Lesson 6 Public and Private Keys, CAs Flashcards

1
Q

CA

A

Certification Authority

Stores public keys for users, ensuring valid keys are available to users

If the CA fails, the PKI falls apart

2
Q

Certification from CA

A

A cert is your public key signed by the CA

3
Q

PKI

A

Public Key Infrastructure

Relies on Cert Authorities to manage public keys

4
Q

RA

A

Registration Authority

5
Q

CSR

A

Certificate Signing Request

6
Q

Registration Authorities and CSRs

A

A process of identification and authentication for end users to create an account with the CA

When a user wants to get a cert, it completes a certificate signing request (CSR) and submits it to the CA

Registration can be delegated by the CA to a registration authority (RA), which performs the identity checking

Then the CA issues the certificate

7
Q

Digital certificate

A

Issued by the CA and is a wrapper for the subject's public key

The CA digitally signs the certificate (with its private key)

8
Q

X.509 standard

A

standard used to create digital certificates

9
Q

PKCS (Public Key Cryptography Standards)

A

Public Key Cryptography Standards (PKCS)

promotes the use of the public key infrastructure

10
Q

DV (Domain Validation)

A

Domain Validation (DV): a web server cert type proving ownership of a particular domain

Highly vulnerable to compromise

The process is to respond to an email sent to the authorized domain contact or to publish a text record for the domain

11
Q

EV (Extended Validation)

A

Extended Validation (EV): a web server cert with even more rigorous identity checks than DV

This standard is maintained by the CA/Browser Forum

An EV cert cannot be issued for a wildcard domain

12
Q

Other Cert Type Uses

A

Certificates to identify:
Machine/computer - used to keep unauthorized machines off networks
Email/User - used to secure emails
Code signing - software publishers attest to the validity of the application
Root - identifies the Root CA itself, and is self-signed
Self-signed cert - used for one device only

13
Q

Key life cycle

A
  • Key generation
  • Certificate generation
  • Storage
  • Revocation
  • Expiration and renewal
14
Q

Cert management vulnerabilities

A

A private key compromise puts confidentiality and identification/authorization at risk

If an attacker can perform CA functions, he can place nodes on the network that are trusted and use them in other attacks

Destruction of the key used for encryption will cause encrypted data to be inaccessible

15
Q

M-of-N

A

M-of-N is a process for maintaining the CA root private key, due to its importance

M-of-N keeps people honest by requiring a minimum number (M) of the N admins allowed to access the key to be present

M must be less than N and N must be more than 2

16
Q

Escrow Key Backup

A

placing archived keys with a trusted 3rd party

17
Q

Certificate Expiration

A

Cert duration
Cert renewal - re-key with a newly generated key pair
Expiration - public key no longer accepted, archive or destroy keys, need secure erasing methods

18
Q

CRL

A

Certificate Revocation List
entries have a code for the reason of revocation
e.g. keys were compromised, etc.

19
Q

OCSP Responder

A

Online Certificate Status Protocol
provides real-time status information
client queries a single cert per transaction

20
Q

OCSP stapling

A

OCSP is used by clients to make lots of cert queries for a chain of trust
the queries can be used to track clients
Stapling proxies the OCSP response
the proxy remembers the query for a longer amount of time?

21
Q

HPKP

A

HTTP Public Key Pinning
ensures the client is inspecting the correct/proper certificate
the web server references authorized keys in an HTTP header
defends against MitM attacks on the chain of trust

22
Q

Certificate Formats

A

.DER - Distinguished Encoding Rules - binary format
.PEM - Privacy-enhanced Electronic Mail - represents binary as ASCII
.CER and .CRT file formats can be binary or ASCII
.PFX or .P12 - Personal Information Exchange - binary, password protected
.P7B - exports a certificate chain

Content
PKCS #12 format allows for export of private key with the certificate

P7B bundles multiple certificates in the same file

23
Q

Managing certificate tools

A

Windows uses the Active Directory 'certutil' tool

Linux uses openssl

24
Q

Certificate issues

A
Rejection of cert:
verify expiration dates of the existing cert
For a new cert:
- check key usage settings and requirements
- check subject name
- check chain of trust/root certs

Should audit the cert and PKI infrastructure