Security+ (SY0-701): Cryptographic Solutions Part 2
This deck covers key concepts and definitions related to cryptographic solutions, including certificates, key management, and protocols.
Term | Definition |
---|---|
What is packaged in a digitally signed cert? | Information identifying the subject and the subject's public key, presented in X.509 format, plus the issuing CA's digital signature over those fields. |
Define a 'root certificate/trusted root' | Pre-installed self-signed certificate and public key from a CA. |
What is the purpose/function of a root certificate? | Issues signed certificates to intermediate CAs; Signs the other certificates issued by the CA. |
How do clients trust a public 3rd party root CA? | CA generates a root certificate, signs it with its private key, and publishes it with the public key. Client obtains CA's certif... |
What is the outcome of installing a CA's root certificate? | Host will automatically trust any certificates signed by that CA. |
Define a 'Single CA' model | Single root CA issues certificates directly to users and computers; Often used on private networks. |
What is the shortcoming of the single CA model? | Single CA server is exposed; If it is compromised the whole PKI collapses. |
Define the '3rd party CA model' | Hierarchical model where the root CA issues certs to one or more intermediate CAs; The intermediate CAs issue certs to subjects (end entities). |
Define 'certificate chaining' or 'chain of trust' | Method of validating a certificate by tracing each CA that signs the certificate, up through the hierarchy to the root CA. |
Define a 'Self-signed Certificate' | A digital certificate that has been signed by the entity that issued it (any machine, webserver or code), rather than by a CA. |
What is the process to register with a CA? | End users create an account with the CA and become authorized to request certificates. |
What are the contents of a 'certificate signing request (CSR)'? | A Base64-encoded ASCII (PEM) file containing the information the subject wants in the certificate, including its public key; the request is signed with the subject's private key to prove possession of that key. |
Define a 'common name (CN)' | X.500 attribute in the certificate's subject name expressing a host or user name; historically the subject identifier for a digital certificate. |
Define a 'subject alternative name (SAN)' | X.509 v3 certificate extension allowing one certificate to represent multiple host names/subdomains (and other identifier types, such as IP addresses). |
What takes precedence in a certificate, a subject alternative name (SAN) or common name (CN)? | If a certificate contains a SAN extension, the browser validates the host name against the SAN entries and ignores the CN value. |
Define a 'wildcard certificate' | A digital certificate that matches multiple subdomains of a parent domain by using `*` as the left-most label before the parent domain (`*.comptia.org`). The wildcard matches exactly one label: `www.comptia.org` matches, but `comptia.org` and `a.b.comptia.org` do not. |
What are the two types of invalid certificates? | Revoked (permanently invalid) and suspended (temporarily invalid; a suspended certificate can be returned to service, a revoked one cannot). |
Define a 'certificate revocation list (CRL)' | A list maintained by a CA of all revoked and suspended certificates. |
What is the purpose of a certificate revocation list (CRL)? | To inform users whether a certificate is valid, revoked, or suspended. |
Where can a certificate revocation list (CRL) be found for browsers to check validity of certs? | Each certificate should contain information for the browser on how to check the CRL (the CRL Distribution Points extension, which carries the URL of the CRL). |
What are the 4 attributes of a certificate revocation list (CRL)? | Publish period, distribution point(s), validity period, and signature. |
Define the 'Publish Period' attribute of a certificate revocation list (CRL) | Date and time at which the CRL is published. Most CAs are set up to publish the CRL automatically. |
Define the 'Distribution Point(s)' attribute of a certificate revocation list (CRL) | Location(s) to which the CRL is published. |
Define the 'Validity Period' attribute of a certificate revocation list (CRL) | Period during which the CRL is considered authoritative. This is usually a bit longer than the publish period, so a client still has a valid CRL while the next one is being published. |
Define the 'Signature' attribute of a certificate revocation list (CRL) | CRL is signed by the CA to verify its authenticity. |
Define an 'Online Certificate Status Protocol (OCSP)' server | Allows clients to request the status of a single digital certificate (identified by serial number) from an OCSP responder, which consults the CA's certificate database, instead of downloading and parsing the whole CRL. |
Define 'Key management' | Operational considerations for the various stages in a key's lifecycle. |
What are the 4 stages in a key's lifecycle? | Key generation, storage, revocation, and expiration and renewal. |
Define the 'Key Generation' stage in the key management lifecycle | Creating an asymmetric key pair or symmetric secret key |
What is the purpose of the 'Storage' stage in the key management lifecycle? | Preventing unauthorized access to a private/secret key and protecting it against loss or damage. |
Define the 'Revocation' stage in the key management lifecycle | Prevents use of the key if it is compromised. |
What is best practice if a key is revoked? | Re-encrypt any data encrypted by the revoked key with a new key. |
Define the 'Expiration and Renewal' stage in the key management lifecycle | Every certificate expires after a certain period; Certificates can be renewed with the same key pair or with a new key pair. |
Define a decentralized key management model | Keys are generated and managed directly on the computer or user account that will use the certificate. |
Define a key management system | Centralizes generation and storage of cryptographic keys. |
Define 'Key Management Interoperability Protocol (KMIP)' | Client/server communication protocol for the storage and maintenance of key, certificate, and secret objects. |
How are cryptographic keys generated? | Generated using a random process with a high degree of disorder. |
Define 'entropy' | A measure of disorder; Cryptographic systems should exhibit high entropy to better resist brute force attacks. |
What is the drawback of generating a key pair or secret key on a host running a general purpose OS? | A general-purpose computer collects relatively little true randomness (entropy) from its hardware and software events, so a key produced by a poorly seeded software PRNG can be predictable. |
What two technical controls can be implemented to ensure strong key generation? | Pseudo RNG (PRNG) software, seeded from true random number generator (TRNG) hardware. |
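The root certificate, chain of trust and self-signed certificate cards above describe a walk from an end-entity certificate up to a pre-installed root, verifying each CA's signature on the way. The following Python example is added here and is not part of the original deck. It uses a hypothetical minimal certificate record instead of real X.509, and textbook RSA with Mersenne-prime moduli as a stand-in for the CA's signature algorithm; every name, key size and helper is an assumption for illustration only, never a production design.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every key pair in this example


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate record, not X.509: just what the chain walk needs."""
    subject: str
    issuer: str
    pub: tuple   # textbook-RSA public key (n, e) of the subject
    sig: int     # issuer's signature over tbs_bytes()

    def tbs_bytes(self) -> bytes:
        # "To be signed" fields: what the issuer actually signs.
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()


def make_key(p: int, q: int):
    """Textbook RSA key from two primes. Returns ((n, e), d). Illustration only:
    the Mersenne primes used below are far too small and well known for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)


def _digest(n: int, data: bytes) -> int:
    # SHA-256 reduced mod n so it is a valid input for these small moduli.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data: bytes) -> int:
    (n, _e), d = key
    return pow(_digest(n, data), d, n)


def verify(pub: tuple, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(n, data)


def issue(subject: str, issuer_name: str, subject_pub: tuple, issuer_key) -> Cert:
    """The issuer signs the subject's identity and public key, producing a certificate."""
    unsigned = Cert(subject, issuer_name, subject_pub, 0)
    return Cert(subject, issuer_name, subject_pub, sign(issuer_key, unsigned.tbs_bytes()))


def build_chain(leaf: Cert, intermediates: list, trust_store: list, max_depth: int = 8) -> list:
    """Walk issuer links from the leaf until a pre-installed root is reached.
    Every hop is verified with the issuer's public key; raises ValueError otherwise."""
    by_subject = {c.subject: c for c in [leaf] + intermediates + trust_store}  # trust store wins on clashes
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(f"no certificate for issuer {current.issuer!r}")
        if not verify(issuer.pub, current.tbs_bytes(), current.sig):
            raise ValueError(f"signature on {current.subject!r} does not verify with {issuer.subject!r}")
        chain.append(issuer)
        if issuer in trust_store:
            return chain  # reached a trusted root: done
        if issuer.subject == issuer.issuer:
            raise ValueError(f"self-signed {issuer.subject!r} is not in the trust store")
        current = issuer
    raise ValueError("chain exceeds max depth")


def chain_status(leaf: Cert, intermediates: list, trust_store: list) -> str:
    try:
        return "trusted: " + " -> ".join(c.subject for c in build_chain(leaf, intermediates, trust_store))
    except ValueError as exc:
        return "untrusted: " + str(exc)


# Constructed PKI: a public root, an intermediate (issuing) CA and one web server leaf.
ROOT_KEY = make_key(2**127 - 1, 2**107 - 1)
INT_KEY = make_key(2**89 - 1, 2**61 - 1)
LEAF_KEY = make_key(2**31 - 1, 2**19 - 1)

root_cert = issue("CompTIA Root CA", "CompTIA Root CA", ROOT_KEY[0], ROOT_KEY)    # self-signed trust anchor
int_cert = issue("CompTIA Issuing CA", "CompTIA Root CA", INT_KEY[0], ROOT_KEY)   # signed by the root
leaf_cert = issue("www.comptia.org", "CompTIA Issuing CA", LEAF_KEY[0], INT_KEY)  # signed by the intermediate

# Failure modes: a leaf whose subject was altered after signing, and a leaf issued
# by an attacker's own self-signed root that no client has installed.
tampered_leaf = Cert("evil.example", leaf_cert.issuer, leaf_cert.pub, leaf_cert.sig)
EVIL_KEY = make_key(2**13 - 1, 2**17 - 1)
evil_root = issue("Evil Root CA", "Evil Root CA", EVIL_KEY[0], EVIL_KEY)
evil_leaf = issue("www.comptia.org", "Evil Root CA", LEAF_KEY[0], EVIL_KEY)

if __name__ == "__main__":
    print(chain_status(leaf_cert, [int_cert], [root_cert]))
    print(chain_status(leaf_cert, [], [root_cert]))  # intermediate missing: chain cannot be completed
    print(chain_status(tampered_leaf, [int_cert], [root_cert]))
    print(chain_status(evil_leaf, [evil_root], [root_cert]))
```

The second call shows why servers must send their intermediate certificates: the client only has the root pre-installed, so without the intermediate the walk stops at the first hop. The last call shows the single-CA shortcoming in reverse: an attacker's self-signed root signs a perfectly valid-looking chain, but trust comes from the trust store, not from the signature.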
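The CN, SAN and wildcard cards above give the rules a browser applies when deciding whether a certificate is valid for the host it connected to. The following Python example is added here and is not from the original deck: it implements those rules over a constructed dictionary standing in for the parsed certificate (only dNSName SAN entries are modelled; the certificate data and host names are made up).

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a host name, case-insensitively.
    A wildcard is accepted only as the entire left-most label and matches exactly
    one label (RFC 6125 style), so '*.comptia.org' covers 'www.comptia.org' but
    not 'comptia.org' or 'a.b.comptia.org'. Partial wildcards ('w*.comptia.org')
    and bare '*.com' style patterns are rejected, as browsers reject them."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or "*" in p[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: dict, hostname: str):
    """Decide whether a certificate is valid for hostname and say why.
    `cert` is a constructed dict: optional 'cn' and optional 'san' (list of dNSName strings)."""
    san = cert.get("san") or []
    if san:  # SAN present: it is authoritative and the CN is ignored entirely
        for name in san:
            if dns_name_matches(name, hostname):
                return True, f"matched SAN dNSName {name}"
        return False, "SAN present but no entry matches (CN ignored)"
    cn = cert.get("cn")  # legacy fallback only when there is no SAN at all
    if cn and dns_name_matches(cn, hostname):
        return True, f"matched CN {cn} (no SAN, legacy fallback)"
    return False, "no matching name"


# Constructed certificates (not real data)
MULTI_SAN = {"cn": "comptia.org", "san": ["comptia.org", "www.comptia.org"]}
CN_ONLY_LEGACY = {"cn": "mail.comptia.org"}
MISLEADING_CN = {"cn": "mail.comptia.org", "san": ["www.comptia.org"]}  # CN says mail, SAN does not
WILDCARD = {"san": ["*.comptia.org"]}
BOGUS_WILDCARD = {"san": ["*.com"]}

if __name__ == "__main__":
    checks = [(MULTI_SAN, "www.comptia.org"), (MISLEADING_CN, "mail.comptia.org"),
              (WILDCARD, "www.comptia.org"), (WILDCARD, "a.b.comptia.org"),
              (BOGUS_WILDCARD, "evil.com")]
    for cert, host in checks:
        print(host, hostname_matches(cert, host))
```

MISLEADING_CN is the case the precedence card warns about: the CN names the host, but because a SAN is present the CN is never consulted, so the match fails.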
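The CRL cards above list the four attributes of a CRL (publish period, distribution point, validity period, signature) and the two kinds of invalid certificate (revoked, suspended). The Python example below is added here, not taken from the deck: it checks a constructed CRL in the order a client should (signature first, then the validity window, then the lookup). The CA signature is represented by an HMAC under a made-up key so the example runs with the standard library only; a real CRL carries the CA's asymmetric signature, verified with the CA's public key. The distribution point URL, serial numbers and dates are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

CERTIFICATE_HOLD = 6  # RFC 5280 CRLReason code that marks a suspended (on hold) certificate

# Constructed CA signing key. Stand-in: HMAC in place of the CA's RSA/ECDSA signature.
CA_KEY = b"constructed-ca-key-not-real"


def _crl_body(crl: dict) -> bytes:
    # Canonical bytes of everything except the signature itself.
    body = {k: v for k, v in crl.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, default=str).encode()


def sign_crl(crl: dict, ca_key: bytes) -> dict:
    signed = dict(crl)
    signed["signature"] = hmac.new(ca_key, _crl_body(crl), hashlib.sha256).hexdigest()
    return signed


def certificate_status(crl: dict, ca_key: bytes, serial: int, now: datetime) -> str:
    """Return 'good', 'suspended', 'revoked' or 'crl-rejected: <why>'."""
    # Signature attribute: a CRL whose signature does not verify proves nothing.
    expected = hmac.new(ca_key, _crl_body(crl), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, crl.get("signature", "")):
        return "crl-rejected: signature does not verify"
    # Publish period / validity period: only trust the CRL inside its window.
    if now < crl["this_update"]:
        return "crl-rejected: not yet valid"
    if now > crl["next_update"]:
        return "crl-rejected: stale, fetch a fresh copy from the distribution point"
    entry = crl["revoked"].get(serial)
    if entry is None:
        return "good"
    return "suspended" if entry["reason"] == CERTIFICATE_HOLD else "revoked"


# Constructed CRL showing the four attributes from the cards.
PUBLISHED = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CRL = sign_crl({
    "issuer": "CompTIA Issuing CA",
    "distribution_point": "http://crl.example/issuing.crl",  # hypothetical URL
    "this_update": PUBLISHED,                                # publish period
    "next_update": PUBLISHED + timedelta(days=7),            # validity period, a little longer than the publish interval
    "revoked": {
        0x1001: {"reason": 1, "date": PUBLISHED - timedelta(days=3)},                 # keyCompromise: revoked for good
        0x1002: {"reason": CERTIFICATE_HOLD, "date": PUBLISHED - timedelta(days=1)},  # suspended, may be reinstated
    },
}, CA_KEY)

NOW = PUBLISHED + timedelta(days=1)
STALE = PUBLISHED + timedelta(days=8)
EARLY = PUBLISHED - timedelta(hours=1)


def forged_crl(crl: dict) -> dict:
    """An attacker strips the revocation entries but cannot re-sign: the old signature no longer matches."""
    forged = dict(crl)
    forged["revoked"] = {}
    return forged


if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x1003):
        print(hex(serial), certificate_status(CRL, CA_KEY, serial, NOW))
    print("stale:", certificate_status(CRL, CA_KEY, 0x1003, STALE))
    print("forged:", certificate_status(forged_crl(CRL), CA_KEY, 0x1001, NOW))
```

Note the ordering: a stale or forged CRL must be rejected before any lookup, otherwise an attacker who can serve an old CRL copy gets a revoked certificate reported as good.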
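The entropy and key generation cards above say that a key must come from a high-entropy random process and that a general-purpose host, on its own, supplies little of it. The Python example below is added here and is not from the deck. It contrasts a key drawn from a deterministic PRNG seeded with a small guessable value against one from the OS CSPRNG (which the kernel seeds from hardware entropy sources), and shows the practical consequence: the weak key's output looks statistically random, yet its entire key space is the seed space, so it can be recovered by brute force. Seed ranges and key sizes are chosen for illustration.

```python
import math
import random
import secrets
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the observed byte distribution (maximum 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def weak_key(seed: int, nbytes: int = 32) -> bytes:
    """Key from a deterministic PRNG (Mersenne Twister) seeded with a small integer.
    The byte stream looks random, but the whole key is fixed by the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def strong_key(nbytes: int = 32) -> bytes:
    """Key from the OS CSPRNG, seeded by the kernel from hardware/TRNG entropy sources."""
    return secrets.token_bytes(nbytes)


def recover_seed(key: bytes, max_seed: int):
    """Brute force the seed space. Succeeds because the effective key space of
    weak_key is the seed space, not the 256 bits the key appears to have."""
    for seed in range(max_seed):
        if weak_key(seed, len(key)) == key:
            return seed
    return None


def looks_random(data: bytes, threshold: float = 7.5) -> bool:
    """A statistical check on the output cannot tell the two apart: both pass."""
    return shannon_entropy(data) > threshold


if __name__ == "__main__":
    victim = weak_key(777)
    print("weak key reproducible:", weak_key(777) == victim)
    print("weak output looks random:", looks_random(weak_key(777, 4096)))
    print("strong output looks random:", looks_random(strong_key(4096)))
    print("recovered seed:", recover_seed(victim, 10_000))
    print("strong key recoverable by seed search:", recover_seed(strong_key(), 10_000))
```

The lesson for the key generation stage is that entropy has to be present at the seed, not just in the appearance of the output; this is why PRNG software is seeded from TRNG hardware rather than from a clock or a counter.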