Public Key Infrastructure
Public Key Infrastructure (PKI) is a system used to manage digital certificates and public-private key pairs. It provides a secure way to exchange information over the internet by enabling encryption, digital signatures, and secure communication. PKI ensures the authenticity, integrity, and confidentiality of data, making it a fundamental component of secure communication and e-commerce.
Written by Perlego with AI-assistance
11 Key excerpts on "Public Key Infrastructure"
- eBook - ePub
Network Perimeter Security
Building Defense In-Depth
- Cliff Riggs(Author)
- 2003(Publication Date)
- Auerbach Publications(Publisher)
Chapter 7
The Public Key Infrastructure
The purpose of this section is to describe the need for the Public Key Infrastructure (PKI) and then walk the reader through the process of creating a PKI that meets their specific needs. The PKI is a term that is constantly bandied about as being something that is “essential” and “necessary” to the long-term growth of the Internet and electronic information processing. Many people, however, would be hard-pressed to walk into a network and say, “this is part of the Public Key Infrastructure” while pointing at a piece of hardware on a rack of equipment. The reason for that is twofold. First, although the need for a PKI is often discussed, the definition of the PKI is difficult to nail down. The second reason is related to the first; a PKI is not a device, or even a single technology. The PKI is just as its name implies, an infrastructure. It is the combination of a number of technologies that enables us to effectively utilize public key technologies. While the math may be somewhat obscure to the non-mathematicians among us, the actual process of encrypting data using public key and secret key algorithms is quite straightforward. The chances are very good that you, in your normal Internet activities, have used encryption without ever even realizing it. The problem is not the actual encryption of data in a secure manner. Rather, the problem is knowing to whom you are encrypting the data. In our day-to-day lives, you know that you are speaking with your mother because the identity of your mother has been imprinted upon you for quite some time. You know her by sight and you know the sound of her voice. On the Internet we do not have the benefit of feedback from our own direct experience to identify someone, even if it is our mother. What we need is an electronic way of identifying a remote party—even if we have never met them prior to our first encounter. The way we do this is through certificates
- Chris Peiris, Chris Ruston(Authors)
- 2005(Publication Date)
- Syngress(Publisher)
Designing a Secure Public Key Infrastructure
Introduction
One of the major challenges in our interconnected world is this: how can you verify the identity of people you’ve never seen before so that you can do business with them, and how can you transmit confidential information over a public network like the Internet? While there are any number of solutions to both of these problems, one that has become widely used due to its relatively low cost and ease of deployment is the Public Key Infrastructure, or PKI. You’ll see PKIs implemented for any number of reasons, but the most common application is for e-commerce transactions. PKI provides a way for a seller to verify the identity of a buyer, and for customers to be sure that the company they’re transmitting their credit card information to is really who they think it is. To accomplish this, you have a number of certificate authorities, or CAs, who act as impartial third parties to establish and verify the identities of organizations doing business on the Internet. You see, the entire PKI system is dependent on the concept of trust. The e-commerce vendor trusts a third-party CA (such as VeriSign) to issue a PKI certificate for its use. The consumer, in turn, trusts that the certificate issued by VeriSign is genuine; that is, that VeriSign has done some form of due diligence to verify that they are issuing a certificate to a legitimate company. Because consumers trust VeriSign and the PKI certificate issued to the e-commerce vendor by VeriSign, they then feel comfortable doing business with this e-commerce vendor. PKI can also have a number of uses within a corporate enterprise. The Windows Server 2003 implementation of PKI, Certificate Services, allows for the use of IP Security (IPSec) to secure TCP/IP transmissions across a network, Secure Sockets Layer (SSL) communication on a Web server, and the Encrypted File System (EFS) to secure files and folders stored on file shares.
- eBook - PDF
- Ido Dubrawsky(Author)
- 2011(Publication Date)
- Syngress(Publisher)
Public keys are generally transported and stored in a document known as a “certificate.” To vouch for that identity, certificates are signed either by the certificate owner (a self-signed certificate), or by another party who is already trusted. PKI has become such an integrated part of Internet communications that most users are unaware that they use it every time they access the Web. PKI is not limited to the Web; applications such as Pretty Good Privacy (PGP) also use a form of PKI for e-mail protection; FTP over SSL/TLS uses PKI, and most other protocols have the ability to manage identities through the management and exchange of keys and certificates. So, what exactly is PKI and how does it work? Public Key Infrastructure, or PKI, is a term for any system that associates public keys with identified users or systems, and validates that association.
NOTE: For details on symmetric and asymmetric algorithms, please refer to Chapter 9.
