7: Elements of public key infrastructure Flashcards
What is a public key infrastructure
A centralized function that is used to store and publish public keys and other information
The process involved in PKI for Digital Certificate
1- Applicant applies for a digital certificate from the Certifying Authority (CA).
2- The CA delegates the process for verification of information to Registration Authority (RA).
3- The RA validates the information and if it’s correct, tells CA to issue the certificate.
4- CA issues the certificate and manages it throughout its life cycle.
Certificate revocation list
A list of revoked/terminated certificates maintained by the CA
Certification Practice Statement (CPS)
Contains standard operating procedure for issuance of certificate
What does CA do AFTER the certificate is issued
CA validates and authenticates the holder after issuance of certificate
What does RA do BEFORE the certificate is issued
RA validates and authenticates information of the applicant before issuance of certificate.
Function of RA
1- Verify information supplied by the applicant
2- Verifying that the applicant actually possesses the private key being registered and that it matches the public key requested for the certificate. This is generally referred to as proof of possession (POP).
3- Distributing the physical tokens containing the private keys.
4- Generating shared secret keys for use during the initialization and certificate pick-up phases of registration.
(1) Authority that manages the certificate life cycle is the:
A. certificate authority (CA)
B. certificate revocation list (CRL)
C. certification practice statement (CPS)
D. registration authority (RA)
Answer: A. certificate authority (CA)
Explanation:
In any given scenario, the certifying authority (CA) is solely responsible for issuance of the digital certificate and for managing the certificate throughout its life cycle. The registration authority performs the process of identification and authentication by establishing a link between the identity of the requesting person or organization and the public key. In short, a CA manages and issues certificates, whereas an RA is responsible for identifying and authenticating the information provided by subscribers, but does not sign or issue certificates. A CRL is a list of certificates that have been revoked before their scheduled expiration date. A CPS is a detailed set of rules and processes governing the Certifying Authority's (CA) operations.
(2) In a public key infrastructure, the role of a registration authority is to:
A. issue the certificate to subscriber.
B. manage certificate throughout its life cycle.
C. maintain the list of revoked certificates.
D. validate the information provided by the subscriber requesting a certificate.
Answer: D. validate the information provided by the subscriber requesting a certificate.
Explanation:
In any given scenario, the registration authority (RA) is responsible for identifying and authenticating subscribers, but does not sign or issue certificates. The certifying authority (CA) is solely responsible for issuance of the digital certificate, managing the certificate throughout its life cycle and maintaining the list of revoked certificates.
(3) Which of the following PKI elements controls and manages the digital certificate life cycle to ensure proper security exists in digital signature applications?
A. Certification revocation list
B. Registration authority (RA)
C. Certificate authority (CA)
D. Certification practice statement
Answer: C. Certificate authority (CA)
Explanation:
In any given scenario, the certifying authority (CA) is solely responsible for issuance of the digital certificate and for managing the certificate throughout its life cycle. The registration authority is an optional entity that is responsible for administrative tasks such as identifying and authenticating the information provided by applicants. Choice A is incorrect since a CRL is a list of certificates that have been revoked before their scheduled expiration date. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.
(4) Which of the following processes can be delegated by a certificate authority (CA)?
A. issuance of digital certificates.
B. managing the certificate throughout its life cycle.
C. establishing a link between the requesting entity and its public key.
D. maintain the list of revoked certificates.
Answer: C. establishing a link between the requesting entity and its public key.
Explanation:
Establishing a link between the requesting entity and its public key is a function of a registration authority, so this function can be delegated to the RA. The other functions have to be managed by the CA only.
(5) In a public key infrastructure, which of the following would an IS auditor consider a weakness?
A. Certificate authorities are centrally located however customers are widely dispersed geographically.
B. Transactions can be made from any computer or mobile device.
C. The certificate authority has multiple data processing centers to manage the certificates.
D. The organization is the owner of the certificate authority.
Answer: D. The organization is the owner of the certificate authority.
Explanation:
If an organization is the owner of the certificate authority, this creates a conflict of interest. In such cases the certifying authority is not independent, and a third party may repudiate the transactions. The other options are not weaknesses.
(6) In a public key infrastructure, a registration authority:
A. issues the certificate.
B. verifies information supplied by the subject requesting a certificate.
C. signs the certificate to achieve authentication and non-repudiation.
D. manages the certificate throughout its life cycle.
Answer: B. verifies information supplied by the subject requesting a certificate.
Explanation:
In any given scenario, the registration authority (RA) is responsible for identifying and authenticating subscribers, but does not sign or issue certificates. A registration authority is responsible for verifying information supplied by the subject requesting a certificate. Options A and D are functions of the CA. Option C is not a task performed by the RA: the sender, who has control of his/her private key, signs the message, not the registration authority.
(7) Detailed descriptions for dealing with a compromised private key are provided in which of the following public key infrastructure (PKI) elements?
A. Certificate policy (CP)
B. Certificate revocation list (CRL)
C. Certification practice statement (CPS)
D. PKI disclosure statement (PDS)
Answer: C. Certification practice statement (CPS)
Explanation:
The Certification practice statement (CPS) is a detailed set of rules and processes governing the Certifying Authority's (CA) operations. It is the document in which the standard operating procedure (SOP) for issuance of certificates and other relevant details are documented. The CPS is the how-to part of a policy-based PKI. A CRL is a list of certificates that have been revoked before their scheduled expiration date. The PDS covers critical items, such as the warranties, limitations and obligations that legally bind each party.
(8) In a public key infrastructure, the role of a certificate authority is to:
A. ensure secured communication and secured network services based on certificates.
B. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA.
C. ensure secured communication infrastructure between parties.
D. hosting of private keys of subscribers in the public domain.
Answer: B. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA.
Explanation:
The primary activity of a CA is to issue certificates and to validate the identity and authenticity of the entity owning the certificate and the integrity of the certificate issued by that CA. CAs are not responsible for the secured communication channel. Private keys are not made available in the public domain.