Managing a Public Key Infrastructure Flashcards
After importing a user certificate file to an e-mail program, a user finds she cannot digitally sign sent e-mail messages. What are some possible reasons for this? (Choose two.)
The public key is not in the certificate.
The private key is not in the certificate.
The certificate was not created for e-mail usage.
The PKI is not in the certificate.
The private key is not in the certificate.
The certificate was not created for e-mail usage.
A private key is used to create digital signatures, and the related public key verifies the authenticity of that signature. A certificate lacking a private key cannot be used to digitally sign e-mail messages. Depending on how the certificate file was created, the private key may have been omitted. This is sometimes done when you send your public key to another party so that they can encrypt messages to you. Certificates can be created for specific uses, such as e-mail.
Which of the following would not be found in a digital certificate?
Private key
Digital signature of issuing CA
IP address of PKI server
IP address of PKI server
A PKI server does not write its IP address within certificates it issues; however, it does write its digital signature with a private key.
You are providing consulting services to a legal firm that has a PKI. The firm would like to enable document workflow where documents are sent electronically to the appropriate internal employees. You are asked whether there is a way to prove that documents were sent from the user listed in the From field. Of the following, what would you recommend?
File encryption
Digital signatures
E-mail encryption
Digital signatures
Digital signatures are created with the sender’s private key (to which only he has access) and verified with the corresponding public key. This is the best solution for workflow documents in this scenario.
As a security auditor, you are focusing on hardening an existing PKI. Which of the following should you consider? (Choose two.)
Take the CA offline.
Do not make public keys publicly accessible.
Configure a recovery agent.
Encrypt all digital certificates.
Take the CA offline.
Configure a recovery agent.
The CA is used to issue and renew X.509 certificates and should be taken offline when not in use for security purposes. CAs, especially root CAs, left online present a security risk. Normally, subordinate CAs are used to issue certificates. Recovery agents have the ability to recover encrypted data when the original private key is unavailable. Failure to configure this could result in no access to important data.
Your colleagues report that there is a short time frame in which a revoked certificate can still be used. Why is this?
The CRL is published periodically.
The CRL is published immediately but must replicate to all hosts.
The CRL lists only revoked certificate serial numbers and is not used in any way.
The CRL is published periodically.
The CRL is not published immediately; it is published either manually or on a schedule, so there may be a small time frame where revoked certificates can still be used.
Which of the following best describes the term key escrow?
A trusted third party with decryption keys in case the original keys have expired
A trusted third party with copies of decryption keys in addition to existing original keys
An account that can be used to encrypt private keys
A trusted third party with copies of decryption keys in addition to existing original keys
Key escrow refers to a trusted third party with a copy of decryption keys. A court order may be necessary to use these keys under certain circumstances.
Which PKI component verifies the identity of certificate requestors before a certificate is issued?
Public key
RA
PKI
RA
A registration authority (RA) is an optional PKI component that performs requestor verification before certificates are issued.
A user reports that she is unable to authenticate to the corporate VPN while traveling. You have configured the VPN to require X.509 user certificate authentication. After investigating the problem, you learn that the user certificate has expired. Which of the following presents the quickest secure solution?
Create a new user certificate and configure it on the user’s computer.
Disable X.509 certificate authentication for your VPN.
Reduce the CRL publishing frequency.
Create a new user certificate and configure it on the user’s computer.
X.509 certificates cannot be renewed if they have expired; a new certificate must be created.
When users connect to an intranet server by typing https://intranet.acme.local, their web browser displays a warning message stating the site is not to be trusted. How can this warning message be removed while maintaining security?
Configure the web server to use HTTP instead of HTTPS.
Use TCP port 443 instead of TCP port 80.
Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.
Install the trusted root certificate in the client web browser for the issuer of the intranet server certificate.
