If a company is going to perform key recovery and maintain a key recovery system, it will generally back up only the key pair used to encrypt data, not the key pairs that are used to generate digital signatures. True or False? Explain your answer.
Solution
support two key pairs:
• Support for key backup and non-repudiation: To support data recovery, private keys for decrypting must be backed up securely. To support non-repudiation, private keys for signing must not be backed up. These conflicting requirements can only be solved by a comprehensive PKI that supports two key pairs in this manner.
• Update of encryption and signing key pairs: When updating encryption key pairs, the private keys for decryption need to be retained and managed. When updating signing key pairs, the private keys for digitally signing must be securely destroyed to prevent future recovery. These conflicting requirements can only be solved by a comprehensive PKI that supports two key pairs.
As discussed, encryption and signing key pairs are fundamentally different entities that have distinct business requirements. These business requirements can only be met with a comprehensive PKI that works across applications and platforms.
This paper also described how Entrust provides automatic and transparent key update at no cost to administrators, users, or application developers. Entrust’s solution for key update and managing two key pairs has been proven to work effectively for customers and application development partners since 1994. Finally, this paper discussed the business benefits of key update and the hidden costs and inadequacies of other vendors’ “certificate renewal” schemes.
Like many features in Entrust, key update and support for two key pairs put the customer in control. Entrust’s unique key and certificate management solution ensures applications meet customer requirements— not vice versa.
The need for two key pairs
It is challenging for most PKI vendors to simultaneously support key backup and recovery and non-repudiation. To support key backup and recovery, the decryption keys must be backed up securely. To support non-repudiation, the keys used for digitally signing cannot be backed up and must be under control of the user.
Thus, to meet these requirements, a PKI must support two key pairs for each user. Entrust provides this capability because each user has one current key pair for encryption and decryption, and a second key pair for digital signature and signature verification.
While other PKI vendors claim to support two key pairs, Entrust has provided comprehensive management of two key pairs since its initial release in 1994. Other PKI vendors frequently only issue certificates to applications and require each individual application developer to support two key pairs. There is little chance that general application developers, the vast majority of whom are not experts in cryptography and data security, will support two key pairs properly— if at all. Entrust removes the complexity of managing two key pairs from application developers and users.
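The two lifecycle rules above (decryption keys are retained and are the only thing a key-recovery backup exports; signing keys are never backed up and the old one is destroyed on update) can be checked mechanically. The following is an added illustrative model, not Entrust's code or any real PKI: key material is random bytes standing in for asymmetric keys, and the "cipher" is a constructed SHA-256 keystream XOR used only so that old data can be shown to remain decryptable after an update. The names UserKeyStore, KeyPair and demo are assumptions for the example.

```python
"""Added example (not Entrust's code): a per-user key store that keeps two
key pairs with different lifecycle rules.

- Encryption/decryption pairs: every private decryption key is retained on
  update and is the only material a key-recovery backup ever exports.
- Signing pair: never backed up; on update the old private key is zeroized.

Key material is random bytes and the "cipher" is a SHA-256 keystream XOR;
both are constructed stand-ins so the policy can be exercised without a
crypto library.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class KeyPair:
    key_id: str
    purpose: str          # "encryption" or "signing"
    private: bytearray    # mutable so it can be zeroized in place
    public: bytes


def _generate(purpose: str, serial: int) -> KeyPair:
    # Stand-in for real asymmetric key generation (constructed, not real RSA/ECC).
    return KeyPair(f"{purpose}-{serial}", purpose,
                   bytearray(secrets.token_bytes(32)), secrets.token_bytes(32))


def _keystream(private: bytes, length: int) -> bytes:
    # Toy keystream derived from the private key; illustrative only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(private + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


@dataclass
class UserKeyStore:
    encryption_history: List[KeyPair] = field(default_factory=list)
    signing_current: Optional[KeyPair] = None
    serial: int = 0

    def update_encryption_pair(self) -> KeyPair:
        """Issue a new encryption pair; older decryption keys stay retained."""
        self.serial += 1
        pair = _generate("encryption", self.serial)
        self.encryption_history.append(pair)
        return pair

    def update_signing_pair(self) -> KeyPair:
        """Issue a new signing pair and destroy the old private key."""
        old = self.signing_current
        if old is not None:
            for i in range(len(old.private)):
                old.private[i] = 0     # securely destroyed, never archived
        self.serial += 1
        self.signing_current = _generate("signing", self.serial)
        return self.signing_current

    def backup(self) -> Dict[str, bytes]:
        """Key-recovery escrow: decryption private keys only, never signing keys."""
        return {p.key_id: bytes(p.private) for p in self.encryption_history}

    def encrypt(self, plaintext: bytes) -> Tuple[str, bytes]:
        """Encrypt under the current encryption key; tag output with its key id."""
        pair = self.encryption_history[-1]
        ks = _keystream(bytes(pair.private), len(plaintext))
        return pair.key_id, bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, key_id: str, ciphertext: bytes) -> Optional[bytes]:
        """Decrypt with whichever retained key matches the tag (old data stays readable)."""
        for pair in self.encryption_history:
            if pair.key_id == key_id:
                ks = _keystream(bytes(pair.private), len(ciphertext))
                return bytes(a ^ b for a, b in zip(ciphertext, ks))
        return None


def demo() -> Dict[str, bool]:
    """Walk one user through initial issuance and one update of each pair."""
    store = UserKeyStore()
    store.update_encryption_pair()
    store.update_signing_pair()
    tag, ct = store.encrypt(b"archived record")   # constructed sample data
    old_sig = store.signing_current
    store.update_encryption_pair()
    store.update_signing_pair()
    return {
        "old_data_still_decrypts": store.decrypt(tag, ct) == b"archived record",
        "backup_has_no_signing_keys": all(k.startswith("encryption-") for k in store.backup()),
        "old_signing_key_destroyed": bytes(old_sig.private) == bytes(32),
        "backup_covers_all_decryption_keys": len(store.backup()) == 2,
    }
```

Running demo() returns all four checks as True: data encrypted before the update still decrypts because the old decryption key was retained, the backup contains only encryption-purpose keys, and the superseded signing key has been overwritten with zeros so it cannot be recovered from the store.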
Benefits of Key Update
On the one hand, certificate renewal is not required and does not benefit users— in fact, it can make their lives more difficult and cumbersome than
With Entrust, customers choose the lifetimes of their key pairs and control how key update occurs. Automatic and transparent update of encryption key pairs is driven by the expiration of the encryption public key. The following shows a sample lifeline of an encryption key pair:
[Figure: sample lifeline of an encryption key pair on a time axis, marking the generation of the encryption key pair, the first attempt to update the encryption key pair, the transition period, and the end of the encryption public key life.]
The transition period represents the time between the first attempt at updating the key pair and the official expiration date of the encryption public key. Entrust provides a transition period of one hundred days (or 50% of the key’s lifetime, whichever is less). Attempting to update the encryption key pair well
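The schedule in the paragraph above can be computed from a key pair's generation and expiry dates. The following is an added example, not Entrust's code: the only rule taken from the text is that the transition period is one hundred days or 50% of the key's lifetime, whichever is less, and the function names (transition_period, first_update_attempt, lifeline, key_state) are assumptions for the example.

```python
"""Added example (not Entrust's code): the encryption key-update schedule,
computed from a key pair's generation and expiry dates. The only rule taken
from the text is that the transition period is 100 days or 50% of the key's
lifetime, whichever is less."""
from datetime import date, timedelta

TRANSITION_CAP = timedelta(days=100)


def transition_period(lifetime: timedelta) -> timedelta:
    """Shorter of 100 days and half the key's lifetime."""
    return min(TRANSITION_CAP, lifetime / 2)


def first_update_attempt(generated: date, expires: date) -> date:
    """Date on which the client first tries to update the encryption key pair."""
    return expires - transition_period(expires - generated)


def lifeline(generated: date, expires: date) -> dict:
    """The milestones from the figure: generation, first update attempt, end of life."""
    return {
        "generation": generated,
        "first_update_attempt": first_update_attempt(generated, expires),
        "end_of_public_key_life": expires,
        "transition_days": transition_period(expires - generated).days,
    }


def key_state(generated: date, expires: date, today: date) -> str:
    """'current' before the transition, 'transition' inside it, 'expired' after."""
    if today >= expires:
        return "expired"
    if today >= first_update_attempt(generated, expires):
        return "transition"
    return "current"


if __name__ == "__main__":
    # Constructed sample dates: a two-year key hits the 100-day cap,
    # a six-month key gets half its lifetime instead.
    print(lifeline(date(2024, 1, 1), date(2025, 12, 31)))
    print(lifeline(date(2024, 1, 1), date(2024, 7, 1)))
```

For a key generated on 2024-01-01 and expiring 2025-12-31 (730-day lifetime), half the lifetime exceeds the cap, so the transition is 100 days and the first update attempt falls on 2025-09-22; for a six-month key (182 days) the transition is 91 days and the first attempt is 2024-04-01. A monitoring job can use key_state to flag users whose keys have entered the transition window without a successful update.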