Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
78 Cards in this Set
- Front
- Back
|
Which type of cipher changes the position of the characters in a plaintext message?
- Steam - Transposition - Block - Substitution |
- Transposition
Explanation: A transposition cipher changes the position of characters in the plaintext message. It is also referred to as an anagram. A substitution cipher replaces one set of characters with symbols or another character set. A block cipher takes a fixed-length number of bits, referred to as a block, and encrypts them all at once. A stream cipher creates a sequence of bits that are used as the key. Section 2.1 |
|
|
The Enigma machine, a cryptographic tool introduced in 1944 and used in WW2, encrypted messages by replacing characters for plaintext. What type of cipher does the Enigma machine use?
- Steam - Block - Transposition - Substitution |
- Substitution
Explanation: The Enigma machine uses a substitution cipher. A substitution cipher replaces one set of characters with symbols or another character set. A transposition cipher changes the position of characters in the plaintext message. It is also referred to as an anagram. A block cipher takes a fixed-length number of bits, referred to as a block, and encrypts them all at once. A stream cipher creates a sequence of bits that are used as the key. Section 2.1 |
|
|
By definition, which security concept ensures that only authorized parties can access data?
- Non-repudiation - Integrity - Authentication - Confidentiality |
- Confidentiality
Explanation: Confidentiality ensures that only authorized parties can access data. When a cryptographic system is used to protect the confidentiality of data, unauthorized users are preventing from viewing the resource. Non-repudiation is the ability to prove that a sender sent a message. Integrity is the protection against alteration. Authentication is the assignment of access privileges to users. Section 2.1 |
|
|
In a cryptographic system, what properties should the initialization vector have? (Select two.)
- Short - Unpredictable - Large - Uniform - Predictable |
- Unpredictable
- Large Explanation: For security, the initialization vector should be large and it should be unpredictable. When the initialization vector is large and unpredictable, an encryption algorithm can generate secure keys or encrypt data that is difficult to decrypt. If the initialization vector is short, predictable, or uniform, the generated keys may not be secure and encrypted data may be easily decrypted by attackers. Section 2.1 |
|
|
Which of the following are true of Triple DES (3DES)? (Select two.)
- Uses the Rijndael block cipher - Uses a 168-bit key - Uses 64-bit blocks with 128-bit keys - Is used in IPSec - Can easily be broken |
- Uses a 168-bit key
- Is used in IPSec Explanation: Triple DES: - Applies DES three times. - Uses a 168-bit key. - Used in IPSec as its strongest and slowest encipherment. Advanced Encryption Standard (AES) uses the Rijndael block cipher. DES can easily be broken. International Data Encryption Algorithm (IDEA) uses 64-bit blocks with 128-bit keys. Section 2.2 |
|
|
Which of the following is the most frequently used symmetric key stream cipher?
- Ron's Cipher v2 (RC2) - Blowfish - Advanced Encryption Standard (AES) - Ron's Cipher v4 (RC4) |
- Ron's Cipher v4 (RC4)
Explanation: RC4 is the most frequently used symmetric key stream cipher. RC4 is commonly used with WEP and SSL. AES, RC2, and Blowfish are all symmetric block ciphers. Section 2.2 |
|
|
Which of the following is not true concerning symmetric key cryptography?
- Key management is easy when implemented on a large scale. - Before communications begin, both parties must exchange the shared secret key. - Both parties share the same key (which is kept secret). - Each pair of communicating entities requires a unique shared key. - The key is not shared with other communication partners. |
- Key management is easy when implemented on a large scale.
Explanation: Key management is difficult when symmetric cryptography is implemented on a large scale. Because two users must share the same unique key to encrypt and decrypt data, even a small group of users would require the generation of a large amount of keys. The formula to determine the number of keys is n(n-1)/2. With symmetric key cryptography: - Both parties share the same key (which is kept secret). - Before communications begin, both parties must exchange the shared secret key. - The key is not shared with other communication partners. - Each pair of communicating entities requires a unique shared key. Section 2.2 |
|
|
Which of the following forms of cryptography is best implemented in hardware?
