
CISSP Exam - Question 42


The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys?

Correct Answer: B

The best solution to securely store the private keys for an internal certification authority is the Trusted Platform Module (TPM). The TPM is a specialized chip embedded in devices that provides a hardware-based security approach, which is critical for protecting cryptographic keys from unauthorized access and tampering. TPMs offer a secure environment for key storage and management, making it an appropriate choice over other software-based or generalized storage options. Other options like physically secured storage devices and encrypted flash drives do not offer the same level of integrated security and protection inherent in TPMs.

Discussion

37 comments
oudmaster
Dec 24, 2022

Every employee will have a digital certificate. That means every one of them will have a private key stored in their device. The private keys will be stored in the TPM of the users' devices. PKI is a framework and is irrelevant to storing the keys.

Outdoors (Option: B)
Oct 26, 2022

B is correct

CuteRabbit168
Sep 9, 2022

Could A refer to HSM? If yes, then that would be the correct answer.

Joey456
Oct 3, 2022

Cloud-based HSMs exist as well.

N00b1e (Option: A)
Sep 10, 2022

A TPM wouldn't hold all employee's keys. A *public* key infrastructure surely isn't the right place to hold everyone's *private* keys?

N00b1e
Sep 10, 2022

I've changed my mind! If every employee was storing their own key, they would store it on their own TPM.

mark9999
Oct 6, 2022

Key wording "securely store the private keys", which is Key Escrow and physically stored on an HSM (Hardware Security Module). This would be A. The TPM is used to store encryption keys for BitLocker and for UEFI Boot Attestation. PKI would leave the private keys in the cert store where they were generated; we need to secure them.

FredDurst (Option: B)
Nov 3, 2022

Private keys protected by the TPM are never exposed to the operating system or malware. All private key operations are handled within the TPM. TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Encrypted flash drive is susceptible to loss, physical damage, etc. Physically secured storage adds manual labor and adds room for human error. PKI is a concept / system and not a storage solution. Certificate Authority is a component of PKI that can trust a TPM to store the private key, assuming the TPM is made by the reputable vendors part of the Trusted Computing Group (TCG). Source: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj889441(v=ws.11)?redirectedfrom=MSDN
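As an added example (not the commenter's code, nor Microsoft's), PowerShell that creates a user certificate whose private key is generated inside the TPM through Microsoft's Platform Crypto Provider, then checks that the key can sign but cannot be exported to the operating system, which is the property the comment above and the answer explanation rely on. Assumes Windows 10/11 with a TPM 2.0 and the built-in PKI module; the subject name and signed message are constructed placeholders.

```powershell
# Added example: create an RSA key inside the TPM (Platform Crypto Provider), bind a
# certificate to it, then confirm the key signs but cannot be exported to the OS.
# Assumes Windows 10/11 with TPM 2.0 and the PKI module (New-SelfSignedCertificate).
$params = @{
    Subject           = 'CN=example-user, OU=Added Example'   # constructed placeholder
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    Provider          = 'Microsoft Platform Crypto Provider'  # TPM-backed key storage provider
    KeyExportPolicy   = 'NonExportable'
    KeyUsage          = 'DigitalSignature'
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params

function Test-TpmBackedKey {
    # Reports whether a certificate's private key lives in the TPM provider and is non-exportable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        return [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; TpmBacked = $false; Reason = 'No CNG RSA key' }
    }
    $key = $rsa.Key   # CngKey handle only; the key material itself stays in the TPM
    [pscustomobject]@{
        Thumbprint   = $Certificate.Thumbprint
        Provider     = $key.Provider.Provider
        ExportPolicy = $key.ExportPolicy
        TpmBacked    = ($key.Provider.Provider -eq 'Microsoft Platform Crypto Provider' -and
                        $key.ExportPolicy -eq [System.Security.Cryptography.CngExportPolicies]::None)
    }
}

# Signing succeeds: the private key operation runs inside the TPM.
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed message')   # constructed sample input
$sig  = $rsa.SignData($data, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
"Signature length: $($sig.Length) bytes"

# Export fails: a non-exportable TPM key never leaves the chip, even for an administrator.
try {
    $rsa.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob) | Out-Null
    'Unexpected: key was exported'
} catch [System.Security.Cryptography.CryptographicException] {
    "Export refused as expected: $($_.Exception.Message)"
}

# Audit every user certificate with a private key: the check an admin would run across employee devices.
Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | ForEach-Object { Test-TpmBackedKey $_ }
```

A certificate enrolled from a CA with a software key storage provider will show `Microsoft Software Key Storage Provider` and `TpmBacked = False` in the audit output, which is how to tell the two cases apart on a real device.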

Firedragon
Nov 4, 2022

B. Trusted Platform Module (TPM) is the best choice. A. Physically secured storage device -- it doesn't say that's HSM. D. Public key infrastructure (PKI) -- PKI doesn't store private keys.

Nickolos
Nov 19, 2022

A primary security control in a PKI is how private keys are stored and managed, particularly for certification authorities. Aug 31, 2016, https://learn.microsoft.com › it-pro

eboehm
Apr 8, 2024

I agree; at first I was torn between A, thinking maybe that was another way of describing an HSM, but I think it would need to say a physically secured cryptographic storage device. Instead, a secured storage device could just be a hard drive.

Delab202 (Option: D)
Dec 31, 2022

Public key infrastructure (PKI) The certificate is signed by a central and respected certificate authority (CA) to vouch for its authenticity. A large organization might manage a private CA for internal communications, while several third-party public CAs offer internet-based certificate services. If a certificate is compromised, the CA can revoke it and issue a new one. X.509 certificates use it by default. PKI itself encompasses multiple trust models.

jens23
Jun 22, 2023

No, the trust models are established between the certificates, not how the private keys are stored. PKI administrators are responsible to find a secure way how to store the private keys. It would be a no-brainer if HSM was one of the choices, but it isn't. The thing closest to HSM is actually TPM. TPMs are not primarily designed for storing a large number of private keys, but they offer hardware-based security features that make them well-suited for securely storing cryptographic keys, including private keys. TPMs provide a dedicated and tamper-resistant storage area within the hardware, protecting the keys from unauthorized access, tampering, or theft.

JohnyDal (Option: B)
Jan 15, 2023

TPM and HSM are the best options to store crypto keys

stickerbush1970 (Option: D)
Sep 8, 2022

D is correct

stickerbush1970 (Option: D)
Sep 11, 2022

Agree with D

jon1991 (Option: D)
Sep 12, 2022

D appears to be the best answer from these choices. Certification authority = PKI.

ourking
Oct 3, 2022

TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys.

Joey456
Oct 3, 2022

D - PKI This article brings it all together: https://www.infineon.com/dgdl/Infineon-Use_Case_ISPN_GMO-ABR-v07_00-EN.pdf?fileId=5546d46254e133b40155595f0d3e5e69

GenesisTech (Option: A)
Oct 13, 2022

Physical security is also part of layered defense. Out-of-band.

Billy235
Dec 2, 2022

The certificate authority uses a PKI to sign the public keys provided by the employees. The PKI does not have anything to do with employee private keys. The only private keys in this scenario are the ones used by the PKI to operate. Eliminate option D as the scenario is about a PKI. The remaining options are all possible but the best one is a purpose built solution for cryptography which is TPM. Answer is B.

somkiatr (Option: B)
Dec 24, 2022

TPM is correct.

A1nthem (Option: B)
Apr 27, 2023

designing and implementing an "internal" certification authority

8b48948
Mar 5, 2024

If you issue certs from AD CS to Windows devices the private user key is not stored on the TPM of the laptop. This would have to be PKI IMO.

Hardrvkllr
Apr 11, 2024

B: The key word is, "Store..."

franbarpro
Sep 8, 2022

A TPM is just a chip on a motherboard. YES, it does store private keys for a given single computer. The question says "internal certification authority to generate digital certificates for all employees" - I am thinking maybe PKI. Or if HSM was one of the answer options...

ataaf
Oct 6, 2022

The Trusted Platform Module (TPM) is both a specification for a cryptoprocessor chip on a mainboard and the general name for implementation of the specification. A TPM can be used to implement a broad range of cryptography-based security protection mechanisms. A TPM chip is often used to store and process cryptographic keys for a hardware-supported or OS-implemented local storage device encryption system. A TPM is an example of a hardware security module (HSM). An HSM is a cryptoprocessor used to manage and store digital encryption keys, accelerate crypto operations, support faster digital signatures, and improve authentication. An HSM can be a chip on a motherboard, an external peripheral, a network-attached device, or an extension card (which is inserted into a device, such as a router, firewall, or rack-mounted server blade). HSMs include tamper protection to prevent their misuse even if an attacker gains physical access.

RonWonkers (Option: B)
Nov 4, 2022

A simple wikipedia search for TPM confirms the answer is B.

Jamati (Option: D)
Nov 12, 2022

TPM and HSM are all part of PKI. As managers we have to think endgame and not get too much into the weeds.

ikidreamz
Nov 17, 2022

Seems D. TLS needs private key. Internal setup CA contact PKI global, so: https://www.digicert.com/what-is-an-ssl-certificate https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786417(v=ws.11)

4study (Option: B)
Jan 24, 2023

I vote B as well

jackdryan
Apr 23, 2023

B is correct

KelvinYau (Option: B)
Jun 6, 2023

I think it should be A vs B. The question is asking about internal certification, so I choose B.

Sledge_Hammer
Sep 13, 2023

B is the correct answer! A Trusted Platform Module (TPM) is a specialized chip on a laptop or desktop computer that is designed to secure hardware with integrated cryptographic keys. A TPM helps prove a user's identity and authenticates their device. In this case, the employees each own a TPM compliant device.

dimosatteia (Option: B)
Sep 14, 2023

TPM is correct.

Ukpes (Option: B)
Oct 30, 2023

A Trusted Platform Module (TPM) is a cryptographic processor embedded into a computer. It provides authentication and full-disk encryption.

abenall
Nov 2, 2023

The best answer is B. Trusted Platform Module (TPM) because TPMs provide hardware-based security that is more resilient to external software attacks than software-based encryption solutions. They are designed to protect and store cryptographic keys securely within the hardware, making it a suitable option for securing the private keys of a certification authority.

GPrep (Option: B)
Jan 6, 2024

B - from CISSP Official Study Guide (Sybex) - Trusted Platform Module Modern computers often include a specialized cryptographic component known as a Trusted Platform Module (TPM). The TPM is a chip that resides on the motherboard of the device. The TPM serves a number of purposes, including the storage and management of keys used for full-disk encryption (FDE) solutions. The TPM provides the operating system with access to the keys only if the user successfully authenticates. This prevents someone from removing the drive from one device and inserting it into another device to access the drive's data. Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 286). Wiley. Kindle Edition.

8b48948
Mar 5, 2024

The question states nothing to do with the devices being laptops. VMs don't have TPMs, neither do desktops, so how could it be TPM?

eboehm
Apr 8, 2024

Ummm, pretty much all modern desktops have TPMs.

eboehm
Apr 8, 2024

For key storage it's pretty much always going to be a TPM or HSM. Ima go with A as I think a physically secure storage device is just another name for HSM.

isaphiltrick (Option: B)
Aug 20, 2024

A Trusted Platform Module (TPM) is a dedicated hardware chip designed to securely store cryptographic keys, including private keys. It provides hardware-based security by protecting the keys from unauthorized access and tampering. TPMs are widely recognized as one of the most secure options for storing private keys, especially within an internal certification authority (CA) environment, where the security of private keys is critical.

robervalchocolat
Aug 31, 2024

Trusted Platform Module (TPM): A TPM is a hardware-based security module that is typically embedded on the motherboard of a computer system. It provides secure storage for cryptographic keys and other sensitive data. TPMs are designed to be tamper-resistant and can be used to protect against various attacks, including cold boot attacks and physical tampering.

BigITGuy (Option: B)
Apr 2, 2025

Not D - PKI is the overall framework for managing keys and certificates, but it does not specify or implement the storage mechanism for private keys itself.