Chapter 10 Understanding Cryptography and PKI Flashcards
______ provides assurances that data has not been modified. Hashing ensures that data has retained integrity.
Integrity
A ____ is a number derived from performing a calculation on data, such as a message, patch, or file.
Hash
_______ creates a fixed-size string of bits or hexadecimal characters, which cannot be reversed to re-create the original data.
Hashing
Common hashing algorithms include ___ and ______ ____ ________.
MD5 and Secure Hash Algorithm (SHA)
_________ ensures that data is only viewable by authorized users.
Confidentiality
_______ protects the confidentiality of data.
Encryption
_______ scrambles, or ciphers, data to make it unreadable if intercepted.
Encryption
_______ normally includes an algorithm and a key.
Encryption
_______ _________ uses the same key to encrypt and decrypt data.
Symmetric encryption
_________ _________ uses two keys (public and private) created as a matched pair.
Asymmetric encryption
_________ _________ requires a Public Key Infrastructure (PKI) to issue certificates.
Asymmetric encryption
True or False: Anything encrypted with the public key can only be decrypted with the matching private key.
True
True or False: Anything encrypted with the private key can only be decrypted with the matching public key.
True
_____ ______ encrypt data 1 bit at a time.
Stream ciphers
_____ _______ encrypt data in blocks.
Block ciphers
___________ provides a level of confidentiality by hiding data within other files.
Steganography
A ______ _______ provides authentication, non-repudiation, and integrity.
Digital signature
__________ validates an identity.
Authentication
____________ prevents a party from denying an action.
Non-repudiation
True or False : Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key.
True
True or False : Only the sender’s public key can decrypt the hash, providing verification it was encrypted with the sender’s private key.
True
True or False : No matter how many times you execute the hashing algorithm against the data, the hash will always be the same if the data is the same.
True
_______ _______ is a common hashing algorithm that produces a 128-bit hash.
Message Digest 5 (MD5)
True or False : Although security experts now consider MD5 cracked and discourage its use, it is still widely used to verify the integrity of files. This includes email, files stored on disks, files downloaded from the Internet, executable files, and more.
True
List the different types of SHA
- SHA-0 - not used
- SHA-1 - creates 160-bit hashes. Deprecated by NIST in 2011
- SHA-2 - four versions: SHA-256, SHA-512, SHA-224, SHA-384. The last two create truncated versions of the first two
- SHA-3 - similar to SHA-2
An ____ is a fixed-length string of bits similar to other hashing algorithms such as MD5 and SHA-1
HMAC
True or False : HMAC also uses a shared secret key to add some randomness to the result and only the sender and receiver know the secret key.
True
True or False : Internet Protocol security (IPsec) and Transport Layer Security (TLS) often use a version of HMAC such as HMAC-MD5 and HMAC-SHA1.
True
_____ _________ ________ _______ ______ ______ is another hash function used for integrity, though it isn’t as widely used as MD5, SHA, and HMAC.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
True or False : Many applications calculate and compare hashes automatically without any user intervention.
True
_________ is a free program anyone can use to create hashes of files.
sha1sum.exe
True or False : Hashing is a one-way function that creates a string of characters. You cannot reverse the hash to re-create the original file. Passwords are often stored as hashes instead of storing the actual password. Additionally, applications often salt passwords with extra characters before hashing them.
True
___ _________ is a technique used to increase the strength of stored passwords and can help thwart brute force and rainbow table attacks.
Key stretching (sometimes called key strengthening)
True or False : Key stretching techniques salt the passwords with additional random bits to make them even more complex.
True
List two common key stretching techniques
- Bcrypt
- Password-based key derivation function 2 (PBKDF2)
______ is based on the Blowfish block cipher and is used on many Unix and Linux distributions to protect the passwords stored in the shadow password file.
Bcrypt
_____ salts the password by adding additional random bits before encrypting it.
Bcrypt
True or False: The result of bcrypt is a 60-character string
True
True or False : As an added measure, it’s possible to add some pepper to the salt to further randomize the bcrypt string.
