Public Key Infrastructure

Public Key Infrastructure (PKI) is a system used to manage digital certificates and public-private key pairs. It provides a secure way to exchange information over the internet by enabling encryption, digital signatures, and secure communication. PKI ensures the authenticity, integrity, and confidentiality of data, making it a fundamental component of secure communication and e-commerce.

Written by Perlego with AI-assistance

6 Key excerpts on "Public Key Infrastructure"

Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.
  • Internet Security
    A Jumpstart for Systems Administrators and IT Managers
    • Tim Speed, Juanita Ellis (Authors)
    • 2003 (Publication Date)
    • Digital Press (Publisher)

    ...Interestingly enough, implementing a PKI for the general public is somewhat difficult. You will see why a bit later.

    7.1.2 Business to business

    This environment is where PKI can really shine. You will see that by using some type of PKI, you can determine whom you are doing business with and use that information to track and verify transactions. PKI can be very useful in the high-volume transaction and mobile world of Internet commerce. It provides risk management control for business systems.

    7.1.3 Employees to business

    This environment is another example of how PKI can help an organization. PKI can provide a secure mechanism to transfer mail not only inside the organization but also outside the organization. Also, there are the benefits of being able to have a secure transaction and access based on a certificate. You could even set up a central certificate database (LDAP) and authenticate using it as your authoritative source.

    7.1.4 PKI components

    With all that said, let’s review: PKI is the use of public key cryptography via some type of network (for our discussion—the Internet). In most cases, a standard public-private key system will be used. This PKI will include several components.

    Certificate authority (CA)

    The CA issues, verifies, renews, and revokes digital certificates. A certificate includes the public key or information about the public key and may even offer a directory to store the public key.

    The management system

    There are many different implementations of PKI in the marketplace. Many of these systems are shipped with a web server or are offered as a stand-alone program...

  • Surviving Security
    How to Integrate People, Process, and Technology

    ...Although compatibility issues are decreasing, many still cause quite a few headaches when administrators attempt to implement a PKI.

    Trust

    Besides proving identity, a PKI is seen as the technology that provides trust on the Internet. Building trust in the confidentiality of Internet transactions is one of the most important and yet most challenging issues in business. Multimillion-dollar business-to-business (B2B) transactions and highly sensitive company documents are traveling across the Internet, a public network. The sensitivity of these communications makes ensuring the authenticity, integrity, and confidentiality of the transactions extremely important. Ensuring the interoperability of multivendor PKI environments is the key to building trust in online business transactions.

    As we mentioned earlier, the primary component of a PKI service is the CA. The CA can be seen as the trusted third party in a PKI. It is responsible for creating, distributing, and revoking digital certificates. A certificate binds a public-key value to a person, computer, or entity via a process called certification. CAs are organized in a hierarchy in which each parent CA signs a certificate vouching for a subordinate CA’s public key. The verification process starts with a user’s certificate and proceeds upward via the certificate path until a higher-level CA can verify a certificate.

    The difficult part comes when companies want to communicate with one another via the use of PKI for authentication and trust. PKI interoperability has been a problem for quite some time. When PKI products were first developed, vendors used proprietary protocols, making interoperability almost impossible. The development of the PKIX (public-key infrastructure and X.509) standards and X.509 certificate standards has greatly increased interoperability...

  • IT Governance
    An International Guide to Data Security and ISO 27001/ISO 27002
    • Alan Calder, Steve Watkins (Authors)
    • 2019 (Publication Date)
    • Kogan Page (Publisher)

    ...The keys used are either 40-bit, 128-bit or 256-bit.

    Public Key Infrastructure

    Vendors of public key technology have been working to create an industry-standard implementation that standardizes certificate types as well as the principles used for recognizing and managing a CA, the trusted party that issues certificates to identified and known third parties. Critical issues in the development of Public Key Infrastructure (PKI) include directory services for locating certificates for particular individuals, and means of effectively communicating revocation of certificates, particularly when an organization ceases to trade and its certificate and technology are acquired by a less scrupulous operator than the one that originally obtained the certificate. X.509 is the current standard for PKI; it defines standard formats for certificates and a certificate validation algorithm.

    The organization should, again, use a risk assessment to determine whether or not encryption is a key component of its ISMS. The two main areas for which encryption should be considered are the protection of sensitive information on notebook computers and the protection of information being sent across public networks. Only the most sensitive of information (depending on its classification) travelling on public networks should need to be encrypted, and such a policy should be adopted only if all components of it can be fully implemented. Dangers include employees losing keys (which would render useless, and potentially irretrievable, anything encrypted with them). If the outcome of the risk assessment is that encryption is an appropriate protection, then specialist advice should be sought in selecting an appropriate technology and in considering any legal implications that there might be in using encryption, or cryptographic technology. Most large, specialist security organizations could provide specialist advice on cryptography...

