Understanding PKI : Concepts, Standards, and Deployment Considerations
by Adams, Carlisle; Lloyd, SteveEdition: 2nd
Format: Hardcover
Pub. Date: 2003-01-01
Publisher(s): Addison-Wesley Professional
Other versions by this Author
List Price: $64.99
Rent Book
Select for Price
New Book
We're Sorry
Sold Out
Used Book
We're Sorry
Sold Out
eBook
We're Sorry
Not Available
How Marketplace Works:
- This item is offered by an independent seller and not shipped from our warehouse
- Item details like edition and cover design may differ from our description; see seller's comments before ordering.
- Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
- Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
- Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.
Summary
Public-Key Infrastructure (PKI) is the foundation of the four major elements of digital security: authentication, integrity, confidentiality, and non-repudiation. The idea of a public-key infrastructure has existed for more than a decade, but the need for PKI has intensified over the last few years as the Internet has expanded its reach into business, government, the legal system, the military, and other areas that depEND on secure communications. Understanding PKI, Second EDITION, is both a guide for software engineers involved in PKI development and a readable resource for technical managers responsible for their organization's security policies and investments. It is a comprehensive primer to the latest in PKI technology and how it is used today. Taking a non-vENDor-specific approach, this book explains fundamental concepts, examines emerging standards, and discusses deployment considerations and strategies that effect success. This second EDITION has been updated throughout to incorporate all of the most recent developments in the PKI field. Two new chapters have been added to address the use of PKI in the real world and to explore the technology's future. This new EDITION also addresses: bull;The X.509 standard bull;PKI for privacy bull;The emergence of electronic signatures and accompanying legislation bull;New PKI initiatives supported by the XML standards bodies In addition to this specific information, the AUTHORs lEND their informed opinions on how emerging trENDs will drive the expansion of PKI. 0672323915B10162002
Table of Contents
Foreword.
Preface.
About the Authors.
2. Public-Key Cryptography.
3. The Concept of an Infrastructure.
4. Core PKI Services: Authentication, Integrity, and Confidentiality.
5. PKI-Enabled Services.
6. Certificates and Certification.
7. Key and Certificate Management.
8. Certificate Revocation.
9. Trust Models.
10. Multiple Certificates per Entity.
11. PKI Information Dissemination: Repositories and Other Techniques.
12. PKI Operational Considerations.
13. Electronic Signature Legislation and Considerations.
14. PKI in Practice.
15. The Future of PKI.
16. Conclusions and Further Reading.
17. Introduction.
18. Major Standards Activities.
19. Standardization Status and Road Map.
20. Standards: Necessary but Not Sufficient.
21. Conclusions and Further Reading.
22. Introduction.
23. Benefits and Costs of a PKI.
24. Deployment Issues and Decisions.
25. Barriers to Deployment.
26. Typical Business Models.
27. Conclusions and Further Reading.
References.
Index. 0672323915T10162002
Preface.
About the Authors.
I. CONCEPTS.
1. Introduction.2. Public-Key Cryptography.
Symmetric versus Asymmetric Ciphers.
Public/Private-Key Pair.
Services of Public-Key Cryptography.
Security between Strangers.
Encryption.
Digital Signature.
Data Integrity.
Key Establishment.
Other Services.
Algorithms.
RSA.
DSA.
DH.
ECDSA and ECDH.
SHA-1.
Ongoing Work.
Summary.
Secret Key.
New Directions: Public Key.
New Directions: Public Key.
Public/Private-Key Pair.
Services of Public-Key Cryptography.
Security between Strangers.
Encryption.
Digital Signature.
Data Integrity.
Key Establishment.
Other Services.
Algorithms.
RSA.
DSA.
DH.
ECDSA and ECDH.
SHA-1.
Ongoing Work.
Summary.
3. The Concept of an Infrastructure.
Pervasive Substrate.
Application Enabler.
Secure Sign-On.
End-User Transparency.
Comprehensive Security.
Business Drivers.
Public-Key Infrastructure Defined.
Certification Authority.
Certificate Repository.
Certificate Revocation.
Key Backup and Recovery.
Automatic Key Update.
Key History.
Cross-Certification.
Support for Non-repudiation.
Time Stamping.
Client Software.
Summary.
Application Enabler.
Secure Sign-On.
End-User Transparency.
Comprehensive Security.
Business Drivers.
Public-Key Infrastructure Defined.
