CKM

Question 1

1/16

How are the users' private keys stored in a database of an enterprise CA implemented by Microsoft Certificate Services 2003?

encrypted by the Key Recovery Agent’s public key

Answer

without being encrypted, the protection being ensured by the access grants and credentials at the database level

Answer

encrypted with the CA’s private key

Answer

encrypted with the Backup Operator’s private key

Question 2

2/16

RA – Registration Authority is designed to:

Check the issuing certifcate requests and the identity of the final entities

Answer

Archive the private keys used to decrypt data by the end-users

Answer

Record the users private keys used to sign data

Answer

Verify that users are using the key pairs in a correct manner

Question 3

3/16

Certificate Repository serves to:

Hint: 2 choices

Answer

The distribution of digital certificates

Answer

CRL distribution

Answer

Interface used by the end-users for submitting the issuing certificates requests

Answer

Logging the events related to the certificates management

Question 4

4/16

Who can recover a private key within an enterprise CA implemented by Microsoft Certificate Services 2003?

Key Recovery Agent

Answer

CA Administrator

Answer

Backup Operator

Answer

Certificate Manager

Question 5

5/16

What should be done to ensure the protection of the cryptographic keys?

Hint: 3 choices

Answer

Keeping the secret of the encryption algorithms used

Answer

The users’ awareness of the importance of correct cryptographic key management

Answer

To use validated cryptographic algorithms and modules

Answer

The choice of key lengths as large as possible

Question 6

6/16

CA – Certification Authority are designed to:

Hint: 3 choices

Answer

archive the private keys used by the end-users for signing data

Answer

Establish the relationships with other CAs for cross-certification

Answer

issue and revoke digital certificates

Answer

publish the digital certificates in the Repository

Question 7

7/16

Which of the f.ollowing statements about the Microsoft Certificate Services 2003 version Enterprise are true?

Use IIS Web Server as user interface

Answer

Allows the implementation of the "m from n" schemes in order to restore the private keys

Answer

In addition to Active Directory, it can be integrated with any directory server

Answer

Allows the definition of new templates for certificates

Question 8

8/16

What are the minimum recommended key lengths to use for the moment, in order to ensure data protection for 10 years?

128 bits for symmetric algorithms and 2048 bits for public key algorithms

Answer

256 bits for symmetric algorithms and 4096 bits for public key algorithms

Answer

64 bits for symmetric algorithms and 1024 bits for public key algorithms

Answer

192 bits for symmetric algorithms and 3072 bits for public key algorithms

Question 9

9/16

The term "key escrow" refers to:

Arrangement by which the cryptographic keys are stored on a trusted third party and used when necessary

Answer

Check if a user holds the private key associated to the public key from a digital certificate

Answer

Prime number test used in the RSA key generation process

Answer

Protocol which negotiates a session key between two entities

Question 10

10/16

What is the role of an HSM - Hardware Security Module?

Ensures the cryptographic keys protection

Answer

Ensures protection for the computer which tuns the installed CA software

Answer

Allows keeping secret the used cryptographic algorithms

Answer

Accelerates the cryptographic operations

Question 11

11/16

How is possible to determine the level of trust in a digital certificate issued by a Certification Authority:

The analysis of CP and CPS

Answer

Based on Subject Key Identifier extension

Answer

By reading Trust Level attribute from the Repository

Answer

Using the OCSP protocol

Question 12

12/16

Which of the f.ollowing statements are true about the hierarchical PKI architectures?

Hint: 2 choices

Answer

There is a single point of trust - Root Certification Authority

Answer

The compromise of the private key does not affect the other authority

Answer

The certification paths are unidirectional and easy to determine

Answer

The certification paths are dependent by the user who does the validation

Question 13

13/16

The advantages of using a Bridge CA in order to ensure the PKI interoperability are:

Reducing the number of bilateral cross-certification

Answer

Simplifying the process of certification policy equivalency

Answer

All users will use a single point of trust - Bridge CA

Answer

It is a standardized method and therefore supported by most PKI applications

Question 14

14/16

What is the extension that defines the categories of applications that can use a digital certificate?

Hint: 2 choices

Key Usage

Answer

Extended Key Usage

Answer

Policy Constraints

Answer

Subject Public Key Info

Question 15

15/16

The main features of the OCSP protocol are:

Hint: 2 choices

Answer

It is used by the clients in order to access the Certificate Repository

Answer

Relieves the clients by the CRL’s specific complex processing

Answer

It is a simple request / response protocol

Answer

Allows the clients to revoke the certificates in case of the compromise of the private key

Question 16

16/16

When do you need to revoke a digital certificate?

Hint: 2 choices

Answer

If the user leaves the organization

Answer

If the cryptographic algorithms and key lengths are no longer suitable for the necessary protection

Answer

If the private key associated to the public key certificate is compromised

Answer

When the user's digital certificate came into possession of a third party