Page 605 - StudyBook.pdf
P. 605

Public Key Infrastructure • Chapter 10  589


                 EXAM WARNING
                      The means to differentiating between a suspended key and a revoked
                      key is to check the reason for revocation. If the certificate appears in a
                      CRL as a Certification Hold, it is suspended and not revoked. Think
                      “drivers license”—if it is revoked, you are not getting it back. If it is sus-
                      pended, you may get it back after a specific period of time.





                 Recovery

                 Sometimes it may be necessary to recover a key from storage. One of the problems
                 that often arises regarding PKI is the fear that documents will be unrecoverable,
                 because someone loses or forgets their private key. Let’s say that employees use
                 Smart Cards to hold their private keys. Drew, one of the employees, accidentally
                 left his wallet in his pants and it went through the wash, Smart Card and all. If
                 there is no method of recovering keys, Drew would not be able to access any doc-
                 uments or e-mail that used his existing private key.
                    Many corporate environments implement a key recovery server for the sole
                 purpose of backing up and recovering keys.Within an organization, there is at least
                 one key recovery agent.A key recovery agent is an employee who has the authority
                 to retrieve a user’s private key. Some key recovery servers require that two key
                 recovery agents retrieve private user keys together for added security (separation of
                 duties).This is similar to certain bank accounts, which require two signatures on a
                 check for added security. Some key recovery servers also have the ability to func-
                 tion as a key escrow server, thereby adding the ability to split the keys onto two
                 separate recovery servers, further increasing the security.

                 Key Recovery Information

                 Now that the contents of Drew’s wallet have been destroyed, he is going to have to
                 get his license, credit cards, and other items replaced. For him to get a new license,
                 Drew is going to have to be able to prove his identity to the DMV. He may need
                 to bring his social security card, birth certificate, passport, and so forth. Since the
                 DMV is a trusted authority, they are going to make sure that Drew is who he
                 claims to be before they will issue him another license.
                    CAs and recovery servers also require certain information before they allow a
                 key to be recovered.This is known as Key Recovery Information (KRI). KRI usu-
                 ally consists of:



                                                                              www.syngress.com
   600   601   602   603   604   605   606   607   608   609   610