Tuesday, August 5, 2014

Assignment for Final. (PKI & Hardening)

Public Key Infrastructure (PKI)


What is PKI?

PKI (Public Key Infrastructure) is a process or method of determining the identity and validity of a person (or entity) that you have not previously met or interacted with through the use of certificates containing identifying information and public keys. PKI accomplishes this by defining a central authority who is mutually trusted by all users of the system (Gaulet, 2009).

There are different types of systems in a PKI:
  1. Private and Public Key Systems: Private systems are symmetric cryptography and public systems are asymmetric cryptography. Currently, public key systems are the most common.
  2. Symmetric Encryption Systems: The same key is used for both the processes of encryption and decryption.
  3. Asymmetric Encryption Systems: A different key is used for each process. If something is encrypted with the public key, then decryption can only be done with the private key. Alternatively, if something is encrypted with the private key, then decryption must be done only with the public key (Janssen, Public Key Infrastructure (PKI), 2014).

Digital Certificate Stores

To verify the identity of people and organizations on the Web and to ensure content integrity, Internet Explorer uses industry-standard X.509 v3 digital certificates. Certificates are electronic credentials that bind the identity of the certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign information digitally. These electronic credentials assure that the keys actually belong to the person or organization specified. Messages can be encrypted with either the public or the private key and then decrypted with the other key (Microsoft , 2014).

Certificates form the basis for secure communication and client and server authentication on the Web. You can use certificates to do the following:
  • Verify the identity of clients and servers on the Web. 
  • Encrypt channels to provide secure communication between clients and servers. 
  • Encrypt messages for secure Internet e-mail communication. 
  • Verify the sender's identity for Internet e-mail messages. 
  • Put your digital signature on executable code that users can download from the Web. 
  • Verify the source and integrity of signed executable code that users can download from the Web (Microsoft , 2014)
  
The following illustration shows the basic process of using public and private keys to encrypt and decrypt a message sent over the Internet.

                                        Dd361898.ierk601(en-us,TechNet.10).gif

 (Microsoft , 2014)

Web Browser example

Below is a typical flow for a one-way communication between a web browser and a web server over HTTPS. This system utilizes asymmetric keys for the initial handshake, and then a symmetric key to encrypt data thereafter.
  • Client browser hits your web server asking for identification.
  • The server responds by sending the client its public key (or certificate file).
  • The client browser then examines the certificate, checking it against its built in database of Certification Authority (CA) keys. If it has a CA root key installed for the CA used to sign the servers certificate and it checks out, then it trusts that the server is who it says it is.
  • Using the servers now validated public key, the browser generates and encrypts a symmetric key. It then sends it the server.
  • The server receives the encrypted symmetric key and decrypts it with its private key.
  • Now the client and server both have a copy of the symmetric key, efficient encryption / decryption can occur between the server and client (Inbound Traffic, 2014).

The Basics of Computer System Hardening

Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers such as the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between (Janssen, 2014).

Hardening’s goal is to eliminate as many risks and threats to a computer system as necessary (Janssen, 2014). For instance, employees in the IT department of a hospital or bank would employ some of the various means of protection on their systems to protect the privacy of the information they collect from their customers, as well as safeguard against unauthorized personnel having access to information they have not been cleared to have. 


Hardening activities for a computer system can includes the following:
  • Keeping security patches and hot fixes updated
  • Installing a firewall
  • Installing virus and spyware protection, including an anti-adware tool
  • Keeping a backup, such as a hard drive, of the computer system
  • Disabling cookies
  • Creating strong passwords
  • Never opening emails or attachments from unknown senders
  • Using encryption where possible
  • Implementing Hardening security policies, such as local policies relating to how often a password should be changed, how long and in what format a password must be in (Janssen, 2014).

In recent news reports, there have been news stories involving data breach of large companies such as Target (Sharf, 2014), and most recently, the restaurant P.F. Chang’s (London, 2014). Having a hardening security policy in place could have protected their systems from such breaches. It is not enough to plan, develop, and implement a data security plan. The last phase of the process, evaluation, has to be ongoing. Technicians must stay on top of current trends and make sure their systems are built proactively to potential security threats.


References

Gaulet, W. (2009, January 19). Summarizing PKI Certification Validation . Retrieved from Securism Blog: http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/
Inbound Traffic. (2014, January 22). How does PKI work? Retrieved from Inbound Traffic: http://inboundtraffic.net/how-does-pki-work/
Janssen, C. (2014). Hardening. Retrieved from Techopedia.com: http://www.techopedia.com/definition/24833/hardening
Janssen, C. (2014). Public Key Infrastructure (PKI). Retrieved from Techopedia.com: http://www.techopedia.com/definition/4071/public-key-infrastructure-pki
London, D. (2014, August 4). P.F. Chang's: 33 restaurants affected in data breach. Retrieved from USA Today: http://www.usatoday.com/story/money/business/2014/08/04/pfchang-credit-debit-card-data-breach/13567795/
Microsoft . (2014). Digital Certificates. Retrieved from Technet.Microsoft.com: http://technet.microsoft.com/en-us/library/dd361898.aspx
Sharf, S. (2014, August 5). Target Shares Tumble As Retailer Reveals Cost Of Data Breach. Retrieved from Forbes.com: http://www.forbes.com/sites/samanthasharf/2014/08/05/target-shares-tumble-as-retailer-reveals-cost-of-data-breach/



No comments:

Post a Comment