6.0 - Cryptography and PKI Flashcards

1
Q

What are Symmetric algoriithms?

A

Symmetric algorithms have shared secret key. Early cyphers were symmetric, as is the unbreakable one time pad method.

Common Symmetric Algorithms:

  • 3DES
  • AES
  • Blowfish
  • Twofish
  • RC4
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are modes of operation?

A

In symmetric or block algorithms, mulltiple blocks of identical data can give away the cipher. Modes of Operation are techniques that resolve this issue.

The NIST lists these Modes of Operation:

  • Electronic Code Book
  • Cipher Block Chaining
  • Cipher Feedback Mode
  • Output Feedback Mode
  • Conter Mode
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How do Asymmetric Algorithms work?

A

Asymmetric Algorithms use large numer factoring with a public and a private key (a key pair). This enabled digital signatures and allows secure sending without pre-shared keys.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Symmetric vs. Asymmetric encryption?

A

Symmetric encryption: Faster, requires a means to pre-share the key

Asymmetric encryption: public key can be sent in the clear, more CPU intensive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What purpose do Hashing functions serve?

A

Hashing functions performa a one-way encryption and can be used for data verification or message authentication.

Common Hash algorithms are:

  • MD2, MD4, MD5
  • SHA-1, SHA-256, SHA-384, SHA-512
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

This method adds a high-entropy data piece to a low-entropy user data, which makes the hash harder to break.

A

Salting. The Salt is the extra high-entropy data. This breaks the use of rainbow tables to break password hashes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

These are three similar methods that introduce an extra random string into a cypher.

A

Salting

Initialization Vector

Nonce

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Describe Elliptic Curve cryptography.

A

Elliptic Curve cryptography (ECC) uses calculations involved with eliptical curves to encrypt data. This is less processor intensive, so it is popular with low-power devices. Many secure text, email and voice apps on mobile devices use ECC and AES algorithms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What algorithms are weak or deprecated?

A

Weak or deprecated algorithms include:

  • MD5 - manufactured collisions have been achieved.
  • SHA-1, soon SAH-256
  • DES and 3DES
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What problem did the Diffie-Hellman key exchange solve?

A

Diffie-Hellman key exchange allows a key to be passed in the clear, even with all packets intercepted. This is important for the sharing keys in symmetrical encryption.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the steps in using a digital signature?

A

Digital signature process:

  1. Signature is hashed and the sender keeps a private key
  2. Hashed signature is appended to the message and sent
  3. Recipient decrypts hash with sender’s public key.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Does a digital signature protect the message from interception?

A

No. Signature only verifies the sender. Other means must be added to assure confidentiality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is Diffusion in cryptography?

A

Diffusion states that a single change in the plaintext should result in multiple changes in the ciphertext. This way changes in ciphertext do not reveal the plaintext.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is Confusion in cryptography?

A

Confusion means that each character of plaintext depends on multiple characters of the ciphertext.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is a Collision?

A

A Collision is when two different inputs have the same output on the cryptographic function.

This is possible with hashes, which creates the need for salting.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are some examples of Steganography?

A

Steganography examples:

  • Invisible ink
  • Hidden tattoos
  • Extra data encoded in digital images or video.
  • LSB - Least Signficant Bit - the last bit of each color pixel is changed in an image file.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is Obfuscation?

A

Obfucation is the act of making something unreadable but still useable:

  • Mangling code with extra, recursive functions
  • Salted Hashes
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What are the differences betweek Block and Stream Ciphers?

A

Block vs. Stream Ciphers:

  • Speed - stream is faster
  • Strength - block is more secure
  • Diffusion - block has more diffusion
  • Resistance to insertions/modifications - block is better
  • Error propagation - block has higher chance of error propagation
  • Common Block Algorthims: 3DES, AES
  • Common Stream Algorithms: A5, RC4
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Key strength and key length.

A

Larger keys make for stronger encryption, but comparisons across encryption methods are not valid. Some methods, such as 3DES, have only one key length.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is a Session Key?

