and a private key that is known only to one party is used to decrypt the
data. This property allows you to generate a key pair and publish the public
key so that anyone who wants to communicate privately with you can
encrypt the communication using the public key. Only you hold the private
key, so only you can decrypt the data.
Public key algorithms made cryptography practical in a world where
confidential interaction among practically limitless numbers of parties is
necessary. If 10,000 users need to interact among themselves using symmetric
keys, you would potentially need a separate symmetric key for every pair of
users: n(n-1)/2 keys, or roughly 50 million of them. Using public keys you
need only 10,000 key pairs. Moreover, symmetric keys require something very
hard: a secure channel over which each of these keys can be delivered to the
right counter-party. Public keys do not need to be kept secret; they may be
posted on a Web site, although the party picking up such a key still needs
assurance of whose key it is, which is the job of certificates discussed
below. Both of these factors make public keys significantly easier to
manage, and key management is the main role of PKI, which is primarily
responsible for creating, distributing, and managing cryptographic keys. In
fact, today's PKI systems also manage symmetric keys, which are still used
because they are far more efficient for bulk data. A fresh symmetric key is
created on demand for each message or session (so it does not need to be
managed long-term) and is used to encrypt the data; the recipient's public
key is then used to encrypt only that symmetric key, which provides the
key-distribution mechanism. This combination is commonly called hybrid or
envelope encryption.
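The on-demand symmetric key plus public-key wrapping described in this paragraph, written out as an added example (not code from the book) in Go using only the standard library: AES-256-GCM protects the data, RSA-OAEP protects the one-time data key. The `Envelope` type, the function names and the sample payload are this example's own choices, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels to the recipient: the data encrypted under a
// symmetric key that was generated for this message only, plus that key
// encrypted under the recipient's public key. The field names are this
// example's own choice, not a standard format.
type Envelope struct {
	WrappedKey []byte // 256-bit AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// NewRecipient generates the recipient's key pair. Only the public half is
// published; the private half never leaves the recipient.
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext for the holder of pub. The symmetric key is
// created on demand, used once, and sent only in wrapped form, so nobody
// has to manage or pre-distribute it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // data-encryption key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// The public key is the only thing the sender had to obtain beforehand;
	// it is used for the small key blob, not for the bulk data.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open recovers the plaintext with the recipient's private key. A wrong key
// fails at the unwrap step; any modification of the ciphertext fails the
// GCM tag check, so tampering is detected rather than silently decrypted.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or nonce was modified")
	}
	return plaintext, nil
}

func main() {
	recipient, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload; in practice this would be a file or a query result.
	msg := []byte("constructed sample payload: nightly export of the customers table")
	env, err := Seal(&recipient.PublicKey, msg) // the sender needs only the public key
	if err != nil {
		panic(err)
	}
	pt, err := Open(recipient, env)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // simulate modification in transit
	_, err = Open(recipient, env)
	fmt.Println("after tampering:", err)
}
```

Two points worth noticing in practice: the public key used in `Seal` must itself be authenticated (normally by a certificate, as the next paragraph explains), otherwise an attacker who substitutes his own key can read everything; and an authenticated mode such as GCM is what turns a modified envelope into an error instead of garbage that the application might act on.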
PKI is usually enhanced through the use of certificates that are issued by
Certificate Authorities (CAs). Certificates address the question of how I
can trust that the public key I am using to encrypt data I want to keep
confidential actually belongs to the party I intend to reach. How do I know
I am communicating with you as opposed to an attacker who is masquerading as
you and has published a key of his own? A CA digitally signs a bundle
consisting of an identifier tag, a public key, and a validity period; that
signed bundle is the certificate. The CA is trusted to issue certificates
only to parties that have been identified and approved, and CAs are
therefore the anchors of a trust hierarchy. If I trust the CA, I can also
trust any party holding a certificate issued by that CA. When I inspect a
certificate that you give me, besides retrieving your public key from within
it, I can verify the CA's signature over it, confirm that the identifier
names the party I intend to talk to and that the validity period covers the
current time, and check with the CA that the certificate has not been
revoked. Certificate management and more elaborate functions dealing with
certificate policies are also addressed by modern PKI.
2.7 Vulnerability management
Vulnerability management is a broad term. In its widest definition it
includes numerous technologies (some of which we have already discussed)
and a set of processes that provide the glue for these technologies. Figure