Access Control, Authentication,
and Public Key Infrastructure
Lesson 13
Public Key Infrastructure and Encryption
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Public Key Infrastructure (PKI)
▪ A framework that:
• Consists of programs, procedures, and
security policies
• Employs public key cryptography and the
X.509 standard (digital certificates) for
secure communications
▪ Is a hybrid system of symmetric and
asymmetric key algorithms
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 2
Components of PKI
Certificate
authority
Certificate
repository
Registration
authority
Certificate
server
Certificate
validation
Key
Recovery
Service
Time server
Access Control, Authentication, and PKI
Signing
server
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 3
Encryption Process
Encryption is the process of applying an algorithm to
cleartext (or plaintext) data, resulting in ciphertext
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 4
Encryption and Cryptography Terms
▪ Cryptosystem
• A hardware or software system that
provides encryption and decryption
• Is made up of the encryption algorithm, the
keys, and the software and protocols
▪ Secret piece of the cryptosystem is the key
▪ Keyspace is the range of values that
construct the key
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 5
Ensuring Integrity, Confidentiality,
Authentication, and Nonrepudiation
Confidentiality
• Ensures that only the intended recipient
can read a message
Integrity
• Ensures message recipient can be certain
that message received was message sent
Authentication
• Allows someone to prove his or her identity
to another
Nonrepudiation
• Ensures that a third party can verify that a
message came from the purported sender
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 6
Symmetric Key Encryption
Process
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 7
Shared Key Encryption
Data
Encryption
Process
on System
1
Encryption
Data sent
to System
2
System 2
applies shared
key to decrypt
encrypted data
Key
Original
Data
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 8
Asymmetric Key Encryption
Process, Public Key
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 9
Number of Keys Needed
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 10
Asymmetric Encryption Process
Model
Joan’s Public Key
on Internet (With
Certificate Provider)
1. Joan receives message.
2. Decrypts message with
her computer’s private key
3. Joan’s private key is only
available to her.
Access Control, Authentication, and PKI
Joan’s public
key is available
to all Internet
users
Request Joan’s
public key to
encrypt message
to send over
Internet
1. Composes message
2. Encrypts w/Joan’s
public key
3. Sends message
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 11
Business Requirements for
Cryptography
▪ Ensuring software and data integrity
▪ Ensuring secure collaboration between entities
inside and outside an organization
▪ Ensuring secure cloud computing
▪ Providing secure transactions with consumers
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 12
Digital Certificates
▪ Are used by individuals and servers to provide
unknown third parties with a known secure copy
of their public encryption key
▪ Certificate authority (CA) issues digital certificates
after verifying the identity of the end user
▪ Registration authority (RA) verifies the identity of
an individual, initiates the certification process
with a CA on behalf of the user, and performs
certificate life-cycle management
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 13
Digital Certificate Details
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 14
Digital Signature Process
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 15
Digital Signature Verification
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 16
Estimated Costs Involved in
Signatures
▪ It is estimated that 30 billion paper documents are
copied or printed by U.S. companies annually.
▪ The associated cost of each signature is
estimated at $6.50 each, including costs of
copying, scanning, archiving, routing, and
retrieving lost documents.
▪ The average authorized employee signs 500
documents a year at a total cost of $3,250.
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 17
Importance of Digital Signatures
Organizations are implementing standard
digital signatures to:
▪ Cut operational costs.
▪ Automate and expedite business processes.
▪ Address legal compliance and limit liability.
▪ Go green.
