CISSP Domain 3 Review / Mind Map (7 of 9) | Digital Certificates, Digital Signatures & PKI

hey i'm rob witcher and i'm here to help you pass the cissp exam we're going to go through a review of the major topics related to digital certificates digital signatures public key infrastructures and key management in domain 3 to understand how they interrelate and to guide your studies this is the seventh of nine videos for domain three i've included links to the other mind map videos in the description below in the last video video six in domain three we started our voyage through the wonders of cryptography let's now delve a little deeper into what cryptography

enables us to do with digital signatures and digital certificates and how we can establish trust on an untrusted network like the internet via public key infrastructures and how we must carefully manage encryption keys we'll begin with digital signatures digital signatures provide three major and very useful services integrity authenticity and non-repudiation we create and use digital signatures in all sorts of different places sending emails and using digital signatures to verify the integrity authenticity and unreputation of a message code signing so that we can verify that an update we just downloaded to our iphone actually came from

apple and that it wasn't modified in transit signing legal documents such as pdfs allowing others to verify who specifically signed the document let's now go through these services the digital signatures provide in a wee bit more detail integrity means that we can tell if a message or file has been changed or modified in any way authenticity means we know who the message came from we know who the sender is and non-repudiation means someone cannot deny the validity of something they are two scenarios in which we can achieve non-repudiation with digital signatures non-repudiation of origin means

the sender cannot deny that they sent exactly the message that was received and non-repudiation of delivery means the receiver cannot deny that they received the exact message that was sent now on to digital certificates digital certificates are used to verify the owner of a public key you often need someone's public key to securely communicate with them and they need yours you could just exchange public keys across the internet you could for instance send me your public key but anyone could intercept and modify your key or more likely swap out your key for theirs and the

major problem here is i would have no idea this happened i would have no idea that the key i received actually belongs to some sketchy character out there and not you this is a major problem you cannot for instance securely communicate with your online bank unless you know you have your online bank's public key digital certificates solve this problem digital certificates allow us to verify who a public key belongs to a couple of the important bits of information that a digital certificate contains is the name of the owner of the public key and a copy

of their public key thus allowing us to verify who a public key belongs to i'm obviously glossing over a lot of the specifics of how this works if you want to dig a little deeper i created a more detailed video specifically on digital certificates which i've linked to in the description below digital certificates can be created by loads of different organizations you can get a digital certificate from one of the big certificate authorities such as komodo symantec digicert or rentrust and everyone in the world will trust that certificate you can get a digital certificate from

say your company and that certificate will only be trusted within your company you can even create your own self-signed certificate that no one but you will trust because certificates can be created by so many different entities in so many different situations we need a standard to make sure all these certificates are interoperable that standard is 509 certificate authorities will typically issue a certificate that is valid for one or two years an expiry date will be noted in the digital certificate itself and when that expiry date has been reached or just before it a new digital

certificate will need to be created this is replacement the regular replacement of expired certificates and you can easily see when a certificate needs to be replaced based on the expiry date noted in the digital certificate itself revocation is an entirely different matter digital certificates contain a copy of a public key a public key is one key in a key pair the other key being the associated private key the public key can be shared with anyone and everyone the associated private key must remain private if the associated private key is compromised you can never trust any

communications from that entity you can't trust the associated public key this is where certificate revocation comes into play if for instance your private key has been compromised then you need to immediately tell everyone not to trust your associated public key the way you do this is by contacting your certificate authority and asking them to revoke your digital certificate the ca maintains a list of all the revoked certificates before you trust the public key in any digital certificate you should first check with the ca to see if the certificate has been revoked if the certificate has

been revoked then you should absolutely not trust the public key contained within it how do you check to see if a certificate has been revoked or more specifically how would the software you use like your web browser check for you there are two protocols crl certificate revocation list is the older less efficient way of checking with a ca to see if a certificate has been revoked a client asks the ca if a certificate is being revoked and the ca responds by sending a large file which lists all the certificates that have ever been revoked and

