e-Commerce Security—Public Key Infrastructure: Good Practices for Secure Communications 

Table of Contents

ACKNOWLEDGEMENTS

EXECUTIVE SUMMARY

INTRODUCTION
  Defining PKI
  Security and Trust
  Public and Private
  Cryptography and E-commerce
  Purposes of Modern Cryptography
  PKI and the Role of Authentication

A TUTORIAL ON PUBLIC KEY CRYPTOGRAPHY
  How Symmetrical Key Cryptography Can Provide Confidentiality
  How Symmetrical Cryptography Can Provide Integrity Protection
  The Key Management Problem
  Public Key Cryptography

DIGITAL CERTIFICATES AND THEIR ROLE IN PROTECTING MESSAGES
  Digital Certificates: A Simple Explanation (The Original Model)
  Digital Certificates: A Current Explanation
  Sending Plaintext Messages with Digital Certificates and Digital Signatures
  Identity Trust Certification Trees
  Alternate CA Structures
  Attribute Certificates

KEYS AND CERTIFICATES: THE PKI LIFECYCLE
  The Basis for the Lifecycle
  Summary of the Certificate Lifecycle
  Key Generation
  Submission of Registration Information
  Registration
  Certification
  Distribution
  Usage
  Revocation or Expiration
  Renewal
  Recovery
  Archiving Certificates and Actions Taken on Them

APPLICATION OF PKIs TO E-COMMERCE
  The Conceptual Framework for E-commerce
  Cryptographic Functions Supported by PKIs
  PKIs and Nonrepudiation
  PKIs and Business-to-Customer (B2C) Transactions
  PKIs and Business-to-Business (B2B) Transactions

CERTIFICATION AND ITS DISCONTENTS
  Risks Mitigated by Encryption
  Risks Mitigated by a PKI
  The Risks Inherent in a PKI

KERBEROS: AN ALTERNATIVE APPROACH
  Kerberos Explained
  Initializing the Kerberos System
  Exchanging Keys
  Kerberos Protocol Properties
  The Cautionary Tale

CONCLUSION: THE FUTURE OF PKI AND E-COMMERCE

ENDNOTES

FREQUENTLY ASKED QUESTIONS

GLOSSARY

APPENDIX A
  Table of Contents of Verisign DOD IECA Certification
  Practices Statement, Version 2.2, 11 April 2000

APPENDIX B
  Symmetrical (Private) Key Encryption
    Audit Objectives
    Functional Objectives
    Internal Control Questionnaire
  PKI, Digital Certificates in E-commerce
    Audit Objectives
    Functional Objectives
    Internal Control Questionnaire

INDEX