Part1 (ch 6-9) Flashcards
PKI
Prove the owners of public keys are who they say they are
To issue a Public Key (used to encrypt messages) should have a digital certificate (public assertion of identity)
CSR
Certificate Signing Request, when someone wants a certificate they fill out a CSR & send it to the CA
RAs
Registration Authority, checks Id & submits CSR, but doesn’t sign or issue certificates
digital certificate
A wrapper for a public key, has the info about the subject & who issued the certificate
based on X.509 standard
PKCS
Public Key Cryptography Standards, RSA created these to promote public key infrastructure
CN & SAN
Common Name used to id FQDN but difficult to use correctly
Subject Alternative Name, browser uses SAN over CN & can have different website subdomains (*.comptia.org)
server certificate
guarantees security of any site a user gives data to
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
How does a subject go about obtaining a certificate from a CA?
the subject generates a key pair then adds the public key along with subject information and certificate type in a (CSR) and submits it to the CA.
If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
What cryptographic information is stored in a digital certificate?
The subject’s public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
What does it mean if a certificate extension attribute is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, should reject the certificate.
key’s life cycle
Key Generation, Cert generation, storage (keep private key secure), revoke (if private key compromised), expire & renewal
M-of-N control
N # of admin permitted to access (N > M)
M # of admin present to get access (M > 1)
(OCSP)
Online Certificate Status Protocol - gives status of requested certificate
Encoding Certificate: DER & PEM
Distinguished Encoding Rules (binary files)
Privacy-enhanced Mail (ASCII) “BEGIN CERTIFICATE”
cryptographic data for certificates & keys
What are the potential consequences if a company loses control of a private key?
puts both data confidentiality and identification and authentication systems at risk
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow archiving the key
The risk is that an insider attack from your company may be able to decrypt the customer data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator
HTTP Public Key Pinning (HPKP)
ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
Subject vs. Objects
users, devices, or software processes, or anything else that can request and be granted access to a resource
networks, servers, databases, files
IAM
Identity Access Mgmt
Identification: create acct or Id for user or device
Authentication: Prove Identity & make it unique
Authorization: Permissions
Accounting: Track Usage (Resource, Rights,…)
CIA Authentication Design
Confidential: critical to avoid impersonating
Integrity: Reliable, not easily tricked
Availability: Does not impeded workflow
Used for Authentication
What is the difference between authorization and authentication?
Authorization manages the privileges granted on a computer system or resource.
Authentication protects the user account by testing if the person accessing that account is who she/he says she/he is.
What methods can be used to implement location based authentication?
You can query the location service running on a device or geolocation by IP.
You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
KDC aka TGS
AS
TGT
Key Distribution Center (vouches for identity)
Authentication Service
Ticket Granting Ticket (token confirms id)
Client sends AS a request for a TGT
AS checks if PW hash matches Active Directory
If yes, AS gives TGT & TGS session key
Kerberos
Lets nodes confirm identity securely
1) Request Service Ticket from TGS
2) Client gives TGS a TGT
3) TGS gives Service Session Key & service ticket
4) Client forwards service ticket + timestamp
5) App server decrypts service ticket
6) App server may give client timestamp
7) Server responds to client’s request if ACL ok
Offline Attack
Attacker has database of PW hashes
Detect by checking the file system audit log
Packet Sniffer
Monitors network traffic (can be used by attackers in NTLM or CHAP)