
CISA Exam - Testing Concept - Elements of PKI, i.e. CA/RA/CRL/CPS (Domain 5)


Domain-5

Testing Concept - Elements of Public Key Infrastructure (PKI), i.e. Certifying Authority / Registration Authority / CRL / CPS

Hemang Doshi

CISA, ACA, DISA, FIII

Details about this E-Book:

The objective of this e-book is to ensure that CISA candidates get adequate knowledge of the concept of ‘Elements of Public Key Infrastructure (PKI)’. The concepts have been simplified for easy reference by CISA candidates.

Questions, Answers and Explanations (QAE) on the concept are designed in accordance with the CISA exam pattern.

What is PKI?

 

Public Key Infrastructure (PKI) is a framework for issuing, maintaining and revoking public key certificates through a trusted third party known as a Certifying Authority (CA).

 

Process involved in PKI:

 

(1) The applicant applies to the Certifying Authority (CA) for a digital certificate.

(2) The CA delegates verification of the information supplied by the applicant to the Registration Authority (RA).

(3) The RA validates the information and, if it is correct, tells the CA to issue the certificate.

(4) The CA issues the certificate and manages it throughout its life cycle.

(5) The CA maintains a list of certificates that have been revoked or terminated before their expiry date. This list is known as the certificate revocation list (CRL).

(6) The CA also publishes a Certification Practice Statement (CPS), in which the standard operating procedure (SOP) for issuance of certificates and other relevant details are documented.

 

 

Certifying Authority (CA) vis-a-vis Registration Authority (RA)

 

 

 

Functions of Registration Authority:

 

-Verifying information supplied by the applicant.

-Verifying that the applicant actually possesses the private key being registered and that it matches the public key requested for the certificate. This is generally referred to as proof of possession (POP).

-Distributing the physical tokens containing the private keys.

-Generating shared secret keys for use during the initialization and certificate pick-up phases of registration.
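The six-step process above and the RA's proof-of-possession check, as an added example that is not part of this e-book: a minimal PKI on Go's standard crypto/x509 library, in which the RA validates the request (proof of possession plus an identity check) but only the CA signs. The CA name "Demo Root CA", the function names and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must keeps the setup code short: a failure here is a programming error, not a runtime condition.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// NewCA plays the Certifying Authority: it generates its own key and self-signs a root certificate (name is constructed).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)))), key
}
// NewCSR is step 1: the applicant generates its own key pair and signs a certificate signing request (CSR)
// carrying its public key and claimed name. The private key never leaves the applicant.
func NewCSR(cn string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return key, must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
}
// RAApprove is steps 2-3, the Registration Authority's job: proof of possession (the CSR's signature must verify under
// the public key inside it) plus an identity check against what the RA verified out of band. The RA signs nothing.
func RAApprove(csrDER []byte, verifiedCN string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, errors.New("proof of possession failed: " + err.Error())
	}
	if csr.Subject.CommonName != verifiedCN {
		return nil, errors.New("identity not verified by RA: " + csr.Subject.CommonName)
	}
	return csr, nil
}
// Issue is step 4: only the CA signs, with its own key, binding the RA-approved name to the applicant's public key.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey))))
}
```

A relying party then checks the issued certificate with cert.CheckSignatureFrom(caCert); the RA's approval never appears in the certificate, only the CA's signature does.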

 

 

Certificate Revocation List (CRL) vis-a-vis Certificate Practice Statement (CPS)

 

 

Points to remember for the CISA Exam:

 

(1) In any given scenario, the certifying authority (CA) is solely responsible for issuing the digital certificate and managing it throughout its life cycle.

 

(2) In any given scenario, the registration authority (RA) is responsible for identifying and authenticating subscribers, but does not sign or issue certificates.

 

(3) In any given scenario, a digital certificate is composed of a public key and information about the owner of that public key.

 

(4) In any given scenario, the time gap between updates of the CRL (certificate revocation list) is critical and also poses a risk in certificate verification: a certificate revoked after the last CRL update still passes a check against that CRL until the next update is published.

 

 

Question, Answer & Explanation on ‘PKI-Elements’ Concept:

The QAE below are solely on the above-mentioned concept. Questions have been designed as per the CISA exam pattern. Candidates are advised to attempt the questions below multiple times. More emphasis should be given to the explanation part for better understanding.

 

(1) The authority that manages the certificate life cycle is the:

 

A. certificate authority (CA)

B. certificate revocation list (CRL)

C. certification practice statement (CPS)

D. registration authority (RA)

 

Answer: A. certificate authority (CA)

 

Explanation:

In any given scenario, the certifying authority (CA) is solely responsible for issuing the digital certificate and managing it throughout its life cycle.

The registration authority performs the process of identification and authentication by establishing a link between the identity of the requesting person or organization and the public key. In short, a CA manages and issues certificates, whereas an RA is responsible for identifying and authenticating the information provided by subscribers, but does not sign or issue certificates.

A CRL is a list of certificates that have been revoked before their scheduled expiration date.

A CPS is a detailed set of rules and processes governing the Certifying Authority’s (CA) operations.

 

 

(2) In a public key infrastructure, the role of a registration authority is to:

 

A. issue the certificate to the subscriber.

B. manage the certificate throughout its life cycle.

C. maintain the list of revoked certificates.

D. validate the information provided by the subscriber requesting a certificate.

 

Answer: D. validate the information provided by the subscriber requesting a certificate.

 

Explanation:

In any given scenario, the registration authority (RA) is responsible for identifying and authenticating subscribers, but does not sign or issue certificates. The certifying authority (CA) is solely responsible for issuing the digital certificate, managing it throughout its life cycle and maintaining the list of revoked certificates.

 

 

(3) Which of the following PKI elements controls and manages the digital certificate life cycle to ensure proper security exists in digital signature applications?

 

A. Certification revocation list

B. Registration authority (RA)

C. Certificate authority (CA)

D. Certification practice statement

 

Answer: C. Certificate authority (CA)

 

Explanation:

In any given scenario, the certifying authority (CA) is solely responsible for issuing the digital certificate and managing it throughout its life cycle. The registration authority is an optional entity that is responsible for administrative tasks such as identifying and authenticating the information provided by applicants.

Choice A is incorrect since a CRL is a list of certificates that have been revoked before their scheduled expiration date. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority’s operations.

 

 

(4) Which of the following processes can be delegated by a certificate authority (CA)?

 

A. issuance of digital certificates.

B. managing the certificate throughout its life cycle.

C. establishing a link between the requesting entity and its public key.

D. maintaining the list of revoked certificates.

 

Answer: C. establishing a link between the requesting entity and its public key.

 

Explanation:

Establishing a link between the requesting entity and its public key is a function of a registration authority, so this function can be delegated to the RA.

The other functions have to be performed by the CA only.

 

 

(5) In public key infrastructure, which of the following would an IS auditor consider a weakness?

 

A. Certificate authorities are centrally located, however customers are widely dispersed geographically.

B. Transactions can be made from any computer or mobile device.

C. The certificate authority has multiple data processing centres to manage the certificates.

D. The organization is the owner of the certificate authority.

 

Answer: D. The organization is the owner of the certificate authority.

 

Explanation:

If the organization is the owner of the certificate authority, this generates a conflict of interest. The certifying authority is not independent in such cases, and a third party may repudiate the transactions.

The other options are not weaknesses.

 

 

(6) In a public key infrastructure, a registration authority:

 

A. issues the certificate.

B. verifies information supplied by the subject requesting a certificate.

C. signs the certificate to achieve authentication and non-repudiation.

D. manages the certificate throughout its life cycle.

 

Answer: B. verifies information supplied by the subject requesting a certificate.

 

Explanation:

In any given scenario, the registration authority (RA) is responsible for identifying and authenticating subscribers, but does not sign or issue certificates. A registration authority is responsible for verifying the information supplied by the subject requesting a certificate.

Option A and Option D are functions of the CA. Option C is not a task performed by the RA: the sender, who has control of his/her private key, signs the message, not the registration authority.

 

 

(7) Detailed descriptions for dealing with a compromised private key are provided in which of the following public key infrastructure (PKI) elements?

 

A. Certificate policy (CP)

B. Certificate revocation list (CRL)

C. Certification practice statement (CPS)

D. PKI disclosure statement (PDS)

 

Answer: C. Certification practice statement (CPS)

 

Explanation:

A Certification Practice Statement (CPS) is a detailed set of rules and processes governing the Certifying Authority’s (CA) operations. It is the document in which the standard operating procedure (SOP) for issuance of certificates and other relevant details are documented.

The CPS is the how-to part of a policy-based PKI. A CRL is a list of certificates that have been revoked before their scheduled expiration date. The PDS covers critical items such as the warranties, limitations and obligations that legally bind each party.

 

 

(8) In a public key infrastructure, the role of a certificate authority is to:

 

A. ensure secured communication and secured network services based on certificates.

B. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA.

C. ensure secured communication infrastructure between parties.

D. host the private keys of subscribers in the public domain.

 

Answer: B. validate the identity and authenticity of the entity owning the certificate and integrity of the certificate issued by that CA.

 

Explanation:

The primary activity of a CA is to issue certificates and to validate the identity and authenticity of the entity owning the certificate, as well as the integrity of the certificates issued by that CA.

CAs are not responsible for the secured communication channel. Private keys are never made available in the public domain.

 


  • ISBN: 9781370126262
  • Author: Hemang Doshi
  • Published: 2016-11-05 22:05:09
  • Words: 1549