Sec 5 Quiz
What is the key lifecycle stages?
A key's lifecycle may involve the following stages:• Key generation• Certificate generation• Storage• Revocation• Expiration and renewal
What is the difference between a revoked key and a suspended key? A suspended key results from a key being compromised, a revoked key results from a key expiring. A suspended key can be re-enabled, a revoked key cannot. A revoked key results from a key being compromised, a suspended key results from a key expiring. A revoked key can be re-enabled, a suspended key cannot.
A suspended key can be re-enabled, a revoked key cannot.
All certificates use ___________, which converts certificate information into binary. PEM DER Base64 ASCII
DER
The X.509 standard defines the fields (information) that must be present in a digital certificate. Which of the following is NOT a required field? Extensions Endorsement key Public key Version
Endorsement key
Which of the following is NOT a responsibility of a CA? Manage the servers that store and administer the certificates. Ensure the validity of certificates and the identity of those applying for them. Perform key and certificate lifecycle management. Establish a web of trust between a user and other users who are providing verification for their certificate.
Establish a web of trust between a user and other users who are providing verification for their certificate.
What is the purpose of a server certificate? Guarantee the validity of a browser plug-in or software application. Allow signing and encrypting email messages. Guarantee the identity of e-commerce sites and other websites that gather and store confidential information. Provide identification for the certificate authority.
Guarantee the identity of e-commerce sites and other websites that
Evaluate the differences between hardware and software-based key storage and select the true statement. In hardware-based storage, the key is stored on a server. Software-based storage and distribution is typically implemented using removable media or a smart card. In hardware-based storage, security is provided by the operating system Access Control List (ACL). HSM may be less susceptible to tampering and insider threats than software-based storage.
HSM may be less susceptible to tampering and insider threats than software-based storage.
What is a dedicated appliance for generating and storing cryptographic keys? Key Escrow SIM Card Hardware Security Module (HSM) Repository
Hardware Security Module (HSM)
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key management and select the true statements. (Choose 2) It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. The same private key can securely encrypt and sign a document. If a key used for signing and encryption is compromised, it can be easily destroyed and a new key issued. If a private key or secret key is not backed up, the storage system represents a single point of failure.
It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. If a private key or secret key is not backed up, the storage system represents a single point of failure. A key used for encryption cannot be destroyed so easily, as the data encrypted by it has to be recovered first. If the same private key is used for multiple purposes, and the key is compromised, then multiple uses of the key are threatened.
What is key escrow & PGP?
Key escrow - refers to archieving a key with a third party PGP- Pretty Good Privacy -> popular open standard for encrypting email communication or file/desk encryption
Which of the following are ways to inform users whether a certificate is valid, revoked, or suspended? (Choose 2) OCSP RA CRL ASCII
OCSP CRL
What process is described below: The SSL/TLS web server periodically obtains a time-stamped OCSP response from the CA. When a client submits an OCSP request, the web server returns the time-stamped response, rather than making the client contact the OCSP responder itself. PGP Certificate Pinning Key Escrow OCSP Stapling
OCSP Stapling
Consider the process of obtaining a digital certificate and determine which of the following statements is incorrect. The registration function may be delegated by the CA to one or more RAs. Registration is the process where end users create an account with the RA and become authorized to request certificates. CAs ensure the validity of certificates and the identity of those applying for them When a subject wants to obtain a certificate, it completes a CSR.
Registration is the process where end users create an account with the RA and become authorized to request certificates.
A single certificate can be issued for use with multiple subdomains in the following ways: (Choose 2) Subject Alternative Name (SAN) Wildcard Domain FQDN OCSP
Subject Alternative Name (SAN) Wildcard Domain
A digital certificate has been received with a particular extension marked as critical. What does this marker signify? That the application processing the certificate must process the critical extension first before processing any further information on the certificate. That the application processing the certificate must forward the certificate on to the Root CA to handle the extension. That the application processing the certificate must give its best-effort to process the critical extension, but process the remainder of the certificate even if it cannot. That the application processing the certificate must be able to interpret it, or else the certificate should be rejected.
That the application processing the certificate must be able to interpret it, or else the certificate should be rejected.
Which of the following defines key usage with regard to standard extensions? The ability to create a secure key pair The purpose for which a certificate was issued To archive a key with a third party Configuring the security log to record key indicators
The purpose for which a certificate was issued
A user enters the web address of a favorite site and the browser returns: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. He also made sure he didn't mistype the address. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Choose 2) The certificate is pinned. The system's time setting is incorrect. The certificate expired. The OCSP staple did not refresh.
The system's time setting is incorrect. The certificate expired.
Consider the lifecycle of an encryption key. Which of the following is NOT a stage in a key's lifecycle? Revocation Expiration and renewal Verification Storage
Verification
PGP operates under what kind of model? Web of trust GPG Hierarchial Chain of trust
Web of trust
Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following is NOT true. X.509 certificates are signed by a single Certificate Authority, where PGPs are signed by multiple users. X.509 operates under a hierarchical trust model, where PGP uses a web of trust. X.509 and PGP are both implementations of the PKI Trust Model. X.509 links the identity of a user to a public key, while PGP links that identity to a private key.
X.509 links the identity of a user to a public key, while PGP links that identity to a private key.
What is certificate pinning?
refers to several techniques to ensure that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate.
The hierarchical model, a single CA called the _____ issues certificates to several ____- CAs, which then give certificates to the end subjects.
root intermediate
