Public Key Infrastructure Implementation and Design / Edition 1


Overview

Public Key Infrastructure Implementation and Design is a complete, concise guide for professionals. This book offers a complete reference on all aspects of public key infrastructure including architecture, planning, implementation, cryptography, standards and certificates.


Product Details

  • ISBN-13: 9780764548796
  • Publisher: Wiley
  • Publication date: 3/15/2002
  • Series: Professional Mindware Series
  • Edition number: 1
  • Pages: 408
  • Product dimensions: 9.25 (w) x 7.50 (h) x 0.79 (d)

Meet the Author

NIIT is a global IT solutions company that develops customized multimedia training products and trains more than 150,000 people in 37 countries every year.
Suranjan Choudhury, MCSE, CACP, CADC, Sun, is a network security specialist for NIIT, a global training and software organization. He has developed security policies and overseen implementations of secure Web sites and messaging systems (using PKI, firewall, portal, and VPN technologies) for GE, Amro Bank, NALCO, the Indian Ministry of Defense, and other organizations.
Kartik Bhatnagar has an MBA in systems and is currently employed as a development executive with NIIT.
Wasim Haque has over 7 years of experience in information technology with expertise in analysis, design, and implementation of enterprise-wide networks using various security solutions for the enterprise.


Table of Contents

Preface
Acknowledgments
Ch. 1 Cryptography Basics
Ch. 2 Public Key Infrastructure Basics
Ch. 3 PKI Architecture
Ch. 4 CA Functions
Ch. 5 Certificate Management
Ch. 6 PKI Management Protocols and Standards
Ch. 7 PKI-Enabled Services
Ch. 8 Installing Windows 2000-Based PKI Solutions
Ch. 9 Installing and Configuring Windows 2000 Certificate Server for SSL, IPSec, and S/MIME
Ch. 10 Understanding PGP
Ch. 11 Planning for PKI Deployment
Ch. 12 AllSolv, Inc. Case Study
App. A IDNSSE and SDSI
App. B VPN Basics
App. C Cryptographic Algorithms
App. D LDAP
Glossary
Index

First Chapter

Public Key Infrastructure Implementation and Design


By Suranjan Choudhury

John Wiley & Sons

ISBN: 0-7645-4879-4


Chapter One

Cryptography Basics

IN THIS CHAPTER

* The basics of cryptography

* Applications of cryptography

* Digital signatures

From the dawn of civilization, to the highly networked societies that we live in today - communication has always been an integral part of our existence. What started as simple sign-communication centuries ago has evolved into many forms of communication today - the Internet being just one such example. Methods of communication today include

* Radio communication

* Telephonic communication

* Network communication

* Mobile communication

All these methods and means of communication have played an important role in our lives, but in the past few years, network communication, especially over the Internet, has emerged as one of the most powerful methods of communication - with an overwhelming impact on our lives.

Such rapid advances in communications technology have also given rise to security threats to individuals and organizations. In the last few years, various measures and services have been developed to counter these threats. All categories of such measures and services, however, have certain fundamental requirements, which include

* Confidentiality, which is the process of keeping information private and secret so that only the intended recipient is able to understand the information. For example, if Alice has to send a message to Bob, then Bob only (and no other person except for Bob) should be able to read or understand the message.

* Authentication, which is the process of providing proof of identity of the sender to the recipient, so that the recipient can be assured that the person sending the information is who and what he or she claims to be. For example, when Bob receives a message from Alice, then he should be able to establish the identity of Alice and know that the message was indeed sent by Alice.

* Integrity, which is the method to ensure that information is not tampered with during its transit or its storage on the network. No unauthorized person should be able to tamper with the information or change the information during transit. For example, when Alice sends a message to Bob, then the contents of the message should not be altered and should remain the same as what Alice has sent.

* Non-repudiation, which is the method to ensure that information cannot be disowned. Once the non-repudiation process is in place, the sender cannot deny being the originator of the data. For example, when Alice sends a message to Bob, then she should not be able to deny later that she sent the message.

Before we look at the various mechanisms that provide these security services, let us look at the various types of security attacks that can be faced by an organization:

* Interruption: An attack in which one or more of the systems of the organization become unusable due to attacks by unauthorized users. This leads to systems being unavailable for use. Figure 1-1 displays the process of interruption.

* Interception: An unauthorized individual intercepts the message content and changes it or uses it for malicious purposes. After this type of attack, the message does not remain confidential; for example, if the contents of a message that Alice sends to Bob are read or altered during transmission by a hacker or an interceptor, Bob cannot consider the message to be confidential. Figure 1-2 displays the process of interception.

* Modification: The content of the message is modified by a third party. This attack affects the integrity of the message. Figure 1-3 displays the process of modification.

* Fabrication: In this attack, a third party inserts spurious messages into the organization network by posing as a valid user. This attack affects the confidentiality, authenticity, and integrity of the message. Figure 1-4 displays fabrication.

From securing sensitive military information to securing personal messages, you are often confronted with the need to mask information in order to protect it. One of the most important methods that help provide security to messages in transit is cryptography. It helps overcome the security issues described above that are involved in the delivery of messages over any communication channel. This chapter provides an overview of cryptography and popular cryptographic techniques.

NOTE

The term cryptology has its origin in the Greek kryptós lógos, which means "hidden word." Other examples of cryptography date back to circa 1900 B.C. when Egyptians began using hieroglyphics in inscriptions.

The Basics of Cryptography

Cryptography is the science of protecting data, which provides means and methods of converting data into unreadable form, so that

* The data cannot be accessed for unauthorized use.

* The content of the data frames is hidden.

* The authenticity of the data can be established.

* The undetected modification of the data is avoided.

* The data cannot be disowned by the originator of the message.

Cryptography is one of the technological means to provide security to data being transmitted on information and communications systems. Cryptography is especially useful in the cases of financial and personal data, irrespective of whether the data is being transmitted over a medium or is stored on a storage device. It provides a powerful means of verifying the authenticity of data and identifying the culprit if the confidentiality and integrity of the data are violated. Because of the development of electronic commerce, cryptographic techniques are extremely critical to the development and use of defense information systems and communications networks.

History of Cryptography

As already discussed, messages were first encrypted in ancient Egypt as a result of hieroglyphics. The Egyptians encrypted messages by simply replacing the original picture with another picture. This method of encryption was known as a substitution cipher. In this method, each letter of the cleartext message is replaced by some other letter, which results in an encrypted message or ciphertext. For example, the message

WELCOME TO THE WORLD OF CRYPTOGRAPHY

can be encrypted by using a substitution cipher as

XFMDPNF UP UIF XPSME PG DSZQUPHSBQIZ

In the preceding example, each letter of the plaintext message has been replaced with the next letter in the alphabet. This type of substitution is also known as the Caesar cipher.

The Caesar cipher is an example of a shift cipher because it involves shifting each letter of the plaintext message by some number of spaces to obtain the ciphertext. For example, if you shift the letters by 5, you get the following combination of plaintext and ciphertext letters:

Plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext: F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

However, simple substitution ciphers are not very reliable and can easily be broken. In such a case, an alternative is to use multiple alphabets instead of one alphabet. This type of cipher, which involves multiple cipher alphabets, is known as a polyalphabetic substitution cipher. An example of the polyalphabetic substitution cipher is the Vigenère cipher.

With the recent advances in mathematical techniques, there has been an acceleration in the development of newer methods of encryption. Today, cryptography has become so powerful that some ciphers are considered virtually impossible to break.
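The shift cipher and the polyalphabetic idea described above, as an added Python example that is not part of the book excerpt. It reproduces the ciphertext shown earlier, shows why a shift cipher fails (only 26 keys to try), and contrasts it with a keyword-driven Vigenère encryption; the crib word list and the keyword "KEY" are assumptions made for this example.

```python
import string

ALPHABET = string.ascii_uppercase
# Small crib list used to recognise English output (an assumption of this example).
COMMON_WORDS = {"THE", "OF", "TO", "AND", "IN", "IS", "IT", "FOR"}


def shift_encrypt(text: str, key: int) -> str:
    """Shift every letter A-Z forward by `key` places; leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(text: str, key: int) -> str:
    """Undo shift_encrypt by shifting backward by the same key."""
    return shift_encrypt(text, -key)


def vigenere_encrypt(text: str, keyword: str) -> str:
    """Polyalphabetic substitution: each letter's shift is taken from the keyword."""
    shifts = [ALPHABET.index(k) for k in keyword.upper()]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(shift_encrypt(ch, shifts[i % len(shifts)]))
            i += 1  # only letters consume keyword positions
        else:
            out.append(ch)
    return "".join(out)


def break_shift(ciphertext: str):
    """Try all 26 keys and keep the one whose output contains the most crib words."""
    best = (-1, 0, "")
    for key in range(26):
        candidate = shift_decrypt(ciphertext, key)
        score = sum(word in COMMON_WORDS for word in candidate.split())
        if score > best[0]:
            best = (score, key, candidate)
    return best[1], best[2]


if __name__ == "__main__":
    message = "WELCOME TO THE WORLD OF CRYPTOGRAPHY"  # plaintext from the text above
    ct = shift_encrypt(message, 1)
    print(ct)
    print(break_shift(ct))
    # With a keyword, one plaintext letter no longer maps to a single ciphertext letter.
    print(vigenere_encrypt(message, "KEY"))  # "KEY" is a constructed keyword
```

The exhaustive search works because the key space has only 26 values; a real recovery tool would score candidates with letter-frequency statistics rather than a fixed word list.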

Cryptography has now become an industry standard for providing information security, trust, controlling access to resources, and electronic transactions. Its use is no longer limited to just securing sensitive military information. In fact, cryptography is now recognized as one of the major components of the security policy of an organization.

Before moving further with cryptography, let us first look at a few terms that are commonly associated with cryptography:

* Plaintext: Is the message that has to be transmitted to the recipient. It is also commonly referred to as cleartext.

* Encryption: Is the process of changing the content of a message in a manner such that it hides the actual message.

* Ciphertext: Is the output that is generated after encrypting the plaintext.

* Decryption: Is the reverse of encryption and is the process of retrieving the original message from its encrypted form. This process converts ciphertext to plaintext.

* Hash algorithm: Is an algorithm that converts a text string into a string of fixed length.

* Key: Is a word, number, or phrase that is used to encrypt the cleartext. In computer-based cryptography, any text, key word, or phrase is converted to a very large number by applying a hash algorithm on it. The large number, referred to as a key, is then used for encryption and decryption.

* Cipher: Is a hash algorithm that translates plaintext into an intermediate form called ciphertext, in which the original message is in an unreadable form.

* Cryptanalysis: Is the science of breaking codes and ciphers.

Before looking at the details of various cryptographic techniques, let us now look at the steps involved in the conventional encryption model:

1. A sender wants to send a Hello message to a recipient.

2. The original message, also called plaintext, is converted to random bits known as ciphertext by using a key and an algorithm. The algorithm being used can produce a different output each time it is used, based on the value of the key.

3. The ciphertext is transmitted over the transmission medium.

4. At the recipient end, the ciphertext is converted back to the original text using the same algorithm and key that were used to encrypt the message.

This process is also shown in Figure 1-5.

Having looked at an overview of cryptography, let us now look at the various cryptography techniques available. For the purpose of classification, the techniques are categorized on the basis of the number of keys that are used. The two main cryptography techniques are

* Single key cryptography: This cryptography technique is based on a single key. It is also known as symmetric key or private key or secret key encryption.

* Public key cryptography: This cryptography technique is based on a combination of two keys: a secret key and a public key. It is also known as asymmetric encryption.

Let us look at each of these methods in detail.

Single Key Cryptography

The process of encryption and decryption of information by using a single key is known as secret key cryptography or symmetric key cryptography. In symmetric key cryptography, the same key is used to encrypt as well as decrypt the data. The main problem with symmetric key algorithms is that the sender and the receiver have to agree on a common key. A secure channel is also required between the sender and the receiver to exchange the secret key.

Here's an example that illustrates the process of single key cryptography. Alice wants to send a "For Your Eyes" message to Bob and wants to ensure that only Bob is able to read the message. To secure the transmission, Alice generates a secret key, encrypts the message with this key, and sends the message to Bob.

Figure 1-6 represents the process of secret key cryptography.

Now, to read the encrypted message, Bob would need the secret key that has been generated by Alice. Alice can give the secret key to Bob in person or send the key to Bob by any other means available. If Alice sends the key to Bob in person, it could be time-consuming depending on the physical distance between the two of them or other circumstances such as Bob's availability. After Bob receives the secret key, he can decrypt the message to retrieve the original message.

Many secret key algorithms were developed on the basis of the concept of secret key cryptography. The most widely used secret key algorithms include

* Data Encryption Standard (DES)

* Triple-DES (3DES)

* International Data Encryption Algorithm (IDEA)

* RC4

* CAST-128

* Advanced Encryption Standard (AES)

Let us consider these algorithms in detail in the following sections.

DATA ENCRYPTION STANDARD (DES)

DES, which is an acronym for the Data Encryption Standard, is the common name for the Federal Information Processing Standard (FIPS) 46-3. It describes the Data Encryption Algorithm (DEA). DEA is also defined in the ANSI standard X3.92. The DES algorithm is one of the most widely used encryption algorithms in the world. The Data Encryption Standard (DES) algorithm was developed by an IBM team in the 1970s and was adopted by the National Institute of Standards and Technology (NIST) for commercial applications.

NOTE

Refer to RFCs 1827 and 2144 for more information on DES.

DES is still surrounded by controversy. This controversy was originally fueled by the following facts:

* The key length used by this algorithm was reduced to 56 bits by the U.S. government, although the original design called for a key length of 128 bits, leading to a compromise on security. Although the algorithm for DES was published, the rationale for the design was never published.

* DES became widely available to the U.S. public and to approved users in other countries. However, DES was excluded by the U.S. government from protection of any of its own classified information.

The major weaknesses and attacks that are faced by DES are described below.

BRUTE FORCE ATTACK The simplest attack to decipher a DES key is the brute force attack. The brute force attack on the DES algorithm is feasible because of the relatively small key length (56 bits) and the ever-increasing computational power of computers. Until the mid-1990s, brute force attacks were beyond the capabilities of hackers because the cost of computers that were capable of hacking was extremely high and unaffordable. With the tremendous advancement in the field of computing, high-performance computers are relatively cheaper and, therefore, affordable.

Continues...


Excerpted from Public Key Infrastructure Implementation and Design by Suranjan Choudhury Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
