PKI – the public key infrastructure

Security Engineering
Ross Anderson
2001, New York, NY: John Wiley & Sons
The Code Book
Simon Singh
1999, London, UK: Fourth Estate
CESG (The "information assurance arm" of GCHQ)
In 1973, inspired by the pioneering work of James Ellis a few years earlier, Cliff Cocks of CESG invented the first practical method for what we now call public key cryptography (PKC). The technology was subsequently discovered independently and developed into RSA; it was not until 1997 that it was publicly revealed that CESG had got there first!
Netscape glossary of PKI terms
What is a PKI?
The comprehensive system required to provide public-key encryption and digital signature services is known as a public-key infrastructure.
PGP Desktop Security, Appendix C
"If all the personal computers in the world—260 million—were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message.” —William Crowell, Deputy Director, National Security Agency, March 20, 1997.
X.509 Certificates and Certificate Revocation Lists (CRLs)
In One Sentence: What is a Certificate?
Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure
Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI.
Are your secrets safe?
... Two cryptographers have discovered that the randomness of the "keys" that are used to encode encrypted documents could be their downfall ... The more random a private signature key is, the harder it is to crack encrypted files. But by scanning hard drives for chunks of data that are particularly random, the pair found that it is possible to weed out keys stored on a disc. Most programs organise data into some sort of level of structure, so blocks of randomness stand out and can be spotted with the same ease that a human eye can tell the difference between a good TV picture from one with lots of interference ... "It would be possible to write a program that searches the hard disc automatically and sends the key to the villain," says van Someren. This, he says, could be carried out by a virus that runs only when the screensaver is on, making it extremely difficult for the user to detect. A running screensaver could contain viral code that would tell a hacker when the user is away from their desk—and thus wouldn't notice the computer slowing down as the virus hunts for keys.

© 2002-2007 Business Consultancy Services Ltd
on behalf of Dematerialised ID Ltd