Public Key Infrastructure

Question 1

PKI

Answer 1

Public Key Infrastructure:
An entire system of hardware, software, policies, procedures, and people that is based on asymmetric encryption

PKI and public key encryption are related but they are not the same thing

PKI is the entire system and just uses public key cryptography to function

Question 2

Certificates

Answer 2

Digitally-signed electronic documents that bind a public key with a user’s identity

Question 3

X.509

Answer 3

Standard used PKI for digital certificates and contains the owner/user’s information and the certificate authority’s information

Question 4

Wildcard Certificates

Answer 4

Allow all of the subdomains to use the same public key certificate and have it displayed as valid

Wildcard certificates are easier to manage

Question 5

Subject Alternative Name (SAN)

Answer 5

Subject Alternative Name:
Allows a certificate owner to specify additional domains and IP addresses to be supported

Question 6

Single vs. Dual-sided Certificates

Answer 6

Single-sided certificates only require the server to be validated

Dual-sided certificates require both the server and the user to be validated

Question 7

X.690

Answer 7

Uses BER, CER, & DER for encoding

Question 8

Basic Encoding Rules (BER)

Answer 8

Basic Encoding Rules:
The original ruleset governing the encoding of data structures for certificates where several different encoding types can be utilized

Question 9

Canonical Encoding Rules (CER)

Answer 9

Canonical Encoding Rules:
A restricted version of the BER that only allows the use of only one encoding type

Question 10

Distinguished Encoding Rules (DER)

Answer 10

Distinguished Encoding Rules:
Restricted version of the BER which allows one encoding type and has more restrictive rules for length, character strings, and how elements of a digital certificate are stored in X.509

Question 11

File Formats: Privacy-enhanced Electronic Mail

Answer 11

.pem
.cer
.crt
.key

Question 12

File Formats: Public Key Cryptographic System #12 (PKCS#12)

Answer 12

.p12

Question 13

File Formats: Personal Information Exchange

Answer 13

.pfx

Question 14

File Formats: Public Key Cryptographic Systems #7 (PKCS#7)

Answer 14

.p7b

Question 15

Registration Authority (RA)

Answer 15

Receives certificate signing requests
Validates users/devices requesting the certificate
Revokes credentials if certificate is no longer valid
Requests certificates from the CA if the applicant complies

Question 16

Certificate Authority

Answer 16

The entity that issues certificates to a user

Verisign, Digisign, and many others act as Root CA

Question 17

Certificate Revocation List (CRL)

Answer 17

An online list of digital certificates that the certificate authority has revoked

Question 18

Online Certificate Status Protocol (OCSP)

Answer 18

A protocol that allows you to determine the revocation status of a digital certificate using its serial number

Question 19

OCSP Stapling

Answer 19

Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake

Speeds up secure tunnel creation process

Question 20

Public Key Pinning

Answer 20

Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user’s web browser as part of the HTTP header

Question 21

Key Escrow & Key Recovery Agent

Answer 21

Key Escrow:
Occurs when a secure copy of a user’s private key is held in case the user accidently loses their key

Key Recovery Agent:
A specialized type of software that allows the restoration of a lost or corrupted key to be performed

Question 22

Web of Trust

Answer 22

A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system

A peer-to-peer model

Certificates are created as self-signed certificates

Pretty Good Privacy (PGP) is a web of trust