3 - 5: Public Key Infrastructure Flashcards
Web of Trust
Based on not knowing everyone you might exchange keys with; participants sign for the people they trust, forming indirect trust relationships
Problems with Web of Trust
Decentralized; high barrier of entry for new users; somewhat technical
Public Key Infrastructure
Introduces certificate authorities to build on trust relationships
Certificate Authorities
Third-party authorities who verify the identity of individuals or organizations and issue certs with both identity information and a copy of their public key.
Digital certificates
The certificate itself does not contain sensitive data, just a public key that can be checked against the CA itself. Only you have the private key to decrypt public-key encrypted data
Hash Function
A one-way function that transforms a variable length input into a unique, fixed-length output; cannot be reversed; outputs are always the same length; no two inputs should produce the same output
Hash Function fails
If: they are not reversible, not collision resistant (unique output)
Message Digest 5
Created in 1991, produces a 128-bit hash, considered insecure
Secure Hash Algorithm - 1
Produces a 160-bit hash value, considered insecure
Secure Hash Algorithm - 2
A family of six hash functions, outputs of 224, 256, 384, 512 bits; mathematically similar to SHA-1 and MD5
Secure Hash Algorithm - 3
Anticipating risks to SHA-2, NIST adopted SHA-3 using the Keccak algorithm to produce hashes of any length
RIPEMD
Created as an alternative to government hash functions, available as 128, 160, 256, and 320-bit hashes. The 128-bit version is considered insecure.
Hash-based Message Authentication Code
Combines symmetric cryptography and hashing to provide authentication and integrity for messages. A message sender provides a secret key used with the hash function to create a message authentication code. The recipient uses that key to verify the message.
Digital signatures
Use asymmetric cryptography to verify a message: 1) owner of public key is the one who signed it; 2) the message was not altered after it was signed; 3) recipient can prove this to a third party. Use depends on collision-resistant hash functions and asymmetric cryptography (1 to 1 public/private key pair). Encrypted by a private key to indicate a specific person created the message, unlike regular asymmetric crypto. Digital signing does not provide confidentiality
Digital Signature Standard
Supports 3 DS algorithms: 1) DSA, 2) RSA, 3) Elliptic Curve Digital Signature Algorithm
Older way of revoking certificate
The CA maintains a list with serial numbers of certificates it has revoked, and requires users to download the list
Online certificate status protocol
Users send a request to the CA to verify the certificate is still active, CA checks the serial number, then sends back a yes or no
Certificate stapling
Typically, OCSP consists of the web browser submitting an OCSP request, then sending results to the certificate authority. Certificate stapling cuts a step out and requests a cert from the CA itself, who provides a timestamped and signed status to the OCSP, then returns it to the browser
Certificate Authorities
Trusted organizations who issue digital certificates
Self-signed certificates
An organization sets up its own certificate authority for internal use only
Certificate chaining
Having a self-signed certificate authority be trusted by an outside/commercial CA, making it an intermediary CA. Chaining also allows for offline certificate use as the private key is kept in an unconnected network
Certificate subject
Owner of the certificate’s public key
Object Identifier (OID)
A unique number sequence to identify elements in a digital certificate
Certificate Pinning
Tells certificate users to not expect a certificate to change, and that they should remember it for a long period of time. An unexpected certificate change may be an attack attempt
Root certificate
The core certificate at the foundation of a chain
Wildcard certificates
Able to match different subjects associated with a domain. Wildcards only replace a single name feature. Commonly used for load balancers.
Domain validation
Verifies domain ownership and communicates with the registered owner (lowest level)
Organizational validation
Verifies the domain, and that the name of the organization purchasing the certificate matches additional records.
Extended validation
With certificate subject information, the CA will investigate the physical existence and legitimacy
Distinguished Encoding Rules
A binary certificate format with .DER, .CRT, and .CER file extensions
Privacy Enhanced Mail
An ASCII certificate equivalent of DER based on the outdated Privacy Enhanced Mail standard. Easily convert between binary and ASCII with OpenSSL. Also uses .CER file extensions
Personal Information Exchange (PFX)
A binary certificate format common in Windows systems with .PFX and .P12 file extensions
P7B
ASCII equivalent for PFX, commonly used in Windows
X.509
Government standard for structure and content of digital certificates