A

A Session Key is a symmetric key created for a given communication session. It can be initially transmitted via a key exchange for greater security. This method offers good strength, speed and simplicity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is an Ephemeral Key?

A

An Ephemeral Key is generated and used only once. Diffie-Hellman uses an ephemeral key to create perfect forward secrecy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is a Secret Algorithm?

A

A Secret Algorithm is when the cryptographic method is kept a secret. For instance, using multiple hash functions. The drawback is limited testing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

How does the data state affect encryption?

A

Data States:

  • Data-in-Transit - needs end to end encryption such as TLS or SSL
  • Data-at-Rest - can use whole disc encyption or other forms of data encryption. Applies to cloud data as well.
  • Data-in-Use - data in the CPU and memory. Suscepible to data-scraping malware.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What to look for in a random number generator?

A

Truely random number generators rarely exist.

Look for a cryptographicaly secure RNG to seed encryption systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What is Key Stretching?

A

Key Stretching is adding iterative rounds of computation to a hash function, making it more difficult to brute force.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What is a Crypto Service Provider (CSP)?

A

A Crypto Service Provider (CSP) is a software library of various encoding and decoding functions. Microsoft CryptoAPI (CAPI) is a CSP for windows development.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

What is a Crypto Module?

A

A Crypto Module is a hardware or software device that peforms the encryption operations securely within a physical or logical boundary.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What is Perfect Foward Secrecy?

A

Perfect Foward Secrecy is when a public key system can derive new secure keys even when the original key is known. This is imporant to session key generation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

How important is Obscurity?

A

Obscurity - using obtuse names for servers, etc. - is not a fool-proof solution, but it does make the attacker’s job harder.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

List some common use cases for cryptographic services.

A

Cryptographic use cases:

  • Low power devices - eliptical curve crypto is good
  • Low latency systems - stream ciphers are an example
  • High resiliency - crypto can help restore system quickly after a disruption
  • Supporting Confidentiality - crypt keeps data in the right hands
  • Supporting Integrity - crypto keep data from being destroyed during transit
  • Supporting Obfuscation - encrypted data is opaque
  • Supporting Authentication - session keys, digital signatures
  • Supporting Non-repudiation - private key holders need to revoke the key if it is stolen
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

DES

A

DES (Data Encryption Standard):

  • Symmetric Encryption
  • Decertified, recertified, then decertified again by the NSA
  • Replaced by AES
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

3DES

A

3DES (Triple DES):

  • Symmetric Encryption
  • More CPU intensive then DES
  • Uses two or three keys - encrypt, decrypt, encrypt again
  • Still popular but being eplaced by AES
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

AES

A

AES (Advanced Encryption Standard):

  • Symmetric Encryption
  • 128, 192 and 256 bit key sizes
  • NIST RFP Finalists: MARS, RC6, Rijndael, Serpent, Twofish (Rigndael was chosen)
  • Current gold standard, considered secure and computationally efficient
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

RC4

A

RC4 (Rivest Cipher):

  • Generic term for RC1 - RC6
  • Symmetric Encryption
  • Stream Cipher
  • 8 - 2048 key length, 128 is most common
  • Ten times faster then DES
  • Need to include weak key detection when implementing
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Blowfish/Twofish

A

Bluefish/Twofish:

  • Symmetric Encryption
  • Finalist for AES
  • Available for public use
  • Full 16-round version has not been broken
  • Twofish is an improvement over Blowfish
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What is a Cipher Mode?

A

A Cipher Mode, or mode of operation, deals with identical blocks of ciphertext, which would give away identical blocks of input data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

CBC

A

CBC (Cipher Block Chaining):

  • Cipher Mode of Operation
  • Each block is XORed with the previous block
  • Cannot be parallelized
  • Plaintext can be recovered from two adjacent ciphertext blocks - POODLE attack
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

GCM

A

GCM (Galios Counter Mode):

  • Cipher Mode of Operation
  • Adds an authetication function to the ciphertext
  • Can be parallelized
  • Recoginized by NIST - AES-GCM, GCM, and GMAC
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

ECB

A

ECB (Electronic Code Block):

  • Cipher Mode of Operation
  • Simplest mode
  • Each block is encrypted separately
  • Identical blocks yield identical encrypted blocks
  • Not recomended in cryptographic protocols
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

CTR / CTM

A

CTR (Counter Mode):

  • Cipher Mode of Operation
  • Uses counter function to generate a nonce this is used for each block encryption
  • Can be multithreaded
  • Sometimes called CTM
  • Considered secure
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

What are the most widely used Cipher Modes?