- Asymmetric - Symmetric block - Symmetric stream - Public key |
- Symmetric stream
Explanation: Symmetric stream cryptography is best implemented in hardware because the data size makes it infeasible to have enough RAM or CPU cycles to process the data. Symmetric block cryptography is primarily implemented in software. Asymmetric cryptography, also known as public key cryptography, is mainly used for key distribution, digital signatures, and data encryption for small amounts of data. Section 2.2 |
|
|
Which of the following are true concerning the Advanced Encryption Standard (AES) symmetric block cipher? (select two)
- AES uses the Rijndael block cipher. - AES uses a variable-length block and key length (128-, 192-, or 256-bit keys). - AES uses up to 16 rounds of substitution and transposition. - AES uses 8-128 bit keys in steps of 8 bits. |
- AES uses the Rijndael block cipher.
- AES uses a variable-length block and key length (128-, 192-, or 256-bit keys). Explanation: AES is an iterative symmetric key block cipher that uses the following: - The Rijndael Block Cipher, which is resistant to all known attacks. - A variable-length block and key length (128-, 192-, or 256-bit keys). Ron's cipher v2 or Ron's Code v2 (RC2) uses 8-128 bit keys in steps of 8 bits. Twofish uses up to 16 rounds of substitution and transposition. Section 2.2 |
|
|
Which of the following symmetric block ciphers does not use a variable block length?
- Ron's cipher v5 (RC5) - Advanced Encryption Standard (AES) - International Data Encryption Algorithm (IDEA) - Elliptic Curve (EC) |
- International Data Encryption Algorithm (IDEA)
Explanation: International Data Encryption Algorithm (IDEA) does not use variable block lengths. In addition to IDEA, the following symmetric block ciphers also do not use variable block lengths: - Data Encryption Standard (DES) - Ron's Cipher v2 or Ron's Code v2 (RC2) - Blowfish - Twofish - SkipJack AES uses variable block lengths. RC5 uses 32-, 64- or 128-bit block lengths. Elliptic Curve (EC) is an asymmetric cipher. Section 2.2 |
|
|
Which of the following statements is true when comparing symmetric and asymmetric cryptography?
- Asymmetric key cryptography is quicker than symmetric key cryptography while processing large amounts of data. - Asymmetric key cryptography is used to distribute symmetric keys. - Symmetric key cryptography should be used for large, expanding environments. -Symmetric key cryptography uses a public and private key pair. |
- Asymmetric key cryptography is used to distribute symmetric keys.
Explanation: Asymmetric key cryptography can be used to distribute symmetric keys. This is known as a hybrid cryptography system. A hybrid cryptography system combines the strengths of both the symmetric and asymmetric cryptography systems (i.e. symmetric systems can process large amounts of data relatively fast, and asymmetric systems can securely distribute keys). Symmetric cryptography uses a single key pair, with each partner using the same key. Asymmetric cryptography uses a public and a private key pair. Symmetric key cryptography processing is about 1000 times faster than asymmetric cryptography. In large, expanding environments, managing keys with symmetric key cryptography is difficult. Section 2.3 |
|
|
Which of the following best describes high amplification when applied to hashing algorithms?
- Dissimilar messages frequently result in the same hash value. - Hashes produced by two different parties using the same algorithm result in the same hash value. - A small change in the message results in a big change in the hash value. -Reversing the hashing function does not recover the original message. |
- A small change in the message results in a big change in the hash value.
Explanation: High amplification, also known as the avalanche effect, means a small change in the message results in a big change in the hashed value. Hashes are one-way functions, meaning that once you hash a message, you cannot reverse the hashing algorithm to extract the data. Data integrity is proven when the same hashing algorithm performed on a message results in the same hash value. A collision results when two different messages produce the same hash value (a low number of collisions is desirable). Section 2.4 |
|
|
SHA-1 uses which of the following bit length hashing algorithms?
- Only 160-bit - Only 128-bit - 224-bit, 256-bit, 384-bit, and 512-bit - 128-bit, 160-bit, 192-bit, 224-bit, and 256-bit |
- Only 160-bit
Explanation: SHA-1 is only a 160-bit hashing algorithm. It is capable of producing 2160 different combinations. MD-2 and MD-4 both are 128-bit hashing algorithms. HAVAL is a 128-bit, 160-bit, 192-bit, 224-bit, and 256- bit hashing algorithm. SHA-2, a newer version of SHA-1, is a 224-bit, 256-bit, 384-bit, 512-bit hashing algorithm. Section 2.4 |
|
|
When two different messages produce the same hash value, what has occurred?
