Question

EXPLAIN

• Authentication, Authorization and Accounting (AAA) security model. o As it applies to the layers (using the 5 story building example). • What is SSL/TLS and how it works. • Public Key Infrastructure o Public + Private key

Answer 1

Authentication Authorization and Accounting (AAA)

Definition - What does Authentication Authorization and Accounting (AAA) mean?

Authentication, authorization and accounting (AAA) is a system for tracking user activities on an IP-based network and controlling their access to network resources. AAA is often is implemented as a dedicated server.
This term is also referred to as the AAA Protocol.

Authentication refers to unique identifying information from each system user, generally in the form of a username and password. System administrators monitor and add or delete authorized users from the system.

Authorization refers to the process of adding or denying individual user access to a computer network and its resources. Users may be given different authorization levels that limit their access to the network and associated resources. Authorization determination may be based on geographical location restrictions, date or time-of-day restrictions, frequency of logins or multiple logins by single individuals or entities. Other associated types of authorization service include route assignments, IP address filtering, bandwidth traffic management and encryption.

Accounting refers to the record-keeping and tracking of user activities on a computer network. For a given time period this may include, but is not limited to, real-time accounting of time spent accessing the network, the network services employed or accessed, capacity and trend analysis, network cost allocations, billing data, login data for user authentication and authorization, and the data or data amount accessed or transferred.

Examples of AAA protocols include:

• Diameter, a successor to Remote Authentication Dial-In User Service (RADIUS)
• Terminal Access Controller Access-Control System (TACACS)
• Terminal Access Controller Access-Control System Plus (TACACS+) a proprietary Cisco Systems protocol that provides access for network servers, routers and other network computing devices.

Types of AAA servers include:

• Access Network AAA (AN-AAA) which communicates with radio network controllers
• Broker AAA (B-AAA), which manages traffic between roaming partner networks
• Home AAA (H-AAA)

What is SSL and TLS and How it Work

A popular implementation of public-key encryption is the Secure Sockets Layer (SSL). Originally developed by Netscape, SSL is an Internet security protocol used by Internet browsers and Web servers to transmit sensitive information. SSL has become part of an overall security protocol known as Transport Layer Security (TLS).

In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of different ways. You will notice that the "http" in the address line is replaced with "https," and you should see a small padlock in the status bar at the bottom of the browser window. When you're accessing sensitive information, such as an online bank account or a payment transfer service like PayPal or Google Checkout, chances are you'll see this type of format change and know your information will most likely pass along securely.

TLS and its predecessor SSL make significant use of certificate authorities. Once your browser requests a secure page and adds the "s" onto "http," the browser sends out the public key and the certificate, checking three things: 1) that the certificate comes from a trusted party; 2) that the certificate is currently valid; and 3) that the certificate has a relationship with the site from which it's coming.

The browser then uses the public key to encrypt a randomly selected symmetric key. Public-key encryption takes a lot of computing, so most systems use a combination of public-key and symmetric key encryption. When two computers initiate a secure session, one computer creates a symmetric key and sends it to the other computer using public-key encryption. The two computers can then communicate using symmetric-key encryption. Once the session is finished, each computer discards the symmetric key used for that session. Any additional sessions require that a new symmetric key be created, and the process is repeated.

How SSL works

Encryption is necessary in order to communicate securely over the internet: if your data isn't encrypted, anyone can examine your packets and read confidential information. The safest method of encryption is called asymmetrical cryptography; this requires two cryptographic keys — pieces of information, usually very large numbers — to work properly, one public and one private. The mathematics here are complex, but in essence, you can use the public key to encrypt the data, but need the private key to decrypt it. The two keys are related to each other by some complex mathematical formula that is difficult to reverse-engineer by brute force. Think of the public key as information about the location of a locked mailbox with a slot on the front, and the private key as the key that unlocks the mailbox. Anyone who knows where the mailbox is can put a message in it; but for anyone else to read it, they need the private key.

