Chapter 18 - Fundamentals of Public Key Infrastructure (PKI) Flashcards
What is the asymmetrical algorithm RSA used for?
RSA (Rivest, Shamir, Adleman) is used for authentication.
Also known as PKCS #1 (Public Key Cryptography Standard #1).
What is DH (Diffie-Hellman) used for?
DH is an asymmetrical algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network.
Know this: The initial negotiation is asymmetrical, but once keys are created they can be used with symmetrical algorithms like 3DES and AES (fast encryption / decryption for bulk data transmission).
What is the minimum key length that is considered secure for asymmetrical algorithms?
1024 bits.
What two components when combined form a digital signature?
A hash (that is computed over some data).
This hash is then encrypted with a private key.
The encrypted hash is the digital signature (which can only be decoded by the sending user’s public key).
What information is contained in a root certificate?
A root certificate contains the public key of the CA server and other details about the CA server.
What is an identity certificate?
An identity certificate describes a client and contains the public key of an individual host.
What is SCEP?
SCEP, or Simple Certificate Enrollment Protocol, is a Cisco proprietary protocol for Cisco devices to automate requesting and installing identity certificates.
Which 4 pieces of information are found in a typical identity certificate?
- CRL locations
- Validity Dates
- Public Key of the certificate owner
- Serial Number
What are the Public Key Cryptography Standards?
PKCS #10 - Formatting of a certificate request sent to a CA when an organization is asking for a new identity certificate.
PKCS #7 - Formatting here is what a CA responds with when they issue an identity certificate.
PKCS #1 - This is the RSA Cryptography Standard.
PKCS #12 - This format is used for storing both public and private keys using a symmetric password-based key to “unlock” the data whenever the key needs to be accessed.
PKCS #3 - Diffie-Hellman key exchange
What are 3 ways to check if a digital certificate has been revoked?
- Certificate Revocation List (CRL): A list of certificates with serial numbers, that have been issued by a CA but have since been revoked.
- Online Certificate Status Protocol (OCSP): A client sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates (as in the case of checking CRLs).
- Authentication, Authorization, and Accounting (AAA): Cisco AAA services also support validating digital certificates. NOTE: this is Cisco proprietary and as a result is not usually used in conjunction with PKI.