then the client needs to search through this giant list to see if their certificate of interest has been revoked or not lots of overhead ocsp online certificate status protocol is a much newer and more efficient protocol the client queries the ca for the revocation status of a specific certificate and the ca responds it's being revoked you should run screaming or nope all good live long and prosper i may have just taken some comedic license there with exactly how the ca responds to the ocsp queries but you know it's something like that the final bit we'll

talk about related to digital certificates is certificate pinning the idea here is that if we download a digital certificate from say a server there is a very small but non-zero chance that an attacker could intercept that certificate and forward on a spoofed certificate google diginotar if you want to read about a real-world example of where this has happened so if we're worried about being sent a spoofed certificate we can instead trust the local certificate we have on our system already a certificate we have pinned how did we get this local certificate the less secure way

is to pin the first certificate you received from a server the first time you talk to the server the more secure way is to use a piece of software that comes with pre-installed pinned certificates from whoever made the software significant issues have actually been found with pinning and it's been superseded with certificate transparency but now you know about certificate painting in case it comes up on the exam all right now let's talk about how we create the whole infrastructure that allows us to trust users and systems across an entirely trustworthy environment like the internet public

key infrastructures is the broad set of roles policies procedures hardware and software that is used to create distribute use store replace and revoke digital certificates and we do all of this so that we can use digital certificates to bind a public key to its owner to trust who or what we are communicating with all the trust in a pki is ultimately rooted in the certificate authority which is why the ca is often referred to as the root of trust the ca uses its private key to encrypt some data including the name of the owner and

their public key to create a digital certificate because the ca is the only entity in the world that has their private key the ca's private key no one can modify certificates the ca creates or create spoof certificates that look like they came from the ca on the flip side anyone can decrypt a digital certificate that has been created by one of the big public cas because everyone has their public key how do we all have the big cas public keys they come pre-installed in our browsers like firefox chrome savari and other software we use before

a ca will create a digital certificate for you they first need to proof your identity to confirm you are who you say you are the role within the ca that performs the identity proofing is known as the ra the registration authority now i mentioned that the certificate authority creates a digital certificate by encrypting a bit of data including the name of the owner and the public key with the ca's private key this is an oversimplification and in fact a bad idea if the ca was encrypting new certificates using its private key that would mean that

private key would have to be on a system that is online connected to the wildly untrusted internet and if the ca's private key is ever compromised this whole entire system goes up in flames no one can trust anyone it's the end of the world okay yes that's a bit early dramatic but it was really bad if the ca's private key is compromised you can't trust any digital certificate the ca has ever issued and therefore you can't trust a whole lot of entities websites on the internet to avoid this major risk of the ca's private key

being stolen the private key is in a system that is offline air-gapped not connected to the internet in a giant vault within another vault surrounded by hungry dogs underneath a mountain in an undisclosed location it is as unavailable as it can be alright so if the root private key is offline how do certificates get signed and created the ca's private key is used to sign intermediate certificates which can then be used to sign issuing certificates and those issuing certificates can then be used to sign entity certificates the certificates that we pay a ca to make

for us this is often referred to as the chain of trust you can follow the chain of trust back up to verify that ultimately it was the ca's private key that was used to sign the first certificate in the chain so if you get a question asking you which role in the city issues certificates the perfect answer is the issuing ca and not the root ca the ca needs to maintain a list of all the certificates they've ever issued and which have been revoked this data is stored in the certificate database each ca maintains their

own certificate database endpoint systems like our desktops laptops and mobile phones need to securely store our private keys and any other keys and certificates we might need like the big ca's public keys the certificates store is the local secure storage place for all such keys on our systems every endpoint device will have its own little certificate store let's now talk in a little more detail about keys and why we need to put so much focus and effort into key management there's an expression i like the hardest part of security is cryptography and the hardest part

