Chapter 4: ADVANCED CRYPTOGRAPHY AND PKI

A certificate repository (CR) is a publicly accessible centralized directory of digital certificates.
-True
-False
Answer: True
Terms in this set (50)
Cipher Block Chaining (CBC) is a common cipher mode. After being encrypted, each ciphertext block is "fed back" into the encryption process to encrypt the next plaintext block: each block of plaintext is XORed with the previous block of ciphertext before being encrypted, and an initialization vector (IV) stands in for the "previous ciphertext" of the first block. Unlike ECB, in which a ciphertext block depends only upon its own plaintext block and the key (so identical plaintext blocks produce identical ciphertext blocks), a CBC ciphertext block also depends on the previous ciphertext block, which hides those repeated patterns. CBC on its own provides confidentiality only; tampering with a ciphertext block is not detected unless a MAC or an authenticated mode such as Galois/Counter is used.
(Page 150)
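To see the difference the card describes, here is an added example (not from the textbook this set summarizes) that runs ECB and CBC over a toy 8-byte block cipher. The toy cipher, the key `KEY` and the plaintext are constructed for the demo and are not a real cipher; the ECB/CBC chaining logic itself is the standard construction and would work unchanged with a real block cipher substituted for `toy_encrypt_block`/`toy_decrypt_block`.

```python
"""ECB versus CBC, shown with a toy 8-byte block cipher.

Added example. The block cipher below is a deliberately trivial keyed
permutation (XOR with the key, then a byte rotation), NOT a real cipher;
it exists only so the mode logic can run without third-party packages.
"""
import os

BLOCK = 8                  # toy block size in bytes
KEY = b"k3y!k3y!"          # constructed demo key (key[0] = 0x6B -> rotate by 3)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy cipher: XOR with key, then rotate left by key[0] % BLOCK bytes."""
    assert len(key) == BLOCK and len(block) == BLOCK
    r = key[0] % BLOCK
    mixed = _xor(block, key)
    return mixed[r:] + mixed[:r]


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: rotate right, then XOR with key."""
    r = key[0] % BLOCK
    unrotated = block[BLOCK - r:] + block[:BLOCK - r]
    return _xor(unrotated, key)


def pad(data: bytes) -> bytes:
    """PKCS#7: always append 1..BLOCK bytes, each equal to the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext
    blocks give equal ciphertext blocks and the structure leaks."""
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(toy_decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv=None) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block
    (the IV for the first block) before encrypting it. The IV is sent in
    the clear as the first block so the receiver can start the chain."""
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, [iv]
    for block in _blocks(pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(block, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """Decrypt each block, then XOR with the previous *ciphertext* block."""
    iv, ct = data[:BLOCK], data[BLOCK:]
    prev, out = iv, []
    for block in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def demo() -> dict:
    msg = b"ATTACKATDAWN" * 4      # constructed plaintext with repeating blocks
    ecb = ecb_encrypt(KEY, msg)
    cbc = cbc_encrypt(KEY, msg)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 3: the repetition shows through
        "cbc_repeats": repeated_blocks(cbc),   # 0: chaining hides it
        "ecb_roundtrip": ecb_decrypt(KEY, ecb) == msg,
        "cbc_roundtrip": cbc_decrypt(KEY, cbc) == msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The plaintext repeats every 24 bytes (three blocks), so ECB emits the same three ciphertext blocks twice, while CBC, even with a fixed IV, produces eight distinct blocks. Note that `unpad` raises on bad padding; in a real system that error must not be distinguishable to a remote attacker, which is one of the reasons practitioners prefer an authenticated mode over bare CBC.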
There are multiple entities that make up strong certificate management. These include a certificate repository and a means for certificate revocation.
--Certificate Repository (CR)--
A certificate repository (CR) is a publicly accessible centralized directory of digital certificates that can be used to view the status of a digital certificate. This directory can be managed locally by setting it up as a storage area that is connected to the CA server.
--Certificate Revocation--
Digital certificates normally have an expiration date, such as one year from the date they were issued. However, there are circumstances that might be cause for the certificate to be revoked before it expires. Some reasons are benign, such as when the certificate is no longer used or details in the certificate, such as the user's address, have changed. Other circumstances are more dangerous. For example, if someone were to steal a user's private key, the thief could impersonate the victim by using the victim's digital certificate, and other users would be unaware of it. Worse, what would happen if a CA's own private signing key were stolen? The thieves could then issue certificates to themselves that would be trusted by unsuspecting users. It is important that the CA publishes approved certificates as well as revoked certificates in a timely fashion; otherwise, relying parties may keep trusting a certificate that should no longer be trusted and security may be compromised.
(Page 156)
List the four stages of a certificate life cycle.
1. Creation. 2. Suspension. 3. Revocation. 4. Expiration. (Page 170)

List the three PKI trust models that use a CA.
Essentially three PKI trust models use a CA: the hierarchical trust model, the distributed trust model, and the bridge trust model. (Page 167)

Root digital certificates should never be self-signed.
-True
-False
Answer: False (a root certificate is self-signed; it is trusted because it is installed in the trust store, not because another CA vouches for it)

Select the secure alternative to the telnet protocol:
-HTTPS
-TLS
-IPsec
-SSH
Answer: SSH

Select the term that is used to describe a trusted third-party agency that is responsible for issuing digital certificates:
-Registration Authority
-Delegation Authority
-Certification Authority
-Participation Authority
Answer: Certification Authority

Some CAs issue only entry-level certificates that provide domain-only validation.
-True
-False
Answer: True

Some cryptographic algorithms accept or require another input value (such as an IV or nonce) in addition to the key.
-True
-False
Answer: True

SSL v3.0 served as the basis for TLS v1.0.
-True
-False
Answer: True

Stream ciphers work on multiple characters at a time.
-True
-False
Answer: False

The Authentication Header (AH) protocol is a part of what encryption protocol suite below?
-TLS 3.0
-IPSec
-GPG
-SSL
Answer: IPSec

The process by which keys are managed by a third party, such as a trusted CA, is known as?
-Key escrow
-Key destruction
-Key renewal
-Key management
Answer: Key escrow

What allows an application to implement an encryption algorithm for execution?
-Counters
-Crypto service providers
-Initialization vectors
-Crypto modules
Answer: Crypto service providers

What are the three areas of protection provided by IPsec?
IPsec provides three areas of protection that correspond to three IPsec protocols: 1. Authentication. 2. Confidentiality. 3. Key management. (Page 178)

What block cipher mode of operation encrypts plaintext and computes a message authentication code to ensure that the message was created by the sender and that it was not tampered with during transmission?
-Electronic Code Book
-Galois/Counter
-Cipher Block Chaining
-Counter
Answer: Galois/Counter

What block cipher mode of operation uses the most basic approach, where the plaintext is divided into blocks and each block is then encrypted separately?
-Electronic Code Book
-Galois/Counter
-Cipher Block Chaining
-Counter
Answer: Electronic Code Book

What common method is used to ensure the security and integrity of a root CA?
-Keep it in an offline state from the network.
-Only use the root CA infrequently.
-Password protect the root CA.
-Keep it in an online state and encrypt it.
Answer: Keep it in an offline state from the network.

What cryptographic transport algorithm is considered to be significantly more secure than SSL?
-AES
-HTTPS
-ESSL
-TLS
Answer: TLS

What is a cipher suite?
A cipher suite is a named combination of the encryption, authentication, and message authentication code (MAC) algorithms that are used with SSL and TLS. (Page 175)

What is a cryptographic key?
A cryptographic key is a value that serves as input to an algorithm, which then transforms plaintext into ciphertext (and vice versa for decryption). A key, which is essentially a random string of bits, serves as an input parameter for symmetric and asymmetric cryptographic algorithms and selected hash algorithms. (Page 147)

What is a value that can be used to ensure that plaintext, when hashed, will not consistently result in the same digest?
-Salt
-Initialization vector
-Counter
-Nonce
Answer: Salt

What is the S/MIME protocol used for?
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol for securing email messages. It allows users to send encrypted messages that are also digitally signed. (Page 177)

What is used to create session keys?
-Master secret
-Crypto modules
-Validation
-Domain validation
Answer: Master secret

What kind of digital certificate is typically used to ensure the authenticity of a web server to a client?
-Private
-Web server
-Public web
-Client
Answer: Web server

What length SSL and TLS keys are generally considered to be strong?
-128
-1024
-2048
-4096
Answer: 4096

What process links several certificates together to establish trust between all the certificates involved?
-Certificate pairing
-Certificate linking
-Certificate joining
-Certificate chaining
Answer: Certificate chaining

What process will remove all private and public keys along with the user's identification information in the CA?
-Suspension
-Deletion
-Destruction
-Revocation
Answer: Destruction

What protocol below supports two encryption modes: transport and tunnel?
-HTTPS
-IPSec
-SSL
-TLS
Answer: IPSec

What protocol, developed by Netscape in 1994, is designed to create an encrypted data path between a client and server that could be used on any platform or operating system?
-SSL
-TLS
-PEAP
-EAP
Answer: SSL

What protocol uses SSL or TLS to secure communications between a browser and a web server?
Hypertext Transport Protocol Secure (HTTPS) (Page 176)

What role does a key recovery agent fulfill in an enterprise environment?
Some CA systems have an embedded key recovery system in which a key recovery agent (KRA) is designated. The KRA is a highly trusted person responsible for recovering lost or damaged digital certificates (in practice, the private keys that go with them, typically from an escrowed copy). (Page 173)

What term best represents the resiliency of a cryptographic key to attacks?
-Key bits
-Key resiliency
-Key strength
-Key space
Answer: Key strength

What type of trust model has a single CA that acts as a facilitator to interconnect all other CAs?
-Bridge trust
-Distributed trust
-Third-party trust
-Transitive trust
Answer: Bridge trust

What type of trust model is used as the basis for most digital certificates used on the Internet?
-Third-party trust
-Related trust
-Managed trust
-Distributed trust
Answer: Distributed trust

When two individuals trust each other because of the trust that exists between the individuals and a separate entity, what type of trust has been established?
-Web of
-Mutual
-Third-party
-Distributed
Answer: Third-party

Which of the following certificates are self-signed?
-Trusted digital certificates
-Root digital certificates
-Web digital certificates
-User digital certificates
Answer: Root digital certificates

Which of the following certificates verifies the identity of the entity that has control over the domain name?
-Validation digital certificate
-Root digital certificate
-Domain validation digital certificate
-Web digital certificate
Answer: Domain validation digital certificate

Which of the following is an enhanced type of domain digital certificate?
-Primary Validation
-Extended Validation
-Authorized Validation
-Trusted Validation
Answer: Extended Validation

Which of the following is an input value that must be unique within some specified scope, such as for a given period or an entire session?
-Salt
-Initialization vector
-Counter
-Nonce
Answer: Nonce

Which of the following is a valid way to check the status of a certificate? (Choose all that apply.)
-Online Certificate Status Protocol
-Certificate Revocation Authority
-Certificate Revocation List
-Revocation List Protocol
Answer: Online Certificate Status Protocol; Certificate Revocation List

Why is IPsec considered to be a transparent security protocol?
-IPsec packets can be viewed by anyone.
-IPsec is designed to not require modifications of programs, or additional training, or additional client setup.
-IPsec's design and packet header contents are open sourced technologies.
-IPsec uses the Transparent Encryption (TE) algorithm.
Answer: IPsec is designed to not require modifications of programs, or additional training, or additional client setup.
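The certificate-revocation passage above and the cards on self-signed roots, certificate chaining and CRL status checks describe one mechanism from several angles. The following added example (not code from the textbook this set summarizes) ties them together with the third-party `cryptography` package, which it assumes is installed: it builds a self-signed root, chains an intermediate and a leaf under it, verifies the chain link by link, and then checks the leaf against a CRL signed by the CA. The CA names, hostnames and lifetimes are constructed for the demo.

```python
"""Self-signed root, certificate chaining and CRL revocation with `cryptography`.

Added example (pip install cryptography). Names and lifetimes are constructed.
A real deployment keeps the root key offline (see the root CA card) and issues
leaves from an intermediate, which is what the chain below models.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc)


def _builder(subject, issuer, pubkey, is_ca, days):
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=1))
        .not_valid_after(_now() + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )


def make_root_ca(cn="Demo Root CA"):
    """A root is self-signed: issuer == subject and it signs with its own key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(cn), _name(cn), key.public_key(), True, 3650).sign(key, hashes.SHA256())
    return key, cert


def issue_cert(issuer_key, issuer_cert, cn, is_ca=False, days=365):
    """Issue a certificate for a fresh key pair, signed by issuer_key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = _builder(_name(cn), issuer_cert.subject, key.public_key(), is_ca, days)
    return key, builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer_cert) -> bool:
    """True if cert names issuer_cert as its issuer AND the signature over the
    to-be-signed bytes verifies under issuer_cert's public key."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def is_self_signed(cert) -> bool:
    return signed_by(cert, cert)


def _is_ca(cert) -> bool:
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def verify_chain(chain, trusted_roots) -> bool:
    """chain = [leaf, intermediate, ...] without the root. Every link must
    verify, every signer must be a CA, and the top must be signed by a root
    that is in the trust store (not merely self-signed by anyone)."""
    for child, parent in zip(chain, chain[1:]):
        if not (_is_ca(parent) and signed_by(child, parent)):
            return False
    return any(_is_ca(root) and signed_by(chain[-1], root) for root in trusted_roots)


def build_crl(ca_key, ca_cert, revoked_serials):
    """CA-signed CRL listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(_now())
               .next_update(_now() + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())


def is_revoked(cert, crl, ca_cert) -> bool:
    """Verify the CRL's own signature first; a forged CRL could otherwise hide
    a revocation (or fake one)."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL not issued by this CA or its signature is invalid")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


if __name__ == "__main__":
    root_key, root = make_root_ca()
    inter_key, inter = issue_cert(root_key, root, "Demo Issuing CA", is_ca=True, days=1825)
    _, leaf = issue_cert(inter_key, inter, "www.example.test")
    print("root self-signed:", is_self_signed(root))
    print("chain valid:", verify_chain([leaf, inter], [root]))
    print("revoked:", is_revoked(leaf, build_crl(inter_key, inter, [leaf.serial_number]), inter))
```

Two details matter in practice: `verify_chain` rejects a chain whose signer lacks `BasicConstraints ca=TRUE`, so a stolen web-server key cannot be used to mint trusted certificates for other names, and `is_revoked` refuses to consult a CRL that is not validly signed by the issuing CA. A production verifier also checks validity periods, name constraints and the intended key usage, which this demo leaves out.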