Public Key Infrastructure Flashcards
You are asked by the senior system administrator to refresh the SSL certificates on the web servers. The process is to generate a certificate signing request (CSR), send it to a third party to be signed, and then apply the return information to the CSR. What is this an example of?
Pinning
Borrowed authority
Third-party trust model
Third-party trust model
This is an example of the third-party trust model. Although you are generating the encryption keys on the local server, you are getting these keys signed by a third-party authority so that you can present the third party as the trusted agent for users to trust your keys
A certificate authority consists of which of the following?
Hardware and software
Policies and procedures
People who manage certificates
All of the above
All of the above
A certificate authority is the hardware and software that manage the actual certificate bits, the policies and procedures that determine when certificates are properly issued, and the people who make and monitor the policies for compliance
Your manager wants you to review the company’s internal PKI system’s CPS for applicability and verification and to ensure that it meets current needs. What are you most likely to focus on?
Revocations
Trust level provided to users
How the keys are stored
Trust level provided to users
You are most likely to focus on the level of trust provided by the CA to users of the system, as providing trust is the primary purpose of the CA
You are preparing an e-mail to send to a colleague at work, and because the message information is sensitive, you decide you should encrypt it. When you attempt to apply the certificate that you have for the colleague, the encryption fails. The certificate was listed as still valid for another year, and the certificate authority is still trusted and working. What happened to this user’s key?
It was using the wrong algorithm.
You are querying the incorrect certificate authority.
Revocation.
Revocation.
The certificate has likely been revoked, or removed from that user’s identity and no longer marked valid by the certificate authority
Which of the following is a requirement for a CRL?
It must have the e-mail addresses of all the certificate owners.
It must contain a list of all expired certificates.
It must be posted to a public directory.
It must be posted to a public directory.
Certificate Revocation Lists must be posted to a public directory so that all users of the system can query it
What does OCSP do?
It reviews the CRL for the client and provides a status about the certificate being validated.
It outlines the details of a certificate authority, including how identities are verified, the steps the CA follows to generate certificates, and why the CA can be trusted.
It provides for a set of values to be attached to the certificate.
It reviews the CRL for the client and provides a status about the certificate being validated.
Online Certificate Status Protocol (OCSP) is an online protocol that will look for a certificate’s serial number on CRLs and provide a status message about the certificate to the client
The X.509 standard applies to which of the following?
SSL providers
Digital certificates
Certificate Revocation Lists
Digital certificates
The X.509 standard is used to define the properties of digital certificates
You are browsing a website when your browser provides you with a warning message that “There is a problem with this website’s security certificate.” When you examine the certificate, it indicates that the root CA is not trusted. What most likely happened to cause this error?
The certificate was revoked.
The certificate does not have enough bit length for the TLS protocol.
The server’s CSR was not signed by a trusted CA.
The server’s CSR was not signed by a trusted CA.
In this case, the server’s CSR was not signed by a CA that is trusted by the endpoint computer, so no third-party trust can be established. This could be an indication of an attack, so the certificate should be manually verified before providing data to the web server
Taking a root CA offline is important for security purposes, but with the root CA offline, how does the PKI operate?
It has to be started periodically to provide CSR signing and CRL updates.
All services are delegated to an intermediate CA.
The endpoints cache the trust model until the root CA comes back online.
All services are delegated to an intermediate CA.
You can take a root CA offline if all its normal services, such as signing CSRs and generating CRLs, are delegated to an intermediate CA. Because root CA certificates tend to have very long timelines, 20 years, and those of intermediate CAs are much shorter, 3 to 5 years, this solution works much better to avoid the problem of a compromised CA certificate
Why is pinning more important on mobile devices?
It uses less power for pinned certificate requests.
It reduces network bandwidth usage by combining multiple CA requests into one.
It allows caching of a known good certificate when roaming to low-trust networks.
It allows caching of a known good certificate when roaming to low-trust networks.
Pinning is important on mobile devices because they are much more likely to be used on various networks, many of which have much lower trust than their home network
Your organization has recently acquired another company and needs to enable secure communications with them. You register your CA for a certificate from the other CA and the other organization registers for a certificate from your CA and they each trust the other CA. What is this an example of?
Third-party trust model
Bidirectional trust model
Unidirectional trust model
Bidirectional trust model
This is an example of the bidirectional trust model, allowing each CA to trust certificates issued by the other CA, and allowing users to trust the certificates issued by the other CA
Which of the following models best describes Internet SSL public key infrastructure?
Third-party trust model
Bidirectional trust model
Unidirectional trust model
Unidirectional trust model
SSL PKI is based largely on the unidirectional trust model, where the lower servers in the certificate chain all trust the higher ones in the certificate chain
You are the lead architect of the new encryption project. In a meeting one of your management staff members asks why she will be implementing key escrow as part of the encryption solution. Which reason or reasons would be important with the implementation of key escrow?
Prevent data loss when a user forgets their private key passphrase
Legal action in the form of court ordered discovery
Satisfy security audit findings
Both A and B
Both A and B
Both a forgotten key passphrase and a court-ordered government action could be remediated when the system design uses key escrow
What issue does a wildcard certificate solve?
The need for separate certificates for multiple, potentially dynamic subdomains
The failure of proper reverse DNS configurations
The need for certificates to be reissued after expiration
The need for separate certificates for multiple, potentially dynamic subdomains
The wildcard certificate will be valid for all possible subdomains of the primary domain. This is good for organizations that have multiple potentially dynamic subdomains
You are issued a certificate from a CA, delivered by e-mail, but the file does not have an extension. The e-mail notes that the root CA, the intermediate CAs, and your certificate are all attached in the file. What format is your certificate likely in?
DER
CER
PEM
PEM
Because the certificate includes the entire certificate chain, it is most likely delivered to you in PEM format
