Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Custom Search







Table Of Contents  CertiGuide to Security+
 9  Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)

Previous Topic/Section
4.5.10.1  Multiple Key Pairs (Single, Dual)
Previous Page
Pages in Current Topic/Section
12345
6
Next Page
4.7  Success Questions
Next Topic/Section

4.6  Summary
(Page 6 of 6)

Key Management



You discovered various things about the key management process, such as:

  • Keys can be managed by either a central authority or via a distributed system in which each individual (or small groups of individuals, headed by a designated manager) manages their own key; when you use a CA to issue and manage certificates, you are using a centralized model

  • Private keys must be securely stored (it is not unheard-of for companies to keep copies of private keys in vaults or off-site, in case needed for recovery; private keys may be stored in software or in hardware devices specifically designed for secure key storage)

  • Each private key owner is responsible for safeguarding his/her private key so that it does not fall into anyone else’s hands

  • Key escrow, which is the process of keeping a copy of the user’s private key in a centralized location accessible to security administrators, or implementing a mechanism whereby the private key can be recovered without being stored; this allows for future recovery of a key, should it be lost due to hardware issues on the user’s machine, etc.

You learned that there are some interesting issues in key recovery. Since private keys are very sensitive items, and anyone possessing the private key can sign documents claiming to be the person to whom the private key belongs, care must be taken during key recovery. Persons given this privilege should be highly trusted, and careful logs kept to ensure that this privilege is not abused. Because of the significant exposure of single-person key recovery, organizations have come up with a way to use the concept of M-of-N control to require multiple participants in any key recovery operation, reducing risk. M-of-N control involves dividing up a task among multiple people so it cannot be performed by one person acting alone. One key recovery technique using M-of-N control involves issuing each potential key recovery agent a percentage of the private key used for the recovery system, in the form of a token; in order to perform a key recovery, some M of the N authorized people entrusted with these tokens must come together and combine their tokens, to be allowed access to key recovery functions.

You discovered that multiple key pairs can be employed for added security, since a single key pair violates non-repudiation, because of the potential for someone other than the key owner to obtain someone’s private key used to sign documents. With multiple key pairs, each entity is assigned TWO key pairs, a “signing key pair” and an “encryption key pair”. This ensures that if you need to perform key recovery in order to obtain the entity’s private key to decrypt messages sent to them, you can obtain that key without also obtaining the private key that could be used to masquerade as that user’s identity.


Previous Topic/Section
4.5.10.1  Multiple Key Pairs (Single, Dual)
Previous Page
Pages in Current Topic/Section
12345
6
Next Page
4.7  Success Questions
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $



Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.