Question

Q1) What is the difference between the sender and the holder of the digital certificate? How to consider that a digital certificate is valid? How can one obtain a digital certificate for one public key without disclosing the private key?

Q2) Describe the relationship between the incident response and the forensic analysis.

Answer #1

Answer: A Digital Certificate is a certificate that is issued by a third-party Certificate Authority (CA). The CA verifies the identity of the certificate owner. A digital certificate contains the certificate owner's name, a serial number, the dates from which the certificate is valid and on which it expires, a copy of the certificate owner’s public key and the digital certificates of the Certificate Authority (CA).

A certificate is digitally signed by a root certificate from a trusted CA. Trusted CA root certificates are listed in operating systems and browsers, so that they can easily verify a certificate that is issued and signed by CAs. Once a website is signed with a Digital Certificate, it indicates the business/website/sign-person is legitimate and verified by the Certificate Authority.

And a sender is a person who is sending a message to a website or service. In a way, a sender is the end user/consumer who wants to use the service.

- Digital certificate is valid: A digital certificate is usually valid for a period of 1 or 2 years from the date of its download into the token. A subscriber should be well aware of his certificate's validity so that he can renew the certificate on time before the validity expires and avoid probable business loss due to an expired certificate.

ProxKey Token has a unique expiry notification which brings to the subscriber's knowledge how much validity remains for the certificate. These notifications will start 1 month prior to expiry of the certificate. To ensure that the token management utility gives proper notification, the system date and time should be correct.

Check certificate details - The Certificate Details dialog box displays certificate information such as the signer’s name in the Signing as box, and who issued the certificate.

  1. Open the file that contains the certificate you want to view.

  2. Click File > Info > View Signatures.

  3. In the list, on a signature name, click the down-arrow, and then click Signature Details.

  4. In the Signature Details dialog box, click View.

- How can one obtain a digital certificate for one public key without disclosing the private key:

You don't need to publish the private key at all - RSA is a trapdoor permutation, which means:

  • If you encrypt with a public key, you can decrypt with the private key.
  • If you encrypt with a private key, you can decrypt with a public key.

Thus, RSA supports doing both signing and encryption relying on the end user having only the public key.

In your case, if the client wishes to verify data came from the server, you apply the second case of RSA and decrypt the signature data using the public key you already have.

Furthermore, because it is a permutation, you shouldn't need to modify your code at all. Both keys should work using the same function. I would expect any decent crypto library would have APIs for verifying signatures according to the varying standards that exist - one of these would probably be a good bet.

RSA Labs provide a nice explanation of this.

If you want to extend this between servers, or verify client communication - generate keys for each entity and swap the public ones. The process can then be used at both ends.

Theoretically speaking, e and d are interchangeable (which is why RSA works) (one must be designated secret and kept secret), but p and q must always be kept secret as these allow you to derive d from e and vice versa. However, you need to be extremely careful in your understanding of the private key - does your software store p/q in the private key? If so, you can't publish it as is. Also, when I say interchangeable - once you publish one of that pair (e or d along with your modulus n) you must guard the other with your life. Practically speaking, as Graeme linked to in the comments, e is often chosen as a small/fixed value. My comment on e/d being interchangeable clearly does not apply when e is easily determined. Doing this sort of thing therefore has the potential for confusion and mis-implementation. Use a third-party library/don't start publishing private keys.

Answer 2:

Incident response and forensic analysis are related disciplines that can leverage similar tools and related data sets but also have some important differences. There are four particularly important distinctions between incident response and forensic analysis:

  • Goals
  • Data requirements
  • Team skills
  • Benefits

The difference in the goals of incident response and forensic analysis is perhaps the most important. Incident response is focused on determining a quick (i.e., near real time) reaction to an immediate threat or issue. For example, a house is on fire and the firemen that show up to put that fire out are involved in incident response. Forensic analysis is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator might examine the remains of that house fire to determine the total damage to the house, the cause of the fire, and whether the root cause was such that other houses are also at risk. In other words, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and thorough remediation of a breach.

A second major distinction between the disciplines is the data resources required to achieve the goals. Incident response teams typically only require short-term data sources, often no more than a month or so, while forensic analysis teams typically require much longer lived logs and files. Keep in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important distinctions in job requirements. Both types of research require strong log analysis and malware analysis capabilities. Incident response requires the ability to quickly isolate an infected device and to develop means to remediate or quarantine the device. Interactions tend to be with other security and operations team members. Forensic analysis typically requires interactions with a much broader set of departments, including operations, legal, HR, and compliance.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to eliminate a threat on one machine in near real time is a major determinant in keeping breaches isolated and limited in impact. Incident response, and proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response’s less glamorous relative. However, the benefits of this work are undeniable. A thorough forensic investigation allows the remediation of all threats with the careful analysis of an entire attack chain of events. And that is no laughing matter.
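
An added example, not part of the original answer: how a certificate can be obtained for a public key while the private key never leaves the holder, which is the idea behind a certificate signing request. It uses toy textbook RSA built from constructed keys; all function names and the subject `www.example.test` are assumptions made for illustration.

```python
import hashlib

# Constructed toy keys built from Mersenne primes so the example runs offline.
# Real keys use large random primes and a padded scheme (e.g. RSA-PSS) from a
# vetted library; textbook RSA like this is for illustration only.
def keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    # Knowing p and q is enough to derive d from e, so they stay secret too.
    return (n, e), pow(e, -1, phi)  # public key (n, e), private exponent d

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, d):
    return pow(digest(data, pub[0]), d, pub[0])

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def request_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def make_request(subject, pub, d):
    # Holder side: only the name, the public key and a signature are sent.
    return {"subject": subject, "pub": pub,
            "sig": sign(request_body(subject, pub), pub, d)}

def issue(req, ca_pub, ca_d):
    # CA side: proof of possession is checked with the public key in the request.
    body = request_body(req["subject"], req["pub"])
    if not verify(body, req["sig"], req["pub"]):
        raise ValueError("request was not signed by the matching private key")
    return {"body": body, "ca_sig": sign(body, ca_pub, ca_d)}

def relying_party_accepts(cert, ca_pub):
    # Anyone holding the CA public key can check the certificate.
    return verify(cert["body"], cert["ca_sig"], ca_pub)

if __name__ == "__main__":
    holder_pub, holder_d = keypair(2**61 - 1, 2**89 - 1)
    ca_pub, ca_d = keypair(2**107 - 1, 2**127 - 1)
    req = make_request("www.example.test", holder_pub, holder_d)
    cert = issue(req, ca_pub, ca_d)
    print("certificate accepted:", relying_party_accepts(cert, ca_pub))
```

The CA rejects a request whose subject or key was altered after signing, because the signature no longer verifies against the public key inside the request.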
