lesson 5 quiz
What is key escrow?
Archiving a key with a third party.
What mechanism informs clients about suspended or revoked keys?
Either a published certificate revocation list (CRL) or an Online Certificate Status Protocol (OCSP) responder.
The X.509 standard defines the fields (information) that must be present in a digital certificate. Which of the following is NOT a required field?
Endorsement key
What is the purpose of a server certificate?
Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.
Evaluate the differences between hardware and software-based key storage and select the true statement.
HSM may be less susceptible to tampering and insider threats than software-based storage.
What mechanism does HPKP implement?
HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
If not managed properly, certificate and key management can represent a critical vulnerability. Assess the following statements about key managment and select the true statements. (Choose two)
It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key. If a private key or secret key is not backed up, the storage system represents a single point of failure.
What are the potential consequences if a company loses a private key used in encrypted communications?
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.
Consider the Public Key Infrastructure (PKI) Trust Model. In which of the following is the root NOT the single point of failure?
Offline CA
What type of certificate format can be used if you want to transfer your private key from one host computer to another?
PKCS #12 / .PFX / .P12.
Consider the process of obtaining a digital certificate and determine which of the following statements is incorrect.
Registration is the process where end users create an account with the domain administrator.
What does it mean if a certificate extension is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate
What extension field is used with a web server certificate to support the identification of the server by multiple subdomain labels?
The Subject Alternative Name (SAN) field.
Which of the following defines key usage with regard to standard extensions?
The purpose for which a certificate was issued.
Consider the lifecycle of an encryption key. Which of the following is NOT a stage in a key's lifecycle?
Verification
Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following is NOT true.
X.509 links the identiy of a user to a public key, while PGP links that identity to a private key.
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions
What is an HSM?
A hardware security module (HSM) is any type of system for performing cryptographic operations and storing key material securely. An HSM is usually provisioned as a network-connected appliance, but it could also be a portable device connected to a PC management station or a plugin card for a server.
What cryptographic information is stored in a digital certificate?
The owner's public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
How does a subject go about obtaining a certificate from a CA?
The subject generates a key pair then adds the public key along with subject information and supported algorithms and key strengths to a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it puts the public key and subject information into a certificate and signs it to guarantee its validity.
A user enters the web address of a favorite site and the browser returns: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. Applying knowledge of server certificates, select the circumstances that could cause this error message. (Choose two)
The system's time setting is incorrect. The certificate expired.
What trust model enables users to sign one another's certificates, rather than using CAs?
The web of trust model. You might also just refer to this as PGP encryption