True
The pepper is another set of random bits stored elsewhere
________ uses salts of at least 64 bits and uses a pseudo-random function such as HMAC to protect passwords.
PBKDF2
True or False : Many algorithms such as Wi-Fi Protected Access II (WPA2), Apple’s iOS mobile operating system, and Cisco operating systems use PBKDF2 to increase the security of passwords.
True
True or False : Some security experts believe that PBKDF2 is more susceptible to brute force attacks than bcrypt.
True
True or False : If a question asks what you would use to encrypt data and it lists hashing algorithms, you can quickly eliminate them because hashing algorithms don’t encrypt data.
True
_________ data is in a ciphertext format that is unreadable.
Encrypted
True or False : if data is sent in cleartext, an attacker can capture and read the data using a protocol analyzer.
True
_____ __ ____ refers to any data stored on media and it’s common to encrypt sensitive data.
Data-at-rest
____ __ _______ refers to any data sent over a network and it’s common to encrypt sensitive data-in-transit.
Data-in-transit
____ __ ___ refers to data being used by a computer.
Data-in-use
What two elements are included in symmetric and asymmetric encryption?
- Algorithm
- Key
The _______ performs mathematical calculations on data and is always the same
Algorithm
The ___ is a number that provides variability for the encryption. It is either kept private and/or changed frequently.
Key
True or False : Many encryption schemes require a random or pseudo-random number as an input.
True
An ______ _____ provides a starting value for a cryptographic algorithm. It is a fixed-size random or pseudo-random number that helps create random encryption keys.
Initialization vector (IV)
A ______ is a number used once.
Nonce
True or False : Many cryptographic algorithms use a random or pseudo-random nonce as a seed or a starting number.
True
___ operations compare two inputs.
XOR
In the context of encryption, _______ means that the ciphertext is significantly different than the plaintext.
Confusion
Effective ______ techniques ensure that small changes in the plaintext result in large changes in the ciphertext.
Diffusion
A _______ algorithm is one that is kept private.
Secret
True or False : A weak algorithm can be cracked, allowing an attacker to easily convert ciphertext back to plaintext.
True
Within cryptography, ____ _______ refers to the security of an encryption key even if an attacker discovers part of the key.
High resiliency
A ____ _____ encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks.
Block cipher
True or False : The block cipher divides large files or messages into these blocks and then encrypts each individual block separately.
True
A _____ ______ encrypts data as a stream of bits or bytes rather than dividing it into blocks.
Stream cipher
In general, ______ _______ are more efficient than block ciphers when the size of the data is unknown or sent in a continuous stream, such as when streaming audio and video over a network.
Stream ciphers
_____ _______ are more efficient when the size of the data is known, such as when encrypting a file or a specific-sized database field.
Block ciphers
True or False : An important principle when using a stream cipher is that encryption keys should never be reused.
True
If a key is reused, it is easier to crack the encryption.
Algorithms that use ___ divide the plaintext into blocks and then encrypt each block using the same key.
Electronic Codebook (ECB)
True or False : The Electronic Codebook (ECB) mode of operation is the simplest cipher mode
True
True or False : ECB is not recommended for use in any cryptographic protocols today.
True
_____ ______ ________ mode is used by some symmetric block ciphers. It uses an IV for randomization when encrypting the first block. It then combines each subsequent block with the previous block using an XOR operation.
Cipher Block Chaining (CBC)
Because encryption of each block is dependent on the encryption of all previous blocks, ____ sometimes suffers from pipeline delays, making it less efficient than some other modes.
CBC
_______ mode effectively converts a block cipher into a stream cipher. It combines an IV with a counter and uses the result to encrypt each plaintext block. Each block uses the same IV, but ___ combines it with the counter value, resulting in a different encryption key for each block.
Counter (CTM)
It’s much more common to see it listed as CTR or CM.
True or False : Multiprocessor systems can encrypt or decrypt multiple blocks at the same time, allowing the algorithm to be quicker on multiprocessor or multicore systems.
True
True or False : CTM is not widely used and respected as a secure mode of operation.
True
______ ______ ____ is a mode of operation used by many block ciphers. It combines the _____ mode of operation with the _____ mode of authentication.
