Digital Signatures and PKI

Question 1

What is a digital signature?

Answer 1

A digital signature is a certificate that binds a public key to an entity.

Question 2

Who verifies a digital signature?

Answer 2

The certificate that is verified by certificate authorities or trusted third parties.

Question 3

What properties must digital certificates have?

Answer 3

Unforgeable
Authentic
Unalterable
Non-reusable

Question 4

What does a digital certificate contain to preserve its required properties

Answer 4

A message digest (Unalterable)

Encryption via the private key which is unencrypted using the public key (Authentic & Unforgeable)

Label to show identity of the sender (Authentic)

Timestamp for non-repudiation

Question 5

What is the process that a sender goes through when sending a digital signature?

Answer 5

Hash the message
Encrypt using private key
Add expiration dates, serial numbers etc
Authenticate message
Send

Question 6

What is the process that a receiver goes through when receiving a digital signature?

Answer 6

Separate digital signature from the message
Decrypt the signature using the sender’s public key
Hash the message and compare the decrypted hash

Question 7

How is confidentiality of the message preserved when using digital signatures?

Answer 7

A random key can be encrypted using the receiver’s public key and sent with the message

Question 8

What is PGP?

Answer 8

The Pretty Good Privacy Protocol allows common users access to encryption. Uses two key concepts:

1) A key is only valid iff it’s owned by the person who claims to own it.
2) Trust is a mechanism to validate a key.

Question 9

How are certificates issued in PGP?

Answer 9

Certificates are self-signed, and certificates that you trust are signed by you. There is no high-level authority

Question 10

What are the four levels of trust in PGP?

Answer 10

Implicit trust
Full trust
Marginal trust
Untrusted

Question 11

What is implicit trust?

Answer 11

Reserved for only your own keys. If the keyring contains a private key that signed a public key then you trust that public key

Question 12

What is full trust?

Answer 12

Keys that are provided by full trust user are trusted without extra verification.

Question 13

What is marginal trust?

Answer 13

Keys provided by this user need to be vouched by at least one other user in the network.

Question 14

How are untrusted users treated in PGP?

Answer 14

Keys from this user are disregarded

Question 15

What is a PKI?

Answer 15

Set of policies, procedures and products to aid in trusted communications

Question 16

How does PKI allow for pervasive security infrastructure?

Answer 16

By allowing for trusted communications over an untrusted public network

Question 17

What happens to trust when using PKI?

Answer 17

Trust is moved to authorities in the network from individuals. Users must trust that the chain is integral.

Question 18

How are messages authenticated and kept confidential?

Answer 18

Messages are authenticated by using digital signatures and can be kept confidential by using a session key.

Question 19

What are the five stages of PKI certificates go through?

Answer 19

Construction
Issuance
Signing
Confirmation/Denial
Invalidation

Question 20

What do certificate authorities do?

Answer 20

Trustworthy roots of the network that certify user identity through registration, binding public keys to identity.

All certificates in the network depend on the root nodes.

Question 21

What is the certification revocation list?

Answer 21

List of certificates that have been revoked in the network. Suffers from propogation delay.

Question 22

What do certificates consist of?

Answer 22

Public key
Name of owner
Hash of name & key

Question 23

What is X.509?

Answer 23

Standardized format for the issuing of certificates.

Question 24

What is contained in an X.509 certificate?

Answer 24

Serial Number: Used to uniquely identify the certificate.
Subject: The person, or entity identified.
Signature Algorithm: The algorithm used to create the signature.
Signature: The actual signature to verify that it came from the issuer.
Issuer: The entity that verified the information and issued the certificate.
Valid-From
Valid-To
Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing…).
Public Key: The public key.
Thumbprint Algorithm: The algorithm used to hash the public key.
Thumbprint: The hash itself, used as an abbreviated form of the public key

Question 25

What are some of Schneir’s identified risks?

Answer 25

How secure is the verifying computer
Which John Robinson is he
How was the certificate holder identified