There are several different kinds of PKI. The most widely used is based on a hierarchical model of trust, but there are several different trust models that can be used to form a PKI.
Trust Models
Before looking at trust models, let’s look at the word “trust” itself. The idea behind “trust” is that one party will automatically rely on another party to take an action or provide information on their behalf. Assuming that the trusted party (Tim) is relied on, or trusted, by the relying party (Amanda), a one-way trust relationship is formed. Likewise, if Amanda is relied on by Tim, a two-way trust relationship is formed. In a marriage, a husband and wife rely on each other to act on their behalf. They have formed a two-way trust relationship (see Figure 10.1).
- eBook - PDF
Enterprise Security
IT Security Solutions -- Concepts, Practical Experiences, Technologies
- Walter Fumy, Jörg Sauerbrey(Authors)
- 2013(Publication Date)
- Publicis(Publisher)
All of these components and processes have to be integrated into the existing environment. Another important aspect is the training and familiarization of all persons involved, the PKI users as well as the personnel operating and maintaining the PKI. In particular, providing information for users about the benefits of the PKI is a pre-requisite for acceptance and success of the PKI.
12.7 Conclusion
A Public Key Infrastructure aims to be a pervasive security infrastructure for public key-enabled applications and services and is vital for using public key cryptography in large or dynamic systems. Therefore, PKIs allow us to build scalable solutions for secure communications. In addition, this infrastructure itself is implemented and delivered using public key concepts and techniques. Numerous standards exist, which allow interoperable solutions to be realized for enterprises or within the public or government sector. Moreover, there are a couple of leading manufacturers offering very experienced software for PKIs. There are also leading manufacturers offering PKI-enabled applications. However, the integration of PKI services in these applications lags somewhat behind the opportunities offered by the PKI products. In addition, a PKI is a complex system that is also highly dependent on its environment (organizational and technical), and one which in turn significantly influences its environment. A high level of experience, technical expertise and an overview of the product landscape is therefore an absolute necessity for making the right decisions in the PKI environment, in order to fully harness future opportunities in the fields of e-business, e-government and e-commerce.
13 Smart Card Technologies
Detlef Houdeau
Smart cards have been with us for over 20 years now. Since the 1970s, the history of smart cards has reflected steady advancements in chip capabilities and capacity, as well as a significant rise in the variety and number of applications.
- Burton Rosenberg(Author)
- 2010(Publication Date)
- Chapman and Hall/CRC(Publisher)
Chapter 16 Public Key Infrastructure
Carl Ellison
16.1 Introduction
The term Public Key Infrastructure (PKI) refers to public key certificates and to the protocols, ceremonies, computers (both client and server), databases, and devices involved in their management and use. PKI is viewed differently by the legal, business, and security communities. Each of the three communities has contributed defining concepts to the term, PKI, but there are times when a concept out of one community contradicts a related concept out of another community. As a result, the mixing of concepts from these different communities might produce confusion for the reader. There are some who see a digital signature as a component of contract law and who have lobbied for, drafted, and passed digital signature laws to govern their use for that purpose. One legal theory associated with some digital signature laws is the presumption of non-repudiation. This chapter does not attempt to address the many facets of digital signature law, but does briefly discuss the security reality behind the concept of non-repudiation (Section 16.6.5). There are businesses created to issue certificates, referred to as a commercial Certificate Authority (CA). As businesses, they issue certificates wherever the market demands or where a market can be created. The primary success to date has been in issuing SSL server certificates, since that use of PKI has been built into browsers since Netscape invented SSL and was the predominant browser vendor. This chapter does not describe how one could set up a commercially viable CA. This chapter is written from the point of view of the security community. To the security community, there is one requirement for a PKI: to enable the making of security decisions that are as difficult to attack as possible and that represent the intent of the system’s security policy as closely as possible.
- Lisa Bock(Author)
- 2021(Publication Date)
- Packt Publishing(Publisher)
Chapter 8: Using a Public Key Infrastructure
Malicious actors constantly launch assaults on a network, such as malware, spoofing, and Denial of Service (DoS) attacks. As a result, during a data transaction on a network, it's important to have the confidence that you are communicating with an authorized entity. A Public Key Infrastructure (PKI) enables the secure exchange of data between two parties. In this chapter, we'll learn how a PKI is the cornerstone for most digital transactions that require encryption. We'll outline how a PKI provides the trust required when exchanging data, and how components (such as algorithms) and a certificate authority (CA) work together. Next, we'll see how a PKI manages, securely stores, and distributes session keys, along with outlining the difference between a trusted root certificate and a self-signed certificate. So that you understand the many moving parts of a transaction, we'll examine the heart of a PKI: the elements within an X.509 certificate. Finally, we'll see the different methods used to provide validation, along with some of the ways in which we use a digital certificate. In this chapter, we're going to cover the following main topics:
- Describing a PKI framework
- Managing public keys
- Examining a certificate
Describing a PKI framework
If you see a lock by the web address when making a transaction on the internet, as shown in the following screenshot, you can be confident the site is secure:
Figure 8.1 – The Packt Publishing website showing a lock to indicate a secure site
The lock represents trust, which means that when exchanging data with the website, your data is secure. A PKI verifies the identities of both parties so that they can encrypt and securely exchange information.
