Section 2: Implementing Public Key Infrastructure

Question 1

What type of certificate does a CA have?

Answer 1

Root certificate, which it uses to sign keys.

Question 2

If you are going to use a CA internally, what type of CA should you choose?

Answer 2

Private CA for internal use; these certificates will not be accepted outside the organization.

Question 3

If you want to carry out B2B activity with third-party companies or sell products on the web, what type of CA should you use?

Answer 3

Public CA.

Question 4

Why should you take your CA offline when not in use?

Answer 4

To prevent it from being compromised.

Question 5

What type of encryption does PKI use?

Answer 5

Asymmetric encryption.

Question 6

Who signs X509 certificates?

Answer 6

The CA.

Question 7

What can you use to prevent your CA from being compromised and fraudulent certificates from being issued?

Answer 7

Certificate pinning.

Question 8

If two entities want to set up a cross-certification, what must they set up first?

Answer 8

The root CAs would set up a trust model between themselves, known as a bridge trust model.

Question 9

What type of trust model does PGP use?

Answer 9

Web of trust.

Question 10

How can you tell whether your certificate is valid?

Answer 10

Certificate Revocation List (CRL)

Question 11

If the CRL is going slowly, what should you implement?

Answer 11

Online Certificate Status Protocol (OCSP), as it provides faster validation.

Question 12

Explain certificate stapling/OCSP stapling.

Answer 12

A web server uses an OCSP for faster certificate authentication, bypassing the CRL.

Question 13

What is the process of obtaining a new certificate?

Answer 13

Submit a Certificate Signing Request (CSR) to request a new certificate.

Question 14

What is the purpose of the key escrow?

Answer 14

Stores and manages private keys for third parties.

Question 15

What is the purpose of the HSM?

Answer 15

A Hardware Security Module (HSM) is used by the key escrow to securely store and manage certificates.

Question 16

What is the purpose of the DRA, and what does it need to complete its role effectively?

Answer 16

The Data Recovery Agent (DRA) is to recover data when a user’s private key becomes corrupt. To do this, it must first obtain a copy of the private key from the key escrow.

Question 17

How can you identify each certificate?

Answer 17

The OID, which is similar to a serial number.

Question 18

What format (PKCS) is a private certificate, and what file extension does it have?

Answer 18

P12 format, .pfx extension

Question 19

What format (PKCS) is a public certificate, and what file extension does it have?

Answer 19

P7B format, .cer extension

Question 20

What format is a PEM certificate?

Answer 20

Base64 format

Question 21

What type of certificate can be used on multiple servers in the same domain?

Answer 21

Wildcard certificate

Question 22

What type of certificate can be used on multiple domains?

Answer 22

Subject Alternative Name (SAN) certificate

Question 23

What should you do with your software to verify that it is original and not a fake copy?

Answer 23

Code-sign the software - similar to a digital signature.

Question 24

What is the purpose of extended validation of an X509?

Answer 24

Normally used by financial institutions to provide a higher level of trust for the X509.

Question 25

What type of cipher is the Caesar cipher, and how does it work if it uses ROT 4?

Answer 25

Substitution cipher, each letter would be substituted by a letter four characters along in the alphabet.

Question 26

What is encryption, and what are the inputs and outputs called?

Answer 26

When plain text (input) is taken and turned into ciphertext (output).

Question 27

What type of of encryption will be used to encrypt large amounts of data?

Answer 27

Symmetric encryption, since it uses one key.

Question 28

What is the purpose of Diffie-Hellman?

Answer 28

An asymmetric technique that creates a secure tunnel. During a VPN connection, it is used during the IKE phase and uses UDP port 500 to create the VPN tunnel.

Question 29

What is the first stage in asymmetric encryption?

Answer 29

Key exchange. During asymmetric encryption, each entity will will give the other entity its public key. The private key is secure and never given away.

Question 30

If Carol is encrypting data to send to Bob, what key will each of them use?

Answer 30

Carol uses Bob’s public key to encrypt the data. Bob will use his private key to decrypt the data. Encryption and decryption are always done by the same key pair.