- High amplification - Birthday attack - Hash value - Collision |
- Collision
Explanation: A collision occurs when two different messages produce the same hash value. A birthday attack is a brute force attack in which the attacker hashes messages until one with the same hash is found. A hash value is the result of a compressed and transformed message (or some type of data) into a fixed-length value. High amplification means a small change in the message results in a big change in the hashed value. Section 2.4 |
|
|
What is the primary use of Secure Electronic Transaction (SET)?
- Encrypt e-commerce traffic - Secure electronic checking account transactions - Validate the integrity of database changes - Protect credit card information transmissions |
- Protect credit card information transmissions
Explanation: Secure Electronic Transaction (SET) was developed by VISA and MasterCard to secure transactions. Credit card data and a digital certificate are stored in a plug-in to the user's Web browser. An order received by a SET-enabled merchant server passes the encrypted payment information to the bank. Approval is electronically sent to the merchant. SET uses DES and RSA in addition to digital signatures. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are commonly used to protect e-commerce data transmissions between clients and servers. The concept of a transaction or transactional processing ensures the integrity of database changes. Section 2.6 |
|
|
In which type of attack does the attacker have access to both the plain text and the resulting cipher text, but does not have the ability to encrypt the plain text?
- Known plaintext - Chosen plaintext - Brute force - Chosen cipher |
- Known plaintext
Explanation: A known plaintext attack is where an attacker has seen the plaintext and the resulting cipher text. The attacker can make conclusions about the encrypting key and will have validation if the encrypting key is discovered. A chosen plaintext attack is where the attacker chooses the plaintext to be encrypted. The main difference between known plaintext and chosen plaintext is the ability of the attacker to select random plaintext and run it through the encrypting mechanism. A brute force attack is where the attacker tries every known combination. A chosen cipher text is where the attacker produces cipher text and then sends it through a decryption process to see the resulting plaintext. Section 2.7 |
|
|
Your company produces an encryption device that lets you enter text and receive encrypted text in response. An attacker obtains one of these devices and starts inputting random plaintext to see the resulting ciphertext. What type of attack is this?
- Known plaintext - Chosen cipher - Brute force - Chosen plaintext |
- Chosen plaintext
Explanation: A chosen plaintext attack is where the attacker chooses the plaintext to be encrypted. This can occur when a worker steps away from the computer and the attacker sends a message and captures the resulting cipher text. The attacker can select plaintext that will produce clues to the encryption key used. A brute force attack is where the attacker tries every known combination. A chosen cipher text is where the attacker produces cipher text and then sends it through a decryption process to see the resulting plaintext. A known plaintext attack is where an attacker has seen the plaintext and the resulting cipher text. Section 2.7 |
|
|
When an attacker decrypts an encoded message using a different key than was used during encryption, what type of attack has occurred?
- Key clustering - Analytic - Replay - Statistical |
- Key clustering
Explanation: A key clustering attack is where the attacker decrypts an encoded message using a different key than was used during encryption. A statistical attack exploits weaknesses in a cryptosystem such as inability to produce random numbers or floating point errors. An analytic attack uses an algebraic manipulation to reduce the complexity of the algorithm. A replay attack attempts to re-transmit encryption session keys in hopes of accessing the resource in a de-encrypted mode. Section 2.7 |
|
|
Which of the following best describes a side-channel attack?
- The attack is based on information gained from the physical implementation of a cryptosystem. - The attack targets the key containing a small data set. - The attack exploits weaknesses in a cryptosystem such as inability to produce random numbers or floating point errors. - The attack targets a weakness in the software, protocol, or encryption algorithm. |
- The attack is based on information gained from the physical implementation of a cryptosystem.
Explanation: A side-channel attack is where an attack is based on information gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the algorithms, such as the length of time required during encryption or decryption. A mathematical attack is an attack on a key containing a small data set. An implementation attack exploits implementation weaknesses, such as in software, the protocol, or the encryption algorithm. A statistical attack exploits weaknesses in a cryptosystem such as inability to produce random numbers or floating point errors. Section 2.7 |
|
|
The strength of a cryptosystem is dependent upon which of the following?
