Validity Models Flashcards

1
Q

Certification service provider

A
  • Serves as trust anchor in hierarchical PKIs
  • Responsible for correct operation of the PKI
  • Trusted third party
  • “Home” of the issuer
  • Provides entities with PKI services
  • Usually composted of various components (authorities)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

CSP components (authorities)

A
  • Registration authority
  • Certification Authority
  • Directory Services
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Registration authority

A
  • Contact point for (prospective) PKI entities
  • Register prospective entities
  • Establish “customer relationship”
  • Accept requests from entities
  • Usually online
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

RA: Registration

A
  • Establish identity, contact information, client preferences, billing data, public keys and proof-of-possession (optional)
  • Secure “Out-of-Band” communication channel
  • Checking the prospective participant’s authorization
  • Storing of the registration dataset
  • Creation of a unique digital name (for the certificate)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Proof of Possession: Certificate request message format

A
  • Defines a PoP field to include PoP information into certificate request messages
  • Content of PoP field depend on key type:
    -> Signature keys: signature on a piece of data containing the requestor’s identity
    -> Encryption keys: providing private key to CA/RA, direct method, indirect method
  • Key agreement keys: establishing ephemeral key + employing one of the methods defined for encryption keys or providing a MAC over certificate request computed with the ephemeral key
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

PoP: Encryption keys

A
  • Direct: Encrypt a value and have the entity decrypt it
  • Indirect: Encrypt the certificate and have the entity decrypt it
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

PoP: Key agreement keys

A

Establishment of a shared secret key between CSP and entity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Secure “Out-of-Band” channel

A
  • Independent of the PKI:
    -> Face-to-Face communication (i.e. local presence)
    -> Previously established shared secrets (e.g. passwords)
    -> Third-party services
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

RA models

A
  • Centralized: One RA for all participants
  • Decentralized (Local RA): Different RAs for different participant groups
  • Hybrid models: E.g. distributed collection of data, but centralized data management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Reasons for decentralization

A
  • Topology (e.g. lots of company branches)
  • Separation of responsibilities
  • On-site registration
    -> better identification (known requester)
    -> distribution of the cost (registration is time consuming)
    -> less work for the end-entity (e.g. registration at the workplace)
    -> use of established workflows
  • Fail-safeness
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Security requirements for registration

A
  • Correctness of the registration data set
    -> checking during ascertainment
    -> obsolete data refresh
  • Enforce the Certificate Policy
    -> Completeness of the registration data set
    -> Authorization
  • Data protection
    -> Access control for registration data sets
  • Integrity protection of the data
    -> CRC, MAC, digital signature, …
  • Availability of the data
    -> Backup
  • Verifiability of the processes (auditing acceptability)
    -> Logging
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Certificate classes

A
  • Not part of X.509 specification
  • Classification depends on vendor
  • Verisign (not existing anymore) - to differentiate certificate purposes:
    -> Class 1 for individuals, intended for email
    -> Class 2 for organizations, for which proof of identity is required
    -> Class 3 for servers and software signing
  • GlobalSign, Secorio - to different strength of identity validation for personal certificates
    -> Class 1 only include the validation of the email address
    -> Class 2 includes more thorough validation (e.g. company existence, passport and/or address validation)
  • No universal meaning, mainly marketing purposes
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Classification for TLS certificates

A
  • Also not part of X.509 standard but commonly agreed
  • Describes the strength of performed identity validation
  • Indicated via OID in the X.509 Certificate Policies extension
  • 3 types:
    -> domain validation (DV), existence & control over domain verified
    -> organization validation (OV), some additional checks regarding the requesting organization
    -> extended validation (EV), thorough validation of the requesting organization
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

EV certificates: Scope

A

Are intended for use in establishing web-based data communication conduits via TLS/SSL protocols

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

EV certificates: Primary purposes

A
  • Identify the legal entity that controls a website
  • Provide reasonable assurance that the website is controlled by a specific legal entity identified by:
    -> name
    -> address of place of business
    -> jurisdiction of incorporation
    -> and registration number
  • Enable the encrypted communication of information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

EV certificates: Secondary purposes

A
  • Establish legitimacy of a business by confirming its legal and physical existence
  • Assist in addressing problems related to phishing and other forms of online identity fraud
    -> Make it more difficult to mount phishing and other online identity fraud attacks
    -> Assist companies by providing a tool to better identify themselves and their legitimate websites
    -> Assist law enforcement in investigations including contacting, investigating, or taking legal action against the subject
17
Q

EV certificates: What is verified

A
  • Applicant’s legal existence and identity
  • Applicant’s physical existence
  • Applicant’s operational existence
  • Applicant’s domain name
  • Name, title, and authority of contract signer
18
Q

Certification authority

A
  • Conduct issuing tasks
  • Use issuer private key(s)
  • Handle entity key pairs
  • Generate PSEs
  • Often offline and physically shielded
19
Q

Directory services

A
  • Publish PKI information
  • Deliver PSEs
  • Manage certificate lifecycle
  • Usually online
20
Q

Chain model - problems

A
  • Signature key compromise
    -> Signatures and time information in certificates are unreliable
    -> Usage of time stamping?
    –> doubling of overhead: issuance and verification
    –> does not fit to business model, infrastructure and processes
21
Q

Certification request construction

A
  1. Requesting entity generates CertificationRequestInfo (DN, Pk, set of attributes)
  2. CertificationRequestInfo value signed with the subject entity’s private key
  3. CertificationRequestInfo + a signature algorithm identifier + signature value = CertificationRequest
22
Q

Key/certificate life cycle and CA

A
  • Initialization
    -> Registration
    -> Certificate Creation and Key/Certificate Distribution
    -> Certificate Dissemination
    -> Key Backup (if appropriate)
  • Issued
    -> Certificate Retrieval
    -> Certificate Validation
    -> Key Recovery
    -> Key Update
  • Cancellation
    -> Certificate Expiration
    -> Key History
    -> Key Archive