Exploring PKI Components

Question 1

The key benefit of enabling two entities to securely communicate without previously knowing each other is provided by what?

Answer 1

Public Key Infrastructure

Question 2

What’s the difference between the two types of certificate trust models, Hierarchical (Centralized Trust) and Web of Trust (De-centralized)?

Answer 2

Hierarchical models work using 3 types of Certificate Authorities, where the public CA first creates a root CA. The root CA is issues to organizations who, if they’re very large can create Intermediate CA that can issue their own certificates to Child CAs. Child CAs issue the actual certificates to users and entities.
Web of Trust is implemented in OpenPGP

Question 3

Root CA’s can issue certificates to devices and users - true or false?

Answer 3

True. If it’s a small organization, the root CA is enough, you don’t need Intermediate or Child CAs

Question 4

explain the certificate registration process in 2 steps

Answer 4

1) create an RSA-based private key and pubic key

2) complete the Certificate Signing Request and send it, with your public key, to the CA

Question 5

What do CA’s use to revoke certificates?

Answer 5

Certification Revocation Lists

Question 6

List the process of a client connecting to a website and checking the certificate in 4 steps, with the first step being the client requesting a connection to a HTTPS site, i.e. describe the next 4 steps.

Answer 6

1. client requests a connection to a HTTPS site
2. server responds by sending a copy of the certificate with the public key
3. the client queries the CA for a copy of the Certificate Revocation List. The CA responds with a copy of the CRL
4. the client checks the serial number of the certificate against the serial number in CRL
5. Communication begins or there is a certificate error depending on result

Question 7

What is a quicker way of a client checking if a certificate has been revoked or not?

Answer 7

validating it using the Online Certificate Status Protocol (OCSP). A client will know instantly if the cert has been revoked instead of waiting to download another copy of the CRL

Question 8

What was developed to reduce lots of OCSP calls to CAs?

How does it work?

Answer 8

OCSP stapling.
The certificate presenter (like web server) gets a timestamped response from the CA and then sends the certificate to connecting clients that tells them “hey, no need to check with CA mate. This is a valid CA because i’ve got a timestamp and signed response from the CA confirming it’s valid.” If the timestamp for whatever reason has passed, the client will reject the certificate.

Question 9

What security mechanism is used to prevent attackers from impersonating websites using fraudulent certificates?

Answer 9

Public Key Pinning

Question 10

Describe the public key pinning mechanism in 3 steps

Answer 10

1. https server responds to a connection request and sends the client a list of hashes derived from public keys (called pins) the server is using. it also tells the client how long to store the hashes for.
2. the client stores the pins to the associated domain name
3. next time the client visits the site, it will ensure that 1 or more of hashes/pins the server sends it match the pins it has stored previously by calculating hashes on the keys.

Question 11

Regarding private key storage, if an organization deems any data loss by loss of a private key unacceptable, what service could they use?

Answer 11

Key Escrow

Question 12

What kind of certificate would you issue if you wanted a single certificate but had a company that used different domains?

Answer 12

A Subject Alternative Name (SAN)

Question 13

What kind of certificates would you request if you needed to emphasize to customers you have a trustworthy organization

Answer 13

Domain-validated and Extended validation certificates

Question 14

DER-based certificates are encoding in…

PEM-based certificates are encoded in…

Answer 14

DER = Binary
PEM = ASCII

Question 15

PEM-based certificate is simply the Base64 ASCII encoded version of a binary DER certificate - true or false?

Answer 15

TRUE

Question 16

which 4 certificate extension types can be formatted in DER or PEM? What 4 classes of certificate can they contain

Answer 16

.pem
.cer
.crt
.key

Server Certificates
Certificate Chains
Keys
CRL

Question 17

Which certificate format type is often found with in use with Java certificates?

Answer 17

DER-based certificates

Question 18

Which common container format is used to store multiple x.509 certificates in a single file? What is it mostly used for?

Answer 18

PKCS#12 (Public Key Cryptography Standards 12)

It’s used mostly to transfer public and private pairs

Question 19

In Windows, what is the file extension it commonly uses for the public key?

Answer 19

.cer

Question 20

Certificates that hold the private key is usually stored/transferred using what format extension?

Answer 20

.pfx/P12

Question 21

A P7B certificate uses what version of PKCS and what is the common usage of it?

Answer 21

It uses PKCS#7

It is commonly used to transfer the public key

Question 22

P7B is often used to transfer the public key but what can it also be used for? What can it NEVER be used for?

Answer 22

certificates
certificate chains
CRL
NEVER the private key

Question 23

if you wanted to encrypt all mails using third-party authenticated certificates, which encryption standard would you use?

Answer 23

S/MIME

Question 24

What container format is commonly used to transfer just the public key?

Answer 24

PKCS#7