
CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [198]

and the IEEE are industrial associations concerned with different aspects of security. They aren’t required to coordinate their activities, but as a general rule, they do. The IEEE publishes many standards and guidelines that are adhered to by most manufacturers.

The series of stages in the management of a key or a certificate is called a key/certificate life cycle. A life cycle encompasses all the major aspects of the life of a key or a certificate from the time it’s generated until the time it’s retired. There are 10 areas/stages of a key’s life cycle:

■ Key generation

■ Key storage and distribution

■ Key escrow

■ Key expiration

■ Key revocation

■ Key suspension

■ Key recovery and archival

■ Key renewal

■ Key destruction

■ Key usage

You need to consider each of these stages when you implement a key or certificate within your organization. If you fail to properly address these issues, you can compromise the process or make more work for yourself. If the process isn’t followed, the entire system is vulnerable.

You must decide whether to use a centralized or a decentralized process to generate keys. Centralized key generation can potentially create a bottleneck or a single point of failure. Decentralized key generation can create administrative and security problems. Most modern implementations support both centralized and decentralized key generation.

Appropriate key storage is critical to maintaining a secure environment. Keys should be stored on hardened systems under close physical control. Keys can be stored in physical cabinets or on servers. Security storage failures are usually the result of human error. Distributing keys and transporting keys can present security challenges. Private keys should never be sent through the communications network; out-of-band transmission should be used to transport or distribute them. If an existing key has been compromised, the new key will be just as compromised. Public keys are intended for circulation; however, steps must be taken to protect their integrity.

Key escrow is the process by which keys are made available to law enforcement or other authorized agencies for use in conducting an investigation. Key escrow agents store these keys and release them to authorized authorities.

A key expires when it reaches the end of its life cycle. Typically, this is a date-driven event. An expired key may be reissued using a rollover process, but generally this is considered a bad practice. The longer a key is used, the more likely it is to be broken.

When a key or certificate has been identified as corrupt, compromised, or lost, it can be revoked. A CRL informs all of the end users and CAs that the certificate has been revoked. Once a key is revoked, it can no longer be used.

Keys are suspended to disable them for a period of time. Suspension may occur because the key holder has become ill or has taken time off. A key can be unsuspended and reused.

Key recovery is the ability to recover a lost key or to use a previously active key. Three types of keys must be considered in this process: current keys, previous keys, and archived keys. An organization can use a key archival system to recover information that has been encrypted using older keys. Key archival systems usually utilize some type of access control such as the M of N Control method, which stipulates that a certain number of people must be present to access key archives. A key archival system usually works in conjunction with a key-generating system to provide complete archiving.

Key destruction is the process of rendering a key unusable. Physical keys must be physically destroyed. Software keys and smart card keys should have their key files erased to prevent them from being used.

Exam Essentials


Be able to describe the process of a hashing algorithm. Hashing algorithms are used to mathematically derive a key from a message. The most common hashing standards for cryptographic applications are the SHA and MD algorithms.

Know the principles of a symmetric algorithm. A symmetric algorithm
