Foreword | p. xv |
About the Authors | p. xvii |
About the Reviewers | p. xix |
Preface | p. xxi |
Introduction | p. 1 |
Security Trends | p. 2 |
Electronic Commerce and Security Today | p. 3 |
Security Services | p. 3 |
Public Key Infrastructure | p. 6 |
Applications | p. 7 |
Audience | p. 7 |
About this Book | p. 8 |
About the Authors | p. 10 |
Introduction to Cryptography | p. 11 |
My Mom | p. 11 |
Is Cryptography Really Needed? | p. 12 |
Cryptography | p. 15 |
Cryptographic Algorithms | p. 15 |
Cryptology and Cryptanalysis | p. 16 |
Security by Obscurity | p. 17 |
Cryptography 101 | p. 18 |
The Characters | p. 19 |
Symmetric Cryptography | p. 21 |
Pick a Number, Any Number | p. 21 |
Symmetric Cryptography Recap | p. 28 |
Asymmetric Cryptography | p. 29 |
Public and Private Keys | p. 31 |
The Benefits and Drawbacks of Asymmetric Cryptography | p. 34 |
Asymmetric Cryptography Recap | p. 35 |
The Best of Both Worlds | p. 35 |
Hashes | p. 39 |
Digital Signatures | p. 41 |
Digital Certificates | p. 45 |
Non-Repudiation | p. 49 |
Congratulations! | p. 50 |
Cryptography Recap | p. 50 |
Securing Web Transactions | p. 51 |
Why Isn't Cryptography Pervasive Yet? | p. 56 |
Standards-Based, Interoperable Solutions | p. 57 |
Getting Burned | p. 57 |
Migration | p. 59 |
The Test | p. 60 |
Reference | p. 61 |
Public Key Infrastructure Basics | p. 63 |
Public Key Infrastructure Basics | p. 63 |
Why Isn't Public Key Cryptography Enough? | p. 64 |
The Need for Trusted Identities | p. 66 |
Certification Authorities | p. 68 |
What Is a Digital Certificate? | p. 70 |
Application Use of Certificates | p. 77 |
Why Do You Need a Public Key Infrastructure? | p. 79 |
User Authentication | p. 80 |
Public Key Infrastructure Components | p. 83 |
Key and Certificate Life Cycle Management | p. 88 |
The Role of Authorization | p. 89 |
Summary | p. 93 |
References | p. 94 |
PKI Services and Implementation | p. 95 |
Key and Certificate Life Cycle Management | p. 95 |
Certificate Issuance | p. 96 |
How Long Will that Key Last? | p. 103 |
Certificate Revocation | p. 106 |
Certificate Validation | p. 108 |
Certification Paths | p. 109 |
Types of Keys | p. 115 |
Certificate Distribution | p. 118 |
Fundamental Requirements | p. 121 |
Protection of Private Keys | p. 122 |
Deploying PKI Services | p. 128 |
Public Certification Authority Services | p. 129 |
In-House Enterprise Certification Authorities | p. 132 |
Outsourced Enterprise CAs | p. 133 |
How Do You Decide? | p. 135 |
Summary | p. 136 |
References | p. 137 |
Key and Certificate Life Cycles | p. 139 |
Non-Repudiation and Key Management | p. 139 |
Key Management | p. 141 |
Key Generation | p. 141 |
Key Stores | p. 144 |
Key Transport | p. 145 |
Key Archival | p. 147 |
Key Recovery | p. 150 |
Certificate Management | p. 155 |
Certificate Registration | p. 156 |
End-Entity Certificate Renewal | p. 163 |
CA Certificate Renewal | p. 163 |
Certificate Revocation | p. 165 |
Summary | p. 178 |
A PKI Architecture--The PKIX Model | p. 179 |
Public Key Infrastructure Architecture | p. 179 |
The PKIX Model | p. 179 |
PKIX Architecture | p. 181 |
PKIX Functions | p. 183 |
PKIX Specifications | p. 186 |
PKI Entities | p. 188 |
Registration Authority | p. 188 |
Certification Authority | p. 190 |
Repository | p. 191 |
PKIX Management Protocols | p. 191 |
CMP | p. 192 |
CMC | p. 197 |
Non-PKIX Management Protocols | p. 200 |
SCEP | p. 200 |
PKIX Certificate Validation Protocols | p. 202 |
OCSP | p. 203 |
SCVP | p. 205 |
OCSP-X | p. 207 |
Summary | p. 208 |
References | p. 208 |
Application Use of PKI | p. 211 |
PKI-Based Services | p. 211 |
Digital Signature | p. 211 |
Authentication | p. 212 |
Timestamp | p. 213 |
Secure Notary Service | p. 213 |
Non-Repudiation | p. 214 |
PKI-Based Protocols | p. 216 |
Diffie-Hellman Key Exchange | p. 217 |
Secure Sockets Layer | p. 219 |
IPsec | p. 223 |
S/MIME | p. 228 |
Time Stamp Protocol | p. 229 |
WTLS | p. 229 |
Formatting Standards | p. 230 |
X.509 | p. 230 |
PKIX | p. 231 |
IEEE P1363 | p. 231 |
PKCS | p. 232 |
