3.9 Given a Scenarior, Implement Public Key Infrastructure Flashcards

1
Q

Public key infrastructure (PKI)

A

A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Key management

A

Key management is the process of administering or managing cryptographic keys for a cryptosystem. It involves the generation, creation, protection, storage, exchange, replacement and use of said keys and with another type of security system built into large cryptosystems, enables selective restriction for certain keys.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Certificate Authority (CA)

A

A certificate authority (CA) issues, manages, validates, and revokes certificates. In some contexts, you might see a CA referred to as a certification authority, but they are the same thing. CAs can be large, such as Comodo, DigiCert, or Symantec, which are public CAs. A CA can also be small, such as a single service running on a server within a private network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Intermediate CA

A

A CA that is signed by a superior CA (e.g., a Root CA or another Intermediate CA) and signs CAs (e.g., another Intermediate or Subordinate CA). The Intermediate CA exists in the middle of a trust chain between the Trust Anchor, or Root, and the subscriber certificate issuing Subordinate CAs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Registration Authority(RA)

A

Users and systems request certificates from a CA using a registration process. In some cases, a user enters information manually into a web site form. In other cases, a user sends a specifically formatted file to the CA. Within a domain, the system handles much of the process automatically. As an example, imagine I wanted to purchase a certificate for GetCertifiedGetAhead.com for secure HTTPS sessions. I would first create a public and private key pair. Many programs are available to automate this process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Certificate revocation list (CRL)

A

CAs use certificate revocation lists (CRLs) to revoke a certificate. The CRL is a version 2 certificate that includes a list of revoked certificates identified by their serial numbers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Certificate’s attributes

A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Online certificate status protocol (OCSP)

A

OCSP allows the client to query the CA with the serial number of the certificate. The CA then responds with an answer of “good,” “revoked,” or “unknown.” A response of “unknown” could indicate the certificate is a forgery. Because OCSP provides a real-time response, it is an excellent example of supporting a common use case of low latency.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Certificate signing request (CSR)

A

A certificate signing request (CSR) is an encoded file containing information about your website, service, organization, and domain name. This information is used by a Certificate Authority (CA) to create an SSL/TLS certificate for your website to encrypt traffic to your site.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Common Name

A

CommonName (also known as the Fully Qualified Domain Name such as letsencrypt.org) • o: Organization (such as the Internet Security Research Group) • L: Locality (such as Mountain View) • S: StateOrProvinceName (such as CA) • C: CountryName (such as US)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Subject alternative name

A

A subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization. For example, Google uses SANs of *.google.com, *.android.com, *.cloud.google.com, and more. It is often used for systems with the same base domain names, but different top-level domains. For example, if Google used names such as google.com and google.net, it could use a single SAN certificate for both domain names.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Expiration

A

The first check is to ensure that it isn’t expired. If the certificate is expired, the computer system typically gives the user an error indicating the certificate is not valid.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Wildcard

A

A wildcard certificate starts with an asterisk (*) and can be used for multiple domains if each domain name has the same root domain. For example, Google uses a wildcard certificate issued to *.google.com. This same certificate can be used for other Google domains, such as accounts.google.com and support.google.com. Wildcard certificates can reduce the administrative burden associated with managing multiple certificates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Code signing

A

Developers often use code signing certificates to validate the authentication of executable applications or scripts. The code signing certificate verifies the code has not been modified. As an example, a PowerShell script can use a code signing certificate to prove the script hasn’t been modified before it is run.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Self-signed

A

A self-signed certificate is not issued by a trusted CA. Private CAs within an enterprise often create self-signed certificates. They aren’t trusted by default. However, administrators can use automated means to place copies of the self-signed certificate into the trusted root CA store for enterprise computers. Self-signed certificates from private CAs eliminate the cost of purchasing certificates from public CAs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Machine/computer

A

Certificates issued to a device or a computer are commonly called machine certificates or computer certificates. The certificate is typically used to identify the computer within a domain.

17
Q

Email.

A

Email certificates are used for encryption of emails and digital signatures,

18
Q

User.

A

Certificates can also be issued to users. They can be used for encryption, authentication, smart cards, and more. For example, Microsoft systems can create user certificates allowing the user to encrypt data using Encrypting File System (EFS).

19
Q

Root.

