You're reading from CompTIA CASP+ CAS-004 Certification Guide

Product type: Book
Published in: Mar 2022
Publisher: Packt
ISBN-13: 9781801816779
Edition: 1st Edition
Author: Mark Birch

Mark Birch is an experienced courseware developer and teacher in both information systems and cyber-security. Mark has been developing content and teaching CompTIA A+ classes for more than 20 years and understands the subject area in great depth. Mark began his career working within the aerospace industry (for a major defense contractor) and has over 30 years' experience consulting, engineering, and deploying secure information systems. He has spent over 20 years working with the United States Military and United Kingdom Armed Forces, helping many students attain their learning goals. Mark has ensured that soldiers, officers, and civilians have had the best opportunities to gain cyber-security accreditation.

Chapter 12: Implementing Appropriate PKI Solutions, Cryptographic Protocols, and Algorithms for Business Needs

Public key infrastructure (PKI) is of vital importance to an organization of any size and becomes a necessity for a large enterprise. PKI gives an organization the tools to verify and authenticate the keys that will be used to secure its data. Without PKI, we cannot rely on encryption keys, as their authenticity cannot be verified. When a key pair is generated, we need to bind a trustworthy signed certificate to the unique public key, much as a passport is issued to a trustworthy citizen. Without PKI, we cannot use online banking, e-commerce, smart cards, or virtual private networks (VPNs) with any assurance.

It is important to understand how the entire process works and the potential problem areas that may need to be managed using troubleshooting skills. In this chapter, we will take a look at the following topics:

  • Understanding the...

Understanding the PKI hierarchy

A PKI hierarchy describes the main components needed to process certificate signing requests (CSRs), authorize requests, and perform the signing process. Each component of the PKI plays an important role. In Figure 12.1, we can see an overview of the PKI hierarchy:

Figure 12.1 – Common components of PKI

We will now learn about these components.

Certificate authority

A certificate authority (CA) consists of an application server running a service called Certificate Services (or the equivalent daemon on Linux/Unix). There may be multiple levels of CA, but there will always be a root CA, and there will normally be at least one more layer, known as the subordinate or intermediate CA. The root CA is typically kept in a secure location, in many cases isolated (or air-gapped); it only needs to be powered up and available to sign intermediate CA signing requests. For redundancy, an enterprise may...

Understanding certificate types

Large enterprises have very specific needs when enrolling for certificates; sometimes the goal may be ease of administration or the flexibility to add additional sites to an e-commerce operation. In some cases, customers may need the assurance provided by highly trusted certificates. Here are some common types of certificate in use.

Wildcard certificate

A wildcard certificate allows an organization to host multiple websites, using a single key pair, with a single certificate. There may be restrictions or additional costs based upon the number of sites hosted. The wildcard certificate requires all sites covered by the certificate to share the same Domain Name System (DNS) domain name; only the hostname of each site can differ. Figure 12.3 shows a wildcard certificate:

Figure 12.3 – Wildcard certificate

It is possible to host multiple sites while changing only the DNS hostname for each site.
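The matching rule behind a wildcard certificate is easy to get wrong when planning which sites one certificate will cover, so here is an added example (not code from the book) that implements it in plain Python with no third-party libraries. The wildcard must be the whole leftmost label and stands in for exactly one label, so `*.example.com` covers `www.example.com` and `shop.example.com` but not `example.com` itself, not a deeper name such as `api.eu.example.com`, and a pattern such as `*.com` is refused outright, mirroring what public CAs will issue. The site names are constructed for the demonstration.

```python
"""Wildcard certificate name matching (added example; not from the book)."""
from __future__ import annotations

import re

# A single DNS label: letters, digits and hyphens, 1-63 characters, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, strip a trailing dot, split into labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def is_valid_wildcard_pattern(pattern: str) -> bool:
    """Accept only '*' as the entire leftmost label, followed by at least two real labels.

    This rejects partial-label wildcards (w*.example.com) and wildcards that would
    span a whole top-level domain (*.com).
    """
    labels = _labels(pattern)
    return (
        len(labels) >= 3
        and labels[0] == "*"
        and all(_LABEL.match(label) for label in labels[1:])
    )


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` is valid for `hostname`."""
    host = _labels(hostname)
    if not host or not all(_LABEL.match(label) for label in host):
        return False
    if "*" not in pattern:
        return _labels(pattern) == host  # plain name: exact match only
    if not is_valid_wildcard_pattern(pattern):
        return False
    pat = _labels(pattern)
    # The wildcard consumes exactly one label; everything to its right must match.
    return len(host) == len(pat) and host[1:] == pat[1:]


def covered_hosts(pattern: str, candidates: list[str]) -> list[str]:
    """Filter a list of site names down to those a certificate for `pattern` covers."""
    return [h for h in candidates if hostname_matches(pattern, h)]


if __name__ == "__main__":
    # Constructed sample site list for the demonstration; not real infrastructure.
    sites = ["www.example.com", "shop.example.com", "example.com", "api.eu.example.com"]
    print(covered_hosts("*.example.com", sites))  # ['www.example.com', 'shop.example.com']
```

Two practical consequences follow from the one-label rule: the bare domain usually needs its own name on the certificate (or a SAN entry), and every host that uses the wildcard shares the same private key, so that key must be protected on each of them.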

Extended validation...

Understanding PKI security and interoperability

It is important to understand why a CA needs to be trusted and independently verified by third-party auditors. There are security best practices that ensure hosted e-commerce and financial sites have robust configurations. It is also important that CAs can work together using trusted certificates.

Trusted certificate providers

Commercial CAs must adhere to recognized standards, and there are industry associations that govern CAs. In order to offer CA services, you must be independently audited by a recognized auditor. Microsoft recognizes audits under the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) as meeting its stringent requirements. An annual audit must be performed to remain compliant with Microsoft policies. If a CA meets these requirements, then its root certificates can be trusted. In Europe, the recognized authority for auditing CAs is European...

Troubleshooting issues with cryptographic implementations

In an enterprise PKI implementation, we can expect to see compatibility, configuration, and operational problems that cause communication to be disrupted or carried out insecurely. It is important to recognize where these problems could occur and to mitigate them through effective policies and procedures.

Key rotation

It is important to recognize the benefits of key rotation in ensuring that data confidentiality is maintained. Keys can be rotated automatically or manually, based upon the organization's policies, or rotation may be dictated by regulatory compliance. If a key is compromised, then it should be revoked immediately. The Payment Card Industry Data Security Standard (PCI DSS) requires that keys are rotated on a regular basis, based upon the number of records or transactions that have been encrypted. There are other considerations that an organization should have, including staff turnover...
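The distinction the paragraph draws, rotation on a usage or age threshold versus immediate revocation on compromise, is easiest to see in code. The following is an added example (not code from the book) using only the Python standard library: each key has an identifier (kid), records are tagged with the kid of the key that protected them, rotation retires the current key from protecting new records while keeping it available to verify old ones until they are re-keyed, and revocation removes the key from both roles at once. An HMAC-SHA256 tag stands in for the encryption that would be applied to records in a real deployment, and the thresholds, clock values and record contents are constructed for the demonstration, not PCI DSS figures.

```python
"""Versioned keyring with rotation and revocation (added example; not from the book)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    kid: str          # key identifier stored alongside every protected record
    secret: bytes     # 256-bit key material
    created: float    # creation time (seconds)
    uses: int = 0     # number of records protected with this key
    revoked: bool = False


class RotatingKeyring:
    """Rotates on a usage count or age threshold; revokes immediately on demand."""

    def __init__(self, max_uses: int, max_age_s: float, now=time.time):
        self.max_uses = max_uses
        self.max_age_s = max_age_s
        self.now = now                      # injectable clock so rotation is testable
        self.keys: dict[str, KeyRecord] = {}
        self.current: str = ""
        self.rotate()

    def rotate(self) -> str:
        """Generate a fresh key and make it the only key used to protect new records."""
        kid = f"k{len(self.keys) + 1:03d}"  # constructed id scheme
        self.keys[kid] = KeyRecord(kid, secrets.token_bytes(32), self.now())
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        """Compromise response: the key may neither protect nor verify anything again."""
        self.keys[kid].revoked = True
        if self.current == kid:
            self.rotate()

    def rotation_due(self) -> bool:
        k = self.keys[self.current]
        return k.uses >= self.max_uses or self.now() - k.created >= self.max_age_s

    def protect(self, record: bytes) -> tuple[str, bytes]:
        """Tag a record with the current key, rotating first if a threshold is reached."""
        if self.rotation_due():
            self.rotate()
        k = self.keys[self.current]
        k.uses += 1
        return k.kid, hmac.new(k.secret, record, hashlib.sha256).digest()

    def verify(self, kid: str, record: bytes, tag: bytes) -> bool:
        """Old keys still verify their own records; unknown or revoked keys never do."""
        k = self.keys.get(kid)
        if k is None or k.revoked:
            return False
        expected = hmac.new(k.secret, record, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def reprotect(self, kid: str, record: bytes, tag: bytes) -> tuple[str, bytes]:
        """Migrate a record to the current key so the old key can eventually be retired."""
        if not self.verify(kid, record, tag):
            raise ValueError("record failed verification; refusing to re-key it")
        return self.protect(record)

    def retirable_keys(self) -> list[str]:
        """Keys that no longer protect new records but have not been revoked."""
        return [k.kid for k in self.keys.values() if k.kid != self.current and not k.revoked]


if __name__ == "__main__":
    clock = [1000.0]                                   # constructed clock
    ring = RotatingKeyring(max_uses=2, max_age_s=3600, now=lambda: clock[0])
    kid1, tag1 = ring.protect(b"transaction-1")
    kid2, tag2 = ring.protect(b"transaction-2")
    kid3, tag3 = ring.protect(b"transaction-3")        # third use triggers rotation
    print(kid1, kid2, kid3)                            # k001 k001 k002
    print(ring.verify(kid1, b"transaction-1", tag1))   # True: old key still verifies
    ring.revoke(kid1)                                  # simulated compromise
    print(ring.verify(kid1, b"transaction-1", tag1))   # False: revoked keys are dead
```

The operational point the code makes explicit is that rotation and revocation are different events: after a routine rotation the retired key remains in the keyring so existing records can still be verified and re-keyed in an orderly way, whereas a revoked key is refused for every purpose, which is why records protected by a compromised key must be re-protected before it is revoked, or they become unreadable.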

Summary

In this chapter, we have learned about the importance of PKI and have taken a look at a typical PKI hierarchy. We have been able to understand the roles played by CAs and registration authorities (RAs).

We have taken a look at certificate types, including wildcard certificates, extended validation, multi-domain, and general-purpose certificates. We have gained an understanding of the common usages for certificates, including client authentication, server authentication (application servers), digital signatures, and code signing. We have taken a look at important fields and extensions used when publishing certificates, including CN and SAN.

We have taken a look at the requirements needed to become a trusted CA, how providers are audited, and what is required to maintain trusted status.

We have looked at common trust models used when CAs need to work together and have understood the importance of the cross-certification trust model.

We have understood why it is important to address...

Questions

  1. ACME needs to request a new website certificate. Where will they send the request (in the first instance)?
    1. Root CA
    2. Subordinate/intermediate CA
    3. RA
    4. CRL
  2. Software engineers are developing a new customer relationship management (CRM) tool. They need to ensure customers will be able to verify the code is trustworthy. What type of certificate will they request?
    1. Client authentication
    2. Server authentication
    3. Digital signatures
    4. Code signing
  3. Web developers have created a new customer portal for online banking. They need to ensure their corporate customers are satisfied with the security provisions when connecting to the portal. Which certificate type should they request for the portal?
    1. Wildcard certificate
    2. Extended validation
    3. Multi-domain
    4. General-purpose
  4. A large e-commerce provider needs to minimize administration by allocating a single certificate to multiple sites. The sites will be country-specific, with different domain names. What would be the best choice of certificate...

Answers

  1. C
  2. D
  3. B
  4. D
  5. A
  6. A
  7. A
  8. C
  9. C
  10. A
  11. B
  12. D
  13. C
  14. A
  15. D