Lesson 5: Implementing a Public Key Infrastructure
What is an HSM? A) Popular open standard for encrypting email and can also be used for file and disc encryption B) System that provides up-to-date information on a certificate's status C) System for performing cryptographic operations and storing key material securely D) Provides private key backups
C (Hardware Security Module)
True or False: Longer keys are more secure.
True
What type of certificate format can be used if you want to transfer your private key from one host computer to another? A) PKCS #12, .PFX, .P12. B) PEM C) P7b, PKCS#7 D) EDR
A
Which of the following defines key usage with regard to standard extensions? A) The purpose for which a certificate was issued. B) The ability to create a secure key pair. C) Configuring the security log to record key indicators. D) To archive a key with a third party.
A
What cryptographic information is stored in a digital certificate? (Choose all that apply) A) Public key B) Private key C) Algorithms used for encryption and hashing D) Root certificate information E) CA digital signature
A, C, E
A user enters the web address of a favorite site and the browser returns: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Choose two) A) The system's time setting is incorrect. B) The certificate is pinned. C) The web address was mistyped. D) The certificate expired.
A, D
Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following is NOT true. A) X.509 certificates are signed by a single Certificate Authority, where PGPs are signed by multiple users. B) X.509 links the identity of a user to a public key, while PGP links that identity to a private key. C) X.509 operates under a hierarchical trust model, where PGP uses a web of trust. D) X.509 and PGP are both implementations of the PKI Trust Model.
B
Consider the lifecycle of an encryption key. Which of the following is NOT a stage in a key's lifecycle? A) Storage B) Verification C) Expiration and renewal D) Revocation
B
Consider the process of obtaining a digital certificate and determine which of the following statements is incorrect. A) CAs ensure the validity of certificates and the identity of those applying for them. B) Registration is the process where end users create an account with the domain administrator. C) The registration function may be delegated by the CA to one or more RAs. D) When a subject wants to obtain a certificate, it completes a CSR.
B
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program? A) Machine certificate B) Code signing certificate C) Self-signed certificate D) Root certificate
B
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Choose two) A) If a key used for signing and encryption is compromised, it can be easily destroyed with a new key issued. B) It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. C) If a private key or secret key is not backed up, the storage system represents a single point of failure. D) The same private key can securely encrypt and sign a document.
B, C
What mechanism informs clients about suspended or revoked keys? (Choose all that apply) A) HSM B) CRL C) OCSP D) X.509 E) DSA
B, C
Evaluate the differences between hardware and software-based key storage and select the true statement. A) In hardware-based storage, the key is stored on a server. B) Software-based storage and distribution is typically implemented using removable media or a smart card. C) HSM may be less susceptible to tampering and insider threats than software-based storage. D) In hardware-based storage, security is provided by the operating system Access Control List (ACL).
C
The X.509 standard defines the fields (information) that must be present in a digital certificate. Which of the following is NOT a required field? A) Serial Number B) Issuer Name C) Endorsement key D) Version
C
What does it mean if a certificate extension is marked as critical? A) The certificate is one-time use only B) The certificate is urgent C) If the application processing the certificate cannot interpret the extension correctly, it should reject the certificate D) If the application processing the certificate cannot process the certificate in time, it should reject the certificate
C
What extension field is used with a web server certificate to support the identification of the server by multiple subdomain labels? A) Fully Qualified Domain Name (FQDN) B) Alternative Subdomain (AS) C) Added Name Field (ANF) D) Subject Alternative Name (SAN)
D
What is it called when you archive a key with a third party? A) OCSP stapling B) Certificate chaining C) CRL storage D) Key escrow
D
What is the purpose of a server certificate? A) Allow signing and encrypting email messages. B) Guarantee the validity of a browser plug-in or software application. C) Provide identification for the certificate authority. D) Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.
D
nsider the Public Key Infrastructure (PKI) Trust Model. In which of the following is the root NOT the single point of failure? A) Single CA B) Intermediate CA C) Self-signed CA D) Offline CA
D