Galois/Counter Mode (GCM), Counter, Galois
True or False : In addition to encrypting the data for confidentiality, Galois/Counter Mode includes hashing techniques for integrity.
True
Symmetric encryption is also called ______ ___ encryption or _______ ___ encryption.
Secret-key or session-key
A ________ _____ replaces plaintext with ciphertext using a fixed system.
Substitution cipher
The ______ cipher uses the same substitution algorithm, but always uses a key of 13.
ROT13 (short for rotate 13 places)
True or False : Because ROT13 uses both the same algorithm and the same key, it doesn’t provide true encryption but instead just obfuscates the data.
True
True or False : Symmetric encryption algorithms change keys much more often than once a day.
True
The _______ _________ _________ is a strong symmetric block cipher that encrypts data in 128-bit blocks.
Advanced Encryption Standard (AES)
True or False : AES can use key sizes of 128 bits, 192 bits, or 256 bits, and it’s sometimes referred to as AES-128, AES-192, or AES-256 to identify how many bits are used in the key.
True
______ keys for a specific algorithm result in stronger key strength.
Longer
List some of the strengths of AES
- Fast - uses elegant mathematical formulas and only requires a single pass to encrypt and decrypt data
- Efficient - less resource intensive
- Strong - provides strong encryption of data, resulting in a high level of confidentiality
____ ________ ________ is a symmetric block cipher that was widely used for many years, dating back to the 1970s.
Data Encryption Standard (DES)
True or False : DES encrypts data in 64-bit blocks. However, it uses a relatively small key of only 56 bits and can be broken with brute force attacks.
True
DES is not recommended for use today.
____ is a symmetric block cipher designed to encrypt data using the DES algorithm in three separate passes and uses multiple keys.
3DES (pronounced as “Triple DES”)
True or False : 3DES uses key sizes of 58 bits, 116 bits, or 174 bits.
False
52, 112, 168 bits
___ is a symmetric stream cipher and it can use between 40 and 2,048 bits.
RC4 (also called ARC4)
True or False : Microsoft recommends disabling RC4 and using AES instead due to the speculation that the NSA can break RC4.
True
True or False: TLS can implement either block or stream ciphers
True
_______ is a strong symmetric block cipher that encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits.
Blowfish
______ is related to Blowfish, but it encrypts data in 128-bit blocks and it supports 128-, 192-, or 256-bit keys.
Twofish
True or False: AES-256 is faster than Blowfish
False
List the type, method, and key size for the following:
- AES
- 3DES
- Blowfish
- Twofish
- RC4
- DES
- Symmetric encryption, 128-bit block cipher, 128-, 192-, or 256-bit key
- Symmetric encryption, 64-bit block cipher, 56-, 112-, or 168-bit key
- Symmetric encryption, 64-bit block cipher, 32- to 448-bit key
- Symmetric encryption, 128-bit block cipher, 128-, 192-, or 256-bit key
- Symmetric encryption, stream cipher, 40- to 2,048-bit key
- Symmetric encryption, 64-bit block cipher, 56-bit key
__________ encryption uses two keys in a matched pair to encrypt and decrypt data: a public key and a private key.
Asymmetric
True or False : If the public key encrypts information, only the matching private key can decrypt the same information.
True
True or False : If the private key encrypts information, only the matching public key can decrypt the same information.
True
True or False : Private keys are always kept private and never shared.
True
True or False : Public keys are freely shared by embedding them in a shared certificate.
True
True or False : Asymmetric encryption is not very resource intensive.
False
Asymmetric encryption is resource intensive
___ ______ is any cryptographic method used to share cryptographic keys between two entities.
Key exchange
A ______ is a digital document that typically includes the public key and information on the owner of the certificate.
Certificate
True or False : Certificate Authorities issue and manage certificates.
True
True or False : Certificates are used for a variety of purposes beyond just asymmetric encryption, including authentication and digital signatures.
True
A key element of asymmetric encryption is a _______.
