Chapter 2: Public Key Infrastructure Flashcards
is the combination of asymmetric (public key) cryptography, a Certificate Authority (CA), and the supporting infrastructure (registration, revocation publishing, key storage) used to issue and manage digital certificates.
Public Key Infrastructure (PKI)
is the ultimate authority in a PKI. The root CA holds the root private key, which it uses to sign the certificate of the intermediary (issuing CA); the intermediary then signs the certificates issued to requesters, so the root key itself is used as rarely as possible.
Certificate Authority (CA)
is an internal CA that is connected to the network and always up and running, so that people in the company can request a certificate at any time of the day or night; this is normally the intermediary (issuing) CA rather than the root.
Online CA
is kept disconnected from the network so that its private key cannot be reached remotely; in practice this is the root CA, which is brought online only to sign an intermediary CA certificate or a CRL. It is typical of military and other secure environments where clearance and vetting must be completed before someone can be issued a certificate.
Offline CA
is also known as a third-party CA and is commercially accepted as an authority for issuing public certificates; examples include Sectigo, DigiCert (which took over Symantec's CA business) and GoDaddy.
Public CA
is run by the organisation itself; its certificates are trusted only by systems that have its root certificate installed, so it can only be used internally. In exchange, you must maintain the CA yourself (hardware, backups, CRL/OCSP publishing).
Private CA
validates and accepts the incoming requests for certificates from users on the network (checking identity and proof of possession of the private key) and notifies the CA to issue the certificates. The certificates that are used are known as X.509 certificates.
Registration Authority (RA)
ties a client (browser, mobile app) to a specific certificate or public key for a given host, so that a certificate for that host issued by any other CA is rejected even if its chain is valid. It does not prevent a CA from being compromised or from issuing fraudulent X.509 certificates; it limits the damage by defeating the SSL/TLS man-in-the-middle attack such a certificate would otherwise enable.
Certificate Pinning
in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the self-signed certificate of the root CA.
Trust Anchor
describes how the CAs are arranged and which of them a relying party trusts, and therefore how the authenticity of a certificate is established.
Trust Model
type of trust model that uses a hierarchy from the root CA down through one or more intermediary CAs to the end-entity certificates.
Hierarchical Trust Model
peer-to-peer trust model in which two separate PKI environments, each with its own root, cross-certify so that each trusts the other's certificates.
Bridge Trust Model
this chain of trust is used to verify who issued a certificate: each certificate is checked against the certificate that signed it, up to the trust anchor. The chain normally has three layers: the root CA certificate, the intermediary CA certificate, and the end-entity (leaf) certificate installed on the server.
Certificate Chaining
is the signed, periodically published list of certificates the CA has revoked before their expiry date, and is the traditional way of checking whether a certificate is still valid. If a certificate is revoked, its serial number is entered into the ____
Certificate Revocation List (CRL)
lets a client ask a responder for the status ("good", "revoked" or "unknown") of a single certificate instead of downloading the whole CRL. If the CRL is going slow, it is much faster than the CRL and can take the load from the CRL in a busy environment.
Online Certificate Status Protocol (OCSP)
is used when a web server fetches the OCSP response for its own certificate and attaches (staples) it to the TLS handshake, so the client gets the revocation status without having to fetch the CRL or contact the OCSP responder itself.
OCSP Stapling/Certificate Stapling
this is the process of requesting a new certificate: the requester generates a key pair, places the public key and identity details in the request, signs it with the new private key (proving possession of the key), and submits it to the RA/CA.
Certificate Signing Request (CSR)
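The cards from Hierarchical Trust Model through Certificate Signing Request describe one workflow, so here is one added worked example that is not part of the flashcard deck: a throwaway root/intermediary/leaf PKI built with the openssl command-line tool, with chain verification against the trust anchor, an SPKI pin check, a CRL, and an OCSP request/response exchange (the same response a stapling web server would attach to its handshake). The CA names, the hostname www.example.test, serial 1000 and the lifetimes are made-up assumptions; it needs only the openssl CLI and writes only into the directory you pass in.

```shell
# build_pki DIR : root (trust anchor) -> intermediary (issuing CA) -> leaf (via CSR)
build_pki() {
  d="$1"
  mkdir -p "$d/ca/newcerts"; : > "$d/ca/index.txt"; echo 1000 > "$d/ca/serial"
  # Root CA: self-signed trust anchor. In production this key lives on an offline
  # CA or in an HSM and only ever signs intermediary certificates and CRLs.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediary (issuing) CA: its CSR is signed by the root and marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # "openssl ca" config for the intermediary; the index.txt database it keeps is
  # what CRLs and OCSP answers are generated from later.
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = issuing
[ issuing ]
dir              = $d/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = $d/int.crt
private_key      = $d/int.key
default_md       = sha256
default_days     = 90
default_crl_days = 7
policy           = policy_any
x509_extensions  = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
  # Requester: new key pair + CSR. The CSR is signed with the new private key, so
  # the RA/CA can check proof of possession (req -verify) before the CA signs it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl req -in "$d/leaf.csr" -noout -verify 2>/dev/null
  openssl ca -batch -config "$d/ca.cnf" -notext -in "$d/leaf.csr" -out "$d/leaf.crt" 2>/dev/null
}
# verify_chain DIR : does the leaf chain to the trust anchor via the intermediary?
# (no revocation checking at all; a revoked but unexpired leaf still passes)
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}
# publish_crl DIR : the issuing CA signs a fresh CRL from its database.
publish_crl() { openssl ca -batch -config "$1/ca.cnf" -gencrl -out "$1/int.crl" 2>/dev/null; }
# revoke_leaf DIR : mark the leaf revoked in index.txt, then republish the CRL.
revoke_leaf() {
  openssl ca -batch -config "$1/ca.cnf" -revoke "$1/leaf.crt" 2>/dev/null && publish_crl "$1"
}
# verify_chain_crl DIR : as verify_chain, but also consult the issuer's CRL.
verify_chain_crl() {
  openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/int.crl" \
    -untrusted "$1/int.crt" "$1/leaf.crt" >/dev/null 2>&1
}
# ocsp_status DIR : prints "good" or "revoked". Step 1 builds the request a client
# would send; step 2 is the responder answering from index.txt and signing with
# the CA key (-noverify: it is not a relying party); step 3 is the client checking
# that signed response against the trust anchor. A stapling web server performs
# steps 1-2 itself and hands the response to clients inside the TLS handshake.
ocsp_status() {
  openssl ocsp -issuer "$1/int.crt" -cert "$1/leaf.crt" -no_nonce \
    -reqout "$1/ocsp.req" >/dev/null 2>&1
  openssl ocsp -index "$1/ca/index.txt" -CA "$1/int.crt" -rsigner "$1/int.crt" \
    -rkey "$1/int.key" -reqin "$1/ocsp.req" -respout "$1/ocsp.resp" -noverify >/dev/null 2>&1
  openssl ocsp -respin "$1/ocsp.resp" -issuer "$1/int.crt" -cert "$1/leaf.crt" \
    -CAfile "$1/root.crt" -no_nonce 2>/dev/null | sed -n 's/^.*leaf\.crt: \([a-z]*\).*/\1/p'
}
# spki_pin CERT : HPKP/OkHttp-style pin = base64(SHA-256(SubjectPublicKeyInfo DER)).
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl enc -base64 -A
}
# check_pin CERT PIN : succeed only if the presented certificate carries the pinned
# key. A certificate for the same name from any other CA fails, however valid its
# chain; that is what pinning buys you (and why a backup pin is needed for rotation).
check_pin() { [ "$(spki_pin "$1")" = "$2" ]; }
# rogue_cert DIR : self-signed certificate for the same hostname, standing in for
# one mis-issued by a compromised or coerced CA.
rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -days 30 \
    -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}
```

Typical use: `D=$(mktemp -d); build_pki "$D"; verify_chain "$D" && echo chain OK`, then `revoke_leaf "$D"` and compare `verify_chain "$D"` (still succeeds) with `verify_chain_crl "$D"` and `ocsp_status "$D"` (now fail/report revoked). That contrast is the point of the CRL and OCSP cards: chain validation alone never notices revocation.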
holds copies of private keys on behalf of third parties (for recovery, or for lawful access) and stores them in a Hardware Security Module.
Key Escrow
is a device that can store digital keys; it could be as simple as an external hard drive.
Security Module
can be a tamper-resistant card or appliance attached to the server, or a portable device that is plugged in, used to store keys and to perform signing and decryption inside the device so the private key never leaves it.
Hardware Security Module (HSM)
if a user cannot access their data because their private key is corrupted or lost, the ___ will recover the data. The ____ needs to get a copy of the user's private key from the key escrow.
Data Recovery Agent (DRA)
an OID is a dotted-numeric identifier that names an object type in a certificate, such as an extension, policy or algorithm (for example 2.5.29.15 is keyUsage and 2.5.29.17 is subjectAltName). It is not what identifies one particular certificate; that is the serial number, which, like the serial number on a banknote, is unique among the certificates a CA issues.
Object Identifier (OID)