Because asymmetrical cryptography involves these difficult mathematical problems, it takes a lot of computing resources, so much so that if you used it to encrypt all the information in a communications session, your computer and connection would grind to a halt. TLS gets around this problem by only using asymmetrical cryptography at the very beginning of a communications session to encrypt the conversation the server and client have to agree on a single session key that they'll both use to encrypt their packets from that point forward. Encryption using a shared key is called symmetrical cryptography, and it's much less computationally intensive than asymmetric cryptography. Because that session key was established using asymmetrical cryptography, the communication session as a whole is much more secure than it otherwise would be.

The process by which that sessions key is agreed upon is called a handshake, since it's the moment when the two communicating computers introduce themselves to each other, and it's at the heart of the TLS protocol.

What is a TLS handshake?

TLS is an encryption protocol designed to secure Internet communications. A TLS handshake is the process that kicks off a communication session that uses TLS encryption. During a TLS handshake, the two communicating sides exchange messages to acknowledge each other, verify each other, establish the encryption algorithms they will use, and agree on session keys. TLS handshakes are a foundational part of how HTTPS works.

TLS vs. SSL handshakes

SSL, or Secure Sockets Layer, was the original encryption protocol developed for HTTP. SSL was replaced by TLS, or Transport Layer Security, some time ago. SSL handshakes are now called TLS handshakes, although the "SSL" name is still in wide use.

When does a TLS handshake occur?

A TLS handshake takes place whenever a user navigates to a website over HTTPS and the browser first begins to query the website's origin server. A TLS handshake also happens whenever any other communications use HTTPS, including API calls and DNS over HTTPS queries.

TLS handshakes occur after a TCP connection has been opened via a TCP handshake.

What happens during a TLS handshake?

During the course of a TLS handshake, the client and server together will do the following:

• Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
• Decide on which cipher suites (see below) they will use
• Authenticate the identity of the server via the server’s public key and the SSL certificate authority’s digital signature
• Generate session keys in order to use symmetric encryption after the handshake is complete

What are the steps of a TLS handshake?

TLS handshakes are a series of datagrams, or messages, exchanged by a client and a server. A TLS handshake involves multiple steps, as the client and server exchange the information necessary for completing the handshake and making further conversation possible.

The exact steps within a TLS handshake will vary depending upon the kind of key exchange algorithm used and the cipher suites supported by both sides. The RSA key exchange algorithm is used most often. It goes as follows:

1. The 'client hello' message: The client initiates the handshake by sending a "hello" message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the "client random."
2. The 'server hello' message: In reply to the client hello message, the server sends a message containing the server's SSL certificate, the server's chosen cipher suite, and the "server random," another random string of bytes that's generated by the server.
3. Authentication: The client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.
4. The premaster secret: The client sends one more random string of bytes, the "premaster secret." The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server's SSL certificate.)
5. Private key used: The server decrypts the premaster secret.
6. Session keys created: Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results.
7. Client is ready: The client sends a "finished" message that is encrypted with a session key.
8. Server is ready: The server sends a "finished" message encrypted with a session key.
9. Secure symmetric encryption achieved: The handshake is completed, and communication continues using the session keys.

All TLS handshakes make use of asymmetric encryption (the public and private key), but not all will use the private key in the process of generating session keys. For instance, an ephemeral Diffie-Hellman handshake proceeds as follows:

1. Client hello: The client sends a client hello message with the protocol version, the client random, and a list of cipher suites.
2. Server hello: The server replies with its SSL certificate, its selected cipher suite, and the server random. In contrast to the RSA handshake described above, in this message the server also includes the following (step 3):
3. Server's digital signature: The server uses its private key to encrypt the client random, the server random, and its DH parameter*. This encrypted data functions as the server's digital signature, establishing that the server has the private key that matches with the public key from the SSL certificate.
4. Digital signature confirmed: The client decrypts the server's digital signature with the public key, verifying that the server controls the private key and is who it says it is. Client DH parameter: The client sends its DH parameter to the server.
5. Client and server calculate the premaster secret: Instead of the client generating the premaster secret and sending it to the server, as in an RSA handshake, the client and server use the DH parameters they exchanged to calculate a matching premaster secret separately.
6. Session keys created: Now, the client and server calculate session keys from the premaster secret, client random, and server random, just like in an RSA handshake.
7. Client is ready:
8. Same as an RSA handshake.
9. Server is ready
10. Secure symmetric encryption achieved

*DH parameter: DH stands for Diffie-Hellman. The Diffie-Hellman algorithm uses exponential calculations to arrive at the same premaster secret. The server and client each provide a parameter for the calculation, and when combined they result in a different calculation on each side, with results that are equal.

