General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 23
the certificate should be verifiable and unbroken. This indicates a high probability
that the software has not been tampered with since it was originally made available
for download. Additionally, certificates may be used in processes such as data encryption
or in network protocols requiring their use, such as Internet Protocol Security
(IPSec), when the sending and receiving machines must be verifiable.
This process is part of the Public Key Infrastructure (PKI) framework.
Certificates have come into more frequent use as Internet-based transactions
have developed and expanded. X.509 is an ITU-T standard for PKI, and
X.509 certificates are now used for Web-based authentication for access to remote
systems, and for encryption of information on local machines. They are also used
for directory services access in various operating systems, Smart Cards, digital
signatures for e-mail, and encrypting e-mail. Additionally, they may be used for
authentication when implementing a secure network protocol such as IPSec to
protect data transmission within systems. All of these become part of the PKI,
which is described as the plan or methods for exchange of authentication
information and protection of that information (see Chapter 10).
The certificates can be installed via the Web browser on client machines to
identify and authenticate users. In some OSes such as Windows 2003, certificates
can be mapped to user accounts in Active Directory, and then associated with the
access tokens generated by the operating system when the user logs on, making the
local installation of the certificate optional on the workstation being used. Web
servers must have a Web server certificate installed in order to participate in SSL.
EXAM WARNING
Remember that certificates must be issued from a verifiable and identifiable
CA. This can be a commercial entity, such as Verisign or Thawte, or
a standalone or enterprise CA within your organization. The path to the
CA must be unbroken, or the certificate may be viewed as invalid. A
compromised or physically unsecured CA will require recreation of your
entire PKI.
Multiple aspects of the certificate may be verified, including the
certificate expiry date, the domain associated with the certificate, and the
validity of the CA. It is important to note that if the software verifying
the certificate is not configured to trust the CA, the certificate will be
considered invalid.
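The checks listed in the Exam Warning can be reproduced with the openssl command line. The script below is an added example, not part of the original text: it builds a throwaway CA and server certificate (all names are constructed) and verifies the certificate against a trusted CA, an untrusted CA, a date past expiry, and a matching and a non-matching domain. It assumes OpenSSL 1.1.0 or later is installed.

```shell
#!/bin/sh
# Added example: constructed, throwaway CA and server certificate (no real credentials).
# Assumes the openssl CLI, version 1.1.0 or later.

# make_pki DIR: create a CA, a server certificate issued by it, and an unrelated CA.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
}

# verdict ARGS...: run "openssl verify" with ARGS and print VALID or INVALID.
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then echo VALID; else echo INVALID; fi
}

# run_checks: print one line per check named in the text.
run_checks() {
    dir=$(mktemp -d) || return 1
    make_pki "$dir" || { rm -rf "$dir"; return 1; }
    ca="$dir/ca.pem"; leaf="$dir/leaf.pem"
    later=$(( $(date +%s) + 7 * 86400 ))   # one week ahead, past the 1-day lifetime

    # Path to a CA the verifier trusts: unbroken.
    echo "trusted_ca=$(verdict -CAfile "$ca" "$leaf")"
    # Verifier is not configured to trust the issuing CA.
    echo "untrusted_ca=$(verdict -CAfile "$dir/other.pem" "$leaf")"
    # Same certificate evaluated after its expiry date.
    echo "expired=$(verdict -attime "$later" -CAfile "$ca" "$leaf")"
    # Domain associated with the certificate: match and mismatch.
    echo "host_match=$(verdict -verify_hostname www.example.test -CAfile "$ca" "$leaf")"
    echo "host_mismatch=$(verdict -verify_hostname mail.example.test -CAfile "$ca" "$leaf")"
    rm -rf "$dir"
}

run_checks
```

Only the first and fourth checks report VALID; each of the others fails on exactly one of the conditions the warning names.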
www.syngress.com