Chapter 18 - Fundamentals of Public Key Infrastructure (PKI) Flashcards Preview

Cisco CCNA Security (640-554) > Chapter 18 - Fundamentals of Public Key Infrastructure (PKI) > Flashcards


What is the asymmetrical algorithm RSA used for?

RSA (Rivest, Shamir, Adleman) is used for authentication: a device proves its identity by producing a digital signature with its private key, which anyone holding the matching public key can verify. RSA can also encrypt small pieces of data such as session keys.

aka (PKCS #1) - Public Key Cryptography Standard #1, which specifies the RSA algorithm together with its padding and signature schemes.


What is DH (Diffie-Hellman) used for?

DH is an asymmetrical algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network, without the secret itself ever being transmitted.

Know this: The initial negotiation is asymmetrical, but once keys are created they can be used with symmetrical algorithms like 3DES and AES (fast encryption / decryption for bulk data transmission).

Caveat: DH by itself does not authenticate either party; an attacker in the middle can run a separate exchange with each side and read everything. That is why IKE pairs the DH exchange with authentication (pre-shared keys or RSA signatures).
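The exchange described above, worked through in code. This is an added example, not material from the flashcard deck or from Cisco: two "routers" each generate a DH key pair, exchange only the public values, compute the same shared secret, and then derive a 256-bit AES key from it with an HKDF-style step so the secret can feed a symmetric cipher. The modulus is transcribed here as the 2048-bit MODP group from RFC 3526 (what Cisco IOS calls DH group 14), and `group_sanity_check` verifies its size and probable primality rather than trusting the transcription. The function and variable names are this example's own.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP prime, transcribed from RFC 3526 section 3 for this example
# (IOS "group 14"). group_sanity_check() guards against a typo in the constant.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def group_sanity_check(p=P, g=G):
    """Cheap checks on the group: expected size plus Fermat probable-prime tests."""
    return (p.bit_length() == 2048
            and pow(g, p - 1, p) == 1
            and pow(3, p - 1, p) == 1)


def dh_keypair(p=P, g=G):
    """Private exponent x and public value g^x mod p. 256 random bits is ample for a 2048-bit group."""
    x = secrets.randbits(256) | (1 << 255)
    return x, pow(g, x, p)


def dh_shared_secret(own_private, peer_public, p=P):
    """Shared secret = (peer public)^(own private) mod p, rejecting degenerate peer values."""
    # 0, 1 and p-1 would force a trivial secret an attacker can predict.
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, p)


def derive_aes_key(shared_secret, p=P, info=b"example AES-256 key"):
    """HKDF-SHA256 (RFC 5869) extract-then-expand, one output block = 32 bytes."""
    ikm = shared_secret.to_bytes((p.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()      # extract, zero salt
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()   # expand, T(1)


def demo():
    """Run the exchange between router A and router B; return (keys match, key length)."""
    a_priv, a_pub = dh_keypair()   # router A
    b_priv, b_pub = dh_keypair()   # router B
    # Only a_pub and b_pub cross the untrusted network; the private exponents never do.
    k_a = derive_aes_key(dh_shared_secret(a_priv, b_pub))
    k_b = derive_aes_key(dh_shared_secret(b_priv, a_pub))
    return k_a == k_b, len(k_a)


if __name__ == "__main__":
    print("group ok:", group_sanity_check())
    print("keys match, length:", demo())
```

Nothing in this exchange tells router A that `b_pub` really came from router B, which is the point of the caveat above: in practice the public values (or the whole exchange) are authenticated, and the DH parameters come from a library or the device's configured group rather than a hand-typed constant.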


What is the minimum key length that is considered secure for asymmetrical algorithms?

1024 bits (the answer the 640-554 exam expects).

Caveat: NIST SP 800-131A disallows 1024-bit RSA and DH for new use after 2013; 2048 bits is the practical minimum today, and 1024-bit DH group 2 should not be configured on current devices.


What two components when combined form a digital signature?

A hash (computed over some data)

This hash is then encrypted with the signer's private key.

The encrypted hash is the digital signature. The receiver decrypts it with the sender's public key and compares the result with its own hash of the data; if the two match, the data is unmodified and came from the holder of the private key.


What information is contained in a root certificate?

A root certificate contains the public key of the CA server and other details about the CA server. It is self-signed (signed with the CA's own private key), so trust in it comes from installing it on the client, not from any signature.


What is an identity certificate?

An identity certificate describes a client and contains the public key of an individual host, signed by the CA.


What is SCEP?

SCEP, or Simple Certificate Enrollment Protocol, is a protocol that lets devices automate requesting and installing identity certificates. The exam describes it as Cisco proprietary; it was developed by Cisco but has since been published as RFC 8894 and is used well beyond Cisco devices.


Which 4 pieces of information are found in a typical identity certificate?

- CRL locations (CRL distribution points: where to fetch the CA's revocation list)

- Validity Dates

- Public Key of the certificate owner

- Serial Number


What are the Public Key Cryptography Standards?

PKCS #10 - Format of a certificate signing request (CSR) sent to a CA when an organization is asking for a new identity certificate.

PKCS #7 - Cryptographic Message Syntax; the format a CA responds with when it issues an identity certificate (typically a certs-only bundle containing the new certificate and the CA chain).

PKCS #1 - The RSA Cryptography Standard (the RSA algorithm plus its padding and signature schemes).

PKCS #12 - Format for storing both a certificate (public key) and the matching private key in one file, protected by a symmetric password-based key that "unlocks" the data whenever the private key needs to be accessed.

PKCS #3 - Diffie-Hellman key agreement.


What are 3 ways to check if a digital certificate has been revoked?

- Certificate Revocation List (CRL): A list of serial numbers of certificates that have been issued by a CA but have since been revoked, signed by the CA and downloaded by the client.

- Online Certificate Status Protocol (OCSP): The client sends a request for the status of one certificate to an OCSP responder and gets back a signed good/revoked/unknown answer, without having to download the complete list of revoked certificates (as it would when checking a CRL).

- Authentication, Authorization, and Accounting (AAA): Cisco AAA services also support validating digital certificates. NOTE: this is Cisco-specific, so it is not usually used in conjunction with PKI.