A

CBC and CTM/CTR are the most widely used cipher modes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Describe the differences between Symmetric and Asymmetric encryption.

A

Differences between Symmetric and Asymmetric encryption:

  • Asymmetric is based on hard to reverse math problems.
  • In Asymmetric, the public key is known
  • Asymmetric is slower, and not good for bulk encryption
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

RSA

A

RSA (named after inventors):

  • Asymmetric / PKI Encryption
  • Product of two larger primes - best to choose 100 to 200 digit primes, both same number of digits
  • 100 times slower than DES, symmetric cipher
44
Q

DSA

A

DSA (Digital Signature Authentication):

  • Asymmetric / PKI crypto
  • Includes authenticity and identity of sender
  • Sender signs with their private key
  • Hash codes for integrity check
  • Broke on Sony’s PS3 due to incorrect implementation
45
Q

Diffie-Hellman

A

Diffie-Hellman:

  • Asymmetric crypto
  • One of the most common encryption protocols
  • Used in key exchange for SSL and TLS
  • Also used by SSH and IPSec.
  • Can share a secret key between parties who have not contacted each other before
  • Gold standard for key exchange
46
Q

DH Groups

A

Diffie-Hellman Groups determine the strength of the key exchange process. Higher group numbers are more secure, but more CPU intensive

  • Group 1 - 768-bit key
  • Group 2 - 1024-bit key
  • Group 5 - 1536-bit key
  • higher numbers also supported
47
Q

DHE

A

DHE (Diffie-Hellman Ephemeral)

  • Temporary key varient of DH, instead of using the same key more than once.
48
Q

ECDH / ECDHE

A

ECDH (Eliptical Curve Diffie-Hellman)

ECDHE (Eliptical Curve Diffie-Hellman Ephemeral)

DH varients with elipitical curve keys. EDCHE has perfect forward secrecy

49
Q

ECC

A

ECC (Eliptical Curve Cryptography)

  • Asymmetric Crypto
  • Good for limited CPU platforms
  • Security has been questioned mostly due to lack of analysis.
  • ECC and AES are popular with mobile applications.
50
Q

PGP / GPG

A

PGP (Pretty Good Privacy):

  • Asymmetric and symmetric crypto
  • Was freeware, now owned by Symantec
  • Can be applied to popular email apps, using symmetric and asymmetric protocols
  • GPG (Gnu Privacy Guard) is an open-source command-line implementation
51
Q

What are hashing algorithms used for?

A

Hashing Algorithms are most commonly used to store computer passwords and to ensure message intregrity.

52
Q

MD5

A

MD (Message Direct):

  • Hashing Algorithm
  • Not entirely secure
  • SHA is a better option
53
Q

SHA

A

SHA (Secure Hash Algorithm):

  • Hash Algorithms
  • Set of hashes published by NIST and NSA
  • SHA-1 - vulnerable to collission attacks
  • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) - most commonly used
  • SHA-3 - new, not in common use yet
54
Q

HMAC

A

HMAC (Hashed Message Authentication Code):

MAC is used to determine if message has changed during transmission. HMAC adds authenticity to this integrity check. Can use MD5, SHA or RIPEMD algorithms.

55
Q

RIPEMD

A

RIPEMD (RACE Integrity Primitives Evaluation Message Digest):

  • Hashing function
  • Original version has problems with collisions
  • Later versions: RIPEMD-160, RIPEMD-256, RIPEMD-320
  • Larger keys offer larger output sizes, but do not make the function inherently stronger.
56
Q

What does a key stretching algorithm do?

A

A key stretching algorithm takes a weak key and makes it stronger against brute force attacks.