Certificate
List common elements within a certificate
- Serial number - unique ID of the certificate
- Issuer - the CA that issued the certificate
- Validity dates
- Subject - owner of the certificate
- Public key - RSA asymmetric encryption uses the public key in combination with the matching private key
- Usage
True or False : Email applications often use RSA to privately share a symmetric key between two systems.
True
The application uses the recipient’s public key to encrypt a symmetric key, and the recipient’s private key decrypts it.
True or False : RSA Laboratories recommends a key size of 2,048 bits to protect data through the year 2030. If data needs to be protected beyond 2030, they recommend a key size of 3,072 bits.
True
True or False : RSA is widely used on the Internet and elsewhere due to its strong security.
True
The two primary categories of asymmetric keys are _____ and __________.
Static and ephemeral
A _____ key is semi-permanent and stays the same over a long period of time.
Static
An ________ key has a very short lifetime and is re-created for each session.
Ephemeral
RSA uses _____ keys.
Static
______ _______ ______ indicates that a cryptographic system generates random public keys for each session and it doesn’t use a deterministic algorithm to do so. In other words, given the same input, the algorithm will create a different public key.
Perfect forward secrecy
______ _____ ___________ doesn’t take as much processing power as other cryptographic methods and is often considered with common use cases of low-power devices.
Elliptic curve cryptography (ECC)
True or False : ECC uses mathematical equations to formulate an elliptical curve. It then graphs points on the curve to create keys. This is mathematically easier and requires less processing power, while also being more difficult to crack.
True
_____ _______ is a key exchange algorithm used to privately share a symmetric key between two parties.
Diffie-Hellman (DH)
Diffie-Hellman methods support both _____ keys and ________ keys.
Static and ephemeral
______ ________ _________ uses ephemeral keys, generating different keys for each session.
Diffie-Hellman Ephemeral (DHE)
_____ ______ ______ _______ uses ephemeral keys generated using ECC.
Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
______ _____ _______ ________ uses static keys.
Elliptic Curve Diffie-Hellman (ECDH)
True or False: With DH, higher group numbers indicate the group is more secure. For example, DH Group 1 uses 768 bits in the key exchange process and DH Group 15 uses 3,072 bits.
True
True or False : Common examples of steganography are hiding data by manipulating bits and hiding data in the white space of a file.
True
True or False :
Email digital signatures
• The sender’s private key encrypts (or signs).
• The sender’s public key decrypts.
True
True or False :
Email encryption
• The recipient’s public key encrypts.
• The recipient’s private key decrypts.
True
True or False :
Web site encryption
• The web site’s public key encrypts.
• The web site’s private key decrypts.
• The symmetric key encrypts data in the web site session.
True
Cryptography provides two primary security methods you can use with email: _______ _________ and _______.
Digital signatures and encryption
The _____ ________ _______ uses an encrypted hash of a message. The hash is encrypted with the sender’s private key.
Digital signature algorithm (DSA)
True or False : If the recipient of a digitally signed email can decrypt the hash, it provides the following three security benefits:
- Authentication
- Non-repudiation
- Integrity
True
True or False : A digital signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.
True
When you’re encrypting email contents, the recipient’s ____ key encrypts and the recipient’s _______ key decrypts.
Public and private
True or False : Most email applications use asymmetric encryption to privately share a session key. They then use symmetric encryption to encrypt the data.
True
______/_____ _____ ___ _____ is one of the most popular standards used to digitally sign and encrypt email.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
S/MIME uses ___ for asymmetric encryption and ___ for symmetric encryption.
RSA and AES
True or False : Because S/MIME uses RSA for asymmetric encryption, it requires a PKI to distribute and manage certificates.
True
True or False : Like S/MIME, PGP uses both asymmetric and symmetric encryption.
True
_____ ____ ______ is a method used to secure email communication. It can encrypt, decrypt, and digitally sign email.
Pretty Good Privacy (PGP)
________ encryption methods encrypt data-in-transit to ensure transmitted data remains confidential.
Transport
Both ___ and ___ provide certificate-based authentication and they encrypt data with a combination of both symmetric and asymmetric encryption during a session.
SSL and TLS
True or False : SSL and TLS use asymmetric encryption for the key exchange (to privately share a session key) and symmetric encryption to encrypt data displayed on the web page and transmitted during the session.
