Re: Multi-layered PKI implementation
- From: Digby Tarvin <digbyt@xxxxxxx>
- Date: Fri, 5 May 2006 02:00:32 +0100
On Thu, May 04, 2006 at 07:16:05PM -0500, Grant Thomas wrote:
Thanks for the explanations, they are rather more indepth than I was
expecting for an idle curiosity.
Thanks for the verbosity and the need for clarification, they are
always appreciated. As with many things, it is better to cut too long
and adjust than to start short and really mess up.
I did figure that the access control wasn't built into the scheme and
would take an external ACL implementation to do something like this.
In retrospect, I probably did have a slightly distorted impression of
PKI, but the core I did understand.
To all, thanks for the responses, they were greatly interesting.
So, one final question:
I would like to know more about encryption, the underlying
infrastructures, etc. What would be, in the lists recommendation, a
good place to start?
Thanks for any help again,
I wasn't sure of the sense of your original question, but if your
reference to PKI was in relation to encryption for privacy (vs
euthentication) and access to the same encrypted material
using more than one key - then yes, that can be and is routinely
done.
For example, I use the 'EncryptToSelf' option for PGP:
If on, automatically encrypts all mes-
sages to your default key, as well as to the
intended recipient.
to add my personal key as 'master key' to any messages I
encrypt to send to others.
I don't know of any ciphers that inherently support multiple keys.
I doubt that it is possible to do without weakening the cipher.
The main thing to be aware of is that public key crypto are those
for which the ability to encode and the ability to decode are
separate - and this functionality provides solutions both for
the authentication problem as well as the 'shared key' problem
for secure communication between people that do not have a secure
communications link.
However the public key systems are normally computationally expensive,
so what is normally done when encrypting data is to generate a random
key and encrypt the data with a symmetric key algorithm, and then the
randomly generated key is encrypted using the PK algorithm and appended
to it. If you want multiple keys to be able to decypt the data, then
you encrypt the original key with each of the desired public keys and
append them all - which is what PGP does.
If you want to get experience with public key systems, both for
privacy and authentication (digital signatures), install and
experiment with PGP/GPG. There is plenty of good documentation
which will help you understand how it all works.
If you want to understand how all the algorithms work, then
"Applied Cryptography" by Schneier is probably one of the best
references I have found. For a more readable popular account,
try Simon Singh's book..
Regards,
DigbyT
--
Digby R. S. Tarvin digbyt(at)digbyt.com
http://www.digbyt.com
--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
- References:
- Multi-layered PKI implementation
- From: Grant Thomas
- Re: Multi-layered PKI implementation
- From: James Westby
- Re: Multi-layered PKI implementation
- From: Paul E Condon
- Re: Multi-layered PKI implementation
- From: James Westby
- Re: Multi-layered PKI implementation
- From: Grant Thomas
- Multi-layered PKI implementation
- Prev by Date: Re: Multi-layered PKI implementation
- Next by Date: Re: kernel upgrade message
- Previous by thread: Re: Multi-layered PKI implementation
- Next by thread: sensors, alarms, crashes!
- Index(es):
Relevant Pages
|
