cna 210 chapter 6


A less secure trust model that uses no CA is called what?

"web of trust"

Steps for requesting digital certificate are?

1. Generate the public/private key pair (asymmetric cryptography).
2. Generate a Certificate Signing Request (CSR): a specially formatted message that carries the public key and the information the CA requires, signed with the requester's new private key to prove possession of it (the CSR is signed, not encrypted).
3. The CA receives the CSR, verifies its signature and validates the requester's identity.
4. The CA inserts the public key into the certificate.
5. The certificate is digitally signed with the private key of the issuing CA.

Secure Shell (SSH)

A command-line interface and protocol, originating on UNIX/Linux, for securely accessing a remote computer; an encrypted replacement for Telnet.

public key infrastructure (PKI)

A framework for managing all of the entities involved in creating, storing, distributing, and revoking digital certificates.

This can be used in an organization where one CA is responsible for only the digital certificates for that organization.

A hierarchical trust model

key recovery agent (KRA)

A highly trusted person responsible for recovering lost or damaged keys held in escrow, so that the digital certificates that depend on them remain usable.

cipher suite

A named combination of the key exchange, authentication, encryption, and message authentication code (MAC) algorithms used on an SSL/TLS connection (for example, ECDHE-RSA-AES128-GCM-SHA256).

key escrow

A process in which keys are managed by a third party, such as a trusted CA.

Secure Sockets Layer (SSL)

A protocol originally developed by Netscape for securely transmitting data.

Transport Layer Security (TLS)

The successor to SSL; a protocol that provides confidentiality and data integrity between applications. Only TLS 1.2 and TLS 1.3 are still considered secure.

Online Certificate Status Protocol (OCSP)

A protocol that performs a real-time lookup of a certificate's status.

Certificate Repository (CR)

A publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate.

Certificate Revocation List (CRL)

A list, signed and published by the CA, of the serial numbers of digital certificates that have been revoked before their expiration date.

Hypertext Transport Protocol Secure (HTTPS)

A secure version of HTTP sent over SSL or TLS.

Internet Protocol Security (IPsec)

A set of protocols developed to support the secure exchange of packets between hosts or networks.

Certificate Signing Request (CSR)

A specially formatted message, signed with the requester's private key, that carries the public key and the information the CA requires to issue a digital certificate (the format is defined by PKCS #10).

Registration Authority (RA)

A subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users.

digital certificate

A technology used to associate a user's identity to a public key, in which the user's public key is digitally signed by a trusted third party.

third-party trust

A trust model in which two individuals trust each other because each individually trusts a third party.

hierarchical trust model

A trust model that has a single hierarchy with one master CA.

distributed trust model

A trust model that has multiple CAs that sign digital certificates.

bridge trust model

A trust model with one CA that acts as a facilitator to interconnect all other CAs.

Certificate Authority (CA)

A trusted third-party agency that is responsible for issuing digital certificates.

direct trust

A type of trust model in which a relationship exists between two individuals because one person knows the other person.

An entity that issues digital certificates is a ____. a. Certificate Authority (CA) b. Signature Authority (SA) c. Certificate Signatory (CS) d. Digital Signer (DS)

A. Certificate Authority (CA)

A ____ is a specially formatted message, signed by the requester, that validates the information the CA requires to issue a digital certificate. a. Certificate Signing Request (CSR) b. digital digest c. FQDN form d. digital certificate

A. Certificate Signing Request (CSR)

__________ refers to a situation in which keys are managed by a third party, such as a trusted CA. a. Key escrow b. Remote key administration c. Trusted key authority d. Key authorization

A. Key escrow

Which of these is considered the weakest cryptographic transport protocol? a. SSL v2.0 b. TLS v1.0 c. TLS v1.1 d. TLS v1.3

A. SSL v2.0 (note that SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated today; only TLS 1.2 and 1.3 should be enabled)

____ is a protocol for securely accessing a remote computer. a. Secure Shell (SSH) b. Secure Sockets Layer (SSL) c. Secure Hypertext Transport Protocol (SHTTP) d. Transport Layer Security (TLS)

A. Secure Shell (SSH)

____ are symmetric keys used to encrypt and decrypt information exchanged during the session and to verify its integrity. a. Session keys b. Encrypted signatures c. Digital digests d. Digital certificates

A. Session keys

Public Key Cryptography Standards (PKCS) ____. a. are widely accepted in the industry b. are used to create public keys only c. define how hashing algorithms are created d. have been replaced by PKI

A. are widely accepted in the industry

IPsec is transparent to what entities?

Applications, users, and software

This type of cryptography must be used to create the public and private keys.

Asymmetric

IPsec provides three areas of protection that correspond to three IPsec protocols. What are they?

Authentication (Authentication Header, AH), confidentiality (Encapsulating Security Payload, ESP), and key management (Internet Key Exchange, IKE)

A centralized directory of digital certificates is called a(n) ____. a. Digital Signature Approval List (DSAP) b. Certificate Repository (CR) c. Authorized Digital Signature (ADS) d. Digital Signature Permitted Authorization (DSPA)

B. Certificate Repository (CR)

____ performs a real-time lookup of a digital certificate's status. a. Certificate Revocation List (CRL) b. Online Certificate Status Protocol (OCSP) c. CA Registry Database (CARD) d. Real-Time CA Verification (RTCAV)

B. Online Certificate Status Protocol (OCSP)

Which of these is NOT part of the certificate life cycle? a. revocation b. authorization c. creation d. expiration

B. authorization

Which of these is NOT where keys can be stored? a. in tokens b. in digests c. on the user's local system d. embedded in digital certificates

B. in digests

Public key infrastructure (PKI) ____. a. creates private key cryptography b. is the management of digital certificates c. requires the use of an RA instead of a CA d. generates public/private keys automatically

B. is the management of digital certificates

Which statement is NOT true regarding hierarchical trust models? a. The root signs all digital certificate authorities with a single key. b. It assigns a single hierarchy with one master CA. c. It is designed for use on a large scale. d. The master CA is called the root.

C. It is designed for use on a large scale.

A(n) ____ is a published set of rules that govern the operation of a PKI. a. enforcement certificate (EF) b. certificate practice statement (CPS) c. certificate policy (CP) d. signature resource guide (SRG)

C. certificate policy (CP)

The strongest technology that would assure Alice that Bob is the sender of a message is a(n) ____. a. digital signature b. encrypted signature c. digital certificate d. digest

C. digital certificate

In order to ensure a secure cryptographic connection between a web browser and a web server, a(n) ____ would be used. a. web digital certificate b. email web certificate c. server digital certificate d. personal digital certificate

C. server digital certificate

The ____-party trust model supports CA. a. first b. second c. third d. fourth

C. third

Digital certificates can be used for each of these EXCEPT ____. a. to encrypt channels to provide secure communication between clients and servers b. to verify the identity of clients and servers on the Web c. to verify the authenticity of the Registration Authorizer d. to encrypt messages for secure email communications

C. to verify the authenticity of the Registration Authorizer

Technologies used for managing digital certificates include what?

Certificate Authority (CA), Registration Authority (RA), Certificate Repository (CR), and a means to revoke certificates (CRL or OCSP)

This is a publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate.

Certificate Repository (CR)

Revoked digital certificates are listed in a(n) ____, which can be accessed to check the certificate status of other users.

Certificate Revocation List (CRL)

A specially formatted message, signed by the requester, that validates the information the CA requires to issue a digital certificate is known as a(n) ______.

Certificate Signing Request (CSR)

This is a specially formatted message, signed with the requester's private key, that validates the information the CA requires to issue a digital certificate.

Certificate Signing Request (CSR)

Circumstances that may cause a certificate to be revoked before it expires include what, and how is revocation status checked?

Reasons for revocation:
- The certificate is no longer used.
- Details in the certificate have changed.
- Someone stole the user's private key (and could impersonate the victim using the digital certificate).
- Digital certificates were stolen from the CA.
Checking status:
- The current status of a certificate can be checked to determine whether it has been revoked.
- Certificate Revocation List (CRL): a CA-signed list of the serial numbers of certificates that have been revoked.
- Many CAs maintain an online CRL that can be queried by entering the certificate's serial number.
- A local computer can receive updates on the status of certificates and maintain a local copy of the CRL.

Two more specialized classes of digital certificates are what?

Class 4 (for online business transactions between companies) and Class 5 (for private organizations or governmental security)

The certificate life cycle is divided into four parts. What are they?

- Creation: occurs after the user is positively identified
- Suspension: may occur when an employee is on a leave of absence
- Revocation: the certificate is no longer valid
- Expiration: the key can no longer be used

A digital certificate that turns the address bar green is a(n) ____. a. Personal Web-Client Certificate b. Advanced Web Server Certificate (AWSC) c. X.509 Certificate d. Extended Validation SSL Certificate

D. Extended Validation SSL Certificate (historically; the major browsers removed the green address bar for EV certificates in 2019)

A digital certificate associates ____. a. a user's private key with the public key b. a private key with a digital signature c. a user's public key with his private key d. the user's identity with his public key

D. the user's identity with his public key

____ can be used to associate or "bind" a user's identity to a public key.

Digital certificates

Weaknesses of using digital signatures include what?

- They do not confirm the true identity of the sender.
- A digital signature only shows that the sender's private key was used to create the signature.
- They do not definitively prove who the sender was.
- An impostor could post a public key under the sender's name.

There are different means for a digital certificate requester to identify themselves to the registration authority. What are some?

- E-mail: insufficient for activities that must be very secure
- Documents: birth certificate, employee badge
- In person: providing a government-issued passport or driver's license

Certain procedures can help ensure that keys are properly handled. These procedures include what?

Escrow, expiration, renewal, revocation, recovery, suspension, and destruction

An enhanced type of server digital certificate is what?

Extended Validation SSL Certificate (EV SSL)

What can a Certificate Authority be?

- External to the organization, such as a commercial CA that charges for the service
- Internal to the organization, providing the service to its employees

Duties of a Certificate Authority include?

- Generate, issue, and distribute public key certificates
- Distribute CA certificates
- Generate and publish certificate status information
- Provide a means for subscribers to request revocation
- Revoke public-key certificates
- Maintain the security, availability, and continuity of the certificate issuance and signing functions

This is a protocol suite for securing Internet Protocol (IP) communications.

Internet Protocol Security (IPsec)

To simplify the relationships in the chain, all certificates contain these fields so that the web browser can determine the trusted root CA.

Issued To and Issued By fields

Using one or more RAs, sometimes called _____________ who can "off-load" these registration functions, can create an improved workflow.

Local Registration Authorities (LRAs)

This is a variation of OCSP.

OCSP stapling: the web server itself periodically obtains a time-stamped OCSP response for its certificate from the CA and attaches ("staples") it to the TLS handshake, so the client does not have to contact the CA's OCSP responder.

Information contained in digital certificate includes what?

- Owner's name or alias
- Owner's public key
- Issuer's name
- Issuer's digital signature
- Digital certificate's serial number
- Validity period (expiration date) of the certificate

These are frequently used to secure email transmissions.

Personal digital certificates (Class 1)

These are issued by an RA directly to individuals

Personal digital certificates (Class 1)

These are a numbered set of PKI standards that have been defined by RSA Laboratories.

Public key cryptography standards (PKCS); for example PKCS #1 (RSA), PKCS #7 (signed and enveloped messages), PKCS #10 (certificate signing request) and PKCS #12 (key and certificate bundle)

These standards are based on the RSA public key algorithm.

Public key cryptography standards (PKCS)

This is a framework for all of the entities involved in digital certificates, for the purpose of digital certificate management.

Public key infrastructure (PKI)

This is sometimes defined as that which supports other public key-enabled security services or certifies users of a security application.

Public key infrastructure (PKI)

This is the underlying infrastructure for the management of public keys used in digital certificates.

Public key infrastructure (PKI)

____ is a framework for all of the entities involved in digital certificates—including hardware, software, people, policies and procedures—to create, store, distribute, and revoke digital certificates

Public key infrastructure (PKI)

____ is a numbered set of PKI standards that have been defined by RSA Laboratories.

Public-key cryptography standards (PKCS)

General duties of a Registration Authority are?

- Receive, authenticate, and process certificate revocation requests
- Identify and authenticate subscribers
- Obtain a public key from the subscriber
- Verify that the subscriber possesses the asymmetric private key corresponding to the public key submitted for certification

This is a subordinate entity designed to handle specific CA tasks such as processing certificate requests and authenticating users.

Registration Authority (RA)

This is a command interface and protocol, originating on Linux/UNIX, for securely accessing a remote computer.

SSH

This is an encrypted alternative to the Telnet protocol that is used to access remote computers.

SSH

This protocol was developed by Netscape in 1994 in response to the growing concern over Internet security.

Secure Sockets Layer (SSL)

The most common cryptographic transport protocols are?

- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Secure Shell (SSH)
- Hypertext Transport Protocol Secure (HTTPS)
- IP security (IPsec)

These are often issued from a web server to a client, although they can be distributed by any type of server, such as an email server.

Server digital certificates

These are provided by software publishers.

Software publisher digital certificates

session keys

Symmetric keys, derived from the master secret negotiated during the SSL/TLS handshake, used to encrypt and decrypt the information exchanged during the session between a web browser and web server and to verify its integrity.

trust model

The type of trust relationship that can exist between individuals or entities.

This refers to a situation in which two individuals trust each other because each trusts a third party.

Third-party trust

This IPsec mode encrypts only the data portion (payload) of each packet and leaves the original IP header in the clear; it is used mainly host-to-host.

Transport mode

This IPsec mode encrypts the entire original packet, header and data, and encapsulates it in a new packet with a new, unencrypted outer IP header; it is used mainly for gateway-to-gateway VPN tunnels.

Tunnel mode

Aspects of using digital certificates are?

- Understanding their purpose
- Knowing how they are managed
- Determining which type of digital certificate is appropriate for different situations

What is the purpose of a trusted third party?

- Addresses the problem of verifying identity
- Verifies the owner and that the public key belongs to that owner
- Helps prevent a man-in-the-middle attack that impersonates the owner of a public key

The most widely accepted format for digital certificates is what?

X.509 international standard

The current version of X.509 is what?

X.509 v3

If there are many entities that require a digital certificate, or if they are spread out across geographical areas, what issues may a single centralized CA create?

Bottlenecks or inconveniences

With this model there is one CA that acts as a "facilitator" to interconnect all other CAs.

bridge trust model

A(n) ____ is a published set of rules that govern the operation of a PKI.

certificate policy (CP)

This is a published set of rules that govern the operation of a PKI.

certificate policy (CP)

This describes in detail how the CA uses and manages certificates.

certificate practice statement (CPS)

This is a more technical document than a CP.

certificate practice statement (CPS)

This is a named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with SSL and TLS.

cipher suite

In addition to email messages, _________ also can be used to authenticate the authors of documents

digital certificates

In this type of trust relationship, a relationship exists because one person knows the other person.

direct trust

This has multiple CAs that sign digital certificates.

distributed trust model

This is the basis for most end-user digital certificates used on the Internet

distributed trust model

This assigns a single hierarchy with one master CA called the root.

hierarchical trust model

Three PKI trust models use a CA. Name them.

The hierarchical trust model, the distributed trust model, and the bridge trust model

Additional topics for a CPS include what?

- How end users register for a digital certificate
- How to issue digital certificates
- When to revoke digital certificates
- Procedural controls
- Key pair generation and installation
- Private key protection

A hierarchical trust model has several limitations. What are some?

- If the CA's single private key were compromised, all digital certificates it issued would be worthless.
- Having a single CA that must verify and sign all digital certificates may create a significant backlog.

A process in which keys are managed by a third party, such as a trusted CA, is known as _____.

key escrow

Digital certificates normally have an expiration date. What is it?

Typically one year from the date issued (publicly trusted TLS server certificates have been limited to a maximum of 398 days since September 2020)

What is the normal expiration date of digital certificates?

Typically one year from the issue date (publicly trusted TLS server certificates are now limited to 398 days)

The most common categories of digital certificates are?

Personal digital certificates, server digital certificates, and software publisher digital certificates

Public key infrastructure involves what?

Public key cryptography standards, trust models, and managing the PKI

One of the important management tools for the use of digital certificates and asymmetric cryptography is what?

public key infrastructure

Most server digital certificates combine both server authentication and what?

secure communication between clients and servers on the web

____ digital certificates are often issued from a Web server to a client, although they can be distributed by any type of server, such as a mail server.

server

The master secret is used to create _______, which are symmetric keys to encrypt and decrypt information exchanged during the session and to verify its integrity.

session keys

Clicking this displays information about the digital certificate along with the name of the site.

the padlock icon

Once the CA receives and verifies the CSR, it inserts this into the certificate.

the public key

Server digital certificates perform two functions. What are they?

- They can ensure the authenticity of the web server.
- They can ensure the authenticity of the cryptographic connection to the web server.

There is a weakness with digital signatures. What is an example?

They do not confirm the true identity of the sender.

The current status of a certificate can be checked to determine if it has been revoked by two means. What are they?

Using a Certificate Revocation List (CRL), or using the Online Certificate Status Protocol (OCSP)
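The request-and-issue steps, the revocation reasons and CRL check, and the Issued To / Issued By chain walk described in the cards above, worked end to end as an added example. This is editor-written shell using the OpenSSL command-line tool, not material from the course text; the CA name Example Demo Root CA, the host name www.example.test and the working-directory layout are made up for the demo. It builds a one-level hierarchical CA, lets a requester generate a key pair and a PKCS #10 CSR, has the CA verify the CSR's signature and issue a certificate, then revokes that certificate and publishes a CRL so the relying-party check flips from valid to revoked.

```shell
#!/bin/sh
# Added example (not from the course text): a one-level hierarchical PKI built
# with the OpenSSL CLI. The requester makes a key pair and a CSR (PKCS #10),
# the CA verifies the CSR's self-signature, binds the public key into a
# certificate signed with the CA's private key, then revokes it and publishes
# a CRL. All names (Example Demo Root CA, www.example.test) are made up.
set -eu

# Minimal openssl.cnf for the demo CA, written into working directory $1.
# Paths are relative to $dir, so "openssl ca" is always run from inside $1.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca          = demo_ca

[ demo_ca ]
dir                 = .
database            = $dir/index.txt
new_certs_dir       = $dir/newcerts
serial              = $dir/serial
crlnumber           = $dir/crlnumber
certificate         = $dir/ca.crt
private_key         = $dir/ca.key
default_md          = sha256
default_days        = 365
default_crl_days    = 30
unique_subject      = no
policy              = policy_cn_only
x509_extensions     = v3_leaf

[ policy_cn_only ]
commonName          = supplied

[ req ]
distinguished_name  = dn
x509_extensions     = v3_ca
prompt              = no

[ dn ]
# the subject is supplied on the command line with -subj

[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints    = CA:FALSE
keyUsage            = critical, digitalSignature
extendedKeyUsage    = serverAuth
subjectAltName      = DNS:www.example.test
EOF
}

# Root CA setup: empty certificate database, serial counters, and a
# self-signed root certificate (the top of the hierarchy signs itself).
init_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  write_ca_config "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -x509 -new -config "$1/ca.cnf" -key "$1/ca.key" \
    -subj "/CN=Example Demo Root CA" -days 3650 -out "$1/ca.crt" 2>/dev/null
}

# Steps 1-2 (requester side): generate the key pair, then a CSR for CN=$2
# that the requester signs with the new private key. Signed, not encrypted.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/server.key"
  openssl req -new -config "$1/ca.cnf" -key "$1/server.key" \
    -subj "/CN=$2" -out "$1/server.csr" 2>/dev/null
}

# Steps 3-5 (CA side): check the CSR's self-signature (proof that the
# requester holds the private key), then issue a certificate containing the
# requester's public key, signed with the CA's private key.
ca_issue() {
  openssl req -in "$1/server.csr" -noout -verify 2>/dev/null
  (cd "$1" && openssl ca -batch -notext -config ca.cnf \
      -in server.csr -out server.crt >/dev/null 2>&1)
}

# Publish the CA's signed CRL (empty until something is revoked).
publish_crl() {
  (cd "$1" && openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null)
}

# Mark the server certificate revoked, e.g. because its private key was stolen.
revoke_cert() {
  (cd "$1" && openssl ca -config ca.cnf -revoke server.crt \
      -crl_reason keyCompromise 2>/dev/null)
}

# Relying-party check: build the chain to the root and consult the CRL.
# Prints VALID, REVOKED, or REJECTED (any other failure, e.g. no CRL: fail closed).
check_status() {
  out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
          "$1/server.crt" 2>&1) && { echo VALID; return 0; }
  case $out in *revoked*) echo REVOKED ;; *) echo REJECTED ;; esac
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
init_ca "$DEMO_DIR"
make_csr "$DEMO_DIR" www.example.test
ca_issue "$DEMO_DIR"
publish_crl "$DEMO_DIR"                      # nothing revoked yet
STATUS_BEFORE=$(check_status "$DEMO_DIR")    # VALID
revoke_cert "$DEMO_DIR"
publish_crl "$DEMO_DIR"                      # CRL now lists serial 1000
STATUS_AFTER=$(check_status "$DEMO_DIR")     # REVOKED

# "Issued To" (subject) and "Issued By" (issuer): a browser walks these
# fields from the server certificate up to a trusted root.
openssl x509 -in "$DEMO_DIR/server.crt" -noout -subject -issuer -serial
echo "before revocation: $STATUS_BEFORE; after revocation: $STATUS_AFTER"
```

Run it with sh; it needs only the openssl binary. The `openssl req -verify` step checks the requester's own signature on the CSR: that is the proof-of-possession check, and the reason the CSR is a signed rather than an encrypted message. check_status fails closed, so a certificate whose CRL cannot be fetched is rejected as well, which is the behaviour a relying party should want.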

The primary function of an RA is what?

to verify the identity of the individual

IPsec supports two encryption modes what are they?

transport and tunnel

X.509 systems also include a method for creating a Certificate Revocation List (CRL). (true/false)?

true

Digital signatures only show that the private key of the sender was used to create the digital signature (true/false)?

true (but they do not definitively prove who the sender was)
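The weakness described in this card and in the "Weaknesses of using digital signatures" card above, worked as an added example: this is editor-written shell using the OpenSSL command-line tool, not material from the course text, and the party names bob and mallory and the message are made up. Bob's signature verifies only under Bob's public key, but if an impostor publishes their own public key under Bob's name, their signature on a forged message verifies just as well. That is the gap a digital certificate closes by having a trusted third party bind the name to the key.

```shell
#!/bin/sh
# Added example (not from the course text): a raw digital signature proves
# that a particular private key signed the bytes, and nothing about who owns
# that key. Party names and the message text are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed message that Alice receives, supposedly from Bob.
printf 'Pay Carol 100 units\n' > "$WORK/msg.txt"

# Generate an EC key pair for party $1 and export its public half.
gen_keypair() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl ec -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Party $1 signs the message: SHA-256 digest, signed with $1's private key.
sign_msg() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/$1.sig" "$WORK/msg.txt"
}

# Verify signature $2.sig under the public key stored as $1.pub.
# Prints VALID or INVALID rather than exiting, so results can be compared.
verify_msg() {
  if openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/$2.sig" \
       "$WORK/msg.txt" >/dev/null 2>&1; then echo VALID; else echo INVALID; fi
}

gen_keypair bob
gen_keypair mallory
sign_msg bob
sign_msg mallory

# 1. Bob's signature checks out under Bob's genuine public key.
BOB_SIG_BOB_KEY=$(verify_msg bob bob)                       # VALID
# 2. Mallory's signature fails under Bob's key: a signature is bound to
#    whichever private key produced it.
MALLORY_SIG_BOB_KEY=$(verify_msg bob mallory)               # INVALID
# 3. Nothing in the signature says whose key it is. Mallory posts her own
#    public key labelled "Bob"; Alice fetches that file as Bob's key and the
#    forged message verifies perfectly. Binding the name to the key is the job
#    of a CA-signed certificate, not of the signature itself.
cp "$WORK/mallory.pub" "$WORK/bob-as-published.pub"
MALLORY_SIG_IMPOSTOR_KEY=$(verify_msg bob-as-published mallory)   # VALID

echo "genuine key: $BOB_SIG_BOB_KEY; wrong key: $MALLORY_SIG_BOB_KEY; impostor key posted as Bob's: $MALLORY_SIG_IMPOSTOR_KEY"
```

The third result is the point of the card: the mathematics says "this key signed this message", and only an out-of-band binding of "Bob" to a specific public key, which is exactly what a certificate issued by a trusted CA provides, turns that into "Bob signed this message".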

This is defined as confidence in or reliance on another person or entity

trust

A(n) ____ refers to the type of trusting relationship that can exist between individuals or entities.

trust model

What are the two types of certification authorities?

Trusted root certification authorities, and subordinate (intermediate) certification authorities

What does a third party do?

verifies the owner and that the public key belongs to that owner
