
Security without Obscurity: A Guide to PKI Operations [Hardcover]

  • Format: Hardback, 343 pages, height x width: 234x156 mm, weight: 664 g, 101 tables, black and white; 87 illustrations, black and white
  • Publication date: 17-Feb-2016
  • Publisher: Auerbach Publishers Inc.
  • ISBN-10: 1498707475
  • ISBN-13: 9781498707473
  • Price: 172,00 €* (hardcover)
  • * We will send you an offer for a used copy; its price may differ from the price shown on the website.
  • This book is out of print, but we will send you an offer for a used copy.
Most books on public key infrastructure (PKI) seem to focus on asymmetric cryptography, X.509 certificates, certificate authority (CA) hierarchies, or certificate policy (CP) and certificate practice statements. While algorithms, certificates, and theoretical policy are all excellent discussions, the real-world issues of operating a commercial or private CA can be overwhelming. Security without Obscurity: A Guide to PKI Operations provides a no-nonsense approach and realistic guide to operating a PKI system. In addition to discussions of PKI best practices, the book supplies warnings against bad PKI practices. Scattered throughout the book are anonymous case studies identifying both good and bad practices.

The highlighted bad practices, based on real-world scenarios from the authors' experiences, illustrate how bad things are often done with good intentions but cause bigger problems than the original one being solved.

This book offers readers the opportunity to benefit from the authors' more than 50 years of combined experience in developing PKI-related policies, standards, practices, procedures, and audits, as well as designing and operating various commercial and private PKI systems.

Reviews

"Finally a book that cuts through the dense fog surrounding PKI as an intellectual achievement to provide practical insights that can be applied with immediate benefit by the people charged with making PKI work. Security without Obscurity: A Guide to PKI Operations is a valuable reference that information security professionals will turn to again and again." Phillip H. Griffin, CISM, ISSA Fellow, IEEE Senior Member

"Jeff and Clay are certifiable in this practical guide to public key infrastructure (PKI). Because PKI is an operational system employing asymmetric cryptography, information technology (hardware and software), operating rules (policies and procedures), security (physical and logical security), and legal matters, a holistic approach is needed. They have provided the chart essential to navigating the operational aspects: what takes PKI from theory to practice." Ralph Spencer Poore, CFE, CISA, CISSP, PCIP, ISSA Distinguished Fellow

Table of Contents (start page, followed by page count in parentheses)