True
True or False : Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that have been commonly used to encrypt data-in-transit.
True
______ _____ ______ is a replacement for SSL and is widely used in many different applications.
Transport Layer Security (TLS)
True or False : A CA is required to support TLS and SSL.
True
_____ uses asymmetric encryption to transmit a symmetric key using a secure key exchange method.
HTTPS
______ _____ are a combination of cryptographic algorithms that provide several layers of security for TLS and SSL, though most organizations have deprecated the use of SSL.
Cipher suites
True or False : When two systems connect, they negotiate to identify which cipher suite they use. Each system passes a prioritized list of cipher suites it is willing to use. They then choose the cipher suite that is highest on their lists and common to both lists.
True
A _____ ______ is a set of hardware, software, and/or firmware that implements cryptographic functions. This includes algorithms for encryption and hashing, key generation, and authentication techniques such as a digital signature.
Crypto module
A _____ ______ provider is a software library of cryptographic standards and algorithms. These libraries are typically distributed within crypto modules.
Crypto service
True or False : If administrators leave weak or deprecated algorithms functioning on servers, it makes the servers susceptible to attacks such as downgrade attacks.
True
A ______ _____ is a type of attack that forces a system to downgrade its security.
Downgrade attack
__________ ______ are most often associated with cryptographic attacks due to weak implementations of cipher suites.
Downgrade attacks
True or False : Attackers exploit this vulnerability by configuring their systems so that they cannot use TLS. When they communicate with the server, the server downgrades security to use SSL instead of TLS. This allows attackers to launch SSL-based attacks such as the well-known Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.
True
One way to ensure that SSL isn’t used on a site is to modify the server’s protocol list and ensure that SSL is ________.
Disabled
If weak cipher suites are enabled on a server, it _______ the vulnerabilities.
Increases
A _____ ___ ________ is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates.
Public Key Infrastructure (PKI)
True or False : A primary benefit of a PKI is that it allows two people or entities to communicate securely without knowing each other previously.
True
A _______ ______ issues, manages, validates, and revokes certificates.
Certificate Authority (CA)
True or False : If the CA is trusted, all certificates issued by the CA are trusted.
True
CAs are trusted by placing a copy of their root certificate into a _____ ____ __ _____.
Trusted root CA store
The ____ _________ is the first certificate created by the CA that identifies it, and the store is just a collection of these root certificates.
Root certificate
True or False : Public CAs such as Symantec and Comodo negotiate with web browser developers to have their certificates included with the web browser. This way, any certificates that they sell to businesses are automatically trusted.
True
True or False : The most common trust model is the hierarchical trust model, also known as a centralized trust model.
True
_________ _________ combines all the certificates from the root CA down to the certificate issued to the end user.
Certificate chaining
A ___ __ _____ uses self-signed certificates, and a third party vouches for these certificates.
Web of trust
True or False : Many programs are available to automate the process of generating a public and private key pair
True
True or False : Submitted with a certificate signing request (CSR) is the purpose of the certificate, information about the website, the public key, and information about the owner of the site.
True
The CSR includes the ______ ___ but not the _______ ___
Public key, private key
True or False : After receiving the CSR, the CA validates my identity and creates a certificate with the public key. The validation process is different based on the usage of the certificate. In some cases, it includes extensive checking, and in other cases, verification comes from the credit card I use to purchase it.
True
_____ _________ are used to identify specific objects within the certificates
Object identifiers (OIDs)
The ___ is a string of numbers separated by dots. ___ can be used to name almost every object type in certificates.
OID(s)
True or False : In large organizations, a registration authority (RA) can assist the CA by collecting registration information. The RA never issues certificates. Instead, it only assists in the registration process.
True
True or False : An organization may choose to keep some CAs offline to protect them from attacks. Offline CAs can only accept CSRs manually.
True
True or False : A CA can use any of the following reasons when revoking a certificate:
• Key compromise
• CA compromise
• Change of affiliation
• Superseded
• Cease of operation
• Certificate hold
True
CAs use ________ ________ ____ to revoke a certificate.
