Public Key Infrastructure Flashcards

1
Q

Name 2 PKI approaches and explain them.

A

1. Hierarchical PKIs - We have CAs and RAs (registration authorities), which are responsible for a verification step: identify X, verify it has KX-priv
2. Non-hierarchical (web of trust) - Every participant may issue certificates

2
Q

While it is possible to create certificates with wildcard expressions matching multiple subdomains using the SAN field in the certificate Subject header, name one disadvantage of using this feature.

A

In case of a private key leak, multiple domains/services are affected.

3
Q

Why are intermediate certificates employed?

A
  • create a secure layer above and avoid exposing the root certificate
  • when an intermediate key is compromised, the set of its signed certificates is much smaller than with the root certificates
  • intermediate certificates are “easier” to revoke than root certificates
4
Q

Briefly describe the concept of SSL proxies and its relation to certificate authorities

A

An SSL proxy can be classified as a middlebox (MitM) which itself is a certificate authority -> able to sign and create certificates

  • typically used in companies to inspect traffic
  • SSL proxy as MitM creates self-signed certificates for web domain requests from internal peers and constructs a separate channel with the web server
  • client verifies the proxy certificate and uses the certificate's public key to encrypt
  • proxy then decrypts the client's data and relays it to the actual server using the web server's public key
5
Q

How is a certificate issued in practice?

A

Domain validation - proves ownership of the domain, e.g. by sending an email or publishing a CA-specified nonce on the web server

Extended validation - additionally requires legal documents for the claimed identity

Organizational validation - between DV and EV, fewer documents.

6
Q

What is the difference between Intermediate Certificates, End Certificates and Root Certificates?

A
  • Root certificates are self-signed certificates which represent Certification Authorities (CA), i.e. have the ability to sign certificates.
  • Intermediate Certificates are certificates signed by Root Certificates or other Intermediate Certificates and are also CAs
  • End Certificates are signed by one of the above but do not have certificate signing capabilities -> no CA
7
Q

Why is Certificate Revocation important?
Name two approaches

A

In case of private key leakage, service shutdown or ownership change, a certificate must be invalidated.

Approaches:
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)
- In-browser revocation list
- Short-lived certificates (< 1 day)

8
Q

How can maliciously issued certificates for previously visited sites be detected? Name one of the shortcomings of that approach.

A

Pinning: store the public key of previously visited websites on first contact. Some browsers also employ pre-loaded pins, i.e. ship with certificates for some well-known webpages.

Issues:
- Bootstrap problem: Who can guarantee that first contact is genuine?
- Legitimate certificate changes: How to react?
- Scalability: cannot pre-pin all websites available
