Network Security FAQ: Public Key Infrastructure

Q1. How can the exchange of public keys be secured without PKI?

Answer: Without a PKI, public keys can be exchanged out-of-band (in person, on removable media) or over a channel that is already authenticated. They can also be exchanged over an insecure channel, but then the received key must be verified out-of-band before it is trusted, typically by comparing a fingerprint (a hash of the key) read over the telephone or printed on a business card. Without that verification step, an attacker on the channel can substitute his own key for the one being sent (a man-in-the-middle attack).

Q2. Describe briefly the concept of trusted introducing.

Answer: Trusted introducing means that someone whose public key you already trust vouches for the public key of a third party by signing it, so that you can trust the third party’s key without exchanging it out-of-band yourself. The easiest way to describe this is by an example.
Step 1. Alice and Bob securely exchange their public keys.
Step 2. Alice and Bill also securely exchange their public keys.
Step 3. Alice can now digitally sign Bill’s public key using PGP and send the signed key to Bob.
Step 4. Bob verifies Alice’s signature with her public key, which he already holds. He can consider Bill’s public key authentic if he trusts Alice as an introducer, that is, if he trusts her to have verified Bill’s key in Step 2 (in PGP terms, if he has marked Alice’s key as trusted). Alice’s signature proves only that she vouches for the binding between Bill’s name and Bill’s key; the decision to rely on her vouching is Bob’s.
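As an added example (this program is not part of the FAQ; it uses Go’s standard-library Ed25519 signatures in place of PGP, and Mallory is an assumed attacker who does not appear in the text), the following code shows the two pieces that Q1 and Q2 rely on: a key fingerprint that two people compare out-of-band, and an introduction in which Alice signs Bill’s key so that Bob, who already trusts Alice’s key, can accept Bill’s. The signed message binds the name to the key, and the demo also shows that an introduction whose key was swapped in transit is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint is the SHA-256 digest of a raw Ed25519 public key. Two people who exchanged
// keys over an insecure channel read this value to each other out-of-band (Q1).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Introduction is what a trusted introducer sends (Q2 step 3): a name, the key that belongs
// to it, and the introducer's signature over both.
type Introduction struct {
	Name string
	Key  ed25519.PublicKey
	Sig  []byte
}

// introMessage binds name and key together under the signature, so a valid introduction of
// Bill's key cannot be replayed as an introduction of the same key under another name.
func introMessage(name string, key ed25519.PublicKey) []byte {
	return append([]byte("introduce:"+name+":"), key...)
}

// Introduce is run by the introducer (Alice): she signs Bill's key with her private key.
func Introduce(introducer ed25519.PrivateKey, name string, key ed25519.PublicKey) Introduction {
	return Introduction{Name: name, Key: key, Sig: ed25519.Sign(introducer, introMessage(name, key))}
}

// Accept is run by the recipient (Bob, Q2 step 4). It returns the introduced key only if the
// signature verifies under an introducer key Bob already trusts.
func Accept(trustedIntroducer ed25519.PublicKey, in Introduction) (ed25519.PublicKey, error) {
	if len(in.Key) != ed25519.PublicKeySize || !ed25519.Verify(trustedIntroducer, introMessage(in.Name, in.Key), in.Sig) {
		return nil, errors.New("introduction not signed by a trusted introducer")
	}
	return in.Key, nil
}

// Demo runs the exchange from Q2. It returns whether Bob accepted Bill's genuine key and whether
// he rejected a copy in which an attacker (Mallory, assumed) swapped in her own key.
func Demo() (acceptedGenuine, rejectedSwapped bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	billPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	malloryPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Steps 1 and 2 happened out-of-band: Bob holds alicePub and has checked Fingerprint(alicePub) with Alice.
	intro := Introduce(alicePriv, "bill", billPub) // step 3
	got, err := Accept(alicePub, intro)            // step 4
	acceptedGenuine = err == nil && got.Equal(billPub)
	swapped := intro
	swapped.Key = malloryPub // Alice's signature no longer covers this key
	_, err = Accept(alicePub, swapped)
	return acceptedGenuine, err != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("genuine key accepted:", ok, " swapped key rejected:", rejected, " error:", err)
}
```

Accept proves only that Alice signed the name-to-key binding; whether Bob should rely on Alice’s judgement is the trust decision of Q2 Step 4, which the code cannot make for him.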

Q3. Describe briefly the concept of a trusted third party.

Answer: This concept enables a PKI to scale. One central authority, the certificate authority (CA), signs every user’s public key together with the user’s identity, producing a certificate, and everybody trusts that authority. The CA’s own public key is distributed to all users, who use it to verify the CA’s signature on other users’ certificates. Each user therefore has to obtain only one key securely, the CA’s, instead of one key per peer; the price is that the CA’s signing key becomes the single point whose compromise undermines every certificate it has issued.

Q4. PKIs can form different topologies of trust. List three different topologies.

Answer: Three topologies of trust are as follows:

  • Single root CA: one CA issues all certificates, and every user trusts only that CA’s key.
  • Hierarchical CA: a root CA certifies subordinate CAs, which in turn issue certificates to users; a certificate is validated by following the chain of signatures up to the root.
  • Cross-certified CAs: two otherwise independent CAs sign each other’s CA certificates, so that users of one CA can validate certificates issued by the other.

Q5. Explain the PKI enrollment procedure.

Answer: These steps summarize the PKI enrollment procedure.
Step 1. The user obtains the CA certificate containing the CA’s public key. Because this key is the trust anchor used to verify the signature on every other certificate, it must itself be obtained out-of-band or verified out-of-band (for example, by checking its fingerprint against a value published by the CA).
Step 2. The user generates a key pair and sends identity information together with the public key to the CA, typically as a certificate request signed with the new private key, which proves that the user actually holds that key. The private key never leaves the user.
Step 3. The CA authenticates the user (for example, with an out-of-band check or a one-time enrollment password), signs the submitted information, and returns the signed data in the form of a certificate.

Q6. Describe three enrollment protocols that are commonly used today.

Answer: Three enrollment protocols commonly used today include the following:

  • File-based requests: The end user formats the enrollment request as a PKCS #10 message in a file. This file is transferred to the CA (for example, by e-mail or on removable media), which verifies it, signs the information, and returns the issued certificate in another file. PKCS #10 defines only the request format; the certificate comes back as an X.509 certificate, often packaged in PKCS #7.
  • Web-based requests: The user pastes or uploads the request in a web form over HTTP(S) and downloads the issued certificate the same way; this is the method used by web browsers.
  • Simple Certificate Enrollment Protocol (SCEP): A lightweight, HTTP-based protocol used to enroll network devices such as VPN routers automatically. The device retrieves the CA certificate, submits its PKCS #10 request, and fetches its own certificate over HTTP, with a challenge password or out-of-band administrator approval standing in for the identity check.

Q7. Give at least three reasons for placing a certificate on a CRL.

Answer: A certificate could be placed on a CRL for these reasons:

  • The private key is compromised, or compromise is suspected, so anyone holding it could impersonate the certificate’s subject.
  • The purpose for which the key was issued no longer applies (for example, the holder leaves the organization or changes role).
  • The private key is lost; the certificate is useless to its owner and is revoked so that a replacement can be issued without two valid certificates existing for the same identity.
  • A VPN router is replaced; the old device’s certificate must not remain valid after the device is retired.

Q8. Describe the steps needed to put a certificate on a CRL.

Answer: These steps describe the process of putting a certificate on a CRL:
Step 1. An event occurs that makes the certificate invalid (one of the reasons listed in Q7).
Step 2. The CA administrator is contacted and requested to revoke that certificate. The administrator should require additional authentication of the request, because an unauthenticated revocation request is itself a denial-of-service vector.
Step 3. The CA administrator places the certificate’s serial number on the CRL, together with the revocation time and, optionally, a reason code.
Step 4. A new CRL, signed with the CA’s private key, is published.
Step 5. Relying parties fetch a new CRL from the CA only when their cached copy reaches its next-update time. Until then a revoked certificate may still be accepted, so the CRL’s validity period bounds the revocation latency; a relying party that cannot obtain a current CRL should treat the certificate’s status as unknown rather than as not revoked.
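Q3 to Q8 describe one life cycle: a trusted third party issues a certificate from an enrollment request, relying parties validate against the CA’s key, and revocation is published through a CRL. The following Go program, added here as an example and not taken from the FAQ or from any product, runs that life cycle end to end with the standard library’s crypto/x509 package (Go 1.21 or later, for x509.RevocationListEntry). The CA name “Example Root CA” and the device name “vpn-router-1” are assumed. It builds a single root CA (Q4), creates a PKCS #10 request as in the file-based enrollment of Q6 (Q5 step 2), has the CA check proof of possession before signing (Q5 step 3), verifies the certificate against the root (Q3), then revokes it with an RFC 5280 reason code, publishes a CRL, and shows how a relying party treats a CRL from the wrong CA or an expired one (Q7, Q8).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the setup code short: a failure here is a programming error, not a runtime condition.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type CA struct { // the trusted third party of Q3
	Cert    *x509.Certificate // handed to every user in Q5 step 1
	key     *ecdsa.PrivateKey // signs every certificate (Q5) and every CRL (Q8)
	revoked []x509.RevocationListEntry
}

// NewRootCA creates a self-signed root, the trust anchor of the single-root topology in Q4.
func NewRootCA(name string) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key}
}

// Enroll is Q5 step 2 on the user's side: a new key pair and a PKCS #10 request (the file-based format of Q6).
func Enroll(commonName string) (csrDER []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // stays with the user; only the request is sent
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key))
}

// Issue is Q5 step 3 on the CA's side. Identity vetting happens outside this function; here the CA checks
// proof of possession (the CSR is signed with the enrolling key) and copies only vetted fields into the certificate.
func (ca *CA) Issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: pkix.Name{CommonName: csr.Subject.CommonName}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour)}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)))
}

// Revoke is Q8 step 3; reason is an RFC 5280 CRLReason (1 keyCompromise, 4 superseded, 5 cessationOfOperation).
func (ca *CA) Revoke(cert *x509.Certificate, reason int) {
	ca.revoked = append(ca.revoked, x509.RevocationListEntry{SerialNumber: cert.SerialNumber, RevocationTime: time.Now(), ReasonCode: reason})
}

// PublishCRL is Q8 step 4; NextUpdate is when relying parties must discard their cached copy (Q8 step 5).
func (ca *CA) PublishCRL(validFor time.Duration) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(), // CRL numbers must increase
		NextUpdate: time.Now().Add(validFor), RevokedCertificateEntries: ca.revoked}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))))
}

// Verify is the relying party: chain to the trusted root, then require a CA-signed CRL that is still valid
// at now and does not list the serial. An expired CRL means "status unknown", never "not revoked".
func Verify(cert, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s: fetch a new CRL before trusting this certificate", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate revoked (reason code %d)", e.ReasonCode)
		}
	}
	return nil
}

func main() {
	ca := NewRootCA("Example Root CA") // names are assumed, not taken from the text
	cert := must(ca.Issue(Enroll("vpn-router-1")))
	ca.Revoke(cert, 1) // the router's private key was compromised
	fmt.Println(Verify(cert, ca.Cert, ca.PublishCRL(24*time.Hour), time.Now()))
}
```

must is used only for setup steps where failure is a programming error; the operations a hostile party can influence (parsing and checking the CSR) return errors instead. Two deliberate choices: serial numbers are random 64-bit values rather than a counter, and Verify fails closed on an expired CRL, so a relying party that cannot get a current CRL does not silently accept a certificate that may have been revoked. A certificate issued under one root is rejected by relying parties of another root; that is the gap cross-certification in Q4 is meant to close.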

Q9. How can you view and verify the certificate of a certain site?

Answer: You can view and verify a site’s certificate by going to the site and opening the certificate from the browser:

  • Click the lock icon that the browser shows for an HTTPS connection (in current browsers it is in the address bar; older browsers showed it in the status bar at the bottom of the window) and open the certificate details.
  • In Internet Explorer, click File > Properties and then click Certificates on the Properties page to display the certificate.

When the certificate is displayed, check that it chains to a root CA you trust, that the current date lies within its validity period, that the name in the certificate matches the site you intended to visit, and, if the browser supports it, that the certificate has not been revoked.
