WEBVTT

1
00:00:00.000 --> 00:00:01.440
<v Instructor>In this lesson,</v>

2
00:00:01.440 --> 00:00:05.910
we will learn about Asymmetric Cryptography Use Cases.

3
00:00:05.910 --> 00:00:09.900
Asymmetric Cryptography Use Cases involve scenarios

4
00:00:09.900 --> 00:00:12.420
where public and private key pairs

5
00:00:12.420 --> 00:00:14.390
are utilized to secure communications

6
00:00:14.390 --> 00:00:16.975
and authenticate users.

7
00:00:16.975 --> 00:00:20.089
Asymmetric cryptography use cases include

8
00:00:20.089 --> 00:00:22.470
certificate-based authentication,

9
00:00:22.470 --> 00:00:26.160
passwordless authentication, and secure email.

10
00:00:26.160 --> 00:00:28.440
Certificate-based Authentication

11
00:00:28.440 --> 00:00:32.100
uses digital certificates to validate identities.

12
00:00:32.100 --> 00:00:36.450
Next, Passwordless Authentication uses cryptographic keys

13
00:00:36.450 --> 00:00:38.940
to eliminate the need for passwords.

14
00:00:38.940 --> 00:00:43.403
Finally, Secure Email employs asymmetric encryption

15
00:00:43.403 --> 00:00:47.460
to ensure that email communications are confidential

16
00:00:47.460 --> 00:00:48.446
from end to end,

17
00:00:48.446 --> 00:00:52.110
and can only be read by the intended recipient.

18
00:00:52.110 --> 00:00:55.411
Let's learn more about Certificate-based Authentication,

19
00:00:55.411 --> 00:00:59.010
Passwordless Authentication, and Secure Email.

20
00:00:59.010 --> 00:01:02.580
First, we have Certificate-based Authentication.

21
00:01:02.580 --> 00:01:06.013
Certificate-based Authentication is a secure method

22
00:01:06.013 --> 00:01:10.320
of verifying identities using digital certificates,

23
00:01:10.320 --> 00:01:13.950
which are issued by a trusted certificate authority

24
00:01:13.950 --> 00:01:17.160
within a public key infrastructure.

25
00:01:17.160 --> 00:01:19.500
Certificate-based authentication

26
00:01:19.500 --> 00:01:23.160
ensures that only authorized users and systems

27
00:01:23.160 --> 00:01:25.590
can access protected resources

28
00:01:25.590 --> 00:01:29.520
by proving their identity with a digital certificate.

29
00:01:29.520 --> 00:01:31.500
In client authentication,

30
00:01:31.500 --> 00:01:35.010
a server verifies whether a connection request

31
00:01:35.010 --> 00:01:39.330
is coming from a preauthorized client, such as a device

32
00:01:39.330 --> 00:01:43.290
or user, based on the client-presented certificate.

33
00:01:43.290 --> 00:01:46.606
This is commonly managed through Network Access Control

34
00:01:46.606 --> 00:01:48.591
or NAC systems.

35
00:01:48.591 --> 00:01:50.886
NAC systems authenticate devices

36
00:01:50.886 --> 00:01:53.447
and ensure that only trusted clients

37
00:01:53.447 --> 00:01:56.340
can connect to the network.

38
00:01:56.340 --> 00:02:00.147
Alternatively, server authentication is used by a client

39
00:02:00.147 --> 00:02:04.140
to validate that the server, such as a web server,

40
00:02:04.140 --> 00:02:07.350
is genuine and not an imposter.

41
00:02:07.350 --> 00:02:10.050
For example, every time a web browser

42
00:02:10.050 --> 00:02:13.650
connects to a website over https,

43
00:02:13.650 --> 00:02:17.370
which is hypertext transfer protocol over SSL,

44
00:02:17.370 --> 00:02:21.491
it uses a digital certificate issued to the server

45
00:02:21.491 --> 00:02:24.600
to confirm the server's identity.

46
00:02:24.600 --> 00:02:28.002
This ensures the user is connecting to the real website

47
00:02:28.002 --> 00:02:30.510
and not a fraudulent one.

