Chapter 17. Public Key Infrastructure (PKI)


Introduction to PKI

As previously mentioned, PKI is a security architecture that provides a higher level of confidence for exchanging information over insecure networks. PKI is based on public key cryptography, a technology that was first created to encrypt and decrypt data involving two different types of keys: a public and a private key. A user gives their public key to other users, keeping the private key. Data that is encrypted with the public key can be decrypted only with the corresponding private key, and vice versa. Figure 17-1 illustrates how this works.

Figure 17-1. Private and Public Keys



The following is the sequence in Figure 17-1:

1. User A obtains User B's public key and uses it to encrypt a message destined for User B.

2. User A sends the encrypted message over the unsecured network.

3. User B receives the encrypted message and decrypts it using his own private key.
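The three steps above, worked as an added example (not code from the book) with textbook RSA on small constructed primes; the function and variable names are this example's own, and real keys are 1024 bits or larger and use padding:

```python
# Added example, not from the book: the Figure 17-1 exchange worked with
# textbook RSA on small constructed primes (61 and 53). Real keys are 1024 bits
# or more and use padding; only the key asymmetry is illustrated here.

def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def apply_key(key, block: int) -> int:
    """Raise one block to the key's exponent modulo n; same operation for either key."""
    exponent, n = key
    return pow(block, exponent, n)

def encrypt_message(key, message: bytes) -> list:
    # One byte per block keeps every block below n; a real system pads whole messages.
    return [apply_key(key, b) for b in message]

def decrypt_message(key, blocks) -> bytes:
    return bytes(apply_key(key, c) for c in blocks)

def figure_17_1_exchange(message: bytes) -> bytes:
    """Steps 1-3: A encrypts with B's public key, B decrypts with B's private key."""
    b_public, b_private = generate_keypair(61, 53)       # User B's key pair
    ciphertext = encrypt_message(b_public, message)      # step 1: A uses B's public key
    # step 2: ciphertext crosses the unsecured network; only B's private key reverses it
    return decrypt_message(b_private, ciphertext)        # step 3

def recovers_with_key(key, ciphertext, expected: bytes) -> bool:
    """True only if this key is the counterpart of the one used to encrypt."""
    return all(apply_key(key, c) == m for c, m in zip(ciphertext, expected))

if __name__ == "__main__":
    print(figure_17_1_exchange(b"meet at noon"))
```

The "vice versa" in the text is the same operation with the roles of the two keys swapped, which is what `recovers_with_key` checks.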

The following are several key terms and concepts used in PKI:

- Certificates
- Certificate authority (CA)
- Certificate revocation list (CRL)
- Simple Certificate Enrollment Protocol (SCEP)

The following subsections define each of these terms and concepts in turn.



Certificates

Digital certificates are commonly used to authenticate and validate users and devices while securing information exchanged over unsecured networks. Certificates can be issued for a user or a network device. Certificates securely bind the user's or device's public key and other information that identifies them. The certificate syntax and format are defined in the X.509 standard of the International Telecommunication Union - Telecommunication Standardization Sector (ITU-T). An X.509 certificate includes the public key and information about the user or device, information about the certificate itself, and optional issuer information. Generally, certificates contain the following information:

- The entity's public key
- The entity's identifier information, such as the name, e-mail address, organization, and locality
- The validity period (the length of time that the certificate is considered valid)
- Issuer's information
- CRL distribution point

Digital certificates can be used in many implementations, such as IPSec and Secure Sockets Layer (SSL), secure e-mail using Secure/Multipurpose Internet Mail Extensions (S/MIME), and many others. The same certificate might have different purposes. For example, a user certificate can be used for remote access VPN, accessing application servers, and for S/MIME e-mail authentication.

Note

Cisco ASA supports digital certificates for remote-access and site-to-site IPSec VPN session authentication, as well as for WebVPN and SSL administrative sessions.



The CA that issues the certificate determines the implementations for each certificate. The intended usage of the certificate (for example, SSL or IPSec) is recorded at the CA.



Certificate Authority

A CA is a device or entity that can issue a certificate to a user or network device. Before any PKI operations can begin, the CA generates its own public key pair and creates a self-signed CA certificate. A fingerprint of the certificate is used by the end entity to authenticate the received CA certificate. The fingerprint is created by calculating a hash (MD5 or SHA-1) over the whole CA certificate. In cases in which multiple levels of CA exist, this corresponds to the ultimate root certificate.

CAs can be configured in a hierarchy. The CA at the top of a certification hierarchy is usually referred to as the main root CA. Figure 17-2 illustrates this concept.

Figure 17-2. Certification Hierarchy



In the example in Figure 17-2, the root CA server has two subordinate CAs, US and Australia. The US CA server also has two subordinates, New York and Los Angeles. Each CA server grants or denies certificate enrollment requests from its corresponding users and network devices (Cisco ASAs in this example).

A user or network device chooses the certificate issuer as a trusted root authority by accepting the issuer CA's self-signed certificate containing the issuer's public key. The certificate information from all trusted CAs within the hierarchy is often referred to as the certificate chain of trust.

There are several CA vendors. The following are some of the CAs supported by Cisco ASA:

- Microsoft Windows 2000 and 2003 CA Server(s)
- VeriSign
- Baltimore UniCERT
- RSA Keon
- Entrust
- Cisco IOS router configured as a CA server

Several PKI implementations also include the use of registration authorities (RAs). An RA acts as an interface between the client (user or network device) and the CA server. An RA verifies and identifies all certificate requests and requests the CA to issue them. RAs can be configured within the same CA (server) or in a separate system. Microsoft CA server, RSA Keon, and Entrust are examples of PKI servers that utilize RAs.

A certificate is valid only for the period of time specified by the issuing CA. Once a certificate expires, a new certificate must be requested. You also have the ability to revoke a specific user or device certificate. The inventory of serial numbers of revoked certificates is maintained on a certificate revocation list (CRL).



Certificate Revocation List

When you revoke a certificate, the CA publishes its serial number to the CRL. This CRL can be maintained on the same CA or a separate system. The CRL can be accessed by any entity trying to check the validity of any given certificate. LDAP and HTTP are the most commonly used protocols when publishing and obtaining a CRL. Storing CRLs in a separate system other than the CA server is often recommended for large environments, for better scalability and to avoid single points of failure.

Figure 17-3 illustrates how a certificate can be revoked on a CA and subsequently published to a CRL server.

Figure 17-3. Certificate Revocation and CRL Example



The following is the sequence of events in Figure 17-3:

1. The user certificate is revoked in the CA server. The CA server updates the CRL/LDAP server.

2. The user attempts to establish an IPSec VPN connection to the Cisco ASA.

3. The Cisco ASA is configured to query the CRL server. It downloads the CRL and finds the certificate serial number on the list of revoked certificates.

4. The Cisco ASA denies access to the user and sends an IKE delete message.

There are several reasons why you need to use CRLs. Revoking a certificate is crucial if it might have been compromised or if the user might no longer have authority to use such a certificate. For example, you should always revoke certificates when employees leave your organization.
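The accept/deny decision of Figure 17-3 (revocation in step 1, the checks of steps 3 and 4), as an added example written for this page rather than code from the book or the Cisco ASA; the record layout, CA name and CRL URL are constructed, and the example assumes an unavailable or stale CRL fails closed:

```python
# Added example, not from the book: the accept/deny decision of Figure 17-3
# (steps 3 and 4) written in Python over constructed certificate and CRL
# records. Field and CA names are this example's own, not ASA data structures.
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Certificate:
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    crl_distribution_point: str      # where the checker fetches the CRL from

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime            # after this, the list is stale
    revoked_serials: set = field(default_factory=set)

def revoke_certificate(crl: CRL, cert: Certificate, now: datetime) -> None:
    """Step 1: the CA records the serial number and republishes the CRL."""
    crl.revoked_serials.add(cert.serial)
    crl.this_update = now

def validate_certificate(cert, crl, trusted_issuers, now):
    """Steps 3-4: return (accepted, reason). Any failure denies the session.
    Assumption of this example: an unavailable or stale CRL fails closed."""
    if cert.issuer not in trusted_issuers:
        return False, "issuer is not a trusted CA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if crl is None:
        return False, "CRL unavailable"
    if crl.issuer != cert.issuer:
        return False, "CRL not issued by the certificate's CA"
    if now > crl.next_update:
        return False, "CRL is stale"
    if cert.serial in crl.revoked_serials:
        return False, "serial number is on the CRL"
    return True, "accepted"

# Constructed sample data (not real identities or URLs)
TRUSTED_CAS = {"CN=SecureMe Root CA"}
USER_CERT = Certificate(0x1A2B, "CN=jdoe", "CN=SecureMe Root CA",
                        datetime(2005, 1, 1), datetime(2006, 1, 1),
                        "http://crl.example.invalid/root.crl")
PUBLISHED_CRL = CRL("CN=SecureMe Root CA", datetime(2005, 7, 1), datetime(2005, 7, 8))
```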



Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) is a protocol developed by Cisco. SCEP provides a secure issuance of certificates to users and network devices in a scalable manner. It uses HTTP for the transport mechanism for enrollment and uses LDAP or HTTP for CRL checking. SCEP supports the following operations:

- CA and RA public key distribution
- Certificate enrollment
- Certificate revocation
- Certificate query
- CRL query

Cisco ASA supports enrollment via SCEP and manually via a cut-and-paste method.

Tip

Using SCEP is recommended for better scalability. The manual cut-and-paste method is normally used when the CA server does not support SCEP or an HTTP connection is not possible.



Enrolling the Cisco ASA to a CA Using SCEP

Enrollment is the process of obtaining a certificate from a CA server. This section covers the necessary steps to configure and enroll a Cisco ASA to a CA server.



Generating the RSA Key Pair

Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a hostname and domain name. Example 17-1 demonstrates how to configure the Cisco ASA hostname and domain name and generate the RSA key pair.

Example 17-1. Generating the RSA Key Pair

ASA(config)# hostname Chicago
Chicago(config)# domain-name securemeinc.om
Chicago(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin.



Note

In Example 17-1, the name for the key pair is . The is replaced with a key pair label if configured.



Use the crypto key zeroize rsa command if an RSA key pair exists and a new pair needs to be regenerated. Example 17-2 demonstrates how to remove existing RSA key pairs.

Example 17-2. Removing Existing RSA Key Pair

Chicago(config)# crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All certs issued using these keys will also be removed
Do you really want to remove these keys? [yes/no]: yes



To verify the generation of the RSA key pair, use the show crypto key mypubkey rsa command. Example 17-3 shows the output of this command.

Example 17-3. Viewing RSA Key Pair Information

Chicago# show crypto key mypubkey rsa
Key pair was generated at: 08:46:31 UTC Jul 10 2005
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f300d06092a864886f70d010101050003818d0030818902818
08b00ac5fb06adda7c7a2ae626c136ce990f561241d6fa0979ef251
64bc15f81b3a4f1e131f1765866dfb3abb8c3a59f86056258e8ff0c
75c753c3dd5f55f36d49d774523b9d8b78ad05b4efd7579388ac964
017d464d4a817041a559dc632532c657cc12373ac7b733f1a50bdb8



Note

The same RSA key pair is used for Secure Shell (SSH) connections to the security appliance.



Configuring a Trustpoint

The Cisco ASA certificate configuration commands are similar to Cisco IOS commands. The crypto ca trustpoint command declares the CA that your Cisco ASA should use and allows you to configure all the necessary certificate parameters. Invoking this command puts you in ca-trustpoint configuration mode, as shown in Example 17-4.

Example 17-4. Configuring a Trustpoint

Chicago# configure terminal
Chicago(config)# crypto ca trustpoint CISCO
Chicago(ca-trustpoint)#



Table 17-1 lists and describes all the ca-trustpoint subcommands.

Table 17-1. Enrollment Configuration Subcommands

Subcommand           Description
-------------------  ------------------------------------------------------------
accept-subordinates  Allows the Cisco ASA to accept subordinate CA certificates
crl                  CRL options (explained later in this chapter)
default              Returns all enrollment parameters to their default values
email                Used to enter the e-mail address to be used in the enrollment request
enrollment           Enrollment parameters:
                       retry     Polling retry count and period
                       self      Enrollment will generate a self-signed certificate
                       terminal  Used for manual enrollment (cut-and-paste method)
                       url       The URL of the CA server
fqdn                 Includes fully qualified domain name
id-cert-issuer       Accepts ID certificates
ip-address           Includes IP address
keypair              Specifies the key pair whose public key is to be


