Module 2, Unit 2 - Public Key Infrastructure
A notification of the legal status of the uses for which the certificate has been issued and outlines the circumstances. Typically, this is a link back to documentation on the CA's website.
Certificate Policy Statement (CPS)
A Base64 ASCII file containing the information that the subject wants to use in the certificate, including its public key.
Certificate Signing Request (CSR)
In the hierarchical trust model, each leaf certificate can be traced back to the root CA along the Certification Path. This is known as?
Certificate chaining or Chain of Trust
Which key lifecycle stage allocates a key pair to a use by embedding it into a digital certificate?
Certificate generation
What type of extensions do public certificates use where an OID is defined in X.509 that should be supported by all clients?
Standard extensions
Which key lifecycle stage the user must take steps to store the private key securely, ensuring that unauthorized access and use is prevented?
Storage
What extension field is used with a web server certificate to support the identification of the server by multiple subdomain labels?
Subject Alternative Name (SAN)
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
Code Signing
A certificate issued to a software publisher following some sort of identity check and validation process by the CA. The publisher then signs the executables or DLLs that make up the program to guarantee the validity of a software application or browser plug-in.
Code Signing Certificate
What is a set of cryptographic algorithms mandated by the National Security Agency (NSA) for use by US government agencies.
Suite B
What type of key may be re-enabled that hasn't been revoked?
Suspended key
What does it mean if a key recovery agent is subject to "M of N" control?
That for "N" number of agents "M" must be present to access the system
A wrapper for a subject's (or end entities) public key. As well as the public key, it contains information about the subject and its issuer and guarantor.
Digital Certificate
Which key lifecycle stage makes the key pair or certificate available to the user?
Distritbution
Proving the ownership of a particular domain. This may be proved by responding to an email to the authorized domain contact or by publishing a text record to the domain.
Domain Validation (DV)
What type of certificate can be used to sign and encrypt email messages, typically using S/MIME or PGP?
Email Certificate
Which key lifecycle stage a key pair that has not been revoked will expire after a certain period?
Expiration
Which field is referred to by Microsoft as Enhanced Key Usage and is a complimentary means of defining usage?
Extended Key Usage (EKU)
Subjecting to a process that requires more rigorous checks on a subject's legal identity and control over the domain or software being signed.
Extended Validation (EV)
What PGP version has been ratified as an open Internet standard with the name OpenPGP?
Gnu Privacy Guard (GPG)
An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
Hardware Security Module (HSM)
Which type of trust model is where a single CA (called the root) issues certificates to a number of intermediate CAs, where the intermediate CAs issue certificates to subjects (leaf or end entities)?
Hierarchical (Intermediate CA)
Escorw means that something is held independently. In terms of key management, archiving key or keys with a third-part is known as what?
Key Escrow
A key or key pair is a pseudo randomly generated integer of the required size (1024-bit or 2048-bit for instance), experssed in binary DER or ASCII PEM encoding. This is known as?
Key generation
Which key lifecycle stage creates a secure key pair of the required strength using the chosen cipher?
Key generation
What are the stages in a key's lifecycle?
Key generation, certificate generation, distribution, storage, revocation, and expiration
Apart from validating a user's identity, one of the main functions of a certificate authority is the management of these objects over their lifecycle. Some of the main issues are usage, storage, lifetime, renewal, and recovery and escrow.
Key management
What is referred to as operations occurring at various stages in a key's lifecycle?
Key management
What is the most important standard extension that defines the purpose for which the certificate was issued?
Key usage
What trust model enables users to sign on another's certificates, rather than using CAs?
Web of Trust
What type of certificate is issued to the parent domain and will be accepted as valid for all subdomains, but cannot be issued with Extended Validation (EV)?
Wildcard domain
What type of certificate is issued to servers, PCs, smartphones, and tablets, regardless of function?
Machine Certificate
Any Windows-based server computer configured into a domain but not maintaining the Active Directory database (authenticating users). Servers in a workgroup are referred to as standalone servers.
Member server
The OCSP responder has a privacy issue in that it can be used to monitor and record client browser requests. What is used to resolve this issue?
OSCP stapling (it has SSL / TLS web servers periodically obtain a time-stamped response from the CA)
Because of the high risk posed by compromising the root CA, a secure configuration involves making the root CA into what type of CA?
Offline CA
What type of CA is one that is always available to accept and process certificate signing requests, publish certificate revocation lists, and perform other certificate management tasks?
Online CA
What PGP version is a commercial product and is owned by Symmantec?
PGP Corporation
What is a number of techniques used to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate?
