryption Standard) is more secure than DES or 3DES.

  • AES is a symmetric block cipher that can encrypt (encipher) or decrypt (decipher) information

  • AES is based on Rijndael algorithm

  • PGP (Pretty Good Privacy) can use Diffie-Hellman or RSA algorithms, but not AES or DES.

PGP (Pretty Good Privacy) : PGP certificates differ from X.509 certificates in two ways:

  • PGP certificates are issued (signed) by normal people while the X.509 certificates must be issued by a professional CA, and

  • PGP implements a security fault tolerance mechanism, called the Web of Trust. Here an individual is allowed to sign and issue certificates to people they know

6.3 Explain the core concepts of public key infrastructure

Three basic types of distributed trust models are:

Hierarchical trust model : Here one root CA and one or more subordinate CAs will be present. The subordinate CAs provide redundancy and load balancing. The root CA is usually off-line. Here even if a subordinate CA is compromised, the root CA can revoke the subordinate CA, thus providing redundancy.

Web of Trust : This is also called cross-certification model. Here CAs form peer-to-peer relationship. This model is difficult to manage as the number of CAs grow larger. This kind of trust relationship may happen when different divisions of a company has different CAs, and need to work together. Here CAs must trust one another.

Bridge CA architecture : Bridge CA overcomes the complexity involved with Web of Trust model. Here Bridge CA act as the central co-ordinate point. All other CAs (known as principals) must trust only the Bridge CA.
If the CA's private key is compromised, certificates' private key is compromised, certificates issued by that CA issued by that CA are affected. This will lead to issuance of new certificates to all users, and registration. These problems can be overcome by use of a distributed trust model, in which multiple CAs are involved.

In public key infrastructure

  • A key is required to encode/decode a message, and the security of a message depends on the security of key.

  • A cipher text is the encoded message, and

  • A certificate is a digitally signed document by a trusted authority.

Certificate Revocation List (CRL) : A certificate revocation list (CRL) is a list of certificates, which have been revoked, and are no longer valid. A digital certificate is a credential issued by a trusted authority that binds you (and individual or an organization) to an identity that can be recognized and verified electronically by other agencies. Locally issued digital certificates are valid only within an organizations network (like intranet). Therefore, any secure pages or digital signatures containing local registration will not work on the Internet.

6.4 Implement PKI, certificate management and associated components

Public Key Infrastructure (PKI) : It is a framework for all of the entities involved in digital certificates-including hardware, software, people, policies, and procedures to create, store, distribute, and revoke digital certificates. PKI is essentially digital certificate management.

Recovery agent : It is responsible for recovering lost or damaged digital certificates

Certificate Revocation List (CRL) : A certificate revocation list (CRL) is a list of certificates, which have been revoked, and are no longer valid. A digital certificate is a credential issued by a trusted authority that binds you (and individual or an organization) to an identity that can be recognized and verified electronically by other agencies. Locally issued digital certificates are valid only within an organizations network (like intranet). Therefore, any secure pages or digital signatures containing local registration will not work on the Internet.

Key escrow : Key escrow refers to a process in which keys are managed by a third party, such as a trusted CA. In key escrow, the private key is split and each half is encrypted. The two halves are sent to the third party, which stores each half in a separate location. A user can then retrieve the two halves, combine them, and use this new copy of the private key for decryption. Key escrow relieves the end user from the worry of losing her private key. The drawback to this system is that after the user has retrieved the two halves of the key and combined them to create a copy of the key, that copy of the key can be vulnerable to attacks.

Trust Models : A trust model refers to the type of trusting relationship that can exist between individuals or entities. In one type of trust model, direct trust, a relationship exists between two individuals because one person knows the other person.

A third-party trust refers to a situation in which two individuals trust each other because each trusts a third party.

There are essentially three PKI trust models that use a CA.

  • The hierarchical trust model assigns a single hierarchy with one master CA called the root. This root signs all digital certificate authorities with a single key.

  • Distributed trust model has multiple CAs that sign digital certificates. This essentially eliminates the limitations of a hierarchical trust model; the loss of a CA's private key would compromise only those digital certificates for which it had signed, the workload of verifying and signing digital certificates can be distributed, and there is no competition regarding who can perform the functions of a CA

  • Bridge Trust Model The bridge trust model is similar to the distributed trust model in that there is no single CA that signs digital certificates. However, with the bridge trust model there is one CA that acts as a "facilitator" to interconnect all other Cas. This facilitator CA does not issue digital certificates; instead, it acts as the hub between hierarchical trust models and distributed trust models.

previous



simulationexams.com ad


certexams.com ad

Disclaimer:TutorialsWeb.com is neither associated nor affiliated with CompTIA® or any other company. A+, Network+, Security+, Server+ are trademarks of CompTIA® organization and duly acknowledged. The Cram Notes material is a copyright of TutorialsWeb.com and the same is not approved or endorsed by respective certifying bodies.