Lesson 6


Certificate Enrollment Process

1. Entity requests certificate
2. RA authenticates entity
3. Policy applied to request
4. Request sent to CA
5. CA issues certificate
6. Entity notified
7. Certificate installed

Certificate Life Cycle

1. Issuance - Root CA issues its self-signed key pair. Then sub CAs start to issue their certificates.
2. Enrollment
3a. Renewal
3b. Revocation
3c. Expiration
3d. Suspension

Private Key Replacement

1. Recover private key
2. Decrypt any encrypted data
3. Destroy the original private key
4. Obtain a new key pair
5. Re-encrypt the data using the new private key.

SSL Enrollment Process

1. Request - client requests session with server
2. Response - server responds by sending its digital certificate and public key to the client
3. Negotiation - server and client then negotiate encryption level
4. Encryption - once agreed on a level, the client generates a session key, encrypts it with the server's public key, and sends it to the server
5. Communication - the session key then becomes the key used in the conversation

Digital Certificate

An electronic document that associates credentials with a public key. Validates holder's identity and is a way to distribute the holder's public key.

Private Key Protection Methods

Back it up to removable media and store media securely
Delete it from insecure media
Require a password to store the private key
Never share a key
Never transmit a key on the network or across the Internet after it is issued
Consider using key escrow to store a private key with trusted third parties

Enterprise CA

CA that is integrated with AD

Standalone CA

CA that is not integrated with AD

What stores digital certificates?

Certificate repository database

PKCS #7

Cryptographic Message Syntax Standard. Describes the general syntax used for cryptographic data, such as digital signatures.

PKCS #10

Cryptographic Request Syntax Standard. Describes the syntax used to request certification of a public key and other info.

PKI Components

Digital certificates - to verify the identity of entities
One or more CAs - to issue digital certificates to computers, users, or apps
Registration Authority (RA) - responsible for verifying users' identities and approving or denying requests for digital certificates
Certificate repository database - to store the digital certificates
Certificate management system - to provide software tools to perform the day-to-day functions of the PKI
Certificate signing request (CSR) - a message sent to a CA in which a resource applies for a certificate

What does a CA Hierarchy help?

It distributes the workload and provides certificate services more efficiently.

If a CA is compromised, which certificates are invalid?

Its own and its children's.

Certificate Life Cycle Factors

Length of private key
Strength of cryptography used
Physical security of the CA and private key
Security of issued certificates and their private keys
Risk of attack
User trust
Administrative involvement

Two types of Root CAs

Private and public

Certificate Management System

Provide software tools to perform the day-to-day functions of the PKI

PKI

Public Key Infrastructure. A system that is composed of a CA, certificates, software, services, and other cryptographic components, for the purpose of enabling authenticity and validation of data and entities.

What are OCSP servers called?

Responders

Which CA issues and self-signs the first certificate in the hierarchy?

Root CA

What is the most secure way to configure a root CA?

Take it offline and let the subordinate CAs issue certificates.

What does the responder use to search for a certificate in a CA's database?

The certificate's serial number

What happens if the root CA's certificate expires?

The entire CA becomes inactive.

Public Key Cryptography Standards (PKCS)

The most common CSR format, developed to send info over the internet in a secure manner using a PKI

Certificate Authentication

The process of identifying end users in a transaction that involves a series of steps to be carried out before the user's identity is confirmed.

What happens when certificates are revoked before their expiration date?

They are rendered permanently invalid

M of N Control

Used to prevent a single authorized agent from recovering a key. A mathematical control that takes into account the total number of recovery agents (N) along with the number of agents required to perform a key recovery (M). If the number of agents attempting to recover a key does not meet or exceed M, then the key will not be recovered.

Certificate Signing Request (CSR)

a message sent to a CA in which a resource applies for a certificate

CA Hierarchy/Trust Model

a single CA or group of CAs that work together to issue digital certificates. Each CA in the hierarchy has a parent-child relationship with the CA directly above it.

Online Certificate Status Protocol (OCSP)

an HTTP-based alternative to a CRL for checking the status of revoked certificates.

Key escrow

An alternative to key backups; can be used to store private keys securely while allowing one or more trusted third parties access to the keys under predefined conditions. The third party is called the key escrow agent.

Subordinate CAs

any CAs below the root in the hierarchy. Issue certificates and provide day-to-day management of the certificates, including renewal, suspension, and revocation.

Private Root CA

created by a company for use primarily within the company itself. The root can be set up and configured in-house or contracted to a third-party vendor.

Public Root CA

created by a third-party or commercial vendor for general access by the public.

Certificate Revocation List (CRL)

list of certificates that were revoked before the expiration date. Contains requester's name, request ID number, the reason why the certificate was revoked and other pertinent info.

Registration Authority (RA)

responsible for verifying users' identities and approving or denying requests for digital certificates.

Root CA

the topmost CA in the hierarchy and the most trusted authority.

File encryption keys

used to encrypt files and stored by the public key.

Encrypting File System (EFS)

uses Microsoft NTFS-based public key encryption.
