Topic 331: Cryptography
331.1 X.509 Certificates and Public Key Infrastructures (weight: 5)
Key Knowledge Areas:
- Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
- Understand trust chains and public key infrastructures, including certificate transparency
- Generate and manage public and private keys
- Create, operate and secure a certification authority
- Request, sign and manage server and client certificates
- Revoke certificates and certification authorities
- Basic feature knowledge of Let’s Encrypt, ACME and certbot
- Basic feature knowledge of CFSSL
Partial list of the used files, terms and utilities:
- openssl (including relevant subcommands)
- OpenSSL configuration
- PEM, DER, PKCS
- CSR
- CRL
- OCSP
331.2 X.509 Certificates for Encryption, Signing and Authentication (weight: 4)
Key Knowledge Areas:
- Understand SSL, TLS, including protocol versions and ciphers
- Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
- Configure Apache HTTPD with mod_ssl to serve certificate chains and adjust the cipher configuration (no cipher-specific knowledge)
- Configure Apache HTTPD with mod_ssl to authenticate users using certificates
- Configure Apache HTTPD with mod_ssl to provide OCSP stapling
- Use OpenSSL for SSL/TLS client and server tests
Links on these topics:
- HSTS
- SNI
331.3 Encrypted File Systems (weight: 3)
Key Knowledge Areas:
- Understand block device and file system encryption
- Use dm-crypt with LUKS1 to encrypt block devices
- Use eCryptfs to encrypt file systems, including home directories and PAM integration
- Awareness of plain dm-crypt
- Awareness of LUKS2 features
- Conceptual understanding of Clevis for LUKS devices and Clevis PINs for TPM2 and Network Bound Disk Encryption (NBDE)/Tang
The following is a partial list of the used files, terms and utilities:
- cryptsetup (including relevant subcommands)
- cryptmount
- /etc/crypttab
- ecryptfsd
- ecryptfs-* commands
- mount.ecryptfs, umount.ecryptfs
- pam_ecryptfs