Chapter 2 Implementing Public Key Infrastructure Flashcards

1
Q

What type of certificate does a CA have?

A

A CA has a root certificate, which it uses to sign keys.

2
Q

If you are going to use a CA internally, what type of CA should you choose?

A

You would use a private CA for internal use only; these certificates will not be accepted outside of your organization.

3
Q

If you want to carry out B2B activity with third-party companies or sell products on
the web, what type of CA should you use?

A

You would use a public CA for B2B activities.

4
Q

Why should you take your CA offline when not in use?

A

If you were a military, security, or banking organization, you would keep the CA offline when it is not being used to prevent it from being compromised.

5
Q

What type of encryption does PKI use?

A

PKI uses asymmetric encryption.

6
Q

Who signs X.509 certificates?

A

The CA signs the X.509 certificates.

7
Q

What can you use to prevent your CA from being compromised and fraudulent
certificates from being issued?

A

Certificate pinning can be used to prevent a CA from being compromised and fraudulent certificates from being issued.

8
Q

If two entities want to set up a cross-certification, what must they set up first?

A

If two separate PKI entities want to set up cross-certification, the root CAs would set up a trust model between themselves, known as a bridge trust model.

9
Q

What type of trust model does PGP use?

A

PGP uses a trust model known as a web of trust.

10
Q

How can you tell whether your certificate is valid?

A

A Certificate Revocation List (CRL) is used to determine whether a certificate is valid.

11
Q

If the CRL is going slowly, what should you implement?

A

If the CRL is going slowly, you should use OCSP, as it provides faster validation.

12
Q

Explain certificate stapling/OCSP stapling

A

Certificate stapling/OCSP stapling is where a web server uses OCSP for faster certificate authentication, bypassing the CRL.

13
Q

What is the process of obtaining a new certificate?

A

You would submit a Certificate Signing Request (CSR) to request a new certificate.

14
Q

What is the purpose of the key escrow?

A

The key escrow stores and manages private keys for third parties.

15
Q

What is the purpose of the HSM?

A

A hardware security module (HSM) is used by the key escrow to securely store and manage certificates.

16
Q

What is the purpose of the DRA, and what does it need to complete its role effectively?

A

The purpose of the DRA is to recover data when a user’s private key becomes corrupt. To do this, it must first obtain a copy of the private key from the key escrow.

17
Q

How can you identify each certificate?

A

Each certificate can be identified by its OID, which is similar to a serial number.

18
Q

What format (PKCS) is a private certificate, and what file extension does it have?

A

A private certificate is in P12 format with a .pfx extension.

19
Q

What format (PKCS) is a public certificate, and what file extension does it have?

A

A public certificate is in P7B format with a .cer extension.

20
Q

What format is a PEM certificate?

A

A PEM certificate is in Base64 format.

21
Q

What type of certificate can be used on multiple servers in the same domain?

A

A wildcard certificate can be used on multiple servers in the same domain.

22
Q

What type of certificate can be used on multiple domains?

A

A Subject Alternative Name (SAN) certificate can be used on multiple domains.

23
Q

What should you do with your software to verify that it is original and not a fake copy?

A

You would code-sign the software in order to verify that it is the original, and not a copy. This is similar to a digital signature in that it ensures the integrity of the software.

24
Q

What is the purpose of extended validation of an X.509 certificate?

A

Extended validation is normally used by financial institutions to provide a higher level of trust for the X.509 certificate.

25
Q

What type of cipher is the Caesar cipher, and how does it work if it uses ROT 4?

A

The Caesar cipher is a substitution cipher; an example would be ROT 4, where each letter would be substituted by a letter four characters along in the alphabet.

26
Q

What is encryption, and what are the inputs and outputs called?

A

Encryption is when plain text (input) is taken and turned into ciphertext (output).

27
Q

What type of encryption will be used to encrypt large amounts of data?

A

Symmetric encryption is used to encrypt large amounts of data as it uses one key.

28
Q

What is the purpose of Diffie-Hellman?

A

Diffie-Hellman (DH) is an asymmetric technique that creates a secure tunnel. During a VPN connection, it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel.

29
Q

What is the first stage in asymmetric encryption?

A

The first stage in encryption is key exchange. During asymmetric encryption, each entity will give the other entity its public key. The private key is secure and never given away.

30
Q

If Carol is encrypting data to send to Bob, what key will each of them use?

A

Carol uses Bob’s public key to encrypt the data, and then Bob will use his private key to decrypt the data. Encryption and decryption are always done by the same key pair.

