| Foreword | p. xv |
| About the Authors | p. xvii |
| About the Reviewers | p. xix |
| Preface | p. xxi |
| Introduction | p. 1 |
| Security Trends | p. 2 |
| Electronic Commerce and Security Today | p. 3 |
| Security Services | p. 3 |
| Public Key Infrastructure | p. 6 |
| Applications | p. 7 |
| Audience | p. 7 |
| About this Book | p. 8 |
| About the Authors | p. 10 |
| Introduction to Cryptography | p. 11 |
| My Mom | p. 11 |
| Is Cryptography Really Needed? | p. 12 |
| Cryptography | p. 15 |
| Cryptographic Algorithms | p. 15 |
| Cryptology and Cryptanalysis | p. 16 |
| Security by Obscurity | p. 17 |
| Cryptography 101 | p. 18 |
| The Characters | p. 19 |
| Symmetric Cryptography | p. 21 |
| Pick a Number, Any Number | p. 21 |
| Symmetric Cryptography Recap | p. 28 |
| Asymmetric Cryptography | p. 29 |
| Public and Private Keys | p. 31 |
| The Benefits and Drawbacks of Asymmetric Cryptography | p. 34 |
| Asymmetric Cryptography Recap | p. 35 |
| The Best of Both Worlds | p. 35 |
| Hashes | p. 39 |
| Digital Signatures | p. 41 |
| Digital Certificates | p. 45 |
| Non-Repudiation | p. 49 |
| Congratulations! | p. 50 |
| Cryptography Recap | p. 50 |
| Securing Web Transactions | p. 51 |
| Why Isn't Cryptography Pervasive Yet? | p. 56 |
| Standards-Based, Interoperable Solutions | p. 57 |
| Getting Burned | p. 57 |
| Migration | p. 59 |
| The Test | p. 60 |
| Reference | p. 61 |
| Public Key Infrastructure Basics | p. 63 |
| Public Key Infrastructure Basics | p. 63 |
| Why Isn't Public Key Cryptography Enough? | p. 64 |
| The Need for Trusted Identities | p. 66 |
| Certification Authorities | p. 68 |
| What Is a Digital Certificate? | p. 70 |
| Application Use of Certificates | p. 77 |
| Why Do You Need a Public Key Infrastructure? | p. 79 |
| User Authentication | p. 80 |
| Public Key Infrastructure Components | p. 83 |
| Key and Certificate Life Cycle Management | p. 88 |
| The Role of Authorization | p. 89 |
| Summary | p. 93 |
| References | p. 94 |
| PKI Services and Implementation | p. 95 |
| Key and Certificate Life Cycle Management | p. 95 |
| Certificate Issuance | p. 96 |
| How Long Will that Key Last? | p. 103 |
| Certificate Revocation | p. 106 |
| Certificate Validation | p. 108 |
| Certification Paths | p. 109 |
| Types of Keys | p. 115 |
| Certificate Distribution | p. 118 |
| Fundamental Requirements | p. 121 |
| Protection of Private Keys | p. 122 |
| Deploying PKI Services | p. 128 |
| Public Certification Authority Services | p. 129 |
| In-House Enterprise Certification Authorities | p. 132 |
| Outsourced Enterprise CAs | p. 133 |
| How Do You Decide? | p. 135 |
| Summary | p. 136 |
| References | p. 137 |
| Key and Certificate Life Cycles | p. 139 |
| Non-Repudiation and Key Management | p. 139 |
| Key Management | p. 141 |
| Key Generation | p. 141 |
| Key Stores | p. 144 |
| Key Transport | p. 145 |
| Key Archival | p. 147 |
| Key Recovery | p. 150 |
| Certificate Management | p. 155 |
| Certificate Registration | p. 156 |
| End-Entity Certificate Renewal | p. 163 |
| CA Certificate Renewal | p. 163 |
| Certificate Revocation | p. 165 |
| Summary | p. 178 |
| A PKI Architecture--The PKIX Model | p. 179 |
| Public Key Infrastructure Architecture | p. 179 |
| The PKIX Model | p. 179 |
| PKIX Architecture | p. 181 |
| PKIX Functions | p. 183 |
| PKIX Specifications | p. 186 |
| PKI Entities | p. 188 |
| Registration Authority | p. 188 |
| Certification Authority | p. 190 |
| Repository | p. 191 |
| PKIX Management Protocols | p. 191 |
| CMP | p. 192 |
| CMC | p. 197 |
| Non-PKIX Management Protocols | p. 200 |
| SCEP | p. 200 |
| PKIX Certificate Validation Protocols | p. 202 |
| OCSP | p. 203 |
| SCVP | p. 205 |
| OCSP-X | p. 207 |
| Summary | p. 208 |
| References | p. 208 |
| Application Use of PKI | p. 211 |
| PKI-Based Services | p. 211 |
| Digital Signature | p. 211 |
| Authentication | p. 212 |
| Timestamp | p. 213 |
| Secure Notary Service | p. 213 |
| Non-Repudiation | p. 214 |
| PKI-Based Protocols | p. 216 |
| Diffie-Hellman Key Exchange | p. 217 |
| Secure Sockets Layer | p. 219 |
| IPsec | p. 223 |
| S/MIME | p. 228 |
| Time Stamp Protocol | p. 229 |
| WTLS | p. 229 |
| Formatting Standards | p. 230 |
| X.509 | p. 230 |
| PKIX | p. 231 |
| IEEE P1363 | p. 231 |
| PKCS | p. 232 |
