General Security Concepts: Examining Public Key Infrastructure Flashcards
What is a PKI?
PKI is a framework for securing communications through the issuing and lifecycle management of digital keys and certificates. You implement it to facilitate encryption, authentication, and digital signatures in online transactions and communications.
What component is the Root/Offline CA?
Root/offline CA: This is the highest-level authority in the certificate hierarchy and is responsible for issuing and signing certificates to subordinate CAs. This CA’s security is crucial, and this type of CA is commonly taken offline to prevent a compromise.
What component is the Subordinate/issuing CA?
Subordinate/issuing CA: This is an intermediate authority that operates under a root CA, issuing and signing digital certificates. They will issue all certificates lower than the root CA in the PKI hierarchy.
What is the difference between standalone CA vs Enterprise CA?
Standalone CA vs. Enterprise CA: A Standalone CA is an independent CA that issues and manages certificates and that doesn’t rely on a hierarchical structure. It’s typically used in smaller and isolated environments. An Enterprise CA is integrated into an organization’s network, and it issues and manages certificates for internal use.
What is Internal CA vs External CA?
Internal CA vs. external CA: And internal CA is used within an organization’s internal network to issue certificates. The authority isn’t trusted outside the organization. And external CA issues certificates to entities publicly, and the authority is trusted globally.
What is RoT?
Root of trust (RoT): This is a trusted entity or authority whose digital signature and public key are accepted as a foundation of trust in the PKI hierarchy.
What is a digital certificate?
Digital certificate: This is an electronic document that a trusted authority or CA issues. IT binds a public key to an individual, device, or service. These documents serve as a means of authentication and encryption for secure communications, digital signatures, and access control.
What is a CSR?
Certificate signing request (CSR): This is a formal request generated by an entity, such as an organization or user, to request a digital certificate from a CA. A CSR can be sent to an internal or external CA.
What is a CRL?
CRL: This is a dynamically updated list that a CA maintains, and it contains serial numbers of certificates that have been revoked or deemed invalid before they’ve expired. This provides certificate verification and trustworthiness, but is an older resource-intensive method. (old way of confirming vadility)
What is the new way of validating digital certifcates? OSCP and Online Responder?
Online Certificate Status Protocol (OCSP): A real-time network protocol that checks the validity and revocation status of certificates. It provides verification and trustworthiness of certificates.
Online responder: This is a server that processes OCSP requests (certificate validity check requests), providing quick, real-time responses about the validity and revocation status of certificates. It’s less resource intensive and provides great efficiency.
What is a key escrow?
Key escrow: This is the process of storing a copy of cryptographic keys with a trusted third-party. This is commonly done for recovery or backup purposes in case the original key is lost or compromised. Key Recovery Agent (third party)
