Information Security Professional Exam - PKI Keyword

1. Basic Concepts of PKI

  • Public Key Infrastructure (PKI) definition and purpose
  • Difference between Public Key Cryptography and Symmetric Key Cryptography
  • Hybrid Cryptosystem
  • Digital Signature mechanism and purpose
  • Non-repudiation
  • Use cases for Encryption vs Signature

Sub-keywords:

  • Asymmetric encryption algorithms
  • Key pair generation (public/private keys)
  • Authentication vs confidentiality objectives

2. Digital Certificates

  • X.509 Certificate structure
  • Information contained in certificates (Issuer, Subject, Public Key, Validity Period, Serial Number, etc.)
  • Server Certificate, Client Certificate
  • Root Certificate
  • Intermediate Certificate
  • Certificate Chain
  • Cross Certification
  • EV Certificate (Extended Validation)
  • DV Certificate (Domain Validation)
  • OV Certificate (Organization Validation)
  • Wildcard Certificate
  • SAN Certificate (Subject Alternative Name)

Sub-keywords:

  • Certificate attributes and extensions
  • Distinguished Name (DN) format
  • Certificate fingerprint verification

3. Certificate Authority (CA)

  • Role and responsibilities of Certificate Authority
  • Root CA and Intermediate CA
  • Registration Authority (RA)
  • CA Hierarchical Structure
  • Private CA vs Public CA
  • CP (Certificate Policy)
  • CPS (Certificate Practice Statement)

Sub-keywords:

  • Trusted third-party model
  • CA key management practices
  • Audit and compliance requirements

4. Certificate Lifecycle Management

  • Certificate Issuance
  • Certificate Renewal
  • Certificate Revocation
  • CRL (Certificate Revocation List)
  • OCSP (Online Certificate Status Protocol)
  • OCSP Stapling
  • Validity Period management
  • Key Escrow
  • Key Renewal and Key Recovery

Sub-keywords:

  • Certificate enrollment process
  • Grace period and expiration handling
  • Emergency revocation procedures

5. Cryptographic Algorithms

Public Key Cryptography

  • RSA (Key lengths: 2048-bit, 4096-bit)
  • Elliptic Curve Cryptography (ECC)
  • DSA (Digital Signature Algorithm)
  • ECDSA (Elliptic Curve DSA)
  • ElGamal Cryptosystem

Hash Functions

  • SHA-2 (SHA-256, SHA-384, SHA-512)
  • SHA-3
  • MD5 (deprecated)
  • SHA-1 (deprecated)
  • Hash Value, Message Digest

Sub-keywords:

  • Algorithm strength and key size recommendations
  • Collision resistance properties
  • Migration from deprecated algorithms

6. SSL/TLS

  • SSL (Secure Sockets Layer)
  • TLS (Transport Layer Security)
  • TLS 1.2, TLS 1.3
  • TLS Handshake process flow
  • Server Authentication and Client Authentication
  • Cipher Suite
  • HTTPS
  • HSTS (HTTP Strict Transport Security)
  • Man-in-the-Middle (MITM) Attack countermeasures

Sub-keywords:

  • Perfect Forward Secrecy (PFS)
  • Session resumption mechanisms
  • Protocol downgrade attack prevention

7. Trust Models

  • Hierarchical Trust Model
  • Cross-Certification Trust Model
  • Web of Trust (PGP model)
  • Trust Anchor
  • Chain of Trust

Sub-keywords:

  • Trust store management
  • Bridge CA architecture
  • Trust propagation mechanisms

8. PKI Threats and Countermeasures

  • Man-in-the-Middle Attack
  • Certificate Forgery
  • Spoofing/Impersonation
  • Private Key Leakage
  • Timing Attack
  • Rainbow Table Attack
  • CA Compromise
  • Importance of Certificate Validity Verification

Sub-keywords:

  • Key compromise detection
  • Incident response procedures
  • Cryptographic algorithm weaknesses

9. PKI-Related Protocols & Technologies

  • S/MIME (Secure/MIME): Email encryption and signing
  • IPsec: Certificate usage in VPN
  • Code Signing Certificate
  • Timestamp
  • PKCS (Public-Key Cryptography Standards)
    • PKCS#7, PKCS#10, PKCS#12, etc.
  • PEM Format, DER Format

Sub-keywords:

  • Certificate enrollment protocols (SCEP, EST)
  • Timestamping Authority (TSA)
  • Certificate format conversion

10. Implementation & Operational Considerations

  • Secure Storage of Private Keys
  • HSM (Hardware Security Module)
  • Appropriate Key Length Selection
  • Certificate Inventory Management
  • Revocation Checking Implementation
  • Certificate Pinning
  • CT (Certificate Transparency)
  • CAA (Certification Authority Authorization) record

Sub-keywords:

  • Key backup and disaster recovery
  • Certificate lifecycle automation
  • Monitoring and alerting systems

11. Related Electronic Signature Laws & Regulations

  • Electronic Signature Act
  • Qualified Certificate Services
  • CRYPTREC (Cryptography Research and Evaluation Committees)
  • Accredited Certification Business
  • Time Business Trust and Security Accreditation System

Sub-keywords:

  • Legal recognition of digital signatures
  • Compliance requirements for CAs
  • International standards (eIDAS, etc.)

12. Frequently Tested Calculations & Mechanisms

  • RSA encryption calculation principles (prime factorization)
  • Digital signature verification process
  • Hash value calculation and tampering detection
  • Certificate chain verification procedure
  • Key exchange flow (Diffie-Hellman key exchange, etc.)

Sub-keywords:

  • Modular arithmetic operations
  • Signature generation vs verification steps
  • Certificate path validation algorithm

Study Tips

  1. Be able to diagram the certificate verification process
  2. Understand the differences and use cases between CRL and OCSP
  3. Be able to explain each step of the TLS handshake
  4. Clearly distinguish between keys used for encryption vs signing
  5. Review PKI-related attack methods and countermeasures from past exams

In afternoon (practical) exam questions, scenarios frequently appear where you analyze system architecture diagrams to determine PKI application points, or identify flaws in certificate verification processes. Both theoretical understanding and practical operational knowledge are required.