31
Q

If George encrypted data four years ago with an old CAC card, can he decrypt the data with his new CAC card?

A

No. George must obtain the old private key to decrypt the data, as the encryption was done with a different key pair.

32
Q

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

A

Janet will digitally sign the email with her private key and John will check its validity with Janet’s public key, which he would have received in advance.

33
Q

What two things does a digital email signature provide?

A

A digital signature provides both integrity and non-repudiation.

34
Q

What asymmetric encryption algorithm should you use to encrypt data on a smartphone?

A

ECC will be used to encrypt data on a smartphone as it is small and fast and uses the DH handshake.

35
Q

What should you use to encrypt a military mobile telephone?

A

You would use AES-256 to encrypt a military mobile telephone.

36
Q

Name two key-stretching algorithms.

A

Two key-stretching algorithms are bcrypt and PBKDF2.

37
Q

Explain how key stretching works.

A

Key stretching salts the password being stored to prevent duplicate passwords. It also increases the length of the keys to make things harder for a brute-force attack.

38
Q

What is the difference between stream and block cipher modes, and which one will you use to encrypt large blocks of data?

A

Stream ciphers encrypt one bit at a time and block ciphers take blocks of data, such as 128-bit modes. You would use a block cipher for large amounts of data.

39
Q

What happens with cipher block chaining if you don’t have all of the blocks?

A

CBC needs all of the blocks of data to decrypt the data; otherwise, it will not work.

40
Q

If you want to ensure the integrity of data, what should you use? Name two algorithms.

A

Hashing ensures the integrity of data; two examples include SHA-1 (160 bit) and MD5 (128 bit).

41
Q

If you want to ensure the protection of data, what should you use?

A

Encryption is used to protect data so that it cannot be reviewed or accessed.

42
Q

Is a hash a one-way or two-way function, and is it reversible?

A

A hash is one-way and cannot be reversed.

43
Q

What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

A

POODLE is a man-in-the-middle attack on a downgraded SSL 3.0 (CBC).

44
Q

Define Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE).

A

DHE and ECDHE are both ephemeral keys that are short-lived, one-time keys.

45
Q

What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel?

A

The strongest encryption for an L2TP/IPSec VPN tunnel is AES, and the weakest is DES.

46
Q

What is the name of the key used to ensure the security of communication between a computer and a server or a computer to another computer?

A

A session key ensures the security of communications between a computer and a server or a computer and another computer.

47
Q

What should you do to protect data-at-rest on a laptop?

A

You would use full disk encryption (FDE) to protect data-at-rest on a laptop.

48
Q

What should you do to protect data-at-rest on a tablet or smartphone?

A

You would use FDE to protect data-at-rest on a tablet or smartphone.

49
Q

What should you do to protect data-at-rest on a backend server?

A

Data-at-rest on a backend server is stored on a database. Therefore, to protect it, you would encrypt the database.

50
Q

What should you do to protect data-at-rest on a removable device, such as a USB flash drive or an external hard drive?

A

You would protect data-at-rest on a USB flash drive or external hard drive via full disk encryption.

51
Q

What protocols could you use to protect data in transit?

A

You can secure data-in-transit using TLS, SSL, HTTPS, or an L2TP/IPsec tunnel.

52
Q

How can you protect data-in-use?

A

You can protect data-in-use with full memory encryption.

53
Q

What is the purpose of obfuscation?

A

Obfuscation is used to make the source code look obscure so that if it is stolen, it cannot be understood. It masks the data and could use either XOR or ROT13.

54
Q

What is the purpose of perfect forward secrecy?

A

Perfect forward secrecy ensures that there is no link between the server’s private key and the session key. If the VPN server’s key was compromised, it could not decrypt the session. It would be great for use on voting machines.

55
Q

What type of attack tries to find two hash values that match?

A

A collision attack is where two hash values match.

56
Q

What is the purpose of rainbow tables?

A

Rainbow tables are a list of precomputed words showing their hash values, used to crack the hash values of passwords. You will get rainbow tables for MD5 and different rainbow tables for SHA-1.

57
Q

Explain the concept of steganography.

A

Steganography is used to conceal data inside another form of data. You can hide a file, image, video, or audio inside another image, video, or audio file.

58
Q

What are the two purposes of Data Loss Protection (DLP)?

A

DLP prevents sensitive or PII information from being emailed out of a company or being stolen from a file server using a USB device.

59
Q

What is the purpose of salting a password?

A

Salting a password ensures that duplicate passwords are never stored and makes things more difficult for brute-force attacks by increasing the key size (key stretching). It appends the salt to the password, making it longer, before hashing.