Certification Authority.
Certificate Repository.
Certificate Revocation.
Key Backup and Recovery.
Automatic Key Update.
Key History.
Cross-Certification.
Support for Non-repudiation.
Time Stamping.
Client Software.
Summary.
4. Core PKI Services: Authentication, Integrity, and Confidentiality.
Definitions.
Authentication.
Integrity.
Confidentiality.
Mechanisms.
Authentication.
Integrity.
Confidentiality.
Operational Considerations.
Performance.
Online versus Offline Operation.
Commonality of Underlying Algorithms.
Entity Naming.
Summary.
Authentication.
Integrity.
Confidentiality.
Mechanisms.
Authentication.
Integrity.
Confidentiality.
Operational Considerations.
Performance.
Online versus Offline Operation.
Commonality of Underlying Algorithms.
Entity Naming.
Summary.
5. PKI-Enabled Services.
Secure Communication.
Secure Time Stamping.
Notarization.
Non-repudiation.
Connection with Other Services.
Need for Secure Data Archive.
Complexity of This Service.
The Human Factor.
Privilege Management.
Authentication and Authorization.
Authorization Authorities.
Delegation.
Connection with the PKI.
Privacy.
Mechanisms Required to Create PKI-Enabled Services.
Digital Signatures, Hashes, MACs, and Ciphers.
Trusted Time Sources.
Privilege Policy Creation Mechanism.
Privilege Policy Processing Engines.
Privilege Management Infrastructure Mechanisms.
Privacy Architecture.
Operational Considerations.
Trusted Time Delivery Mechanism.
Secure Protocols.
Server Redundancy.
Physically Secure Archive Facilities.
Privacy Certificates and Identity Mapping.
Real Life.
Comprehensive PKI and Current Practice.
Summary.
Secure Time Stamping.
Notarization.
Non-repudiation.
Connection with Other Services.
Need for Secure Data Archive.
Complexity of This Service.
The Human Factor.
Privilege Management.
Authentication and Authorization.
Authorization Authorities.
Delegation.
Connection with the PKI.
Privacy.
Mechanisms Required to Create PKI-Enabled Services.
Digital Signatures, Hashes, MACs, and Ciphers.
Trusted Time Sources.
Privilege Policy Creation Mechanism.
Privilege Policy Processing Engines.
Privilege Management Infrastructure Mechanisms.
Privacy Architecture.
Operational Considerations.
Trusted Time Delivery Mechanism.
Secure Protocols.
Server Redundancy.
Physically Secure Archive Facilities.
Privacy Certificates and Identity Mapping.
Real Life.
Comprehensive PKI and Current Practice.
Summary.
6. Certificates and Certification.
Certificates.
Digital Certificate.
Certificate Structure and Semantics.
Alternative Certificate Formats.
Certificate Policies.
Object Identifiers.
Policy Authorities.
Certification Authority.
Registration Authority.
Summary.
Digital Certificate.
Certificate Structure and Semantics.
Alternative Certificate Formats.
Certificate Policies.
Object Identifiers.
Policy Authorities.
Certification Authority.
Registration Authority.
Summary.
7. Key and Certificate Management.
Key/Certificate Life-Cycle Management.
Initialization Phase.
Issued Phase.
Cancellation Phase.
Summary.
Initialization Phase.
Issued Phase.
Cancellation Phase.
Summary.
8. Certificate Revocation.
Periodic Publication Mechanisms.
Certificate Revocation Lists (CRLs).
Complete CRLs.
Certification Authority Revocation Lists (CARLs).
End-Entity Public-Key Certification Revocation Lists (EPRLs).
CRL Distribution Points.
Redirect CRLs.
Delta and Indirect Delta CRLs.
Indirect CRLs.
Certificate Revocation Trees (CRTs).
Online Query Mechanisms.
Online Certificate Status Protocol (OCSP).
Simple Certificate Validation Protocol (SCVP).
Other Revocation Options.
Performance, Scalability, and Timeliness.
Summary.
Certificate Revocation Lists (CRLs).
Complete CRLs.
Certification Authority Revocation Lists (CARLs).
End-Entity Public-Key Certification Revocation Lists (EPRLs).
CRL Distribution Points.
Redirect CRLs.
Delta and Indirect Delta CRLs.
Indirect CRLs.
Certificate Revocation Trees (CRTs).
Online Query Mechanisms.
