Chapter 29: Public Key Infrastructure
Terms in this set (48)
Public Key Infrastructure (PKI)
A framework of all the necessary components for different types of users and systems to be able to communicate securely.
Made up of:
Hardware, Applications, Policies, Services, Programming interfaces, Cryptographic Algorithms, Protocols, Users, and Utilities.
These components work together to allow communication and to manage asymmetric keys facilitating the use of public key cryptography for digital signatures, data encryption, and integrity.
Certificate Authority (CA)
The trusted authority that certifies an individual's identity and creates electronic documents (digital certificates) indicating that individuals are who they say they are.
The digital certificate establishes an association between the subject's identity and public key.
When signed by the CA the principle of non-repudiation is created, commonly used when sending e-mails.
A certificate can be revoked prior to its expiration date (e.g. theft or loss of a laptop), making the certificate invalid.
Certificate Revocation List (CRL)
Database of suspended or revoked certificates.
Contains a list of serial numbers or public keys. The CRL is locally accessible and needs to be requested.
Online Certificate Status Protocol (OCSP)
Provides real time certificate status and returns a status of "good", "unknown", or "revoked".
Meaning the certificate is placed on temporary hold.
Key destruction is removal from the systems and destruction of a key once it is no longer useful.
When the time comes, there needs to be proper procedures and policies in place for key
Key Pair Generation
A key pair can be generated locally by an application and stored in a local key store on the local machine.
Key pairs generated by a central key-management server will require secure transmission of the keys.
In most PKI implementations, users have two key pairs:
One key pair is used for encryption and key transfers.
Another key pair is used for digital signatures.
The public key pairs are published to a central server or global address list for e-mail
Certificate Signing Request (CSR)
A specially formatted encrypted message that validates the information the CA requires to issue a digital certificate.
Actual request to a CA containing a public key and the prerequisite information needed to generate a certificate.
Process required when the certificate has fulfilled its lifetime and its end validity date has been met.
Requires a new Certificate Signing Request (CSR) to be processed.
Binds the individual's identity to a public key.
Certificates are created based on the X.509 standard.
Digital Certificate Version Number & Subject
Identifies the version of X.509 that was followed and specifies the owner of the certificate
Digital Certificate Public Key
Identifies the public key bound to the user's identity and the algorithm used (usually RSA).
Digital Certificate Issuer
Field within the certificate that identifies the CA that generated and digitally signed the certificate.
Digital Certificate Serial Number
A unique number identifying this one specific certificate.
Digital Certificate Validity
Dates through which the certificate is valid.
Approved use of the certificate.
Digital Certificate Signature Algorithm
Specifies the hashing and digital signature algorithms.
Digital Certificate Extensions
Allows additional data to be encoded into the certificate to expand the functionality of the certificate.
The process of combining related items to reduce communication steps.
When someone requests a certificate, this process sends both the certificate and Online Certificate Status Protocol (OCSP) responder information in the same request. This avoids additional fetches.
This process can help when attackers compromise a CA and issue unauthorized X.509 certificates.
The process of associating a host with a previously provided X.509 certificate or public key.
When a certificate is presented for a host, either identifying the host or providing a public key, this information can be saved via this process.
This process can be important for mobile devices that move between networks where levels of trust are low and risks of malicious data are high.
A construction of systems, personnel, applications, protocols, technologies, and policies that work together to provide a certain level of protection.
A trust relationship must be established between two issuing authorities (CAs).
Hierarchical Trust Model
A root CA (ultimate "trust anchor"), an intermediate CA, leaf CAs, end-entities
In this model, one CA is not subordinate to the other CA and no established "trust anchor" is
The two CAs will verify the public key for each other, creating a bidirectional trust; this is called cross-certification.
Walking The Certificate Path
When a user in one trust domain needs to communicate with another user in another trust domain, one user will need to validate the other's certificate.
Each certificate for each CA, all the way up to a shared trusted anchor, must also be validated.