-Complexity of the cipher text - Integrity of the individuals who created the cryptosystem - Secrecy of the algorithm - Secrecy of the key |
- Secrecy of the key
Explanation: According to Kerckhoff's principle, the strength of a cryptosystem should not be in the secrecy of the algorithm, but in the secrecy of the key. This means that the algorithm is usually published and can be scrutinized for weaknesses. Section 2.1 |
|
|
Which of the following is not an accepted countermeasure to strengthen a cryptosystem?
- Keep the cryptosystem a secret - Implement long key spaces - Use strong passwords - Implement strong systems with redundant encipherment |
- Keep the cryptosystem a secret
Explanation: Current practice in cryptography does not rely on the secrecy of the cryptosystem. Publishing the algorithm exposes the system to scrutiny. This scrutiny often validates the security of the system, or identifies weaknesses that show the system as unreliable. The following countermeasures can strengthen a cryptosystem: - Use strong passwords that contain multiple character types, are a minimum length of eight characters or more, and use no part of a username or e-mail address. - Implement strong cryptosystems with redundant encipherment, such as 3DES. -Implement long key spaces. Generally speaking, the longer the key space, the stronger the cryptosystem. Section 2.7 |
|
|
By definition, which security concept uses the ability to prove that a sender sent an encrypted message?
- Non-repudiation - Integrity - Authentication - Privacy |
- Non-repudiation
Explanation: The ability to prove that a sender sent a message is known as non-repudiation. By various mechanisms in different cryptographic solutions, it can be proven that only the sender is able to initiate a communication, thus they cannot repute that they originated a message. Integrity is the protection against alteration. Authentication is the assignment of access privileges to users. Privacy is the protection of confidentiality of personal information. Section 2.1 |
|
|
What is the cryptography mechanism which hides secret communications within various forms of data?
- Codes - Signals - Steganography - Polyinstantiation |
- Steganography
Explanation: Steganography is the cryptography mechanism which hides secret communications within various forms of data. Codes and signals are pre-arranged meanings behind words, phrases, images, etc. Codes and signals are not usually considered a form of steganography, since the communication is not imbedded in the code or signal, but is a pre-established meaning for something. Polyinstantiation is a security feature of databases which allows duplicate objects to exist at different levels of security. Section 2.1 |
|
|
Which of the following is not a valid example of steganography?
- Digital watermarking - Hiding text messages within graphical images - Encrypting a data file with an encryption key - Microdots |
- Encrypting a data file with an encryption key
Explanation: Encrypting a data file with an encryption key is encryption not steganography. Digital watermarking, microdots, and hiding text messages within graphical images are all examples of steganography. Section 2.1 |
|
|
Which of the following encryption mechanisms offers the least security because of weak keys?
- DES - AES - TwoFish - IDEA |
- DES
Explanation: DES offers the least encryption security from the cryptography systems in this list. DES has a limitation of 56-bit keys, the weakest of those listed here. The strength of a cryptosystem lies not only in long keys but in the algorithm, initialization vector or method, the proper use of the keyspace, and the protection and management of keys. AES (128, 192, 256 bit keys), TwoFish (up to 256 bit keys), and IDEA (128 bit keys) all support stronger keys than that of DES. Section 2.2 |
|
|
Which version of the Rivest Cipher is a block cipher that supports variable bit length keys and variable bit block sizes?
- RC2 - RC5 - RSA - RC4 |
- RC5
Explanation: RC5 is a block cipher that supports variable bit length keys and variable bit block sizes. RC4 is a stream cipher. RC2 is limited to 64 bit blocks. RSA is not a Rivest Cipher, rather it is an asymmetric cryptography system developed by the same organization. Section 2.2 |
|
|
Which of the following algorithms are used in symmetric encryption? (Select three.)