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 18
Components of Key Management
Key
Management
Key
generation
Key
distribution
Key storage
Key usage
Key recovery
Key
termination
Access Control, Authentication, and PKI
Key archival
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 19
Key Management Considerations
▪ Key should be long enough to provide the
necessary level of protection
▪ Keys should be random and algorithm should
use the full keyspace
▪ Key’s lifetime should correspond with the
sensitivity of the data
▪ The more a key is used, the shorter its lifetime
should be
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 20
Symmetric Versus Asymmetric
Algorithms
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 21
Certificate Authority (CA)
▪ Is a trusted organization that maintains,
issues, and distributes digital certificates
▪ Uses the X.509 digital certificate standard
to create certificates
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 22
CA in a PKI System
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 23
Trusted Certificate Authorities
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 24
What PKI Is and What It Is Not
▪ Is a strong authentication mechanism
▪ Provides integrity, confidentiality,
authentication, and nonrepudiation in a single
framework
▪ Is not an answer to all security questions or
concerns
▪ Does not provide authorization
▪ Does not ensure that the end user can be
trusted
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 25
Potential Risks Associated with
PKI
▪ If PKI key management is mishandled,
entire PKI system could fail
▪ Managing a secure environment with
multiple keys and multiple entities can be
overwhelming
▪ Properly maintaining a PKI comes with a
financial burden
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 26
Implementations of Business
Cryptography
▪ Encrypting hard drives as a preventive measure in
case a laptop or other mobile device is stolen
▪ Encrypting removable devices such as universal
serial bus (USB) drives
▪ Encrypting instant messaging communication
▪ Encrypting file transfers within and outside of the
network
▪ Encrypting highly sensitive data
▪ Encrypting information on mobile devices
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 27
Certificate Authorities (CAs)
Functions
Policy
authority
Certificate
manufacturer
Certificate
issuer
Revocation
manufacturer
Registration
authority
Authentication
service
Repository
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 28
Week 14 Assignment
Implementing various technologies and addressing remote
access concerns ensures your systems and data are
protected. Some of the technologies used in remote access
are RADIUS, RAS, TACACS+, and VPN.
Using this course rules of writing, please address each of
these technologies with a minimum of two paragraphs on
each. In writing about these remote access methods,
please include the role they play as it relates to the
organization network security. Each section should have at
least four (4) complete sentences, as well as a different
citation supporting the presented claim. The SafeAssign
score should not be more than 30%.
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 29
Week 15 Assignment
▪ For this assignment, list and discussed the four (4) security services
provided by public key infrastructure (PKI) according to the course
reading material. Please write at least two paragraphs on each.
Additionally:
▪ Write 2 to 3 paragraphs (In the third person) on the following:
▪ What was most compelling to you in this course?
▪ How did participating in the discussion board enhance your learning
abilities?
▪ Is there anything you are uncertain about as it relates to Access
Control?
▪ Respond to at least two classmates’ posts with no less than 100
words.
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 30
Week 16 Assignment
▪100 multiple choice questions
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 31
Conclusion
▪ It was a pleasure having you.
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page 32
Access control
Course Objectives
Course Competencies/ Learning Objectives
Course Learning Objectives
Major
Instructional
Areas
Define the authorization and the access to an IT
infrastructure based on an access control policy
framework.
Ch. 1
Mitigate risk to an IT infrastructure’s confidentiality,
integrity, and availability with sound access controls.
Ch. 2
Analyze how a data classification standard impacts an IT
infrastructure’s access control
Ch. 3
Assessment Method
Homework assignments
Midterm Exam
Final Exam
Homework Assignments
Midterm Exam
Final Exam
Homework Assignments
Midterm Exam
Final Exam
Page 1
requirements and implementation.
Develop an access control policy framework consisting of best practices
for policies, standards, procedures, and guidelines to mitigate
unauthorized access.
Homework
Ch. Assignments Midterm
4
Exam
Final Exam
Assess the consequences of failed access controls and mitigate
unauthorized access.
Homework
Assignments Midterm
Ch. Exam
Final Exam
5
Apply various access control methods to solve a range of business
challenges.
Define proper security controls for information systems within IT
infrastructures.
Explore ways to secure the facilities that house sensitive resources and
use biometric technology to verify identity.
Homework
Assignments Midterm
Ch. Exam
Final Exam
6
Ch. Homework
7, 8 Assignments Midterm
Exam
Final Exam
Ch. Homework
9
Assignments Midterm
Exam
Final Exam
Design appropriate authentication solutions throughout an IT infrastructure Ch. Homework
based on user types and data classification standards.
10 Assignments Midterm
Utilize policies, standards, guidelines, and procedures to implement and
maintain access control.
Implement a secure remote access solution.
Exam
Final Exam
Homework
Ch. Assignments Midterm
11 Exam
Final Exam
Homework
Ch. Assignments Midterm
12 Exam
Final Exam
Purchase answer to see full
attachment