PKI Components 6.4 Flashcards

1
Q

Public Key Infrastructure (PKI)

A

A way to describe policies, procedures, hardware, software, and people that are used to manage digital certificates. This is the process of creating, distributing, managing, storing, and revoking them.

There is a great deal of planning associated with this. It also refers to the association we make between a public key and a person or a device.

2
Q

Key Generation

A

We decide on the strength of the key (number of bits) and then the cipher the key will be used with. We then generate a certificate to associate the public key with a user or device. The key is then distributed to the user or device it is associated with and stored in a protected area.

3
Q

Digital Certificates

A

It’s a public key combined with a digital signature. It may include other important details as well. PKI uses a certificate authority for additional trust. Webs of Trust add other users for additional trust. Certificates can be built into the OS. You can create certificates through Windows Domain services, and Linux has third-party options.

4
Q

What’s in a Digital Certificate?

A

Certificates follow the X.509 certificate format. A certificate contains:

Serial Number
Issuer
Signature Algorithm
Validity Dates
Subject
Public Key
Extensions
5
Q

Certificate Extensions

A

You can add more information to a digital certificate to extend the functionality.

DigitalSignature: The key used to verify a digital signature

KeyEncipherment: The key used to encrypt other keys used for secure key distribution

DataEncipherment: The key used to encrypt data, which cannot be used to encrypt other keys

CRLSign: The key used to verify a CA signature on a revocation list

KeyCertSign: The key used to verify CA signatures on certificates

NonRepudiation: The key used when a nonrepudiation service is being provided

6
Q

Commercial Certificate Authorities

A

Built into your browser. Web site owners/managers have a CA sign their digital certificate so that anyone who connects to the site is trusted by the browser. It’s an easy process: you create a public/private key pair. You send the public key to the CA in a Certificate Signing Request (CSR). The CA performs a number of checks to verify you are who you say you are and that you own the site. It then provides the signature and may provide additional features.

7
Q

Private Certificate Authorities

A

You build an in-house CA. All of your devices must be configured to trust your own CA. It is common for medium-to-large orgs. Instead of paying for every certificate, you build them in-house for your own network.

8
Q

PKI Trust Relationships

A

Some orgs use a single CA, though it’s not very common. Most orgs use a hierarchical authority. The top-level CA issues certs to intermediate CAs, forming a CA tree. This allows orgs to distribute the load of certificate creation, or lets different regions create and manage their own CAs. It also helps the revocation process: if someone gains access to the private signing key of an intermediate CA, you only have to revoke that CA, and not the entire org’s.

9
Q

Key Revocation

A

This occurs through a Certificate Revocation List (CRL). There are many reasons a certificate could be revoked.

10
Q

Getting Revocation Details to the Browser

A

The Online Certificate Status Protocol (OCSP) gives the browser a way to check the status of a certificate. OCSP messages are usually sent via HTTP, so they are easily supported over existing internet connections. Not all browsers support this, usually older ones. Some browsers do not check this at all.