- Blowfish - AES - 3DES - El Gamal - Diffie-Hellman |
- Blowfish
- AES - 3DES Explanation: 3DES, AES, and Blowfish are symmetric encryption algorithms. 3DES is an update to the original DES algorithm and uses multiple keys and algorithm passes to improve security. AES is considered to be the replacement for the aging 3DES algorithm and was chosen by the National Institute of Standards and Technology (NIST) as the new government standard for encryption algorithms. The Blowfish algorithm is considered to be a very secure algorithm and uses a variable key length. Section 2.2 |
|
|
Which of the following was the runner up in the selection of the algorithm of AES?
- Twofish - Rijndael - Serpent - MARS |
- Twofish
Explanation: Twofish was the runner up in the selection of the algorithm of AES. Rijndael was the selected algorithm for AES. Serpent and MARS were two other algorithms in consideration for AES, but neither was the runner up. Section 2.2 |
|
|
When operating on a legacy computer system and needing to protect data for only a few minutes, which of the following encryption algorithms is most cost-effective?
- AES - RC5 - DES - IDEA |
- DES
Explanation: DES is the most cost-effective because it has a maximum effective key size of 56 bits and was designed in 1973. Thus, it is most likely to provide the best performance on legacy systems. Even a 56 bit key will provide a few minutes of protection. AES, IDEA, and RC5 are all significantly more secure than DES, they require more system resources to function, which makes them less appropriate for legacy systems. Section 2.2 |
|
|
Which of the following symmetric cryptography systems can have a key size of 0 bits?
- DES - IDEA - AES - RC5 |
- RC5
Explanation: RC5 can have a key size of 0 to 2048 bits. DES can use keys of only 56 bits. IDEA can use keys of only 128 bits. AES can only use keys of 128, 192, or 256 bits. Section 2.2 |
|
|
Which of the following symmetric cryptography systems does not support a variable block size?
- Rijndael - RC5 - AES - IDEA |
- IDEA
Explanation: IDEA is a symmetric cryptography system which does not support a variable block size. IDEA only supports a 64 bit block size. RC5, AES, and AES's algorithm Rijndael, all support variable block sizes. RC5's supported block sizes are 32, 64, and 128. AES (Rijndael) supports any block size. Section 2.2 |
|
|
What type of key or keys are used in symmetric cryptography?
- A shared private key - Two unique sets of key pairs - A unique key for each participant - A single key pair |
- A shared private key
Explanation: Symmetric cryptography uses a shared private key. Both communication partners must be in possession of the same key in order to exchanged encrypted data. Asymmetric cryptography uses a unique key pair for each participant. This key pair consists of a public key and a private key. Section 2.2 |
|
|
What form of cryptography is best suited for bulk encryption because it is so fast?
- Hashing cryptography - Asymmetric cryptography - Private key cryptography - Public key cryptography |
- Private key cryptography
Explanation: Private key cryptography, also known as symmetric cryptography, is best suited for bulk encryption because it is much faster than asymmetric cryptography. Hashing is not used for encryption, it is only used to verify the integrity of data. Public key cryptography, also known as asymmetric cryptography, is best suited for small amounts of data. Often, asymmetric cryptography is used to exchange symmetric cryptography keys, then the symmetric cryptography keys are used to encrypt communication traffic. Section 2.2 |
|
|
How many keys are used with symmetric or private key cryptography?
- One - Two - Four - Five |
- One
Explanation: Private Key or Symmetric Cryptography uses a single shared key. Both communicating parties must possess the shared key to encrypt and decrypt messages. The biggest challenge to Symmetric Cryptography is the constant need to protect the shared private key. This protection must be applied at all times, including the initial transmission of the shared key between the parties. Section 2.2 |
|
|
What form of cryptography is not scalable as a stand-alone system for use in very large and ever expanding environments where data is frequently exchanged between different communication partners?
- Symmetric cryptography - Hashing cryptography - Public key cryptography - Asymmetric cryptography |
- Symmetric cryptography
Explanation: Symmetric cryptography is not scalable as a stand-alone system for use in very large and ever-expanding environments where data is frequently exchanged between different communication partners. Hashing is scalable since everyone uses the same hashing algorithm, but it is not used for secure data exchange, rather it is used to verify integrity. Asymmetric cryptography and public key cryptography are scalable for use in very large and ever-expanding environments where data is frequently exchanged between different communication partners. Section 2.2 |
|
|
When protection of the content of a message is required, which of the following cryptography solutions should be employed?
