Security+ Understanding Security Fundamentals & Implementing Public Key Infrastructure: Crucial Review Questions for Certification Success

2024-03-25

Questions

  1. What type of certificate does a CA have?
  2. If you are going to use a CA internally, what type of CA should you choose?
  3. If you want to carry out B2B activity with third-party companies or sell products on the web, what type of CA should you use?
  4. Why should you take your CA offline when not in use?
  5. What type of encryption does PKI use?
  6. Who signs X.509 certificates?
  7. What can you use to prevent your CA from being compromised and fraudulent certificates from being issued?
  8. If two entities want to set up a cross-certification, what must they set up first?
  9. What type of trust model does PGP use?
  10. How can you tell whether your certificate is valid?
  11. If the CRL is slow, what should you implement?
  12. Explain certificate stapling/OCSP stapling.
  13. What is the process of obtaining a new certificate?
  14. What is the purpose of key escrow?
  15. What is the purpose of an HSM?
  16. What is the purpose of the DRA, and what does it need to complete its role effectively?
  17. How can you identify each certificate?
  18. What format (PKCS) is a private certificate, and what file extension does it have?
  19. What format (PKCS) is a public certificate, and what file extension does it have?
  20. What format is a PEM certificate?
  21. What type of certificate can be used on multiple servers in the same domain?
  22. What type of certificate can be used on multiple domains?
  23. What should you do with your software to verify that it is original and not a fake copy?
  24. What is the purpose of extended validation of an X.509 certificate?
  25. What type of cipher is the Caesar cipher, and how does it work if it uses ROT 4?
  26. What is encryption, and what are the inputs and outputs called?
  27. What type of encryption will be used to encrypt large amounts of data?
  28. What is the purpose of Diffie-Hellman?
  29. What is the first stage in asymmetric encryption?
  30. If Carol is encrypting data to send to Bob, what key will each of them use?
  31. If George encrypted data four years ago with an old CAC card, can he decrypt the data with his new CAC card?
  32. If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?
  33. What two things does a digital email signature provide?
  34. What asymmetric encryption algorithm should you use to encrypt data on a smartphone?
  35. What should you use to encrypt a military mobile telephone?

Answers

  1. A CA has its own CA certificate and the private key that goes with it. For a root CA that certificate is self-signed, and the root's private key is used to sign the certificates the CA issues (directly, or via subordinate CAs whose certificates it has signed).
  2. A private (internal) CA. Its certificates are trusted only by machines that have been configured to trust that CA, so they are not accepted outside your organization.
  3. A public CA, whose root certificate is already trusted by browsers and operating systems, so third-party companies and web customers can validate your certificates without any extra configuration.
  4. The root's private key is the anchor of the whole hierarchy: if it is compromised, every certificate issued under it becomes untrusted and must be reissued. Keeping the root CA offline when it is not needed (it only has to come online to sign a subordinate CA certificate or publish a CRL) takes it off the network and out of reach of remote attack. This is standard practice, and military, security and banking organizations in particular insist on it.
  5. Asymmetric (public-key) encryption. Each entity has a key pair; the public key is published in its certificate and the private key stays with the owner.
  6. The CA signs X.509 certificates, using the CA's private key.
  7. Certificate pinning. Pinning cannot stop the CA itself from being compromised; what it does is make a fraudulently issued certificate useless, because the client has the legitimate certificate or public key hard-coded (pinned) and rejects anything else for that host, even if it chains to a trusted CA. Protecting the CA itself is done by keeping the root offline and its private key in an HSM.
  8. The two root CAs must first establish trust between their PKIs. Each root cross-certifies the other; when several PKIs are involved this is done through a bridge CA, the bridge trust model.
  9. PGP uses a web of trust: users sign each other's keys, so trust is distributed among users rather than issued by a central CA.
  10. Check that it has not been revoked, using the CA's Certificate Revocation List (CRL) or an OCSP query. A certificate is valid only if it is also within its validity dates, matches the host name it is presented for and chains to a trusted root.
  11. OCSP (Online Certificate Status Protocol). Instead of downloading the CA's entire CRL, the client asks the CA's OCSP responder about one certificate's serial number and gets a small signed answer (good, revoked or unknown), which is faster.
  12. With OCSP stapling the web server fetches a signed, time-stamped OCSP response for its own certificate from the CA at regular intervals and attaches (staples) it to the TLS handshake. The client gets the revocation status without contacting the CA or downloading a CRL, which is faster and also stops the CA from seeing which sites the client visits.
  13. Generate a key pair, create a Certificate Signing Request (CSR) containing the public key and the subject details, and submit the CSR to the CA. The CA validates the request, signs it and returns the certificate. The private key is created by the requester and never leaves it.
  14. Key escrow stores and manages copies of users' private keys on behalf of a third party, so that encrypted data can still be recovered if a user loses the key or leaves the organization.
  15. A hardware security module (HSM) is a tamper-resistant hardware device that generates, stores and uses private keys; signing and decryption happen inside the device, so the keys are never exposed to the host. A CA or a key escrow uses an HSM to protect its keys.
  16. The Data Recovery Agent (DRA) recovers encrypted data when a user's private key is lost or corrupt. To do this it needs a copy of the user's private key, which it obtains from key escrow.
  17. By its serial number, which the issuing CA guarantees is unique among the certificates it issues; issuer name plus serial number identifies a certificate, and CRLs list revoked certificates by serial number. OIDs (object identifiers) identify the algorithms, policies and extensions used inside a certificate, not the certificate itself.
  18. PKCS#12, with a .pfx or .p12 extension. It bundles the certificate (and usually its chain) together with the private key, so the file is password-protected.
  19. PKCS#7, with a .p7b (or .p7c) extension. It holds one or more certificates and the chain but never a private key. A single public certificate on its own is commonly a .cer or .crt file.
  20. A PEM certificate is the DER-encoded certificate in Base64, wrapped in "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, so it is plain ASCII text that can be pasted into a configuration file.
  21. A wildcard certificate (for example *.example.com) covers every host at one level of the same domain.
  22. A Subject Alternative Name (SAN) certificate lists several distinct host names or domains in one certificate.
  23. Code-sign the software. The publisher signs a hash of the code with its private key; anyone with the publisher's certificate can verify that the software comes from that publisher and has not been modified. It is a digital signature applied to software and, like any digital signature, it guarantees integrity.
  24. With extended validation the CA performs a rigorous check of the requesting organization's legal identity before issuing the certificate, giving relying parties a higher level of trust. EV certificates are typically used by financial institutions.
  25. The Caesar cipher is a substitution (shift) cipher. With ROT 4 each letter is replaced by the letter four places further along the alphabet, wrapping round at the end (A becomes E, W becomes A); decryption shifts each letter back four places. Since there are only 25 possible shifts, an attacker can simply try them all.
  26. Encryption is the process of turning readable data, the plaintext (input), into unreadable data, the ciphertext (output), using an algorithm and a key. Decryption reverses it.
  27. Symmetric encryption. Symmetric algorithms are far faster than asymmetric ones and use a single shared key, so they are used for bulk data; asymmetric encryption is used only to exchange or protect that key.
  28. Diffie-Hellman (DH) is an asymmetric key agreement protocol: it lets two parties that share no secret agree on a shared secret over an insecure channel, each combining its own private value with the other's public value. DH does not itself create a tunnel. In a VPN it runs inside the IKE phase (UDP port 500) to agree the keys that the IPsec tunnel then uses for symmetric encryption.
  29. Generating a key pair and then exchanging public keys: each entity gives the other its public key. The private key is kept secure and never given away.
  30. Carol uses Bob's public key to encrypt the data, and Bob uses his private key to decrypt it. Encryption and decryption are always done by the two halves of the same key pair: what one key of a pair encrypts, only the other key of that pair can decrypt.
  31. No. The data was encrypted with the public key of his old key pair, so only the matching old private key can decrypt it. George must recover the old private key, for example from key escrow.
  32. Janet digitally signs the email with her private key (a hash of the message is signed), and John checks the signature with Janet's public key, which he would have received in advance.
  33. A digital signature provides integrity (the message has not been altered) and non-repudiation (only the holder of the private key could have signed it, so the sender cannot deny sending it).
  34. ECC (Elliptic Curve Cryptography). It gives the same security as RSA with much shorter keys, so it needs less processing and battery power; its key exchange is ECDH, the elliptic-curve form of the DH handshake.
  35. AES-256, a strong symmetric cipher approved for protecting classified traffic.
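The Caesar cipher from answer 25 (ROT 4) in working code, as an added example that is not part of the original review questions. It handles the wrap-around from Z back to A, preserves case, and includes the brute-force step that shows why a 25-key cipher gives no real secrecy. The plaintext "ATTACK AT DAWN" is a constructed sample.

```python
import string

ALPHABET_SIZE = len(string.ascii_uppercase)  # 26 letters; every shift wraps modulo 26


def caesar_shift(text: str, shift: int) -> str:
    """Replace each ASCII letter with the one `shift` places further on.

    Letters wrap around (with shift 4, W -> A), case is preserved and
    anything that is not a letter is copied through unchanged.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % ALPHABET_SIZE + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, shift: int = 4) -> str:
    """ROT 4 by default: A -> E, B -> F, ..., W -> A."""
    return caesar_shift(plaintext, shift)


def decrypt(ciphertext: str, shift: int = 4) -> str:
    """Decryption is the same substitution run backwards (a shift of -4, i.e. 22)."""
    return caesar_shift(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict:
    """Return the candidate plaintext for each of the 25 possible non-zero shifts.

    This is why a Caesar cipher offers no real secrecy: the key space is so
    small that an attacker simply reads through all 25 outputs for the one
    that makes sense.
    """
    return {k: caesar_shift(ciphertext, -k) for k in range(1, ALPHABET_SIZE)}


if __name__ == "__main__":
    ct = encrypt("ATTACK AT DAWN")          # constructed sample plaintext
    print(ct)                               # EXXEGO EX HEAR
    print(decrypt(ct))
    for k, candidate in brute_force(ct).items():
        print(f"shift {k:2d}: {candidate}")
```

ROT 13 is the special case where encrypting twice returns the plaintext, because 13 + 13 = 26; for ROT 4 the inverse is a shift of 22.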
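A worked Diffie-Hellman exchange for answers 27 to 29, added here as an example and not code from the original page. It shows the point the answers make: DH only produces a shared secret from each side's private value and the other side's public value; the secret is then fed through a key-derivation step to get the symmetric key that bulk encryption (AES in an IPsec tunnel, for instance) actually uses. The group parameters are the 2048-bit MODP group 14 from RFC 3526 with generator 2, transcribed here from the RFC (check against the RFC before real use); the party names, the `dh-demo-key` KDF label and the single-SHA-256 KDF are my assumptions for the demo, not a standard.

```python
import hashlib
import secrets

# 2048-bit MODP group 14 from RFC 3526, generator 2. Transcribed from the RFC;
# verify it against the RFC before using it for anything real.
_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(_P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2   # P is a safe prime, so G generates a subgroup of prime order Q


def validate_public_value(y: int) -> None:
    """Reject values outside the group or in a small subgroup.

    Skipping this check lets a malicious peer send y = 1, P - 1 or another
    low-order value and force the shared secret into a few guessable values.
    """
    if not 2 <= y <= P - 2 or pow(y, Q, P) != 1:
        raise ValueError("invalid Diffie-Hellman public value")


class Party:
    """One side of the exchange. Only `public` is ever sent over the network."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._private = secrets.randbelow(Q - 2) + 2   # x: kept secret, never transmitted
        self.public = pow(G, self._private, P)          # y = g^x mod p: sent in the clear

    def derive_key(self, peer_public: int) -> bytes:
        validate_public_value(peer_public)
        z = pow(peer_public, self._private, P)          # both sides reach g^(xy) mod p
        # z is a raw group element, not a key. Run it through a KDF (here one
        # SHA-256 with a fixed demo label) to get a 256-bit symmetric key.
        return hashlib.sha256(b"dh-demo-key" + z.to_bytes(256, "big")).digest()


def dh_agree() -> tuple:
    """Run the exchange between two constructed parties and return both derived keys."""
    alice, bob = Party("Alice"), Party("Bob")
    # An eavesdropper sees P, G, alice.public and bob.public. Recovering the key
    # from those is the discrete logarithm problem in a 2048-bit group.
    return alice.derive_key(bob.public), bob.derive_key(alice.public)


if __name__ == "__main__":
    k_alice, k_bob = dh_agree()
    print("keys match:", k_alice == k_bob)
    print("AES-256 key:", k_alice.hex())
```

Note what is missing from a bare DH exchange: nothing authenticates the public values, so an active attacker can sit in the middle and agree a separate key with each side. That is why IKE signs or otherwise authenticates the exchange (with certificates or pre-shared keys) before the tunnel keys are trusted.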