Pinning
An email encryption product providing message confidentiality and integrity using web of trust PGP certificates.
Pretty Good Privacy (PGP)
What type of certificate encoding is a DER-encoded binary file that can be represented as ASCII characters using Base64, uses extensions .CER and .CRT, and starts with "-----BEGIN CERTIFICATE-----"?
Privacy-enhanced Electronic Mail (PEM)
What standards help vendors create security products that are interoperable?
Public Key Cryptography Standards (PKCS)
What options exist for creating a key repository?
Software based the key is stored on a server and secured with its ACL; Hardware based uses removable media, a smart card, or a dedicated key storage Hardware Security Module (HSM)
When a key expires it is no longer trusted by the users. What can be done with these keys?
Archived or destroyed (destroying offers more security but data encrypted by these keys will no longer be readable)
The person or body responsible for issuing and guaranteeing certificates.
Certificate Authority (CA)
Defined in X.509 version 3, what allows extra information to be included about a certificate?
Certificate Extensions
What defines the different uses of certificate types issued by the CA, typically following the framework set out in RFC 2527?
Certificate Policies
What type of certificate format can be used if you want to transfer your private key from one host computer to another?
.PFX or .P12
What mechanism informs users about suspended or revoked keys?
A Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP)
What are the drawbacks associated with offline CAs?
CRL must be published manually and root CA will have to be brought online to add or update intermediate CAs
Asymmetric encryption provides a solution to the problem of secure key distribution for symmetric encryption. The main problem is making a link between a particular public-private key pair and a specific user. One way of solving this problem is through this system. Under this system, keys are issued as digital certificates by a Certificate Authority (CA). The CA acts as a guarantor that the user is who he or she says he or she is. Under this model, it is necessary to establish trust relationships between users and CAs. In order to build trust, CA must publish and comply with Certificate Policies and Certificate Practice Statements.
Public Key Infrastructure (PKI)
A user configured to restore encrypted data in the event that the original key is lost. This agent is granted access to a backup of the key, stored in some secure location. Access is often subject to "M of N" control, requiring more than on user to authorize the operation, to deter fraud.
Recovery Agent
The process by which end users create an account with the CA and become authorized to request certificates.
Registration
Entities that complete identity checking and submit certificate signing requests (CSR) on behalf of end users but do not actually sign or issue certificates.
Registration Authorities (RA)
In PKI, the functions of registration and identity proofing users may be delegated from the Certificate Authority (CA) to this.
Registration Authority (RA)
Which key lifecycle stage is where a key can be revoked before it expires if it has been compromised?
Revocation
What type of key is no longer valid and may not be "un-revoked"?
Revoked key
A certificate that identifies the CA itself and is self-signed. This certificate would normally use a key size of at least 2048 bits. Many providers are switching to 4096 bits.
Root Certificate
Who signs the root CA's certificate?
Self-signed
What type of certificate can be deployed with any machine, web server, or program code, but will be marked as untrusted by the operating system or browser?
Self-signed Certificate
Guarantees the identity of eCommerce sites or any sort of website to which users submit data that should be kept confidential.
Server Certificate
A protocol developed by Cisco to provision users and appliance (such as routers and switches or smartphones) with certificates. SCEP uses HTTP to submit a Certificate Signing Request (CSR) then monitors the status of the request. It can also automatically renew certificates that are about to expire.
Simple Certificate Enrollment Protocol (SCEP)
Which type of trust model uses a single CA to issue certificates to users, and these users only trust certificates issued by this CA and not other, but if the single CA is compromised then the who structure collapses?
Single CA
What does it mean if a certificate extension is marked as critical?
The application processing the certificate must be able to interpret the extension correctly; otherwise the certificate should be rejected
What should be done before a certificate expires?
The certificate should be renewed
What cryptographic information is stored in a digital certificate?
The owners public key and algorithm, and hashing; the CA's digital signature
What are the weaknesses of a hierarchical trust model?
The root is a single point of failure (if the root is compromised the entire structure collapses) and limited opportunity to trust the CA of another organization (operational difficulties are presented when multiple organizations work together)
What does it mean if a cryptographic module is FIPS?
They have been tested and adhere to standards for US federal computer systems
How does a subject go about obtaining a certificate from a CA?
They submit a CSR to the CA that contains the public key and other information (subject information/supported algorithms/key strengths) the subject wants to use; the CA reviews CSR and if accepts it they sign the certificate and sends it to the subject.
Allows a client providing an update to a dynamic DNS server to be authenticated by a password (MD5 HMAC).
Transaction Signature (TSIG)
What PKI idea shows how users and different CAs are able to trust one another?
Trust model