
Public Key Infrastructure • Chapter 10  593

Key Usage

In today's networking environment, key pairs are used in a variety of different
functions. This book discusses topics such as virtual private network (VPN), digital
signatures, access control (SSH), secure Web access (Secure Sockets Layer [SSL]),
and secure e-mail (PGP, S/MIME). Each of these topics implements PKI for managing
communications between a host and a client. In most PKI implementations, only
single key pairs are used. However, certain situations may be presented where you
have to offer users multiple key pairs.

Multiple Key Pairs (Single, Dual)

Sometimes it becomes necessary for a CA to generate multiple key pairs. Normally,
this situation arises when there is a need to back up private keys, but the fear of a
forged digital signature exists. For example, consider Joe the backup operator. Joe is
responsible for the backup of all data, including users' private keys. Joe comes in
after a long weekend and decides that he deserves a raise. Since Joe has access to all
of the private keys, he can recover the CIO's private key, send a message to the
Human Resources department requesting a raise, and sign it using the CIO's
certificate. Since the CIO's digital signature provides non-repudiation, the Human
Resources manager would have no reason to question the e-mail.

To circumvent this problem, many PKIs support the use of dual keys. In the
example above, the CIO has two separate key pairs. The first key pair is used for
authentication or encryption, while the second key pair is used for digital
signatures. The private key used for authentication and encryption can still be backed
up (and therefore recovered) by Joe for safekeeping. However, the second private key
would never be backed up and would not provide the security loophole that using
single keys creates. The CIO could continue using his second private key for signing
e-mails without fear of the key being misused.
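As an added illustration (this is not code from the book), the following Go program models the dual-key arrangement just described: the CIO's encryption key pair goes into the backup operator's escrow, the signing key pair does not, so the escrow can still recover archived ciphertext but has nothing with which to produce a signature that verifies under the CIO's signing certificate. The type names DualKeyUser and Escrow, the function names, and the choice of RSA-OAEP for encryption and Ed25519 for signatures are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualKeyUser holds the two key pairs of the dual-key scheme: an RSA pair used only
// for encryption (may be escrowed) and an Ed25519 pair used only for signing (never backed up).
type DualKeyUser struct {
	EncPriv  *rsa.PrivateKey
	SignPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey
}
// Escrow is everything the backup operator receives: the encryption key only.
type Escrow struct{ EncPriv *rsa.PrivateKey }

func NewDualKeyUser() (*DualKeyUser, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DualKeyUser{EncPriv: encPriv, SignPriv: signPriv, SignPub: signPub}, nil
}

// Backup deliberately omits SignPriv, so a restored backup cannot forge signatures;
// Sign uses that non-escrowed key, so only the real owner can produce a valid signature.
func (u *DualKeyUser) Backup() Escrow          { return Escrow{EncPriv: u.EncPriv} }
func (u *DualKeyUser) Sign(msg []byte) []byte { return ed25519.Sign(u.SignPriv, msg) }

// EncryptTo encrypts for the owner under the escrowable key; Recover shows the escrowed key still does its job.
func EncryptTo(u *DualKeyUser, pt []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &u.EncPriv.PublicKey, pt, nil)
}
func (e Escrow) Recover(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, e.EncPriv, ct, nil)
}

func main() {
	cio, _ := NewDualKeyUser()
	ct, _ := EncryptTo(cio, []byte("constructed sample: archived memo")) // constructed input
	pt, _ := cio.Backup().Recover(ct)
	fmt.Printf("escrow recovered %q; owner signature valid: %v\n", pt, ed25519.Verify(cio.SignPub, pt, cio.Sign(pt)))
}
```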



TEST DAY TIP

    Remember that multiple key scenarios usually exist in cases where
    forged digital signatures are a concern. Multiple keys may also be used
    when there are different purposes for the certificates. For example, a
    user may wish to identify himself to a number of different Web sites,
    with a certificate for each, or he may wish to sign e-mail using a
    different certificate from that which he uses to authenticate.