Online Certificate Status Protocol (OCSP).
Simple Certificate Validation Protocol (SCVP).
Other Revocation Options.
Performance, Scalability, and Timeliness.
Summary.
9. Trust Models.
Strict Hierarchy of Certification Authorities.
Loose Hierarchy of Certification Authorities.
Policy-Based Hierarchies.
Distributed Trust Architecture.
Mesh Configuration.
Hub-and-Spoke Configuration.
Four-Corner Trust Model.
Web Model.
User-Centric Trust.
Cross-Certification.
Entity Naming.
Certificate Path Processing.
Path Construction.
Path Validation.
Trust Anchor Considerations.
Summary.
Loose Hierarchy of Certification Authorities.
Policy-Based Hierarchies.
Distributed Trust Architecture.
Mesh Configuration.
Hub-and-Spoke Configuration.
Four-Corner Trust Model.
Web Model.
User-Centric Trust.
Cross-Certification.
Entity Naming.
Certificate Path Processing.
Path Construction.
Path Validation.
Trust Anchor Considerations.
Summary.
10. Multiple Certificates per Entity.
Multiple Key Pairs.
Key Pair Uses.
Relationship between Key Pairs and Certificates.
Real-World Difficulties.
Independent Certificate Management.
Support for Non-repudiation.
Summary.
Key Pair Uses.
Relationship between Key Pairs and Certificates.
Real-World Difficulties.
Independent Certificate Management.
Support for Non-repudiation.
Summary.
11. PKI Information Dissemination: Repositories and Other Techniques.
Private Dissemination.
Publication and Repositories.
Locating Repositories 162Tradeoffs.
Interdomain Repository Issues and Options.
Direct Access.
Border Repository.
Shared Repository.
Interdomain Replication.
In-band Protocol Exchange.
Summary.
Publication and Repositories.
Locating Repositories 162Tradeoffs.
Interdomain Repository Issues and Options.
Direct Access.
Border Repository.
Shared Repository.
Interdomain Replication.
In-band Protocol Exchange.
Summary.
12. PKI Operational Considerations.
Client-Side Software.
Off-line Operations.
Physical Security.
Hardware Components.
User Key Compromise.
Disaster Preparation and Recovery.
Relying Party Notification.
Preparation.
Recovery.
Additional Observations.
Summary.
Off-line Operations.
Physical Security.
Hardware Components.
User Key Compromise.
Disaster Preparation and Recovery.
Relying Party Notification.
Preparation.
Recovery.
Additional Observations.
Summary.
13. Electronic Signature Legislation and Considerations.
Electronic Signature Legislation.
E-Sign.
Digital Signatures in Context.
EU Electronic Signature Directive.
The Significance of Electronic Signature Initiatives.
Legal Considerations for PKIs.
CA Requirements.
Roles and Responsibilities.
Private Enterprise PKIs.
Other Contractual-Based Frameworks.
Confidentiality.
Summary.
E-Sign.
Digital Signatures in Context.
EU Electronic Signature Directive.
The Significance of Electronic Signature Initiatives.
Legal Considerations for PKIs.
CA Requirements.
Roles and Responsibilities.
Private Enterprise PKIs.
Other Contractual-Based Frameworks.
Confidentiality.
Summary.
14. PKI in Practice.
What PKI Does.
What PKI Does Not Do.
The Value of PKI.
When Certificates and People Meet.
An E-mail Scenario.
A Web Scenario.
Summary.
What PKI Does Not Do.
The Value of PKI.
When Certificates and People Meet.
An E-mail Scenario.
A Web Scenario.
Summary.
15. The Future of PKI.
What Happened?
How the World Is Changing.
A Recognized Authoritative Body.
A Motivation.
Users.
Reasons for Cautious Optimism.
Summary.
How the World Is Changing.
A Recognized Authoritative Body.
A Motivation.
Users.
Reasons for Cautious Optimism.
Summary.
16. Conclusions and Further Reading.
Conclusions.
Suggestions for Further Reading.
Suggestions for Further Reading.
II. STANDARDS.
17. Introduction.
18. Major Standards Activities.
X.509.
PKIX.
X.500.
LDAP.
ISO TC68.
ANSI X9F.
S/MIME.
IPsec.
TLS.
SPKI.
OpenPGP.
EDIFACT.
IEEE.
WAP.
XML-Based Activities.
Other Activities.