48
00:02:30.510 --> 00:02:32.880
In modern enterprise environments,

49
00:02:32.880 --> 00:02:36.630
certificate-based authentication is often integrated

50
00:02:36.630 --> 00:02:40.055
within Single Sign-On or SSO systems,

51
00:02:40.055 --> 00:02:42.987
which streamline access management.

52
00:02:42.987 --> 00:02:47.987
SSO allows users to access multiple resources and services

53
00:02:48.379 --> 00:02:50.846
using a single set of credentials

54
00:02:50.846 --> 00:02:53.610
or a digital certificate.

55
00:02:53.610 --> 00:02:56.943
For example, a user might log into their computer

56
00:02:56.943 --> 00:03:00.857
with a smart card that contains a digital certificate.

57
00:03:00.857 --> 00:03:03.585
Once authenticated, the SSO system

58
00:03:03.585 --> 00:03:06.279
uses the certificate to grant access

59
00:03:06.279 --> 00:03:09.180
to various applications, websites,

60
00:03:09.180 --> 00:03:12.280
and network resources without requiring the user

61
00:03:12.280 --> 00:03:15.840
to repeatedly enter their credentials.

62
00:03:15.840 --> 00:03:19.113
This approach simplifies user authentication,

63
00:03:19.113 --> 00:03:23.460
reduces the risk of password-related security issues,

64
00:03:23.460 --> 00:03:27.540
and enhances overall security by leveraging strong

65
00:03:27.540 --> 00:03:30.960
certificate-based identity verification.

66
00:03:30.960 --> 00:03:33.058
So, by relying on certificates

67
00:03:33.058 --> 00:03:35.760
instead of traditional passwords,

68
00:03:35.760 --> 00:03:37.950
certificate-based authentication

69
00:03:37.950 --> 00:03:40.560
significantly enhances security,

70
00:03:40.560 --> 00:03:43.920
reduces the burden of managing multiple credentials,

71
00:03:43.920 --> 00:03:46.877
and provides a seamless user experience

72
00:03:46.877 --> 00:03:50.220
in accessing trusted resources.

73
00:03:50.220 --> 00:03:53.970
Second, we have Passwordless Authentication.

74
00:03:53.970 --> 00:03:58.110
Passwordless Authentication is an authentication method

75
00:03:58.110 --> 00:04:00.661
that allows users to access systems

76
00:04:00.661 --> 00:04:02.720
without entering passwords

77
00:04:02.720 --> 00:04:05.940
or other knowledge-based secrets.

78
00:04:05.940 --> 00:04:09.559
This approach enhances security and user experience

79
00:04:09.559 --> 00:04:12.510
by using password alternatives,

80
00:04:12.510 --> 00:04:15.330
such as public-key cryptography,

81
00:04:15.330 --> 00:04:18.361
where a private key is stored on the user's device

82
00:04:18.361 --> 00:04:20.923
and used for authentication.

83
00:04:20.923 --> 00:04:23.877
Passwordless authentication generally relies

84
00:04:23.877 --> 00:04:26.327
on two main types of factors.

85
00:04:26.327 --> 00:04:29.559
Ownership factors are something the user has,

86
00:04:29.559 --> 00:04:34.426
like a smartphone, a smart card, or a hardware token,

87
00:04:34.426 --> 00:04:38.247
while biometric factors are something the user is,

88
00:04:38.247 --> 00:04:41.760
such as fingerprints or facial recognition.

89
00:04:41.760 --> 00:04:43.863
These factors eliminate the need

90
00:04:43.863 --> 00:04:46.020
for traditional passwords,

91
00:04:46.020 --> 00:04:49.890
which are often vulnerable to being stolen or guessed.

92
00:04:49.890 --> 00:04:53.047
Passwordless systems offer several benefits,

93
00:04:53.047 --> 00:04:57.302
including improved security, a better user experience,

94
00:04:57.302 --> 00:05:00.480
and reduced IT cost.

95
00:05:00.480 --> 00:05:02.310
By removing passwords,

96
00:05:02.310 --> 00:05:05.061
systems are protected against common attacks

97
00:05:05.061 --> 00:05:08.087
like brute force and password theft.

98
00:05:08.087 --> 00:05:11.911
Users also enjoy a smoother experience,

99
00:05:11.911 --> 00:05:14.323
as they no longer need to remember

100
00:05:14.323 --> 00:05:17.910
or frequently update complex passwords.