CPU intensive, but ok for single-use, such as password lists.

57
Q

BCRYPT

A

BCRYPT:

  • Key Stretching algorithm
  • Uses Blowfish cipher and salting
  • Makes brute forcing unfeasible
58
Q

PBKDF2

A

PBKDF2 (Password-Based Key Derivation Function 2):

  • Key Stretching algorithm
  • Uses Password and salt and applies and HMAC to the input thousands of times.
  • Makes brute forcing unfeasible
59
Q

XOR

A

XOR (Exclusive OR):

  • Obfuscation method
  • Applies XOR operator to every character given a key
  • Reappling the XOR function with the key will remove the cipher.
  • Very fast
  • Common component of many complex algorithms
  • On perfect if the key is as long as the text being encrypted
60
Q

ROT13

A

ROT13:

  • Special case of Caesar cipher, with alphabet shifted 13 characters.
  • Since 13 is half of 26, running it a second time decodes the cipher
61
Q

Substitution Ciphers

A

Substitution Ciphers:

  • Character by character substitution, using same cipher for entire message.
  • Only 88 bit entropy
  • Easy to hack with frequency analysis, due to the structure of language.
62
Q

WEP

A

WEP (Wired Equivalent Privacy):

  • Early 80.11 crypto
  • Has been exploited
  • 16 million keys, so they are reused
  • AirSnort can crack WEP in a couple of hours on a busy WAP
63
Q

WPA

A

WPA (Wi-Fi Protected Access):

  • Wi-Fi crypto
  • Flawed WEP algorithm with TKIP
  • Key must be manually entered on devices
  • No forward secrecy - if attacker gets the key, they can decrypt every packet
  • Was a stop-gap until WPA2 arrived
64
Q

WPA2

A

WPA2 (Wi-Fi Protected Access 2):

  • Wi-Fi Crypto
  • Uses AES as the encryption protocol, better than RC4 used in WEP and WPA
65
Q

CCMP

A

CCMP (Counter Mode with CBC-MAC Protocol):

  • Specified in 802.11i, an amendment to the 802.11 standards
  • Works with AES, but requires new hardware
  • Provides message integrity
66
Q

TKIP

A

TKIP (Temporal Key Integrity Protocol):

  • Wi-Fi cryto
  • Replaced WEP without needing new hardware
  • Stopgap measure
  • Mixed a secret root key with IV before the RD4 encryption
  • Vulnerable to same attacks as WEP
67
Q

Wi-Fi Cryptographic protocols vs. Authentication protocols?

A

Cryptographic protocols:

  • Encrypts the data
  • WEP, TKIP, WPA, WPA2, CCMP

Authentication protocols:

  • Authenticates the device
  • EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS
  • Also IEEE 802.11x and RADIUS
68
Q

EAP

A

EAP (Extensible Authentication Protocol):

  • Wi-Fi framework for authentication methods (not an authenication method itself)
  • Supports multiple authentication methods
  • Can work with tokens, smart cards, certificates, one-time passwords, and public keys
  • Expanded from PPP
69
Q

PEAP

A

PEAP (Protected EAP):

  • Wi-Fi Authentication protocol
  • EAP encapsulated in a TLS tunnel
  • Widely supported by vendors for use over wireless networks
70
Q

EAP-FAST

A

EAP-FAST (EAP Flexible Authentication via Secure Tunneling):

  • Wi-Fi Authentication protocol
  • EAP inside a lightweight tunnel
  • Passes a Protected Access Credential (PAC) that used to establish the tunnel.
  • Replacement for Cisco LEAP
71
Q

EAP-TLS

A

EAP-TLS:

  • Wi-Fi Authentication Protocol
  • Uses client-side certificates, so attacker would need the certificate key
  • Popular
72
Q

EAP-TTLS

A

EAP-TTLS (EAP Tunneled TLS):

  • Wi-Fi Authentication Protocol
  • Similar to EAP-TLS, but tunnels the client side of the authentication
  • Allows for legacy authentication protocols such as POP, CHAP, MS-CHAP and MS-CHAP-V2
  • Protects from man-in-the-middle attacks
  • Client-side certificates are optional, making it easier to setup than EAP-TLS
73
Q

IEEE 802.1X

A

IEE 802.1X:

  • Authentication standard
  • Port-based authentication to a device, such as an edge router
  • Often used to authenticate the Wi-Fi device prior to admission to the wireless network
  • Used in tandem with a RADIUS server.
74
Q

RADIUS Federation

A

RADIUS Federation:

There are a few world-wide Federated RADIUS schemes, such as EDUROAM, which allows users to connect at education facilities worldwide.

