PKI Concepts 6.4 Flashcards
Online and Offline CAs
A compromised CA is very bad: no certificates from that CA can be trusted. Hence it is good to have intermediate CAs under a root CA, so that if one of the intermediate CAs is compromised, it can be taken offline without shutting down all of the CAs.
Online Certificate Status Protocol (OCSP) Stapling
Provides scalability for OCSP checks. The CA is responsible for responding to all client OCSP requests. This doesn’t scale well, so instead the certificate holder can verify their own status, which is called OCSP stapling. The certificate holder verifies their own status, and the information is stored on their server. During the TLS handshake, the OCSP status is “stapled” into the handshake so that it can be verified as having come from the CA.
Pinning
Certificate pinning prevents man-in-the-middle attacks. Certificate pinning is when an app has the certificate hard-coded into the app itself. The app talks to the server and compares the certificates. If they match, everything is OK; if they don’t, the app either shuts down in some way or shows an error message about the certificate mismatch.
PKI Trust Relationships
Starts with a single CA. Most environments use a hierarchical structure. In some environments, you can mesh the CAs together. Meshes don’t scale well. Another idea is to have a Web-of-Trust where everyone is a CA. Mutual authentication is when a server authenticates to the client and the client authenticates to the server.
Key Escrow
Someone else holds your decryption keys. Your private keys are in the hands of a 3rd party. This can be a legitimate business arrangement. A business might need access to employee information, or government agencies might need to decrypt partner data.
3rd Party Key Handling
There need to be clear processes and procedures. You must be able to trust the 3rd party and ensure they can secure the keys properly. In some cases, by design, it may require legal action to obtain control of the keys.
Certificate Chaining
The connection between multiple certificate authorities within a hierarchy is called a chain of trust. The chain lists all the root and intermediate authorities. The certificates are called root, chain, or intermediate certificates.