Security without Obscurity

Book description

This book provides a no-nonsense approach to operating a public key infrastructure (PKI) system. In addition to discussing PKI best practices, it warns against bad PKI practices. Scattered throughout the book are anonymous case studies that illustrate both good and bad practices. The highlighted bad practices, based on real-world scenarios from the authors' experiences, demonstrate how measures adopted with good intentions can end up causing bigger problems than the one they were meant to solve. This book offers the insight readers need to avoid these types of problems.

Table of contents

  1. Preface
  2. Authors
  3. Chapter 1: Introduction
    1. 1.1 About This Book
    2. 1.2 Security Basics
    3. 1.3 Standards Organizations
  4. Chapter 2: Cryptography Basics
    1. 2.1 Encryption
    2. 2.2 Authentication
    3. 2.3 Nonrepudiation
    4. 2.4 Key Management
    5. 2.5 Cryptographic Modules
  5. Chapter 3: PKI Building Blocks
    1. 3.1 PKI Standards Organizations
    2. 3.2 PKI Protocols: SSL and TLS
    3. 3.3 PKI Protocol: IPsec
    4. 3.4 PKI Protocol: S/MIME
    5. 3.5 PKI Methods: Legal Signatures and Code Sign
    6. 3.6 PKI Architectural Components
  6. Chapter 4: PKI Management and Security
    1. 4.1 Introduction
    2. 4.2 Publication and Repository Responsibilities
    3. 4.3 Identification and Authentication
    4. 4.4 Certificate Lifecycle Operational Requirements
    5. 4.5 Facility, Management, and Operational and Physical Controls
    6. 4.6 Technical Security Controls
    7. 4.7 Certificate, CRL, and OCSP Profiles
    8. 4.8 Compliance Audits and Other Assessments
    9. 4.9 Other Business and Legal Matters
  7. Chapter 5: PKI Roles and Responsibilities
    1. 5.1 Certificate Authority
      1. 5.1.1 Root CA
      2. 5.1.2 Online CA
      3. 5.1.3 OCSP Systems
    2. 5.2 Registration Authority
    3. 5.3 Policy Authority
    4. 5.4 Subscribers
    5. 5.5 Relying Party
    6. 5.6 Agreements
      1. 5.6.1 Certificate Authority Agreements
      2. 5.6.2 Registration Authority Agreements
      3. 5.6.3 Subscriber Agreements
      4. 5.6.4 Relying Party Agreements
  8. Chapter 6: Security Considerations
    1. 6.1 Physical Security
    2. 6.2 Logical Security
    3. 6.3 Audit Logs
    4. 6.4 Cryptographic Modules
  9. Chapter 7: Operational Considerations
    1. 7.1 CA Architectures
    2. 7.2 Security Architectures
    3. 7.3 Certificate Management
    4. 7.4 Business Continuity
    5. 7.5 Disaster Recovery
    6. 7.6 Affiliations
  10. Chapter 8: Incident Management
    1. 8.1 Areas of Compromise in a PKI
      1. 8.1.1 Offline Root CA
      2. 8.1.2 Online Issuing CA That Has Multiple CA Subordinates
      3. 8.1.3 Online Issuing CA That Does Not Have Subordinate CAs
      4. 8.1.4 Online RA
      5. 8.1.5 Online CRL Service HTTP or HTTPS Location for Downloading CRLs
      6. 8.1.6 OCSP Responder
      7. 8.1.7 End User’s Machine That Has a Certificate on It
        1. 8.1.7.1 Private Key Compromise
        2. 8.1.7.2 Private Key Access
        3. 8.1.7.3 Limited Access to the Private Key
        4. 8.1.7.4 Other Attacks
    2. 8.2 PKI Incident Response Plan
    3. 8.3 Monitoring the PKI Environment Prior to an Incident
    4. 8.4 Initial Response to an Incident
    5. 8.5 Detailed Discovery of an Incident
    6. 8.6 Collection of Forensic Evidence
    7. 8.7 Reporting of an Incident
  11. Chapter 9: PKI Governance, Risk, and Compliance
    1. 9.1 PKI Governance
    2. 9.2 Management Organization
    3. 9.3 Security Organization
    4. 9.4 Audit Organization
    5. 9.5 PKI Risks
    6. 9.6 Cryptography Risks
      1. 9.6.1 Aging Algorithms and Short Keys
      2. 9.6.2 Modern Algorithms and Short Keys
      3. 9.6.3 Aging Protocols and Weak Ciphers
      4. 9.6.4 Aging or Discontinued Products
    7. 9.7 Cybersecurity Risks
      1. 9.7.1 Framework Core
      2. 9.7.2 Framework Profile
      3. 9.7.3 Framework Implementation Tiers
    8. 9.8 Operational Risks
      1. 9.8.1 Monitoring
      2. 9.8.2 Capacity
      3. 9.8.3 Continuity
      4. 9.8.4 Resources
      5. 9.8.5 Knowledge
    9. 9.9 PKI Compliance
    10. 9.10 Evaluation Criteria
    11. 9.11 Gap Assessment
    12. 9.12 Audit Process
  12. Chapter 10: Advanced PKI
    1. 10.1 Industry Initiatives
    2. 10.2 Certificate Trust Levels
    3. 10.3 Relying Party Unit
    4. 10.4 Short-Term Certificates
    5. 10.5 Long-Term Certificates
  13. Bibliography
    1. B.1 ASC X9
    2. B.2 ETSI
    3. B.3 IETF
    4. B.4 ISO
    5. B.5 NIST
    6. B.6 PKCS
    7. B.7 Miscellaneous

Product information

  • Title: Security without Obscurity
  • Author(s): Jeff Stapleton, W. Clay Epstein
  • Release date: February 2016
  • Publisher(s): Auerbach Publications
  • ISBN: 9781498788212