Only EAP methods with certificates can be used, as the connection will be tunneled.

75
Q

Wi-Fi Method: PSK

A

PSK (Pre-shared Key):

  • Typical for home routers
  • WPA or WPA2
  • Key of 20 random characters or longer is safe
76
Q

Wi-Fi Method: Enterprise

A

Enterprise Wi-Fi:

  • Uses IEEE 802.1X and RADIUS authentication
  • Uses usernames and passwords
  • Can provide Network Access Control (NAC), and multiple random keys instead of a single PSK
77
Q

Wi-Fi Method: Open

A

Open Wi-Fi:

  • Not truly authentication, but sharing of a secret key based on the SSID.
  • Key is a random number for use during that session.
78
Q

WPS

A

WPS (Wi-Fi Protected Setup):

  • Wi-Fi Security Standard
  • Eight-digit PIN
  • Easy to use
  • Popular on home and small business networks
  • Can be brute forced
79
Q

Captive Portals

A

Captive Portals:

  • Wi-Fi security method
  • Browser point to a webpage for authentication
  • Popular on public hotspots
80
Q

What is a Certificate Authority?

A

A Certificate Authority takes the information from the registering authority (RA) and creates a certificate for a user. They combine the user’s public key with the certificate. The certificate is then digitally signed with the CA’s private key.

81
Q

What is an Intermediate CA?

A

An Intermediate Certficate Authority uses the CA as a reference and can transfer trust between different CAs.

82
Q

How does certificate revocation work?

A

Once a certificate is deemed to be compromized, (or if the individual has left the company in the case of an in-house PKI), the certificate is revoked by the CA. This is permanent for security reasons.

A good PKI system will check for revocation before trusting a certificate.

The individual requesting revocation must be authenticated themselves, to avoid fraud. Also a user cannot request their own revocation.

83
Q

What is a CRL?

A

The CRL (Certificate Revocation List):

  • Lists all revoked certificates for that CA.
  • It is stored in a publicly accessable directory.
  • Signed with its own certificate
  • Can only be modified by the CA
  • How often the CRL is updated is determined by the CA and listed in their Certification Practices Statement (CPS)
84
Q

How are CRL files updated?

A

The CRL file can be pushed to a local PKI periodically, or the CRL can be requested (pulled) by an individual user.

Delta CRLs can also be pushed after the initial CRL is received, for less data transfer.

An online service can also be used to check for revoked certificates. These requests use OCSP (Online Certficate Status Protocol).

85
Q

What is a CSR?

A

A CSR (Certificate Signing Request) is the request to a CA needed to generate a certificate. It will contain and public key and other information.

86
Q

What does a Certificate contain?

A

Under the X.509 standard, version 3, certificates contain the following fields:

  • Version Number - V3 currently
  • Subject - the person or network device that the certificate verifies
  • Public Key
  • Issuer
  • Serial Number
  • Validity - dates of use
  • Signature algorithm
  • Extensions - free text for added functionality
87
Q

Public vs. Private key

A

Public Key:

  • Is attached to the message it protects.
  • Can be shared freely

Private Key:

  • Is the other half of the asymmetric encryption
  • Must be protected. Rarely leaves the CA that created it.
88
Q

What are Object Identifiers (OID)

A

Each extenstion, or optional field, in a certificate has an ID or OID, along with a critical or noncritical indication.

The system must reject a certificate if it encounters a critical extension it does not recognize or cannot process.

89
Q

Why have an offline CA?