  • Human Dimensions of Cybersecurity
    • Terry Bossomaier, Steven D'Alessandro, Roger Bradbury (Authors)
    • 2019 (Publication Date)

    ...It is issued to Cloudflare by Baltimore Root. It provides two different fingerprints, using SHA-1 and SHA-256.

    7.12.1 Public Key Infrastructure (PKI)

    Managing the huge number of certificate checks which would be needed every second on the web makes a well-designed system essential. Such a system forms the Public Key Infrastructure (PKI). The design enables it to operate with a minimum of web traffic. In brief, it comprises:
    • The Certificate Authorities (CAs), which provide the root certificates. Any certificate signed by a CA can be trusted. There are multiple roots, scattered around the world.
    • Even with multiple roots, there is still a potential bottleneck. Thus there are intermediate certificates, forming a chain, each signed by the next one above in the chain, until finally the root is reached.
    • Even with chains, there would still be a lot of traffic. This is reduced by a website providing not just its certificate, but all the additional ones in the chain above it, to avoid the client browser having to prod each site in the chain. Finally, at the end of the chain, the browser gets to the CA and the root.
    • To avoid further traffic, browsers are usually equipped with a root store, which contains a wide range of root certificates preloaded.

    [Figure 7.7: MIME types and subtypes. There are seven types and numerous sub-types. Only a sample is presented here.]

    The root store is crucially important and should be modified only with great care. There are legitimate reasons to do so. For example, a large organization might create its own root certificate, which was the ultimate signatory for all its internal certificates. However, other software may have malicious intent, and we study some notorious examples in Section 2.9.

    7.13 Email

    Email originated before the internet and has since proved extremely popular and useful, even if, at times, a bit overwhelming...

  • Information-Driven Business
    How to Manage Data and Information for Maximum Advantage
    • Robert Hillard (Author)
    • 2010 (Publication Date)
    • Wiley (Publisher)

    ...Information management practitioners can, therefore, usually assume their existence and make use of PKI to manage the security of content.

    APPLYING PKI

    Digital certificates support signatures and encryption. They can be embedded in office documents such as word-processor files, spreadsheets, presentations, and e-mails. The certificate validates that the author identified is legitimate (authenticity) and that the document has not been modified by anyone other than the author (integrity). Increasingly, attaching your certificate to a document is seen as a legal signature by regulatory authorities and courts (nonrepudiation). Digital certificates provide a protection against malicious misinformation being inserted into the enterprise, but they also help to make individuals accountable for all information that they are responsible for publishing.

    Given the importance of cross-referencing information contained within documents to manage the quality of information (see Chapter 13), it is equally important to provide evidence that each reference is genuine. This becomes increasingly important when trusted references cross organizational boundaries; all e-mail should include the certificate of the sender. E-mail, in particular, is a critical business tool that is vulnerable to spoofing where the from address is fraudulent. Many nontechnical users of e-mail are not aware how easy it is to send an e-mail that claims to come from someone else. Even e-mail distributed inside the walls of the enterprise and appearing to come from a company e-mail address could be sent from outside the firewall...

  • Industrial Ethernet, Third Edition

    ...9.0 Basic Precautions for Network Security

    Disclaimer

    The topic of information security is complex and expansive enough to warrant an entire book, let alone a small chapter. A quick search on “network security” at www.amazon.com turned up 37,534 books. That’s more than a good weekend of reading for anyone. The scope of this chapter is purposely constrained to fit within the pages allocated. It focuses solely on an overview of industrial security, something akin to learning to fly an airplane by looking through the window in the departure lounge.

    All disciplines have a language of their own. Network security is no exception. To discuss network security—the threats, attack profiles, and security features to counter those threats—it is helpful to understand some basic terms:
    • Public Key – A series of bytes which form a key that the owner makes available to anyone who requests it.
    • Private Key – A series of bytes which form a key that is kept private by the owner and never released to anyone else.
    • Digital Certificates – A sequence of data bytes that functions like a driver’s license. The digital certificate verifies that you are who you say you are. There are many components to a digital certificate, including the name of the algorithm and the organization that created it, the owner’s public key, and the dates it is valid. X.509 (also X 509 certificates) refers to the most popular certificate standard. You will also encounter the term Distinguished Encoding Rules (DER) certificates, which refers to the method for encoding certificates as a binary series of bytes.
    • Certification Authority (CA) – An organization that creates and distributes digital certificates. The CA creates the public and private keys that are associated with the certificate owner. The CA often encrypts a portion of the certificate with its private key (i.e., signs it) to assure everyone that the CA did create the certificate...