Preface ix
Authors xi
1 Introduction 1(18)
  1.1 About This Book 3(3)
  1.2 Security Basics 6(5)
  1.3 Standards Organizations 11(8)
2 Cryptography Basics 19(42)
  2.1 Encryption 22(4)
  2.2 Authentication 26(7)
  2.3 Nonrepudiation 33(3)
  2.4 Key Management 36(10)
  2.5 Cryptographic Modules 46(15)
3 PKI Building Blocks 61(40)
  3.1 PKI Standards Organizations 62(21)
  3.2 PKI Protocols: SSL and TLS 83(7)
  3.3 PKI Protocol: IPsec 90(1)
  3.4 PKI Protocol: S/MIME 91(1)
  3.5 PKI Methods: Legal Signatures and Code Sign 92(2)
  3.6 PKI Architectural Components 94(7)
4 PKI Management and Security 101(62)
  4.1 Introduction 109(11)
  4.2 Publication and Repository Responsibilities 120(3)
  4.3 Identification and Authentication 123(7)
  4.4 Certificate Lifecycle Operational Requirements 130(13)
  4.5 Facility, Management, and Operational and Physical Controls 143(7)
  4.6 Technical Security Controls 150(5)
  4.7 Certificate, CRL, and OCSP Profiles 155(2)
  4.8 Compliance Audits and Other Assessments 157(1)
  4.9 Other Business and Legal Matters 158(5)
5 PKI Roles and Responsibilities 163(20)
  5.1 Certificate Authority 163(8)
    5.1.1 Root CA 165(2)
    5.1.2 Online CA 167(3)
    5.1.3 OCSP Systems 170(1)
  5.2 Registration Authority 171(2)
  5.3 Policy Authority 173(2)
  5.4 Subscribers 175(1)
  5.5 Relying Party 176(1)
  5.6 Agreements 177(6)
    5.6.1 Certificate Authority Agreements 178(3)
    5.6.2 Registration Authority Agreements 181(1)
    5.6.3 Subscriber Agreements 181(1)
    5.6.4 Relying Party Agreements 182(1)
6 Security Considerations 183(30)
  6.1 Physical Security 185(7)
  6.2 Logical Security 192(11)
  6.3 Audit Logs 203(4)
  6.4 Cryptographic Modules 207(6)
7 Operational Considerations 213(30)
  7.1 CA Architectures 216(8)
  7.2 Security Architectures 224(3)
  7.3 Certificate Management 227(3)
  7.4 Business Continuity 230(5)
  7.5 Disaster Recovery 235(5)
  7.6 Affiliations 240(3)
8 Incident Management 243(26)
  8.1 Areas of Compromise in a PKI 244(8)
    8.1.1 Offline Root CA 244(1)
    8.1.2 Online Issuing CA That Has Multiple CA Subordinates 245(1)
    8.1.3 Online Issuing CA That Does Not Have Subordinate CAs 246(1)
    8.1.4 Online RA 246(1)
    8.1.5 Online CRL Service HTTP or HTTPS Location for Downloading CRLs 246(1)
    8.1.6 OCSP Responder 247(1)
    8.1.7 End User's Machine That Has a Certificate on It 247(1)
      8.1.7.1 Private Key Compromise 247(5)
      8.1.7.2 Private Key Access 252(1)
      8.1.7.3 Limited Access to the Private Key 252(1)
      8.1.7.4 Other Attacks 252(1)
  8.2 PKI Incident Response Plan 252(4)
  8.3 Monitoring the PKI Environment Prior to an Incident 256(3)
  8.4 Initial Response to an Incident 259(2)
  8.5 Detailed Discovery of an Incident 261(2)
  8.6 Collection of Forensic Evidence 263(2)
  8.7 Reporting of an Incident 265(4)
9 PKI Governance, Risk, and Compliance 269(38)
  9.1 PKI Governance 269(2)
  9.2 Management Organization 271(3)
  9.3 Security Organization 274(3)
  9.4 Audit Organization 277(3)
  9.5 PKI Risks 280(1)
  9.6 Cryptography Risks 280(7)
    9.6.1 Aging Algorithms and Short Keys 282(2)
    9.6.2 Modern Algorithms and Short Keys 284(1)
    9.6.3 Aging Protocols and Weak Ciphers 284(3)
    9.6.4 Aging or Discontinued Products 287(1)
  9.7 Cybersecurity Risks 287(4)
    9.7.1 Framework Core 288(1)
    9.7.2 Framework Profile 288(1)
    9.7.3 Framework Implementation Tiers 288(3)
  9.8 Operational Risks 291(3)
    9.8.1 Monitoring 291(1)
    9.8.2 Capacity 292(1)
    9.8.3 Continuity 292(1)
    9.8.4 Resources 293(1)
    9.8.5 Knowledge 293(1)
  9.9 PKI Compliance 294(1)
  9.10 Evaluation Criteria 295(5)
  9.11 Gap Assessment 300(4)
  9.12 Audit Process 304(3)
10 Advanced PKI 307(14)
  10.1 Industry Initiatives 308(3)
  10.2 Certificate Trust Levels 311(2)
  10.3 Relying Party Unit 313(2)
  10.4 Short-Term Certificates 315(2)
  10.5 Long-Term Certificates 317(4)
Bibliography 321(10)
Index 331
About the Authors

Jeff J. Stapleton is the author of Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity (CRC Press). Stapleton began his career at Citicorp Information Resources, St. Louis, Missouri, in 1982, as a software engineer writing 8-bit assembler code for a turnkey savings and loan teller system. He continued his work in the financial service industry at MasterCard International (St. Louis, Missouri), maintaining and developing credit card and debit card transaction applications on its global network, Banknet.

His introduction to cryptography began when he was assigned to develop a global key management system for MasterCard, and as part of that assignment, he began attending an Accredited Standards Committee (ASC) X9 Workgroup for retail banking security in 1989.

During his career, he has spoken at many conferences; participated in the development of numerous ANSI and ISO standards; and published various papers, articles, chapters, and his first book, Security without Obscurity.

W. Clay Epstein holds a bachelor of science in computer science from the University of Utah and a master of business administration in management information systems from Westminster College (Salt Lake City, Utah). He has international experience developing and managing public key infrastructures, primarily for the financial services industry.

Epstein was the CTO for Digital Signature Trust Co., a start-up company formed to address the legal and technical issues of secure electronic commerce across the Internet, and one of the first licensed Certificate Authorities (CAs) in the United States. He was the third employee, responsible for the overall operations and strategic technology development, implementation, and maintenance of the various CA systems.