Some methods of the analysis and risk assessment in the PKI system services providers

  • Jerzy Pejaś
  • Imed El Fray


PKI systems are one of the main components of information exchange between the employees and customers of an enterprise, and between firms as well. Depending on current routing boards, the information that needs to be sent can be transferred using many different telecommunication systems. To ensure the confidentiality of the information, a uniform security policy should be defined for the whole enterprise. A correctly prepared and implemented security policy comprises the rules of authorization for physical access to rooms and objects, as well as the rules of authorization for access to network resources. Cryptographic systems, and PKI systems in particular, can be used as the technical infrastructure that introduces the uniform policy. A PKI system requires the creation of a suitable infrastructure for the generation, storage and distribution of keys and certificates. In this article, the authors try to analyze vulnerabilities and threats for the individual components of the PKI infrastructure based on the MEHARI method of risk analysis, which are estimated on a real example. Since even the best system will not guarantee confidence in users’ keys issued by the Certification Authority, the analysis and assessment are not restricted to PKI components only, but also cover the working environment. When subsidiaries of this infrastructure are able to compromise the keys, the whole infrastructure becomes a useless store of equipment and software.

Key words

PKI systems, risk analysis



Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  • Jerzy Pejaś (1)
  • Imed El Fray (1)
  1. Faculty of Computer Science, University of Szczecin, Szczecin, Poland
