If this shared session key is ever discovered, messages travelling in both directions can be deciphered, so a strong and resilient Key Management and Distribution system is essential. The strength of the Key Management system determines a good portion of your overall security level.
The guidelines for doing this are outlined in both Financial (ANSI) and Government (FIPS) specifications; however, meeting those standards requires quite a bit of work, and much of it is not possible with software alone.
Along with strong Key Management, a strong User Authentication method is also essential. Whether that User Authentication system is run in-house or entrusted to third parties depends on your needs, your budget and your ability to manage such a system in-house.
Many smaller organizations find it too expensive and therefore opt to outsource the Authentication portion; Authentication is a separate issue discussed later.
Without strong User Authentication, you cannot guarantee that only specified users are allowed access.
Public Key
With these separate key pairs, the Public Key is placed in a Certificate Authority (CA) for anyone and everyone to access; the Private Key is held only by you and is usually stored somewhere on your local disk.
Using this pair of related but different keys, one key is used for encryption and the other for decryption. Although the two keys are related in that they work as a set, they are totally different, and you cannot determine one key by knowing only the other. It is therefore safe to hand out your Public Key without worrying that somebody will derive your Private Key from it.
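As an added illustration of the key-pair property described above (this is example code written for this page, not from the original article, and it assumes RSA as the public-key algorithm): a textbook RSA key pair in Python built from constructed toy primes, used to wrap a symmetric session key of the kind discussed earlier. Only the private exponent undoes what the public exponent did; applying the public key a second time does not recover the plaintext.

```python
from math import gcd

# Constructed toy primes, far too small for real use; p=61, q=53 is the
# classic textbook pair and gives n = 3233. Real keys use 2048-bit+ moduli
# and randomized padding (OAEP); raw per-byte RSA as done here is for
# illustration only, since it leaks repeated bytes.
P, Q = 61, 53


def make_keypair(p=P, q=Q, e=17):
    """Return ((n, e), (n, d)): the public key and the private key.

    d can only be computed by whoever knows p and q. Anyone holding just
    (n, e) would have to factor n first, which is why publishing the
    public key is safe.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key, blocks):
    """Apply one key of the pair to each integer block: b -> b^k mod n."""
    n, k = key
    if any(b >= n for b in blocks):
        raise ValueError("block value must be smaller than the modulus")
    return [pow(b, k, n) for b in blocks]


def encrypt(public_key, plaintext: bytes):
    """Encrypt with the public key; bytes iterate as ints 0..255 (< n)."""
    return apply_key(public_key, plaintext)


def decrypt(private_key, ciphertext):
    """Decrypt with the private key; the result fits back into bytes."""
    return bytes(apply_key(private_key, ciphertext))


def wrap_session_key(session_key: bytes):
    """Wrap a (constructed) symmetric session key under a fresh key pair.

    Returns the public key, the private key and the wrapped key, so a
    caller can check both the round trip and the one-way property.
    """
    public, private = make_keypair()
    wrapped = encrypt(public, session_key)
    return public, private, wrapped


if __name__ == "__main__":
    pub, priv, wrapped = wrap_session_key(b"k1")  # "k1" is a stand-in key
    print(pub, priv, wrapped, decrypt(priv, wrapped))
```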
For User Authentication, whether in-house or outsourced to a third party, some kind of Certificate Authority is required.
This can even be used between two or more people who don't know each other to verify who the other party is.