CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [199]
Be able to describe the process of asymmetric algorithms. Asymmetric algorithms use a two-key method of encryption. The message is encrypted using the public key and decrypted using a second key or private key. The key is derived from the same algorithm.
Know the primary objectives for using cryptographic systems. The main objectives for these systems are confidentiality, integrity, authentication, and nonrepudiation. Digital signatures can be used to verify the integrity and provide nonrepudiation of a message.
Understand the process used in PKI. PKI is an encryption system that utilizes a variety of technologies to provide confidentiality, integrity, authentication, and nonrepudiation. PKI uses certificates issued from a CA to provide this capability as well as encryption. PKI is being widely implemented in organizations worldwide.
Be able to describe the revocation process in PKI. PKI issues a CRL from a CA when a revocation request is made. The CRL can take anywhere from a few hours to several days to propagate through a community.
Know the trust models used in PKI. PKI provides the ability to use hierarchical, bridged, meshed, and hybrid models for trust. A CA hierarchy, or tree, is broken into subcomponents. The subcomponents are called root authorities, intermediate CAs, and leaf CAs.
Know the primary attack methods used against cryptographic systems. The primary attacks against cryptographic systems are birthday attacks, mathematical attacks, and weak key attacks.
Identify the common technologies and methods used in encryption. Although this chapter introduced many different protocols and standards, you need to be familiar with PKIX/PKCS, X.509, SSL/TLS, S/MIME, SSH, PGP, HTTPS, IPS, WTLS, WEP, and IPSec. Each of these standards provides specific capabilities.
Identify the stages in a key/certificate life cycle. A life cycle involves the generation, distribution, protection, archiving, recovery, and revocation of a key or certificate. Each of these aspects of key management must be considered to provide an effective and maintainable security process.
Identify the relative advantages and disadvantages of centralized versus decentralized key management. Centralized key management uses centralized computers to generate keys. Key generation is a very computer-intensive process. When centralized processes are used, the processes are open to single-point failure and key transmission problems. Decentralized key generation allows work to be spread over an entire organization. The disadvantage is that spreading out the process makes securing the keys more difficult. Most systems use a split method. Private keys should be transmitted using an out-of-band method.
Be able to describe the storage methods used for keys. Physical protection methods include physical storage devices that place a key under lock and key. Storage devices include, but aren’t limited to, filing cabinets and safes. Software storage refers to hardened servers or other computer systems that are used to store keys. Most keys are compromised as a result of human error.
Know the purpose of key escrow. Key escrow allows law enforcement or other authorized governmental officials to access keys to conduct investigations. A key escrow agency or agent is a third party that is trusted to provide this service. A key archival system would normally be able to accomplish this task.
Be able to describe the purpose of key expiration. Keys are usually stamped with an expiration date. The longer a key stays in use, the more likely it is to be compromised. The more a key is used, the more often it will need to be changed.
Understand the difference between a key revocation and a suspension. A key revocation is performed when a key has potentially become compromised or lost. Key revocation is usually accomplished using some form of