- Symmetric encryption - Digital envelope - Hashing - Digital signature |
- Symmetric encryption
Explanation: When encryption is needed, symmetric encryption is the best solution to use. Digital signatures should be used when non-repudiation and integrity need to be verified. Hashing should be used when integrity is to be verified. Digital envelopes should be used when delivery needs to be guaranteed. Section 2.2 |
|
|
Which form of asymmetric cryptography is based upon Diffie-Hellman?
- Merkle-Hellman Knapsack - ECC - RSA - El Gamal |
- El Gamal
Explanation: El Gamal is based upon Diffie-Hellman. Section 2.3 |
|
|
Which of the following algorithms are used in asymmetric encryption? (Select two.)
- RSA - Twofish - Diffie-Hellman - AES |
- RSA
- Diffie-Hellman Explanation: RSA and Diffie-Hellman are asymmetric algorithms. RSA, one of the earliest encryption algorithms, can also be used for digital signatures. The Diffie-Hellman protocol was created in 1976, but is still in use today in such technologies such as SSL, SSH, and IPSec. Section 2.3 |
|
|
Which cryptography system generates encryption keys that could be used with DES, AES, IDEA, RC5 or any other symmetric cryptography solution?
- Elliptical Curve - RSA - Merkle-Hellman Knapsack - Diffie-Hellman |
- Diffie-Hellman
Explanation: Diffie-Hellman is the only key generation system in this list of options. Diffie-Hellman produces a number which can be used as a key in any symmetric cryptography solution assuming the number is within the algorithm's keyspace. Merkle-Hellman Knapsack is not a key generation system, instead it is an insecure concept that pre-dates public key encryption. Elliptical curve is not a key generation system, instead it is a method of applying other systems to gain greater strength from smaller keys. RSA is not a key generation system, instead it is an asymmetric cryptography system which can be used for encryption, key exchange, and digital signatures. Section 2.3 |
|
|
What form of cryptography is scalable for use in very large and ever-expanding environments where data is frequently exchanged between different communication partners?
- Private key cryptography - Asymmetric cryptography - Hashing cryptography - Symmetric cryptography |
- Asymmetric cryptography
Explanation: Asymmetric cryptography is scalable for use in very large and ever-expanding environments where data is frequently exchanged between different communication partners. Hashing is not used to exchange data securely, rather it is used to verify that integrity has been maintained. Symmetric cryptography, also known as private key cryptography, is not scalable because every set of communication partners needs a shared private key. With only 100 communication partners 4950 shared private keys are needed [n*(n-1)/2]. Section 2.3 |
|
|
How many keys are used with Public Key Cryptography?
- One - Two - Three - Four |
- Two
Explanation: Public Key Cryptography uses two keys: one is referred to as the public key, and the other the private key. This key pair overcomes the difficulties associated with the secure distribution of private keys. The communicating parties do not need to share secret information: only the public keys are shared. Public keys are associated with users through authentication, usually through a mutually trusted directory such as a certificate authority. The sender transmits a confidential message using only the recipient's public key. The message can only be decrypted with the associated private key possessed solely by the recipient. Public Key Cryptography provides not only encryption, but is the basis for authentication technologies such as digital signatures. Section 2.3 |
|
|
Above all else, what must be protected to maintain the security and benefit of an asymmetric cryptographic solution, especially if it is widely used for digital certificates?
- Private keys - Public keys - Cryptographic algorithm - Hash values |
- Private keys
Explanation: The strength of an asymmetric cryptographic system lies in the secrecy and security of its private keys. A digital certificate and a digital signature are little more than unique applications of a private key. If the private keys are compromised for a single user, for a secured network, or for a digital certificate authority, the entire realm of trust is destroyed. Section 2.3 |
|
|
Your computer system is a participant in an asymmetric cryptography system. You've crafted a message to be sent to another user. Before transmission, you hash the message, then encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user.
In this example, what protection does the hashing activity provide? - Non-repudiation - Availability - Integrity - Confidentiality |
- Integrity
Explanation: Hashing of any sort at any time, including within a digital signature, provides data integrity. Signing the message with the private key provides for non-repudiation. A digital signature activity as a whole does not provide protection for confidentiality, because the original message is sent in clear form. No form of cryptography provides protection for availability. Section 2.4 |
|
|
When a sender encrypts a message using their own private key, what security service is being provided to the recipient?
