Implementing PKI

Question 1

What type of certificate does CA have?

Answer 1

A CA has a root certificate which it uses to sign keys

Question 2

If you are going to use a CA internally what type of CA should you use

Answer 2

Private CA for internal use only; these certificate will not be accepted outside of your organization

Question 3

If you want to carry out B2B activity with third-party companies or sell products on the web, what type of CA Sshoukd you use

Answer 3

Public CA

Question 4

Why you should take your CA offline when not in use

Answer 4

To prevent it from being compromised specially if you were a military, security or banking organization.

Question 5

What type of encryption does PKI use?

Answer 5

Assymetric encryption

Question 6

Who signs x509 certificate

Answer 6

Certificate Authority

Question 7

What can you use to prevent your CA from being compromised and faudulent certificates from being issued?

Answer 7

Certificate pinning

Question 8

If two entities wants to set up a cross-certification, what must they set up first

Answer 8

Bridge trust model -if two separate PKI entities wants to set up cross-certification, the root CAs would set up a trust model between themselves.

Question 9

What type of trust model does PGP use

Answer 9

Web of trust or network trust model

Question 10

How can you tell whether your certificate is valid?

Answer 10

Certificate Revocation List is used to detemine whether a certificate is valid

Question 11

If the CRL is going slowly what should you implement?

Answer 11

OCSP provides faster validation

Question 12

Explain certificate stapling/OCSP stapling

Answer 12

The webserver uses ocsp for faster certificate authentication, by passing CRL

Question 13

What is the process of obtaining a new certificate?

Answer 13

Submitting certificate signing request to request a new certificate

Question 14

What is the purpose of the key escrow

Answer 14

Stores and manages private key for third parties

Question 15

What the purpose of HSM

Answer 15

Hardware Security Module is used by the Key escrow to securely store and manage certificate

Question 16

What is the purpose of DRA and what does it need to complete its role effectively

Answer 16

Data Recovery Agent is to recover data when a user’s private key becomes corrupt. To do this you must obtain a copy of the private key from the key escrow

Question 17

How can you identify each certificate?

Answer 17

By its Object Identifier, which is similar to a serial number

Question 18

What format PKCS is a private certificate and what file extension does it have

Answer 18

A private certificate is in P12 format with a .pfx extension

Question 19

What format PKCS is a public certificate and what file extension does it have

Answer 19

A public certificate is in P7B format wirh a .cer extension

Question 20

What format is PEM certificate

Answer 20

Pem certificate is in base64 format

Question 21

What type of certificate can be used on multiple servers in the same domain

Answer 21

A wildcard certificate can be used on multiple server in the same domain

Question 22

What certificate can be used on multiple domain

Answer 22

Subject Alternative Name SAN

Question 23

What should you do with your software to verify that it is original and not a fake copy?

Answer 23

Code signing, this is similar to a digital signature in that it ensure the integrity of the software

Question 24

What is the purpose of Extended validation of an x509

Answer 24

To provide higher level of trust, normally used by financial instituions

Question 25

What type oof cipher is the Caesar Cipher and how does it work if it uses rot 4

Answer 25

Caesar cioher is a substitution cipher; an example would be ROT 4 where wach letter would be substituted by a letter four characters along in the alphabeth

Question 26

What is encryption and what are the inputs and outputs called

Answer 26

Encryption is when the plain text (input) is taken and turned into ciphertext (output)

Question 27

What type of encryption will be used to encrypt large amounts of data?

Answer 27

Symmetric encryption us used to encrypt large amount of data as it uses one key

Question 28

What is the purpose of diffie-Hellman

Answer 28

DH is an symmetric technique that creates a secure tunnel. During a VPN connection, it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel

Question 29

What is the first stage in asymmetric encryption

Answer 29

Key Exchange. During asymmetric encryption, each entity will give the other entity its public key. The private key is secure and never given away

Question 30

If Carol is encrypting the data to send to bob what key will each of them use

Answer 30

Carol uses Bob’s public key to encrypt the data and then Bob will use his private key to decrypt the data. Encryption and decryption are always done by the same key pair.

Question 31

If George enrtpted data for years ago with an old CAC card, can he decrypt the data with his new CAC card

Answer 31

No, George must obtain the old private ket to decrypt the data as the encryption was done with a different key pair

Question 32

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

Answer 32

Janet will digitally sign the email with her private key and john will check the validity with janets public key which he would have received un advance

Question 33

What asymmetric encryption algorithm should you use to encrypt data on a smart phone

Answer 33

ECC will be used to encrypt data on a smartphone as it is small and fast and uses DH handshake

Question 34

What should you use to encrypt a military monile telephone

Answer 34

AES 256

Question 35

Name two key stretching algorithms

Answer 35

Bcrypt and PBKDF2

Question 36

What two thinfs does a digital email signature provide

Answer 36

Integrity and Non repudiation

Question 37

Explain how key stretching works

Answer 37

Key stretching salts the password being stored to prevent duplicate passwords. It also increases the length of the keys to make things harder for a brute-force attack.

Question 38

What is the difference between stream and block cipher modes and which one will you use to encrypt large blocks of data

Answer 38

Stream ciphers encrypt one bit at a time and block ciphers take blocks of data, such as 128-bit modes. You would use a block cipher for large amounts of data.

Question 39

What happens with cipher block chaining if yoy dont have all of the blocks

Answer 39

CBC needs all of the blocks of data to decrypt the data; otherwise, it will not work.

Question 40

If you want to ensure the integrity of data, what should you use? Name two algorithm

Answer 40

Hashing ensures the integrity of data; two examples include SHA-1 (160 bit) and MD5 (128 bit).

Question 41

If you want to ensure the protection of data what should

Answer 41

Encryption is used to protect data so that it cannot be reviewed or accessed.

Question 42

Is a hash one way or two function and is it reversible

Answer 42

A hash is one-way and cannot be reversed.

Question 43

What type of a man in the middle attack is SSL 3.0 CBC vulnerable to

Answer 43

POODLE is a man-in-the-middle attack on a downgraded SSL 3.0 (CBC).

Question 44

Define Diffie Hellman Ephemeral ans Elliptic Curve Diffie Hellman Ephemeral

Answer 44

DHE and ECDHE are both ephemeral keys that are short-lived, one-time keys.

Question 45

What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel

Answer 45

The strongest encryption for an L2TP/IPSec VPN tunnel is AES, and the weakest isDES.

Question 46

What is the name of the key used to ensure the security of communication between a conputer and server or a computer to another computer

Answer 46

A session key ensures the security of communications between a computer and a server or a computer and another computer.

Question 47

What should you do to protect a data at rest on the laptop?

Answer 47

Full Disk Encryption

Question 48

What should you do to protect data at rest on the tablet or smartphone

Answer 48

Full device encryption

Question 49

What should you do to protect data at rest on a backend server

Answer 49

Data-at-rest on a backend server is stored on a database. Therefore, to protect it, you would encrypt the database.

Question 50

What should you do to protectdata at rest on a removable device, such as a USB flash drive or an external hard drive

Answer 50

You would protect data-at-rest on a USB flash drive or external hard drive via full disk encryption.