Suppose that you are the COMSEC - Communications Security custodian for a large, multinational corporation. Susie, from Finance approaches you in the break room saying that she lost her smart ID Card that she uses to digitally sign and encrypt emails in the PKI.
What happens to the certificates contained on the smart card after the security officer takes appropriate action?
Correct Answer: A
Smart ID Cards can contain digital certifications user for establishing identity and for digitally encrypting and decrypting messages.
Commonly, there are three types of certificates on an ID Card: Identity certificate, private certificate and public certificate:
- Identity Certificate: This is the cert used to guarantee your identity, as when you swipe to enter a facility or when logging onto a computer
- Public Certificate: This is freely shared with the public. All who have it can use it to decrypt messages that you encrypt with your private key.
- Private Certificate: This is the key that you use to encrypt messages. It is a complimentary key to your public key. Only your public key can decrypt messages encrypted with the private key.
Otherwise known as PKI - Public Key Infrastructure, this is how the keys are used on your card. Ordinarily, there is software on the computer that can, given the appropriate PIN number, log on, digitally sign, encrypt and decrypt messages.
If you should lose your card the only certificate that is vital to be kept secret is your private key because that can decrypt messages encrypt with your public key.
If this happens, the private key is added to the CRL - Certificate Revocation List. It is published by the Certificate Authority or CA server and must periodically be downloaded so that the system knows which certificates to trust and which not to trust.
Notably, revocation lists can become quite large and slow to download, especially over slower or tactical military networks. Also, certificates can be in one of two states on the
CRL: Revoked or Hold. A hold can be reversed but once in revoked status, it is gone forever
ABOUT OCSP
Another way of validating if a certificate is valid is using OCSP.
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the
Internet standards track. It was created as an alternative to certificate revocation lists
(CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.
The following answers are incorrect:
- They are reissued to the user: This isn't correct because once a private certificate is lost, it may never again be trusted because it has been out of control of the user.
- New certificates are issued to the user: This is actually correct but not what happens first.
Ordinarily the previous certificates for the users are added to the CRL and THEN the new certificates are issued to the user. This way there is no chance a double set of certs are out there for a single user.
- The user may no longer have certificates: This isn't correct, unless the user is fired or quits. Users must have certificates to operate in a PKI environment. (Public Key
Infrastructure)
The following reference(s) was used to create this question:
2013. Official Security+ Curriculum.
