Understanding Public-Key Infrastructure

Concepts, Standards, and Deployment Considerations

Carlisle Adams, Steve Lloyd

Publisher: MacMillan, 1999, 296 pages

ISBN: 1-57870-166-X

Keywords: Networks, IT Security

Last modified: June 7, 2021, 11:14 a.m.

Public Key Infrastructures (PKIs) are a crucial part of many aspects of security management and are quickly becoming the foundation for maintaining security for distributed applications. Understanding Public-Key Infrastructure provides network architects and implementers and MIS professionals with essential information for understanding and deploying enterprise PKIs. This authorative reference covers:

  • Core PKI and PKI-enabled services, inclduing authentication, integrity, confidentiality, digital time stamping, notarization, non-repudiation, and privilege management
  • Detailed information on the role of a single PKI as a foundation for securing multiple applications within an enterprise
  • Standards activities and interoperability initiatives that affect PKI technology
  • Deployment considerations, from product selection and deployment troubleshooting to the benefits of PKI and common business models

Because public key cryptography is the emerging standard for authentication in electronic commercial transactions, as well as for enterprise communications, Understanding Public-Key Infrastructure is a critical resource for PKI architects and for application developers who will rely on PKI for security. The information presented will help you:

  • Appreciate the importance of each phase in key/certificate life cycle management — from generation and publication to termination and key recovery
  • Understand the concepts and principles behind PKI with detailed information on all fundamental aspects of this technology
  • Evaluate tradeoffs based on PKI operational considerations such as on-line requirements, physical security, and disaster planning
  1. Concepts
    1. Introduction
    2. Public-Key Cryptography
      • Symmetric Versus Asymmetric Ciphers
        • Secret Key
        • New Directions: Public Key
      • Public/Private Key Pair
        • Relationship between Keys in a Pair
      • Services of Public–Key Cryptography
        • Security between Strangers
        • Encryption
        • Digital Signature
        • Data Integrity
        • Key Establishment
        • Other Services
      • Algorithms
        • RSA
        • DSA
        • ECDSA and ECDH
        • SHA.1
      • Summary
      • References
    3. The Concept of an Infrastructure
      • Pervasive Substrate
      • Application Enabler
        • Secure Sign-On
        • End-User Transparency
        • Comprehensive Security
      • Business Drivers
      • Public-Key Infrastructure Defined
        • Certification Authority
        • Certificate Repository
        • Certificate Revocation
        • Key Backup and Recovery
        • Automatic Key Update
        • Key History
        • Cross-Certification
        • Support for Non-repudiation
        • Time Stamping
        • Client Software
      • Summary
    4. Core PKI Services: Authentication, Integrity, and Confidentiality
      • Definitions
        • Authentication
        • Integrity
        • Confidentiality
      • Mechanisms
        • Authentication
        • Integrity
        • Confidentiality
      • Operational Considerations
        • Performance
        • On-Line Versus Off-Line Operation
        • Commonality of Underlying Algorithms
        • Entity Naming
      • Summary
      • References
    5. PKI-Enabled Services
      • Secure Communication
      • Secure Time Stamping
      • Notarization
      • Non-Repudiation
        • Connection with Other Services
        • Need for a Secure Data Archive
        • Complexity of this Service
        • The Human Factor
      • Privilege Management
        • Authentication and Authorization
        • Authorization Authorities
        • Delegation
        • Connection with the PKI
      • Mechanisms Required to Create PKI-Enabled Services
        • Digital Signatures, Hashes, MACs, and Ciphers
        • Trusted Time Sources
        • Privilege Policy Creation Mechanism
        • Privilege Policy Processing Engines
        • Privilege Management Infrastructure Mechanisms
      • Operational Considerations
        • Trusted Time Delivery Mechanism
        • Secure Protocols
        • Server Redundancy
        • Physically Secure Archive facilities
        • Real Life
      • "Comprehensive PKI" and Current Practice
      • Summary
      • References
    6. Certificates and Certification
      • Certificates
        • Certificate Structure and Semantics
        • Certificate Validation
        • Alternative Certificate Formats
      • Certificate Policies
        • Object Identifiers
        • Policy Authorities
      • Certification Authority
      • Registration Authority
      • Summary
      • References
    7. Key and Certificate Management
      • Key/Certificate Life Cycle Management
        • Initialization Phase
        • Issued Phase
        • Cancellation Phase
      • Summary
      • References
    8. Certificate Revocation
      • Periodic Publication Mechanisms
        • Certificate Revocation Lists (CRLs)
        • Complete CRLs
        • Authority Revocation Lists (ARLs)
        • CRL Distribution Points
        • Enhanced CRL Distribution Points and redirect CRLs
        • Delta CRLs
        • Indirect CRLs
        • Certificate Revocation Trees
        • On-Line Query Mechanisms
        • Online Certificate Status Protocol (OCSP)
        • The Future: On-Line Transaction Validation Protocols
      • Other Revocation Options
      • Performance, Scalability, and Timeliness
      • Summary
      • References
    9. Trust Models
