Chapter 6 - Implementing Public Key Infrastructure Flashcards - Quizlet

17/04/2023, 21:23 Chapter 6: Implementing Public Key Infrastructure Flashcards | Quizlet
Science Computer Science Computer Security and Reliability
Chapter 6: Implementing Public Key

Infrastructure
Terms in this set (36)
This is a public assertion of

identity, validated by a
certificate authority (CA).
-asserting identity
-Can be issued for protecting
web server communications
or signing messages.
This solves the problem of

distributing encryption keys
when you want to
communicate securely with
others or authenticate a
message that you send to
others.
-basic problem is that you
may not really know with
whom you are communicating
-vulnerable to man-in-the-
middle attacks (e-commerce)
https://quizlet.com/589103945/chapter-6-implementing-public-key-infrastructure-flash-cards/ 1/14
This aims to prove that the

owners of public keys are
who they say they are.
-Under this anyone issuing
public keys should obtain a
digital certificate.
-The validity of the certificate
is guaranteed by a certificate
authority (CA).
This is the entity responsible

for issuing and guaranteeing
certificates
This CA (root) issues

certificates to users; users
trust certificates issued by that
CA and no other.
-The problem with this
approach is that this CA
server is very exposed.
-If it is compromised, the
whole PKI collapses.
In this model, a single CA

(called the root) issues
certificates to several
intermediate CAs. The
intermediate CAs issue
certificates to subjects (leaf or
end entities)
-Each leaf certificate can be
traced back to the root CA
along the certification path.
(certificate chaining, or a chain
of trust.)
-root's certificate is self-
signed.
-root is still a single point of
failure
--To mitigate against this,
however, the root server can
be taken offline,
. Because of the high risk

posed by compromising the
root CA, a secure
configuration involves making
the root an _____________. This
means that it is disconnected
from any network and usually
kept in a powered-down
state. The root CA will need to
be brought online to add or
update intermediate CAs.
When a subject wants to

obtain a certificate, it
completes a
___________________________ and
submits it to the CA. It is a
Base64 ASCII file containing
the information that the
subject wants to use in the
certificate, including its public
key.
This is essentially a wrapper

for a subject's public key. As
well as the public key, it
contains information about
the subject and the
certificate's issuer or
guarantor. The certificate is
digitally signed to prove that
it was issued to the subject by
a particular CA.
This certificate guarantees the

identity of e-commerce sites
or any sort of website to
which users submit data that
should be kept confidential.
-Domain Validation (DV)—
proving the ownership of a
particular domain.
This defines the different uses

of certificate types issued by
the CA.
A certificate type is set by
configuring the the Key Usage
attribute
-An extension can be tagged
as critical, meaning that the
application processing the
certificate must be able to
interpret the extension
correctly; otherwise, the
certificate should be rejected.
This will be marked as

untrusted by the operating
system or browser, but an
administrative user can
choose to override this.
Types of certifications
____________________________refers to
operational considerations for
the various stages in a key's
life cycle.
It can be centralized, meaning
that one administrator or
authority controls the process,
or decentralized, in which
each user is responsible for his
or her keys.
A key's life cycle may involve

the following stages:
-Key generation
-Certificate geneartion
-Storage
-Revocation
-Expiration/renewal
Access to critical encryption

keys must be logged and
audited and is typically
subject to ___________or ______________
CAs must maintain a

certificate revocation list
(CRL) of all revoked and
suspended certificates, which
can be distributed throughout
the hierarchy. A revoked
means?
This server, referred to as an

OCSP responder. Rather than
return a whole CRL, this just
communicates the status of
the requested certificate.
-OCSP stapling resolves high
demands on the issuing CA
running the OCSP responder,
by having the SSL/TLS web
server periodically obtain a
time-stamped OCSP response
from the CA
__________refers to several
techniques to ensure that
when a client inspects the
certificate presented by a
server or a code-signed
application, it is inspecting the
proper certificate.
-This might be achieved by
embedding the certificate
data in the application code,
or by submitting one or more
public keys to an HTTP
browser via an HTTP header,
which is referred to as HTTP
Public Key Pinning (HPKP
Configure a root CA in
OpenSSL
The most common problem

when dealing with certificate
issues is that of a
Consider the life cycle of an

encryption key. Which of the
following is NOT a stage in a
key's life cycle?
A.) Storage
B.) Verification
C.) Expiration and renewal
D.) Revocation
Which certificate field shows

the name of the Certificate
Authority (CA) expressed as a
Distinguished Name (DN)?
A.) Version
B.) Signature algorithm
C.) Issuer
D.) Subject
This certificate field provides

the algorithm used by the CA
to sign the certificate. The
signature algorithm is used to
assert the identity of the
server's public key and
facilitate authentication.
This certificate field gives the