101
00:05:17.910 --> 00:05:21.150
IT departments benefit as well,

102
00:05:21.150 --> 00:05:23.460
since the need for password storage,

103
00:05:23.460 --> 00:05:28.080
management and security auditing is significantly reduced.

104
00:05:28.080 --> 00:05:31.110
Additionally, passwordless authentication

105
00:05:31.110 --> 00:05:34.290
provides better tracking of credential use,

106
00:05:34.290 --> 00:05:38.100
as it is closely tied to specific devices

107
00:05:38.100 --> 00:05:41.792
or unique user attributes like biometrics.

108
00:05:41.792 --> 00:05:46.500
But passwordless authentication also has some challenges,

109
00:05:46.500 --> 00:05:49.710
including higher implementation costs,

110
00:05:49.710 --> 00:05:51.690
the need for additional training

111
00:05:51.690 --> 00:05:54.450
and potential single points of failure

112
00:05:54.450 --> 00:05:58.110
if relying on only one factor,

113
00:05:58.110 --> 00:06:01.860
such as a hardware token or a biometric scan.

114
00:06:01.860 --> 00:06:05.640
For example, if biometric factors like fingerprints

115
00:06:05.640 --> 00:06:07.890
or facial recognition are used,

116
00:06:07.890 --> 00:06:11.340
there is a risk of biometric impersonation.

117
00:06:11.340 --> 00:06:13.779
Biometric impersonation involves

118
00:06:13.779 --> 00:06:16.890
bypassing biometric security

119
00:06:16.890 --> 00:06:20.220
by mimicking a user's physical traits.

120
00:06:20.220 --> 00:06:22.380
This can be seen in movies,

121
00:06:22.380 --> 00:06:25.692
where a spy recreates someone's fingerprint

122
00:06:25.692 --> 00:06:29.128
from a drinking glass to bypass security.

123
00:06:29.128 --> 00:06:31.440
To mitigate such risks,

124
00:06:31.440 --> 00:06:34.646
systems must ensure low false-positive rates

125
00:06:34.646 --> 00:06:36.690
in biometric scanners,

126
00:06:36.690 --> 00:06:39.477
and use secure, well-tested technology.

127
00:06:39.477 --> 00:06:43.212
While biometric authentication is considered secure,

128
00:06:43.212 --> 00:06:47.042
using multifactor authentication or MFA

129
00:06:47.042 --> 00:06:49.380
greatly enhances security.

130
00:06:49.380 --> 00:06:53.251
For example, if you can consider the iPhone's Touch ID

131
00:06:53.251 --> 00:06:55.710
and Face ID systems,

132
00:06:55.710 --> 00:06:58.530
you will find that a standard four-digit PIN

133
00:06:58.530 --> 00:07:01.050
has a one in 10,000 chance

134
00:07:01.050 --> 00:07:03.630
of being guessed by an attacker.

135
00:07:03.630 --> 00:07:06.990
But if you're using Touch ID with your fingerprint

136
00:07:06.990 --> 00:07:08.940
to unlock the device,

137
00:07:08.940 --> 00:07:10.988
the chance that somebody else's fingerprint

138
00:07:10.988 --> 00:07:15.502
will unlock your device goes up to one in 50,000,

139
00:07:15.502 --> 00:07:18.420
making it five times more secure.

140
00:07:18.420 --> 00:07:21.677
If you're using Face ID with its facial recognition scanning

141
00:07:21.677 --> 00:07:24.210
to secure your device,

142
00:07:24.210 --> 00:07:28.350
the chances of somebody else's face unlocking your device

143
00:07:28.350 --> 00:07:30.660
go up to one in 1 million.

144
00:07:30.660 --> 00:07:32.964
But for the most secure implementation

145
00:07:32.964 --> 00:07:35.455
of passwordless authentication,

146
00:07:35.455 --> 00:07:38.700
you should use multifactor authentication.

