- CA has a root key
- Stage 1—do you want to install a public or private CA
- Public CA required for trading on the internet (B2B)
- Architect builds the CA and intermediary authorities
- Intermediary authorities issue the certificates
- Certificate pinning—prevents CA compromise and fraudulent certificates
- Certificate Revocation List (CRL)—checks certificate validity
- OCSP—used only when the CRL is going slow
- Certificate stapling—when the web server bypasses the CRL and goes directly to the OCSP
- Always retained—never given away
- P12 format, .pfx extension, password protected
- Used to decrypt data
- Used to digitally sign email—provides integrity
- Key Escrow—holds the private keys for third parties
- Hardware Security Module (HSM)—stored and manages the keys for the Key Escrow
- Data Recovery Agent (DRA)—obtains private keys from the Key Escrow to recover data
- Used to encrypt data—normally use someone else's to send encrypted data to them
- Exchange with others
- P7B format or .cer extension
- Two different PKIs trusting each other—bridge root of trust
- PGP—uses a web of trust
- TPM—hardware root of trust
- Object Identifier (OID)—unique numerical value equivalent to a serial number
- PEM—Base64 certificate
- Extended validation—higher level of trust, green background when used
- Certificate chaining—three levels showing the vendor, CA, and computer installed on
- Wildcard certificate—used for multiple servers in the same domain, also used by host headers
- Subject Alternate Domain (SAN)—used for multiple domain names
- Certificate Signing Request (CSR)—application for new certificates
- Encryption—asymmetric or symmetric—exchange keys
- Stream cipher—encrypt one bit at a time
- Block cipher—encrypt blocks of data
- Single key—private or shared key
- Encrypts a large amount of data
- Encrypts data-at-rest
- DES—56 bits
- 3DES—168 bits
- AES—up to 256 bits
- Blowfish—64 bits
- Twofish—128 bits
- Two keys—public and private
- Diffie Hellman—create a secure tunnel
- RSA
- Elliptic curve—used for small devices
- PGP—encryption between two people
- Short-live—one-time use
- Diffie Hellman Ephemeral (DHE)
- Elliptic curve Diffie Hellman Ephemeral (DHE)
- Provides data integrity
- SHA1 160 bits
- MD5 128 bits
- Hash before and after—data integrity produces the same hash
- Rainbow tables—precomputed password and associated hashes
- Collision attack—two hash values match
- TLS—data-in-transit
- Increases compute time for brute force attacks
- Key stretching tools—bcrypt, PBKDF2
- Obfuscation—masks data so it cannot be read if stolen
- Steganography—embeds or hides data inside other data
- Salting—appends a random value to passwords
- Salting—prevents duplicate passwords being stored
- Salting—reduces the effectiveness of a brute force attack
- Data-in-transit—use TLS or VPN to protect it
- Data-at-rest—use encryption such as AES/DES/3DES
- Data-in-use —resides in volatile RAM.
- Key strength—smaller the key size the faster but less secure it is
- WEP—very weak
- WPA—backward-compatible with WEP
- WPA2—CCMP—strongest wireless encryption—uses AES
- WPA2—enterprise—RADIUS with 802.1x for domains
- PSK—press shared key
- TKIP—legacy
- WPS—push button to activate, insert password first
- WPS and PSK—can be subject to brute force attack
- Disable SSID—can be discovered by a wireless packet sniffer
- Troubleshoot Wi-Fi—use wireless packet sniffer/scanner
- Site survey—needed before setting up WLAN
- Guest Wi-Fi—used by visitors or employees at lunchtime
- Open system authentication—no security
- Captive portal—request secondary information to connect
- EAP-TL—certificate on the endpoint
- EAP-TTLS—certificate on the server
- EAP-FAST—mutual authentication, no certificate
- PEAP—encapsulates EAP packets, uses TLS