      • Strict Hierarchy of Certification Authorities
      • Distributed Trust Architecture
        • Mesh Configuration
        • Hub-and-Spoke Configuration
      • Web Model
      • User-Centric Trust
      • Cross-Certification
      • Entity Naming
      • Certificate Path Processing
        • Path Construction
        • Path validation
        • Trust Anchor Considerations
      • Summary
      • References
    10. Multiple Certificates per Entity
      • Multiple Key Pairs
      • Key Pair Uses
      • Relationship between Key Pairs and Certificates
      • Real-World Difficulties
      • Independent Certificate Management
      • Support for Non-Repudiation
      • Summary
      • References
    11. PKI Information Dissemination: Repositories and Other Techniques
      • Private Dissemination
      • Publication and Repositories
        • Privacy Issues
        • Interdomain Repository Deployment Options
      • In-Band Protocol Exchange
      • Summary
      • References
    12. PKI Operational Considerations
      • Client-Side Software
      • Off-Line Operations
      • Physical Security
      • Hardware Components
      • User Key Compromise
      • Disaster Preparation and Recovery
        • relying Party Notification
        • Preparation
        • Recovery
        • Additional Observations
      • Summary
      • References
    13. Legal Framework
      • Legal Status of Digital Signatures
      • Legal Framework for PKIs
        • CA Licensing Requirements and Liability
        • Roles and Responsibilities
        • Private Enterprise PKIs
        • Other Contractual-Based Frameworks
      • What about Confidentiality?
      • Summary
      • References
    14. Conclusions and Further Reading
      • Conclusions
      • Further Reading
  2. Standards
    1. Introduction
    2. Major Standards Activities
      • X.509
      • PKIX
      • X.500
      • LDAP
      • ISO TC68
      • ANSI X9F
      • S/MIME
      • IPsec
      • TLS
      • SPKI
      • OpenPGP
      • EDIFACT
      • Other Activities
        • U.S. FPKI
        • MISPC
        • GOC PKI
        • SET
        • SEMPER
        • ECOM
      • Summary
      • References
    3. Standardization Status and Road Map
      • Current Standardization Status
        • X.509
        • PKIX
        • X.500
        • LDAP
        • S/MIME
        • IPsec
        • TLS
        • Toolkit Requirements (APIs and Mechanisms)
        • Others
      • On-Going Standardization Work
      • Summary
      • References
    4. Standards: Necessary, but Not Sufficient
      • The Role of Standards, Profiles, and Interoperability Testing
        • Profiles and Interoperability Testing
      • Interoperability Initiatives
        • Automotive Network eXchange
        • Bridge CA Demonstration
        • Federal Public Key Infrastructure
        • Minimum Interoperability Specification
        • National Automated Clearing House Association
        • Public Key Infrastructure X.509
        • Securities Industry Root CA Proof of Concept
      • Summary
      • References
    5. Conclusions and Further Reading
      • Summary
      • Suggestions for Further Reading
        • Certificate/CRL Syntax and Life Cycle Management Protocols
        • Certificate/CRL Storage and Retrieval
        • Interoperability Initiatives
        • Standards Bodies Web Sites
        • Books
  3. Deployment Considerations
    1. Introduction
    2. Benefits (and Costs) of a PKI
      • Business Case Considerations
      • Cost Considerations
      • Deployment: Now or Later?
      • Summary
      • Reference
    3. Deployment Issues and Decisions
      • Trust Models: Hierarchical Versus Distributed
      • In-Source Versus Out-Source
      • Build Versus Buy
      • Closed Versus Open Environment
      • X.509 Versus Alternative Certificate Formats
      • Targeted Applications Versus Comprehensive Solution
      • Standard Versus Proprietary Solutions
      • Interoperability Considerations
        • Certificate and CRL Profiles
        • Multiple Industry Accepted Standards
        • PKI-Enabled Applications
        • Policy Issues
      • On-Line Versus Off-Line Operation
      • Peripheral Support
      • Facility Requirements
      • Personnel Requirements
      • Certificate Revocation
      • End-Entity Roaming
      • Key Recovery
      • Repository Issues
      • Disaster Planning and Recovery
      • Security Assurance
      • Mitigating Risk
      • Summary
      • References
    4. Barriers to Deployment
      • Repository Issues
        • Lack of Industry-Accepted Standard
        • Multi-Vendor Interoperability
        • Scalability and Performance
      • Knowledgeable Personnel
      • PKI-Enabled Applications
      • Corporate-Level Acceptance
      • Summary
      • References
    5. Typical Business Models
      • Internal Communications Business Model
      • External Communications Business Model
        • Business-to-Business
        • Business-to-Consumer
      • Internal/External Business Model Hybrids
      • Business Model Influences
      • Government-Sponsored Initiatives
      • Inter-Domain Trust
        • Entrust Worldwide
        • Identrus
        • VeriSign Trust Network
        • GTE CyberTrust OmniRoot
        • Other Trust Networks
      • Summary
      • References
    6. Conclusions and Further Reading
      • Summary
      • Suggestions for Further Reading

Reviews

Understanding Public-Key Infrastructure

Reviewed by Roland Buresund

Disappointing *** (3 out of 10)

Last modified: May 21, 2007, 2:47 a.m.

Good overview, but not very inspiring. This is an introductory text, nothing else. I expected a lot of detail, but I was disappointed.

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required

captcha

required