Public Key Infrastructure (PKI) Quiz
16 Questions

Questions and Answers

What is the primary purpose of a Public Key Infrastructure (PKI)?

  • To manage hardware components in a network.
  • To facilitate secure electronic communication. (correct)
  • To maintain digital certificates only.
  • To enforce user password policies.

Which component of a PKI is responsible for issuing and signing digital certificates?

  • Validation Authority (VA)
  • Certificate Authority (CA) (correct)
  • Registration Authority (RA)
  • Encryption Authority (EA)

What must a person present to the Registration Authority (RA) when requesting a personal certificate?

  • A social security card.
  • A government-issued identification.
  • A passport or similar identification. (correct)
  • Proof of address document.

What does the PKI bind public keys to?

Identities. (A)

Which of the following is NOT a component of a standard PKI design?

Identity Authority (IA) (A)

In what situation is a PKI particularly necessary?

For security in electronic transactions. (A)

How is proof of ownership of a public key established within a PKI?

Through the issuance of a certificate. (D)

What is required for a web server to request a certificate from a CA like Let's Encrypt?

Registration of a public key. (A)

What is required to verify the validity of a request for a certificate?

Access to the server must be proven. (D)

Which of the following is a challenge used by Let's Encrypt for certificate requests?

HTTP-01 (A)

What is the role of the Validation Authority (VA) in a PKI design?

To verify the validity of issued certificates. (A)

What happens if a Certificate Authority's root certificate is compromised?

All certificates issued by the CA must be revoked. (A)

In the Web of Trust model, what does Alice need to do to trust Bob's public key?

Sign Bob's public key. (B)

Which of the following is a disadvantage of using a CA as a root of trust?

Trust is centralized around the CA. (B)

What is the main purpose of DNS-01 challenge in certificate requests?

To set up a special DNS record. (D)

Which statement about the CA, RA and VA is correct?

The VA verifies issued certificates. (B)

Flashcards

What is a Public Key Infrastructure (PKI)?

A PKI is a system of roles, policies, and tools used to create, manage, distribute, and revoke digital certificates for public-key encryption.

What's the purpose of a PKI?

PKIs enable secure communication and transactions online, especially in situations where simple passwords aren't enough.

How does a PKI work with public keys?

A PKI binds public keys to verified identities. It acts as a registry for verifying ownership of public keys.

What is a Certificate Authority (CA)?

The CA is a trusted third-party organization that issues and manages digital certificates.

What is a Registration Authority (RA)?

The RA verifies the identity of individuals or organizations requesting certificates.

What is a Validation Authority (VA)?

A VA is an optional component of a PKI that checks the validity of certificates and data.

Why is a CA trusted?

Both the owners and verifiers of certificates must trust the CA to ensure the validity and integrity of the certificates.

How are certificates issued for web servers?

Instead of physical documentation, web servers rely on digital methods, such as proving domain control, to establish their identity when requesting a certificate.

Certificate Requestor

The entity that initiates a request for a digital certificate. For example, a website owner requesting a certificate for their website.

Certificate Server Validation

The process of verifying the identity and legitimacy of the server that is requesting a digital certificate.

Let's Encrypt Challenges

Methods used by Let's Encrypt, a popular Certificate Authority, to verify control over a domain when requesting a certificate. These challenges involve specific actions on the server or DNS records.

HTTP-01 Challenge

A Let's Encrypt challenge that requires a specific file to be accessible at a designated path on the webserver.

DNS-01 Challenge

A Let's Encrypt challenge that requires a specific DNS record (a type of data in the Domain Name System) to be set for the domain.

Validation Authority (VA)

An entity responsible for verifying the validity of issued certificates. It receives a list of revoked certificates from the Certificate Authority (CA).

Web of Trust

A decentralized trust model where users directly vouch for each other's identities. It's an alternative to a centralized trust model.

Trust in a Web of Trust

In a web of trust, trust is established through a series of endorsements. If Alice trusts Bob and Bob trusts Carol, then Alice can indirectly trust Carol.

Study Notes

Public Key Infrastructures (PKI)

  • PKI is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
  • The purpose of PKI is to facilitate secure electronic communication for electronic transactions (e.g., banking, shopping). It's essential when simple password authentication isn't sufficient.
  • From a process perspective, PKI links public keys to identities. A public key must be registered within the PKI, proving the identity of the key's owner.
  • Successful registration results in a certificate that verifies the public key's ownership.

PKI Components

  • A PKI consists of several components:
    • Certificate Authority (CA): Stores, issues, and signs digital certificates. The CA acts as a trusted third party. Both the owner and verifier of a certificate must trust the CA.
    • Registration Authority (RA): Verifies the identity of individuals or organizations requesting a certificate. For personal certificates, the requester must be physically present and show identification (e.g., passport). For functional certificates, other identity verification methods are used. Verification of identity using Let's Encrypt involves specific challenges (HTTP-01 and DNS-01) to prove access to the server.
    • Validation Authority (VA): Verifies the validity of issued certificates. The CA provides a list of revoked certificates to the validation authority. Crucially, the validation authority is publicly accessible.

Problems with a CA

  • Relying on a single Certificate Authority (CA) as the root of trust has drawbacks:
    • Every party must trust the CA.
    • If the CA's root certificate is compromised, every other certificate issued by that CA must be revoked.

Alternative to a CA: Web of Trust

  • Web of Trust is a decentralized trust model.
  • Basic idea: Alice signs Bob's public key; if Carol trusts Alice, she also trusts Bob's public key.
  • Alice needs a trustworthy method for verifying Bob's public key.
  • Trust can be direct or indirect, potentially involving multiple individuals or entities.

Description

Test your knowledge on Public Key Infrastructure (PKI) and its components. This quiz covers the roles, policies, and procedures that ensure secure communication for electronic transactions. Understand the significant elements like Certificate Authorities and Registration Authorities within a PKI system.
