CertiGuide to Security+  9  Chapter 4:  Basics of Cryptography (Domain 4.0; 15%)

4.5.10.1  Multiple Key Pairs (Single, Dual) 1 2 3 4 5 6 4.7  Success Questions

Cryptography Standards

You learned that cryptography is standardized by a variety of organizations including:

• IEEE
  
  
• ANSI, responsible for the X.509 certificate standard, currently at X.509v3 and the X.509v2 Certificate Revocation List, or CRL, standard; also sponsors X9F1 committee for financial industry cryptography standards.
  
  
• IETF, whose PKIX, or PKI X.509, committee is involved in issues around public key management; PKIX defines certificate formats and protocols for issuing and authenticating certificates.
  
  
• RSA Data Security, a market leader in asymmetric crypto, many ANSI X9 standards were first developed by RSA in their series of PKCS standards, including PKCS #3 dealing with Diffie-Hellman Key Agreement, PKCS #10 for requesting certificates and PKCS #11 which details an interface for accessing data from smartcards.
  
  
• FIPS, a series of standards developed by NIST and used by the government; they include secure hashing, digital signatures and AES encryption standards.

You also learned about the certificate life cycle, including events like:

• Issuance, certificates are requested by the individual or supervising organization; the CA verifies the requester’s identity, generates a key pair and certificate, and sends these items to the requester.
  
  
• Suspension, temporary invalidation of a certificate, often used if you suspect compromise of the private key but don’t know for sure if it has occurred.
  
  
• Expiration, when the certificate reaches the expiration date listed in the certificate, it is no longer valid; the normal valid period for a certificate is a year or two.
  
  
• Status Checking, users of a certificate can AND SHOULD check the status of a certificate to ensure it is still valid before relying on it for anything; practically speaking, client software such as an email client program is notorious for NOT doing this, and thus accepting certificates which may not be valid, so users are encouraged to check certificates independently.
  
  
• Revocation, the irreversible invalidation of a certificate; once revoked, a certificate is no longer considered valid; this can happen if the subscriber informs the CA that the private key for that certificate has been compromised; certificates can be revoked by being placed on a CRL, or by inclusion in an OCSP, or online certificate status protocol, database, which is a newer revocation list management system that enables more up-to-date status tracking.
  
  
• Recovery, the process of reacquiring a private key that has been lost due to hardware failure, user error, etc.; an organization might also want to recover a private key for an ex-employee if required for a business function or law enforcement investigation; relies on key escrow and secure storage.
  
  
• Renewal, the process of re-validating or replacing a certificate that is near or at its expiration date; some CA’s recommend totally replacing a certificate with a new key pair; others think just issuing an updated one with the current key pair is sufficient.
  
  
• Destruction, the permanent removal of a key pair you no longer need.

4.5.10.1  Multiple Key Pairs (Single, Dual) 1 2 3 4 5 6 4.7  Success Questions