Exploring PKI Components Flashcards
The key benefit of enabling two entities to securely communicate without previously knowing each other is provided by what?
Public Key Infrastructure
What’s the difference between the two types of certificate trust models, Hierarchical (Centralized Trust) and Web of Trust (De-centralized)?
Hierarchical models work using 3 types of Certificate Authorities: the public CA first creates a root CA. The root CA is issued to organizations which, if they are very large, can create Intermediate CAs that issue their own certificates to Child CAs. Child CAs issue the actual certificates to users and entities.
Web of Trust is implemented in OpenPGP
Root CAs can issue certificates to devices and users - true or false?
True. If it’s a small organization, the root CA is enough; you don’t need Intermediate or Child CAs.
Explain the certificate registration process in 2 steps
1) create an RSA-based private key and public key
2) complete the Certificate Signing Request and send it, with your public key, to the CA
What do CAs use to revoke certificates?
Certificate Revocation Lists
List the process of a client connecting to a website and checking the certificate in 4 steps, with the first step being the client requesting a connection to an HTTPS site, i.e. describe the next 4 steps.
- client requests a connection to an HTTPS site
- server responds by sending a copy of the certificate with the public key
- the client queries the CA for a copy of the Certificate Revocation List. The CA responds with a copy of the CRL
- the client checks the serial number of the certificate against the serial number in CRL
- Communication begins or there is a certificate error depending on result
What is a quicker way of a client checking if a certificate has been revoked or not?
Validating it using the Online Certificate Status Protocol (OCSP). A client will know instantly if the cert has been revoked instead of waiting to download another copy of the CRL.
What was developed to reduce lots of OCSP calls to CAs?
How does it work?
OCSP stapling.
The certificate presenter (like a web server) gets a timestamped response from the CA and then sends the certificate to connecting clients, which tells them “hey, no need to check with the CA mate. This is a valid CA because I’ve got a timestamped and signed response from the CA confirming it’s valid.” If the timestamp for whatever reason has passed, the client will reject the certificate.
What security mechanism is used to prevent attackers from impersonating websites using fraudulent certificates?
Public Key Pinning
Describe the public key pinning mechanism in 3 steps
- HTTPS server responds to a connection request and sends the client a list of hashes derived from the public keys (called pins) the server is using. It also tells the client how long to store the hashes for.
- the client stores the pins against the associated domain name
- next time the client visits the site, it will ensure that one or more of the hashes/pins the server sends it match the pins it has stored previously, by calculating hashes on the keys.
Regarding private key storage, if an organization deems any data loss by loss of a private key unacceptable, what service could they use?
Key Escrow
What kind of certificate would you issue if you wanted a single certificate but had a company that used different domains?
A Subject Alternative Name (SAN)
What kind of certificates would you request if you needed to emphasize to customers that you have a trustworthy organization?
Domain-validated and Extended validation certificates
DER-based certificates are encoded in…
PEM-based certificates are encoded in…
DER = Binary
PEM = ASCII
A PEM-based certificate is simply the Base64 ASCII encoded version of a binary DER certificate - true or false?
True