Implementing PKI Flashcards
What type of certificate does CA have?
A CA has a root certificate which it uses to sign keys
If you are going to use a CA internally what type of CA should you use
Private CA for internal use only; these certificate will not be accepted outside of your organization
If you want to carry out B2B activity with third-party companies or sell products on the web, what type of CA Sshoukd you use
Public CA
Why you should take your CA offline when not in use
To prevent it from being compromised specially if you were a military, security or banking organization.
What type of encryption does PKI use?
Assymetric encryption
Who signs x509 certificate
Certificate Authority
What can you use to prevent your CA from being compromised and faudulent certificates from being issued?
Certificate pinning
If two entities wants to set up a cross-certification, what must they set up first
Bridge trust model -if two separate PKI entities wants to set up cross-certification, the root CAs would set up a trust model between themselves.
What type of trust model does PGP use
Web of trust or network trust model
How can you tell whether your certificate is valid?
Certificate Revocation List is used to detemine whether a certificate is valid
If the CRL is going slowly what should you implement?
OCSP provides faster validation
Explain certificate stapling/OCSP stapling
The webserver uses ocsp for faster certificate authentication, by passing CRL
What is the process of obtaining a new certificate?
Submitting certificate signing request to request a new certificate
What is the purpose of the key escrow
Stores and manages private key for third parties
What the purpose of HSM
Hardware Security Module is used by the Key escrow to securely store and manage certificate
What is the purpose of DRA and what does it need to complete its role effectively
Data Recovery Agent is to recover data when a user’s private key becomes corrupt. To do this you must obtain a copy of the private key from the key escrow
How can you identify each certificate?
By its Object Identifier, which is similar to a serial number
What format PKCS is a private certificate and what file extension does it have
A private certificate is in P12 format with a .pfx extension
What format PKCS is a public certificate and what file extension does it have
A public certificate is in P7B format wirh a .cer extension
What format is PEM certificate
Pem certificate is in base64 format
What type of certificate can be used on multiple servers in the same domain
A wildcard certificate can be used on multiple server in the same domain
What certificate can be used on multiple domain
Subject Alternative Name SAN
What should you do with your software to verify that it is original and not a fake copy?
Code signing, this is similar to a digital signature in that it ensure the integrity of the software
What is the purpose of Extended validation of an x509
To provide higher level of trust, normally used by financial instituions
What type oof cipher is the Caesar Cipher and how does it work if it uses rot 4
Caesar cioher is a substitution cipher; an example would be ROT 4 where wach letter would be substituted by a letter four characters along in the alphabeth
What is encryption and what are the inputs and outputs called
Encryption is when the plain text (input) is taken and turned into ciphertext (output)
What type of encryption will be used to encrypt large amounts of data?
Symmetric encryption us used to encrypt large amount of data as it uses one key
What is the purpose of diffie-Hellman
DH is an symmetric technique that creates a secure tunnel. During a VPN connection, it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel
What is the first stage in asymmetric encryption
Key Exchange. During asymmetric encryption, each entity will give the other entity its public key. The private key is secure and never given away
If Carol is encrypting the data to send to bob what key will each of them use
Carol uses Bob’s public key to encrypt the data and then Bob will use his private key to decrypt the data. Encryption and decryption are always done by the same key pair.
If George enrtpted data for years ago with an old CAC card, can he decrypt the data with his new CAC card
No, George must obtain the old private ket to decrypt the data as the encryption was done with a different key pair
If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?
Janet will digitally sign the email with her private key and john will check the validity with janets public key which he would have received un advance
What asymmetric encryption algorithm should you use to encrypt data on a smart phone
ECC will be used to encrypt data on a smartphone as it is small and fast and uses DH handshake
What should you use to encrypt a military monile telephone
AES 256
Name two key stretching algorithms
Bcrypt and PBKDF2
What two thinfs does a digital email signature provide
Integrity and Non repudiation
Explain how key stretching works
Key stretching salts the password being stored to prevent duplicate passwords. It also increases the length of the keys to make things harder for a brute-force attack.
What is the difference between stream and block cipher modes and which one will you use to encrypt large blocks of data
Stream ciphers encrypt one bit at a time and block ciphers take blocks of data, such as 128-bit modes. You would use a block cipher for large amounts of data.
What happens with cipher block chaining if yoy dont have all of the blocks
CBC needs all of the blocks of data to decrypt the data; otherwise, it will not work.
If you want to ensure the integrity of data, what should you use? Name two algorithm
Hashing ensures the integrity of data; two examples include SHA-1 (160 bit) and MD5 (128 bit).
If you want to ensure the protection of data what should
Encryption is used to protect data so that it cannot be reviewed or accessed.
Is a hash one way or two function and is it reversible
A hash is one-way and cannot be reversed.
What type of a man in the middle attack is SSL 3.0 CBC vulnerable to
POODLE is a man-in-the-middle attack on a downgraded SSL 3.0 (CBC).
Define Diffie Hellman Ephemeral ans Elliptic Curve Diffie Hellman Ephemeral
DHE and ECDHE are both ephemeral keys that are short-lived, one-time keys.
What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel
The strongest encryption for an L2TP/IPSec VPN tunnel is AES, and the weakest isDES.
What is the name of the key used to ensure the security of communication between a conputer and server or a computer to another computer
A session key ensures the security of communications between a computer and a server or a computer and another computer.
What should you do to protect a data at rest on the laptop?
Full Disk Encryption
What should you do to protect data at rest on the tablet or smartphone
Full device encryption
What should you do to protect data at rest on a backend server
Data-at-rest on a backend server is stored on a database. Therefore, to protect it, you would encrypt the database.
What should you do to protectdata at rest on a removable device, such as a USB flash drive or an external hard drive
You would protect data-at-rest on a USB flash drive or external hard drive via full disk encryption.
