Chapter 18 - Fundamentals of Public Key Infrastructure (PKI) Flashcards

Cisco CCNA Security (640-554), Chapter 18 - Fundamentals of Public Key Infrastructure (PKI)

1
Q

What is the asymmetrical algorithm RSA used for?

A

RSA (Rivest, Shamir, Adleman) is an asymmetric algorithm whose primary use is authentication: data signed with a private key can be verified by anyone holding the matching public key (digital signatures, see card 4). The same key pair can also encrypt small items such as session keys.

RSA is specified in PKCS #1 (Public Key Cryptography Standard #1).

2
Q

What is DH (Diffie-Hellman) used for?

A

DH is an asymmetric algorithm that lets two devices negotiate and establish shared secret keying material (keys) over an untrusted network without ever transmitting the secret itself. DH on its own does not authenticate the peers; IKE, for example, authenticates the exchange with RSA signatures or a pre-shared key.

Know this: the initial negotiation is asymmetric, but once keys are derived they are used with symmetric algorithms such as 3DES and AES, which are fast enough for encrypting and decrypting bulk data.
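The exchange described above, carried through in code as an added example (this is not from the CCNA text). Two parties exchange only their public values over the 1024-bit MODP group 2 from RFC 2409, each computes the same shared secret, and both derive a fixed-length symmetric key from it rather than using the raw DH result. The party names R1/R2, the HKDF-style label, and the use of HMAC-SHA256 as the key-derivation function are assumptions for illustration; the public-value range check is the sanity check a real implementation performs before using a peer's value.

```python
"""Diffie-Hellman key agreement followed by symmetric key derivation.

Added worked example for the DH flashcard; standard library only.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime, generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def is_valid_public_value(y):
    """A peer's public value must satisfy 1 < y < p-1.
    Values 0, 1 and p-1 would force a predictable shared secret."""
    return 1 < y < P - 1


def derive_key(secret, info):
    """Turn the variable DH result into 32 bytes of keying material
    (an AES-256 key). IKE does the same job with its PRF; HMAC-SHA256
    keyed with a label is an assumption for this example."""
    secret_bytes = secret.to_bytes(P_BYTES, "big")
    return hmac.new(info, secret_bytes, hashlib.sha256).digest()


class Party:
    """One side of the exchange, e.g. a router negotiating an IPsec SA."""

    def __init__(self, name):
        self.name = name
        # Private exponent x: random, never leaves this object.
        self.private = secrets.randbelow(P - 3) + 2          # 2 .. P-2
        self.public = pow(G, self.private, P)                # g^x mod p
        self.shared_key = None

    def receive(self, peer_public):
        if not is_valid_public_value(peer_public):
            raise ValueError("invalid DH public value from peer")
        secret = pow(peer_public, self.private, P)           # (g^y)^x mod p
        self.shared_key = derive_key(secret, b"dh-group2 demo")


def run_exchange():
    """Perform one exchange and return both sides' derived keys."""
    r1, r2 = Party("R1"), Party("R2")
    # Only the public values g^x and g^y cross the untrusted network.
    r1.receive(r2.public)
    r2.receive(r1.public)
    return r1.shared_key, r2.shared_key


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys match:", k1 == k2)
    print("AES-256 key:", k1.hex())
```

Nothing in this exchange tells R1 that the public value it received really came from R2; an attacker in the path could run two separate exchanges. That is why the DH values in IKE are signed (RSA) or bound to a pre-shared key, which is where the rest of this chapter's PKI material comes in.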

3
Q

What is the minimum key length that is considered secure for asymmetrical algorithms?

A

1024 bits is the figure the 640-554 exam uses (it is also the size of DH group 2). Current guidance is stricter: NIST has disallowed 1024-bit RSA and DH for new use since 2013 and calls for at least 2048 bits, or 256-bit elliptic-curve keys.

4
Q

What two components when combined form a digital signature?

A

A hash computed over the data, and the signer's private key.

The hash is encrypted (signed) with the private key; the resulting encrypted hash is the digital signature.

Anyone holding the sender's public key can decrypt the signature to recover the hash, recompute the hash over the received data, and compare the two. A match proves the data came from the holder of the private key and was not altered in transit; no other key can produce a signature that verifies with that public key.

5
Q

What information is contained in a root certificate?

A

A root certificate contains the public key of the CA server and identifying details about the CA (such as its name and validity period). It is self-signed: the CA's own private key signs it, so trust in a root certificate comes from how it was installed, not from a signature check.

6
Q

What is an identity certificate?

A

An identity certificate describes a client (a device or a user) and contains the public key of that individual host, together with the CA's signature over those contents.

7
Q

What is SCEP?

A

SCEP, the Simple Certificate Enrollment Protocol, is a protocol originally developed by Cisco (and later published as RFC 8894) that lets devices automate requesting and installing identity certificates from a CA instead of pasting requests and certificates by hand.

8
Q

Which four pieces of information are found in a typical identity certificate?

A

  • CRL locations (the distribution points from which the CA's revocation list can be fetched)
  • Validity dates (not valid before / not valid after)
  • Public key of the certificate owner
  • Serial number (unique per issuing CA; it is the value listed in a CRL when the certificate is revoked)

9
Q

What are the Public Key Cryptography Standards?

A

PKCS #10 - Format of a certificate signing request (CSR) sent to a CA when an organization asks for a new identity certificate.

PKCS #7 - Cryptographic Message Syntax; the format in which a CA returns the issued identity certificate (often together with the CA chain).

PKCS #1 - The RSA Cryptography Standard (RSA key formats, encryption and signature schemes).

PKCS #12 - A container format for storing a private key together with its certificate (public key), protected by a symmetric key derived from a password that must be supplied whenever the private key is accessed.

PKCS #3 - Diffie-Hellman Key Agreement Standard.

10
Q

What are 3 ways to check if a digital certificate has been revoked?

A

  • Certificate Revocation List (CRL): a list, signed by the CA, of the serial numbers of certificates it issued that have since been revoked. The client downloads the whole list and looks up the serial number of the certificate being validated.
  • Online Certificate Status Protocol (OCSP): the client sends a request about one certificate to an OCSP responder and receives a signed good/revoked/unknown response, without having to download the complete list of revoked certificates (as it would when checking a CRL).
  • Authentication, Authorization, and Accounting (AAA): Cisco AAA services can also validate digital certificates, including checking whether one has been revoked. NOTE: this is Cisco proprietary and as a result is not usually used in conjunction with PKI.