Challenges Flashcards
1
Q
PKI Definition
A
- Designed to facilitate the use of public key cryptography
- Consists of hardware, software, people, policies, and procedures
- Deals with the management of digital certificates in distributed environments
-> creation, distribution, usage, storage, revocation
2
Q
Policies
A
- Certificate policy: States what to comply to
- Certificate practice statement: States how to comply
- Policies are enforced by the PKI through:
-> Selecting standards, parameters, hardware
-> Monitor behavior of involved parties
-> Reacting on infringement of the policy
3
Q
Public key certificates Definition
A
Data structures that bind public key values to subjects. The binding is asserted by having a trusted CA digitally sign each certificate.
4
Q
Certificate properties
A
- Protected binding of a key to the key holder
- Its authenticity is independent of the means of transportation
- It can be used online and offline
- It is a proof of the binding
- It can be used for key servers
5
Q
X.509 certificate contents
A
- Version
- Serial Number (unique within PKI)
- Certificate Signature Algorithm
- Issuer
- Validity Period
- Subject
- Subject Public Key Info
V2: - Subject Unique ID (worldwide unique)
- Issuer Unique ID (worldwide unique)
V3: - Extensions
6
Q
X.509 extensions
A
- Subject Key Identifier
- Authority Key Identifier
- Key Usage
- Subject Alternative Name
- Issuer Alternative Name
- Subject Directory Attributes
- Extended Key Usage
7
Q
X.509 extensions: Subject Key Identifier
A
- Identifies certificates that contain a particular public key
- Must be included in all CA certificates
- Either derived from the subject public key as 160 bit hash of public key or “0100” followed by the least significant 60 bits of the hash value of the public key
8
Q
X.509 extensions: Authority Key Identifier
A
- Identifies the public key that corresponds to the private key that has signed the certificate
- Must be included in all certificates (unless self-signed) -> non-critical
- Facilitates certification path construction
9
Q
X.509 extensions: Key usage
A
- Defines the purpose of the key contained in the certificate
- bit string
10
Q
X.509 extensions: Subject Alternative Name
A
- Allows additional identities to be bound to the subject of the certificate (e.g. IP, e-mail address)
11
Q
X.509 extensions: Issuer Alternative Name
A
- Associates Internet style identities with the certificate issuer
- Should not be marked critical
12
Q
X.509 extensions: Subject Directory Attributes
A
Used to convey identification attributes of the subject (e.g. nationality)
13
Q
X.509 extensions: Extended Key Usage
A
- Indicates on or more purposes for which the certified public key may be used, in addition to or in place ob the basic purpose indicated in the key usage extension
- If present, both key usage and extended key usage extensions must be processed independently -> must be consistent
14
Q
TBS
A
- to-be-signed
- part of certificate which holds all information
-> version, serial number, signature (algorithm used, is the same as signature algorithm), issuer, validity, subject, subject public key info, issuer unique id, subject unique id, extensions - sonst noch: signature algorithm und signature value
15
Q
Why PKI?
A
- Assure that the public key is
-> available
-> authentic (bind public key uniquely to electronic identity)
-> valid (monitor binding between public key, electronic identity and key owner, establish time constraints, revoke binding) - Support security (select suitable algorithms and key sizes, monitor possible security threats and react adequately)
- Support interoperability (comply to accepted (international) standards)