Public Key Infrastructure

Public Key Infrastructure (PKI) is a system used to manage digital certificates and public-private key pairs. It provides a secure way to exchange information over the internet by enabling encryption, digital signatures, and secure communication. PKI ensures the authenticity, integrity, and confidentiality of data, making it a fundamental component of secure communication and e-commerce.

Written by Perlego with AI-assistance

6 Key excerpts on "Public Key Infrastructure"

Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.
  • Internet Security
    A Jumpstart for Systems Administrators and IT Managers

    • Tim Speed, Juanita Ellis (Authors)
    • 2003 (Publication Date)
    • Digital Press (Publisher)
    There are a lot of reasons for a customer to use the Internet. Do you have to authenticate with each of these reasons? No, you only need to authenticate in those areas where you need to identify the user. Interestingly enough, implementing a PKI for the general public is somewhat difficult. You will see why a bit later.

    7.1.2 Business to business

    This environment is where PKI can really shine. You will see that by using some type of PKI, you can determine whom you are doing business with and use that information to track and verify transactions. PKI can be very useful in the high-volume transaction and mobile world of Internet commerce. It provides risk management control for business systems.

    7.1.3 Employees to business

    This environment is another example of how PKI can help an organization. PKI can provide a secure mechanism to transfer mail not only inside the organization but also outside the organization. Also, there are the benefits of being able to have a secure transaction and access based on a certificate. You could even set up a central certificate database (LDAP) and authenticate using it as your authoritative source.

    7.1.4 PKI components

    With all that said, let’s review: PKI is the use of public key cryptography via some type of network (for our discussion—the Internet). In most cases, a standard public-private key system will be used. This PKI will include several components.

    Certificate authority (CA)

    The CA issues, verifies, renews, and revokes digital certificates. A certificate includes the public key or information about the public key and may even offer a directory to store the public key.

    The management system

    There are many different implementations of PKI in the marketplace. Many of these systems are shipped with a web server or are offered as a stand-alone program. The keys are typically created simultaneously using the same algorithm by a certificate authority.
  • Surviving Security
    How to Integrate People, Process, and Technology

    Overall, a full-blown PKI is usually the best choice if you are planning to roll out a company-wide system to provide strong authentication and e-mail security. A managed PKI is very complex and requires integration and compatibility with whatever applications you want to use. For example, if you want to provide PKI functionality in an in-house developed application, you will need to implement new functionality that might require redesigning the entire application. For commercial packages, if the vendor does not provide support for PKI, you might be out of luck. Or you might find a vendor with a product that supports PKI, but only a PKI from a few specific vendors, and those vendors might not provide the functionality you need in your environment. Although compatibility issues are decreasing, many still cause quite a few headaches when administrators attempt to implement a PKI.
    Trust
    Besides proving identity, a PKI is seen as the technology that provides trust on the Internet. Building trust in the confidentiality of Internet transactions is one of the most important and yet most challenging issues in business. Multimillion-dollar business-to-business (B2B) transactions and highly sensitive company documents are traveling across the Internet, a public network. The sensitivity of these communications makes ensuring the authenticity, integrity, and confidentiality of the transactions extremely important. Ensuring the interoperability of multivendor PKI environments is the key to building trust in online business transactions.
    As we mentioned earlier, the primary component of a PKI service is the CA. The CA can be seen as the trusted third party in a PKI. It is responsible for creating, distributing, and revoking digital certificates. A certificate binds a public-key value to a person, computer, or entity via a process called certification. CAs are organized in a hierarchy in which each parent CA signs a certificate vouching for a subordinate CA’s public key. The verification process starts with a user’s certificate and proceeds upward via the certificate path until a higher-level CA can verify a certificate. The difficult part comes when companies want to communicate with one another via the use of PKI for authentication and trust.
    PKI interoperability has been a problem for quite some time. When PKI products were first developed, vendors used proprietary protocols, making interoperability almost impossible. The development of the PKIX (public-key infrastructure and X.509) standards and X.509 certificate standards has greatly increased interoperability. The obstacle that remains is establishing trust.
  • IT Governance
    An International Guide to Data Security and ISO 27001/ISO 27002

    • Alan Calder, Steve Watkins (Authors)
    • 2019 (Publication Date)
    • Kogan Page (Publisher)
    The digital certificate is proven to be authentic because it contains the CA’s distinguished name and decrypts correctly using the public key of the CA. The CA may be a secure server on the network (the single trust model) or an external organization recognized by many (the multi-party trust model). The keys used are either 40-bit, 128-bit or 256-bit.