- eBook - PDF
- Ido Dubrawsky, Jeremy Faircloth(Authors)
- 2007(Publication Date)
- Syngress(Publisher)
Never give your private key to anyone; it is yours alone, and when used to identify you, can only identify you if you are the only person who has ever held that key. Through the use of these keys, messages can be encrypted and decrypted to transfer messages in confidence. Messages can also be signed, to prove that they are unaltered from the version that you sent. Public keys are generally transported and stored in a document known as a “certificate.” To vouch for that identity, certificates are signed either by the certificate owner (a self-signed certificate), or by another party who is already trusted. PKI has become such an integrated part of Internet communications that most users are unaware that they use it every time they access the Web. PKI is not limited to the Web; applications such as Pretty Good Privacy (PGP) also use a form of PKI for e-mail protection; FTP over SSL/TLS uses PKI, and most other protocols have the ability to manage identities through the management and exchange of keys and certificates. So, what exactly is PKI and how does it work? Public Key Infrastructure, or PKI, is a term for any system that associates public keys with identified users or systems, and validates that association.
NOTE: For details on symmetric and asymmetric algorithms, please refer to Chapter 9.
There are several different kinds of PKI. The most widely used is based on a hierarchical model of trust, but there are several different trust models that can be used to form a PKI.
Trust Models
Before looking at trust models, let’s look at the word “trust” itself. The idea behind “trust” is that one party will automatically rely on another party to take an action or provide information on their behalf. Assuming that the trusted party (Tim) is relied on, or trusted, by the relying party (Amanda), a one-way trust relationship is formed.
- eBook - ePub
- Man Young Rhee(Author)
- 2013(Publication Date)
- Wiley(Publisher)
Chapter 7
Public-Key Infrastructure
This chapter presents the profiles related to public-key infrastructure (PKI) for the Internet. The PKI manages public keys automatically through the use of public-key certificates. It provides a basis for accommodating interoperation between PKI entities. A large-scale PKI issues, revokes, and manages digital signature public-key certificates to allow distant parties to reliably authenticate each other. A sound digital signature PKI should provide the basic foundation needed for issuing any kind of public-key certificate. The PKI provides a secure binding of public keys and users. The objective is how to design an infrastructure that allows users to establish certification paths which contain more than one key. Creation of certification paths, commonly called chains of trust, is established by Certification Authorities (CAs). A certification path is a sequence of CAs. CAs issue, revoke, and archive certificates. In the hierarchical model, trust is delegated by a CA when it certifies a subordinate CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. Trust is also established between any two CAs in peer relationships (cross-certification). The CAs will certify a PKI entity's identity (a unique name) and that identity's public key. A CA performs user authentication and is responsible for keeping the user's name and the associated public key. Hence, each CA must be a trusted entity, at least to the extent described in the Policy Certification Authority (PCA) policies. The CAs will need to certify public keys, create certificates, distribute certificates, and generate and distribute Certificate Revocation Lists (CRLs). The PCA is a special purpose CA which creates a policy-setting responsibility: that is, how the CA's and PCA's functions and responsibilities are defined and how they interact to determine the nature of the infrastructure.
Therefore, PKI tasks are centered on researching and developing these functions, responsibilities, and interactions.
- eBook - PDF
- Syngress(Author)
- 2001(Publication Date)
- Syngress(Publisher)
A receiver of a document will go up the chain until a trusted certificate authority is located. As a result, each subordinate certificate authority’s public key is identified by its issuing superior certificate authority.
