3.9: Given a scenario, implement public key infrastructure. Flashcards

1
Q

Public Key Infrastructure (PKI)

A

A PKI is composed of several components, all working together to handle the distribution and management of keys in a public key cryptosystem. Keys are carried via a digital structure known as a certificate. Other components, such as certificate authorities and registration authorities, exist to manage certificates. Working together, these components enable seamless use of public key cryptography between systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Registration authorities (RAs)

A

RA will require proof of identity from the individual requesting a certificate and will validate this information. The RA will then advise the CA to generate a certificate, which is analogous to a driver’s license.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Certificate authorities (CAs)

A

The CA will digitally sign the certificate using its private key. The use of the private key assures the recipient that the certificate came from the CA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

EXAM TIP

A

A registration authority (RA) verifies digital certificate requests and forwards them to a certificate authority (CA). The CA is a trusted organization that validates and issues digital certificates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Key Management

A

The whole purpose for PKI is to provide the structure and components necessary for an organization to manage cryptographic keys that need to be shared between entities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Intermediate CA

A

Intermediate CAs function to transfer trust between different CAs. These CAs are also referred to as subordinate CAs because they are subordinate to the CA that they reference. The path of trust is walked up from the subordinate CA to the higher-level CA; in essence, the subordinate CA is using the higher-level CA as a reference.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Certificate Revocation List (CRL)

A

The CA provides protection against bad certificates by maintaining a certificate revocation list (CRL), a list of serial numbers of certificates that have been revoked. The CRL also contains a statement indicating why the individual certificates were revoked and a date when the revocation took place. The list usually contains all certificates that have been revoked within the lifetime of the CA. Certificates that have expired are not the same as those that have been revoked. If a certificate has expired, it means that its end validity date was reached.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

EXAM TIP

A

he certificate revocation list is an essential item to ensure a certificate is still valid. CAs post CRLs in publicly available directories to permit automated checking of certificates against the list before certificate use by a client. A user should never trust a certificate that has not been checked against the appropriate CRL.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Certificate Attributes

A

A digital certificate binds an individual’s identity to a public key, and it contains all the information a receiver needs to be assured of the identity of the public key owner. The certificates are created and formatted based on the X.509 standard, which outlines the necessary fields of a certificate and the possible values that can be inserted into the fields.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Certificate Signing Request (CSR)

A

A certificate signing request (CSR) is the actual request to a CA containing a public key and the requisite information needed to generate a certificate. The CSR contains all the identifying information that is to be bound to the key by the certificate-generation process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Online Certificate Status Protocol (OCSP)

A

One of the protocols used for online revocation services is the Online Certificate Status Protocol (OCSP), a request and response protocol that obtains the serial number of the certificate that is being validated and reviews CRLs for the client. The protocol has a responder service that reports the status of the certificate back to the client, indicating whether it has been revoked, it is valid, or its status is unknown. This protocol and service save the client from having to find, download, and process the right lists.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Subject Alternative Name (SAN)

A

Subject Alternative Name (SAN) is a field (extension) in a certificate that has several uses. In certificates for machines, it can represent the FQDN of the machine. For users, it can be the user principal name (UPN) or, in the case of an SSL certificate, it can indicate multiple domains across which the certificate is valid. Figure 25-4 shows the multiple domains covered by the certificate in the box below the field details. SAN is an extension that is used to a significant degree, as it has become a standard method used in a variety of circumstances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Types of Certificates

A

End-entity certificates

  • CA certificates
  • Cross-certification certificates
  • Policy certificates
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

CA certificates

A

A CA certificate can be self-signed, in the case of a stand-alone or root CA, or it can be issued by a superior CA within a hierarchical model. In the model in Figure 25-5, the superior CA gives the authority and allows the subordinate CA to accept certificate requests and generate the individual certificates itself.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

End-entity certificates

A

End-entity certificates are issued by a CA to a specific subject, such as Joyce, the Accounting department, or a firewall, as illustrated in Figure 25-5. An end-entity certificate is the identity document provided by PKI implementations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Cross-certification certificates

A

Cross-certification certificates, or cross-certificates, are used when independent CAs establish peer-to-peer trust relationships. Simply put, they are a mechanism through which one CA can issue a certificate allowing its users to trust another CA.

17
Q

Wildcard Certificates

A

Certificates can be issued to an entity such as example.com. But what if there are multiple entities under example.com that need certificates? There are two choices: issue distinct certificates for each specific address or use wildcard certificates. Wildcard certificates work exactly as one would expect. A certificate issued for *.example.com would be valid for one.example.com as well as two.example.com.

Images

18
Q

Subject Alternative NameSAN

A

n certificates for machines, it can represent the fully qualified domain name (FQDN) of the machine; for users, it can be the user principal name (UPN).

19
Q

Code-Signing Certificates

A

Certificates can be designated for specific purposes, such as code signing. This is to enable the flexibility of managing certificates for specific functions and to reduce the risk in the event of compromise. Code-signing certificates are designated as such in the certificate itself, and the application that uses the certificate adheres to this policy restriction to ensure proper certificate usage.

20
Q

Self-Signed Certificates

A

Certificates are signed by a higher-level CA, providing a root of trust. As with all chains, there is a final node of trust: the root node. Not all certificates have to have the same root node. A company can create its own certificate chain for use inside the company, and thus it creates its own root node. This company-created “root certificate” is an example of a CA certificate, mentioned earlier, and must be self-signed, as there is no other “higher” node of trust. What prevents one from signing their own certificates? The trust chain would begin and end with the certificate, and the user would be presented with the dilemma of whether or not to trust the certificate because, in the end, all a certificate does is detail a chain of trust to some entity that an end user trusts

21
Q

Domain Validation

A

Domain validation is a low-trust means of validation based on an applicant demonstrating control over a DNS domain. Domain validation is typically used for TLS and has the advantage that it can be automated via checks against a DNS record.

22
Q

Certificate Formats

A

Digital certificates are defined in RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. This RFC describes the X.509 v3 digital certificate format in detail. There are numerous ways to encode the information in a certificate before instantiation as a file, and the different methods result in different file extensions. Common extensions include .der, .pem, .crt, .cer, .pfx, .p12, and .p7b

23
Q

Pinning

A

When a certificate is presented for a host, either identifying the host or providing a public key, this information can be saved in an act called pinning, which is the process of associating a host with a previously provided X.509 certificate or public key. This can be important for mobile applications that move between networks frequently and are much more likely to be associated with hostile networks where levels of trust are low and risks of malicious data are high.

24
Q

Hierarchical Trust Model

A

The first type of trust model we’ll examine is a basic hierarchical structure that contains a root CA, an intermediate CA, leaf CAs, and end-entities. The configuration is that of an inverted tree, as shown in Figure 25-9. The root CA is the ultimate trust anchor for all other entities in this infrastructure, and it generates certificates for the intermediate CAs, which in turn generate certificates for the leaf CAs, and the leaf CAs generate certificates for the end-entities.