    Public Key Infrastructure

    Vendors of public key technology have been working to create an industry-standard implementation that standardizes certificate types as well as the principles used for recognizing and managing a CA, the trusted party that issues certificates to identified and known third parties. Critical issues in the development of Public Key Infrastructure (PKI) include directory services for locating certificates for particular individuals, and means of effectively communicating revocation of certificates, particularly when an organization ceases to trade and its certificate and technology are acquired by a less scrupulous operator than the one that originally obtained the certificate. X.509 is the current standard for PKI; it defines standard formats for certificates and a certificate validation algorithm.
    The organization should, again, use a risk assessment to determine whether or not encryption is a key component of its ISMS. The two main areas for which encryption should be considered are the protection of sensitive information on notebook computers and the protection of information being sent across public networks. Only the most sensitive of information (depending on its classification) travelling on public networks should need to be encrypted, and such a policy should be adopted only if all components of it can be fully implemented. Dangers include employees losing keys (which would render useless, and potentially irretrievable, anything encrypted with them).
    If the outcome of the risk assessment is that encryption is an appropriate protection, then specialist advice should be sought in selecting an appropriate technology and in considering any legal implications that there might be in using encryption, or cryptographic technology. Most large, specialist security organizations could provide specialist advice on cryptography. This advice should reflect the latest situation in terms of government restrictions (in the United Kingdom, the Electronic Communications Act 2000) on the use of cryptographic technology and the countries in which it can and cannot be used.
  • Human Dimensions of Cybersecurity
    • Terry Bossomaier, Steven D'Alessandro, Roger Bradbury (Authors)
    • 2019 (Publication Date)
    Figure 7.6: Example certificate from a Firefox root store. It is issued to Cloudflare by Baltimore Root. It provides two different fingerprints, using SHA-1 and SHA-256.

    7.12.1   Public Key Infrastructure (PKI)

    Managing the huge number of certificate checks which would be needed every second on the web makes a well-designed system essential. Such a system forms the Public Key Infrastructure (PKI). The design enables it to operate with a minimum of web traffic. In brief, it comprises
    • The Certificate Authorities (CAs), which provide the root certificates. Any certificate signed by a CA can be trusted. There are multiple roots, scattered around the world.
    • Even with multiple roots, there is still a potential bottleneck. Thus there are intermediate certificates, forming a chain, each signed by the next one above in the chain, until finally the root is reached.
    • Even with chains, there would still be a lot of traffic. This is reduced by a website providing not just its certificate, but all the additional ones in the chain above it, to avoid the client browser having to prod each site in the chain.
    • Finally, at the end of the chain, the browser gets to the CA and the root. To avoid further traffic, browsers are usually equipped with a root store, which contains a wide range of root certificates preloaded.
    Figure 7.7: MIME types and subtypes. There are seven types and numerous sub-types. Only a sample is presented here.
    The root store is crucially important and should be modified only with great care. There are legitimate reasons to do so. For example, a large organization might create its own root certificate, which was the ultimate signatory for all its internal certificates. However, other software may have malicious intent, and we study some notorious examples in Section 2.9.

    7.13   Email

    Email originated before the internet and has since proved extremely popular and useful, even if, at times, a bit overwhelming. The sheer volume of email we often receive these days makes it easy for us to make mistakes through frustration or tiredness (Section 4.6.3
  • Information-Driven Business
    How to Manage Data and Information for Maximum Advantage

    • Robert Hillard (Author)
    • 2010 (Publication Date)
    • Wiley (Publisher)
    Information management practitioners can, therefore, usually assume their existence and make use of PKI to manage the security of content.

    APPLYING PKI

    Digital certificates support signatures and encryption. They can be imbedded in office documents such as word-processor files, spreadsheets, presentations, and e-mails. The certificate validates that the author identified is legitimate (authenticity) and that the document has not been modified by anyone other than the author (integrity). Increasingly, attaching your certificate to a document is seen as a legal signature by regulatory authorities and courts (nonrepudiation). Digital certificates provide a protection against malicious misinformation being inserted into the enterprise, but they also help to make individuals accountable for all information that they are responsible for publishing.

    Given the importance of cross-referencing information contained within documents to manage the quality of information (see Chapter 13), it is equally important to provide evidence that each reference is genuine. This becomes increasingly important when trusted references cross organizational boundaries; all e-mail should include the certificate of the sender. E-mail, in particular, is a critical business tool that is vulnerable to spoofing where the from address is fraudulent. Many nontechnical users of e-mail are not aware how easy it is to send an e-mail that claims to come from someone else. Even e-mail distributed inside the walls of the enterprise and appearing to come from a company e-mail address could be sent from outside the firewall
  • Industrial Ethernet, Third Edition
    9.0 Basic Precautions for Network Security

    Disclaimer

    The topic of information security is complex and expansive enough to warrant an entire book, let alone a small chapter. A quick search on “network security” at www.amazon.com turned up 37,534 books. That’s more than a good weekend of reading for anyone. The scope of this chapter is purposely constrained to fit within the pages allocated. It focuses solely on an overview of industrial security, something akin to learning to fly an airplane by looking through the window in the departure lounge.

    All disciplines have a language of their own. Network security is no exception. To discuss network security (the threats, attack profiles, and security features to counter those threats) it is helpful to understand some basic terms:
    • Public Key – A series of bytes which form a key that the owner makes available to anyone who requests it.
    • Private Key – A series of bytes which form a key that is kept private by the owner and never released to anyone else.
    • Digital Certificates – A sequence of data bytes that functions like a driver’s license. The digital certificate verifies that you are who you say you are. There are many components to a digital certificate, including the name of the algorithm and the organization that created it, the owner’s public key, and the dates it is valid. X.509 (also X 509 certificates) refers to the most popular certificate standard. You will also encounter the term Distinguished Encoding Rules (DER) certificates, which refers to the method for encoding certificates as a binary series of bytes.
    • Certification Authority (CA) – An organization that creates and distributes digital certificates. The CA creates the public and private keys that are associated with the certificate owner. The CA often encrypts a portion of the certificate with its private key (i.e., signs it) to assure everyone that the CA did create the certificate