Storing and Revoking Keys

by Bill Kuriko.
Share
|
Homepage | Submit your article | Contact | TOS
More articles on data security  

You are here: Categories » Computers and technology » Data security

Key storage arises when a user needs to protect a cryptographic key in a way other than by remembering it. If the key is public, of course, any certificate-based mechanism will suffice, because the goal is to protect the key's integrity. But secret keys (for classical cryptosystems) and private keys (for public key cryptosystems) must have their confidentiality protected as well.

Key Storage

Protecting cryptographic keys sounds simple: just put the key into a file, and use operating system access control mechanisms to protect it. Unfortunately, operating system access control mechanisms can often be evaded or defeated, or may not apply to some users. On a single-user system, this consideration is irrelevant, because no one else will have access to the system while the key is on the system. On a multiuser system, other users have access to the system. On a networked system, an attacker could trick the owner into downloading a program that would send keystrokes and files to the attacker, thereby revealing the confidential cryptographic key. We consider these systems.

On such systems, enciphering the file containing the keys will not work, either. When the user enters the key to decipher the file, the key and the contents of the file will reside in memory at some point; this is potentially visible to other users on a multiuser system. The keystrokes used to decipher the file could be recorded and replayed at a later date. Either will compromise the key.

A feasible solution is to put the key onto one or more physical devices, such as a special terminal, ROM, or smart card. The key never enters the computer's memory. Instead, to encipher a message, the user inserts the smart card into a special device that can read from, and write to, the computer. The computer sends it the message to be protected, and the device uses the key on the smart card to encipher the message and send it back to the computer. At no point is the cryptographic key exposed.

A variant relies on the observation that if the smart card is stolen, the thief has the cryptographic key. Instead of having it on one card, the key is split over multiple devices (two cards, a card and the physical card reader, and so on.) Now, if a thief steals one of the cards, the stolen card is useless because it does not contain the entire key.

Key Revocation

Certificate formats contain a key expiration date. If a key becomes invalid before that date, it must be revoked. Typically, this means that the key is compromised, or that the binding between the subject and the key has changed.

We distinguish this from an expired certificate. An expired certificate has reached a predesignated period after which it is no longer valid. That the lifetime has been exceeded is the only reason. A revoked certificate has been canceled at the request of the owner or issuer for some reason other than expiration.

There are two problems with revoking a public key. The first is to ensure that the revocation is correctin other words, to ensure that the entity revoking the key is authorized to do so. The second is to ensure timeliness of the revocation throughout the infrastructure. This second problem depends on reliable and highly connected servers and is a function of the infrastructure as well as of the locations of the certificates and the principals who have copies of those certificates. Ideally, notice of the revocation will be sent to all parties when received, but invariably there will be a time lag.

The X.509 and Internet public key infrastructures (PKIs) use lists of certificates.

A certificate revocation list is a list of certificates that are no longer valid.

A certificate revocation list contains the serial numbers of the revoked certificates and the dates on which they were revoked. It also contains the name of the issuer, the date on which the list was issued, and when the next list is expected to be issued. The issuer also signs the list [865]. Under X.509, only the issuer of a certificate can revoke it.

PGP allows signers of certificates to revoke their signatures as well as allowing owners of certificates, and their designees, to revoke the entire certificates. The certificate revocation is placed into a PGP packet and is signed just like a regular PGP certificate. A special flag marks it as a revocation message.

Share
Leave a comment or ask a question
Total comments: 0

Data security Disclaimer

  • The e-articles directory is not responsible for any and all copyright infringements by writers and authors. If you suspect the information contained by this page for any copyright infringements, please contact us to investigate the issue
How to protect against Spoofing and Session Hijacking - Spoofing is the term hackers use to describe the act of faking information sent to a computer. This is a broad definition of spoofing, but there are many subtle variations of this attack. Howev (more...)
Online Security on Public Computers - Using public computers can put you at risk for password hackers who use tools such as keystroke logging devices. Find out how to protect yourself from criminals preying on public computers. (more...)
How to Create a Strong Password - Using a password keeper can help you keep your online information more secure by allowing you to create more complex passwords for your Internet accounts without having to remember them. Here a (more...)
How Many Passwords do You Know to Protect Your Computer Privacy - 1.Administrators Password: It is the most common way to lock your computer. But is it the safest way? Mostly, it is the easiest way to lock your computer. How to (more...)
What will be a perfect password - Myth: if it is encrypted, it is secure Truth: if it is not encrypted, it is not secure Before creating a password you should know: ⑴ NO passwo (more...)
How to bypass Windows Password - Forgot or lost windows password? Have been locked out of computer? Do not want to reinstall the computer because there is vital data on your computer? Oh, well, it is not that scar (more...)
UniKey API protection scheme ensures the highest security for software vendors - A question that regularly was come up is whether software could be one hundred percent secured by a dongle, or thought some dongles have been seriously cracked, why most expensive software still us (more...)
Sharing online passwords with important people - On the surface, it might seem ludicrous to think that anyone would want to share their important Internet passwords with other people. But the truth is that there are many instances where you might (more...)
Using tags can help you organize your passwords - For people with multiple Internet log-ins, keeping them organized can be incredibly complex. A service like Mitto.com can simplify the process by allowing you to attach tags to your log-in info (more...)
Rogue antispyware is a danger for all Internet users - There are several common but very popular viruses that everyone can catch nowadays. That's swine flue and malicious software. Swine flue can be dangerous to your health though in the most cases it (more...)
 
free content
    Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.