{"id":716,"date":"2021-01-17T05:38:28","date_gmt":"2021-01-16T18:04:51","guid":{"rendered":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0708\/"},"modified":"2021-01-17T05:44:35","modified_gmt":"2021-01-17T05:44:35","slug":"systems-security-certified-practitioner-sscp-question0708","status":"publish","type":"post","link":"https:\/\/exampracticetests.com\/ISC\/SSCP\/systems-security-certified-practitioner-sscp-question0708\/","title":{"rendered":"Systems Security Certified Practitioner &#8211; SSCP &#8211; Question0708"},"content":{"rendered":"<div class=\"question\">Which of the following would best describe certificate path validation? <br \/><strong><br \/>A.<\/strong> Verification of the validity of all certificates of the certificate chain to the root certificate <br \/><strong>B.<\/strong> Verification of the integrity of the associated root certificate <br \/><strong>C.<\/strong> Verification of the integrity of the concerned private key <br \/><strong>D.<\/strong> Verification of the revocation status of the concerned certificate<\/div>\n<p><\/p>\n<style> .hidden-div{ display:none } <\/style>\n<p>\t\t\t\t\t\t\t<button onclick=\"getElementById('hidden-div').style.display = 'block'\"> Show Answer <\/button> <button onclick=\"getElementById('hidden-div').style.display = 'none'\">Hide Answer<\/button><\/p>\n<div class=\"hidden-div\" id=\"hidden-div\"><span style=\"\"><\/p>\n<div class=\"answer\">Correct Answer: <strong>A<\/strong><\/div>\n<p><strong>Explanation:<\/strong> <\/p>\n<div class=\"explanation\">\nWith the advent of public key cryptography (PKI), it is now possible to communicate securely with untrusted parties over the Internet without prior arrangement. One of the necessities arising from such communication is the ability to accurately verify someone&#8217;s identity (i.e. whether the person you are communicating with is indeed the person who he\/she claims to be). 
In order to be able to perform an identity check for a given entity, there should be a fool-proof method of \u201cbinding\u201d the entity&#8217;s public key to its unique domain name (DN).<br \/>\nAn X.509 digital certificate issued by a well-known certificate authority (CA), like Verisign, Entrust, Thawte, etc., provides a way of positively identifying the entity by placing trust in the CA to have performed the necessary verifications. An X.509 certificate is a cryptographically sealed data object that contains the entity&#8217;s unique DN, public key, serial number, validity period, and possibly other extensions.<br \/>\nThe Windows Operating System offers a Certificate Viewer utility which allows you to double-click on any certificate and review its attributes in a human-readable format. For instance, the &#8220;General&#8221; tab in the Certificate Viewer Window (see below) shows who the certificate was issued to as well as the certificate&#8217;s issuer, validation period and usage functions.<br \/>\n<img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full\" src=\"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-content\/uploads\/exam\/__Page_351_Image_0001.jpg\" \/><br \/>\nCertification Path graphic<br \/>\nThe \u201cCertification Path\u201d tab contains the hierarchy for the chain of certificates. It allows you to select the certificate issuer or a subordinate certificate and then click on \u201cView Certificate\u201d to open the certificate in the Certificate Viewer.<br \/>\nEach end-user certificate is signed by its issuer, a trusted CA, by taking a hash value (MD5 or SHA-1) of the ASN.1 DER (Distinguished Encoding Rules) encoded object and then encrypting the resulting hash with the issuer\u2019s private key (CA&#8217;s Private Key); the result is a digital signature. 
The encrypted data is stored in the \u201csignatureValue\u201d attribute of the entity\u2019s (CA) public certificate.<br \/>\nOnce the certificate is signed by the issuer, a party who wishes to communicate with this entity can then take the entity\u2019s public certificate and find out who the issuer of the certificate is. Once the issuer of the certificate (CA) is identified, it is possible to decrypt the value of the \u201csignatureValue\u201d attribute in the entity&#8217;s certificate using the issuer\u2019s public key to retrieve the hash value. This hash value is then compared with the independently calculated hash of the entity&#8217;s certificate. If the two hash values match, then the information contained within the certificate must not have been altered and, therefore, one must trust that the CA has done enough background checks to ensure that all details in the entity\u2019s certificate are accurate.<br \/>\nThe process of cryptographically checking the signatures of all certificates in the certificate chain is called \u201ckey chaining\u201d. An additional check that is essential to key chaining is verifying that the value of the &#8220;subjectKeyIdentifier\u201d extension in one certificate matches the same in the subsequent certificate.<br \/>\nSimilarly, the process of comparing the subject field of the issuer certificate to the issuer field of the subordinate certificate is called \u201cname chaining\u201d. 
In this process, these values must match for each pair of adjacent certificates in the certification path in order to guarantee that the path represents an unbroken chain of entities relating directly to one another and that it has no missing links.<br \/>\nThe two steps described above validate the Certification Path by ensuring the validity of all certificates of the certificate chain to the root certificate.<br \/>\nReference(s) used for this question: FORD, Warwick &#038; BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 262. and<br \/>\n<a href=\"https:\/\/www.tibcommunity.com\/docs\/DOC-2197\" title=\"External link\" rel=\"nofollow noopener\" target=\"_blank\">https:\/\/www.tibcommunity.com\/docs\/DOC-2197<\/a><\/div>\n<p><\/strong><\/span> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Which of the following would best describe certificate path validation? A. Verification of the validity of all certificates of the certificate chain to the root certificate B. Verification of the integrity of the associated root certificate C. Verification of the integrity of the concerned private key D. 
Verification of the revocation status of the concerned [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1078,711,3],"class_list":["post-716","post","type-post","status-publish","format-standard","hentry","category-systems-security-certified-practitioner-sscp","tag-choices","tag-question-0708","tag-systems-security-certified-practitioner-sscp"],"_links":{"self":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/comments?post=716"}],"version-history":[{"count":1,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/716\/revisions"}],"predecessor-version":[{"id":1792,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/posts\/716\/revisions\/1792"}],"wp:attachment":[{"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/media?parent=716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/categories?post=716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exampracticetests.com\/ISC\/SSCP\/wp-json\/wp\/v2\/tags?post=716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}