What is the asymetrical algorithm RSA used for?
RSA (Rivest, Shamir, Adleman) is used for authentication.
aka (PKCS #1) - Public Key Cryptography Standard #1
What is DH (Diffie-Hellman) used for?
DH is an asymetrical algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network.
Know this: The initial negotiation is asymetical, but once keys are created they can be used with symetrical algorithms like 3DES and AES (fast encryption / decription for bulk data transmission)
What is the minimum key length that is considered secure for asymetrical algorithms?
What two components when combined form a digital signature?
A Hash (that is created on some data)
This hash is then encrypted with a private key.
The encrypted hash is the digital signature (which can only be decoded by the sending user's public key).
What information is contained in a root certificate?
A root certificate contains the public key of the CA server and other details about the CA server.
What is an identity certificate?
An identiity certificate describes a client and contains the public key of an individual host.
What is SCEP?
SCEP or Simple Certificate Enrollment Protocol, is a Cisco proprietary protocol for Cisco devices to automate requesting and installing identity certificates.
Which 4 pieces of information are found in a typical identity certificate?
- CRL locations
- Validity Dates
- Public Key of the certificate owner
- Serial Number
What are the Public Key Cryptography Standards?
PKCS #10 - Formatting of a certificate request sent to a CA when an organization is asking for a new identity certificate.
PKCS #7 - Formatting here is what a CA responds with when they issue an identity certificate.
PKCS #1 - This is a RSA Cryptography Standard
PKCS #12 - This format is used for storing both public and private keys using a symmetric password-based key to "unlock" the data whenever the key needs to be accessed.
PKCS #3 - Diffie-Hellman key exchange
What are 3 ways to check if a digital certificate has been revoked?
- Certificate Revocation List (CRL): A list of certificates with serial numbers, that have been issued by a CA but have since been revoked.
- Online Certificate Status Protocol (OSCP): A client sends a request to find the status of a certificate and gets a response without having to know the complete list of revoked certificates (as in the case of checking CRLs)
- Authentication, Authorization, and Accounting (AAA): Cisco AAA services also support for validating digital certificates. NOTE: this is Cisco proprietary and as a result is not usually used in conjunction with PKI