CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [183]
Real World Scenario
Designing a CA Structure for Your Organization
You’ve been assigned to implement a CA structure for your organization. Your organization has several large national factories and small remote facilities throughout the country. Some of these facilities have high-speed networks; others have low-speed dial-up capabilities. Your management reports that network traffic is very high, and they don’t want to overburden the network with CA traffic. How would you go about implementing this structure?
You should probably install CA systems at each of the major facilities throughout the country. Additionally, you may want to install CAs in key geographic locations where certificate access is needed. You need to establish a procedure to allow certificates to be issued in remote locations, and you also need to implement an RA process in your larger locations. Remote users could receive certificates either by e-mail or by out-of-band methods if network access was limited.
FIGURE 7.17 A hybrid model
The major difficulty with hybrid models is that they can become complicated and confusing. A user can unintentionally acquire trusts that they shouldn’t have obtained. In our example, a user could accidentally be assigned to one of the CAs in the middle circle. As a member of that circle, the user could access certificate information that should be available only from their root CA. In addition, relationships between CAs can continue long past their usefulness; unless someone is aware of them, these relationships can exist even after the parent organizations have terminated their relationships.
Preparing for Cryptographic Attacks
The ultimate objective of an attack on a cryptographic system is to either decipher the messages or disrupt the network. Cryptographic systems can be susceptible to denial of service (DoS) attacks, which were explained in Chapter 2, “Identifying Potential Risks.”
Specific attacks on cryptographic systems can be divided into three types:
Attacking the key Key attacks are launched to discover the value of a key by attacking the key directly, repeatedly guessing candidate values until one works. The keys can be passwords, encrypted messages, or other key-based encryption information. An attacker might try a series of dictionary words, commonly used passwords, and other randomly selected combinations to crack a password. Most operating system manufacturers provide programming interfaces that allow access to password and encryption subsystems, and an attacker can use this access and information to break a password. Remember that passwords are typically stored as the output of a one-way hashing function, so each guess is checked by hashing it and comparing the result. The anticipated amount of time it takes to break a password depends on the length of the password and the characters used in it; making keys longer and more complicated tends to make key attacks more difficult.
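The claim that guessing time grows with password length and character set can be made concrete. The following is an added example, not code from the study guide: it estimates the alphabet an exhaustive guessing attack would have to cover for a given password, the resulting keyspace and entropy, and the expected time at an assumed guess rate. The sample passwords and the guess rate are constructed for illustration; the function names are the example's own.

```python
import math
import string

# Character classes a guessing attack must cover. The alphabet is estimated
# from the classes actually present in the password, since a password built
# only from lowercase letters is searched within a 26-character alphabet, not 94.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "symbols": set(string.punctuation),         # 32
}


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character used."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (space, non-ASCII, ...) each add one symbol.
    others = {
        c for c in password
        if not any(c in chars for chars in CHARACTER_CLASSES.values())
    }
    return size + len(others)


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over the same alphabet and length must cover."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy of the keyspace in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def expected_guess_time(password: str, guesses_per_second: float) -> float:
    """Expected seconds to find the password; on average half the keyspace is searched."""
    return keyspace(password) / 2 / guesses_per_second


def compare_policies(candidates, guesses_per_second: float):
    """Return (password, alphabet, bits, expected seconds) rows for a policy review."""
    return [
        (p, charset_size(p), round(entropy_bits(p), 1), expected_guess_time(p, guesses_per_second))
        for p in candidates
    ]


if __name__ == "__main__":
    # Constructed samples; the guess rate is an assumption, not a measurement.
    RATE = 1e9  # assumed guesses per second against a fast unsalted hash
    for row in compare_policies(["abc", "abcdefgh", "aB1!", "aB1!aB1!aB1!"], RATE):
        print(row)
```

Running the block shows the two levers the text names: adding characters from more classes widens the alphabet, and adding length raises the exponent, which dominates. The rate used is an assumption; the defensive takeaway is that both levers multiply the attacker's cost.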
Attacking the algorithm The programming instructions and algorithms used to encrypt information are as much at risk as the keys. If an implementation error isn’t discovered and corrected by a program’s developers, the algorithm may fail to protect the program’s data. Many algorithms have well-publicized back doors. If a weakness is discovered in the programming or in the model used to develop an algorithm, a significant security exposure may exist.
Real World Scenario
WEP (In)Security
A paper was submitted to the Internet community that discussed a theoretical weakness in the algorithm used as the basis for the Wired Equivalent Privacy (WEP) security system. WEP supporters publicly discounted the weakness to the computer community: They indicated that the vulnerability was theoretical and couldn’t happen in the real world. Within seven days of their brash statements, they received over a dozen different examples of how to break the WEP system.
Intercepting the transmission The process of intercepting a transmission may, over time, allow attackers to gradually gain information about the encryption systems used by an organization.