147
00:07:38.700 --> 00:07:41.847
For example, if you combine facial recognition

148
00:07:41.847 --> 00:07:46.500
with a one-time PIN from an RSA key fob,

149
00:07:46.500 --> 00:07:48.374
your overall system security

150
00:07:48.374 --> 00:07:51.738
is going to increase tremendously,

151
00:07:51.738 --> 00:07:56.053
because multi-factor authentication is much more secure

152
00:07:56.053 --> 00:07:59.730
than any single factor on its own.

153
00:07:59.730 --> 00:08:03.720
Third and last, we have Secure Email.

154
00:08:03.720 --> 00:08:07.620
Secure Email creates confidentiality, integrity,

155
00:08:07.620 --> 00:08:12.620
authentication, and non-repudiation in email communication.

156
00:08:13.200 --> 00:08:17.136
To achieve confidentiality, the email message is encrypted

157
00:08:17.136 --> 00:08:19.680
with the receiver's public key,

158
00:08:19.680 --> 00:08:22.326
ensuring that only the intended recipient

159
00:08:22.326 --> 00:08:25.200
can decrypt and read the message.

160
00:08:25.200 --> 00:08:28.480
For integrity, the sender hashes the email message,

161
00:08:28.480 --> 00:08:31.261
creating a unique hash digest

162
00:08:31.261 --> 00:08:32.626
that ensures the content

163
00:08:32.626 --> 00:08:36.210
has not been altered during transmission.

164
00:08:36.210 --> 00:08:38.340
To provide non-repudiation,

165
00:08:38.340 --> 00:08:43.068
the sender encrypts this hash digest with their private key,

166
00:08:43.068 --> 00:08:47.131
allowing the receiver to confirm the sender's identity

167
00:08:47.131 --> 00:08:51.630
and that the message has not been tampered with.

168
00:08:51.630 --> 00:08:54.120
One of the most widely used standards

169
00:08:54.120 --> 00:08:55.710
for secure email is

170
00:08:55.710 --> 00:09:00.710
the Secure/Multipurpose Internet Mail Extensions or S/MIME.

171
00:09:00.750 --> 00:09:04.440
S/MIME uses public key cryptography standards

172
00:09:04.440 --> 00:09:09.240
or PKCS to provide encryption, digital signatures,

173
00:09:09.240 --> 00:09:11.730
and other cryptographic security

174
00:09:11.730 --> 00:09:14.700
for electronic messaging like email.

175
00:09:14.700 --> 00:09:16.834
Unlike connection security protocols

176
00:09:16.834 --> 00:09:21.810
like Secure Sockets Layer and Transport Layer Security,

177
00:09:21.810 --> 00:09:23.910
which protect data in transit,

178
00:09:23.910 --> 00:09:28.110
S/MIME focuses on securing individual messages.

179
00:09:28.110 --> 00:09:29.550
It applies encryption

180
00:09:29.550 --> 00:09:33.330
and digital signatures directly to each email,

181
00:09:33.330 --> 00:09:35.576
ensuring both sender and receiver

182
00:09:35.576 --> 00:09:38.310
can trust the message's integrity

183
00:09:38.310 --> 00:09:41.010
and guarantee confidentiality.

184
00:09:41.010 --> 00:09:45.150
Today, S/MIME is integrated into most email clients,

185
00:09:45.150 --> 00:09:49.380
such as Microsoft Outlook, Apple Mail, and Gmail.

186
00:09:49.380 --> 00:09:53.430
It uses separate session keys for each email message

187
00:09:53.430 --> 00:09:55.907
and applies digital signatures to emails

188
00:09:55.907 --> 00:10:00.780
to ensure authentication, integrity and non-repudiation.

189
00:10:00.780 --> 00:10:02.490
For S/MIME to work,

190
00:10:02.490 --> 00:10:05.314
each user is issued a digital certificate

191
00:10:05.314 --> 00:10:07.950
containing their public key

192
00:10:07.950 --> 00:10:12.450
signed by a trusted certificate authority or CA,

193
00:10:12.450 --> 00:10:15.540
and a private key that remains a secret.

194
00:10:15.540 --> 00:10:18.450
This public and private key combination

195
00:10:18.450 --> 00:10:22.230
allows users to securely exchange public keys

196
00:10:22.230 --> 00:10:24.900
and validate each other's identities

197
00:10:24.900 --> 00:10:28.290
through their respective certificate authorities.

