Module 7

Question 1

What are the two keys used with asymmetric cryptography? What are the uses of assymetric cryptography?

Answer 1

• 2 keys: Public key (can be distributed and shared), private key (must be kept confidential)
• 2 uses:
  
  1. Encrypts or decrypts a set of data
  2. used as proof to verify a “signature” of the sender

Question 2

What is a digital signature? What is it’s weakness?

Answer 2

• Electronic verification of the sender
• Weakness: Only proves the owner of the private and key and does not confirm the true identity of the sender

Question 3

What is a digital certificate?

Answer 3

A technology used to associate a user’s identity to a public key and that has been “digitally signed” by a trusted third party”

Question 4

What is a certification authority (CA)?

Answer 4

Entity that is responsible for digital certificates

Question 5

What are some of the ways a digital certificate may be authenticated?

Answer 5

• Email
• Documents
• In person

Question 6

What is a certificate repository (CR)?

Answer 6

• A certificate repository (CR) is a publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate

Question 7

What is certificate revocation? What are two ways you check if a certificate is revoked?

Answer 7

Expiration of a digital certificate to ensure security is not compromised

Methods to see if a certificate is revoked:

1. certificate revocation list (CRL) is a list of certificate serial numbers that have been revoked
2. Online Certificate Status Protocol (OCSP)

Question 8

What is a root digital certificate?

Answer 8

• A certificate that is created and verified by a CA.
• Root certificate trusts the intermediate certificates which is the next level down
• Self signed and does not depend on higher authority for authentication

Question 9

What is a domain digital certificate?

Answer 9

• Certificates that ensure the authenticity of the web server to the client and the authenticity of the cryptographic connection to the web server

Question 10

What are the different types of domain validation digital certificates? (hint 4)

Answer 10

1. Domain Validation: Certification that verifies the identity of the entity that has control over the domain name
2. Extended Validation (EV): Certificate that requires more extensive verification of the legitimacy of the business than does a domain validation digital certificate.
3. Wildcard: Certificate used to validate a main domain along with all subdomains.
4. Also known as a Unified Communications Certificate (UCC), certificate primarily used for Microsoft Exchange servers or unified communications.

Question 11

Name 3 Hardware and Software Digital Certificates:

Answer 11

1. Machine/Computer digital Certificate: Certificate used to verify the identity of a device in a network transaction.
2. Code signing digital certificate: Used by software developers to digitally sign a program to prove that the software comes from the entity that signed it
3. Email Digital certificate: certificate that allows a user to digitally sign and encrypt mail messages.

Question 12

What is the standard format for digital certificates? What certificate attributes make up this format?

Answer 12

• X.509
• Attributes that must be included are the certificate validity period, end-host identity information, encryption keys that will be used for secure communications, the signature of the issuing CA, and the common name (CN).

Question 13

What is public key infrastructure? (PKI)

Answer 13

underlying infrastructure for the management of public keys used in digital certificates.

Question 14

What is a trust model?

Answer 14

The type of trust relationship that can exist between individuals or entities.

Question 15

What is the Hierarchical trust model?

Answer 15

• Public Key infrstructure (PKI) trust model
• assigns a single hierarchy with one master CA called the root. The root signs all digital certificate authorities with a single key

Question 16

What is a Distributed trust model?

Answer 16

• Public Key infrstructure (PKI) trust model
• has multiple CAs that sign digital certificates.

Question 17

What is a Bridge trust model?

Answer 17

• Public Key infrstructure (PKI) trust model
• one CA acts as a facilitator to interconnect all other CAs. The facilitator CA does not issue digital certificates; instead, it acts as the hub between hierarchical trust models and distributed trust models, linking the models together

Question 18

What is a certificate policy?

Answer 18

• published set of rules that govern the operation of a PKI. The CP provides recommended baseline security requirements for the use and operation of CA, intermediate CA, and other PKI components.

Question 19

What is a certificate practice statement (CPS)?

Answer 19

describes in detail how the CA uses and manages certificates.

Question 20

What are the 4 parts of a certificate life cycle?

Answer 20

1. Creation
2. Suspension
3. Revocation
4. Expiration

Question 21

Proper key management includes ______________, _____________, and _________________ procedures.

Answer 21

1. Key storage
2. Key usage
3. Key handling

Question 22

Name 7 of the key handling procedures:

Answer 22

1. Escrow: A process in which keys are managed by a third party, such as a trusted CA.
2. Expiration: Date at which keys no longer function
3. Renewal: renewing a key
4. Revocation: getting rid of key before its expiration permanently
5. Recovery: Key recovery agent recovers lost or damaged digital certificates
6. Suspension: Temporarily getting rid of a key
7. Destruction: Removes all private and public keys along with the user’s identification information in the CA

Question 23

What is Secure sockets layer (SSL)?

Answer 23

• An early and widespread cryptographic transport algorithm that is now considered obsolete.

Question 24

What is SSL stripping?

Answer 24

An attack that manipulates SSL functions by intercepting an HTTP connection.

Question 25

What is Transport layer security (TLS)?

Answer 25

• A widespread cryptographic transport algorithm that replaces SSL.
  
  • More secure and fixes vulnerabilities

Question 26

What is a cipher suite?

Answer 26

A named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with TLS and SSL.

Question 27

What is Secure shell (SSH)?

Answer 27

• An encrypted alternative to the Telnet protocol that is used to access remote computers.

Question 28

What is Hypertext Transport Protocol Secure (HTTPS)?

Answer 28

• HTTP sent over TLS (Transport Layer Security) or SSL (Secure Sockets Layer).

Question 29

What is Secure/Multipurpose Internet Mail Extensions (S/MIME)?

Answer 29

A protocol for securing email messages.

Question 30

What is Secure Real-time Transport Protocol (SRTP)?

Answer 30

• A protocol for providing protection for Voice over IP (VoIP) communications.

Question 31

What is Internet Protocol Security (IPsec)?

Answer 31

• A protocol suite for securing Internet Protocol (IP) communications.
  
  • authenticates each IP packet of a session between hosts or networks.
• Provides authentication, confidentiality, and key management
• Two encryption modes:
  
  1. Transport Mode: An IPsec mode that encrypts only the data portion (payload) of each packet yet leaves the header unencrypted.
  2. Tunnel Mode: An IPsec mode that encrypts both the header and the data portion.

Question 32

What is a cryptographic key?

Answer 32

• a value that serves as input to an algorithm, which then transforms plaintext into ciphertext (and vice versa for decryption).
• A key, which is essentially a random string of bits, serves as an input parameter for hash, symmetric encryption, and asymmetric cryptographic algorithms.

Question 33

What characteristics determine key strength?

Answer 33

• Randomness (no predictable pattern)
• cryptoperiod, or the length of time for which a key is authorized for use.
• Length of the key (key space)

Question 34

What is a block cipher mode of operation?

Answer 34

• How block ciphers handle blocks of ciphertext by using a symmetric key block cipher algorithm to provide an information service.
• Could either be an:
  
  • authentication mode of operation** **(credentialing service)
  • Unathentification** **mode of operation** **(confidentiality service)

Question 35

Provide 4 examples of block cipher mode of operation:

Answer 35

1. Electronic Code Book (ECB).
2. Cipher Block Chaining (CBC)
3. Counter (CTR)
4. Galois/Counter (GCM)

Question 36

What does a crypto service provider do?

Answer 36

• allows an application to implement an encryption algorithm for execution.
• providers implement cryptographic algorithms, generate keys, provide key storage, and authenticate users by calling various crypto modules to perform the specific tasks.