Chapter 2 Implementing Public Key Infrastructure

Question 1

What type of certificate does a CA have?

Answer 1

A CA has a root certificate, which it uses to sign keys.

Question 2

If you are going to use a CA internally, what type of CA should you choose?

Answer 2

You would use a private CA for internal use only; these certificates will not be
accepted outside of your organization

Question 3

If you want to carry out B2B activity with third-party companies or sell products on
the web, what type of CA should you use?

Answer 3

You would use a public CA for B2B activities.

Question 4

Why should you take your CA offline when not in use?

Answer 4

If you were a military, security, or banking organization, you would keep the CA offline when it is not being used to prevent it from being compromised.

Question 5

What type of encryption does PKI use?

Answer 5

PKI uses asymmetric encryption.

Question 6

Who signs X509 certificates?

Answer 6

The CA signs the X509 certificates

Question 7

What can you use to prevent your CA from being compromised and fraudulent
certificates from being issued?

Answer 7

Certificate pinning can be used to prevent a CA from being compromised and
fraudulent certificates from being issued

Question 8

If two entities want to set up a cross-certification, what must they set up first?

Answer 8

If two separate PKI entities want to set up cross-certification, the root CAs would set up a trust model between themselves, known as a bridge trust model.

Question 9

What type of trust model does PGP use?

Answer 9

PGP uses a trust model known as a web of trust

Question 10

How can you tell whether your certificate is valid?

Answer 10

A Certificate Revocation List (CRL) is used to determine whether a certificate
is valid

Question 11

If the CRL is going slowly, what should you implement?

Answer 11

If the CRL is going slow, you should use OCSP as it provides faster validation.

Question 12

Explain certificate stapling/OCSP stapling

Answer 12

Certificate stapling/OCSP stapling is where a web server uses an OCSP for faster certificate authentication, bypassing the CRL.

Question 13

What is the process of obtaining a new certificate?

Answer 13

You would submit a Certificate Signing Request (CSR) to request a new certificate.

Question 14

What is the purpose of the key escrow?

Answer 14

The key escrow stores and manages private keys for third parties

Question 15

What is the purpose of the HSM?

Answer 15

A hardware security module (HSM) is used by the key escrow to securely store and manage certificates.

Question 16

What is the purpose of the DRA, and what does it need to complete its role effectively?

Answer 16

The purpose of the DRA is to recover data when a user’s private key becomes corrupt. To do this, it must first obtain a copy of the private key from the key escrow.

Question 17

How can you identify each certificate?

Answer 17

Each certificate can be identified by its OID, which is similar to a serial number.

Question 18

What format (PKCS) is a private certificate, and what file extension does it have?

Answer 18

A private certificate is in P12 format with a .pfx extension.

Question 19

What format (PKCS) is a public certificate, and what file extension does it have?

Answer 19

A public certificate is in P7B format with a .cer extension.

Question 20

What format is a PEM certificate?

Answer 20

A PEM certificate is in Base64 format

Question 21

What type of certificate can be used on multiple servers in the same domain?

Answer 21

A wildcard certificate can be used on multiple servers in the same domain.

Question 22

What type of certificate can be used on multiple domains?

Answer 22

A Subject Alternative Name (SAN) certificate can be used on multiple domains

Question 23

What should you do with your software to verify that it is original and not a fake copy?

Answer 23

You would code-sign the software in order to verify that it is the original, and not a copy. This is similar to a digital signature in that it ensures the integrity of the software.

Question 24

What is the purpose of extended validation of an X509?

Answer 24

Extended validation is normally used by financial institutions to provide a higher level of trust for the X509

Question 25

What type of cipher is the Caesar cipher, and how does it work if it uses ROT 4?

Answer 25

The Caesar cipher is a substitution cipher; an example would be ROT 4, where each letter would be substituted by a letter four characters along in the alphabet.

Question 26

What is encryption, and what are the inputs and outputs called?

Answer 26

Encryption is when plain text (input) is taken and turned into ciphertext (output).

Question 27

What type of encryption will be used to encrypt large amounts of data?

Answer 27

Symmetric encryption is used to encrypt large amounts of data as it uses one key.

Question 28

What is the purpose of Diffie-Hellman?

Answer 28

Diffie Hellman (DH) is an asymmetric technique that creates a secure tunnel. During a VPN connection, it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel.

Question 29

What is the first stage in asymmetric encryption?

Answer 29

The first stage in encryption is key exchange. During asymmetric encryption, each entity will give the other entity its public key. The private key is secure and never given away.

Question 30

If Carol is encrypting data to send to Bob, what key will each of them use?

Answer 30

Carol uses Bob’s public key to encrypt the data, and then Bob will use his private key to decrypt the data. Encryption and decryption are always done by the same key pair

Question 31

If George encrypted data four years ago with an old CAC card, can he decrypt the data with his new CAC card?