name of the certificate holder,
expressed as a distinguished
name (DN). Within this, the
common name (CN) part
should usually match either
the fully qualified domain
name (FQDN) of the server or
a user email address.
An employee has requested a

digital certificate for a user to
access the Virtual Private
Network (VPN). It is
discovered that the certificate
is also being used for digitally
signing emails. Evaluate the
possible extension attributes
to determine which should be
modified so that the certificate
only works for VPN access.
A.) Extension ID
B.) Critical
C.) Value
D.) Distinguished encoding
rules
These are what certificates

use to encode a certificate as
a digital file for exchange
between different systems.
A website with many

subdomains has a single
Domain Validation (DV) server
certificate. The certificate has
been issued to the parent
domain and all subdomains
are accepted as valid down
one level. Determine which
type of certificate is in use.
A.) Subject Alternative Name

(SAN)
B.) Wildcard domain
C.) Root
D.) Code signing
A domain is one in which the

certificate is issued to the
parent domain and will be
accepted as valid for all
subdomains down a single
level. These certificates
cannot be issued with
Extended Validation (EV).
The X.509 standard defines

the fields (information) that
must be present in a digital
certificate. Which of the
following is NOT a required
field?
A.) Extensions
B.) Public key
C.) Endorsement key
D.) Subject
This is not required for a digital

certificate. It is part of a
Trusted Platform Module and
used to create subkeys for key
storage, signature, and
encryption operations.
What is the purpose of a

server certificate?
A.) Allow signing and

encrypting email messages.
B.) Guarantee the validity of a
browser plug-in or software
application.
C.) Provide identification for
the certificate authority.
D.) Guarantee the identity of
e-commerce sites and other
websites that gather and store
confidential information.
If not managed properly,

certificate and key
management can represent a
critical vulnerability. Assess
the following statements
about key management and
select the true statements.
(Select all that apply.)
A.) If a key used for signing

and encryption is
compromised, it can be easily
destroyed with a new key
issued.
B.) It is exponentially more
difficult to ensure the key is
not compromised with
multiple backups of a private
key.
C.) If a private key, or secret
key, is not backed up, the
storage system represents a
single point of failure.
D.) The same private key can
securely encrypt and sign a
document.
An employee handles key

management and has learned
that a user has used the same
key pair for encrypting
documents and digitally
signing emails. Prioritize all
actions that should be taken
and determine the first action
that the employee should
take.
A.) Revoke the keys.

B.) Recover the encrypted
data.
C.) Generate a new key pair.
D.) Generate a new certificate.
An employee handling key

management discovers that a
private key has been
compromised. Evaluate the
stages of a key's life cycle and
determine which stage the
employee initiates upon
learning of the compromise.
A.) Certificate generation

B.) Key generation
C.) Expiration and renewal
D.) Revocation
A company has a critical

encryption key that has an M-
of-N control configuration for
protection. Examine the
examples and select the one
that correctly illustrates the
proper configuration for this
type of protection of critical
encryption keys.
A.) M=1 and N=5

B.) M=3 and N=5
C.) M=6 and N=5
D.) M=0 and N=5
A Certificate Revocation List

(CRL) has a publish period set
to 24 hours. Based on the
normal procedures for a CRL,
what is the most applicable
validity period for this
certificate?
A.) 26 hours
B.) 1 hour
C.) 23 hours
D.) 72 hours

Chapter 6 - Implementing Public Key Infrastructure Flashcards - Quizlet

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 6 - Implementing Public Key Infrastructure Flashcards - Quizlet

Uploaded by

Copyright:

Available Formats

17/04/2023, 21:23 Chapter 6: Implementing Public Key Infrastructure Flashcards | Quizlet

Science Computer Science Computer Security and Reliability

Chapter 6: Implementing Public Key

This is a public assertion of

This solves the problem of

This aims to prove that the

This is the entity responsible

This CA (root) issues

In this model, a single CA

. Because of the high risk

When a subject wants to

This is essentially a wrapper

This certificate guarantees the

This defines the different uses

This will be marked as

A key's life cycle may involve

Access to critical encryption

CAs must maintain a

This server, referred to as an

The most common problem

Consider the life cycle of an

Which certificate field shows

This certificate field provides

This certificate field gives the

An employee has requested a

These are what certificates

A website with many

A.) Subject Alternative Name

A domain is one in which the

The X.509 standard defines

This is not required for a digital

What is the purpose of a

A.) Allow signing and

If not managed properly,

A.) If a key used for signing

An employee handles key

A.) Revoke the keys.

An employee handling key

A.) Certificate generation

A company has a critical

A.) M=1 and N=5

A Certificate Revocation List

You might also like