Cryptography - Public Key Infrastructure Flashcards

1
Q

Public Key Infrastructure (PKI)

A

Includes systems, software, communication protocols that distribute, manage and control public key cryptography

Can certify that public key is tied to an entity and verify that a public key is valid

X.509 - Framework that PKI’s use. Enables authentication between networks and over the internet.

Includes time stamping and certificate revocation

Provides confidentiality, message integrity, authentication, nonrepudiation

Structure includes CA’s, certificates, registration authorities, CRL’s, cross-certification and Online Certificate Status Protocol (OCSP)`

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Registration Authority

A

Verifies requester’s identity, registers them, passes the request to the CA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Certificate Authority (CA)

A

CA creates and signs the digital certificates

Maintains the certificates

Revokes certificates when needed

Certificate binds the participant to his keys

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Public CA

A

provides PKI as a payable service to companies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Private CA

A

Operated by a company so they can control all aspects of PKI process

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Certification path validation

A

Checking legitimacy of the certificates in the certification path

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Online Certificate Status Protocol (OCSP)

A

Protocol that obtains revocation status of an X.509 digital certificate in real-time

Alternative to the CRL used by many PKI’s

Automatically validates and reports back the status by accessing the CRL

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Attributes of a certificate

A

Provides entity with credentials to prove its identity and associates that identity with a public key

Must provide the serial number, issuer, subject (owner) and the public key

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Verisign’s 3 digital certificate classes

A

Class 1 - for individuals intended for email These certificates get saved by web browsers

Class 2 - For organizations that must provide proof of identity

Class 3 - For servers and software signing where independent verification and identity and authority checking is done by issuing CA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Certificate Revocation List (CRL)

A

List of digital certificates that a CA has revoked. Browser must check the CRL or the CA must push out the CRL values to clients.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Revocation Request Grace Period

A

Maximum time between when revocation request is received by he CA and when revocation actually occurs

Shorter revocation period is better security but higher implementation cost

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Steps for requesting a digital certificate

A

User requests digital certificate and Receiving Authority (RA) receives the request

RA requests identifying information from requestor

RA forwards certificate request to the CA

CA creates digital certificate for requestor. Requestors public key and identity information are included as part of certificate.

User receives certificate

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Process for communicating with a PKI

A

Bob requests Alice’s public key from the Certificate Repository

Repository sends Alice’s certificate to Bob

Bob verifies certificate and extracts Alice’s public key

Bob encrypts session key with Alice’s public key and sends the encrypted session key and his certificate to Alice

Alice receives Bob’s certificate and verifies it with a trusted CA

After this, they can communicate with encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Cross-Certification

A

Establishes trust relationship between CA’s

i.e. 2 organizations decide to trust each other’s CA’s

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Key Management

A

Essential to ensure cryptography provides confidentiality, integrity, authentication

ensures keys are protected during creation, distribution, transmission and storage

Keys should always be stored in ciphertext when stored on non-cryptographic device

Key distribution, storage, maintenance should be automatic by integrating them into the application

Backup copies of keys should be made and stored securely

Designated individual should have control of backup copies with others designated as emergency backups

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Key Management

Key recovery process

A

Should require > 1 person to ensure only valid key recovery requests are completed, or keys should be broken into parts and deposited with trusted agents who provide their part of the key to a central authority when authorized

Key recovery personnel should pan the entire organization, not just the IT department

Limit number of keys used and therefore protected

17
Q

Key Management Design

A

Securely store and transmit the keys

Use random keys

Issue keys sufficiently long to ensure protection

Properly destroy keys

Backup keys to ensure they can be recovered