A

A CA that is only used periodically may be kept offline except when needed for added security. Other requests such as CRL and validation can be moved to second authority.

90
Q

What is Stapling?

A

Extra information, such as OCSP responder info, can be submitted along with a certificate request to avoid additional fetches. This is Stapling.

91
Q

What is Pinning?

A

Pinning is the process of associating a host with a previously provided certificate or public key.

This is useful with mobile applications that cross networks often, and travel to untrusted networks.

Pinning avoids the user of DNS, it related security issues.

This technique is called key continuity. Safe as long as an attacker did not witness the initial contact. The certificate or the public key can be pinned.

92
Q

Define some trust models.

A

Trust models:

  • Hierarchical: Root CA > Intermediate CAs > Leaf CAs > users and devices. Root CA is the ultimate trust anchor. Many steps to follow certificate path.
  • Peer-to-Peer: CAs will cross-certify each other. Difficult to scale.
  • Hybrid: Multiple hierachical trusts that are cross-certified to each other, sometimes through a bridge CA. Good for multiple companies what want to establish trust with each other.
93
Q

What is Key Escrow

A

Key Escrow:

  • A third party, often government, keeps a second copy of your private key.
  • Under court order, they can see all of your communications.
  • Also used by corporations, in case the user is unavailable
  • Key escrow outside of your organization creates a possible security issue
94
Q

What is Certificate Chaining?

A

The certificate chain, is the chain of trust from the CA’s Root Certificate, down to the user’s certificate. Each certificate in the chain should be verified.

95
Q

What are the four main types of certificates?

A

Types of certificates:

  • End-Entity
  • CA - self-signed at root or issued by higher CA
  • Cross-Certification
  • Policy - controls policy info to PKI clients in high-security situations
96
Q

What is a Wildcard Certificate?

A

A Wildcard Certificate authenticates and entire entity: *.example.com instead of just one individual at the entity.

97
Q

What is the SAN field used for in a certificate?

A

The SAN (Subject Alternative Name) is a field/extension in a certificate that can be used for:

  • Machine: The FQDN
  • User: the User Principal Name (UPN)
  • SSL: can indicate multiple domains across which the certificate is valid
98
Q

What is a code signing certificate?

A

A Code Signing Certificate certifies the authenticity of a piece of code.

99
Q

What is a Self-Signed Certificate?

A

A Self-Signed Certificate has no greater authority of trust. An internal corporate PKI would have a self-signed certificated on the root CA.

100
Q

What is a Machine/Computer Certificate?

A

A Machine or Computer Certificate is used in Active Directory to identify the PC. This is an end-entity certificate.

101
Q

E-Mail and Certificates

A

Specialized certificates are often issued for email. These are end-entity certificates.

102
Q

User Certificates

A

User Certficates are used for EFS encryption, email, and client authentication.

103
Q

Root Certificates

A

Root Certificates:

  • Initial basis of trust
  • Issued and signed by CA
  • Can be chained in a trust structure
  • Different vendors (MS, Apple, etc.) have differing lists of trusted root certificates.
104
Q

Domain Validation

A

Domain Validation:

  • A low-trust means of validation to demonstrate control over a DNS domain
  • Used for TLS
  • Little assurance that the identity has not been spoofed
  • Extended Validation is better
105
Q

Extended Validation

A

Extended Validation (EV):

  • Better method of Domain Validation
  • Used on HTTPS sites and apps
  • Better validation before certificate is issued by CA
106
Q

List Certificate Formats

A

Certificate Formats:

  • DER - can contain only a single certificate
  • PEM - Most common. Can contain multiple certificates, including a certficate chain.
  • CER - Used for website SSL Certificates. Microsoft alternative to CRT
  • CRT - used on Unix systems
  • KEY - used for public or private PKCS#8 keys
  • PFX - PKCS#12 file - stores server cert, intermediate cert and private key in one file. Used to import and export certificates and private keys in Windows.
  • P12 - Alternative extension for PKCS#12
  • P7B - PKCS#7 - stores certs and chain certs, not the private key. Used in Windows and Java Tomcat.