U.S. FPKI.
MISPC.
GOC PKI.
SET.
SEMPER.
ECOM.
JCP.
ICE-CAR.
Summary.
PKIX.
X.500.
LDAP.
ISO TC68.
ANSI X9F.
S/MIME.
IPsec.
TLS.
SPKI.
OpenPGP.
EDIFACT.
IEEE.
WAP.
XML-Based Activities.
Other Activities.
U.S. FPKI.
MISPC.
GOC PKI.
SET.
SEMPER.
ECOM.
JCP.
ICE-CAR.
Summary.
19. Standardization Status and Road Map.
Current Standardization Status.
X.509.
PKIX.
X.500.
LDAP.
S/MIME.
IPsec.
TLS.
Toolkit Requirements (APIs and Mechanisms).
Others.
Ongoing Standardization Work.
Summary.
X.509.
PKIX.
X.500.
LDAP.
S/MIME.
IPsec.
TLS.
Toolkit Requirements (APIs and Mechanisms).
Others.
Ongoing Standardization Work.
Summary.
20. Standards: Necessary but Not Sufficient.
The Role of Standards, Profiles, and Interoperability Testing.
Profiles and Interoperability Testing.
Interoperability Initiatives.
Automotive Network eXchange.
Bridge CA Demonstration.
Federal PKI.
Minimum Interoperability Specification.
National Automated Clearing House Association.
PKI X.509.
Securities Industry Root CA Proof of Concept.
EEMA PKI Challenge.
Summary.
Profiles and Interoperability Testing.
Interoperability Initiatives.
Automotive Network eXchange.
Bridge CA Demonstration.
Federal PKI.
Minimum Interoperability Specification.
National Automated Clearing House Association.
PKI X.509.
Securities Industry Root CA Proof of Concept.
EEMA PKI Challenge.
Summary.
21. Conclusions and Further Reading.
Conclusions.
Suggestions for Further Reading.
Certificate/CRL Syntax and Life-Cycle Management Protocols.
Certificate/CRL Storage and Retrieval.
XML-Based Initiatives.
Interoperability Initiatives.
Standards Bodies' Web Sites.
Books.
Suggestions for Further Reading.
Certificate/CRL Syntax and Life-Cycle Management Protocols.
Certificate/CRL Storage and Retrieval.
XML-Based Initiatives.
Interoperability Initiatives.
Standards Bodies' Web Sites.
Books.
III. DEPLOYMENT CONSIDERATIONS.
22. Introduction.
23. Benefits and Costs of a PKI.
Business Case Considerations.
Cost Considerations.
Deployment: Now or Later?
Summary.
Cost Considerations.
Deployment: Now or Later?
Summary.
24. Deployment Issues and Decisions.
Trust Models: Hierarchical versus Distributed.
In-sourcing versus Out-sourcing.
Build versus Buy.
Closed versus Open Environment.
X.509 versus Alternative Certificate Formats.
Targeted Applications versus Comprehensive Solution.
Standard versus Proprietary Solutions.
Interoperability Considerations.
Certificate and CRL Profiles.
Multiple Industry-Accepted Standards.
PKI-Enabled Applications.
Policy/Business Control Issues.
On-line versus Off-line Operations.
Peripheral Support.
Facility Requirements.
Personnel Requirements.
Certificate Revocation.
End-Entity Roaming.
Key Recovery.
Repository Issues.
Disaster Planning and Recovery.
Security Assurance.
Mitigating Risk.
Summary.
In-sourcing versus Out-sourcing.
Build versus Buy.
Closed versus Open Environment.
X.509 versus Alternative Certificate Formats.
Targeted Applications versus Comprehensive Solution.
Standard versus Proprietary Solutions.
Interoperability Considerations.
Certificate and CRL Profiles.
Multiple Industry-Accepted Standards.
PKI-Enabled Applications.
Policy/Business Control Issues.
On-line versus Off-line Operations.
Peripheral Support.
Facility Requirements.
Personnel Requirements.
Certificate Revocation.
End-Entity Roaming.
Key Recovery.
Repository Issues.
Disaster Planning and Recovery.
Security Assurance.
Mitigating Risk.
Summary.
25. Barriers to Deployment.
Repository Issues.
Lack of Industry-Accepted Standard.
Multivendor Interoperability.
Scalability and Performance.
Knowledgeable Personnel.
PKI-Enabled Applications.
