Challenges Flashcards

1
Q

PKI Definition

A
  • Designed to facilitate the use of public key cryptography
  • Consists of hardware, software, people, policies, and procedures
  • Deals with the management of digital certificates in distributed environments
    -> creation, distribution, usage, storage, revocation
2
Q

Policies

A
  • Certificate policy: States what to comply with
  • Certificate practice statement: States how to comply
  • Policies are enforced by the PKI through:
    -> Selecting standards, parameters, hardware
    -> Monitoring the behavior of involved parties
    -> Reacting to infringements of the policy
3
Q

Public key certificates Definition

A

Data structures that bind public key values to subjects. The binding is asserted by having a trusted CA digitally sign each certificate.

4
Q

Certificate properties

A
  • Protected binding of a key to the key holder
  • Its authenticity is independent of the means of transportation
  • It can be used online and offline
  • It is a proof of the binding
  • It can be used for key servers
5
Q

X.509 certificate contents

A
  • Version
  • Serial Number (unique within PKI)
  • Certificate Signature Algorithm
  • Issuer
  • Validity Period
  • Subject
  • Subject Public Key Info
  • V2:
    -> Subject Unique ID (worldwide unique)
    -> Issuer Unique ID (worldwide unique)
  • V3:
    -> Extensions
6
Q

X.509 extensions

A
  • Subject Key Identifier
  • Authority Key Identifier
  • Key Usage
  • Subject Alternative Name
  • Issuer Alternative Name
  • Subject Directory Attributes
  • Extended Key Usage
7
Q

X.509 extensions: Subject Key Identifier

A
  • Identifies certificates that contain a particular public key
  • Must be included in all CA certificates
  • Derived from the subject public key either as the 160-bit hash of the public key or as “0100” followed by the least significant 60 bits of the hash value of the public key
8
Q

X.509 extensions: Authority Key Identifier

A
  • Identifies the public key that corresponds to the private key that has signed the certificate
  • Must be included in all certificates (unless self-signed) -> non-critical
  • Facilitates certification path construction
9
Q

X.509 extensions: Key usage

A
  • Defines the purpose of the key contained in the certificate
  • bit string
10
Q

X.509 extensions: Subject Alternative Name

A
  • Allows additional identities to be bound to the subject of the certificate (e.g. IP, e-mail address)
11
Q

X.509 extensions: Issuer Alternative Name

A
  • Associates Internet style identities with the certificate issuer
  • Should not be marked critical
12
Q

X.509 extensions: Subject Directory Attributes

A

Used to convey identification attributes of the subject (e.g. nationality)

13
Q

X.509 extensions: Extended Key Usage

A
  • Indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purpose indicated in the key usage extension
  • If present, both key usage and extended key usage extensions must be processed independently -> must be consistent
14
Q

TBS

A
  • to-be-signed
  • part of certificate which holds all information
    -> version, serial number, signature (algorithm used, is the same as signature algorithm), issuer, validity, subject, subject public key info, issuer unique id, subject unique id, extensions
  • Additionally: signature algorithm and signature value
15
Q

Why PKI?

A
  • Assure that the public key is
    -> available
    -> authentic (bind public key uniquely to electronic identity)
    -> valid (monitor binding between public key, electronic identity and key owner, establish time constraints, revoke binding)
  • Support security (select suitable algorithms and key sizes, monitor possible security threats and react adequately)
  • Support interoperability (comply with accepted (international) standards)
16
Q

X.509 relevant standards

A
  • X.509
  • PKIX
17
Q

Certificate (ASN.1)

A
  • To Be Signed Certificate: this part holds all information; this will be signed
  • Algorithm: The algorithm that is used for signing the TBS part
  • Signature Value: The calculated signature
18
Q

TBSCertificate (ASN.1)

A
  • Version
  • Serial Number
  • Signature: The algorithm OID and needed parameters used to sign the certificate (must be the same as signatureAlgorithm)
  • Issuer: Name of the CA in form of an X.500 distinguished name
  • Validity: NotBefore, NotAfter
  • Subject: Name (X.500 DN) of the certificate holder; the same DN must not be given to two different entities
  • SubjectPublicKeyInfo: algorithm OID of the public key + public key of the certificate holder
  • Issuer/Subject Unique ID
  • Extensions