Exploring PKI Components Flashcards

1
Q

The key benefit of enabling two entities to securely communicate without previously knowing each other is provided by what?

A

Public Key Infrastructure

2
Q

What’s the difference between the two types of certificate trust models, Hierarchical (Centralized Trust) and Web of Trust (De-centralized)?

A

Hierarchical (centralized trust): trust starts at a single root CA whose self-signed certificate is installed in clients as the trust anchor. The root CA signs certificates for one or more intermediate CAs, and a large organization can let an intermediate sign further child (issuing) CAs; the CA at the bottom of the chain issues the end-entity certificates to users, servers and devices. A certificate is trusted only if a chain of signatures leads from it back to a trusted root.
Web of Trust (decentralized): there is no CA. Users sign each other's keys after verifying the owner's identity, and a key is trusted because enough people you already trust have signed it. This is the model OpenPGP implements.

3
Q

Root CAs can issue certificates to devices and users - true or false?

A

True. In a small organization the root CA alone is enough; intermediate and child CAs are optional. The trade-off is that the root's private key must then stay online to sign certificates, so most PKIs keep the root offline and delegate day-to-day issuing to an intermediate.

4
Q

explain the certificate registration process in 2 steps

A

1) Generate a key pair (RSA or, increasingly, ECDSA) on the system that will use the certificate; the private key stays there and is never sent to the CA.

2) Build a Certificate Signing Request (PKCS#10) containing the public key and the requested subject and SAN names, sign it with the private key to prove possession, and submit it to the CA, which validates the request and returns the signed certificate.

5
Q

What do CAs use to revoke certificates?

A

Certificate Revocation Lists (CRLs): CA-signed, periodically republished lists of the serial numbers of certificates the CA has revoked before their expiry date.

6
Q

List the process of a client connecting to a website and checking the certificate in 4 steps, with the first step being the client requesting a connection to an HTTPS site, i.e. describe the next 4 steps.

A
  1. client requests a connection to an HTTPS site
  2. server responds by sending its certificate (which carries its public key), normally together with the intermediate chain
  3. the client fetches the CA's Certificate Revocation List from the location given in the certificate's CRL Distribution Points extension (or uses a cached copy that is still within its validity period)
  4. the client checks the CA's signature on the CRL and then looks for the certificate's serial number in the CRL's list of revoked serials
  5. communication begins, or the client raises a certificate error, depending on the result

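The whole lifecycle behind cards 3 to 6 (a root CA that issues directly, the subscriber's key pair and CSR, the CRL, and the client's serial-number check) can be exercised locally with nothing but the openssl command line. The script below is an added example and not part of the flashcard deck; the CA name, the hostname www.example.test, the file names and the config are invented for the demo, and the CA lives in a throwaway temporary directory.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): a throwaway CA that issues a
# certificate, publishes a CRL, revokes the certificate and shows how the
# client-side CRL check reacts. Requires only the openssl CLI.
# CA name, hostname and file names are invented for the demo.

crl_demo() (
    set -e
    work=$(mktemp -d)
    cd "$work"

    # Minimal config for `openssl ca`: database, serial counter, CRL lifetime.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_days = 7
default_crl_days = 7
policy = dn_policy
x509_extensions = leaf_ext
[ leaf_ext ]
basicConstraints = CA:FALSE
[ dn_policy ]
commonName = supplied
EOF
    mkdir newcerts
    : > index.txt
    echo 01 > serial

    # Card 3: a small-org root CA that signs end-entity certificates itself.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out root.key 2>/dev/null
    openssl req -x509 -new -key root.key -config ca.cnf -extensions v3_ca \
        -subj "/CN=Example Root CA" -days 30 -out root.pem 2>/dev/null

    # Card 4: the subscriber generates its own key pair and a CSR (signed with
    # the private key, carrying the public key); the CA signs the CSR.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out leaf.key 2>/dev/null
    openssl req -new -key leaf.key -config ca.cnf -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null

    # Cards 5/6: publish a CRL (empty so far) and run the client-side check,
    # which compares the certificate's serial with the serials in the CRL.
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    before=$(openssl verify -crl_check -CAfile root.pem -CRLfile crl.pem leaf.pem 2>&1 || true)

    # Revoke, republish the CRL and check again.
    openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    after=$(openssl verify -crl_check -CAfile root.pem -CRLfile crl.pem leaf.pem 2>&1 || true)

    echo "cert $(openssl x509 -in leaf.pem -noout -serial)"
    echo "crl revoked serials: $(openssl crl -in crl.pem -noout -text | sed -n 's/.*Serial Number: *//p' | tr '\n' ' ')"
    case $before in *": OK"*) echo "before revocation: OK" ;; *) echo "before revocation: FAILED" ;; esac
    case $after  in *revoked*) echo "after revocation: revoked" ;; *) echo "after revocation: NOT revoked" ;; esac

    cd / && rm -rf "$work"
)

crl_demo
```

The second verify fails with "certificate revoked" because the serial the CA wrote into leaf.pem now appears in the CRL it signed; that is exactly the comparison in step 4. Note that `-crl_check` only checks the leaf, and that a real client also has to honour the CRL's nextUpdate time and refetch once it has passed.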
7
Q

What is a quicker way of a client checking if a certificate has been revoked or not?

A

Validating it with the Online Certificate Status Protocol (OCSP): the client sends the certificate's serial number to the CA's OCSP responder (its URL is in the certificate's Authority Information Access extension) and gets back a signed good/revoked/unknown answer for that one certificate, instead of downloading and parsing the CA's whole CRL.

8
Q

What was developed to reduce lots of OCSP calls to CAs?

How does it work?

A

OCSP stapling.
The certificate presenter (typically the web server) periodically fetches a time-stamped, CA-signed OCSP response for its own certificate and "staples" it to the certificate in the TLS handshake, in effect telling the client: no need to ask the CA, here is the CA's signed statement that this certificate is currently valid. The client verifies the CA's signature on the stapled response and its validity window. An expired stapled response is not accepted: the client falls back to its own revocation check, or rejects the certificate outright if it carries the OCSP Must-Staple extension.

9
Q

What security mechanism is used to prevent attackers from impersonating websites using fraudulent certificates?

A

Public key pinning (for the web, HTTP Public Key Pinning, HPKP). Caveat: browsers have since dropped HPKP because a mis-set pin locks users out of the site; pinning survives mainly in mobile and other native clients, while browsers rely on Certificate Transparency to detect fraudulently issued certificates.

10
Q

Describe the public key pinning mechanism in 3 steps

A
  1. the HTTPS server responds to the connection and sends the client a list of pins, hashes of the public keys (SubjectPublicKeyInfo, not the whole certificate) in its chain, normally including a backup key, plus a max-age telling the client how long to keep them.
  2. the client stores the pins against the domain name.
  3. on the next visit the client hashes the public keys in the certificates the server presents and requires at least one of them to match a stored pin; otherwise the connection is refused.

11
Q

Regarding private key storage, if an organization considers losing access to encrypted data because a private key was lost unacceptable, what service could it use?

A

Key escrow: a copy of the private key is held by a trusted third party (or an internal recovery agent) so the data can still be decrypted if the original key is lost.

12
Q

What kind of certificate would you issue if you wanted a single certificate but had a company that used different domains?

A

A certificate with a Subject Alternative Name (SAN) extension listing each domain name it must cover (a wildcard certificate only covers subdomains of a single domain).

13
Q

What kind of certificates would you request if you needed to emphasize to customers you have a trustworthy organization

A

Extended Validation (EV) certificates, or at least Organization Validated (OV) ones: both require the CA to verify the legal entity behind the site. Domain-validated (DV) certificates only prove control of the domain name and say nothing about who the organization is.

14
Q

DER-based certificates are encoded in…

PEM-based certificates are encoded in…

A
DER = Binary
PEM = ASCII
15
Q

PEM-based certificate is simply the Base64 ASCII encoded version of a binary DER certificate - true or false?

A

TRUE. The DER bytes are Base64-encoded and wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, which is why several PEM objects can be concatenated in one file.

16
Q

Which 4 file extensions can hold DER- or PEM-formatted data? Which 4 classes of object can they contain?

A

.pem
.cer
.crt
.key

Server Certificates
Certificate Chains
Keys
CRL

17
Q

Which certificate format is commonly used with Java?

A

DER-based certificates

18
Q

Which common container format stores multiple X.509 certificates in a single file? What is it mostly used for?

A

PKCS#12 (Public Key Cryptography Standards 12)

It is mostly used to transfer a private key together with its certificate (and chain), i.e. the public/private pair, protected by a password.

19
Q

In Windows, what is the file extension it commonly uses for the public key?

A

.cer

20
Q

A certificate bundled with its private key is usually stored or transferred using what format/extension?

A

.pfx / .p12 (PKCS#12)

21
Q

A P7B certificate uses what version of PKCS and what is the common usage of it?

A

It uses PKCS#7

It is commonly used to transfer the public key

22
Q

P7B is often used to transfer the public key, but what else can it carry? What can it NEVER contain?

A

certificates
certificate chains
CRL
NEVER the private key
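Cards 14 to 22 are all about what the bytes on disk look like, and every claim in them can be checked with the openssl CLI. The script below is an added example, not part of the flashcard deck: it generates a self-signed certificate, shows that the PEM body is exactly the Base64 of the DER bytes and that a DER/PEM round trip is the same certificate, then packs the key into a PKCS#12 bundle and the certificate into a PKCS#7 (.p7b) file to show which of the two carries a private key. The hostname www.example.test, the password and the file names are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the flashcard deck): PEM versus DER, and PKCS#12
# versus PKCS#7, demonstrated with the openssl CLI on a self-signed
# certificate generated in a temporary directory. Hostname and password
# are invented for the demo.

fmt_demo() (
    set -e
    work=$(mktemp -d)
    cd "$work"
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = www.example.test\n' > req.cnf

    # A self-signed server certificate and its private key, both PEM.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out server.key 2>/dev/null
    openssl req -x509 -new -key server.key -config req.cnf -days 1 -out server.pem 2>/dev/null

    # Cards 14/15: PEM -> DER. The PEM body (minus the BEGIN/END lines) is the
    # Base64 of the DER bytes, so the two strings must be identical.
    openssl x509 -in server.pem -outform DER -out server.der
    pem_body=$(grep -v '^-----' server.pem | tr -d '\n')
    der_b64=$(openssl base64 -A -in server.der)
    [ "$pem_body" = "$der_b64" ] && same_bytes=yes || same_bytes=no

    # DER -> PEM round trip: same certificate, hence the same fingerprint.
    fp_pem=$(openssl x509 -in server.pem -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in server.der -inform DER -noout -fingerprint -sha256)
    [ "$fp_pem" = "$fp_der" ] && same_fp=yes || same_fp=no

    # Cards 18/20: PKCS#12 (.p12/.pfx) carries the private key together with
    # the certificate, protected by a password.
    openssl pkcs12 -export -inkey server.key -in server.pem -passout pass:changeit -out server.p12
    p12_keys=$(openssl pkcs12 -in server.p12 -passin pass:changeit -nocerts -nodes 2>/dev/null \
               | grep -c 'BEGIN.*PRIVATE KEY' || true)

    # Cards 21/22: PKCS#7 (.p7b) carries certificates, chains and CRLs, never a key.
    openssl crl2pkcs7 -nocrl -certfile server.pem -out server.p7b
    p7_certs=$(openssl pkcs7 -in server.p7b -print_certs | grep -c 'BEGIN CERTIFICATE' || true)
    p7_keys=$(openssl pkcs7 -in server.p7b -print_certs | grep -c 'BEGIN.*PRIVATE KEY' || true)

    echo "pem_is_base64_der=$same_bytes"
    echo "roundtrip_same_fingerprint=$same_fp"
    echo "p12_private_keys=$p12_keys"
    echo "p7b_certificates=$p7_certs"
    echo "p7b_private_keys=$p7_keys"

    cd / && rm -rf "$work"
)

fmt_demo
```

The practical consequence of the last two counts: a .p7b or .cer is safe to hand to anyone, while a .p12/.pfx must be treated like the private key itself (password-protected in transit and deleted from inboxes and shared drives after import).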

23
Q

If you wanted to encrypt all email using certificates issued by a third-party CA, which standard would you use?

A

S/MIME

24
Q

What container format is commonly used to transfer just the public key?

A

PKCS#7