
Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is an essential framework in cybersecurity that works like a digital passport office, issuing and validating certificates for secure data transfer and communication. The process involves Certificate Authorities (CAs), akin to passport officers, that authenticate and issue these digital certificates. With additional tools like S/MIME, PGP for secure emails, HTTPS over TLS for web security, and IPSec for network security, PKI forms a robust security structure for data integrity and secure communication in the digital world.


PKI is a pretty important component to ensure secure communication and data transfer, both within an organization and externally. Think of it as the passport office of the cyber world, issuing and validating digital passports (the certificates) that prove the identity of people (users and systems).

Certificate Authorities (CAs)

Continuing with our analogy, these guys are the "passport officers". They authenticate and issue digital certificates that contain public keys for users and systems. For example, let's say a server decides that it wants to secure its communications. It will request a certificate from a CA, which will verify the server's details and issue a certificate.

Now, users, servers, or systems distribute these certificates to entities they want to communicate securely with. Just like showing your passport at an airport, this certificate proves who they are, along with providing their public key. 

Now, anyone can just hand someone a fake passport in real life, and buy drinks when you're under 21. How do we verify it? Well, let's see what happens when we visit https://untrusted-root.badssl.com, a website that has intentionally been set up with an untrusted root (our fake passport):

[Image: ssl-bad-issue.png]

As you can see, the browser detects that this certificate is signed by an untrusted root, and alerts us. This is because our browser comes pre-loaded with a list of trusted certificate authorities, or root certificates. To verify a certificate, the browser uses the CA's public key to check the signature on it, establishing a chain of trust from the certificate back to the issuing CA.

This chain can have multiple levels, with an intermediate CA issuing the certificate, but the trust ultimately lies with the root CA. The root CA is like the national passport agency - while local offices (intermediate CAs) might issue passports, the trustworthiness of the passport comes from the national agency.

The root CA's key is similar to a master key, and in practice it is often kept offline for added security. The root key is like the master key of a building - it can open every door, so you want to keep it safe and use it sparingly. Instead, you make copies of keys (in this case, you issue certificates) for individual rooms (servers, services, etc.). These 'lesser' keys have specific permissions and access levels and can perform day-to-day operations.

Email: S/MIME and PGP

Let's start with email. Email as a protocol wasn't originally designed with security in mind. SMTP (Simple Mail Transfer Protocol), which is used to send emails, doesn't include any mechanisms for encryption or security. That's where S/MIME and Pretty Good Privacy (PGP) come in. These tools can encrypt your emails, preventing them from being read by unintended recipients.

S/MIME and PGP still can't encrypt metadata, like the sender, recipient, and subject line. Services like Protonmail and Tutanota use their own protocols to address this, but this is limited to their own, non-standardized networks.

Web: HTTPS over TLS

Moving onto web security, HTTPS is now the standard, essentially layering HTTP over TLS (Transport Layer Security). TLS has replaced the older SSL (Secure Sockets Layer) protocol, yet the term "SSL" is still commonly used due to its longevity in the field.

Network: IPSec

IPSec (Internet Protocol Security) is a set of protocols used for securing IP communications by encrypting and authenticating all IP packets of a communication session, and it is natively supported in Windows:

[Image: ipsec.png]

IPSec can be used to create secure connections between networks (for example, between a company's network and its remote employees' devices) or between servers. It's commonly used to set up VPNs, but it can also be used for secure direct communications between two computers.

IPSec uses two main protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

Authentication Header (AH): This protocol provides connectionless integrity and data origin authentication for IP datagrams (i.e., it ensures that the data hasn't been tampered with while in transit and that it really came from the claimed sender). It also provides protection against replay attacks (replays of packets that were captured and later resent in an attempt to gain unauthorized access or disrupt the service).

Encapsulating Security Payload (ESP): This protocol provides confidentiality, along with the services provided by AH. In other words, not only does it authenticate the data and protect it against replay attacks, it also encrypts the data to keep it confidential while in transit. This makes it harder for unauthorized people to understand the data, even if they were to intercept it.

ESP is used more commonly than AH in many modern applications due to its ability to provide confidentiality through encryption, a feature that AH lacks. In some cases, ESP can be configured to provide the same services as AH. 
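The integrity and replay protection that AH and ESP provide, as an added example in Go (not code from the original page). It is a simplified model of the receiving side only, and goes beyond the text in showing one common mechanism: a per-packet sequence number checked against a sliding window, plus a keyed integrity check value (ICV). The window size of 64, HMAC-SHA-256 as the ICV, and the names `receiver`, `icv` and `accept` are assumptions; the real wire format and key negotiation are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const window = 64 // anti-replay window size in packets (assumed for this model)

// receiver holds the shared key, the highest sequence number accepted, and a bitmap of recent ones.
type receiver struct {
	key    []byte
	top    uint32
	bitmap uint64 // bit i set: sequence number top-i was already accepted
}

// icv computes the integrity check value over the sequence number and payload.
func icv(key []byte, seq uint32, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	binary.Write(m, binary.BigEndian, seq)
	m.Write(payload)
	return m.Sum(nil)
}

// accept returns "ok" or the drop reason; the window moves only after the ICV verifies.
func (r *receiver) accept(seq uint32, payload, tag []byte) string {
	switch {
	case seq == 0 || (seq <= r.top && r.top-seq >= window):
		return "outside window"
	case seq <= r.top && r.bitmap&(1<<(r.top-seq)) != 0:
		return "replay"
	case !hmac.Equal(tag, icv(r.key, seq, payload)):
		return "bad ICV"
	}
	if seq > r.top {
		r.bitmap, r.top = r.bitmap<<(seq-r.top)|1, seq
	} else {
		r.bitmap |= 1 << (r.top - seq)
	}
	return "ok"
}

func main() {
	r := &receiver{key: []byte("constructed demo key")}
	for _, seq := range []uint32{1, 2, 2, 5, 4} { // constructed arrival order
		fmt.Println(seq, r.accept(seq, []byte("data"), icv(r.key, seq, []byte("data"))))
	}
}
```

Because the sequence number is covered by the ICV, a captured packet cannot be given a fresh number without the key, and a packet with a forged ICV never advances the window.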

There are two modes that IPSec can operate in: Transport Mode and Tunnel Mode.

Transport Mode: In this mode, only the payload of the IP packet is encrypted or authenticated. The headers remain untouched, so it can be used when you need to ensure that the payload of packets remains confidential while being transmitted over an unsecured network.

Tunnel Mode: In this mode, the entire IP packet is encrypted and then encapsulated into a new IP packet. This includes the original headers along with the payload, so the entire original IP packet is protected. This is used when you need to ensure privacy for the entire data packet and is often used in network-to-network communications, like in VPNs.


| | Transport Mode | Tunnel Mode |
|---|---|---|
| Function | Encrypts only the data payload of the IP packet | Encrypts the entire IP packet (header + payload) |
| Use Case | End-to-end communications between hosts, e.g., server-to-server within a network | Network-to-network or host-to-network communication, e.g., VPNs |
| Advantages | Has a lower overhead (less resources) | Higher security: hides details of the inner packet |
| Disadvantages | Does not hide the header information | Higher overhead: additional encryption and IP header |