558 Chapter 10 • Public Key Infrastructure
Introduction
From its earliest days in academia, the Internet was designed with the assumption
that it was something akin to a “private club,” with the main goal being the free
exchange of ideas and information. Although many of the research partners
engaged in developing the networking protocols underlying the Internet were from
the United States government’s Department of Defense, protection was assumed to
be present by the sheer complexity and innovativeness of the network itself, and an
unstated assumption that “gentleman engineers” would not engage in deceitful
endeavors. With the birth of the World Wide Web (the “Web”) in the early 1990s,
the Internet was opened up to anyone and everyone, and it soon became clear that
something would need to be done to allow users, public and technical alike, to
confirm that they were communicating with correctly identified parties.
A related goal was to allow for the secret transmission of data across networks
that were assumed to be publicly open and under attack by people monitoring
and/or altering the traffic flowing across them. The protection from monitoring
and alteration attacks has already been discussed in the chapter on cryptography,
and the identification of communicating parties was achieved through protocols
that allow for Public Key Infrastructures (PKIs) to be created and used.
The Security+ exam covers PKI completely, due to its extensive integration
into modern networks for security purposes. The Security+ exam also covers the
components of PKI, such as certificates, trust models, and specialized servers. The
Security+ exam tests your knowledge of key management and certificate lifecycle
issues, including storage, revocation, renewal, and suspension. To survive in this
evolving world of network security, you need to have a proficient understanding of
PKI, not only as it is currently implemented in technology, but also as a conceptual
framework that will be used regardless of the underlying technology.
PKI
With the incredible growth of the Internet, there is an increasing need for entities
(people, computers, or companies) to prove their identity. As the old New Yorker
cartoon has it, “On the Internet, no one knows you’re a dog” - anyone can be sitting
behind a keyboard at the other end of a transaction or communication, so
who is responsible for verifying their credentials, and how can those credentials be
reliably verified?
PKI was developed to solve this very problem. The PKI identification process is
based on the use of unique identifiers known as keys. Each person using PKI cre-
www.syngress.com