Chapter 2: Implementing Public Key Infrastructure Flashcards
A framework of hardware, software, policies and Certificate Authorities (CAs) for issuing, distributing, validating and revoking digital certificates, which bind a public key to an identity. It is built on asymmetric (public/private key) cryptography.
Public Key Infrastructure (PKI)
PKI relies on a key pair (a public key and a private key), which is why it is based on asymmetric cryptography. Certificates are managed by a hierarchy of Certificate Authorities that validates requests and issues, renews and revokes certificates.
PKI Concepts
The ultimate authority in the hierarchy: its private key (the root key) signs the certificates of the subordinate CAs, and through them every certificate in the chain of trust. Because a compromise of this key compromises the entire PKI, the root CA is usually kept offline.
Certificate Authority
The root certificate authority signs the certificate of the _____, which then issues certificates to the requesters on the root's behalf.
Intermediary
Always connected and running so that people in the company can request a certificate at any time. Because a connected CA is exposed to attack, a government or high-security environment would not operate its root CA this way.
Online CA
Kept disconnected from the network and powered on only when it must sign a subordinate CA certificate or publish a CRL. This tends to be used in a military or top-secret environment, where clearance and vetting must be completed before a certificate can even be requested.
Offline CA
Also known as a third-party CA; it is commercially accepted as an authority for issuing public certificates because its root certificates are already in the trust stores of browsers and operating systems.
The benefit of using a third-party CA is that it handles all of the CA management; you purchase the certificate, install it, and clients trust it without any extra configuration.
Public CA
A list, signed by the CA, of the serial numbers of certificates that have been revoked before their expiry date; a client downloads it to check whether the certificate it has been presented with is still valid. A revoked certificate will not be accepted if you are trying to sell goods to other companies; this is known as a B2B transaction and it needs a certificate from a public CA.
Certificate Revocation List
Certificates from this authority are trusted only internally, by hosts that have its root certificate installed. Even though it is free to run, you must set up and maintain the CA yourself, which requires a skill set within your company.
Private CA
This authority validates and accepts incoming certificate requests from users and then notifies the CA to issue the certificates; it vets identities but does not sign anything itself. The issued certificates are X.509 certificates.
Registration Authority
A CA whose own certificate is signed by the root CA (or by another subordinate) and that issues certificates to users and devices; it could also be called an intermediary. It is distinct from the RA, which only vets requests.
Subordinate CA
The client stores (pins) the expected certificate or public key of a server and refuses any other, even one with a valid chain. It does not stop a CA from being compromised, but it stops the client from accepting the fraudulent X.509 certificates such a compromise would produce, which defeats SSL/TLS man-in-the-middle attacks that rely on them.
Certificate Pinning
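How a client enforces a pin, as an added example in Go that is not part of these flashcards: the pin is the SHA-256 hash of the server's SubjectPublicKeyInfo, base64-encoded, the format used by HPKP and Android's network security configuration. The keys, the pin list and the function names are constructed for the example; a real client would take the public key from the certificate the server presents in the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// newKey generates a P-256 key pair standing in for a server's TLS key
// (constructed for the demo; a real client extracts the key from the
// certificate presented by the server).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// spkiPin returns base64(SHA-256(DER SubjectPublicKeyInfo)). Pinning the
// public key rather than the whole certificate survives a renewal that keeps
// the same key, so pins do not have to change on every certificate rollover.
func spkiPin(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinMatches reports whether the presented key hashes to one of the expected
// pins. A client that gets false must abort the connection even though the
// certificate chain validated: that is how a fraudulent certificate from a
// compromised or coerced CA is rejected. Ship at least one backup pin so a
// planned key rotation does not lock clients out.
func pinMatches(presented *ecdsa.PublicKey, expected []string) (bool, error) {
	got, err := spkiPin(presented)
	if err != nil {
		return false, err
	}
	for _, want := range expected {
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	serverKey, attackerKey := newKey(), newKey()
	pin, _ := spkiPin(&serverKey.PublicKey)
	pins := []string{pin} // the pin set the client shipped with
	genuine, _ := pinMatches(&serverKey.PublicKey, pins)
	mitm, _ := pinMatches(&attackerKey.PublicKey, pins)
	fmt.Printf("pin sha256/%s\ngenuine server accepted: %v\nattacker key accepted: %v\n", pin, genuine, mitm)
}
```

The attacker's certificate may chain perfectly to a trusted root; the pin check is what rejects it. Pin the intermediate or root SPKI instead of the leaf if you need to allow the CA to re-key the server certificate freely.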
The root certificate, or root key, from which the whole chain of trust in a PKI trust model is derived; this is the root CA, and a client can only validate a chain if it already holds this certificate in its trust store.
Trust Anchor
This defines which CAs a party trusts and how that trust is passed down to the certificates they sign, which is what proves the authenticity of a certificate. Comprised of two trust models:
Hierarchical Trust Model
Bridge Trust Model
Trust Model
This uses the hierarchy from the root CA down through the intermediary (also known as subordinate) CAs that issue the end-entity certificates; this is the normal PKI model.
Hierarchical Trust Model
This type of trust is peer-to-peer, where two separate PKI environments trust each other. The CAs cross-certify, each signing a certificate for the other, so certificates issued in one PKI are accepted in the other.
Bridge Trust Model
The chain of trust links each certificate to the CA certificate that signed it, up to the trust anchor: the signature on the end-entity certificate is checked with the intermediate CA's public key, and the intermediate's signature with the root's. It normally consists of three layers: the root CA, the intermediate CA that issued the certificate, and the end-entity certificate installed on the server or computer. Revocation is a separate check, done with a CRL or OCSP.
Certificate Chaining
Every time a certificate is used, it must be checked for validity: the signature chain, the validity period, the name it was issued for, and whether it has been revoked.
Revocation status is checked by one of three mechanisms:
Certificate Revocation List
Online Certificate Status Protocol (OCSP)
OCSP Stapling/Certificate Stapling
With a CRL the client downloads the CA's whole signed list of revoked serial numbers. With OCSP the client asks the CA's OCSP responder about a single certificate in real time, which is faster than fetching a large CRL. With OCSP stapling the server itself obtains a time-stamped, CA-signed OCSP response for its certificate and sends (staples) it in the TLS handshake, so the client gets fresh status without contacting the responder.
Certificate Validity
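The Certificate Chaining and Certificate Validity cards worked through in Go with the standard library's crypto/x509, as an added example that is not part of the flashcards: it builds a root CA, a subordinate CA and two server certificates for securityplus.training names, verifies a leaf up to the root as the trust anchor, shows the failure when the intermediate is not supplied, and then checks a CRL signed by the subordinate CA. The CA names, serial numbers and validity windows are constructed; OCSP is not shown because it needs a live responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA (certificate and CRL signing) or TLS server certificate template.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key pair for tmpl and has signer sign the certificate. A nil
// parent makes it self-signed, which is how the root (the trust anchor) is created.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildPKI constructs the demo hierarchy (root CA -> issuing CA -> two leaves) and a
// CRL, signed by the issuing CA, that revokes the mail leaf. All names are made up.
func buildPKI() (root, inter, web, mail *x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := issue(template("Demo Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Demo Issuing CA", 2, true), root, rootKey)
	web, _ = issue(template("web.securityplus.training", 1001, false), inter, interKey)
	mail, _ = issue(template("mail.securityplus.training", 1002, false), inter, interKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: mail.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey)
	check(err)
	crl, err = x509.ParseRevocationList(crlDER)
	check(err)
	return root, inter, web, mail, crl
}

// verifyChain walks from the leaf through the offered intermediate to the root in the
// trust store, checking each signature, validity period, CA constraint and hostname.
// Only the root is trusted a priori; the intermediate must be supplied (the server sends it).
func verifyChain(leaf, intermediate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if intermediate != nil {
		inters.AddCert(intermediate)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// isRevoked looks the serial up in the CRL, but only after confirming the CRL was
// signed by the certificate's issuer and is not past its nextUpdate time.
func isRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %s; fetch a fresh one", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, inter, web, mail, crl := buildPKI()
	fmt.Println("full chain:", verifyChain(web, inter, root, "web.securityplus.training"))
	fmt.Println("intermediate missing:", verifyChain(web, nil, root, "web.securityplus.training"))
	fmt.Println(isRevoked(crl, inter, mail)) // true <nil>
}
```

Two points the code makes explicit: a leaf that chains to a trusted root is still useless to the client if the server does not send the intermediate, and a CRL must be treated as untrusted data until its own signature has been checked against the issuing CA.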
The process of requesting a new certificate: the requester generates a key pair, puts the public key and its identifying information (subject, names to cover) into the request, signs the request with the private key to prove possession, and sends it to the CA; the private key never leaves the requester.
Certificate Signing Request(CSR)
A trusted third party holds copies of users' private keys so that they can be recovered if the owner loses them or an investigation requires them. The escrowed keys are usually stored in a Hardware Security Module.
Key Escrow
Tamper-resistant hardware, either a card or appliance attached to a server or a portable device, that generates, stores and uses private keys so that they never leave the device in the clear. It protects CA signing keys and escrowed keys and performs the signing and decryption operations itself.
Hardware Security Module (HSM)
If a user cannot access their data because their private key is lost or corrupted, this agent recovers the data. To do so it needs the user's private key from the key escrow.
Data Recovery Agent(DRA)
A certificate binds an identity to a public key and is signed by a CA. The key pair behind it has two parts:
public key
private key
Certificates
This key is published in the certificate and sent to third parties, who use it to encrypt data for the holder or to verify the holder's digital signatures.
public key
This key is kept secret by the holder; it decrypts data that was encrypted with the public key and creates the signatures that the public key verifies.
private key
A dotted numeric identifier from a global registry that names the algorithms, extensions and certificate policies used in a certificate (for example, the policy that marks an Extended Validation certificate).
Object Identifier (OID)
Self-signed Certificates
Wildcard
Domain Validation
Subject Alternate Name
Code Signing
Computer/Machine
User
Extended Validation
Types of Certificates
This type of certificate is issued and signed by the same entity that is using it, so there is no chain to a trusted CA. It carries no CRL distribution point, cannot be validated by a third party, and is trusted only by clients that have explicitly installed it.
Self-Signing Certificate
This type of certificate works for all hosts one level below a domain. For example: securityplus.training has a web server and a mail server. One certificate for *.securityplus.training takes the place of separate certificates for web.securityplus.training and mail.securityplus.training, so both FQDNs work. The wildcard matches a single label only: it does not cover securityplus.training itself or a.b.securityplus.training.
Wildcard
An X.509 certificate issued after the CA has verified only that the requester controls the domain name (for example, through a DNS record or a file placed on the web server), without vetting the organization behind it.
Domain Validation
This extension lets one certificate be used for multiple names; the SAN list can contain DNS names, IP addresses and e-mail addresses. Modern browsers match the requested host against the SAN list rather than the Common Name.
Subject Alternate Name(SAN)
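The CSR, Wildcard and SAN cards, as an added Go example that is not part of the flashcards: it generates a PKCS#10 request carrying a wildcard DNS SAN and an IP SAN, checks the request's proof-of-possession signature the way an RA or CA would, and then shows which hostnames a certificate carrying those SANs would cover under the single-label wildcard rule. The organization name, the IP address 10.0.0.5 and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCSR builds a PKCS#10 request for the given DNS SANs plus the constructed
// IP SAN 10.0.0.5. The requester signs it with the private key, which never
// leaves the requester; only the public key travels to the CA.
func makeCSR(key *ecdsa.PrivateKey, dnsNames ...string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: dnsNames[0], Organization: []string{"Security+ Training"}},
		DNSNames:    dnsNames,
		IPAddresses: []net.IP{net.ParseIP("10.0.0.5")},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// inspectCSR does what the RA/CA does on receipt: parse the DER and verify the
// self-signature, which proves the requester holds the matching private key.
// A tampered or forged request fails here before any vetting of the names.
func inspectCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr, nil
}

// covers reports whether a certificate issued with exactly the CSR's SANs would be
// accepted for host under the usual RFC 6125 rules: a wildcard matches one label
// only, so *.securityplus.training covers web.securityplus.training but neither the
// bare securityplus.training nor a.b.securityplus.training; IPs match IP SANs only.
func covers(csr *x509.CertificateRequest, host string) bool {
	cert := &x509.Certificate{DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses}
	return cert.VerifyHostname(host) == nil
}

func main() {
	der, err := makeCSR(newKey(), "*.securityplus.training")
	if err != nil {
		panic(err)
	}
	csr, err := inspectCSR(der)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"web.securityplus.training", "securityplus.training", "a.b.securityplus.training", "10.0.0.5"} {
		fmt.Printf("%-28s covered: %v\n", h, covers(csr, h))
	}
	der[len(der)-1] ^= 0x01 // flip a bit in the signature: the CA must reject it
	_, err = inspectCSR(der)
	fmt.Println("tampered CSR:", err)
}
```

If the apex name must work as well, list it as a second DNS SAN alongside the wildcard; the CA copies the SANs from the request, so what is missing from the CSR will be missing from the certificate.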
This type of certificate is used to digitally sign software so that users can verify its authenticity and that it has not been altered since it was signed.
Code Signing
This type of certificate can be used to identify a computer on the domain.
Computer/Machine
Proves the identity of a user to the applications they use, for example for smart-card logon or signed and encrypted e-mail.
User
This type of certificate provides a higher level of trust in identifying the entity that is using it and is normally seen in the financial arena. Companies applying for this certificate have to provide more information about their company, and the CA verifies their legal identity before issuing it.
Extended Validation
(TIP) A wildcard certificate can be installed on multiple public-facing websites under the same domain as a cheaper option. A self-signed certificate can be installed on internal-facing websites as a cheaper option.
TIP