Summary

In this chapter, you learned about the standards, agencies, and associations that are interested in cryptography. You also learned about the standards associated with cryptographic systems and the key management life cycle.

Several government agencies have been specifically charged with overseeing security and encryption. The NSA and NIST are both concerned with government encryption standards. NIST is primarily concerned with nonmilitary standards; NSA/CSS is concerned with military applications.

The IETF, ISOC, ITU, and the IEEE are industrial associations concerned with different aspects of security. They are not required to coordinate their activities, but as a general rule they do. The IEEE publishes many standards and guidelines that are adhered to by most manufacturers.

The series of stages during the process of managing a key or a certificate is called a key/certificate life cycle. A life cycle encompasses all of the major aspects of the life of a key or a certificate from the time it is generated until the time it is retired. The ten stages of a key's life cycle are

  • Key generation and distribution

  • Key storage and distribution

  • Key escrow

  • Key expiration

  • Key revocation

  • Key suspension

  • Key recovery and archival

  • Key renewal

  • Key destruction

  • Key usage

You need to consider each of these stages when you implement a key or certificate within your organization. If you fail to properly address these issues, you can compromise the process or make more work for yourself. If the process is not followed, the entire system is vulnerable.

You need to decide whether to use a centralized or a decentralized process to generate keys. Centralized key generation can potentially create a bottleneck or a single point of failure. Decentralized key generation can create administrative and security problems. Most modern implementations support both centralized and decentralized key generation.

Appropriate key storage is critical to maintaining a secure environment. Keys should be stored on hardened systems under close physical control. Keys can be stored in physical cabinets or on servers. Security storage failures are usually the result of human error. Distributing and transporting keys can present security challenges. Private keys should never be sent through the communications network: if the existing key protecting that network has been compromised, the new key will be just as compromised. Out-of-band transmission should be used to transport or distribute private keys. Public keys are intended for circulation; however, major steps must be taken to protect the integrity of the key.

Key escrow is the process by which keys are made available to law enforcement or other authorized agencies for use in conducting an investigation. Key escrow agents store these keys, and they release them to authorized authorities.

A key expires when it reaches the end of its life cycle. Typically, this is a date-driven event. An expired key may be reissued using a rollover process, but in general terms this is considered a bad practice. The longer a key is used, the more likely it is to be broken.

When a key or certificate has been identified as corrupt, compromised, or lost, it can be revoked. A CRL informs all of the end users and CAs that the certificate has been revoked. Once a key is revoked, it can no longer be used.

Keys are suspended to disable them for a period of time. Suspension may occur because the key holder has become ill or has taken time off. A key can be unsuspended and reused.

Key recovery is the ability to recover a lost key or to use a previously active key. Three types of keys must be considered in this process: current keys, previous keys, and archived keys. An organization can use a key archival system to recover information that has been encrypted using older keys. Key archival systems usually utilize some type of access control such as the M of N Control method. This method stipulates that a certain number of people must be present to access key archives. A key archival system will usually work in conjunction with a key-generating system to provide complete archiving.

Key destruction is the process of rendering a key unusable. Physical keys must be physically destroyed. Software keys and smart card keys should have their key files erased to prevent them from being used.

Either symmetrical or multiple key pairs can be used. Symmetrical keys are identical on both ends of the channel. Multiple key pairs usually refer to two-key systems in which a public and a private key are generated. The public key can be distributed; the private key must be kept secured.



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167