Windows 2000 PKI Components
In order to protect your organization on the Internet, you must use cryptographic technologies to create a secure infrastructure. Microsoft has built a comprehensive PKI into the Windows 2000 operating system. The PKI is designed to take full advantage of the Windows 2000 security architecture, and through public key cryptography, digital certificates, and certificate authority, it provides a flexible, secure infrastructure that is easy to use. Any PKI is a defined set of operating system and application services that makes the use of public key cryptography a seamless process. The PKI does not in any way replace or override the domain trust and authorization process based on the domain controller and Kerberos Key Distribution Center, but in fact it enhances scalability. Because security is based on key use, a PKI must give the administrator the capability to create and issue new keys as well as the capability to revoke any existing key. The PKI must provide the client with a way to locate and retrieve a needed public key without any additional effort. When these two capabilities are in place, the application programmers can build even more secure applications. It is commonly thought that PKI is a single item, but the PKI is really a collection of various components that work together to allow public cryptography to occur and at the same time are transparent to clients. Operating systems provide numerous infrastructures, so PKI is implemented in the Windows 2000 operating system. Figure 9.6 shows the components of the Windows 2000 PKI. The client machine is the focal point for all other components. In this view, the components are identified but are not reflected on any physical piece of hardware.
- eBook - ePub
The Zero Trust Framework
Threat Hunting & Quantum Mechanics
- Ravindra Das(Author)
- 2023(Publication Date)
- CRC Press(Publisher)
In the world of PKI, there are two primary keys that are used, and they are called the public and the private key, and are also used to encrypt and decrypt the plaintext, which is sent between the sending and the receiving parties as they communicate with one another. In the most simplistic terms, a PKI can be likened to that of a safety box at a local bank. In this example, normally, there are two sets of keys, which are used. One key is the one which the bank gives to you. This can be referred to as the public key, because it is used over and over again by past renters of this particular safety deposit box, and for other, future renters as well. The second key is the private key, which the bank keeps in their possession at all times, and only the bank personnel know where it is kept. A PKI is just like this example, but of course, it is much more complex than this in practice. To start off with, typically, it is the receiving party which is primarily responsible for generating both the public and the private key. In this situation, let us refer to the public key as “pk”, and the private key as “sk”. So, to represent both of these keys together, it would be mathematically represented as (pk,sk). It is then the sending party which uses the public key (pk) to encrypt the message they wish to send to the receiving party, which then uses the private key (sk), which they have privately and personally formulated, to decrypt the encrypted ciphertext from the sending party. One of the primary goals of a PKI is to avoid the need for both the sending and the receiving parties from having to meet literally face to face in order to decide on how to protect (or encrypt) their communications with one another. So, at this point, the question that then arises is, how does the sending party know about the public key (pk) generated by the receiving party so that the two can communicate with each other?
The Public Key and the Private Key
There are two distinct ways in which this can be accomplished:
- The receiving party can deliberately and purposefully notify the sending party of the public key (pk) in a public channel, so that communications can be initiated;
- The sending party and the receiving party do not know anything about each other in advance. In this case, the receiving party makes their public key known on a global basis so that whoever wishes to communicate with the receiving party can do so, as a result.
- Klaus Schmeh(Author)
- 2006(Publication Date)
- Wiley(Publisher)
Most PKIs I know of were set up, to a considerable extent, because it would facilitate the encryption of e-mails. This subject will be examined in detail in Chapter 26.
(Margin notes: A PKI can also be a source of income. A PKI service can also be set up as an ancillary service. Combined models are also possible. E-mail encryption is a popular PKI application.)
2. Protection of WWW connections with SSL
In addition to encryption of e-mail, encryption and authentication between Web browser and Web server is one of the most important PKI applications. The SSL protocol, which is described in Chapter 24, was developed to facilitate the protection of Web connections. Since all the usual Web browsers and Web servers support SSL, the protection of WWW connections can normally be introduced relatively easily.
3. Virtual private network (VPN)
In addition to cryptographic protection of e-mails and WWW connections, the operation of a virtual private network (VPN) is one of the most important applications of PKI. It will be looked at in more detail in Sections 22.4 and 23.6.
4. File encryption
File encryption is seldom the reason for setting up a PKI, but in many cases constitutes an ancillary application.
(Margin note: There are different ways to integrate file encryption in an operating system.)
For manual file encryption, Alice starts the encryption process with a mouse click, or by calling up a command. For transparent file encryption, the encryption process is automatic if, for example, a file is saved in a specific directory.
5. SAP R/3 protection
The protection of SAP R/3 ports is another popular use of a PKI. Because sensitive data is processed in an R/3 system, it is obvious that PKI-based access protection is a must. More on this subject in Section 28.5.
6. Single Sign-on (SSO)
By Single Sign-on (SSO, also Secure Single Sign-on), we understand the concept of providing just one authentication for several applications (see Section 13.7.1).
Index pages curate the most relevant extracts from our library of academic textbooks. They’ve been created using an in-house natural language model (NLM), each adding context and meaning to key research topics.