Security+ - Chapter 15 - Certificates
The original file extension for .509 certificates is ______.
.pfx
What Windows utility is used to implement certificates? For security purposes, should be done before using this tool?
Active Directory Certificate Services (ADCS) Obtain OIDs.
In host-to-host IPSec connections, who uses IPSec? In gateway-to-gateway IPSec connections, who uses IPSec?
1. All the hosts. 2. None of the hosts--the gateways use it instead.
What are two components of an X.509 certificate?
1. Owner information (includes public key). 2. Certificate authority information.
The original ruleset governing the encoding of ASN.1 data structures is _______.
Basic Encoding Rules (BER)
A restricted version of BER that only allows the use of one encoding type is ______.
Canonical Encoding Rules (CER)
A restricted version of BER typically used for X.509 certificates is ______. What are three things is restricts?
Distinguished Encoding Rules (DER); 1. Length. 2. Character strings. 3. Sorting.
In an IPSec environment, the ______ offers integrity, authenticity, and confidentiality of packets.
Encapsulating Security Paylord
X.690
ITU-T standard that specifies coding formats.
How does a user obtain a digital identity certificate from a CA?
Initiates a certificate signing request (CSR) and present proof of identity and a public key.
A certificate format that uses base64-encoded ASCII character is ______. This uses the X.690 standard _____.
Privacy-enhanced Electronic Mail (PEM); DER
Two forms of certificate invalidation are _____ and ______. What is the difference between the two?
Revoked: a certificate can never be used again. Hold: a certificate is temporarily invalidated.
A binary certificate format based on PKCS#12 is _____.
P12/PFX
When using SSH to connect remotely, the computer that is controlled runs the ______.
SSH daemon
A device that provides additional processing power for SSL/TLS servers is a ______.
SSL/TLS accelerator
One alternative name for OCSP stapling is _____.
TLS Certificate Status Request
What is one way to avoid corrupting the CA chain of trust?
Use an offline CA and transmit certificates via removable media.
A common PKI standard that digital certificates are based on is _______.
X.509
An end-entity certificate handshakes with _____. This then communicates with the root certificate authority by first ______ and then ______.
an intermediate certificate; handshaking; self-signing with its public key
To recover lost or corrupted keys, the first step is to ______. Once this is done, a ______ can be employed to retrieve them.
archive them at an Enterprise-level CA; key recovery agent
When sharing session keys via SSL/TLS, session keys are encrypted via ______.
asymmetric encryption
In an IPSec environment, the ______ offers authentication and integrity by using ______.
authentication header; keyed hashes
A decentralized, peer-to-peer model that uses self-signed certificates is known as a _______.
web of trust
A certificate that applies to a website and all subdomains is known as a ______.
wildcard certificate
A certificate that validates a software, application, or other executable file is called a ______ certificate.
code signing
SSL certificates that validate the rights of an applicant to use a domain name are _______ certificates.
domain validation
SSL/TLS are often targeted by attacks that reduce their quality or version. This is called a _______, and one method used to mitigate this is by ______.
downgrade attack; disabling backwards compatibility
When a secure copy of a user's private key is held in case the key is lost, it is known as ______.
key escrow
______ are optional extensions for X.509 certificates that can provide additional information about a certificate.
object identifiers (OIDs)
A ______ verifies requests for a certificate.
registration authority
The anchor of the certificate chain of trust is the _______.
root certificate authority
In an IPSec environment, the ______ establishes secure connections and shared security information. This is usually done through ______.
security association; Internet Key Exchange (IKE)
What part of a certificate allows for the certification of additional hostnames, domain names, IP addresses, etc.?
subject alternative name (SAN)
When using SSL/TLS, session data is encrypted via ______.
symmetric encryption
What is the first step of submitting a CSR to a CA?
Generating a private key via RSA.
When a browser validates a single certificate, it uses ______.
Online Certificate Status Protocol (OCSP)
How can you tell if a certificate is in PEM format?
Open it with a text editor and look for the "Begin/End Certificate" statements.
What is one additional way to create a .pfx file?
Combining a private key with a PKCS #7 .p7b file.
What is the difference between OCSP and CRL?
OCSP allows a browser to check the status of a single certificate from a CA, whereas the CRL downloads an entire list of revoked certificates from a CA.
What is the difference between one-to-one and many-to-one certificate mapping?
One-to-one: maps one certificate to one user. Many-to-one: maps multiple certificates to one user.
What layer do SSL/TLS function at?
Transport (L4). They begin there but the actual encryption occurs at the Session layer (L5).
What is the function of PPTP?
Used with PPP in dial-up connections for VPN access.
What is the best way to secure PPTP?
Using EAP-TLS or PEAP.
SSL certificates that thoroughly vet an organization are ______ certificates.
extended validation
SSL certificates that validate the authenticity of an organization are ______ certificates.
organizational validation
What are the two types of file extensions used by P12/PFX?
1. .p12 2. .pfx
What are the four types of file extensions used by PEM?
1. .pem 2. .cer 3. .crt 4. key
What are two drawbacks of OCSP? How does OCSP stapling fix this?
1. High overhead on the CA because it must respond to every client request. 2. Doesn't require encryption. OCSP stapling requires the presenter of a certificate to bear the resource cost rather than the CA.
What does S/MIME provide? What is one downside of this protocol?
Authentication, integrity, non-repudiation of origin. Encrypts malware along with the message.
PEM is a certificate type that uses ______ as its coding format.
Base64 ASCII
What are the downsides of a web of trust?
Doesn't use a certificate authority, so users must decide which certificates to trust.
What IPSec mode is for host-to-host communications and which is used for network-to-network communications?
Host-to-host: transport. Network-to-network: tunnel.
What is the P12/PFX typically used for? How does it store files?
Importing/exporting certificates and private keys. Stores server certificate, intermediate certificates, and private keys in a single encryptable file.
What is the difference between IPSec tunnel and transport modes?
In tunnel mode, the entire packet is encrypted by encapsulating the packet within a new packet. In transport mode, only the payload is encrypted; the header is not.
At what layer does IPSec operate? What are the three protocols it uses?
Network (L3). 1. Security Association (SA). 2. Authentication Header (AH). 3. Encapsulating Security Payload (ESP).
To secure email communications, you might use ______ or ______. To secure e-commerce or website logins. you might use ______. To secure direct connections with other machines, you might use ______. To secure virtual connections to other networks, you might use ______.
PGP or S/MIME; TLS; SSH; L2TP or PPP
What is the difference between single-sided and dual-sided certificates?
Single-sided certificates only validate the server, not the user, whereas dual-sided certificates validate both.
How is L2TP secured?
Via IPSec.
When communicating via SSL/TLS, two keys are required: ______.
a public key and session key
A website is encrypted via SSL/TLS by using a ______ and then encrypting it via ______.
a random session key; the server's public key
PKCS#12 and DER certificates use _____ as their coding format.
binary
The ______ issues certificates and verifies identities. It is usually a _______. In a PKI system, it is known as a _______.
certificate authority (CA); server; trusted third party
When a client checks the public key in the server's certificate against a hashed public key used for the server name, it is known as ______ (a.k.a. ______, a.k.a. _____). This can be used to prevent ______ attacks.
certificate pinning; SSL pinning; public key pinning; man in the middle
A list of certificates that are no longer valid is known as the ________.
certificate revocation list (CRL)
Digitally signed electronic documents that bind a public key with a user identity are known as _____.
certificates