M4: Key establishment and certificate management - C.4 & C.8 Flashcards
What is entity authentication?
It’s the process of verifying the identity of a communicating party.
What is a session key?
A session key is a temporary symmetric key used for securing communications during a session.
What’s the difference between key transport and key agreement?
Key transport involves one party choosing and sending the key, while key agreement involves both parties contributing to the key.
What is mutual authentication?
It’s when both parties in a communication prove their identities to each other.
What is a replay attack?
It’s when an attacker captures and reuses a message from a previous session to gain unauthorized access.
What is a reflection attack?
It’s when an attacker tricks a party into proving its identity to itself, often by replaying messages.
What is a relay attack?
It’s when an attacker forwards messages between two parties to make them believe they are communicating directly.
What is a middle-person attack?
It’s when an attacker intercepts and possibly alters the communication between two parties without their knowledge.
What is the purpose of time-variant parameters (TVPs)?
TVPs ensure the uniqueness and freshness of protocol messages to prevent replay attacks.
What is Diffie-Hellman key agreement?
It’s a method for two parties to establish a shared secret over an insecure channel.
What is the main weakness of basic Diffie-Hellman?
It is vulnerable to middle-person attacks because it doesn’t authenticate the parties.
What is the Station-to-Station (STS) protocol?
It’s an extension of Diffie-Hellman that includes authentication using digital signatures.
What is a key distribution center (KDC)?
It’s a trusted server that generates and distributes session keys to parties that don’t share long-term keys.
What is a key translation center (KTC)?
It’s a server that helps one party encrypt a session key for another party, reducing key distribution complexity.
Why is it important to avoid reusing session keys?
Reusing session keys can make them vulnerable to attacks and increase the risk of key leakage.
What is a public-key certificate?
It’s a data structure that links a public key to an owner, verified by a Certification Authority (CA).
Why is the authenticity of a public key important?
To ensure the public key belongs to the correct owner and prevent misuse by attackers.
What role does a Certification Authority (CA) play?
A CA verifies and signs certificates, asserting the ownership of public keys.
What is a Distinguished Name (DN) in a certificate?
It’s a unique identifier for the certificate’s owner, including attributes like Country, Organization, and Common Name.
What is the purpose of the validity period in a certificate?
It specifies the dates between which the certificate is valid and can be trusted.
What is a Certificate Revocation List (CRL)?
It’s a list of certificates that have been revoked before their expiration date, issued by a CA.
What is the difference between a CRL and delta CRLs?
Delta CRLs are updates to a base CRL, making it easier to manage and distribute revocation information.
What is the Online Certificate Status Protocol (OCSP)?
It’s a method for checking the real-time status of a certificate’s validity.
What is Trust on First Use (TOFU)?
It’s when a certificate is trusted the first time it’s seen, without prior verification, assuming it’s genuine.
What is a trust anchor in PKI?
It’s a pre-trusted public key used to start the validation chain for certificates.
What is the purpose of certificate extensions in X.509v3?
They provide additional information and constraints, like key usage and subject alternate names.
What is a bridge CA?
It’s a CA used to connect multiple CA domains, reducing the complexity of cross-certifications.
What is a strict CA hierarchy?
It’s a tree structure of CAs with a single root CA at the top, issuing certificates down the hierarchy.
What is the browser trust model?
Browsers use a list of trusted root CAs to validate server certificates, without cross-certificates between CAs.
What is the main challenge with managing long-term private keys?
Ensuring they are securely stored and protected from offline password-guessing attacks.