| XML | p. 234 |
| Application Programming Interfaces | p. 234 |
| Microsoft CryptoAPI | p. 235 |
| Common Data Security Architecture | p. 236 |
| Generic Security Service API | p. 238 |
| Lightweight Directory Access Protocol | p. 238 |
| Application and PKI Implementations | p. 239 |
| Signed Data Application | p. 240 |
| Summary | p. 241 |
| Trust Models | p. 243 |
| What Is a Trust Model? | p. 243 |
| Trust | p. 244 |
| Trust Domains | p. 245 |
| Trust Anchors | p. 246 |
| Trust Relationships | p. 247 |
| General Hierarchical Organizations | p. 249 |
| Trust Models | p. 251 |
| Subordinated Hierarchical Models | p. 251 |
| Peer-to-Peer Models | p. 256 |
| Mesh Models | p. 260 |
| Hybrid Trust Models | p. 268 |
| Who Manages Trust? | p. 273 |
| User Control | p. 273 |
| Local Trust Lists | p. 276 |
| Managed Trust | p. 278 |
| Certificate Policy | p. 280 |
| Constrained Trust Models | p. 281 |
| Path Length | p. 281 |
| Certificate Policies | p. 282 |
| Path Construction and Validation | p. 286 |
| Path Construction | p. 287 |
| Path Validation | p. 289 |
| Implementations | p. 290 |
| Identrus Trust Model | p. 290 |
| ISO Banking Trust Model | p. 292 |
| Bridge CA | p. 294 |
| Summary | p. 296 |
| References | p. 296 |
| Authentication and PKI | p. 299 |
| Who Are You? | p. 299 |
| Authentication | p. 299 |
| Authentication and PKI | p. 301 |
| Secrets | p. 302 |
| Passwords | p. 302 |
| Passwords in the Clear | p. 302 |
| Something Derived from Passwords | p. 304 |
| Adding a Little Randomness | p. 306 |
| Password Update | p. 311 |
| Here Come the Problems | p. 312 |
| The Costs of Passwords | p. 315 |
| Passwords Recap | p. 316 |
| Passwords and PKI | p. 316 |
| Moore's Law Has Got Us! | p. 318 |
| Work to Strengthen Passwords | p. 319 |
| Authentication Tokens | p. 320 |
| 2-Factor Authentication | p. 321 |
| Types of Authentication Tokens | p. 322 |
| PIN Management | p. 331 |
| Authentication Token Recap | p. 334 |
| Authentication Tokens and PKI | p. 334 |
| Smart Cards | p. 337 |
| Smart Card Construction | p. 337 |
| Talking to a Smart Card | p. 339 |
| Smart Card Classifications | p. 341 |
| Non-Crypto Cards | p. 342 |
| Crypto Cards | p. 343 |
| When Are Smart Cards Not Smart Cards? | p. 345 |
| Applications on a Smart Card | p. 346 |
| Smart Card Operating Systems | p. 347 |
| Smart Card Tamper Resistance | p. 348 |
| Structural Tamper Resistance | p. 351 |
| Smart Card Recap | p. 354 |
| Smart Cards and PKI | p. 355 |
| Biometric Authentication | p. 359 |
| How Biometrics Work | p. 359 |
| Biometric Data | p. 360 |
| Registration | p. 361 |
| FAR/FRR | p. 362 |
| The Biometric Design Center | p. 362 |
| Issues with Biometrics | p. 364 |
| Coverage | p. 364 |
| Agent-Side Spoofing | p. 365 |
| Server-Side Attacks | p. 367 |
| Social Issues | p. 368 |
| Cross-System Replay | p. 369 |
| Revocation | p. 370 |
| Recommendations | p. 371 |
| The Holy Grail: Biometrics and PKI | p. 372 |
| Biometric Recap | p. 373 |
| Wrapping Up Authentication | p. 374 |
| Deployment and Operation | p. 377 |
| PKI Planning | p. 377 |
| Business Drivers | p. 378 |
| Applications Planning | p. 380 |
| Architecture Planning | p. 381 |
| User Impact | p. 384 |
| Support and Administration | p. 386 |
| Infrastructure Impact | p. 387 |
| Certificate Content Planning | p. 389 |
| Database Integration | p. 391 |
| Legal and Policy Considerations | p. 393 |
| Trust Models | p. 397 |
| Deployment Considerations | p. 403 |
| Operational Considerations | p. 405 |
| Summary | p. 407 |
| PKI and Return on Investment | p. 409 |
| Total Cost of Ownership: The "I" in ROI | p. 410 |
| Products/Technologies | p. 411 |
| Plant (Facilities) | p. 413 |
| People | p. 413 |
| Process | p. 413 |
| Total Cost of Ownership: Summary | p. 414 |
| Financial Returns: The "R" in ROI | p. 414 |
| Business Process | p. 416 |
| Metrics | p. 421 |
| Revenues | p. 421 |
| Costs | p. 423 |
| Compliance | p. 427 |
| Risks | p. 428 |
| Financial Returns: Summary | p. 430 |
| PKI ROI: Summary | p. 431 |
| References | p. 433 |
| X.509 Certificates | p. 435 |
| Solution to the Test | p. 461 |
| Privilege Management Infrastructure | p. 469 |
| Glossary | p. 487 |
| Index | p. 497 |
| Table of Contents provided by Syndetics. All Rights Reserved. |