Hybrid Trust Model
A combination of hierarchical and peer-to-peer models.
Another configuration would be the implementation of a "bridge" CA.
A system by which your private key is kept both by you and by a third party.
Key escrow allows people with a court order to retrieve your private key to gain access to anything encrypted with your public key.
It provides a method of obtaining a key in the event that the key holder is not available.
Key escrow can solve many problems resulting from an inaccessible key, and the nature of cryptography makes the access of the data impossible without the key.
Certificate Chaining/Intermediate Certificates
Certificates that sit between the presented certificate and the root certificate.
The intermediate certificate is the signer/issuer of the presented certificate, indicating that it trusts
The root certificate is the signer/issuer of the intermediate certificate.
The chaining of certificates is a manner of passing trust down from a trusted root certificate.
Issued by the CA to a specific subject, such as Joyce, Accounting Department, or the firewall. The certificate is the identity document provided in PKI.
Can be self-signed or can be issued by a superior CA within the hierarchical model.
Independent CAs establish peer-to-peer relationships.
Required to provide centrally controlled policy information to PKI clients.
Often done by placing the policy information in the policy certificate.
Can be issued if there are multiple entities under a domain.
A certificate issued to *.example.com could be used to cover the following:
Wildcard certificates can lessen the administrative burden, due to not requiring a distinct certificate for each domain covered.
Certificates are signed by a higher-level CA, providing a root of trust or a known "trust
A company can create its own certificate for internal use inside the organization, and thus creates its own root node.
Certificates can be issued to machines/computers, allowing validation of either the machine certificate or the user certificate.
The CA's public key would be obtainable by examining a server's certificate.
Digital certificates can be used with e-mail systems for items such as digital signatures. It is common for a separate e-mail certificate to be used for identity associated with an e-mail.
If a user is able to successfully log on to the domain but is receiving a message that the e-mail certificate cannot be trusted or verified, a new e-mail certificate for that user needs to be published to the GAL (Global Address List).
Used to identify a user.
A certificate that forms the initial basis of trust in the trust chain.
What determines whether or not a system trusts a root certificate is whether or not the root certificate is in the system's store of trusted certificates.
Domain Validation Certificate
A low trust means of validation based on an application demonstrating control over a DNS domain.
Domain validation is typically used for TLS and can be automated via checks against a DNS record.
External Validation (EV) Certificate
Used for HTTPS websites and software to provide a high level of assurance as to the organization's identity.
Additional information is required prior to the certificate being issued.
Digital certificates are defined in RFC 5280 known as the X.509 v3 certificate and CRL profile.
Distinguished Encoding Rules (DER)
One of the Abstract Syntax Notation One (ASN.1) encoding rules that can be used to encode any data object into a binary file.
A DER file (.der extension) contains binary data and can be used for a single certificate.
Privacy Enhanced Electronic Mail (PEM)
The most common format used by CAs when issuing certificates. The PEM format for certificate data is used in multiple file types including .pem, .cer, .crt, and .key files.
The .cer file extension is used to denote an alternative form, from Microsoft, of CRT files. The .cer/.crt extension is used for certificates and may be encoded as binary DER or as ASCII PEM.
.cer is commonly associated with Windows systems
.crt is commonly associated with Unix systems
KEY (Certificate Format)
KEY files, denoted by the file extension .key, can be used both for public and private PKCS#8 keys. These may be encoded as binary DER or as ASCII PEM.
PFX (Certificate Format)
A PKCS#12 file is a portable file format with a .pfx extension. It is a binary format for storing the server certificate, intermediate certificate, and the private key in one file.
PFX files are typically used on Windows machines to import and export certificates and private keys.
P12 (Certificate Format)
An alternative file extension for the PKCS#12 file format.
P7B (Certificate Format)
PKCS#7 or P7B is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.
The most common formats that support P7B files are:
Microsoft Windows and Java Tomcat