Corporate-Level Acceptance.
Summary.
Lack of Industry-Accepted Standard.
Multivendor Interoperability.
Scalability and Performance.
Knowledgeable Personnel.
PKI-Enabled Applications.
Corporate-Level Acceptance.
Summary.
26. Typical Business Models.
Internal Communications Business Model.
External Communications Business Model.
Business-to-Business Communication.
Business-to-Consumer Communication.
Internal/External Business Model Hybrids.
Business Model Influences.
Government-Sponsored Initiatives.
Interdomain Trust.
Identrus.
Bridge CA.
VeriSign Trust Network.
GTE CyberTrust/Baltimore Technologies OmniRoot.
Other Trust Networks.
Summary.
External Communications Business Model.
Business-to-Business Communication.
Business-to-Consumer Communication.
Internal/External Business Model Hybrids.
Business Model Influences.
Government-Sponsored Initiatives.
Interdomain Trust.
Identrus.
Bridge CA.
VeriSign Trust Network.
GTE CyberTrust/Baltimore Technologies OmniRoot.
Other Trust Networks.
Summary.
27. Conclusions and Further Reading.
Conclusions.
Suggestions for Further Reading.
Suggestions for Further Reading.
References.
Index. 0672323915T10162002
Excerpts
Without doubt, the promise of public-key infrastructure (PKI) technology has attracted a significant amount of attention in the last few years. Hardly a week goes by without some facet of PKI being addressed in a newspaper, trade journal, or conference paper. We hear and read about the promise of authentication and non-repudiation services provided through the use of digital signature techniques and about confidentiality and key management services based on a combination of symmetric and asymmetric cryptographyall facilitated through the realization of a supporting technology referred to as PKI. In fact, many people consider the widespread deployment of PKI technology to be an important enabler of secure global electronic commerce.Although the foundation for PKI was established over two decades ago with the invention of public-key cryptography, PKI technology has been offered as a commercially viable solution only within the last few years. But what started as a handful of technology vendors a few years ago has seen the birth of dozens, perhaps hundreds, of products that offer one form or another of PKI-related service. Further, the commercial demand for PKI-based services remains strong, and available evidence suggests that this will continue for the foreseeable future.Still, as a technology, PKI is fairly new. And to many, PKI technology is shrouded in mystery to some extent. This situation appears to be exacerbated by the proliferation of conflicting documentation, standards, and vendor approaches. Furthermore, there are few comprehensive books devoted to PKI that provide a good introduction to its critical concepts and technology fundamentals.Thus, the authors share a common motivation in writing this book: to provide a vendor-neutral source of information that can be used to establish a baseline for understanding PKI. In this book, we provide answers to many of the fundamental PKI-related questions, including Whatexactlyis a PKI? What constitutes a digital signature? What is a certificate? What is certificate revocation? What is a Certification Authority (CA)? What are the governing standards? What are the issues associated with large-scale PKI deployment within an enterprise?These are just some of the questions we explore in this book. Motivations for PKIIt is important to recognize that PKI is not simply a "neat" technology without tangible benefits.When deployed judiciously, PKI offers certain fundamental advantages to an organization, including the potential for substantial cost savings. PKI can be used as the underlying technology to support authentication, integrity, confidentiality, and non-repudiation. This is accomplished through a combination of symmetric and asymmetric cryptographic techniques enabled through the use of a single, easily managed infrastructure rather than multiple security solutions. (See Chapter 2, Public-Key Cryptography; Chapter 3, The Concept of an Infrastructure; Chapter 4, Core PKI Services: Authentication, Integrity, and Confidentiality; and Chapter 5, PKI-Enabled Services.) PKI offers scalable key management in that the overhead associated with the distribution of keying material to communicating parties is reduced significantly when compared with solutions based solely on symmetric cryptography. (See Chapter 2 for a description of symmetric and asymmetric cryptographic techniques.) Ultimately, however, the primary motivations from a business standpoint are not technical but economic: How can PKI give a positive return on investment? To that end, judicious deployment of a single, unifying PKI technology can help, among other things Reduce administrative overhead (when compared with the deployment of multiple point solutions) Reduce the number of passwords required by end users (and, consequently, the administrative and help desk costs asso
An electronic version of this book is available through VitalSource.
This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.
By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.
Digital License
You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.
More details can be found here.
A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.
Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.
Please view the compatibility matrix prior to purchase.