CISSP PRACTICE QUESTIONS – 20201018

Effective CISSP Questions

Your company implemented an on-premise public key infrastructure (PKI). Certificates are issued directly by a root certificate authority (CA) with a self-signed certificate. Which of the following statements is correct?
A. The certificate of root CA shall be deployed to all servers only.
B. The certificate of root CA and its private key can be packaged into the same file.
C. The root CA manages all key pairs (public and private keys) of users.
D. The root CA issues certificates with a digital signature signed by its public key.


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The certificate of root CA and its private key can be packaged into the same file.

PKCS #12 files are commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

  • A: The root CA certificate must be deployed not only to servers but to every host that has to validate certificates issued by the CA (workstations and other clients included).
  • C: A private key is always kept secret by its owner. It is never sent to the root CA for storage.
  • D: Certificates are signed by the CA with its private key; relying parties verify that signature with the CA's public key, which they obtain from the root certificate.

X.509 Certificate Formats

In cryptography, PKCS stands for “Public Key Cryptography Standards”. These are a group of public-key cryptography standards devised and published by RSA Security LLC, starting in the early 1990s. (Wikipedia)

PKCS #10: Certification Request Syntax Specification

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a registration authority of the public key infrastructure in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).

Source: Wikipedia

The following is a sample certificate signing request (CSR):

-----BEGIN CERTIFICATE REQUEST-----
[Base64-encoded CSR body omitted]
-----END CERTIFICATE REQUEST-----

PKCS #7: Cryptographic Message Syntax

In cryptography, “PKCS #7: Cryptographic Message Syntax” (a.k.a. “CMS”) is a standard syntax for storing signed and/or encrypted data.

PKCS #7 files may be stored either in raw DER format or in PEM format. PEM format is the same as DER format but wrapped inside Base64 encoding and sandwiched in between -----BEGIN PKCS7----- and -----END PKCS7-----. Windows uses the “.p7b” file name extension for both these encodings.

A typical usage of a PKCS #7 file would be to store certificates and/or certificate revocation lists (CRL).

Source: Wikipedia

PKCS #12: Personal Information Exchange Syntax

In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

The filename extension for PKCS #12 files is .p12 or .pfx. PKCS #12 is the successor to Microsoft’s “PFX”; however, the terms “PKCS #12 file” and “PFX file” are sometimes used interchangeably. The PFX format has been criticized for being one of the most complex cryptographic protocols.

Source: Wikipedia
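The whole flow discussed on this page, as an added example that is not part of the original post: a root CA with a self-signed certificate, a PKCS #10 request generated by a server that keeps its own private key, a certificate signed with the root's private key and verified with its public key, the key-plus-certificate bundle in PKCS #12 and the certificate-only bundle in PKCS #7, all driven from the OpenSSL command line. Every name, path and the password `changeit` are made up; the only assumption is that the `openssl` CLI (1.1.1 or 3.x) is installed. The same `pkcs12 -export` command applied to `root.key` and `root.crt` produces the file option B describes, which then has to be protected exactly like the root's private key itself.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal on-premise PKI built
# with the OpenSSL CLI. All names and paths are made up; assumes only that
# `openssl` is on PATH.
set -eu

WORK="$(mktemp -d)"   # scratch directory; files are left there for inspection

# Step 1: the root CA generates its key pair and a self-signed certificate.
# root.key is the CA's private key and never leaves the CA host.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Step 2: a server generates ITS OWN key pair and a PKCS #10 request (CSR).
# Only the CSR (public key + identity) travels to the CA; server.key stays put.
make_server_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Step 3: the root CA signs the CSR with its PRIVATE key -> server certificate.
sign_csr() {
  openssl x509 -req -sha256 -days 90 \
    -in "$WORK/server.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Step 4: a relying party checks the signature with the root's PUBLIC key,
# taken from the root certificate in its trust store ($1); $2 is the cert to check.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 5: PKCS #12 bundles the server's private key, its certificate and the
# chain in one password-protected file (.p12/.pfx).
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/root.crt" -passout pass:changeit -out "$WORK/server.p12"
}

# Step 6: PKCS #7 (.p7b) carries certificates and/or CRLs only, never a private key.
bundle_pkcs7() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -certfile "$WORK/root.crt" \
    -out "$WORK/chain.p7b"
}

# Inspection helpers (grep -c prints 0 on no match but exits 1, hence "|| true").
p12_private_keys() {   # private keys inside the PKCS #12 file (expect 1)
  openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nodes 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY' || true
}
p7_certificates() {    # certificates inside the PKCS #7 file (expect 2)
  openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -noout 2>/dev/null \
    | grep -c '^subject=' || true
}
p7_private_keys() {    # private keys inside the PKCS #7 file (expect 0)
  grep -c 'PRIVATE KEY' "$WORK/chain.p7b" || true
}

build_pki() {
  make_root_ca; make_server_csr; sign_csr; bundle_pkcs12; bundle_pkcs7
}

# Stand-alone run: build everything, then show that the server certificate is
# accepted under the real root and rejected under an unrelated self-signed CA.
build_pki
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Unrelated CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
if verify_chain "$WORK/root.crt" "$WORK/server.crt"; then
  echo "server.crt verifies under root.crt (signature checked with the root's public key)"
fi
if verify_chain "$WORK/other.crt" "$WORK/server.crt"; then
  echo "UNEXPECTED: accepted under an unrelated CA"
else
  echo "server.crt rejected under other.crt"
fi
echo "PKCS #12 private keys: $(p12_private_keys); PKCS #7 certificates: $(p7_certificates), private keys: $(p7_private_keys)"
echo "artifacts left in $WORK"
```

Run it as `sh pki-demo.sh`; the last line prints the scratch directory so the generated `.csr`, `.crt`, `.p12` and `.p7b` files can be inspected with `openssl req -text`, `openssl x509 -text`, `openssl pkcs12 -info` and `openssl pkcs7 -print_certs`. The two `verify` calls are the point of option D: the CA signed with its private key, and only the matching public key in the deployed root certificate makes the signature check pass.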

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your company has implemented an on-premise public key infrastructure (PKI). Certificates are issued directly by a root certificate authority (CA) with a self-signed certificate. Which of the following statements is correct?
A. The root CA certificate shall be deployed to all servers only.
B. The root CA certificate and its private key can be packaged into the same file.
C. The root CA manages all key pairs (public and private keys) of users.
D. The root CA issues certificates with a digital signature signed by its public key.