XML | p. 234 |
Application Programming Interfaces | p. 234 |
Microsoft CryptoAPI | p. 235 |
Common Data Security Architecture | p. 236 |
Generic Security Service API | p. 238 |
Lightweight Directory Access Protocol | p. 238 |
Application and PKI Implementations | p. 239 |
Signed Data Application | p. 240 |
Summary | p. 241 |
Trust Models | p. 243 |
What Is a Trust Model? | p. 243 |
Trust | p. 244 |
Trust Domains | p. 245 |
Trust Anchors | p. 246 |
Trust Relationships | p. 247 |
General Hierarchical Organizations | p. 249 |
Trust Models | p. 251 |
Subordinated Hierarchical Models | p. 251 |
Peer-to-Peer Models | p. 256 |
Mesh Models | p. 260 |
Hybrid Trust Models | p. 268 |
Who Manages Trust? | p. 273 |
User Control | p. 273 |
Local Trust Lists | p. 276 |
Managed Trust | p. 278 |
Certificate Policy | p. 280 |
Constrained Trust Models | p. 281 |
Path Length | p. 281 |
Certificate Policies | p. 282 |
Path Construction and Validation | p. 286 |
Path Construction | p. 287 |
Path Validation | p. 289 |
Implementations | p. 290 |
Identrus Trust Model | p. 290 |
ISO Banking Trust Model | p. 292 |
Bridge CA | p. 294 |
Summary | p. 296 |
References | p. 296 |
Authentication and PKI | p. 299 |
Who Are You? | p. 299 |
Authentication | p. 299 |
Authentication and PKI | p. 301 |
Secrets | p. 302 |
Passwords | p. 302 |
Passwords in the Clear | p. 302 |
Something Derived from Passwords | p. 304 |
Adding a Little Randomness | p. 306 |
Password Update | p. 311 |
Here Come the Problems | p. 312 |
The Costs of Passwords | p. 315 |
Passwords Recap | p. 316 |
Passwords and PKI | p. 316 |
Moore's Law Has Got Us! | p. 318 |
Work to Strengthen Passwords | p. 319 |
Authentication Tokens | p. 320 |
2-Factor Authentication | p. 321 |
Types of Authentication Tokens | p. 322 |
PIN Management | p. 331 |
Authentication Token Recap | p. 334 |
Authentication Tokens and PKI | p. 334 |
Smart Cards | p. 337 |
Smart Card Construction | p. 337 |
Talking to a Smart Card | p. 339 |
Smart Card Classifications | p. 341 |
Non-Crypto Cards | p. 342 |
Crypto Cards | p. 343 |
When Are Smart Cards Not Smart Cards? | p. 345 |
Applications on a Smart Card | p. 346 |
Smart Card Operating Systems | p. 347 |
Smart Card Tamper Resistance | p. 348 |
Structural Tamper Resistance | p. 351 |
Smart Card Recap | p. 354 |
Smart Cards and PKI | p. 355 |
Biometric Authentication | p. 359 |
How Biometrics Work | p. 359 |
Biometric Data | p. 360 |
Registration | p. 361 |
FAR/FRR | p. 362 |
The Biometric Design Center | p. 362 |
Issues with Biometrics | p. 364 |
Coverage | p. 364 |
Agent-Side Spoofing | p. 365 |
Server-Side Attacks | p. 367 |
Social Issues | p. 368 |
Cross-System Replay | p. 369 |
Revocation | p. 370 |
Recommendations | p. 371 |
The Holy Grail: Biometrics and PKI | p. 372 |
Biometric Recap | p. 373 |
Wrapping Up Authentication | p. 374 |
Deployment and Operation | p. 377 |
PKI Planning | p. 377 |
Business Drivers | p. 378 |
Applications Planning | p. 380 |
Architecture Planning | p. 381 |
User Impact | p. 384 |
Support and Administration | p. 386 |
Infrastructure Impact | p. 387 |
Certificate Content Planning | p. 389 |
Database Integration | p. 391 |
Legal and Policy Considerations | p. 393 |
Trust Models | p. 397 |
Deployment Considerations | p. 403 |
Operational Considerations | p. 405 |
Summary | p. 407 |
PKI and Return on Investment | p. 409 |
Total Cost of Ownership: The "I" in ROI | p. 410 |
Products/Technologies | p. 411 |
Plant (Facilities) | p. 413 |
People | p. 413 |
Process | p. 413 |
Total Cost of Ownership: Summary | p. 414 |
Financial Returns: The "R" in ROI | p. 414 |
Business Process | p. 416 |
Metrics | p. 421 |
Revenues | p. 421 |
Costs | p. 423 |
Compliance | p. 427 |
Risks | p. 428 |
Financial Returns: Summary | p. 430 |
PKI ROI: Summary | p. 431 |
References | p. 433 |
X.509 Certificates | p. 435 |
Solution to the Test | p. 461 |
Privilege Management Infrastructure | p. 469 |
Glossary | p. 487 |
Index | p. 497 |
Table of Contents provided by Syndetics. All Rights Reserved. |