Web sites use certificates to create SSL sessions.  When a user clicks a HTTPS link, it initiates the SSL handshake process.

 The web site will then send the client a certificate with a public key that can be used in the asymmdtric portion of the SSL session to create a session key. (The session key will then be used in the symmetric portion of the SSL session.)  The client needs to verify the certificate is trusted and valid:

Trusted.  First, the certificate must have been issued from a trusted certificate authority (CA). A list of trusted CAs can be viewed in Internet Explorer by clicking Tools -> Internet Options, selecting the Content tab, click the Certificates button, and selecting Trusted Root Certification Authorities.  If the certificate was issued to the web site from a company with a certificate in the Trusted Root Certification Authority store, it will be trusted. If the certificate is not trusted, the user will be notified that it's not trusted and encouraged not to continue.

Valid.  Next, the client attempts to validate the certificate. CAs can revoke certificates if they become compromised in some way. A revoked certificate is considered invalid and shouldn't be used. Revoked certificates are published on a certificate revocation list (CRL). Clients can check if a certificate is valid using one of two methods:

• Requesting the CRL.  The client requests a copy of the CRL from the CA.  The CA sends the CRL and the client then checks the CRL to see if the certificate is on the list.  If it's on the list, it's considered invalid and wouldn't be used.
• Online Certificate Status Protocol (OCSP). OCSP is an improved streamlined process. Instead of the client requesting a copy of the CRL, the client queries the CA about the certificate. Certificates are uniquely identified with a serial number. The CA then replies indicating the certificate is healthy (not revoked), not healthy (revoked), or unknown (the serial number is not known by the CA.

Once the certificate is verified to be trusted and valid, the public key embedded in the certificate is used to encrypt the session key.  Imagine the client wants to use a key of 1234. The client then encrypts this key with the public key to result in something like "AF4D2D0F3EB304". (Both the session key and the encrypted session would be much larger but are shortened for illustration purposes. )

 At this point, only the client knows the session key.  The encrypted session key is sent back to the web server.  Since this key was encrypted with the public key (which is matched to the private key held by the server and unknown to anyone else) it can't be decrypted if anyone intercepts it.  When the web server receives the encrypted key, it decrypts it with the private key.  Use of the public and private key is known as asymmetric encryption.

 For the remainder of the session, the client and server use the session key (symmetric encryption).

 Darril Gibson

Security+ Tip of day Tweets
twitter.com/DarrilGibson

Authentication is used to verify a user’s identity by providing a previously known identifier.  Basically, there are three ways to do this which are commonly referred to as the three factors of authentication.

• Something you know.  As an example, a user would know their username and password.  This is considered the weakest form of authentication.  One of the primary reasons is that users often use weak passwords or write their passwords down.

•  Something you have. Smart cards and fobs are common examples. A smart card is a credit card sized card that holds key information about the user.  Smart cards have certificates embedded in them using TLS and provide very strong authentication. A fob (sometimes called a token) has an LED display that shows a number that changes regularly, such as every 60 seconds. This number is synchronized with a server.  When the user logs into a website, they enter the number shown on the display to verify they have the token. This factor is often combined with another factor to provide multifactor authentication.

• Something you are. Biometrics is used for this factor of authentication and is not only in movies.  Biometrics is commonly used in many applications today. A common example is at theme parks like Disney World.  It includes fingerprints, retinal scans, voice prints and even handwriting analysis. Biometrics is considered the strongest form of authentication, but also the most expensive.

Multifactor Authentication. Multifactor authentication combines two or three of the factors. Two common examples are where

1. Someone may have a smart card and know a personal identification number (PIN), or
2. Have a fob and know their username and password.

 Darril Gibson

Security+ Tip of day Tweets
twitter.com/DarrilGibson

Some people query about the popularity of Security+ in the past few years.  What is driving so many people to seek this certification?

 One of the big driving factors is a U.S. Department of Defense (DoD) directive named DoD 8570.1.  This directive mandates many IT professionals employed in the government to have specific certifications.  Some of the common certifications are CompTIA A+, Network+, and Security+ and the people required to have the different certifications are military personnel, civilian employees and civilian contractors.

While civilian companies aren't mandated to have employees with these certifications, they are much more competitive if they do when they compete for IT sservice contracts.  Employers may not require you to have the certification, but if do have it, it weighs just a little more in your favor.

 Darril

CompTIA Security+: Get Certified Get Ahead

One quantitative risk model uses three elements three elements to quantify and prioritize risks. They are:

• Single loss expectancy (SLE).  The is the cost of any single loss expressed in monetary terms (such as $4,000).
• Annualized rate of occurrence (ARO). This indicates how many times the loss is expected to occur if no action is taken. For example, it may have occurred an average of 4 times in the past three years, so the ARO would be 4.
• Annualized loss expectancy (ALE). SLE * ARO.  What you expect to lose annually if no action is taken in this example is $16,000.

Using and SLE of $4,000, and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 and reduce the ARO from 4 to 1.  How much money would you save?

• The original ALE is $16,000 ($4,000 * 4).
• If the ARO was reduced to 1, the ALE would be $4,000 ($4,000 * 1), or a reduction of losses by $12,000.
• You spent $2,000 to save $12,000 so you saved $10,000

 Another way of looking at this is to use these figures to determine the effectiveness of a mitigation measure.  Imagine the ALE is $16,000.  Someone proposes a risk mitigation solution that costs $35,000  a year with a guarantee that it will eliminate this risk.  Does that make fiscal sense?  In other words, you’ll spend $35,000 to save $16,000 - not too good.  Now instead of losing $16,000, you’re spending $35,000.

Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ exam. 

Darril

CompTIA Security+: Get Certified Get Ahead