Public Key Infrastructure Flashcards

1
Q

An organization is using OCSP to validate certificates within its PKI infrastructure. What is not a legitimate response to a validation request?

Good

Validated

Unknown

A

Validated

Within the OCSP framework, the legitimate responses from the OCSP responder are “good,” “revoked,” and “unknown.”

2
Q

For your organization’s encryption systems, which of the following should you implement to act as a centralized server to store and distribute your public and private keys?

Key management server

Digital certificate

CRL

A

Key management server

A key management server is a centralized storage system that takes care of the process of distributing, storing, and backing up keys for users of an enterprise network.

3
Q

To improve the integrity and authentication of your encryption systems, you have contacted a certificate authority to generate which of the following items for you?

Digital certificate and public/private key pair

Public key and a private hash

Private key and a certificate

A

Digital certificate and public/private key pair

When a user’s identification is established, the CA generates public and private keys for the user. A certificate is then generated with the identification and public key information embedded within it. Once the user is registered and receives his certificate, he can begin using it to send encrypted messages.

4
Q

You need to store your company’s private key in a safe, secure place. Which of the following would you use?

Save it on a hard drive in plain text.

Seal it in an envelope and store it at your home office.

Encrypt it on a flash memory device.

A

Encrypt it on a flash memory device.

Private keys should never be stored in plain text. If they’re stolen, an unauthorized user will be able to use them to decrypt messages and files.

5
Q

You have started using a third-party key escrow company to protect your encryption keys. Which of the following do you send to them?

Encryption key to decrypt a private key file

Encryption key to decrypt a public key file

Copy of a public key

A

Encryption key to decrypt a private key file

In a key escrow storage scheme, the encryption key used to encrypt and decrypt the private key file is stored offsite with a third party. If access is needed to the backup copy of the private key, the encryption key must be obtained from the third-party company after you’ve been properly authenticated.

6
Q

Your recovery encryption key is split between seven of your coworkers, of which only four are required to be present to decrypt the private key. Which of the following methods are you using for key recovery?

Steganography

Key escrow

M of N control

A

M of N control

In this key-recovery scheme, a prescribed number of the key owners must be present with their parts of the key. M of N control refers to the number of operator keys that must be present to create the recovery key, such as 2 of 3 or 4 of 7. For example, if a recovery key is split into seven parts, only four of those are needed to create the recovery key that will decrypt the backup of the private key.

7
Q

Put the steps of the certificate life cycle in the following list in their correct order:

Certificate is published.

Certificate is expired.

Certificate is received.

Certificate is requested.

A

4, 1, 3, 2

Within the given steps of the certificate life cycle, the certificate would be requested, published, received, and then expired.

8
Q

You have been tasked with contacting your certificate authority and revoking your company’s current web server certificate. Which of the following is the most likely reason to revoke the certificate?

You renewed your certificate after it expired.

The previous network administrator who created the certificate was fired.

You installed a new web server.

A

The previous network administrator who created the certificate was fired.

The certificate should be revoked because the user assigned to that certificate is no longer with the company. This prevents the user from continuing to use that certificate for encryption and authentication.

9
Q

You need to look up the details of a certificate that was revoked. Where can you find this information?

Certificate Expiry List

Registration Suspension List

Certificate Revocation List

A

Certificate Revocation List

A Certificate Revocation List (CRL) is published by a CA to show certificates that have been revoked. A verifier can examine the list to check the validity of another user’s certificate.

10
Q

You need to renew your company’s certificate for its public web server. When should you renew the certificate?

On its expiry date

After it’s revoked

Thirty days before expiry

A

Thirty days before expiry

Most certificate authorities require that a certificate be renewed within a certain amount of time before the actual expiry date. This gives the CA enough time to renew the certificate and deliver it back to the client for distribution.

11
Q

OCSP _____ improves upon the original OCSP efficiency by including a time-stamped, signed response with the TLS/SSL handshake.

pinning

stapling

assigning

A

stapling

The TLS Certificate Status Request extension, more commonly known as OCSP stapling, further improves efficiency by allowing the certificate holder to query the OCSP responder itself at set intervals and to include (“staple”) the signed, time-stamped response in the TLS/SSL handshake, rather than having each client query the OCSP responder every time.
