CS406: Certificate and Registration Authorities | Saylor Academy

Methods of certification

Broadly speaking, there are three approaches to getting this trust: certificate authorities (CAs), web of trust (WoT), and simple public-key infrastructure (SPKI).

Certificate authorities

The primary role of the CA is to digitally sign and publish the public key bound to a given user. This is done using the CA's own private key, so that trust in the user key relies on one's trust in the validity of the CA's key. When the CA is a third-party separate from the user and the system, then it is called the Registration Authority (RA), which may or may not be separate from the CA. The key-user binding is established, depending on the level of assurance the binding has, by software or under human supervision.

The term trusted third party (TTP) may also be used for certificate authority (CA). Moreover, PKI is itself often used as a synonym for a CA implementation.

Temporary certificates & single sign-on

This approach involves a server that acts as an online certificate authority within a single sign-on system. A single sign-on server will issue digital certificates into the client system, but never stores them. Users can execute programs, etc. with the temporary certificate.

Web of trust

An alternative approach to the problem of public authentication of public-key information is the web of trust scheme, which uses self-signed certificates and third party attestations of those certificates. The singular term web of trust does not imply the existence of a single web of trust, or common point of trust, but rather one of any number of potentially disjoint "webs of trust". Examples of implementations of this approach are PGP (Pretty Good Privacy) and GnuPG (an implementation of OpenPGP, the standardized specification of PGP). Because PGP and implementations allow the use of e-mail digital signatures for self-publication of public-key information, it is relatively easy to implement one's own web of trust.

One of the benefits of the web of trust, such as in PGP, is that it can interoperate with a PKI CA fully trusted by all parties in a domain (such as an internal CA in a company) that is willing to guarantee certificates, as a trusted introducer. Only if the "web of trust" is completely trusted, and because of the nature of a web of trust, trusting one certificate is granting trust to all the certificates in that web. A PKI is only as valuable as the standards and practices that control the issuance of certificates and including PGP or a personally instituted web of trust could significantly degrade the trustability of that enterprise's or domain's implementation of PKI.

Simple public-key infrastructure

Another alternative, which does not deal with public authentication of public-key information, is the simple public-key infrastructure (SPKI) that grew out of three independent efforts to overcome the complexities of X.509 and PGP's web of trust. SPKI does not associate users with persons, since the key is what is trusted, rather than the person. SPKI does not use any notion of trust, as the verifier is also the issuer. This is called an "authorization loop" in SPKI terminology, where authorization is integral to its design.

Source: https://csf102.dfcsc.uri.edu/wiki/System_Fundamentals_For_Cyber_Security/Authentication/Public_Key_Infrastructure
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Thursday, 15 April 2021, 4:25 PM

General

Course Syllabus

Unit 1: Introduction to Information Security

1.1: The History and Evolution of Information Security

Information Security History

Timeline of the History of Information Security

1.2: Confidentiality, Integrity, and Availability – The CIA Triad

The CIA Triad

1.3: Threats, Vulnerabilities, and Risks

Threats and Vulnerabilities

The Elements of Security: Vulnerability, Threat, Risk

1.4: The Risk Management Process

NIST SP 800-39

Risk Management

More on Risk Management

1.5: The Incident Response Process

NIST SP 800-61

Incident Response

1.6: Security Control

Security Control

Security Control Types

Security Control Functions

1.7: Defense-in-Depth

Introduction to Defense-in-Depth

Defense-in-Depth Example

Defense-in-Depth

1.8: Human Behavioral Risks

The Human Factor

Humans are the Weakest Link

Security Awareness, Training, and Education

Security Threats and the Human Factor

1.9: Security Frameworks

Security Frameworks

Center for Internet Security (CIS) Controls

Payment Card Industry Data Security Standard (PCI DSS)

Unit 1 Assessment

Unit 1 Assessment

Unit 2: Threats and Attack Modes

2.1: Threat Terminology

Threat Terminology

An Overview of Threats

Privacy Threats

2.2: Types of Attacks

Types of Attacks

Classifying Threats

Birthday Attacks

What is a Botnet?

More on Botnets

Man-in-the-Middle Attacks

Teardrop Attacks

What is War Dialing?

More on War Dialing

Zero-Day Exploits

2.3: Spoofing Attacks

Spoofing Attacks

A Comprehensive Analysis of Spoofing

Email Spoofing

Caller ID Spoofing

IP Address Spoofing

2.4: Social Engineering

An Overview of Social Engineering

Dumpster Diving

One Man's Trash is Another Man's Treasure

Shoulder Surfing

Tailgating

How to Protect Against Tailgating

Phishing, Spear-phishing, and Whaling

Pretexting

2.5: Application Attacks

Application Attacks

Types of Application Attacks

The Basics of Buffer Overflows

More on Buffer Overflows

Time of Check to Time of Use

Application and Escalation of Privilege

Escalation of Privilege

2.6: Web Application Attacks

Types of Application Attacks

Cross-Site Scripting

Examples of Cross-Site Scripting