The web browser must trust the digital signature in the intranet web server certificate; this is the digital signature of the server certificate issuer. If a client trusts the signer, it then trusts all certificates signed by the signer—this is how the PKI hierarchical trust model works. In addition, the server certificate must be valid, meaning it must not have expired, and it must not be listed in the CRL. The subject name in the server certificate must match the URL entered by the user.
An HTTPS-secured web site requires the ability to restrict which workstations can make a connection. Which option is the most secure?
Configure the web site to allow connections only from the MAC addresses of valid workstations.
Configure the web site to use user authentication.
Configure the web site to require client-side certificates.
Configure the web site to require client-side certificates.
Client-side digital certificates must be installed on each workstation to access the web site. The web server must also be configured to allow access only from workstations with appropriate certificates installed.
Which of the following is untrue regarding certificates containing private keys?
They can be used to encrypt mail sent to others.
They can be used to encrypt hard disk contents.
They should be password protected.
They can be used to encrypt mail sent to others.
Private keys are not used to encrypt messages to others; for that you must have the recipient’s public key.
For which purpose would a computer digital certificate be used? (Choose the best answer.)
Network access control
IPSec
Both A and B
None of the above
Both A and B
Computer digital certificates can be used to authenticate the computer to another device such as with an 802.1x network switch that forwards authentication requests to an authentication server (network access control). IPSec can use computer certificates to ensure secure communication takes place between network hosts.
You are responsible for enabling SSL on an e-commerce web site. What should you do first?
Install the web server digital certificate.
Enable SSL on the web server.
Create a CSR and submit it to a CA.
Create a CSR and submit it to a CA.
Creating a certificate signing request (CSR) and submitting it to a CA is the first step that must be completed. Be careful when filling out all fields related to the CSR; for instance, you may need to ensure that the applicant’s name matches the owner name for a DNS domain with a DNS registrar—this is called domain validation. To prove DNS domain ownership, extended validation verifies additional information such as business name, address, e-mail addresses of applications, and so on. Another consideration is whether the e-commerce site uses multiple subordinate DNS domains such as products.acme.com and services.acme.com; a wildcard certificate (*.acme.com) could be acquired instead of separate certificates. To protect multiple different domains, a subject alternative name (SAN) certificate could be used for domains such as acme.uk and acme.ca. There are various Internet certificate authorities such as VeriSign and Entrust with varying pricing structures. Then the CA digitally signed certificate must be installed on your web server. Finally, you must configure your web site to use the digital certificate. Note that using a self-signed CA and resultant certificates would require connecting devices to trust the certificate signer; public CAs are already trusted by computing devices.
A national company with headquarters in Dallas, Texas, is implementing a PKI. There are corporate locations in 12 other major U.S. cities. Each of those locations has a senior network administrator. Which option presents the best PKI solution?
Install a root CA in Dallas. Create subordinate CAs for each city and use these to issue certificates for users and computers in that city. Take the root CA offline.
Install a root CA in Dallas. Issue certificates for users and computers in all locations.
Install a root CA in Dallas. Issue certificates for users and computers in all locations. Take the root CA offline.
Install a root CA in Dallas. Create subordinate CAs for each city and use these to issue certificates for users and computers in that city. Take the root CA offline.
Because there is IT expertise in each city, create a subordinate CA (also called an intermediate CA) for each city and issue certificates using these CAs for their respective cities. The root CA should be taken offline for security purposes. If a single subordinate CA is compromised, you should revoke that certificate. This will invalidate all certificates issued by this CA. The other subordinate city CAs and their issued certificates would still be valid.
To secure your server, you would like to ensure server hard disk data cannot be accessed if the hard disks are stolen. What should you do?
Configure EFS.
Configure TPM with PKI encryption keys.
Configure NTFS security.
Configure TPM with PKI encryption keys.
Trusted Platform Module (TPM) is a firmware security solution that can use PKI certificate keys to encrypt and decrypt hard disk contents. TPM-encrypted disks placed in a different computer (with or without a TPM chip) are unreadable.