Answer 31

No. George must obtain the old private key to decrypt the data as the encryption was done with a different key pair

Question 32

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

Answer 32

Janet will digitally sign the email with her private key and John will check its validity with Janet’s public key, which he would have received in advance.

Question 33

What two things does a digital email signature provide?

Answer 33

A digital signature provides both integrity and non-repudiation.

Question 34

What asymmetric encryption algorithm should you use to encrypt data on a smartphone?

Answer 34

ECC will be used to encrypt data on a smartphone as it is small and fast and uses the DH handshake.

Question 35

What should you use to encrypt a military mobile telephone?

Answer 35

You would use AES-256 to encrypt a military mobile telephone.

Question 36

Name two key-stretching algorithms.

Answer 36

Two key-stretching algorithms are bcrypt and PBKDF2.

Question 37

Explain how key stretching works.

Answer 37

Key stretching salts the password being stored to prevent duplicate passwords. It also increases the length of the keys to make things harder for a brute-force attack.

Question 38

What is the difference between stream and block cipher modes, and which one will you use to encrypt large blocks of data?

Answer 38

Stream ciphers encrypt one bit at a time and block ciphers take blocks of data, such as 128-bit modes. You would use a block cipher for large amounts of data.

Question 39

What happens with cipher block chaining if you don’t have all of the blocks?

Answer 39

CBC needs all of the blocks of data to decrypt the data; otherwise, it will not work.

Question 40

If you want to ensure the integrity of data, what should you use? Name two algorithms.

Answer 40

Hashing ensures the integrity of data; two examples include SHA-1 (160 bit) and MD5 (128 bit).

Question 41

If you want to ensure the protection of data, what should you use?

Answer 41

Encryption is used to protect data so that it cannot be reviewed or accessed.

Question 42

Is a hash a one-way or two-way function, and is it reversible?

Answer 42

A hash is one-way and cannot be reversed

Question 43

What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

Answer 43

POODLE is a man-in-the-middle attack on a downgraded SSL 3.0 (CBC).

Question 44

Define Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE).

Answer 44

DHE and ECDHE are both ephemeral keys that are short-lived, one-time keys.

Question 45

What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel?

Answer 45

The strongest encryption for an L2TP/IPSec VPN tunnel is AES, and the weakest
is DES.

Question 46

What is the name of the key used to ensure the security of communication between a computer and a server or a computer to another computer?

Answer 46

A session key ensures the security of communications between a computer and a server or a computer and another computer.

Question 47

What should you do to protect data-at-rest on a laptop?

Answer 47

You would use an FDE to protect data-at-rest on a laptop

Question 48

What should you do to protect data-at-rest on a tablet or smartphone?

Answer 48

You would use FDE to protect data-at-rest on a tablet or smartphone.

Question 49

What should you do to protect data-at-rest on a backend server?

Answer 49

Data-at-rest on a backend server is stored on a database. Therefore, to protect it, you would encrypt the database.

Question 50

What should you do to protect data-at-rest on a removable device, such as a USB flash drive or an external hard drive?

Answer 50

You would protect data-at-rest on a USB flash drive or external hard drive via full disk encryption.

Question 51

What protocols could you use to protect data in transit?

Answer 51

You can secure data-in-transit using TLS, SSL, HTTPS, or an L2TP/IPsec tunnel

Question 52

How can you protect data-in-use?

Answer 52

You can protect data-in-use with full memory encryption.

Question 53

What is the purpose of obfuscation?

Answer 53

Obfuscation is used to make the source code look obscure so that if it is stolen, it cannot be understood. It masks the data and could use either XOR or ROT13

Question 54

What is the purpose of perfect forward secrecy?

Answer 54

Perfect forward secrecy ensures that there is no link between the server’s private key and the session key. If the VPN server’s key was compromised, it could not decrypt the session. It would be great for use on voting machines.

Question 55

What type of attack tries to find two hash values that match?

Answer 55

A collision attack is where two hash values match

Question 56

What is the purpose of rainbow tables?

Answer 56

Rainbow tables are a list of precomputed words showing their hash value used to crack the hash value of passwords. You will get rainbow tables for MD5 and different rainbow tables for SHA-1

Question 57

Explain the concept of steganography.

Answer 57

Steganography is used to conceal data inside another form of data. You can hide a file, image, video, or audio inside another image, video, or audio file.

Question 58

What are the two purposes of Data Loss Protection (DLP)?

Answer 58

DLP prevents sensitive or PII information from being emailed out of a company or being stolen from a file server using a USB device.

Question 59

What is the purpose of salting a password?

Answer 59

Salting a password ensures that duplicate passwords are never stored and makes things more difficult for brute-force attacks by increasing the key size (key stretching). It appends the salt to the password making it longer than before hashing