InfoSec Reviews – PKI Uncovered

Book Title: PKI Uncovered

Subtitle: Certificate-Based Security Solutions for Next-Generation Networks

Author(s): Andre Karamanian, Srinivas Tenneti, Francois Dessart

Publisher: Cisco Press

Date of Publishing: February 2011

ISBN(13): 9781587059162

Price (UK&US): £40.79, $65.00

URL of Publisher Site: Cisco Press

URL of Amazon UK web page: PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks (Cisco Press Networking Technology)

URL of Amazon UK (Kindle) web page: PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks (Networking Technology: Security)

URL of Amazon US web page: PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks (Networking Technology: Security)

URL of Amazon US (Kindle) web page: PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks (Networking Technology: Security)

The book is 260 pages in length (including the preliminaries) and comprises 11 chapters. It opens with a display of icons of which, oddly, very few are used in the book. See the end of this review for more detail.

Chapter 1 is entitled ‘Crypto Refresh’ and, sadly, contains many inaccuracies. These are further detailed at the end of this review.

Chapter 2 would benefit from more specific detail. On page 16, for example, it would have been helpful to state that the signature from a Certificate Authority (CA) that forms part of a digital certificate is in fact a hash of the primary certificate attributes (explained in the first three bullet points on page 16) and that the hash has been signed with the issuing CA’s or sub-CA’s private key. What is further confusing is that the certificate is then referred to as a ‘package’.

There is no mention of the advantages of differing key lengths (either for CAs, sub-CAs or individual certificates) until the ‘Troubleshooting’ section of the book.

Also, the ‘topics covered’ list at the start of Chapter 2 is incomplete. A typical PKI actually comprises:

* A Certificate Authority (to issue certificates)
* A Registration Authority (to ensure that certificates are given out to the right person/installed in the right device)
* A Validation Authority (to provide the ability to revoke lost/stolen certificates)

No mention is made of a validation authority. Furthermore, on page 23 it is stated that the CA is responsible for ensuring that an entity requesting a certificate with a specific identity actually owns that identity. This is actually the responsibility of the Registration Authority and could have been explained better on page 26.

In Chapter 3 I believe the Enrolment ‘Common Events’ bullet list on page 37 to be inaccurate. A Certificate Authority actually generates the end-host’s (or user’s) certificate, hashes it, and then signs the hash with its private key. The signed hash is included as part of the certificate. Provided the CA’s public key is made available securely, the CA’s signed hash on every certificate issued by it can be checked for validity. The Manual Enrolment high-level steps on page 38 refer to the verification of the CA’s fingerprint with no explanation of what a fingerprint is or how such verification occurs.

Certificate Revocation Lists (CRLs) can be both segmented and signed, neither of which is mentioned in Chapter 3. Also, the sentence at the top of page 49 is confusing. It reads, “After the certificate is revoked, the information will not be updated until the CRL expires, which might be many hours from the time of expiration”. The word ‘expiration’ should be replaced with ‘revocation’ for the sentence to make sense. Furthermore, in the chapter summary on page 54, the statement that “CRLs are not real-time and may take many hours for information to be propagated about the expiration of a certificate” is confusing. CRLs are only required to contain details of revoked certificates. Each certificate carries its own expiry date as part of the content and will not be accepted after that date. No mention is made in this chapter of Authority Revocation Lists (ARLs). These are used to revoke the certificates of sub-CAs rather than endpoints.

The troubleshooting section in Chapter 4 is quite detailed but better information is available on the Cisco documentation site.

In Chapter 5, certificate chaining is poorly explained. For an endpoint to trust other endpoints signed by different sub-CAs it must be provided, by secure means, with the certificates of each of the sub-CAs and the Root CA. Only then may the endpoint confirm that the certificates of each sub-CA in the chain have indeed been signed by the sub-CA at the next level, up to and including the Root. Failing that, a ‘chaining file’ must be securely distributed to all endpoints.

Chapter 6 concentrates on the configuration and troubleshooting of DMVPN and GETVPN but pays little attention to the use of certificate revocation in such solutions. Furthermore, it should be stressed that when deploying such enterprise-level topologies, the Root CA should remain offline; the renewal of sub-CA certificates can be performed offline and then securely transported to the live environment for installation.

Chapter 7 provides a good explanation of deploying an IPSec VPN using the Cisco ASA but fails to explain the benefits of an IPSec VPN over an SSL tunnel. As the ASA requires certificate chaining to be operational, it is good to see this mentioned.

Chapter 8 brings in 802.1x certificates used with EAP-TLS. What are not made clear are the management differences between the initial X.509 v3 certificates in the early part of the book and the 802.1 certificates used to identify remote network endpoints. An 802.1 certificate revocation process is not mentioned.

Chapter 9 discusses the topic of Unified Communications and shows how to link the different certificates in IP-telephony and management servers by using a Certificates Trusted List file. A useful aspect of this chapter is the explanation of how to overcome the expiry date and Cisco-wide trust relationship of each certificate preinstalled by the manufacturer of each IP telephone.

Chapter 10 discusses Cisco Virtual Office and assumes familiarity with the Virtual Office solutions set. I do not have such familiarity and so provide no comment on this particular chapter.
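The hash-then-sign and chaining points made above for Chapters 2, 3 and 5 can be shown as a small model; this is an added example, not code from the book or from Cisco. The certificate layout, the names (`Root CA`, `Sub-CA A`, `host-a` and so on) and the keys are constructed, and the signature is unpadded textbook RSA over Mersenne primes, which is not secure and is used only so the model runs on the standard library.

```python
import hashlib

def make_key(p_exp, q_exp, e=65537):
    # Constructed toy RSA key built from two Mersenne primes: trivially
    # factorable, used only so the example runs on the standard library.
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def attr_hash(cert):
    # Hash over the certificate attributes, i.e. everything but the signature.
    fields = (cert["subject"], cert["issuer"], cert["n"], cert["e"])
    return int.from_bytes(hashlib.sha256(repr(fields).encode()).digest(), "big")

def issue(subject, issuer, subject_key, issuer_key):
    cert = {"subject": subject, "issuer": issuer,
            "n": subject_key["n"], "e": subject_key["e"]}
    # The CA signs the hash with its private key (textbook RSA, no padding).
    cert["signature"] = pow(attr_hash(cert), issuer_key["d"], issuer_key["n"])
    return cert

def signed_by(cert, issuer_cert):
    # Recover the hash with the issuer's public key and compare.
    return pow(cert["signature"], issuer_cert["e"], issuer_cert["n"]) == attr_hash(cert)

def verify_chain(leaf, sub_ca_certs, trusted_roots):
    """Walk issuer links from the leaf up to a securely provisioned root."""
    by_subject = {c["subject"]: c for c in sub_ca_certs}
    cert, seen = leaf, set()
    while cert["subject"] not in seen:
        seen.add(cert["subject"])
        root = trusted_roots.get(cert["issuer"])
        if root is not None:
            return signed_by(cert, root)
        parent = by_subject.get(cert["issuer"])
        if parent is None or not signed_by(cert, parent):
            return False  # missing sub-CA certificate or bad signature
        cert = parent
    return False  # issuer loop

# Constructed sample PKI: one root, two sub-CAs, one endpoint under each.
ROOT_KEY, SUB_A_KEY, SUB_B_KEY = make_key(521, 607), make_key(1279, 2203), make_key(2281, 3217)
HOST_KEY = make_key(89, 107)
ROOT = issue("Root CA", "Root CA", ROOT_KEY, ROOT_KEY)
SUB_A = issue("Sub-CA A", "Root CA", SUB_A_KEY, ROOT_KEY)
SUB_B = issue("Sub-CA B", "Root CA", SUB_B_KEY, ROOT_KEY)
HOST_A = issue("host-a", "Sub-CA A", HOST_KEY, SUB_A_KEY)
HOST_B = issue("host-b", "Sub-CA B", HOST_KEY, SUB_B_KEY)
ROOTS = {"Root CA": ROOT}
```

An endpoint holding only `SUB_A` cannot validate `HOST_B`; it needs `SUB_B` and the root as well, and any change to a signed attribute breaks the check.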

Finally, Chapter 11 pulls together the content of many of the previous chapters by taking the reader through the benefits of deploying the various solutions of DMVPN, GETVPN and PKI using Cisco Security Manager (CSM).

I found the content of this book somewhat disappointing. As a security architect familiar with the high-level PKI architectures implemented in UK government and the NHS, I was looking forward to learning how the main concepts can be applied across enterprise networks to ensure certificated authentication between organisational servers. Overall, the book would benefit from a more organised structure and a glossary would have been helpful (many terms, such as ‘IPSec’, are used with no expansion). Basic concepts should have been more thoroughly explained in the first sections of the book and configuration examples left to the latter. In contrast, I found the content to be a mishmash of old concepts, extracts from various RFCs, coupled with example output from Cisco devices. Far more detailed information on the various topics is available from the Cisco documentation site, and that’s free of charge.

My advice would be to rename this book to what it really is: a low-level PKI guidance document for Cisco engineers.

Marks:  2 out of 5

**