of cryptography is key management why is key management so critically important our guy kirchhoffs summed it up nicely in 1883 with his principal a cryptosystem should be secure even if everything about the system except the key is public knowledge an attacker can know the algorithm being used the initialization vector can have access to the cipher text the attacker can know all of this and the information will remain secure so long as the key is kept secret this obviously implies that we need to do a very good and very secure job of generating keys distributing keys

storing keys rotating keys disposing of keys and even recovering keys so let's talk through each of these key management activities key generation or key creation is all about creating new symmetric or asymmetric key pairs what is of critical importance is that each new key must be randomly selected out of the entire key space to avoid the plague of cryptography patterns heat distribution is focused on securely transmitting these shiny new keys to whoever may need them and no one else a few options to know about for key distribution you could use the diffie-hellman key exchange protocol

which uses asymmetric cryptographic techniques to generate the same key for two people without sending the key itself you could use out of band which means sending the keys through some other communications channel you could write out the key and post it in a letter or send it via carrier pigeon or perhaps you could call someone and read them a string of 256 ones and zeros that would be fun for everyone involved or more realistically and much more commonly used you could use hybrid cryptography you could encrypt the symmetric key that you need to send to

alice with say alice's public key you could then send this ciphertext over to alice and only she could decrypt the ciphertext with her private key we call this hybrid cryptography because we're distributing sending a symmetric key using asymmetric cryptography and then once the receiver has securely received the symmetric key you can switch over to symmetric cryptography to encrypt and decrypt lots of data quickly and efficiently this is exactly how a super popular protocol like tls works hybrid cryptography when keys have been created and or received they need to be stored in an extremely secure location

there are two pieces of hardware that are purpose built to securely store encryption keys that you need to know about tpm trusted platform modules are little tiny computer chips that are built into endpoint devices like a desktop laptop or mobile phone and tpm modules are designed to very securely store encryption keys a tpm module for instance is required if you want to have whole drive encryption hsms hardware security modules are typically external standalone devices that are used to both securely store encryption keys for the enterprise and to act as cryptographic accelerators to for example quickly

and efficiently perform encryption and decryption and verify digital signatures it is a good idea to periodically change encryption keys this is often referred to as he rotation rotating to a new symmetric e or asymmetric key pair how often encryption keys are rotated is entirely dependent on the value of the data being protected and the risk of keys being compromised among other factors sometimes we need to securely destroy every single copy of a key defensively destroy the encryption keys why one reason we might want to destroy every single copy of a key is so that we

can crypto shred some data the idea of crypto shredding is to securely destroy data by destroying the encryption keys used to encrypt the data if all the data you want to cryptoshred has been encrypted with an excellent algorithm like aes with a 256-bit key and then you destroy every single copy of that key used to encrypted data then the data has been crypto shredded rendered unrecoverable and essentially therefore destroyed sometimes we may need to recover a lost key and there are a few different ways we can recover keys split knowledge split the knowledge of the

key up amongst two or more people in order to recover the key these folks need to get together and combine each of their bits of knowledge to recover the complete key dual control two or more people need to perform some action to recover the key i always think about how they launch a nuclear missile alright let's do it insert launch key standby two people have to turn their keys at exactly the same time on my mark three two one mark t minus 50. same sort of idea with dual control in order to recover the key

two people have to do something together to recover the key key escrow a copy of the encryption key is stored kept in escrow with a trusted third party if you need to recover the key you ask for a copy of the key stored with the trusted third party and that is an overview of digital certificates digital signatures pki and key management within domain 3 covering the most critical concepts to know for the exam in the next video we'll talk about cryptanalysis and how we try and break all of this if you found this video helpful

you can hit the thumbs up button and if you want to be notified when we release additional videos in this mind map series then please subscribe and hit the bell icon to get notifications i'll provide links to the other mind map videos in the description below thanks very much for watching and all the best in your studies