3.9 Given a scenario, implement public key infrastructure Flashcards
What is a registration authority?
The registration authorities, complete identity checking and submit certificate signing requests (CSRs) on behalf of end users, but they do not actually sign or issue certificates.
What is a certificate signing request?
When a subject wants to obtain a certificate, it completes a certificate signing request (CSR) and submits it to the CA. The CSR is a Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.
What is a subject alternative name (SAN)?
The subject alternative name (SAN) extension field is structured to represent different types of identifiers, including domain names. If a certificate is configured with a SAN, the browser should validate that, and ignore the CN value. It is still safer to put the FQDN in the CN as well, because not all browsers and implementations stay up to date with the standards.
What is a common name?
When certificates were first introduced, the common name (CN) attribute was used to identify the FQDN by which the server is accessed, such as www.comptia.org. This usage grew by custom rather than design, however. The CN attribute can contain different kinds of information, making it difficult for a browser to interpret it correctly. Consequently, the CN attribute is deprecated as a method of validating subject identity
What is domain validation?
Domain Validation (DV)—proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain. This process can be highly vulnerable to compromise.
What is the key management lifecycle?
Key management refers to operational considerations for the various stages in a key’s life cycle. A key’s life cycle may involve the following stages:
1.) Key generation—creating a secure key pair of the required strength, using the chosen cipher.
2.) Certificate generation—to identify the public part of a key pair as belonging to a subject (user or computer), the subject submits it for signing by the CA as a digital certificate with the appropriate key usage. At this point, it is critical to verify the identity of the subject requesting the certificate and only issue it if the subject passes identity checks.
3.) Storage—the user must take steps to store the private key securely, ensuring that unauthorized access and use is prevented. It is also important to ensure that the private key is not lost or damaged.
4.) Revocation—if a private key is compromised, the key pair can be revoked to prevent users from trusting the public key.
5.) Expiration and renewal—a certificate key pair that has not been revoked expires after a certain period. Giving the key or certificate a “shelf-life” increases security. Certificates can be renewed with new key material.
Key management can be centralized, meaning that one administrator or authority controls the process, or decentralized, in which each user is responsible for his or her keys.
Certificate and key management can represent a critical vulnerability if not managed properly. If an attacker can obtain a private key, it puts both data confidentiality and identification/authentication systems at risk. If an attacker gains the ability to create signed certificates that appear to be valid, it will be easy to harvest huge amounts of information from the network as the user and computer accounts he or she sets up will be automatically trusted.
What is key escrow?
Escrow means that something is held independently. In terms of key management, this refers to archiving a key (or keys) with a third party. This is a useful solution for organizations that don’t have the capability to store keys securely themselves, but it invests a great deal of trust in the third party.
What is a CRL?
CAs must maintain a certificate revocation list (CRL) of all revoked and suspended certificates, which can be distributed throughout the hierarchy. A list of certificates that were revoked before their expiration date.
What attributes does a CRL have?
A CRL has the following attributes:
Publish period—the date and time on which the CRL is published. Most CAs are set up to publish the CRL automatically.
Distribution point(s)—the location(s) to which the CRL is published.
Validity period—the period during which the CRL is considered authoritative. This is usually a bit longer than the publish period (for example, if the publish period was every 24 hours, the validity period might be 25 hours).
Signature—the CRL is signed by the CA to verify its authenticity.
What is an OCSP?
Another means of providing up-to-date information is to check the certificate’s status on an Online Certificate Status Protocol (OCSP) server, referred to as an OCSP responder. Rather than return a whole CRL, this just communicates the status of the requested certificate. Details of the OCSP responder service should be published in the certificate.
One of the problems with OCSP is that the job of responding to requests is resource intensive and can place high demands on the issuing CA running the OCSP responder. There is also a privacy issue, as the OCSP responder could be used to monitor and record client browser requests. OCSP stapling resolves these issues by having the SSL/TLS web server periodically obtain a time-stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time-stamped response, rather than making the client contact the OCSP responder itself.
What is certificate pinning?
A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
What is DER?
There are various formats for encoding a certificate as a digital file for exchange between different systems.
Cryptographic data—both certificates and keys—are processed as binary using Distinguished Encoding Rules (DER)×
The binary format used to structure the information in a digital certificate.
. Binary format files are not commonly used, however.
What is PEM?
Privacy enhanced electronic mail.
More typically, the binary data is represented as ASCII text characters using Base64 Privacy-enhanced Electronic Mail (PEM) encoding. ASCII-format data has descriptive headers, such as the “BEGIN CERTIFICATE” string.
Base64 encoding scheme used to store certificate and key data as ASCII text.