Basics Flashcards
What does PKI stand for?
Public Key Infrastructure
What is a PKI (Public Key Infrastructure)?
Two key (asymmetric) cryptosystem
What are the benefits of PKI?
Integrity
Confidentiality
Authenticity
Non-repudiation
Explain the concept of PKI’s Integrity?
Data doesn’t change in transit, and it came from whoever states it came from.
Explain the concept of PKI Confidentiality?
(Digital Encryption) Ensures the designated person is the only one who can view the document.
Explain the concept of PKI Authenticity?
When you log on and enter your password, the local security authority runs a hash algorithm on your password to produce a digest, and the digest is sent over the network to the server. The server, which knows your password, runs the same hash algorithm on it and should arrive at the same digest.
Explain the concept of PKI Non-repudiation
The maker of signed software is not able to repudiate it, since the certificate that contains the key pair is attached to the software.
What is a Certificate Authority?
A Certificate Authority binds public keys to the respective identities of entities. This binding is done through a process of registration and issuance of certificates.
What is the concept of Certificate Enrollment?
The process through which the public key binding is done, by registration and issuance of certificates.
What can a private CA do?
Certify entities such as user accounts, smartphones, routers, laptops or a website. It can perform the duties that a CA infrastructure can.
What is the difference between a Stand Alone CA vs Enterprise CA?
The stand-alone CA
- Offline
- No AD DS required
- All certificates are approved manually.
Enterprise CA
- Online
- AD DS required.
- Certificates can be issued or denied automatically based on a policy.
What is a two-tier CA?
- Root CA (stand-alone CA), after issuing certificates to Issuing CA it goes offline.
- Issuing CA is Enterprise CA and it’s always online. Auto-enrollment enabled.
Note: This prevents any rogue CA coming into your network since it needs to be certified through the root CA.
What is a policy hierarchy?
- Root CA (stand-alone CA), after issuing certificates to Policy CA it goes offline.
- Policy CA defines policy at a granular level and issues certificates to the Issuing CA
- Issuing CA is Enterprise CA and it’s always online. Auto-enrollment enabled.
Can Root CA and Issuing CA be on the same server?
Yes, they can, many companies use this method.
What does ADCS stand for?
Active Directory Certificate Services
What is the purpose of Active Directory Certificate Services?
AD CS is the “Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”
Basically what this means is rather than going to a third party Certificate Authority (CA) to get PKI certificates and using their hosted services, you can actually handle this in-house.
What are the 6 roles in Active Directory Certificate Services?
- Certificate Authority (CA).
- Online Responder.
- Network Device Enrollment Service (NDES).
- Certificate Enrollment Web Service.
- Certificate Enrollment Policy Web Service
- Certification Authority Web Enrollment
In ADCS, what is the purpose of Certificate Authority (CA)?
This is the core component which creates certificates for use. These certificates are issued to users or devices or to a subordinate CA.
In ADCS, what is the purpose of Online Responder?
This component provides a way for certificates to be checked that uses a small amount of network traffic.
In ADCS, what is the purpose of Network Device Enrollment Service?
This component allows non-domain devices like switches and routers to obtain certificates.
In ADCS, what is the purpose of Certificate Enrollment Web Service?
This allows certificates to be obtained using the web.
In ADCS, what is the purpose of Certification Authority Web Enrollment?
This component provides a web interface which end users can use to obtain certificates.
What is a certificate revocation list (or CRL)?
A certificate revocation list (or CRL) is “a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted.”