When a user wants to participate in a PKI, what component does he or she need to obtain, and how does that happen?

A. The user submits a certification request to the CA. 

B. The user submits a key pair request to the CRL.

C. The user submits a certification request to the RA.

D. The user submits proof of identification to the CA.

C. 

The user must submit identification data and a certification request to the registration authority (RA). The RA validates this information and sends the certification request to the certificate authority (CA).

How does a user validate a digital certificate that is received from another user?

A. The user will first see whether her system has been configured to trust the CA that digitally signed the other user’s certificate and will then validate that CA’s digital signature.

B. The user will calculate a message digest and compare it to the one attached to the message.

C. The user will first see whether her system has been configured to trust the CA that digitally signed the certificate and then will validate the public key that is embedded within the certificate.

D. The user will validate the sender’s digital signature on the message.

A. 

A digital certificate is validated by the receiver by first determining whether her system has been configured to trust the CA that digitally signed the certificate. If this has been configured, the user’s software uses the CA’s public key and validates the CA’s digital signature that is embedded within the certificate.

What is the purpose of a digital certificate?

A. It binds a CA to a user’s identity.

B. It binds a CA’s identity to the correct RA. 

C. It binds an individual to an RA.

D. It binds an individual to a public key.

D. 

A digital certificate vouches for an individual’s identity and binds that identity to the public key that is embedded within the certificate.

What steps does a user take to validate a CA’s digital signature on a digital certificate?

A. The user’s software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.

B. The user’s software creates a message digest for the digital signature and encrypts the message digest included within the digital certificate. If the encryption performs properly and the message digest values are the same, the certificate is validated.

C. The user’s software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the user can encrypt the message digest properly with the CA’s private key and the message digest values are the same, the certificate is validated.

D. The user’s software creates a message digest for the digital signature and encrypts the message digest with its private key. If the decryption performs properly and the message digest values are the same, the certificate is validated.

A. 

The user’s software calculates a message digest for the digital certificate and decrypts the encrypted message digest value included with the certificate, which is the digital signature. The message digest is decrypted using the CA’s public key. If the two message digest values match, the user knows that the certificate has not been modified in an unauthorized manner, and since the encrypted message digest can be decrypted properly with the CA’s public key, the user is assured that this CA created the certificate.

What is a bridge CA, and what is its function?

A. It is a hierarchical trust model that establishes a root CA, which is the trust anchor for all other CAs.

B. It is an entity that creates and maintains the CRL for several CAs at one time.

C. It is a CA that handles the cross-certification certificates for two or more CAs in a peer-to-peer relationship.

D. It is an entity that validates the user’s identity information for the RA before the request goes to the CA.

C. 

A bridge CA is set up to handle all of the cross-certification certificates and traffic between different CAs and trust domains. A bridge CA is used instead of requiring all of the CAs to authenticate to each other and create certificates with one another, which would end up in a full mesh configuration.

Why would a company implement a key archiving and recovery system within the organization?

A. To make sure all data encryption keys are available for the company if and when it needs them

B. To make sure all digital signature keys are available for the company if and when it needs them

C. To create session keys for users to be able to access when they need to encrypt bulk data

D. To back up the RA’s private key for retrieval purposes

A. 

To protect itself, the company will make backups of the data encryption keys its employees use for encrypting company information. If an employee is no longer available, the company must make sure that it still has access to its own business data. Companies should not need to back up digital signature keys, since they are not used to encrypt data.

Within a PKI environment, where does the majority of the trust actually lie?

A. All users and devices within an environment trust the RA, which allows them to indirectly trust each other.

B. All users and devices within an environment trust the CA, which allows them to indirectly trust each other.

C. All users and devices within an environment trust the CRL, which allows them to indirectly trust each other.

D. All users and devices within an environment trust the CPS, which allows them to indirectly trust each other.

B. 

The trust anchor for a PKI environment is the CA. All users and devices trust the CA, which allows them to indirectly trust each other. The CA verifies and vouches for each user’s and device’s identity, so these different entities can have confidence that they are communicating with specific individuals.

Which of the following properly explains the m of n authentication?

A. This is the process a user must go through to properly register for a certificate through the RA.

B. This ensures that a certificate has to be fully validated by a user before he can extract the public key and use it.

C. This is a control in key recovery to enforce separation of duties.

D. This is a control in key recovery to ensure that the company cannot recover a user’s key without the user’s consent.

C. 

The m of n authentication is the part of the key recovery software that allows a certain number of people to be involved with recovering and reconstructing a lost or corrupted key. A certain number of people (n) are allowed to authenticate to the software, which will allow them to participate in the key recovery process. Not all of those people may be available at one time, however, so a larger number of people (m) need to be involved with the process. The system should not allow only one person to carry out key recovery, because that person could then use the keys for fraudulent purposes.

Which of the following is not a valid field that could be present in an X.509 version 3 digital certificate?

A. Validity dates 

B. Serial number 

C. Extensions

D. Symmetric key

D. 

