Public Key Infrastructure (PKI) is asymmetric encryption that has a Certificate Authority and the associated infrastructure to support issuing and managing certificates. Certificates are used for both encryption and authentication, and in this chapter, we are going to look at different encryption types and how certificates are issued and used. This is the most difficult module for students to understand, so we have focused on making the most difficult aspects seem easy. If you are going to be successful in the Security+ exam, you must know this module thoroughly.

In this chapter, we are going to cover the following topics:

• Public Key Infrastructure Concepts
• Asymmetric and Symmetric Encryption
• Cryptography Algorithms and Their Characteristics
• Comparing and Contrasting the Basic Concepts of Cryptography

The PKI provides asymmetric techniques using two keys: a public key and a private key. There is a certificate hierarchy, which is called the Certificate Authority, that manages, signs, issues, validates, and revokes certificates. Let's first look at the components of the certificate hierarchy. A certificate is known as an X509 certificate.

Certificate Hierarchy

The Certificate Authority (CA) is the ultimate authority as it holds the master key, also known as the root key, for signing all of the certificates that it gives to the Intermediary who issues the certificate to the requester.

Figure 2.1 – CA Hierarchy

Let's look at the CA hierarchy shown in the preceding diagram in more depth:

• Online CA: An internal online CA is always up and running so that people in the company can request a certificate at any time of the day or night. This would not be the case in a government or top-security environment.
• Offline...

There are two main types of encryption that use certificates: asymmetric and symmetric. We need to learn about each thoroughly. Let's start by understanding what encryption is, please remember that you are taking plaintext and changing it into ciphertext so that the information cannot be read by outside agencies.

Encryption Explained

Encryption is where we take plaintext that can be easily read and convert it into ciphertext that cannot be easily read, let us look at some different types of encryption.

• Substitution Cipher: Julius Caesar, who died in 44 BC, invented the first substitution cipher, where he moved each letter of the alphabet three places one way or another. This way, he could make his military plans unreadable if they had been intercepted. What he forgot about was that most people in those days could not read! This was called ROT 13, after the thirteen-letter rotation, and is now known as the Caesar cipher. For example...

Key stretching is where you append a random set of characters to a password to increase the size of the password and its hash, ensuring that a brute-force attack needs more compute time to crack the password.

• BCRYPT: BCRYPT is a password-hashing algorithm based on the Blowfish cipher. It is used to salt the passwords. A random string is appended to the password to increase the password length to help increase the compute time for a brute-force attack.
• PBKDF2: PBKDF2 stores passwords with a random salt and with the password hash using HMAC. It then iterates, which forces the regeneration of every password and prevents any rainbow table attack. A rainbow table is a list of passwords and their corresponding hash.

  Tip

  Symmetric encryption is used to encrypt large amounts of data as they have small, fast keys and use block ciphers.

Salting is a technique where random characters are appended to a password before it is hashed. This makes the password longer; it is similar to key stretching and increases the compute time for Brute Force attacks.

There are different cipher modes; most symmetric keys use a block cipher and can encrypt a large amount of data quicker than asymmetric encryption. Let's look at these in turn:

• Stream Cipher: A stream cipher is a method of encrypting text (to produce ciphertext) in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. It is normally used by asymmetric encryption.
• Block Cipher: A block cipher is where a block of data is taken and then encrypted; for example, 128 bits of data may be encrypted at a time. This is the method used today as it is much faster than a stream cipher. It is used by symmetric encryption with the exception of RC4.

Stream versus Block Cipher Analogy

We have two teams of four people who have been tasked with unloading a five-ton lorry full of skittles and placing them in a room on the bottom floor of a building.

There are skittles in boxes and there are skittles...

Traditional computer chips use bits to store data in values of 1 where the bit is switched on, and a 0 value where the bit is switched off. Quantum computing uses qubits, which can be switched on or off at the same time or somewhere in between. This is known as a superposition.

A traditional computer trying to find the way from A to B could only try a single path at any one time until it found the path; however, quantum computing could try every path at the same time. Quantum computing will make cracking encryption much faster and, at this moment in time, Google has created a quantum computer that is 53 qubits, known as Sycamore, that made calculations in a few minutes that would have taken an earlier supercomputer 10,000 years to calculate. Post-quantum computing could see a very powerful computer with massive qubits using Shor's algorithm to break PKI technology.

Blockchain was originally the technology that powered Bitcoin, but it has greater scope than that. It is a digital ledger of transactions where the data is stored in batches called blocks that are distributed to many computers. Therefore, if you wanted to tamper with the blockchain, it would be impossible as you would have to change the data on every computer holding a copy. As they say, there is safety in numbers.

