Public Key Infrastructure Flashcards

1
Q

You are asked by the senior system administrator to refresh the SSL certificates on the web servers. The process is to generate a certificate signing request (CSR), send it to a third party to be signed, and then apply the return information to the CSR. What is this an example of?

Pinning

Borrowed authority

Third-party trust model

A

Third-party trust model

This is an example of the third-party trust model. Although you are generating the encryption keys on the local server, you are getting these keys signed by a third-party authority so that you can present the third party as the trusted agent for users to trust your keys

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

A certificate authority consists of which of the following?

Hardware and software

Policies and procedures

People who manage certificates

All of the above

A

All of the above

A certificate authority is the hardware and software that manage the actual certificate bits, the policies and procedures that determine when certificates are properly issued, and the people who make and monitor the policies for compliance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Your manager wants you to review the company’s internal PKI system’s CPS for applicability and verification and to ensure that it meets current needs. What are you most likely to focus on?

Revocations

Trust level provided to users

How the keys are stored

A

Trust level provided to users

You are most likely to focus on the level of trust provided by the CA to users of the system, as providing trust is the primary purpose of the CA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

You are preparing an e-mail to send to a colleague at work, and because the message information is sensitive, you decide you should encrypt it. When you attempt to apply the certificate that you have for the colleague, the encryption fails. The certificate was listed as still valid for another year, and the certificate authority is still trusted and working. What happened to this user’s key?

It was using the wrong algorithm.

You are querying the incorrect certificate authority.

Revocation.

A

Revocation.

The certificate has likely been revoked, or removed from that user’s identity and no longer marked valid by the certificate authority

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following is a requirement for a CRL?

It must have the e-mail addresses of all the certificate owners.

It must contain a list of all expired certificates.

It must be posted to a public directory.

A

It must be posted to a public directory.

Certificate Revocation Lists must be posted to a public directory so that all users of the system can query it

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does OCSP do?

It reviews the CRL for the client and provides a status about the certificate being validated.

It outlines the details of a certificate authority, including how identities are verified, the steps the CA follows to generate certificates, and why the CA can be trusted.

It provides for a set of values to be attached to the certificate.

A

It reviews the CRL for the client and provides a status about the certificate being validated.

Online Certificate Status Protocol (OCSP) is an online protocol that will look for a certificate’s serial number on CRLs and provide a status message about the certificate to the client

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The X.509 standard applies to which of the following?

SSL providers

Digital certificates

Certificate Revocation Lists

A

Digital certificates

The X.509 standard is used to define the properties of digital certificates

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

You are browsing a website when your browser provides you with a warning message that “There is a problem with this website’s security certificate.” When you examine the certificate, it indicates that the root CA is not trusted. What most likely happened to cause this error?

The certificate was revoked.

The certificate does not have enough bit length for the TLS protocol.

The server’s CSR was not signed by a trusted CA.

A

The server’s CSR was not signed by a trusted CA.

In this case, the server’s CSR was not signed by a CA that is trusted by the endpoint computer, so no third-party trust can be established. This could be an indication of an attack, so the certificate should be manually verified before providing data to the web server

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Taking a root CA offline is important for security purposes, but with the root CA offline, how does the PKI operate?

It has to be started periodically to provide CSR signing and CRL updates.

All services are delegated to an intermediate CA.

The endpoints cache the trust model until the root CA comes back online.

A

All services are delegated to an intermediate CA.

You can take a root CA offline if all its normal services, such as signing CSRs and generating CRLs, are delegated to an intermediate CA. Because root CA certificates tend to have very long timelines, 20 years, and those of intermediate CAs are much shorter, 3 to 5 years, this solution works much better to avoid the problem of a compromised CA certificate

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Why is pinning more important on mobile devices?

It uses less power for pinned certificate requests.

It reduces network bandwidth usage by combining multiple CA requests into one.

It allows caching of a known good certificate when roaming to low-trust networks.

A

It allows caching of a known good certificate when roaming to low-trust networks.

Pinning is important on mobile devices because they are much more likely to be used on various networks, many of which have much lower trust than their home network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Your organization has recently acquired another company and needs to enable secure communications with them. You register your CA for a certificate from the other CA and the other organization registers for a certificate from your CA and they each trust the other CA. What is this an example of?

Third-party trust model

Bidirectional trust model

Unidirectional trust model

A

Bidirectional trust model

This is an example of the bidirectional trust model, allowing each CA to trust certificates issued by the other CA, and allowing users to trust the certificates issued by the other CA

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which of the following models best describes Internet SSL public key infrastructure?

Third-party trust model

Bidirectional trust model

Unidirectional trust model

A

Unidirectional trust model

SSL PKI is based largely on the unidirectional trust model, where the lower servers in the certificate chain all trust the higher ones in the certificate chain

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You are the lead architect of the new encryption project. In a meeting one of your management staff members asks why she will be implementing key escrow as part of the encryption solution. Which reason or reasons would be important with the implementation of key escrow?

Prevent data loss when a user forgets their private key passphrase

Legal action in the form of court ordered discovery

Satisfy security audit findings

Both A and B

A

Both A and B

Both a forgotten key passphrase and a court-ordered government action could be remediated when the system design uses key escrow

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What issue does a wildcard certificate solve?

The need for separate certificates for multiple, potentially dynamic subdomains

The failure of proper reverse DNS configurations

The need for certificates to be reissued after expiration

A

The need for separate certificates for multiple, potentially dynamic subdomains

The wildcard certificate will be valid for all possible subdomains of the primary domain. This is good for organizations that have multiple potentially dynamic subdomains

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

You are issued a certificate from a CA, delivered by e-mail, but the file does not have an extension. The e-mail notes that the root CA, the intermediate CAs, and your certificate are all attached in the file. What format is your certificate likely in?

DER

CER

PEM

A

PEM

Because the certificate includes the entire certificate chain, it is most likely delivered to you in PEM format

How well did you know this?
1
Not at all
2
3
4
5
Perfectly