The first three values are valid fields that are used in digital certificates. Validity dates indicate how long the certificate is good for, the serial number is a unique value used to identify individual certificates, and extensions allow companies to expand the use of their certificates. A public key is included in the certificate, which is an asymmetric key, not a symmetric key.

To what does a certificate path pertain?

A. All of the digital certificates that need to be validated before a received certificate can be fully validated and trusted

B. All of the digital certificates that need to be validated before a sent certificate can be properly encrypted

C. All of the digital certificates that need to be validated before a user trusts her own trust anchor

D. All of the digital certificates that need to be validated before a received certificate can be destroyed

A. 

The certificate path is all of the certificates that must be validated before the receiver of a certificate can validate and trust the newly received certificate. When a user receives a certificate, she must obtain the certificate and public key of all of the CAs until she comes to a self-signed certificate, which is the trusted anchor. So the user must validate each of these certificates until the trusted anchor is reached. The path between the receiver and a trusted anchor is referred to as the certificate path. This is a hierarchical model of trust, and each rung of the trust model must be verified before the end user’s certificate can be validated and trusted.

Which of the following certificate characteristics was expanded upon with version 3 of the X.509 standard?

A. Subject

B. Extensions

C. Digital signature

D. Serial number

B. 

The X.509 standard is currently at version 3, which added more extension capabilities to digital certificates and which added more flexibility for companies using PKIs. Companies can define many of these extensions to mean specific things that are necessary for their proprietary or customized environment and software.

What is a certification practices statement (CPS), and what is its purpose?

A. A CPS outlines the steps a CA goes through to validate identities and generate certificates. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.

B. A CPS outlines the steps a CA goes through to communicate with other CAs in other states. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.

C. A CPS outlines the steps a CA goes through to set up an RA at a company’s site. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.

D. A CPS outlines the steps a CA goes through to become a business within a vertical market. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.

A. 

The CPS outlines the certificate classes the CA uses and the CA’s procedures for verifying end-entity identities, generating certificates, and maintaining the certificates throughout their lifetimes. Any company that will be using a specific CA needs to make sure it is going through these procedures with the level of protection the company would require of itself. The company will be putting a lot of trust in the CA, so the company should do some homework and investigate how the CA actually accomplishes its tasks.

Which of the following properly describes what a public key infrastructure (PKI) actually is?

A. A protocol written to work with a large subset of algorithms, applications, and protocols

B. An algorithm that creates public/private key pairs

C. A framework that outlines specific technologies and algorithms that must be used

D. A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services

D. 

A PKI is a framework that allows several different types of technologies, applications, algorithms, and protocols to be plugged into it. The goal is to provide a foundation that can provide a hierarchical trust model, which will allow end-entities to indirectly trust each other and allow for secure and trusted communications.

Once an individual validates another individual’s certificate, what is the use of the public key that is extracted from this digital certificate?

A. The public key is now available to use to create digital signatures.

B. The user can now encrypt session keys and messages with this public key and can validate the sender’s digital signatures.

C. The public key is now available to encrypt future digital certificates that need to be validated.

D. The user can now encrypt private keys that need to be transmitted securely.

B. 

Once a receiver validates a digital certificate, the embedded public key can be extracted and used to encrypt symmetric session keys, encrypt messages, and validate the sender’s digital signatures.

Why would a digital certificate be added to a certificate revocation list (CRL)?

A. If the public key had become compromised in a public repository

B. If the private key had become compromised

C. If a new employee joined the company and received a new certificate

D. If the certificate expired

B. 

When certificates are added to a CRL the public/private key pair should no longer be bound to a specific person’s identity. This can happen if a private key is compromised, meaning that it was stolen or captured—this would mean someone else could be using the private key instead of the original user, so the CRL is a protection mechanism that will alert others in the PKI of this incident. Certificates can be added to the CRL if an employee leaves the company or is no longer affiliated with the company for one reason or another. Expired certificates are not added to CRLs.

What is an online CRL service?

A. End-entities can send a request containing a serial number of a specific certificate to an online CRL service. The online service will query several CRL distribution points and respond with information about whether the certificate is still valid or not.

B. CAs can send a request containing the expiration date of a specific certificate to an online CRL service. The online service will query several other RAs and respond with information about whether the certificate is still valid or not.

C. End-entities can send a request containing a public key of a specific certificate to an online CRL service. The online service will query several end-entities and respond with information about whether the certificate is still valid or not.

D. End-entities can send a request containing a public key of a specific CA to an online CRL service. The online service will query several RA distribution points and respond with information about whether the CA is still trustworthy or not.

A. 

Actually getting the data on the CRLs to end-entities is a huge barrier for many PKI implementations. The environment can have distribution points set up, which provide centralized places that allow the users’ systems to query to see whether a certificate has been revoked or not. Another approach is to push down the CRLs to each end-entity or to use an online service. The online service will do the busy work for the end-entity by querying all the available CRLs and returning a response to the end-entity indicating whether the certificate has been revoked or not.

If an extension is marked as critical, what does this indicate?

A. If the CA is not programmed to understand and process this extension, the certificate and corresponding keys can be used for their intended purpose.