A

The root certificate is the certificate issued by the root CA.

20
Q

Domain validation.

A

A domain-validated certificate indicates that the certificate requestor has some control over a DNS domain. The CA takes extra steps to contact the requestor such as by email or telephone. The intent is to provide additional evidence to clients that the certificate and the organization are trustworthy.

21
Q

Extended validation.

A

Extended validation (EV) certificates use additional steps beyond domain validation. Some browsers display the name of the company before the URL when an extended validation certificate is used. Usage of EV certificates is on the decline. Most web browsers stopped including the name in the URL. Part of the reason is that the absence of the company name doesn’t mean anything to many users. Think of the user who clicks on a phishing email. He probably doesn’t know to look for a company name in the URL, so its absence doesn’t alarm him.

22
Q

Certificate formats

A

Most certificates use one of the X.509 v3 formats. The primary exception is certificates used to distribute certificate revocation lists that use the X.509 v2 format.

23
Q

Distinguished Encoding Rules (DER).

A

CER and DER formats are defined by the International Telegraph Union Telecommunication Standardization Sector (ITU-T) in the X.690 standard. They use a variant of the Abstract Syntax Notation One (ASN.1) format, which defines data structures commonly used in cryptography. CER is an ASCII format and DER is a binary format.

24
Q

Privacy enhanced mail (PEM)

A

The Privacy Enhanced Mail (PEM) certificate name implies that PEM-based certificates are used for email only, but that is misleading. PEM-based certificates can be used for just about anything.

25
Q

Personal information exchange (PFX)

A

Personal Information Exchange (PFX) is a predecessor to the P12 certificate and it has the same usage. Administrators often use this format on Windows systems to import and export certificates.

26
Q

Cer

A

CER is an ASCII format for certificates and DER is a binary format.

27
Q

P12

A

P12 certificates use the PKCS version 12 (PKCS#12) format and they are DER based (binary). They are commonly used to hold certificates with the private key. For example, when installing a certificate on a server to support HTTPS sessions, you might install a P12 certificate with the private key. Because it holds the private key, it’s common to encrypt P12 certificates. It’s also possible to include the full certificate chain in a P12 certificate.

28
Q

P7B

A

P7B certificates use the PKCS version 7 (PKCS#7) format and they are CER-based (ASCII). They are commonly used to share public keys with proof of identity of the certificate holder. Recipients use the public keys to encrypt or decrypt data. For example, a web server might use a P7B certificate to share its public key. P7B certificates can also contain a certificate chain or a CRL. However, they never include the private key.

29
Q

Online vs offline CA

A

If the CA is online, meaning it is accessible over a network, it’s possible to submit the CSR using an automated process. However, an organization may choose to keep some CAs offline to protect them from attacks. Offline CAs can only accept CSRs manually. Large organizations typically keep the root CA offline to reduce the risk of compromise. The root CA issues certificates to the intermediate and child CAs that are online and accessible.

30
Q

Stapling

A

Certificate stapling is an alternative to OCSP. The certificate presenter (such as a web server) appends the certificate with a timestamped digitally signed OCSP response from the CA.

31
Q

Pinning

A

Public key pinning is a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates. When configured on a web site server, the server responds to client HTTPS requests with an extra header. This extra header includes a list of hashes derived from valid public keys used by the web site. It also includes a max-age field specifying how long the client should store and use the data.

32
Q

Trust model

A

CAs are trusted by placing a copy of their root certificate into a trusted root CA store. The root certificate is the first certificate created by the CA that identifies it, and the store is just a collection of these root certificates. If the CA’s root certificate is placed in this store, all certificates issued by this CA are trusted.

33
Q

Key escrow

A

Key escrow is the process of placing a copy of a private key in a safe environment. This is useful for recovery. If the original key is lost, the organization retrieves the copy of the key to access the data. Key escrow isn’t required, but if an organization determines that data loss is unacceptable, it will implement a key escrow process.

34
Q

Certificate chaining

A

Certificate chaining combines all the certificates from the root CA down to the certificate issued to the end user. For example, the certificate chain for a wildcard certificate issued to google.com. A certificate chain would include all three certificates. In a small organization, the root CA can simply issue certificates to the devices and end users. It’s not necessary to have intermediate and child CAs.