Cisco PKI Uncovered


PKI Uncovered 
Authors: Andre Karamanian, Srinivas Tenneti, Francois Dessart
Cisco Press

Public key cryptography, the underlying technology in Public Key Infrastructures (PKI), is perhaps the most important security innovation of all time. PKI is the engine that makes e-commerce work; it is a critical component of the Internet, yet not widely understood, even if widely deployed. A key element of PKIs is the digital certificate defined in ITU-T X.509 and the related RFCs. Digital certificates are essential to the SSL protocol (used in HTTPS, secure FTP, SSH, etc.), the IPsec protocol (widely used in many VPN architectures) and S/MIME (in secure messaging). This book provides one of the few accessible PKI implementation guides out there, and it is completely based on Cisco IOS devices.

As an implementation guide, the book is suitable for PKI implementation or support engineers, security architects, security engineers and security solution integrators. While accessible to security executives and perhaps CIOs, its primary audience is security solution implementers.

Organized into three sections and eleven chapters, the 245-page book provides a cursory overview of PKIs and the underlying technologies, including encryption, digital certificates and digital signatures; a set of design guidelines and procedures; and two cogent case studies.

Chapter one is a thirteen-page “crypto refresh” covering what the authors consider pertinent: the basis for encryption as confidentiality, integrity and non-repudiation, and a broad scan of symmetric and asymmetric encryption, hashes, digital signatures and Internet key exchange. For an in-depth or even intermediate review of these topics, you must consult other sources.

Chapter two lays out the core components or building blocks of a PKI: certificates and their basic structure, the certificate authority (CA), the registration authority (RA), certificate storage in various devices and systems, and end entities. In chapter three, the authors describe some essential PKI processes, including certificate enrollment, expiration and renewal, verification and enforcement, as well as the concept of PKI system resiliency. Additional topics include certificate revocation, certificate rollover and integration with an AAA server. The last chapter of the core concepts section, chapter four, focuses on troubleshooting, from issues related to the encryption keys, to the enrollment process, to certificates in use. While the design guidelines are mostly generic, the commands are only useful for Cisco IOS devices. Many enterprise PKI solutions will rely on Microsoft PKI (in Windows Server) or an OpenSSL-based solution on *NIX systems, where the commands will of course be different. Also, the recommendation to store the CA database on an FTP server may not provide the most robust solution for security and resiliency.

Chapters five through nine address several design and deployment solutions, from a review of generic PKI designs (chapter 5) to various integration options (chapter 6: large-scale site-to-site VPN; chapter 7: remote-access VPN; chapter 8: 802.1X certificate- and identity-based networking; and chapter 9: unified communications).

The last section presents two case studies: one highlighting PKI in a Cisco virtual private office scenario, and the other using Cisco Security Manager to configure VPNs with PKI.

This is another good book from the talented cadre of Cisco Press authors. The authors demonstrate expertise and flair in the requisite Cisco technologies. This is a handy guide for network administrators, network security engineers, and IAM administrators in a Cisco-centric network. A must-buy for Cisco security certification candidates.