Public key Infrastructure
A
Public Key Infrastructure (PKI) enables users of an unsecure public network,
such as the Internet, to securely and privately exchange data through the use
of a public cryptographic key and a private cryptographic key pair that are obtained
and shared through a trusted authority. The key pair consists of one public key
and one private key that are mathematically related. An individual must keep
the private key a secret. Content encrypted by using one of the keys can be
decrypted by using the other. PKI can be a very complex but important subject. A
PKI lets you:
-
Authenticate
users more securely than standard usernames and passwords
-
Encrypt sensitive
information
-
Electronically
sign documents more efficiently
PKI's provide a digital certificate that can identify an
individual, an organization, and directory services that can store, and when
necessary, revoke the certificates. A PKI allows you to bind public keys
contained in certificates, with a person in a way that allows you to trust the
certificate. Public Key Infrastructures most commonly use a Certificate
Authority (also known as a Registration Authority) to verify the identity of an
entity and create unforgeable certificates. Web browsers, web servers, email
clients, smart cards, and many other types of hardware and software all have
integrated standards-based PKI support that can be used with each other.
Understanding Digital Certificates
Certificates
are electronic credentials that bind the identity of the certificate owner to a
pair (public and private) of electronic keys that can be used to encrypt and
sign information digitally. These electronic credentials assure that the keys
actually belong to the person or organization specified. Messages can be
encrypted with either the public or the private key and then decrypted with the
other key. Each certificate contains at least the following information:
-
Owner's public
key
-
Owner's name or
alias
-
Expiration date
of the certificate
-
Serial number of
the certificate
-
Name of the
organization that issued the certificate
-
Digital signature
of the organization that issued the certificate
Certificates
can also contain other user-supplied information, including a postal address,
an e-mail address, and basic registration information, such as the country or
region, postal code, age, and gender of the user. Certificates form the basis
for secure communication and client/server authentication on the Web. You can
use certificates to do the following:
-
Verify the
identity of clients and servers on the Web
-
Encrypt channels
to provide secure communication between clients and servers
-
Encrypt messages
for secure Internet e-mail communication
-
Verify the
sender's identity for Internet e-mail messages
-
Put your digital
signature on executable code that users can download from the Web
-
Verify the source
and integrity of signed executable code that users can download from the Web
Using Digital Certificates
You
can install certificates and configure certificate settings for Internet
Explorer by using the following methods:
- Within the
browser, you can use the Internet Explorer Certificate Manager to install certificates
-
Configure
advanced security options for certificates on the advanced tab in the Internet Options dialog box
-
Use the Internet
Explorer Customization Wizard to create custom packages of Internet Explorer
that include preconfigured lists of trusted certificates, publishers, and CAs
for your user groups
-
If you are a
corporate administrator, you can also lock down these settings to prevent users from changing them
-
After deploying
the browser, you can use the IEAK Profile Manager to manage certificate settings through the automatic browser configuration feature of Internet
Explorer
-
Automatically
push the updated information to each user's desktop computer, enabling you t to
manage security policy dynamically across all computers on the network
Hardening your computer for internet use
Hardening
your computer is an important step in the fight to protect your personal data
and information. Hardening a computer for internet use requires several steps
to form layers of protection. This process works to eliminate means of attack
by patching vulnerabilities and turning off inessential services. This approach
to safer computing is often called “defense in depth”.
The
first step in layering to help harden your computing system is to regularly
apply vendor security patches. Many security experts recommend installing a
firewall on your computer. Windows and MAC operating systems have firewalls on
by default. Additional hardening actions include closing server ports,
disabling Windows and other programs file-sharing, and hardening email
programs. Another layer of protection for your computer is to install and
regularly use virus and spyware protection software. Scheduling daily automatic
definition updates and scans to be performed on your computer are vital steps
to harden your system.
Here are some helpful tips
for hardening computers:
-
Patch Microsoft
Windows automatically
-
Use strong
passwords or pass phrases for all Windows user accounts on your PC
-
Use and properly
maintain good anti-virus software, and anti-spyware software
-
Do not open
suspicious email attachments or respond to suspicious requests
-
If you're not
using it, disable the Windows File and Printer Sharing service
-
Disable any
unneeded user accounts
-
Where possible,
consider using a web browser other than Internet Explorer, and treat all "free"
software with suspicion
Good
computer security is about finding the right balance between hardening your
system against potential threats and maintaining usability. If you do not require
a particular software application or service it should be disabled and removed.
Extra software just requires more work on your part to make it harder to a
computer attack to be successful.