Page 606 - StudyBook.pdf
P. 606
590 Chapter 10 • Public Key Infrastructure
■ The ?name of the key owner, along with information verifying that the
person requesting key recovery is authorized to recover the key on behalf of
that key owner. (Note that this is often a subset of the same credentials that
would have been used to create the key in the first place.)
■ The time that the key was created.
■ The issuing CA server.
Once the CA (or the key recovery agent) verifies the KRI, the key recovery
process can begin.
M of N Control
As mentioned, some key recovery servers can break up the key recovery process
between multiple key recovery agents.This type of key recovery security is known
as m of n control. m of n works by splitting the PIN between n number of key
recovery agents, then reconstructing the PIN only if m number of recovery agents
provide their individual passwords. n must be an integer greater than 1 and m must
be an integer less than or equal to n. Going back to the example of Drew, let’s say
that we are using the m of n control and we have three separate key recovery
agents.
To be able to recover Drew’s private key, at least two of the key recovery agents
must be present. If Drew arrives in the office before the key recovery agents, he has
to wait for two of the three to arrive. If only one of the key recovery agents tried
to recover Drew’s key under m of n control, the recovery process would be denied.
TEST DAY TIP
Here is an easy way to remember the m of n control. Think about a
door to a house. Now imagine the door has two locks, one on the
handle and the other a deadbolt lock. If both locks were locked, and
you only had the key to the handle, you would have to wait for
someone who has the other key before you could open the door. That
would be an example of a 2-of-2 control. You could build a 2-of-3 con-
trol by having three doors, each with two locks, covering each combina-
tion of two-out-of-three keys.
www.syngress.com
