CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [178]
Nonrepudiation
Nonrepudiation prevents one party from denying actions they carried out. To use an analogy, imagine coming home to find your house’s picture window broken. All three of your kids say they didn’t do it, and the babysitter says it must have been broken when she arrived. All the parties who could be guilty are “repudiating” the fact that they did it, and it’s their word against common sense. Now, imagine that you had a nanny-cam running and were able to review the tape and see who actually broke it. The tape cancels out their saying they knew nothing about the broken window and offers “nonrepudiation” of the facts.
In the electronic world, a similar type of proof can be achieved in a two-key system. The problem is that anyone can claim to be the legitimate receiver, and if they have access to this type of system, they can send you a public key. So although the user would have received the message, you would have no way to verify that the user is really who they say they are and that they’re a valid user; you need nonrepudiation to verify that someone is whom they report to be.
Third-party organizations called certificate authorities (CAs) manage public keys and issue certificates verifying the validity of the sender’s message. The verifying aspect serves as nonrepudiation; a respected third party vouches for the individual. The goal of any effective cryptography system must include nonrepudiation. However, the implementation is a little more difficult than the concept.
The CA process is covered in the section “Using Public Key Infrastructure.”
Access Control
Access control refers to the methods, processes, and mechanisms of preventing unauthorized access to the systems that do the cryptography. Keys are vulnerable to theft, loss, and human security failings. A key component of access control involves both physical and operational security of these resources.
Real World Scenario
Nonrepudiation and eBay
Recently, a young man gained access to his parents’ key information on eBay. He managed to successfully win several auctions, and he racked up over a million dollars in charges to his parents’ account. The parents (naturally) disputed the bill. eBay invalidated the bids when the deception was discovered. The situation caused a great deal of personal embarrassment for the parents and potentially opened them up to litigation.
The term access control is used in many different settings, such as access control lists, access lists, and so on. The important thing to consider is that these techniques are collectively intended to limit access to information.
Key management presents a major challenge with large encryption systems. Keeping the keys in secured areas with limited access by unauthorized personnel is important. If the keys become compromised, the entire system breaks down, no matter how good it is.
Make sure the keys are kept in the highest security areas available to you. Physical keys, such as smart cards, should be immediately erased when they are retired; these keys should also be kept in a secured area for storage. One of the big problems that credit card companies are encountering is the ease with which the encoding on a credit card’s magnetic strip can be counterfeited. If you can gain access to an active credit card, the magnetic strip can be duplicated onto a blank card. Make sure all your security devices are kept under tight physical control when they aren’t in use.
Using Public Key Infrastructure
The Public Key Infrastructure (PKI) is a first attempt to provide all the aspects of security to messages and transactions that have been previously discussed. The need for universal systems to support e-commerce, secure transactions, and information privacy is one aspect of the issues being addressed with PKI.
PKI is a two-key—asymmetric—system with four key components: Certificate Authority (CA), Registration Authority