198
00:10:28.290 --> 00:10:32.910
For instance, if you and I want to exchange secure emails,

199
00:10:32.910 --> 00:10:36.630
we first exchange our public keys through email,

200
00:10:36.630 --> 00:10:38.498
signing these initial messages

201
00:10:38.498 --> 00:10:41.700
with our private keys for validation.

202
00:10:41.700 --> 00:10:44.897
My email client will verify your public key

203
00:10:44.897 --> 00:10:47.730
using your certificate authority

204
00:10:47.730 --> 00:10:49.770
to ensure its authenticity,

205
00:10:49.770 --> 00:10:53.220
and you will do the same with my public key.

206
00:10:53.220 --> 00:10:56.493
Once we have each other's validated public keys,

207
00:10:56.493 --> 00:11:00.000
we can start sending encrypted emails to each other

208
00:11:00.000 --> 00:11:01.900
using each other's public keys

209
00:11:01.900 --> 00:11:04.410
to ensure confidentiality.

210
00:11:04.410 --> 00:11:07.123
Each of us will also sign our messages

211
00:11:07.123 --> 00:11:12.123
by encrypting a message hash with our own private key.

212
00:11:12.229 --> 00:11:15.113
This adds authentication, integrity,

213
00:11:15.113 --> 00:11:19.053
and non-repudiation to our communication.

214
00:11:19.053 --> 00:11:22.170
This layered approach makes S/MIME

215
00:11:22.170 --> 00:11:25.350
a critical component of email security,

216
00:11:25.350 --> 00:11:28.680
but S/MIME does have some challenges,

217
00:11:28.680 --> 00:11:30.860
such as potentially being exploited

218
00:11:30.860 --> 00:11:33.390
in social engineering attacks.

219
00:11:33.390 --> 00:11:36.840
For example, an attacker could send malware

220
00:11:36.840 --> 00:11:39.450
hidden inside of an encrypted email,

221
00:11:39.450 --> 00:11:42.360
bypassing traditional security filters.

222
00:11:42.360 --> 00:11:44.370
Since the contents are encrypted,

223
00:11:44.370 --> 00:11:47.910
boundary protection devices like email filters

224
00:11:47.910 --> 00:11:50.730
cannot inspect the message for threats

225
00:11:50.730 --> 00:11:53.250
without access to the private key.

226
00:11:53.250 --> 00:11:56.730
This creates a trade-off when implementing S/MIME,

227
00:11:56.730 --> 00:11:59.293
because while it provides robust security

228
00:11:59.293 --> 00:12:01.770
for legitimate communications,

229
00:12:01.770 --> 00:12:04.920
it can be used to bypass security measures too,

230
00:12:04.920 --> 00:12:06.394
requiring careful consideration

231
00:12:06.394 --> 00:12:11.394
and additional controls when used in corporate environments.

232
00:12:11.400 --> 00:12:15.393
So, remember, Asymmetric Cryptography uses public

233
00:12:15.393 --> 00:12:18.337
and private key pairs to secure communications

234
00:12:18.337 --> 00:12:21.210
and authenticate users.

235
00:12:21.210 --> 00:12:24.016
This approach is seen in various use cases,

236
00:12:24.016 --> 00:12:27.840
including Certificate-based authentication,

237
00:12:27.840 --> 00:12:31.950
Passwordless authentication, and Secure email.

238
00:12:31.950 --> 00:12:34.929
First, Certificate-based Authentication

239
00:12:34.929 --> 00:12:39.300
uses digital certificates to verify identities,

240
00:12:39.300 --> 00:12:41.425
enhancing security by proving

241
00:12:41.425 --> 00:12:45.990
that users and devices are who they claim to be.

242
00:12:45.990 --> 00:12:49.736
Second, Passwordless Authentication eliminates the need

243
00:12:49.736 --> 00:12:54.570
for passwords, relying instead on cryptographic keys

244
00:12:54.570 --> 00:12:58.020
and biometrics to provide secure access.

245
00:12:58.020 --> 00:13:02.971
And third, Secure Email employs asymmetric encryption

246
00:13:02.971 --> 00:13:06.065
to ensure that messages are confidential,

247
00:13:06.065 --> 00:13:09.963
authentic, and protected from tampering.

