Public Key Infrastructure Flashcards
Public Key Infrastructure: PKI
An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption
PKI and public key encryption are related but they are not the same thing
PKI is the entire system and just uses public key cryptography to function
Certificates
links public key to identity
A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Digital certificates are for sharing public keys to be used for encryption and authentication.
Digital certificates include the public key being certified, identifying information about the entity that owns the public key, metadata relating to the digital certificate and a digital signature of the public key the certificate issuer created.
dont learn X.509
Standard used PKI for digital certificates and contains the owner/user’s information and the certificate authority’s information
Wildcard Certificates
a wildcard certificate is a public key certificate which can be used with multiple sub-domains of a domain.
Wildcard certificates are easier to manage
Subject Alternative Name (SAN)
Subject Alternative Name:
Allows a certificate owner to specify additional domains and IP addresses to be secured by the certificate
Single vs. Dual-sided Certificates
Single-sided certificates have digital signature and the message content in a single certificate, but no encryption
Dual-sided certificates have a ‘digital signature’ and ‘encrypted` message
dont learn X.690
Uses BER, CER, & DER for encoding
May need to add more notes from video course
Basic Encoding Rules (BER)
Basic Encoding Rules:
The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized
Canonical Encoding Rules (CER)
Canonical Encoding Rules:
A restricted version of the BER that only allows the use of only one encoding type
Distinguished Encoding Rules (DER)
Distinguished Encoding Rules:
Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509
don´t learn File Formats: Privacy-enhanced Electronic Mail
.pem
.cer
.crt
.key
dont learn File Formats: Public Key Cryptographic System #12 (PKCS#12)
.p12
dont learn File Formats: Personal Information Exchange
.pfx
dont learn File Formats: Public Key Cryptographic Systems #7 (PKCS#7)
.p7b
Registration Authority (RA)
an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.
Receives certificate signing requests
Validates users/devices requesting the certificate
Revokes credentials if certificate is no longer valid
Requests certificates from the CA if the applicant complies
Certificate Authority
The entity that issues certificates to a user
Verisign, Digisign, and many others act as Root CA
Certificate Revocation List (CRL)
An online list of digital certificates that the certificate authority has revoked
Online Certificate Status Protocol (OCSP)
A protocol that allows you to determine the revocation status of a digital certificate using its serial number
Online Certificate Status Protocol (OCSP) Stapling
Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake
Speeds up secure tunnel creation process
Public Key Pinning
The whole purpose of public key pinning is to detect when the public key of a certificate for a specific host has changed. That may happen when an attacker compromises a CA such that they are able to issue valid certificates for any domain.
… presenting a set of trusted public keys to the user’s web browser as part of the HTTP header
Key Escrow & Key Recovery Agent
Key Escrow:
Occurs when a secure copy of a user’s private key is held in case the user accidently loses their key
Key Recovery Agent:
A specialized type of software that allows the restoration of a lost or corrupted key to be performed
Web of Trust
A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system
A peer-to-peer model
Certificates are created as self-signed certificates
Pretty Good Privacy (PGP) is a web of trust
