Some methods of the analysis and risk assessment in the PKI system services providers

Abstract

The PKI systems are one of the main components in the information exchange between employees and customers of the enterprise, and firms as well. Depending on current routing boards, the information which needs to be send can be transferred using many different telecommunication systems. To ensure the confidentiality of the information, the uniform safety policy for the whole enterprise should be defined. Correctly prepared and implemented security policy comprises the rules of authorization for physical access to rooms and objects, and the rules of authorization for access to the network resources as well. As the technical infrastructure introduces the uniform policy, the cryptographical systems can be used, with PKI systems in particular. The PKI system requires the creation of a suitable infrastructure for generation, storage and distribution of keys and certificates. In this article, authors will try to analyze vulnerabilities and threats for the individual components of the PKI infrastructure based on MEHARI method of the risk analysis, which are estimated on a real example. Since even the best system will not guarantee the confidence of users' keys issued by the Certification Authority, the analysis and assessment is not restricted only to PKI components, but also to the working environment. When subsidiaries of this infrastructure are able to compromise the keys, the whole infrastructure becomes a useless equipment and software storage