Module 1-5b Public Key Infrastructure (PKI) Overview
24 Questions

Questions and Answers

What is the primary function of a symmetric key in PKI?

  • It is only applicable for digital signature certificates.
  • It is used for both encryption and decryption. (correct)
  • It can only be used for encryption.
  • It requires users to have different keys.

Which of the following best describes the role of the Certification Authority (CA) in PKI?

  • It encrypts messages for secure communication.
  • It manages the hardware infrastructure of the PKI.
  • It is responsible for generating all symmetric keys.
  • It issues digital certificates to verify identities. (correct)

What is a key characteristic of the Common Access Card (CAC) in the DoD PKI program?

  • It eliminates the need for user names and passwords for network logins. (correct)
  • It must be used in combination with a username.
  • It is issued only to contractors, not permanent employees.
  • It can only be used for email encryption.

How does the DoD PKI manage personnel information for CAC issuance?

  • Via 1800 computer terminals linked to the PKI architecture.

Which factor is NOT part of Public-Key Infrastructure (PKI) components?

  • User passwords saved on local servers.

What distinguishes asymmetric keys from symmetric keys in PKI?

  • Asymmetric keys require the use of different keys for encryption and decryption.

What kind of credential is NOT provided by the DoD PKI program?

  • Network monitoring credential.

What is a key purpose of encryption algorithms in PKI?

  • To secure data transmission through encryption and decryption processes.

What is a primary function of asymmetric keys in encryption?

  • To offer advantages of authentication and nonrepudiation

Which component of the PKI infrastructure is responsible for issuing certificates?

  • Registration Authority (RA)

How does the PKI system utilize the advantages of both symmetric and asymmetric encryption?

  • By encrypting the symmetric key with the recipient's public key

What ensures the integrity of a public key in the PKI infrastructure?

  • Completion of a certification process by a Certification Authority (CA)

What is the primary purpose of the Certificate Database in PKI infrastructure?

  • To maintain a record of issued and revoked certificates

Which one of the following statements about the Certificate Authority (CA) is correct?

  • The CA serves as the root of trust within the PKI system

What does the Key Archival Server provide in the context of PKI?

  • It archives encrypted private keys for disaster recovery

In a PKI environment, what role does a subordinate CA typically serve?

  • To issue certificates under the authority of a root CA

What is the primary purpose of a Certification Authority (CA)?

  • To verify and authenticate the identity of users and their public keys

Which process involves the verification of a digital certificate's validity?

  • Certificate Revocation List (CRL) usage

In the context of PKI, which statement is true regarding symmetrical and asymmetrical keys?

  • Asymmetrical keys allow for secure communication without a prior exchange of keys

What does the CAC stand for, and what is its role?

  • Common Access Card, providing non-cryptographic data management

What is contained within a Certificate Revocation List (CRL)?

  • Data of revoked certificates and their reasons for revocation

Which of the following statements best describes middleware?

  • Middleware acts as a bridge between the operating system and other applications.

What is the consequence of revoking a digital certificate?

  • The certificate can no longer be trusted or used for secure transactions.

Which component is responsible for issuing certificates to users in a PKI infrastructure?

  • Certificate Authority (CA)

Study Notes

Public Key Infrastructure (PKI)

• The Department of Defense (DoD) implemented a PKI program in the late 1990s to replace the User ID/Password authentication method for its communications and computer networks.
• The DoD PKI program is overseen by the National Security Agency (NSA) and the Defense Information Systems Agency (DISA).
• The program had issued over 16 million PKI certificates and nearly 7 million Common Access Cards (CACs) by 2005.
• PKI credentials include an identity credential or certificate for each employee CAC, an email encryption certificate, and a digital signature certificate for personnel with email accounts.
• PKI leverages symmetric and asymmetric algorithms to generate keys for authentication and message encryption.
• Symmetric key schemes use a single key for both encryption and decryption.
• Asymmetric key schemes consist of a public key (freely available) and a private key (kept secret).
• Asymmetric keys offer authentication and non-repudiation but are slower than symmetric keys.
• PKI combines asymmetric and symmetric encryption for security and speed.
• The integrity of the public key is assured through a certification process conducted by a Certification Authority (CA).

PKI Infrastructure

• The PKI infrastructure consists of five components:
  • Certification Authority (CA): Serves as the root of trust for authenticating identities.
  • Registration Authority (RA): Issues certificates under the CA's authorization. In Microsoft PKI, it's a subordinate CA.
  • Certificate Database: Stores issued and revoked certificates.
  • Certificate Store: Holds issued certificates and pending/rejected requests.
  • Key Archival Server: Stores encrypted private keys for disaster recovery.

Certificate Authority (CA) Server

• The CA publishes PKI digital certificates upon issuance.
• It acts as a repository for certificates.
• It ensures the authenticity of cryptographic connections, data encryption, and public/private key information for encryption.

Certificate Revocation List (CRL)

• Certificates can be revoked before their expiration date for reasons such as compromised private keys or untrustworthy entities.
• The CRL distributes revocation information to ensure the validity of certificates.
• It notifies the community about revoked certificates.

CAC Middleware

• It provides services beyond the operating system for software applications.
• It acts as a bridge between the operating system and other applications, or between two applications.
• CAC middleware interfaces with host applications and the Common Access Card (CAC).
• It provides access to cryptographic services, CAC data, and CAC management features.

Cryptographic Services

• These are functions for cryptographic operations, such as signing and encrypting emails.

CAC Data

• It refers to non-cryptographic data stored on the Common Access Card (CAC), such as name, rank, and identifier.


Description

This quiz explores the fundamentals of Public Key Infrastructure (PKI), focusing on its implementation by the Department of Defense and the role of the National Security Agency. It covers the issuance of PKI certificates, types of credentials, and the cryptographic algorithms used in PKI systems. Test your knowledge on these key aspects of cybersecurity!
