The practical, results-focused PKI primer for every security developer and IT manager.
Public Key Infrastructure (PKI) and related standards give you powerful new ways to solve your toughest e-commerce and Internet security problems. Now there's a comprehensive PKI primer for both technical and nontechnical professionals. IBM security expert Messaoud Benantar delivers the in-depth guidance developers and managers need to make PKI work, including coverage of important related topics such as ASN.1 and PKCS. From start to finish, Benantar focuses on getting resultsand on answering your most critical questions about PKI deployment, operation, and administration. Coverage includes:
Benantar's detailed real-world scenarios give developers, administrators, and decision-makers unprecedented insight for deploying effective PKI/PKIX systems. If you plan to use these breakthrough Internet security technologies, there's no better resource.
1. Secret Key Cryptography.
Introduction. Background. Basic XOR. About the Key Space. Common Secret Key Algorithms. Security Services of Secret Key Encryption. Secret Key Cryptography and Nonrepudiation. Origin Authenticity. Data Integrity.
Introduction. Sharing Secret Keys: Topology Effect.Central Secret Key Management. The Needham-Schroeder Scheme. A Note about Secret Key Distribution.
Foundations of Public Key Cryptography. The Fate of Secret Key Cryptography. Public Key Cryptography Services. Trusting a Public Key.
Introduction. Background. PKIX Certificates and Certificate Revocation Lists. Elements of PKIX. ASN.1: The PKIX Definition Language. The PKIX Information Mode.
Introduction. X.509 v3 Certificate Extensions. About the X.509 Certificate Extensions. X.509 v2 CRL Extensions. Reason Code. Invalidity Date. Certificate Issuer. Hold Instruction Code.
Introduction. Hierarchical Trust. Cross-Certification. Hybrid Model. Web Trust Model. Certificate Validation. Validation Input. Validation Procedure.
Introduction. The Infrastructure Topology. Overview of the PKI Management Operations. Certificate Management Protocol (CMP).
Introduction. FTP. HTTP. Electronic Mail. DNS. LDAP.
Introduction. PKCS #8. PKCS #12. PKCS #11. PKCS #15.
Introduction. PKCS #7. Content Parameterization. Encrypted Data. Enveloped Data. Signed and Enveloped Data. Digested Data. PKCS #7 Security Services. CMS. CMC. Further Protections of CMS Messages. S/MIME v3. SSL/TLS.
Modern secret key cryptography draws strength from the secrecy of keys. This characteristic is not arrived at by choice, rather it is an imposed one. Consider the case of shedding secrecy around a particular cryptographic algorithm. First, the algorithm becomes unavailable for public scrutiny. In the absence of technical scrutiny, the algorithm may hide its weaknesses and thus serves the undesirable principle of security by obscurity. Further yet, such a hiding of the strength or the weakness in a cryptographic algorithm cannot go on for an indefinite period of time. Sooner or later someone will arrive at reverse-engineering the processing logic embedded in a software or a hardware cryptographic module. The outcome will indeed signal the end of that particular algorithm.
Secret keys require distribution to communicating partners and the more often a secret key is distributed the more likely it is to become compromised. Distribution of long-term secret keys goes against the core premise of secret key cryptography, otherwise known as symmetric key cryptography. Transport of secret keys requires the establishment of secure channels. Human transport can be a solution but is certainly one that does not lend itself to large scale distributions. Online distributions require highly secure cryptographic channels, and thus the bootstrapping nature of the secret key distribution problem arises.
In order to alleviate the extent of the secret key distribution problem, the concept of central key distribution (KDC) entity emerged as a somewhat of a natural progression. This entity represents the sole agent that is trusted by every other entity. It plays the role of both the keeper of secret long-term keys and the distributor of short-term session keys intended for use between two communicating entities. This latter role is dubbed as the introduction of entities to one another and is accomplished using cryptographic channels established between each respective entity and the third party agent based upon a shared long term secret key. Albeit this approach has evolved into the most elegant third party key distribution center, it lacks the flexibility of today's Internet ubiquitous computing paradigm.
Now we're back to the future, to exploiting the concept of public key cryptography that had emerged long before concepts such as the KDC existed. In the basic yet far-reaching concept of public key cryptography, encryption keys come in related pairs, private and public. The private key remains concealed by the key owner, while the public key is freely disseminated. The premise is that it is computationally infeasible to compute the private key by knowing the public key. Data encrypted by the public key can only be decrypted by the private key. With such an appealing characteristic, public key cryptography finally seemed to hold the promise of solving the secret key distribution problem. It certainly did so with the elegant key exchange scheme such as Diffie-Hellman's. Public key Public key cryptography, however, is intended to achieve not only key exchange protocols but to render various security services such as digital signatures, non-repudiation and data enciphering using the well known public key algorithms such as RSA.
The premise of freely disseminating a public key comes with a cost; that of trust. Security services that are based on public key cryptography rely on the single foundation of trusting that a particular public key material is indeed bound to its legitimate user. A promising solution for public key trust-establishment lies in the digital certification provided by X.509 which is adopted as an Internet standard. This book is intended to be a single source covering the major aspects of the Internet public key certification.