Review 6.3
Where should you store your private keys to ensure security for them?
- In your email client
- Only on your hard drive in the local keystore
- A key escrow with a trusted third party
- A universal serial bus (USB) thumb drive that you carry on your keychain
A key escrow with a trusted third party. Escrowing the key with a trusted third party ensures that if your copy is lost or damaged you can still retrieve it. Note that escrow protects availability: the escrow holder now has a copy of the private key, so access to it must be tightly controlled and audited.
Which of the following is NOT a reason for certificate revocation?
- The certificate was obtained by fraudulent means.
- The certificate holder is no longer trusted.
- The certificate owner's private key has been lost or compromised.
- The certificate has exceeded its expiration date.
The certificate has exceeded its expiration date. An expired certificate is already invalid, so there is no need to revoke it; revocation exists to invalidate a certificate before its expiration date.
What is the first step in the process of setting up public key security on your network?
- Building a certificate library
- Identifying a Certificate Authority (CA)
- Installing Certificate Authority (CA) servers
- Creating digital certificates
Installing Certificate Authority (CA) servers
A public key infrastructure
It is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
What is the primary disadvantage to using the Online Certificate Status Protocol (OCSP)?
- Revocation statuses are updated only monthly.
- It is not encrypted by default.
- The service is non-trivial to set up and use.
- It is not as current as the traditional Certificate Revocation List (CRL).
It is not encrypted by default. OCSP responses are digitally signed by the responder, so they cannot be forged, but the request and response are normally carried over plain HTTP, so which certificate a client is checking is visible to anyone on the path.
Online Certificate Status Protocol (OCSP)
It is used to check the revocation status of X.509 certificates. OCSP provides the revocation status of a single certificate on demand, in near real time, and is useful in time-sensitive situations such as bank transactions and stock trades. Certificate revocation is used within a public key infrastructure (PKI) to tell relying parties that a certificate can no longer be trusted, even though it has not yet expired.
Which of the following components is NOT a part of a public key infrastructure (PKI) system?
- Certificate Authorities (CAs)
- Digital certificates
- The encryption methodology
- Certificate repository databases
The encryption methodology
What is the primary limitation of Certificate Revocation Lists (CRLs)?
- Updates must be frequently downloaded to keep the list current.
- Downloading a CRL is a manual process.
- Expired certificates are not included in the CRL.
- There is a lot of overhead to maintaining CRLs.
Updates must be frequently downloaded to keep the list current.
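The CRL mechanics behind the revocation questions above (why a revoked certificate carries a reason, and why a CRL must be downloaded again), as an added example that is not part of the original review: a Go program using only the standard library's crypto/x509 package (Go 1.21 or later, for the RevocationListEntry type). A constructed CA revokes one serial number for key compromise, publishes a signed CRL whose NextUpdate is one day out, and a relying party verifies the CRL's signature, looks up a serial, and notices when the list has gone stale. The CA name and the serial numbers are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Revocation is one entry the CA publishes: the certificate's serial number and a
// CRLReason code from RFC 5280 section 5.3.1 (for example 1 = keyCompromise).
type Revocation struct {
	Serial int64
	Reason int
}

// RevocationStatus is the result of checking one serial against a CRL.
type RevocationStatus struct {
	Revoked bool
	Reason  int  // reason code if revoked, -1 otherwise
	Stale   bool // NextUpdate has passed: the list must be downloaded again
}

// NewCA creates a self-signed CA certificate permitted to sign CRLs (the name is made up).
func NewCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildCRL signs a DER-encoded CRL listing the given revocations. validity sets
// NextUpdate: relying parties must fetch a fresh list once that time has passed.
func BuildCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked []Revocation, now time.Time, validity time.Duration) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(validity)}
	for _, r := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{
			SerialNumber: big.NewInt(r.Serial), RevocationTime: now, ReasonCode: r.Reason,
		})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckSerial is the relying party's side: confirm the CRL was signed by the issuing
// CA, note whether it is stale, then look the serial up.
func CheckSerial(crlDER []byte, ca *x509.Certificate, serial int64, now time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return RevocationStatus{}, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return RevocationStatus{}, fmt.Errorf("CRL not signed by the expected issuer: %w", err)
	}
	st := RevocationStatus{Reason: -1, Stale: now.After(crl.NextUpdate)}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() == serial {
			st.Revoked, st.Reason = true, e.ReasonCode
		}
	}
	return st, nil
}

func main() {
	now := time.Now()
	ca, key, err := NewCA("Example Issuing CA", now)
	if err != nil {
		panic(err)
	}
	// Constructed data: serial 1001 was revoked for key compromise; the list is good for one day.
	crl, err := BuildCRL(ca, key, []Revocation{{Serial: 1001, Reason: 1}}, now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, s := range []int64{1001, 1002} {
		st, _ := CheckSerial(crl, ca, s, now)
		fmt.Printf("serial %d: %+v\n", s, st)
	}
	st, _ := CheckSerial(crl, ca, 1002, now.Add(48*time.Hour))
	fmt.Printf("two days later: stale=%v, so the CRL must be downloaded again\n", st.Stale)
}
```

The signature check is the step that matters most: a CRL that does not verify against the issuing CA could have been substituted to hide a revocation, and must be rejected rather than consulted. The Stale flag is the practical cost of CRLs that the question above points at: once NextUpdate passes, the copy you hold may be missing newer revocations, so it has to be fetched again.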
If you send your coworker an encrypted email message using your coworker's public key, how does your coworker read the message?
- Your coworker decrypts the message with their private key.
- Your coworker decrypts the message with their public key.
- Your coworker decrypts the message using your public key.
- Your coworker decrypts the message using your private key.
Your coworker decrypts the message with their private key.
Why should you use a commercial Certificate Authority (CA) instead of creating your own and self-signing certificates?
- Commercial certificates offer better security than self-signed certificates do.
- Your information has been verified by a trusted source.
- Commercial certificates take the burden of encryption off of your servers.
- Self-signed certificates can reveal personal information.
Your information has been verified by a trusted source. A commercial CA checks the requester's identity before issuing, and its root certificate is already present in browsers and operating systems; a self-signed certificate carries no third-party verification, so relying parties have no basis for trusting it.
What is another name for a group of Certificate Authorities (CAs) that work together to issue digital certificates, in which each CA in the group has a parent-child relationship with the CA directly above it?
- A CA trust model
- A CA consortium
- A CA family
- A CA family trust
A CA trust model
Which two entities can hold certificates?
- Users and devices
- Websites and servers
- Servers and workstations
- Users and workstations
Users and devices. A digital certificate is an electronic document that associates credentials (an identity) with a public key, and both users and devices can hold certificates.
What happens to all of the certificates issued by child Certificate Authorities (CAs) if the root CA is compromised?
- All compromised certificates are immediately expired.
- All certificates from the root CA downward become invalid.
- Only self-signed certificates become invalid.
- Nothing; only the root CA's certificates are invalid.
All certificates from the root CA downward become invalid.
Which public key infrastructure (PKI) component do you send to a Certificate Authority (CA) to apply for a certificate?
- PKCS
- RA
- CSR
- CMS
CSR (Certificate Signing Request)
Which information is NOT included in a Certificate Revocation List (CRL)?
- Reason for revocation
- Requester's name
- Original request information
- Request ID number
Original request information. (In practice, each entry in an X.509 CRL as specified in RFC 5280 carries the revoked certificate's serial number, the revocation date and, optionally, a reason code; the list as a whole is signed by the issuing CA.)
A user has left your organization and you've deleted the user's account in accordance with organizational policies. You then realize you need to retrieve files that the user has encrypted, even though the user account no longer exists. Luckily, you designated an individual who has the necessary credentials to retrieve files that were encrypted by another user. What is the name for this type of individual?
- Key holder
- Decryption agent
- EFS agent
- Recovery agent
Recovery agent
To create an extremely secure Certificate Authority (CA) hierarchy, what can you do to your root CA?
- Use least privilege to secure it
- Take it offline
- Distribute its authority to all CAs
- Restrict access to it on a private network
Take it offline. An offline root signs only the subordinate (issuing) CA certificates and its own CRL, so its private key is never exposed to the network; day-to-day certificate issuance is handled by the online subordinate CAs.
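The questions above on the CSR, on what a root compromise does to the certificates beneath it, and on the offline root, as an added Go example that is not part of the original review. It uses only the standard library crypto/x509 package; the CA names and the host name www.example.test are made up. It builds a self-signed root, an issuing CA certified by the root, and a leaf certificate issued from a CSR (with the CSR's self-signature checked as proof that the requester holds the private key), then validates the chain twice: once with the root in the trust store, and once after the root has been removed, which is what a compromised root looks like to relying parties.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy: offline root, issuing (intermediate) CA, end-entity cert issued from a CSR.
type Hierarchy struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// issue signs template with the parent's key and returns the parsed certificate;
// passing the template as its own parent yields a self-signed certificate.
func issue(template, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate builds a CA template; maxPath bounds the tiers of sub-CAs beneath it (0 = none).
func caTemplate(serial int64, name string, now time.Time, years, maxPath int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: maxPath, MaxPathLenZero: maxPath == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildHierarchy constructs the example PKI; every name in it is made up.
func BuildHierarchy(now time.Time) *Hierarchy {
	rootKey, issKey, leafKey := newKey(), newKey(), newKey()
	// Root: self-signed and long-lived. It signs the issuing CA once, then its key stays offline.
	rootTmpl := caTemplate(1, "Example Root CA", now, 20, 1)
	root := must(issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	// Issuing CA: certified by the root and forbidden from creating further sub-CAs.
	iss := must(issue(caTemplate(2, "Example Issuing CA", now, 5, 0), root, &issKey.PublicKey, rootKey))
	// Subscriber: generates its own key pair and sends only a CSR; the private key never leaves.
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
	}, leafKey))
	// CA/RA side: parse the CSR and check its self-signature, the proof that the requester
	// holds the private key matching the enclosed public key. Identity vetting happens here too.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(fmt.Errorf("CSR proof of possession failed: %w", err))
	}
	leaf := must(issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 90),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, iss, csr.PublicKey, issKey))
	return &Hierarchy{Root: root, Intermediate: iss, Leaf: leaf}
}

// ChainLength validates the leaf for dnsName against the given trust anchors and
// returns how many certificates the built chain contains (0 on failure).
func ChainLength(h *Hierarchy, dnsName string, now time.Time, trusted ...*x509.Certificate) (int, error) {
	roots := x509.NewCertPool() // empty but non-nil: a nil Roots means "use the system store"
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	inters.AddCert(h.Intermediate)
	chains, err := h.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName, CurrentTime: now})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	now := time.Now()
	h := BuildHierarchy(now)
	n, err := ChainLength(h, "www.example.test", now, h.Root)
	fmt.Println("root trusted:   ", n, err)
	n, err = ChainLength(h, "www.example.test", now) // root compromised and pulled from the trust store
	fmt.Println("root distrusted:", n, err)
}
```

Only the root is ever placed in the trust store; the issuing CA is supplied as an untrusted intermediate and is accepted solely because the root signed it. That is why removing a compromised root invalidates everything beneath it in one step, and why the root key, used here exactly once, belongs on an offline machine.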
Which entity issues certificates and their associated public/private key pairs?
- The Certificate Authority (CA)
- The electronic notary system
- The federal government
- The National Security Agency (NSA)
The Certificate Authority (CA)
You can maintain your public key infrastructure (PKI) in one of two ways for your organization. What are the two ways?
- Publicly or privately
- Certificates or passphrases
- Commercially or open source
- Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
Publicly or privately. A PKI can be implemented in various hierarchical structures, and its CAs can be publicly trusted (run by a commercial CA) or maintained privately within the organization.
What is a purpose of a Registration Authority (RA) in public key infrastructure (PKI)?
- The RA stores the digital certificates in its database.
- The RA revokes maligned certificates.
- The RA is the encrypting mechanism for PKI procedures.
- The RA is responsible for verifying a user's identity.
The RA is responsible for verifying a user's identity. The RA has two purposes: to verify a user's identity and to approve or deny requests for digital certificates.
How does a certificate work when your coworker Bob sends you an encrypted message?
- Bob uses the certificate to decrypt his message.
- You use your public key to decrypt Bob's message.
- You use Bob's certificate private key to decrypt his message.
- The certificate allows you to verify that Bob sent you the message.
The certificate allows you to verify that Bob sent you the message. Bob's certificate binds his identity to his public key, so a signature Bob made with his private key can be checked against that public key, confirming both who sent the message and that it was not altered in transit.
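The two message questions in this review (encrypting to a coworker's public key, and verifying that Bob sent a message), as an added Go example that is not part of the original review. It uses the standard library crypto/rsa package; Alice and Bob are constructed key pairs rather than certificates, since the certificate's role is only to bind the public key used in Verify to Bob's name, which a CA vouches for. The message text and the names are made up.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey generates a 2048-bit RSA key pair; each party keeps the private half.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// EncryptFor seals msg to one recipient: anyone can run this with the recipient's
// public key, but only the matching private key can undo it (RSA-OAEP with SHA-256).
func EncryptFor(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt is what the recipient does with their own private key.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign proves origin: only the sender's private key can produce this value (RSA-PSS).
func Sign(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
}

// Verify is what the recipient does with the public key taken from the sender's
// certificate; it also fails if the message was altered after signing.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	// Constructed scenario: Bob sends Alice a signed, encrypted message.
	alice, bob := NewKey(), NewKey()
	msg := []byte("quarterly numbers attached")

	sig, _ := Sign(bob, msg)                   // Bob signs with his private key
	ct, _ := EncryptFor(&alice.PublicKey, msg) // Bob encrypts with Alice's public key

	pt, err := Decrypt(alice, ct) // Alice decrypts with her private key
	fmt.Println("alice reads:", string(pt), "error:", err)
	_, err = Decrypt(bob, ct) // Bob's own key cannot open mail addressed to Alice
	fmt.Println("bob's key fails:", err != nil)
	fmt.Println("signed by bob:", Verify(&bob.PublicKey, pt, sig))
	fmt.Println("signed by alice?", Verify(&alice.PublicKey, pt, sig))
	fmt.Println("after tampering:", Verify(&bob.PublicKey, bytes.ToUpper(pt), sig))
}
```

Real email encryption (S/MIME, OpenPGP) is hybrid: the message is encrypted with a random symmetric key and only that key is encrypted with RSA-OAEP, because RSA can encrypt at most a few hundred bytes directly (190 bytes here, for a 2048-bit key with SHA-256). The key roles are exactly the ones shown: the recipient's public key for confidentiality, the sender's private key for the signature.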