Lesson 6 Public and Private Keys, CAs

Question 1

CA

Answer 1

Certification Authority

Stores public keys for users, ensuring valid keys are available for users

If CA fails then PKI falls apart

Question 2

Certification from CA

Answer 2

A cert is your public key signed by the CA

Question 3

PKI

Answer 3

Public Key Infrastructure

Relies on Cert Authorities to manage public keys

Question 4

RA

Answer 4

Registration Authority

Question 5

CSR

Answer 5

Certificate Signing Request

Question 6

Registration Authorities and CSRs

Answer 6

A process of identification and authentication for end users to create an account with the CA

A users want to get a cert it completes a certificate signing request (CSR) and submits it to the CA

Registration can be delegated by the CA to a registration authority (RA), which perform the identity checking

the CA issues the certificate

Question 7

Digital certificate

Answer 7

Issued by the CA and is a wrapper for the subjects public key

The CA digitally signs (private key) the certificate

Question 8

X509.1 standard

Answer 8

standard used to create digital certificates

Question 9

PKCS (Public Key Cryptography Standards)

Answer 9

Public Key Cryptography Standards (PKCS)

promotes the use of the public key infrastructure

Question 10

DV (Domain Validation)

Answer 10

Domain Validation (DV) a web server cert type proving the ownership of a particular domain

Highly vulnerable to compromise

process is to respond to an email to the authorized domain contact or by publishing a text record to the domain

Question 11

EV (Extended Validation)

Answer 11

Extended Validation (EV), a web server cert with even more rigorous identity checks than DV

This standard is maintained by the CA/Browser forum

An EV cannot be issued for a wildcard domain

Question 12

Other Cert Type Uses

Answer 12

Certificate to identify:
Machine/computer - used to keep machines off of networks
Email/User - used to secure emails
Code signing - sw publishers as to the validity of the application
Root - identifies the Root CA itself, and is self signed
Self signed Cert - used for one device only

Question 13

Key life cycle

Answer 13

• Key generation
• Certificate generation
• Storage
• Revocation
• Expiration and renewal

Question 14

Cert management vulnerabilities

Answer 14

A private key compromise puts the confidentiality and identification/authorization at risk

If an attacker can perform the CA functions, he can have trusted nodes on the network to utilize in other attacks, as they are trusted nodes

Destruction of the key used for encryption will cause encrypted data to be inaccessible

Question 15

M-of-N

Answer 15

M-of-N is a process for maintaining the CA root private key, due to it’s importance

M-of-N means keeping people honest by requiring some number of admins allowed to access the key

M must be less than N and N must be more than 2

Question 16

Escrow Key Backup

Answer 16

placing archived keys with a trusted 3rd party

Question 17

Certificate Expiration

Answer 17

Cert duration
Cert renewal - re-key with newly generated key pair
Expiration - public key not longer accepted, archive or destroy keys, need secure erasing methods

Question 18

CRL

Answer 18

Cert Revocation List
have code for reason of revocation
could be keys were compromised, etc.

Question 19

OCSP Responder

Answer 19

Online Certificate Status Protocol
provides real-time status information
client queries single cert per transaction

Question 20

OCPS stapling

Answer 20

used by clients to make lots of cert queries for a chain of trust
queries can be used to track clients
Stapling proxies the OCSP response
remembers the query for longer amount of time using the proxy?

Question 21

HPKP

Answer 21

HTTP Public Key Pinning
ensures the client is inspecting the correct/proper certificate
Web Servers references authorized keys in the HTTP header
defends against MitM attacks on chain of trust

Question 22

Certificate Formats

Answer 22

.DER - Distinguished Encoding Rules - binary format
.PEM - Privacy-enhanced Electronic Mail - represent binary as ASCII
.CER and .CRT file formats can be binary for ASCII
.PFX or P12 - personal information exchange binary password protected
.P7B - export a certificate chain

Content
PKCS #12 format allows for export of private key with the certificate

P7B bundles multiple certificates in the same file

Question 23

Managing certificate tools

Answer 23

Win uses Active directory ‘certutil’ tool

Linux uses openssl

Question 24

Certificate issues

Answer 24

Rejection of cert
verify expiration dates of exiting cert
new cert
-check key usage settings and requirement
-check subject name
-check chain of trust/root certs

Should audit cert and PKI infrastructure