Certificate revocation lists (CRLs, pronounced “crill”)
True or False : The CRL is a version 2 certificate that includes a list of revoked certificates by serial number.
True
List some common certificate issues
- Expired
- Certificate not trusted
- Improper certificate and key management
- Revoked
True or False : A common method of validating a certificate is by requesting a copy of the CRL
True
CRLs are typically ______ after being downloaded the first time.
Cached
True or False : Another method of validating a certificate is with the Online Certificate Status Protocol (OCSP). OCSP allows the client to query the CA with the serial number of the certificate. The CA then responds with an answer of “good,” “revoked,” or “unknown.” A response of “unknown” could indicate the certificate is a forgery.
True
OCSP ________ solves the problem of heavy traffic generation between clients and CAs
Stapling
True or False : In OCSP stapling, the certificate presenter obtains a timestamped OCSP response from the CA. Before sending it, the CA signs it with a digital signature. The certificate presenter then appends (or metaphorically staples) a timestamped OCSP response to the certificate during the TLS handshake process. This eliminates the need for clients to query the CA.
True
Public key ________ is a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates.
Pinning
True or False : When configured on a web site server, the server responds to client HTTPS requests with an extra header. This extra header includes a list of hashes derived from valid public keys used by the web site. It also includes a max-age field specifying how long the client should store and use the data. When clients connect to the same web site again, they recalculate the hashes and then compare the recalculated hashes with the stored hashes. If the hashes match, it verifies that the client is connected to the same web site.
True
___ ______ is the process of placing a copy of a private key in a safe environment and is useful for recovery.
Key escrow
A ___ ______ ______ is a designated individual who can recover or restore cryptographic keys.
Key recovery agent
List some usage types of certificates
- Machine/computer - The certificate is typically used to identify the computer within a domain.
- User - Certificates can also be issued to users. They can be used for encryption, authentication, smart cards, and more.
- Email - The two uses of email certificates are for encryption of emails and digital signatures.
- Code signing - Developers often use code signing certificates to validate the authentication of executable applications or scripts. The code signing certificate verifies the code has not been modified.
- Self-signed - A self-signed certificate is not issued by a trusted CA. Private CAs within an enterprise often create self-signed certificates.
- Wildcard - A wildcard certificate starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain.
- SAN - A Subject Alternative Name (SAN) is used for multiple domains that have different names, but are owned by the same organization.
- Domain validation - A domain-validated certificate indicates that the certificate requestor has some control over a DNS domain.
- Extended validation - Extended validation certificates use additional steps beyond domain validation.
A ________ _______ starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain.
Wildcard certificate
A _______ _________ ____ is used for multiple domains that have different names, but are owned by the same organization.
Subject Alternative Name (SAN)
True or False : Extended validation certificates use additional steps beyond domain validation.
True
True or False : Certificates are typically stored as binary files or as BASE64 American Standard Code for Information Interchange (ASCII) encoded files and some certificates are also encrypted to provide additional confidentiality.
True
The base format of certificates is _______ _______ _____ or ___________ ________ _______.
Canonical Encoding Rules (CER)
or
Distinguished Encoding Rules (DER)
True or False : CER-based certificates include headers and footers to identify the contents.
False, it is DER
____ is derived from the Privacy Enhanced Mail format, but that is misleading. It implies that these certificates are used for email only.
PEM
True or False : PEM-based certificates can be used for just about anything.
True
___ certificates use the PKCS version 7 (PKCS#7) format and they are DER-based (ASCII). They are commonly used to share public keys with proof of identity of the certificate holder.
P7B
True or False: P7B can include the private key
False
It never includes the private key
___ certificates use the PKCS version 12 (PKCS#12) format and they are CER-based (binary).
P12
True or False : P12 are commonly used to hold certificates with the private key.
True
______ ________ ______ is a predecessor to the P12 certificate and it has the same usage. Administrators often use this format on Windows systems to import and export certificates.
Personal Information Exchange (PFX)
True or False : CER is a binary format for certificates and DER is an ASCII format. PEM is the most commonly used certificate format and can be used for just about any certificate type. P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.
True