Chapter 7 Cryptography and the PKI
64 Questions

Created by
@VitVargKW

Questions and Answers

What role does the OCSP server play in the certificate validation process?

  • It issues new digital certificates.
  • It confirms the revocation status of a user.
  • It verifies the validity of a digital certificate. (correct)
  • It generates timestamped responses for certificate authorities.

How does certificate stapling improve the process of validating digital certificates?

  • It reduces the number of requests made to the OCSP server. (correct)
  • It requires every user to contact the OCSP server independently.
  • It enables longer validity periods for digital certificates.
  • It allows users to skip the verification process entirely.

What is the significance of the timestamp included with the stapled OCSP response?

  • It ensures the signature authority was valid.
  • It determines how long the certificate will remain valid.
  • It indicates when the certificate was issued.
  • It verifies the OCSP response is recent and authentic. (correct)
What is a potentially negative consequence of not utilizing certificate stapling?

  • The OCSP server has to answer a status request from every client on its own. (correct)

What does the certificate authority (CA) sign in the certificate stapling process?

  • The OCSP response provided to the user. (correct)

Why is it beneficial for a stapled certificate to have a validity period of 24 hours?

  • It reduces the web server's requests to the OCSP server to just once per day. (correct)

What happens when a user requests a secure web connection and receives a stapled certificate?

  • The browser verifies both the certificate and the OCSP response. (correct)

What is the main purpose of the Online Certificate Status Protocol (OCSP)?

  • To verify the validity (revocation status) of digital certificates. (correct)

What are the implications of a certificate authority (CA) being removed from a major browser's list of trusted CAs?

  • It greatly limits the usability of certificates issued by that CA. (correct)

Why is proper validation of certificate requests essential for a certificate authority?

  • To maintain a trusted reputation and prevent business loss. (correct)

What could lead to the erroneous issuance of a digital certificate?

  • The CA mistakenly issued a certificate without proper verification. (correct)

What is a disadvantage of using Certificate Revocation Lists (CRLs)?

  • CRLs must be downloaded and cross-referenced periodically. (correct)

What is the primary function of certificate pinning?

  • To associate a specific site with its public key for security. (correct)

What is one common reason for a certificate authority to revoke a digital certificate?

  • The private key was compromised. (correct)

How does the Online Certificate Status Protocol (OCSP) improve upon CRLs?

  • It eliminates the CRL download latency by checking a certificate's status in real time. (correct)

How can digital certificate verification algorithms benefit users?

  • They verify digital signatures without user input. (correct)

What are the contents of a Certificate Revocation List (CRL)?

  • Serial numbers of revoked certificates along with their revocation dates. (correct)

What is the role of the Certificate Practice Statement (CPS)?

  • To outline the practices a CA employs for certificate management. (correct)

What was the outcome of the security failures involving Symantec certificates?

  • Symantec sold its certificate-issuing business to DigiCert. (correct)

What is the primary issue associated with OCSP servers?

  • Every client's status check places a significant burden on the OCSP server's resources. (correct)

What is a potential result of a Certificate Authority not being trusted?

  • Users will be warned against the CA's certificates. (correct)

What happens when a small lapse in the certificate issuance procedure occurs?

  • It can lead to significant security breaches. (correct)

Under what circumstance might a certificate be revoked?

  • If the subject's name has changed. (correct)

What does certificate pinning help to protect against?

  • Man-in-the-middle attacks. (correct)

What is the primary purpose of a root CA in the CA trust model?

  • To create subordinate intermediate CAs for certificate chaining. (correct)

What is the correct sequence for validating a digital certificate?

  • Verify the intermediate CA(s) first, then trace the trust path to the root CA. (correct)

What differentiates an internal CA from a third-party CA?

  • Internal CAs provide self-signed certificates that may not be trusted by external browsers. (correct)

What information do you provide to a CA during the enrollment process?

  • A Certificate Signing Request (CSR), which carries your public key. (correct)

What is a primary function of a Certificate Authority (CA)?

  • To facilitate notarization services for digital certificates. (correct)

What is certificate chaining?

  • Establishing a trust path from a root CA through intermediate CAs. (correct)

Which statement best explains the importance of trust in Certificate Authorities?

  • Trust is essential for the validity of any digital certificate issued. (correct)

What is the purpose of a Certificate Signing Request (CSR)?

  • To prove identity and provide the public key to the CA. (correct)

How do registration authorities (RAs) support Certificate Authorities (CAs)?

  • They validate user identities before certificates are issued. (correct)

Which of the following is NOT a method of identity verification for obtaining a digital certificate?

  • Confirmation of existing user accounts by email. (correct)

What is the role of an offline CA in a Certificate Authority's infrastructure?

  • To protect the root CA's private key from unauthorized access. (correct)

What action must a CA take if a digital certificate is compromised?

  • Revoke the compromised certificate to prevent further use. (correct)

Why might a digital certificate for www.cissp.certmike.com not be valid if issued for certmike.com?

  • The name in the certificate must match the host name; a certificate for certmike.com does not cover the subdomain www.cissp.certmike.com. (correct)

Which of the following is a widely accepted Certificate Authority?

  • IdenTrust (correct)

What is the effect of configuring a browser to trust a particular Certificate Authority?

  • The browser will automatically trust any certificates issued by that CA. (correct)

What is a potential consequence of a compromised Certificate Authority?

  • Mistrust can spread to all certificates issued by that CA. (correct)

What is the fundamental principle behind a substitution cipher?

  • It alters each character to another predetermined character. (correct)

In the Caesar cipher, what is the effect of a left shift of three on the letter 'D'?

  • A (correct)

Which method utilizes a shift of 13 to encrypt and decrypt messages?

  • ROT13 (correct)

What happens when the Caesar cipher reaches the end of the alphabet during encryption?

  • It wraps around to the beginning of the alphabet. (correct)

Which of the following best describes the difference between substitution and transposition ciphers?

  • Substitution ciphers replace characters, while transposition ciphers rearrange them. (correct)

Which of the following statements about ROT13 is accurate?

  • It decrypts messages by shifting letters 13 places in the opposite direction. (correct)

What is required to decrypt a message encoded with the Caesar cipher?

  • The number of positions shifted for encryption. (correct)

Which substitution cipher was used historically by Julius Caesar?

  • Caesar cipher (correct)

What is the primary role of a cryptographic key in encryption?

  • It maintains the security of the encryption process. (correct)

How is the key space for a cryptographic algorithm defined?

  • By the number of bits in the key. (correct)

What does the Kerckhoffs' principle imply about cryptographic systems?

  • The system is secure even if the algorithm is public. (correct)

What is a potential consequence of not adequately protecting cryptographic keys?

  • Compromise of the entire encryption process. (correct)

Which of the following statements best describes a cipher's function?

  • A cipher is a method that can secure data by modifying its structure. (correct)

What is the maximum value for a 256-bit cryptographic key?

  • $2^{256} - 1$ (the key space runs from 0 to $2^{256} - 1$, so there are $2^{256}$ possible keys). (correct)

What aspect of a cryptographic algorithm does the term 'key length' refer to?

  • The total number of bits in the key. (correct)

Why is it said that all cryptographic security relies on key secrecy?

  • If the algorithm is public, the key must be secret to maintain security. (correct)

What is the primary focus of early cryptographic efforts?

  • Confidentiality of messages. (correct)

Which method relies on scrambling text without the use of mathematics?

  • Classical cryptography methods. (correct)

What distinguishes a substitution cipher from a transposition cipher?

  • A substitution cipher alters character values; a transposition cipher changes their positions. (correct)

Which of the following best describes the Caesar cipher?

  • A cipher that substitutes characters based on a fixed shift. (correct)

What is a characteristic of the Vigenère cipher?

  • It employs a keyword to determine the letter offset. (correct)

How do modern cryptographic methods primarily differ from historical methods?

  • Modern cryptography mostly incorporates advanced mathematical techniques. (correct)

Which of the following statements about ciphers is accurate?

  • Ciphers are methods used to scramble or obfuscate characters to hide their value. (correct)

What is the main challenge faced by cryptographers in modern times?

  • Utilizing sophisticated encryption to protect data from advanced threats. (correct)

    Study Notes

    Digital Certificate Verification

    • Certificates like those issued to Bill Jones vouch for associated personal information, including name, address, and telephone number.
    • Most web browsers and email clients have built-in digital certificate verification algorithms, simplifying the user's experience.
    • Understanding underlying technical details helps organizations make informed security decisions.

    Importance of Trusted Certificate Authorities (CAs)

    • Choosing a widely trusted CA is crucial for the effectiveness of the certificate.
    • A CA's removal from a major browser's trusted list can severely limit a certificate's utility.

    Significant Events in Digital Certificate Security

    • In 2017, Symantec faced a security crisis due to allegations of issuing substandard certificates.
    • Google’s Chrome stopped trusting Symantec certificates, forcing Symantec to sell its issuing business to DigiCert.
    • Importance of rigorous validation processes is emphasized, as lapses can severely damage a CA's reputation.

    Certificate Pinning

    • Certificate pinning associates a site with its public key for an extended period, so a client that later sees a certificate for that site carrying a different key can detect the unauthorized change (for example, a fraudulently issued certificate used in a man-in-the-middle attack).

    Certificate Revocation

    • CAs may revoke a certificate if its private key is compromised, if it was issued erroneously, or if the subject's details (such as the name) change.
    • The CA must act on a revocation request within the grace period defined in its Certificate Practice Statement (CPS).

    Certificate Validity Verification Techniques

    • Certificate Revocation Lists (CRLs) list the serial numbers of revoked certificates with their revocation dates; clients must download the CRL and check against it periodically, which introduces latency between a revocation and its enforcement.
    • Online Certificate Status Protocol (OCSP) lets a client ask the CA's OCSP server for the status of a specific certificate in real time, removing that latency but placing load on the OCSP server for every check.
    • Certificate stapling reduces that load: the web server obtains a timestamped, CA-signed OCSP response for its own certificate (for example once every 24 hours) and presents it alongside the certificate, so the browser verifies both without contacting the OCSP server itself.

    Certificate Authorities Structure and Function

    • The root CA, kept offline, signs the certificates of subordinate intermediate CAs, which do the day-to-day issuing of certificates.
    • Validation involves checking the identity of intermediary CAs and tracing the trust path back to a root CA.

    Internal Certificate Authorities (CAs)

    • Organizations can establish internal CAs for internal certificate issuance, saving on costs associated with third-party certificates, although these may not be trusted outside the organization.

    Certificate Enrollment Process

    • Obtaining a digital certificate requires proving identity to the CA's satisfaction, by appearing in person with identification documents or by an alternative verification method the CA accepts.
    • The applicant then submits a Certificate Signing Request (CSR) containing the public key; the private key stays with the applicant and is never sent to the CA.

    Certificate Authority and Trust Relationships

    • Major CAs include IdenTrust, Amazon Web Services, DigiCert Group, and others, providing widely trusted certificates.
    • Trust in a CA is crucial; if a CA's name is unrecognized, the associated certificate should not be trusted.
    • Browsers are pre-configured to trust established CAs, alleviating individual user burdens.

    Role of Registration Authorities (RAs)

    • RAs assist CAs in verifying user identities prior to certificate issuance, not issuing certificates directly but facilitating the certification process.

    Security of CA Private Keys

    • CAs must safeguard their private keys to maintain trust. The root CA's key anchors the trust of every certificate in the hierarchy, so it is usually kept on an offline CA that is brought up only to sign intermediate CA certificates.

    Ciphering Process

    • Ciphering scrambles messages using a specific algorithm or cipher.
    • Two main types of ciphering methods: substitution and transposition.

    Substitution Ciphers

    • Substitution ciphers change characters or symbols into others.
    • The Caesar cipher shifts letters a certain number of spaces; Julius Caesar used a shift of three.
    • Example: "I WILL PASS THE EXAM" becomes "L ZLOO SDVV WKH HADP" with a shift of three.
    • Decryption reverses the shift by moving letters back to their original positions.

    ROT13 Cipher

    • ROT13 is a substitution cipher that rotates each letter 13 places in the alphabet.
    • An A turns into an N, a B into an O, etc.
    • Because the alphabet has 26 letters, applying ROT13 twice returns the original message.
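The substitution ciphers above, implemented with standard Unix tools (tr, cut and awk) as an added example that is not part of the quiz page. It encrypts the notes' "I WILL PASS THE EXAM" with a shift of three, decrypts it, and shows that ROT13 undoes itself; it then goes further than the notes in two ways: a brute-force loop over all 26 shifts, which is the reason a cipher whose entire key space is 26 values offers no security, and the Vigenère keyword cipher that the quiz asks about. All inputs are constructed inline; the only text taken from the page is the example sentence.

```shell
#!/bin/sh
# Added example, not code from the quiz page. Classical substitution ciphers
# with standard Unix tools: a Caesar shift (the notes' shift of three), ROT13
# as the special case shift=13, a brute-force attack that tries all 26 shifts,
# and (beyond the notes) the Vigenere keyword cipher from the quiz.
# Letters only; other characters pass through unchanged.
set -e

UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# Alphabet rotated left by N: shift 3 gives DEFG...ZABC.
rotated() {
  printf '%s%s' "$UPPER" "$UPPER" | cut -c"$(($1 + 1))-$(($1 + 26))"
}

# Encrypt stdin with a Caesar shift of N (0..25), upper and lower case.
caesar() {
  r=$(rotated "$(($1 % 26))")
  tr "$UPPER$(printf '%s' "$UPPER" | tr 'A-Z' 'a-z')" \
     "$r$(printf '%s' "$r" | tr 'A-Z' 'a-z')"
}

# Decrypting a shift of N is the same as encrypting with a shift of 26-N.
caesar_decrypt() { caesar "$(( (26 - $1 % 26) % 26 ))"; }

# ROT13 is its own inverse: 13 + 13 = 26 = one full turn of the alphabet.
rot13() { caesar 13; }

# The attack a 26-value key space invites: the attacker needs no key at all,
# only 26 guesses. Prints "shift: candidate plaintext" for every shift.
brute_force() {
  text=$(cat); s=0
  while [ "$s" -lt 26 ]; do
    printf '%2d: %s\n' "$s" "$(printf '%s' "$text" | caesar_decrypt "$s")"
    s=$((s + 1))
  done
}

# Vigenere: each letter is Caesar-shifted by the matching keyword letter
# (A=0 .. Z=25), the keyword repeating; mode is enc or dec. Output is upper case.
vigenere() {
  awk -v key="$1" -v mode="$2" '
  BEGIN { A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; key = toupper(key); klen = length(key) }
  {
    out = ""; k = 0
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1); p = index(A, toupper(c))
      if (p == 0) { out = out c; continue }
      s = index(A, substr(key, (k % klen) + 1, 1)) - 1
      if (mode == "dec") s = 26 - s
      out = out substr(A, ((p - 1 + s) % 26) + 1, 1)
      k++
    }
    print out
  }'
}

printf 'I WILL PASS THE EXAM' | caesar 3; echo           # L ZLOO SDVV WKH HADP
printf 'L ZLOO SDVV WKH HADP' | caesar_decrypt 3; echo   # I WILL PASS THE EXAM
printf 'HELLO' | rot13 | rot13; echo                     # HELLO
printf 'L ZLOO SDVV WKH HADP' | brute_force | grep '^ 3:' # only shift 3 reads as English
printf 'ATTACKATDAWN\n' | vigenere LEMON enc            # LXFOPVEFRNHR
```

Run brute_force without the grep to see all 26 candidates; only one of them is readable, which is exactly the check an attacker performs. The Vigenère keyword stretches the key space to 26 to the power of the keyword length, but a repeating keyword still leaks its period through letter frequencies, which is why modern ciphers rely on mathematics rather than on a longer keyword.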

    Cryptography Goals

    • Authentication uses cryptography to validate the identity of a user or system.
    • Nonrepudiation gives the recipient proof that a message came from the claimed sender, who cannot later deny having sent it.
    • Different cryptographic systems target different subsets of these goals (confidentiality, integrity, authentication, nonrepudiation); cryptography does not address the CIA triad's "availability."

    Historical Context of Cryptography

    • Cryptography dates back 4,000 years, focusing initially on confidentiality.
    • Early methods used basic techniques easily broken; modern cryptography employs sophisticated algorithms.
    • Historical methods relied on text scrambling rather than mathematics.

    Cryptographic Algorithm Overview

    • A cipher scrambles characters to hide their value, producing ciphertext from plain-text using an algorithm.
    • Sending parties encrypt messages, while recipients decrypt them using predetermined algorithms.

    Cryptographic Keys

    • Cryptographic algorithms use keys, which are essentially large binary numbers drawn from a defined key space.
    • The key space is set by the key length: an n-bit key can take any value from 0 to 2^n - 1, so there are 2^n possible keys.
    • Example: a 128-bit key can take any of 2^128 (approximately 3.4 x 10^38) values.
    • Protecting the confidentiality of secret keys is vital for overall security.

    Kerckhoffs’ Principle

    • All cryptographic systems depend on algorithms—a set of rules for encoding and decoding messages.
    • Kerckhoffs’ principle asserts that systems should remain secure even if the algorithm is public; only the key remains secret.
    • This principle promotes transparency, allowing examination and testing of algorithms by cryptographers.

    Description

    This quiz covers the essentials of digital certificate verification, including the role of trusted Certificate Authorities (CAs) and the importance of certificates in verifying personal information online. Understanding these concepts is crucial for making informed security decisions in organizations.
