CertiGuide to Security+
Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)


4.6  Summary
(Page 4 of 6)

PKI (Public Key Infrastructure)



You explored PKI (Public Key Infrastructure), the combination of software, encryption technologies and services that lets organizations protect the security of their communications and data. PKIs are generally built on public/private key systems and use digital certificates, issued and validated by certificate authorities, for authentication.

You discovered important elements of a PKI including:

  • Digital Certificates, a digital ID card binding a public key to the individual or item (such as a server) identified by the certificate; most certificates follow the X.509 standard and carry fields such as the X.509 version, serial number, signature algorithm, name of the issuing certificate authority, validity period (not-before and expiration dates), name of the subject to whom the certificate belongs and the subject's public key, the whole structure being signed by the issuing CA. X.509v3 adds an extensions field to X.509v2 (used for key usage, subject alternative names and the basic-constraints flag that marks a certificate as belonging to a CA) and is the version in general use.

  • Certificate Authority, or CA, the digital equivalent of a notary public: a trusted third party that vouches that a public key belongs to the named individual or system by signing that binding into a certificate. CAs publish public keys and certificates in directories, provide revocation and expiration services for the certificates they issue, answer certificate-status queries, and in some deployments generate key pairs on the subject's behalf (normally the subject generates its own key pair, keeps the private key, and submits only the public key for certification).

  • Certificate Policy, the set of rules issued by a CA indicating the applicability of a certificate to a class of applications with common security requirements; describes rules for the issuance, management and use of certificates issued by that CA.

  • Certificate Practice Statement, or CPS, a more detailed statement of the procedures and policies used by the CA in managing the certificates it issues; includes operational procedures and a description of the organization’s certificate management system; tends to be much more detailed than a Certificate Policy.

  • Certificate Revocation List, or CRL, a time-stamped list of certificates the CA has revoked or suspended before their expiration date, digitally signed with the CA's private key so that a relying party can confirm the list really came from the CA before acting on it; certificates that have already expired need not be listed, since they fail the validity-period check anyway. One problem with CRLs is that they are published on a schedule, typically once a day or so, rather than in real time, so there can be a delay between the time revocation is requested and the time the certificate appears in a CRL that clients have actually fetched; the list's next-update time stamp tells a client how long the copy it holds may be relied upon. Per-certificate status protocols such as OCSP exist to close that gap.

Certificates

In taking a more in-depth look at certificates, you learned that certificate authorities may be arranged in various ways; a PKI may be managed by a single certificate authority or by a combination of several. "Trust" is confident reliance on an entity or organization; in the PKI world it usually describes the relationship between a certificate holder and the issuing CA, or between the viewer (relying party) of a certificate and the issuing CA. "Trust models" describe the "chain of trust", that is, how trust in one entity (a CA) carries over to the entities whose certificates it has signed, much as trust relationships work between Windows 2000 domains. Some common CA trust models include:

  • Web of Trust, no central authority; each user creates and signs certificates for people they know; PGP uses this model.

  • Single CA, in which one CA issues every certificate and each entity obtains that CA's public key over a secure channel so it can check the signatures on the certificates it receives; there is a single point of contact to check certificate status and to request certificate actions such as revocation. Simple, but that one CA is also a single point of failure and of compromise.

  • Hierarchical, a tree-structured model involving multiple CAs with a Root CA at the top, which signs the certificates of lower-level (intermediate) CAs that in turn issue certificates to end entities; a relying party needs only the Root CA's public key to validate any certificate in the tree by following the chain of signatures upward. This scales well and suits large hierarchical organizations such as the military better than distributed, non-centralized peer-to-peer uses.

  • Browser Trust List, or CA list, in which each user (in practice, each browser or operating system) holds a list of public keys for all the CAs the user trusts; a certificate chain that does not end at a CA in that list is rejected no matter how valid its signatures are, so the contents of the list decide who is trusted.
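The following Go program is an added example, not part of the CertiGuide text, that exercises the certificate, CRL and trust-model points above with the Go standard library's crypto/x509 package. It builds a small hierarchy (a self-signed Root CA, an issuing CA whose certificate the root signs, and a server certificate the issuing CA signs), prints the X.509 v3 fields the summary lists, verifies the server certificate against a browser-style trust list that holds the root and then against one that holds an unrelated root, and finally has the issuing CA publish a signed CRL listing the server certificate. The CA names and the host name www.example.test are invented for the demo; the validity periods, serial numbers and the 24-hour CRL interval are arbitrary choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors (key generation, DER encoding); the PKI checks return theirs.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key pair and an X.509 v3 certificate for cn: self-signed when
// parent is nil (a root CA), otherwise signed by parentKey. Names are invented.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), // validity period
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // v3 extension that marks CA vs end entity
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn} // end entity: bind the key to a host name
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// verifyChain is the relying party's check: leaf -> inter -> a CA in its own trust list.
func verifyChain(leaf, inter, trusted *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.Subject.CommonName})
	return err
}

// issueCRL builds a CRL signed with the issuing CA's key. thisUpdate/nextUpdate are the
// time stamps clients use for freshness: a revocation after thisUpdate is unseen until the next list.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked *x509.Certificate) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// crlStatus verifies the CRL's signature before trusting its contents, then looks the
// serial up; returns "revoked" or "good".
func crlStatus(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) (string, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

func main() {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil)
	inter, interKey := issue("Example Issuing CA", 2, true, root, rootKey)
	leaf, _ := issue("www.example.test", 3, false, inter, interKey)
	other, _ := issue("Unrelated Root CA", 1, true, nil, nil)
	fmt.Printf("v%d serial=%s issuer=%q subject=%q extensions=%d\n", leaf.Version, leaf.SerialNumber, leaf.Issuer.CommonName, leaf.Subject.CommonName, len(leaf.Extensions))
	fmt.Println("trust list holds our root:    ", verifyChain(leaf, inter, root))
	fmt.Println("trust list holds another root:", verifyChain(leaf, inter, other))
	crl := issueCRL(inter, interKey, leaf)
	status, err := crlStatus(crl, inter, leaf.SerialNumber)
	fmt.Println("leaf per CRL:", status, err, "| nextUpdate:", crl.NextUpdate.Format(time.RFC3339))
}
```

Run it with `go run`. The first verification succeeds because the chain ends at a CA in the trust list; the second fails with an unknown-authority error even though every signature in the chain is valid, which is the whole point of the CA list. The CRL check verifies the issuing CA's signature before reading the list, and a client that already holds an older CRL would keep accepting the revoked certificate until that list's nextUpdate time passes and it fetches this one; that interval is the revocation delay described in the summary.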





CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.