Public Key Infrastructure

Question 1

Public Key Infrastructure: PKI

Answer 1

An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption

PKI and public key encryption are related but they are not the same thing

PKI is the entire system and just uses public key cryptography to function

Question 2

Certificates

Answer 2

links public key to identity

A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Digital certificates are for sharing public keys to be used for encryption and authentication.

Digital certificates include the public key being certified, identifying information about the entity that owns the public key, metadata relating to the digital certificate and a digital signature of the public key the certificate issuer created.

Question 3

dont learn X.509

Answer 3

Standard used PKI for digital certificates and contains the owner/user’s information and the certificate authority’s information

Question 4

Wildcard Certificates

Answer 4

a wildcard certificate is a public key certificate which can be used with multiple sub-domains of a domain.

Wildcard certificates are easier to manage

Question 5

Subject Alternative Name (SAN)

Answer 5

Subject Alternative Name:

Allows a certificate owner to specify additional domains and IP addresses to be secured by the certificate

Question 6

Single vs. Dual-sided Certificates

Answer 6

Single-sided certificates have digital signature and the message content in a single certificate, but no encryption

Dual-sided certificates have a ‘digital signature’ and ‘encrypted` message

Question 7

dont learn X.690

Answer 7

Uses BER, CER, & DER for encoding

May need to add more notes from video course

Question 8

Basic Encoding Rules (BER)

Answer 8

Basic Encoding Rules:
The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized

Question 9

Canonical Encoding Rules (CER)

Answer 9

Canonical Encoding Rules:

A restricted version of the BER that only allows the use of only one encoding type

Question 10

Distinguished Encoding Rules (DER)

Answer 10

Distinguished Encoding Rules:
Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509

Question 11

don´t learn File Formats: Privacy-enhanced Electronic Mail

Answer 11

.pem
.cer
.crt
.key

Question 12

dont learn File Formats: Public Key Cryptographic System #12 (PKCS#12)

Answer 12

.p12

Question 13

dont learn File Formats: Personal Information Exchange

Answer 13

.pfx

Question 14

dont learn File Formats: Public Key Cryptographic Systems #7 (PKCS#7)

Answer 14

.p7b

Question 15

Registration Authority (RA)

Answer 15

an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it.

Receives certificate signing requests
Validates users/devices requesting the certificate
Revokes credentials if certificate is no longer valid
Requests certificates from the CA if the applicant complies

Question 16

Certificate Authority

Answer 16

The entity that issues certificates to a user

Verisign, Digisign, and many others act as Root CA

Question 17

Certificate Revocation List (CRL)

Answer 17

An online list of digital certificates that the certificate authority has revoked

Question 18

Online Certificate Status Protocol (OCSP)

Answer 18

A protocol that allows you to determine the revocation status of a digital certificate using its serial number

Question 19

Online Certificate Status Protocol (OCSP) Stapling

Answer 19

Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake

Speeds up secure tunnel creation process

Question 20

Public Key Pinning

Answer 20

The whole purpose of public key pinning is to detect when the public key of a certificate for a specific host has changed. That may happen when an attacker compromises a CA such that they are able to issue valid certificates for any domain.

… presenting a set of trusted public keys to the user’s web browser as part of the HTTP header

Question 21

Key Escrow & Key Recovery Agent

Answer 21

Key Escrow:
Occurs when a secure copy of a user’s private key is held in case the user accidently loses their key

Key Recovery Agent:
A specialized type of software that allows the restoration of a lost or corrupted key to be performed

Question 22

Web of Trust

Answer 22

A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system

A peer-to-peer model

Certificates are created as self-signed certificates

Pretty Good Privacy (PGP) is a web of trust