B. If the end-entity is programmed to understand and process this extension, the certificate and corresponding keys cannot be used.

C. If the RA is not programmed to understand and process this extension, communication with the CA is not allowed.

D. If the end-entity is not programmed to understand and process this extension, the certificate and corresponding keys cannot be used.

D. 

Digital certificates have extensions that allow companies to expand the use of certificates within their environments. When a CA creates a certificate, it is certifying the key pair to be used for a specific purpose (for digital signatures, data encryption, validating a CA’s digital signature, and so on). If a CA adds a critical flag to an extension, it is stating that the key pair can be used only for the reason stated in the extension. If an end-entity receives a certificate with this critical flag set and cannot understand and process the marked extension, the key pair cannot be used at all. The CA is stating, “I will allow the key pair to be used only for this purpose and under these circumstances.” If an extension is marked noncritical, the end-entity does not have to be able to understand and process that extension.

How can users have faith that the CRL was not modified to present incorrect information?

A. The CRL is digitally signed by the CA.

B. The CRL is encrypted by the CA.

C. The CRL is open for anyone to post certificate information to.

D. The CRL is accessible only to the CA.

A. 

The CRL contains all of the certificates that have been revoked. Only the CA can post information to this list. The CA then digitally signs the list to ensure that any modifications will be detected. When an end entity receives a CRL, it verifies the CA’s digital signature, which tells the end-entity whether the list has been modified in an unauthorized manner and guarantees that the correct CA signed the list.

When would a certificate be suspended, and where is that information posted?

A. It would be suspended when an employee leaves the company. It is posted on the CRL.

B. It would be suspended when an employee changes his or her last name. It is posted on the CA.

C. It would be suspended when an employee goes on vacation. It is posted on the CRL.

D. It would be suspended when a private key is compromised. It is posted on the CRL.

C. 

A certificate can be suspended if it needs to be temporarily taken out of production for a period of time. If an employee goes on vacation and wants to make sure no one can use his certificate, he can make a suspension request to the CA, which will post the information to the CRL. The other answers in this question would require the certificate to be revoked, not suspended, and a new certificate would need to be created for the user.

What does cross certification pertain to in a PKI environment?

A. When a company uses an outsourced service provider, it needs to modify its CPS to allow for cross certification to take place between the RA and CA.

B. When two end-entities need to communicate in a PKI, they need to exchange certificates.

C. When two or more CAs need to trust each other so that their end-entities can communicate, they will create certificates for each other.

D. An RA needs to perform a cross certification with a user before the certificate registration is terminated.

C. 

Cross certification means that two or more CAs create certificates for each other. This takes place when two trust domains, each with their own CA, need to be able to communicate—a trusted path needs to be established between these domains. Once the first CA validates the other CA’s identity and creates a certificate, it then trusts this other CA, which creates a trusted path between the different PKI environments. The trust can be bidirectional or unidirectional.

-Revocation is when a cert. needs to be revoked before its actual expiration date is met. Happens for a number of reasons:

- Lost laptop or token that stored the private key.

- Improper software mod. uncovers the key.

- A user falls prey to a social engineering technique and gives up his/her key.

- Data held within the cert. may no longer apply to the specified invididual. 

- Employee has left the company.

- The CA (Cert. Authority) provides this type of protection by maintaining a certificate revocation list (CRL), a list of serial numbers of certificates that have been revoked

The RA verifies the identity of the certificate requestor on behalf of the CA. 

The CA generates the certificate using information forwarded by the RA. 

What are the "Certificate Authorities" (CA)? 

What are "Digital Certificates"?

What are "Certification Practices Statements"?

- The CA is the trusted authority that certifies individuals' identities and creates electronic documents (digital certificate) that indicate the individuals are who they say they are.

- The digital cert. establishes an association between the subjects identity and a public key. The private key that is paired with the public key in the cert. is stored separately. 

- Every CA should have a certification practices statement (CPS) that outlines how identities are verified; the steps the CA follows to generate, maintain, and transmit certs, and why it's secure. 

- The RA is the compent that accepts a request for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the cert.

- There are three typical types of certificates:

1. Class 1 (verifies a person's identity through email)
2. Class 2 (used for software signing)
3. Class 3 (a company wants to set up its own CA, which will allow it to carry out its own identification verification and generate certs. internally).

- A digital certificate binds an individual's identity to a public key, and it contains all of the information a receiver needs to be assured of the identity of the public key owner.

- After an RA verifies an individual's identity, the CA generates the digital cert and adds the standard X.509 information:

• Version Number (specifies which standard was used)

• Subject (specifies the owner)

• Public key (specifies the public key being bound to the cert. subject, and, also identifies the algorithm used to create the private/public key pair)

• Issuer (Identifies the CA)

• Validity (specifies the valid dates that the cert can be used)

• Certificate usage (specifies the approvd use of the cert.)

• Signature algorithm (specifies the hashing and digital signature algorithms used to digitally sign the cert)

• Extensions (Allows additional data to be encoded into the cert. to expand functionality of the cert.)

What is "Key Recovery"?

How does it differ from "Key Archiving"??