CertiGuide to Security+
Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)
4.5  Key Management and Certificate Lifecycles


4.5.3  Escrow

Key escrow[405] is the practice of keeping a copy of a user's private key (or the material needed to regenerate it) in a central, protected store that only security administrators can access, so that the key can be recovered later. Recovery may be needed because the key was lost (to hardware failure, a disaster, or the owner's own carelessness), or because someone other than the owner is authorized to read the data encrypted with it, as in certain regulatory environments or in situations in which law enforcement is involved.

Key Escrow is the PKI equivalent of giving a trusted friend a copy of your car and house keys, perhaps in a sealed envelope or maybe in a combination-lock box if you are especially protective of them, just in case something happens to your original set of keys. The concerns and types of precautions you might take in that situation apply equally to safeguarding escrowed keys.

How often recovery is actually needed depends on whether, and how tightly, the organization controls private keys, and on how careful its users are. The escrow store itself must be protected at least as well as the keys it holds: either the central database of private keys is encrypted under a recovery key held by the administrators, or, where keys are derived rather than stored, the hardware that regenerates a private key from the appropriate input is physically safeguarded.

A key can be placed in escrow after the user has generated the key pair, or the escrow system can pre-generate public/private key pairs and retain the private half before the pair is assigned to a user, depending on what your key escrow system supports and your policies allow.

Systems that issue separate key pairs for signing and for encrypting data make it possible to escrow keys without weakening non-repudiation. Only the decryption key needs to be recoverable, so that messages sent to a user can still be read; the signing key should remain under the user's sole control, or at the very least be archived separately so that recovering one key never yields the other. An administrator who recovers the key that decrypts a particular user's private messages must not thereby obtain the key that signs messages under that user's identity.
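As an added illustration of the two points above (split custody of escrowed keys among several administrators, the "sealed envelope" of the analogy, and escrowing decryption keys but never signing keys), here is a small stand-alone Python script. It is not from the CertiGuide text and does not model any particular vendor's escrow product. It splits an escrowed private key into shares with Shamir secret sharing so that any 3 of 5 custodians can rebuild it, keeps only metadata (plus a SHA-256 digest of the key, an assumed integrity check) at the escrow service, and refuses to escrow a key whose usage is "signing". The custodian names, key IDs, the prime 2**521 - 1 used as the field, the allowed-usage policy and the 32-byte stand-in key are all assumptions chosen for the example.

```python
"""Split-custody escrow of an encryption private key (added illustration).

Shamir secret sharing over GF(P) hands each custodian one share; any
`threshold` of them can rebuild the key, fewer learn nothing about it.
The escrow service keeps only metadata, never key material. Signing keys
are refused so that a recovery can never yield the ability to forge a
user's signature.
"""
import hashlib
import secrets
from dataclasses import dataclass

# 2**521 - 1 is a Mersenne prime, so any key of up to 65 bytes fits in the field.
P = (1 << 521) - 1
ESCROW_ALLOWED_USAGE = {"encryption"}  # assumed policy: escrow decryption keys only


@dataclass(frozen=True)
class EscrowRecord:
    """What the escrow service retains: identifiers, policy, a digest; no key."""
    key_id: str
    usage: str
    key_len: int
    key_digest: bytes        # assumed integrity check on the recovered key
    custodians: tuple
    threshold: int


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients a0..a(k-1) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, n: int, k: int):
    """Return n shares (x, y) of `secret`; any k of them reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < threshold <= number of shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]  # a0 is the secret
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total >= 1 << (8 * length):
        raise ValueError("shares do not reconstruct a secret of the expected length")
    return total.to_bytes(length, "big")


def escrow_private_key(key_id, usage, private_key: bytes, custodians, threshold):
    """Escrow `private_key` as one share per custodian; returns (record, shares)."""
    if usage not in ESCROW_ALLOWED_USAGE:
        raise PermissionError(
            f"refusing to escrow {usage!r} key {key_id}: only decryption keys are "
            "escrowed; a recoverable signing key would defeat non-repudiation")
    shares = split_secret(private_key, len(custodians), threshold)
    record = EscrowRecord(key_id, usage, len(private_key),
                          hashlib.sha256(private_key).digest(),
                          tuple(custodians), threshold)
    return record, dict(zip(custodians, shares))  # shares go to custodians, not the service


def recover_escrowed_key(record: EscrowRecord, presented: dict) -> bytes:
    """Rebuild the key from shares presented by at least `threshold` known custodians."""
    known = {n: s for n, s in presented.items() if n in record.custodians}
    if len(known) < record.threshold:
        raise PermissionError(
            f"{len(known)} valid custodian(s) present, {record.threshold} required")
    key = recover_secret(list(known.values()), record.key_len)
    if hashlib.sha256(key).digest() != record.key_digest:
        raise ValueError("recovered key fails integrity check: a share is corrupt or forged")
    return key


if __name__ == "__main__":
    # Constructed stand-in for a private key; a real one would come from the CA or HSM.
    enc_key = secrets.token_bytes(32)
    record, shares = escrow_private_key(
        "enc-0001", "encryption", enc_key, ["alice", "bob", "carol", "dave", "erin"], 3)
    recovered = recover_escrowed_key(record, {n: shares[n] for n in ("bob", "dave", "erin")})
    print("3-of-5 recovery matches:", recovered == enc_key)
    for attempt in (lambda: recover_escrowed_key(record, {n: shares[n] for n in ("alice", "bob")}),
                    lambda: escrow_private_key("sig-0001", "signing", enc_key, ["alice", "bob"], 2)):
        try:
            attempt()
        except PermissionError as err:
            print("refused:", err)
```

In a production deployment the shares would be written to smart cards or an HSM-backed store rather than returned in memory, the escrow record would be tied to the certificate's key identifier, and every recovery would be logged and approved out of band. Note what the threshold does and does not protect against: two custodians learn nothing about the key, but any three colluding custodians can recover it, so choosing the custodians is itself a security decision.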

Organizations and industries differ in how long business records must be retained; the securities industry, for example, requires transaction-related records to be kept for seven years. If such records are stored encrypted for security reasons, the corresponding decryption keys must be retained, and remain recoverable, for the same period, even after the associated certificates have expired or the users who owned them have left.


 __________________

405. http://www.networkmagazine.com/article/NMG20001004S0015/2




CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.