Blockchain can be used to store financial, medical, or land sale transactions. This data is chained together with a block of data holding both the hash for that block and the hash of the preceding block. To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain. This is known as proof of work. Once that has been verified by those computers on this network, a new block is added to the end of the chain. Should...

Hashing is where the data inside a document is hashed using an algorithm, such as a Secure Hash Algorithm Version 1 (SHA1), SHA2, SHA3, and MD5. This turns the data inside the file into a long text string known as a hash value; this is also known as a message digest.

While you are hashing the same data, if you copy a file and therefore have two files containing the same data, then hash them with the same hashing algorithm. It will always produce the same hash value. Let's look at the following examples on hashing and data integrity:

• Verifying Integrity: During forensic analysis, a scientist takes a copy of the data before investigation. To ensure that they have not tampered with it during the investigation, they will hash the data before starting and then compare the hash to the data when finished. If the hash matches, then they know that the integrity of the data is intact.
• One-Way Function: For the exam, hashing is a one-way...

In this section, we are going to outline the uses of different aspects of cryptography.

Asymmetric – PKI

Asymmetric keys are obtained from a CA. If you are selling products or services with external entities, then you need to obtain your X509s from a public CA; otherwise, your internal certificates will not be accepted.

Asymmetric – Weak/Depreciated Algorithms

SSL should now be depreciated as it is weak; an example of an exploit is the POODLE attack, which is a man-in-the-middle attack that exploits the vulnerabilities of SSL 3.0 using CBC. Asymmetric algorithms should not be using a key whose strength is 2046 or lower. However, an SSL VPN is the only VPN that uses an SSL certificate and works with legacy clients.

Asymmetric – Ephemeral Keys

Ephemeral keys are short-lived keys that are used for a one-time-only session. There are two types of ephemeral keys: Diffie Hellman Ephemeral...

The Security+ exam is full of cryptographic terminologies, and in this section, we are going to start with obfuscation, which makes the code obscure. Try asking your family and friends to say the word obfuscation and watch them struggle. It is aptly named as the word itself is very obscure! You must know the terminology thoroughly.

Obfuscation

Obfuscation is the process where you take source code and make it look obscure, so that if it is stolen, it would not be understood. It is used to mask data. XOR, ROT13, and steganography could all be used for obfuscation in the Security+ exam.

Pseudo-Random Number Generator

Pseudo-Random Number Generator (PRNG) refers to an algorithm that uses mathematical formulas to produce sequences of random numbers. Random numbers can be used when generating data encryption keys.

Nonce

A nonce is an arbitrary number that can be used just once; it is often a random number.

Perfect Forward Secrecy

In the Security+ exam, the use case just means examples of when something is used. We are now going to look at examples of when different cryptography techniques are used.

Supporting Confidentiality

A company's data cannot be priced, and the disclosure of this data could cause grave danger to the company. If your competitors steal your secrets, they could beat you to the market and you would not get the rewards that you deserved. To prevent data from being accessed, we will encrypt the data to prevent it from being viewed and prevent any protocol analyzer from reading the packets. When people access the company's network from a remote location, they should use an L2TP/IPSec VPN tunnel, using AES as the encryption method to create a secure tunnel across the internet and to prevent man-in-the-middle attacks. Encryption could be coupled with mandatory access control to ensure that data is secure and kept confidential.

Supporting Integrity...

For these three practical exercises, you need a 2012/2016 server that is a domain controller.

If you are a home user and have access to a desktop with Windows 7, Windows 8.1, or Windows 10, and do not have a server, you can still complete the second exercise.

Practical Exercise 1 – Building a Certificate Server

To build a certificate server, follow these steps:

1. Log in to your 2012/2016 domain controller and open Server Manager.
2. Select Manage, followed by Add Roles and Features. Then, click Next three times.
3. On the Select Server Roles page, check the top box, Active directory certificate server. Select the Add Features button. Click Next three times. Check the CA box, then click Next, and then Install. This will take a few minutes. When finished, press Close.
4. On the Server Manager toolbar, double-click on the yellow triangle. This is a notification. In the post-deployment configuration wizard, double-click on the blue...

Now it's time to check your knowledge. Answer the questions, and then check your answers, which can be found in the Solutions section at the end of the book:

1. What type of certificate does a CA have?
2. If you are going to use a CA internally, what type of CA should you choose?
3. If you want to carry out B2B activity with third-party companies or sell products on the web, what type of CA should you use?
4. Why should you take your CA offline when not in use?
5. What type of encryption does PKI use?
6. Who signs X509 certificates?
7. What can you use to prevent your CA from being compromised and fraudulent certificates from being issued?
8. If two entities want to set up a cross-certification, what must they set up first?
9. What type of trust model does PGP use?
10. How can you tell whether your certificate is valid?
11. If the CRL is going slowly, what should you implement?
12. Explain certificate stapling/OCSP stapling.
13. What is the process...