LPIC-3 Exam 303: Security

Topic 331: Cryptography

331.1 X.509 Certificates and Public Key Infrastructures (weight: 5)

Key Knowledge Areas:

  • Understand X.509 certificates, X.509 certificate lifecycle, X.509 certificate fields and X.509v3 certificate extensions
  • Understand trust chains and public key infrastructures, including certificate transparency
  • Generate and manage public and private keys
  • Create, operate and secure a certification authority
  • Request, sign and manage server and client certificates
  • Revoke certificates and certification authorities
  • Basic feature knowledge of Let’s Encrypt, ACME and certbot
  • Basic feature knowledge of CFSSL

Partial list of the used files, terms and utilities:

  • openssl (including relevant subcommands)
  • OpenSSL configuration
  • CSR
  • CRL
  • OCSP

331.2 X.509 Certificates for Encryption, Signing and Authentication (weight: 4)

Key Knowledge Areas:

  • Understand SSL, TLS, including protocol versions and ciphers
  • Configure Apache HTTPD with mod_ssl to provide HTTPS service, including SNI and HSTS
  • Configure Apache HTTPD with mod_ssl to serve certificate chains and adjust the cipher configuration (no cipher-specific knowledge)
  • Configure Apache HTTPD with mod_ssl to authenticate users using certificates
  • Configure Apache HTTPD with mod_ssl to provide OCSP stapling
  • Use OpenSSL for SSL/TLS client and server tests

Links sobre os assuntos:

331.3 Encrypted File Systems (weight: 3)

Key Knowledge Areas:

  • Understand block device and file system encryption
  • Use dm-crypt with LUKS1 to encrypt block devices
  • Use eCryptfs to encrypt file systems, including home directories and PAM integration
  • Awareness of plain dm-crypt
  • Awareness of LUKS2 features
  • Conceptual understanding of Clevis for LUKS devices and Clevis PINs for TMP2 and Network Bound Disk Encryption (NBDE)/Tang

The following is a partial list of the used files, terms and utilities:

  • cryptsetup (including relevant subcommands)
  • cryptmount
  • /etc/crypttab
  • ecryptfsd
  • ecryptfs-* commands
  • mount.ecryptfs, umount.ecryptfs
  • pam_ecryptfs