Challenges

Question 1

PKI Definition

Answer 1

• Designed to facilitate the use of public key cryptography
• Consists of hardware, software, people, policies, and procedures
• Deals with the management of digital certificates in distributed environments
  -> creation, distribution, usage, storage, revocation

Question 2

Policies

Answer 2

• Certificate policy: States what to comply to
• Certificate practice statement: States how to comply
• Policies are enforced by the PKI through:
  -> Selecting standards, parameters, hardware
  -> Monitor behavior of involved parties
  -> Reacting on infringement of the policy

Question 3

Public key certificates Definition

Answer 3

Data structures that bind public key values to subjects. The binding is asserted by having a trusted CA digitally sign each certificate.

Question 4

Certificate properties

Answer 4

• Protected binding of a key to the key holder
• Its authenticity is independent of the means of transportation
• It can be used online and offline
• It is a proof of the binding
• It can be used for key servers

Question 5

X.509 certificate contents

Answer 5

• Version
• Serial Number (unique within PKI)
• Certificate Signature Algorithm
• Issuer
• Validity Period
• Subject
• Subject Public Key Info
  V2:
• Subject Unique ID (worldwide unique)
• Issuer Unique ID (worldwide unique)
  V3:
• Extensions

Question 6

X.509 extensions

Answer 6

• Subject Key Identifier
• Authority Key Identifier
• Key Usage
• Subject Alternative Name
• Issuer Alternative Name
• Subject Directory Attributes
• Extended Key Usage

Question 7

X.509 extensions: Subject Key Identifier

Answer 7

• Identifies certificates that contain a particular public key
• Must be included in all CA certificates
• Either derived from the subject public key as 160 bit hash of public key or “0100” followed by the least significant 60 bits of the hash value of the public key

Question 8

X.509 extensions: Authority Key Identifier

Answer 8

• Identifies the public key that corresponds to the private key that has signed the certificate
• Must be included in all certificates (unless self-signed) -> non-critical
• Facilitates certification path construction

Question 9

X.509 extensions: Key usage

Answer 9

• Defines the purpose of the key contained in the certificate
• bit string

Question 10

X.509 extensions: Subject Alternative Name

Answer 10

• Allows additional identities to be bound to the subject of the certificate (e.g. IP, e-mail address)

Question 11

X.509 extensions: Issuer Alternative Name

Answer 11

• Associates Internet style identities with the certificate issuer
• Should not be marked critical

Question 12

X.509 extensions: Subject Directory Attributes

Answer 12

Used to convey identification attributes of the subject (e.g. nationality)

Question 13

X.509 extensions: Extended Key Usage

Answer 13

• Indicates on or more purposes for which the certified public key may be used, in addition to or in place ob the basic purpose indicated in the key usage extension
• If present, both key usage and extended key usage extensions must be processed independently -> must be consistent

Question 14

TBS

Answer 14

• to-be-signed
• part of certificate which holds all information
  -> version, serial number, signature (algorithm used, is the same as signature algorithm), issuer, validity, subject, subject public key info, issuer unique id, subject unique id, extensions
• sonst noch: signature algorithm und signature value

Question 15

Why PKI?

Answer 15

• Assure that the public key is
  -> available
  -> authentic (bind public key uniquely to electronic identity)
  -> valid (monitor binding between public key, electronic identity and key owner, establish time constraints, revoke binding)
• Support security (select suitable algorithms and key sizes, monitor possible security threats and react adequately)
• Support interoperability (comply to accepted (international) standards)

Question 16

X.509 relevant standards

Answer 16

• X.509
• PKIX

Question 17

Certificate (ASN.1)

Answer 17

• To Be Signed Certificate: this part holds all information; this will be signed
• Algorithm: The algorithm that is used for signing the TBS part
• Signature Value: The calculated signature

Question 18

TBSCertificate (ASN.1)

Answer 18

• Version
• Serial Number
• Signature: The algorithm OID and needed parameters used to sign the certificate (must be the same as signatureAlgorithm)
• Issuer: Name of the CA in form of an X.500 distinguished name
• Validity: NotBefore, NotAfter
• Subject: Name (X.500 DN) of the certificate holder, same DN is not allowed to be given to two different entities
• SubjectPublicKeyInfo: algorithm OID of the public key + public key of the certificate holder
• Issuer/Subject Unique ID
• Extensions