Page 448 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 448

Asymmetric Key Management


               When working within the public key infrastructure, it’s important that
               you comply with several best practice requirements to maintain the
               security of your communications.


               First, choose your encryption system wisely. As you learned earlier,
               “security through obscurity” is not an appropriate approach. Choose
               an encryption system with an algorithm in the public domain that has
               been thoroughly vetted by industry experts. Be wary of systems that
               use a “black-box” approach and maintain that the secrecy of their
               algorithm is critical to the integrity of the cryptosystem.


               You must also select your keys in an appropriate manner. Use a key
               length that balances your security requirements with performance
               considerations. Also, ensure that your key is truly random. Any
               patterns within the key increase the likelihood that an attacker will be
               able to break your encryption and degrade the security of your
               cryptosystem.

               When using public key encryption, keep your private key secret! Do

               not, under any circumstances, allow anyone else to gain access to your
               private key. Remember, allowing someone access even once
               permanently compromises all communications that take place (past,
               present, or future) using that key and allows the third party to
               successfully impersonate you.

               Retire keys when they’ve served a useful life. Many organizations have
               mandatory key rotation requirements to protect against undetected

               key compromise. If you don’t have a formal policy that you must
               follow, select an appropriate interval based on the frequency with
               which you use your key. You might want to change your key pair every
               few months, if practical.

               Back up your key! If you lose the file containing your private key
               because of data corruption, disaster, or other circumstances, you’ll
               certainly want to have a backup available. You may want to either

               create your own backup or use a key escrow service that maintains the
               backup for you. In either case, ensure that the backup is handled in a
   443   444   445   446   447   448   449   450   451   452   453