Module 07: Public Key Infrastructure and Cryptographic Protocols
expiration
The date and time (the notAfter value of an X.509 certificate's validity period) after which the certificate is no longer valid; relying parties reject it even though the private key still works.
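An added example, not part of the original flashcard set: a parser for the two ASN.1 time encodings that X.509 validity fields use (UTCTime and GeneralizedTime), together with an expiration check. The two-digit UTCTime year rule and the 2050 cutover are real RFC 5280 details that trip up hand-written checks; the sample validity values below are constructed, not taken from any real certificate.

```python
from datetime import datetime, timezone


def parse_x509_time(value: str) -> datetime:
    # X.509 validity uses ASN.1 Time, which RFC 5280 restricts to two forms, both UTC ('Z'):
    #   UTCTime         YYMMDDHHMMSSZ    (13 chars) for dates through 2049
    #   GeneralizedTime YYYYMMDDHHMMSSZ  (15 chars) for 2050 and later
    # UTCTime has a two-digit year: 50..99 mean 1950..1999 and 00..49 mean 2000..2049.
    if not value.endswith("Z"):
        raise ValueError("X.509 times must be UTC and end with 'Z'")
    digits = value[:-1]
    if not digits.isdigit():
        raise ValueError("fractional seconds or UTC offsets are not allowed")
    if len(digits) == 12:                      # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:                    # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
        if year < 2050:
            # RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime; strict validators reject this.
            raise ValueError("dates before 2050 must be encoded as UTCTime")
    else:
        raise ValueError("unexpected time length")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    # datetime() itself rejects impossible values such as month 13 with ValueError.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def is_strict_x509_time(value: str) -> bool:
    # True only if `value` is a time a strict X.509 validator would accept.
    try:
        parse_x509_time(value)
        return True
    except ValueError:
        return False


def validity_status(not_before: str, not_after: str, now) -> str:
    # Returns 'valid', 'not yet valid' or 'expired'. Both ends of the period are inclusive,
    # so a certificate is still valid at exactly its notAfter second. `now` may be a
    # datetime or an X.509 time string.
    if isinstance(now, str):
        now = parse_x509_time(now)
    nb, na = parse_x509_time(not_before), parse_x509_time(not_after)
    if nb > na:
        raise ValueError("notBefore is later than notAfter")
    if now < nb:
        return "not yet valid"
    if now > na:
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed validity values, not copied from a real certificate.
    print(validity_status("230101000000Z", "240101000000Z", datetime.now(timezone.utc)))
```

The GeneralizedTime-before-2050 rejection is deliberately strict; some libraries accept such certificates, but a CA that emits them is not RFC 5280 conformant, and a forensic tool that silently accepts them hides that fact.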
user digital certificate
The end-entity (leaf) certificate at the end of the certificate chain, issued to a person, device or service rather than to a CA; it cannot be used to sign other certificates.
certificate authority (CA)
The trusted entity that issues, digitally signs, manages and revokes digital certificates.
intermediate certificate authority (CA)
A subordinate CA whose own certificate is signed by the root CA (or by another intermediate) and which issues end-entity certificates on the root's behalf, so the root can stay offline. (Verifying the applicant's identity is the job of the registration authority, not of the intermediate CA.)
unauthenticated mode of operation
A block cipher mode of operation that provides confidentiality only, with no assurance of integrity or origin (for example CBC or CTR); a forged or modified ciphertext decrypts without any error.
authenticated mode of operation
A block cipher mode of operation that provides confidentiality together with authentication of the ciphertext (authenticated encryption, for example GCM or CCM), so tampering is detected before any plaintext is released.
.P7B
The file extension for a Cryptographic Message Syntax Standard file based on PKCS#7, a generic syntax for digital signatures and encryption; P7B files carry certificates and certificate chains but never private keys.
.P12
The file extension for a Personal Information Exchange Syntax Standard file based on PKCS#12, the password-protected format for storing and transporting a user's private key together with its public key certificate (and chain).
.cer
The file extension for an X.509 certificate, conventionally DER-encoded binary, although the same extension is also used for Base64 (PEM) text files.
What can a digital certificate NOT be used for?
To verify the authenticity of the CA
True or False: A cipher suite is a named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with TLS.
True
True or False: Counter (CTR) mode requires that both the message sender and receiver maintain a counter that produces a new value for each block that is encrypted or decrypted.
True
Transport mode
An IPsec mode that protects only the payload of each packet and leaves the original IP header in the clear; used for host-to-host traffic.
Authentication Header (AH)
An IPsec protocol that provides integrity, data-origin authentication and anti-replay protection for each packet (covering most of the IP header as well) but no encryption.
Encapsulating Security Payload (ESP)
An IPsec protocol that encrypts the packet payload and can also authenticate it; ESP with authentication is the normal choice today and AH is rarely used.
Counter (CTR)
A block cipher mode of operation in which sender and receiver each keep a counter that advances for every block; each counter value (together with a nonce) is encrypted with the block cipher and the result is XORed with the plaintext. The same nonce and counter must never be reused under one key.
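An added example, not part of the original flashcard set: CTR mode built up from its definition, showing both sides deriving the same keystream from a shared key, nonce and counter, and the failure mode a practitioner must know: reusing a nonce under one key leaks the XOR of two plaintexts. To stay standard-library only, the block cipher call is replaced by an HMAC-SHA256 keyed function (an assumption of this example, not a recommendation); with AES-CTR the structure is identical.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12   # bytes of nonce; the remaining 4 bytes of the counter block are the block counter
BLOCK_LEN = 32   # output size of the stand-in block function below


def block_encrypt(key: bytes, counter_block: bytes) -> bytes:
    # Stand-in for the block cipher call E_K(counter_block). HMAC-SHA256 is used only so the
    # example runs with the standard library; with AES the structure is identical and
    # BLOCK_LEN would be 16. (Assumption of this example, not a recommendation.)
    return hmac.new(key, counter_block, hashlib.sha256).digest()


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Both sides hold the same key and nonce and advance the counter for every block, so
    # each independently produces the same keystream E_K(nonce || 0), E_K(nonce || 1), ...
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    out = bytearray()
    counter = 0
    while len(out) < length:
        counter_block = nonce + counter.to_bytes(4, "big")
        out += block_encrypt(key, counter_block)
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the keystream.
    keystream = ctr_keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def nonce_reuse_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # Failure mode: two messages encrypted under the same key AND nonce share a keystream,
    # so c1 XOR c2 == p1 XOR p2. Knowing (or guessing) p1 reveals p2 with no key at all.
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], known_p1[:n]))


def demo() -> bytes:
    key = hashlib.sha256(b"example key, not for production").digest()
    nonce = os.urandom(NONCE_LEN)               # correct use: a fresh nonce per message
    ct = ctr_crypt(key, nonce, b"hello, counter mode")
    assert ctr_crypt(key, nonce, ct) == b"hello, counter mode"

    reused = bytes(NONCE_LEN)                   # misuse: same nonce for two messages
    p1, p2 = b"attack at dawn, regiment two", b"retreat at dusk, regiment one"  # constructed
    c1, c2 = ctr_crypt(key, reused, p1), ctr_crypt(key, reused, p2)
    return nonce_reuse_leak(c1, c2, p1)         # recovers the first 28 bytes of p2, no key needed


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the mode detects a flipped ciphertext bit: CTR is an unauthenticated mode, which is why deployments pair it with a MAC or use GCM, which is CTR plus a polynomial authenticator.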
online CA
A certificate authority that is directly connected to a network so it can issue certificates and publish revocation data on demand; typically an issuing (intermediate) CA.
offline CA
A certificate authority that is kept disconnected from any network, typically the root CA, and is brought up only to sign intermediate CA certificates and its CRL, limiting exposure of the root key.
email digital certificate
A certificate that allows a user to digitally sign and encrypt mail messages.
root digital certificate
The self-signed certificate of the root CA, the trust anchor at the top of the chain; it is not verified by any higher authority but by its presence in the relying party's trust store.
Personal Information Exchange (PFX)
A binary container format (PKCS#12) that bundles a certificate, its chain and the matching private key under a password; used to move a certificate together with its key into Windows, web servers and applications.
Privacy Enhanced Mail (PEM)
A text format that holds DER-encoded X.509 data as Base64 between -----BEGIN ...----- and -----END ...----- lines; one PEM file can contain several certificates, such as a whole chain.
SSL stripping
A man-in-the-middle attack that intercepts a client's initial plaintext HTTP request and keeps the client on HTTP, rewriting https:// links and redirects, while the attacker speaks TLS to the real server; HTTP Strict Transport Security (HSTS) is the defense.
Secure Sockets Layer (SSL)
An early and widespread cryptographic transport protocol that is now obsolete and must not be enabled (SSL 3.0 was formally deprecated in 2015).
Secure Shell (SSH)
An encrypted alternative to the Telnet protocol that is used to access remote computers.
registration authority
An entity that is responsible for verifying the credentials of the applicant for a digital certificate.
Certificate Revocation List (CRL)
A signed list, published by a CA, of the serial numbers of certificates it has revoked before their expiration date.
cipher suite
A named combination of the key exchange, authentication, bulk encryption and message authentication code (MAC) algorithms used by TLS or SSL, for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; TLS 1.3 suites name only the AEAD cipher and the hash.
stapling
OCSP stapling: the web server itself queries the OCSP responder at regular intervals, receives a signed, time-stamped response, and attaches (staples) it to the TLS handshake, so the client learns the certificate's status without contacting the CA.
Key escrow
A process in which keys are managed by a third party, such as a trusted CA.
Online Certificate Status Protocol (OCSP)
A protocol by which a client performs a real-time lookup of a certificate's revocation status with the CA's OCSP responder.
Secure Real-time Transport Protocol (SRTP)
A protocol for providing protection for Voice over IP (VoIP) communications.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
A protocol for signing and encrypting email messages using digital certificates.
Internet Protocol Security (IPsec)
A protocol suite for securing Internet Protocol (IP) communications.
self-signed
A certificate signed with its own private key rather than by a CA, so it does not depend on any higher-level authority; it is trusted only where it has been explicitly installed.
Certificate Signing Request (CSR)
A message (PKCS#10) containing the applicant's public key and identifying information, signed with the applicant's private key and sent to a CA, which issues the certificate from it.
Transport Layer Security (TLS)
The widespread cryptographic transport protocol that replaced SSL; the current versions are TLS 1.2 and TLS 1.3.
Subject Alternative Name (SAN)
An X.509 extension listing the host names (or IP addresses, email addresses) for which a certificate is valid. A SAN certificate, also sold as a Unified Communications Certificate (UCC), covers several names and was originally aimed at Microsoft Exchange and unified communications servers; modern browsers match the host name only against the SAN, never the common name.
tunnel mode
An IPsec mode that encrypts the entire original packet, header and payload, and wraps it in a new IP header; used between gateways, as in site-to-site VPNs.
Which is NOT a means by which a newly approved root digital certificate is distributed
Application Updates
What is achieved by Security Orchestration, Automation, Response (SOAR)?
Automation
A centralized directory of digital certificates is called a(n):
Certificate repository (CR)
Extended Validation (EV) certificate
Certificate that requires more extensive verification of the legitimacy of the business than does a domain validation digital certificate.
domain validation digital certificate
Certificate that verifies the identity of the entity that has control over the domain name.
code signing digital certificate
Certificate used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and that no unauthorized third party has altered it.
wildcard digital certificate
A certificate issued for *.example.com (usually with example.com itself listed as well) so that one certificate covers the main domain and its direct subdomains; the wildcard matches a single label, so a.b.example.com is not covered.
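An added example, not part of the original flashcard set, covering the Subject Alternative Name and wildcard cards together: the host name matching a TLS client performs against a certificate's SAN dNSName entries, including the single-label wildcard rule and the legacy fallback to the common name. The names used are the reserved example.com domain; the matching rules follow RFC 6125 section 6.4.3 as narrowed by modern browsers (assumptions of this example are marked in comments).

```python
def match_dns_name(pattern: str, hostname: str) -> bool:
    # Match one SAN dNSName (possibly a wildcard) against a host name.
    # - comparison is case-insensitive and a trailing dot is ignored
    # - a wildcard is accepted only as the whole left-most label ("*.example.com")
    # - it matches exactly one label: a.example.com yes; a.b.example.com and example.com no
    # - "*.com" is refused: the wildcard must be followed by at least two labels
    #   (approximation of the public-suffix rule; assumption of this example)
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                       # partial wildcards such as f*.example.com refused
    if len(p_labels) < 3:
        return False                       # "*.com" would cover every domain under the TLD
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches_cert(hostname: str, san_dns_names, common_name=None):
    # Return the SAN entry that matched, or None. The CN is consulted only when the
    # certificate has no SAN dNSName at all, mirroring legacy clients; modern browsers
    # ignore the CN entirely, so a certificate with a SAN that omits the host fails.
    if san_dns_names:
        for name in san_dns_names:
            if match_dns_name(name, hostname):
                return name
        return None
    if common_name is not None and match_dns_name(common_name, hostname):
        return common_name
    return None


if __name__ == "__main__":
    # Constructed certificate names for a wildcard certificate on example.com.
    sans = ["example.com", "*.example.com"]
    for host in ["example.com", "www.example.com", "a.b.example.com"]:
        print(host, "->", hostname_matches_cert(host, sans))
```

The last line of the demo prints None for a.b.example.com: a wildcard certificate does not cover nested subdomains, which is the practical reason deep hierarchies need their own names in the SAN.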
machine/computer digital certificate
Certificate used to verify the identity of a device in a network transaction.
What is the strongest technology that would assure you who is the sender of a message?
Digital certificate
What attributes are required for an X.509-compliant digital certificate?
The subject's public key, a subject name (common name), and a validity period
True or False: A block cipher mode of operation specifies how block ciphers should handle streams.
False
True or False: A digital certificate is a technology used to associate a user's identity to a public key and that has been digitally signed by the owner of the private key.
False
True or False: A root CA should always be kept online
False
True or False: SSL is a replacement cryptographic protocol for TLS.
False
True or False: When a digital certificate is revoked, the user must update internal records and any CRL with the required certificate information and time stamp.
False
certificate attributes
Fields in an X.509 digital certificate that are used when parties negotiate a secure connection.
What tasks must be completed before a user requests a certificate from a CA?
Generate the public/private key pair (the public key goes into the CSR; the private key never leaves the requester)
pinning
Hard-coding (or otherwise fixing in advance) the digital certificate, or the hash of its public key, within a program, so the program accepts only that certificate for a host even if a CA would vouch for another; key rotation must be planned or the program breaks.
block cipher mode of operation
The procedure by which a symmetric block cipher, which on its own encrypts a single fixed-size block, is applied to a message of many blocks to provide an information service such as confidentiality or authenticity (ECB, CBC, CTR, GCM).
Which entity in the certificate authority (CA) hierarchy validates the certificate request from a client?
Registration Authority (RA)
True or False: The hierarchical trust model assigns a single hierarchy with one master CA called the root.
True
certificate chaining
Linking several certificates together to establish trust between all the certificates involved.
Which method of threat hunting includes disrupt, deny, destroy, and degrade actions?
Maneuvering
You want the latest status of a digital certificate. Which technology or protocol would you use?
Online Certificate Status Protocol (OCSP)
What is the file extension for a Cryptographic Message Syntax Standard based on PKCS#7 that defines a generic syntax for defining digital signature and encryption?
P7B
Which is a protocol for securely accessing a remote computer in order to issue a command?
Secure Shell (SSH)
Which protocol would you use to access a remote computer and execute commands?
Secure Shell (SSH)
Which of the following is used for continuous monitoring of logs?
Security information and event management (SIEM)
Which certificates should you use with a web server for testing purposes?
Self-Signed
______________ ________ are symmetric keys to encrypt and decrypt information exchanged during the session and to verify its integrity.
Session keys
key management
The administration, within a PKI, of the whole lifecycle of keys and certificates: generation, storage, distribution, renewal, revocation and destruction.
common name (CN)
The subject field of a certificate that traditionally held the name of the device or service it protects; modern clients ignore it in favour of the Subject Alternative Name extension.
trust model
The type of trust relationship that can exist between individuals or entities.
Public key infrastructure (PKI)
The underlying infrastructure for the management of public keys used in digital certificates.
Which is the first step in a key exchange?
The web browser sends a message ("ClientHello") to the server.
Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
Binary ASN.1 encoding rules for X.509 structures; DER, which allows exactly one encoding for any value, is the one used for certificates and signatures.
Hypertext Transport Protocol Secure (HTTPS)
HTTP sent over TLS (Transport Layer Security) or, historically, SSL (Secure Sockets Layer).
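An added example, not part of the original flashcard set, serving both the PEM card and the CER/DER card: a DER tag-length-value encoder and decoder that enforces the definite, minimal-length rule DER adds on top of BER, plus PEM framing that turns a bundle of Base64 blocks back into DER blobs. The sample structure it encodes is a constructed stand-in (serial number plus a name), valid DER but not a real certificate.

```python
import base64
import textwrap


def der_encode(tag: int, content: bytes) -> bytes:
    # DER TLV with definite length: short form (< 128) or long form (0x80 | number of
    # length bytes, then the length big-endian). DER requires the minimal number of bytes.
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_decode(data: bytes, offset: int = 0):
    # Decode one TLV at `offset`; return (tag, content, next_offset). Rejects the
    # indefinite and non-minimal lengths that BER permits but DER forbids.
    if offset + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[offset], data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        num = first & 0x7F
        lb = data[pos:pos + num]
        if len(lb) != num:
            raise ValueError("truncated length")
        if lb[0] == 0:
            raise ValueError("non-minimal length (leading zero byte)")
        length = int.from_bytes(lb, "big")
        if length < 0x80:
            raise ValueError("non-minimal length (short form required)")
        pos += num
    content = data[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated content")
    return tag, content, pos + length


def is_strict_der(data: bytes) -> bool:
    # True only if `data` is exactly one DER value with no trailing bytes.
    try:
        _, _, end = der_decode(data)
        return end == len(data)
    except (ValueError, IndexError):
        return False


def to_pem(label: str, der: bytes) -> str:
    # PEM framing: Base64 of the DER bytes, wrapped at 64 columns between BEGIN/END lines.
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def from_pem(text: str):
    # Split a PEM bundle into (label, der) pairs; a bundle may hold many blocks (a chain).
    blocks, label, buf = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, buf = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and label is not None:
            if line[len("-----END "):-5] != label:
                raise ValueError("mismatched BEGIN/END labels")
            blocks.append((label, base64.b64decode("".join(buf), validate=True)))
            label = None
        elif label is not None and line:
            buf.append(line)
    return blocks


def build_sample_structure() -> bytes:
    # Constructed stand-in for a certificate body: SEQUENCE { INTEGER serial, UTF8String name }.
    # Valid DER, but not a real certificate (a real one also has issuer, validity, key, ...).
    serial = der_encode(0x02, b"\x01")
    name = der_encode(0x0C, b"CN=example test")
    return der_encode(0x30, serial + name)


if __name__ == "__main__":
    bundle = to_pem("CERTIFICATE", build_sample_structure())
    print(bundle)
    for label, der in from_pem(bundle):
        print(label, der.hex(), is_strict_der(der))
```

The strict length checks matter beyond tidiness: a signature is computed over the DER bytes, and a parser that also accepts the BER variants allows two byte strings to decode to the same structure, which is how several historical certificate-parsing bugs arose.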