Question 31

If George encrypted data four years ago with an old CAC card, can he decrypt the data with his new CAC card?

Answer 31

No. George must obtain the old private key to decrypt the data. Encryption was done with a different key pair.

Question 32

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

Answer 32

Janet will digitally sign the email with her private key. John will check it’s validity with Janet’s public key, which he would have received in advance.

Question 33

What two things does a digital email signature provide?

Answer 33

Integrity
Non-repudiation

Question 34

What asymmetric encryption algorithm should you use to encrypt data on a smartphone?

Answer 34

Elliptic Curve Cryptography (ECC) will be used. It is small, fast, and uses the Diffie-Hellman (DH) handshake.

Question 35

What should you use to encrypt a military mobile telephone?

Answer 35

AES-256.

Question 36

Name two key-stretching algorithms.

Answer 36

bcrypt and PBKDF2.

Question 37

Explain how key stretching works.

Answer 37

Key stretching salts the password being stored to prevent duplicate passwords. Also increases the length of the keys to make brute-force attacks harder.

Question 38

What is the difference between stream and block cipher modes, and which one will you use to encrypt large blocks of data?

Answer 38

Stream ciphers encrypt one bit at a time. Block ciphers take blocks of data, such as 128-bit modes. You would use a block cipher for large amounts of data.

Question 39

What happens with cipher block chaining if you don’t have all the blocks?

Answer 39

CBC needs all blocks of data to decrypt the data.

Question 40

If you want to ensure the integrity of data, what should you use? Name two algorithms.

Answer 40

SHA-1 (160-bit)
MD5 (128-bit)

Question 41

If you want to ensure the protection of data, what should you use?

Answer 41

Encryption.

Question 42

Is a hash a one-way or two-way function, and is it reversible?

Answer 42

One-way, non-reversible.

Question 43

What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

Answer 43

POODLE.

Question 44

Define Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE).

Answer 44

DHE and ECDHE are both ephemeral keys that are short lived, one-time keys.

Question 45

What are the strongest and weakest methods of encryption with an L2TP/IPSec VPN tunnel?

Answer 45

Strongest: AES
Weakest: DES

Question 46

What is the name of the key used to ensure the security of communication between a computer and a server or a computer to another computer?

Answer 46

Session key.

Question 47

What should you do to protect data-at-rest on a laptop?

Answer 47

Full Disk Encryption (FDE).

Question 48

What should you do to protect data-at-rest on a tablet or smartphone?

Answer 48

Full Disk Encryption (FDE).

Question 49

What should you do to protect data-at-rest on a backend server?

Answer 49

Data-at-rest on a backend server is stored in a database. You would need to encrypt the database.

Question 50

What should you do to protect data-at-rest on a removable device, such as a USB flash drive or an external hard drive?

Answer 50

Full Disk Encryption (FDE).

Question 51

What protocols could you use to protect data in transit?

Answer 51

TLS
SSL
HTTPS
L2TP/IPSec tunnel

Question 52

How can you protect data-in-use?

Answer 52

Full Memory Encryption.

Question 53

What is the purpose of obfuscation?

Answer 53

Make source code look obscure so that if it is stolen, it cannot be understood. It masks data using either XOR or ROT13.

Question 54

What is the purpose of perfect forward secrecy?

Answer 54

PFS ensures no link between the server’s private key and the session key. If a VPN server’s key was compromised, it could not decrypt the session. Great for voting machines.

Question 55

What type of attack tries to find two hash values that match?

Answer 55

Collision attack.

Question 56

What is the purpose of rainbow tables?

Answer 56

Lists precomputed words showing their hash value used to crack the hash value of passwords. Different tables are used for MD5 and SHA-1.

Question 57

Explain the concept of steganography.

Answer 57

Used to conceal data inside another form of data.

Question 58

What are the two purposes of Data Loss Prevention (DLP)?

Answer 58

Prevents sensitive or PII from being emailed out of a company.
Prevents sensitive or PII from being stolen from a file server using a USB device.

Question 59

What is the purpose of salting a password?

Answer 59

Ensures that duplicate passwords are never stored and makes things more difficult for brute-force attacks by increasing the key size (key stretching).