How Does PKI Work ?

PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). It works by using two different cryptographic keys: a public key and a private key. The public key is available to any user that connects with the website. The private key is a unique key generated when a connection is made, and it is kept secret. When communicating, the client uses the public key to encrypt and decrypt, and the server uses the private key. This protects the user’s information from theft or tampering.

How Does PKI Authentication Work?

A Public Key Infrastructure requires several different elements for effective use. A Certificate Authority (CA) is used to authenticate the digital identities of the users, which can range from individuals to computer systems to servers. Certificate Authorities prevent falsified entities and manage the life cycle of any given number of digital certificates within the system.

Second in command is the component of a Registration Authority (RA), which is authorized by the Certificate Authority to provide digital certificates to users on a case-by-case basis. All of the certificates that are requested, received, and revoked by both the Certificate Authority and the Registration Authority are stored in an encrypted certificate database.

Certificate history and information is also kept on what is called a certificate store, which is usually grounded on a specific computer and acts as a storage space for all memory relevant to the certificate history, including issued certificates and private encryption keys. Google Wallet is a great example of this.

By hosting these elements on a secure framework, a Public Key Infrastructure can protect the identities involved as well as the private information used in situations where digital security is necessary, such as smart card logins, SSL signatures, encrypted documents, and more.

Does PKI Perform Encryption?

Public Key Infrastructure is a complex subject, so you may be wondering if it actually performs encryption. The simple answer is yes, it does. What is PKI if not a one-stop-shop for the encryption of classified information and private identities?

PKI performs encryption directly through the keys that it generates. Whether these keys are public or private, they encrypt and decrypt secure data.

What Type of Encryption Does PKI Use?

PKI merges the use of both asymmetric and symmetric encryption. Symmetrical encryption protects the single private key that is generated upon the initial exchange between parties—the digital handshake, if you will. This secret key must be passed from one party to another in order for all parties involved to decrypt the information that was exchanged.

Asymmetric encryption is fairly new to the game and you may know it better as “public key cryptography.” Asymmetric encryption uses two keys to encrypt plain text, both a public key and a secret key.

Both symmetric and asymmetric encryption have their own strengths and best use case scenarios, which is what makes the combination of both so powerful in Public Key Infrastructure.

Digital Certificates

PKI functions because of digital certificates. A digital certificate is like a drivers license—it’s a form of electronic identification for websites and organizations. Secure connections between two communicating machines are made available through PKI because the identities of the two parties can be verified by way of certificates.

So how do devices get these certificates? You can create your own certificates for internal communications. If you would like certificates for a commercial site or something of a larger scale, you can obtain a PKI digital certificate through a trusted third party issuer, called a certificate authority.

Much like the state government issuing you a license, certificate authorities vet the organizations seeking certificates and issue one based on their findings. Just as someone trusts the validity of your license based on the authority of the government, devices trust digital certificates based on the authority of the issuing certificate authorities. This process is similar to how code signing works to verify programs and downloads.

PKI & Digital Certificates

PKI functions on asymmetric key methodology: a private key and a public key. The private key can only be accessed by the owner of a digital certificate, and they can choose where the public key goes. A certificate is essentially a way of handing out that public key to users that the owner wants to have it.

Private and public PKI keys must work together. A file that is encrypted by the private key can only be decrypted by the public key, and vice versa. If the public key can only decrypt the file that has been encrypted by the private key, being able to decrypt that file assures that the intended receiver and sender took part in the informational transaction.

What Is the Benefit of Providing a Public Key in the Form of a Certificate?

PKI authentication through the use of digital certificates is the most effective way to protect confidential electronic data. These digital certificates are incredibly detailed and unique to each individual user, making them nearly impossible to falsify.

Once a user is issued a unique certificate, the details incorporated into the certificate undergo a very thorough vetting process that includes PKI authentication and authorization. Certificates are backed by a number of security processes such as timestamping, registration, validation, and more to ensure the privacy of both the identity and the electronic data affiliated with the certificate.

How Is PKI Used?

Public Key Infrastructure is used to protect confidential communication from one party to another. By using a two-key encryption system, PKI secures sensitive electronic information as it is passed back and forth between two parties, and provides each party with a key to encrypt and decrypt the digital data.

Popular Ways PKI is Used

PKI security is used in many different ways. The following are a few ways that PKI security can be used:

• Securing emails

• Securing web communications (such as retail transactions)

• Digitally signing software

• Digitally signing applications

• Encrypting files

• Decrypting files

• Smart card authentication

Does Using a PKI Infrastructure Guarantee Secure Authentication?

As far as we know, secure authentication is not a solid guarantee no matter how careful we are to facilitate a foundation of encryption and protection. Breaches in security do happen from time to time, which is what makes the Certificate Authority and Registration Authority so vital to the operations.

Without a top-performing CA and RA to authenticate and manage public key information, the “web of trust” is virtually nonexistent.

Security Limitations of PKI

With all of the strengths of a Public Key Infrastructure, there is room for improvement. As it currently stands, PKIs rely heavily on the integrity of the associated Certificate Authority and Registration Authority, which aren’t always functioning at the ideal level of diligence and scrutiny. PKI management mistakes are another weak link that needs to be addressed.

Another current security limitation of Public Key Infrastructures today (or rather, a security risk) is the obvious lack of multi-factor authentication on many of the top frameworks. Regardless of the world’s increasing ability to blow through passwords, PKIs have been slow to combat this threat with various levels of authorization before entry.

Furthermore, the overall usability of Public Key Infrastructure has never been ideal. More often than not, PKIs are so remarkably complicated that users would rather forgo the addition PKI authorization in exchange for a more convenient and realistic security process.

Lastly, PKI technology is known for its inability to easily adapt to the ever-changing advancements of the digital world. Users report being unhappy with their current PKI’s lack of ability to support new applications that are geared toward improvements in security, convenience, and scalability.

Add in video here

Does SSL Use PKI?

SSL (Secure Sockets Layer) Cryptography relies heavily on PKI security to encrypt and decrypt a public key exchange using both symmetric and asymmetric encryption. How does PKI work with an SSL? Excellent question. We can sum up the relationship in three phases:

1. First, the web server sends a copy of its unique asymmetric public key to the web browser.

2. The browser responds by generating a symmetric session key and encrypting it with the asymmetric public key that was received by the server.

3. In order to decrypt and utilize the session key, the web server uses the original unique asymmetric private key.

Once the digital relationship has been established, the web browser and the web server are able to exchange encrypted information across a secure channel. The Public Key Infrastructure acts as the framework and facilitator for the encryption, decryption, and exchange of information between the two parties.

What Is PKI Authentication?

Let’s recap. PKI authentication (or public key infrastructure) is a framework for two-key asymmetric encryption and decryption of confidential electronic data. By way of digital certificate authorization, management, and authentication, a PKI can secure private data that is exchanged between several parties, which can take the form of people, servers, and systems.

If you want to learn more about how PKI can be used in your life and your business, contact Venafi and see how we can help you get the authentication you need today.

• Smart card authentication

If you want to learn more about how PKI can be used in your life and your business? Contact Venafi and see how we can help you get the authentication you need today.

What is the use of public key and private key?

Public key is used to convert the message to an unreadable form. Private key is used to convert the received message back to the original message. Both these keys help to ensure the security of the exchanged data. A message encrypted with the public key cannot be decrypted without using the corresponding private key.