- Integrity - Confidentiality - Availability - Non-repudiation |
- Non-repudiation
Explanation: When a sender encrypts a message using their own private key, the security service of non-repudiation is being provided to the recipient. The encrypted message can be freely decrypted using the public key. Because only the sender knows the private key, encrypting the message with the private key proves that only the sender could have sent the message. Integrity is provided when hashing is used. Because the public key is freely available, the encryption does not provide confidentiality (anyone with the public key could read the message contents). Availability is not provided by any form of cryptography. Section 2.4 |
|
|
Hashing algorithms are used to perform what activity?
- Provide a means to exchange small amounts of data securely over a public network - Encrypt bulk data for communications exchange - Provide for non-repudiation - Create a message digest |
- Create a message digest
Explanation: Hashing algorithms are used to create a message digest to ensure that data integrity is maintained. A sender creates a message digest by performing the hash function on the data files to be transmitted. The receiver performs the same action on the data received and compares the two message digests. If they are they same then the data was not altered. Symmetric algorithms are used to encrypt bulk data for communications exchange. Asymmetric algorithms provide a means to exchange small amounts of data securely over a public network. Both symmetric and asymmetric algorithms provide for non-repudiation. Section 2.4 |
|
|
Which of the following does not or cannot produce a hash value of 128 bits?
- MD5 - SHA-1 - MD2 - Haval |
- SHA-1
Explanation: SHA-1 produces hash values of 160 bits. MD5 and MD2 both produce hash values of 128 bits. Haval can produce 128 bit hash values, but it can produce a hash value of any length. Section 2.4 |
|
|
A receiver wants to verify the integrity of a message received from a sender. A hashing value is contained within the digital signature of the sender. What must the receiver use to access the hashing value to verify the integrity of the transmission?
- Sender's public key - Receiver's private key - Receiver's public key - Sender's private key |
- Sender's public key
Explanation: Digital signatures are created using the sender's private key. Thus, only the sender's public key can be used to verify and open any data encrypted with the sender's private key. The recipient's private and public keys are not involved in this type of cryptography situation. Often the hashing value of a message is protected by the sender's private key (i.e. their digital signature). The recipient must extract the original hashing value. Section 2.4 |
|
|
What is the most obvious means of providing non-repudiation in a cryptography system?
- Digital signatures - Public keys - Shared secret keys - Hashing values |
- Digital signatures
Explanation: Digital signatures, which are private keys from an asymmetric cryptographic system, are the most obvious means of providing non-repudiation. Only a single person is in possession of their private key. If a message is found with their digital signature, then they are the only user who could possibly have created and transmitted it. Public keys are useful for restricting delivery, such as using them as digital envelopes, but they don't provide for non-repudiation. Hashing values protect integrity, they don't provide non-repudiation. Shared secret keys do not provide true non-repudiation because two entities hold copies of the shared key. Section 2.4 |
|
|
Which of the following cryptographic methods serves as a means to provide access control?
- Shared private key - Digital envelope - Digital signature - Hashing value |
- Digital envelope
Explanation: A digital envelope serves as a means to provide access control. A digital envelope is signing a message with a recipient's public key. Only the recipient's private key can decrypt the message, thus ensuring that only the intended and authorized entity can gain access to the resource. Digital signatures are used for non-repudiation, not access control. Hashing values are used to protect integrity. Shared private keys do not provide access control because two entities share the same key. Section 2.4 |
|
|
Your computer system is a participant in an asymmetric cryptography system. You've crafted a message to be sent to another user. Before transmission, you hash the message, then encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user.
What protection does the private key signing activity of this process provide? - Confidentiality - Availability - Integrity - Non-repudiation |
- Non-repudiation
Explanation: Signing a digital signature with the private key provides non-repudiation. A digital signature activity as a whole does not provide protection for confidentiality, because the original message is sent in clear form. Hashing of any sort at any time, including within a digital signature, provides protection for integrity. No form of cryptography provides protection for availability. Section 2.4 |
|
|
What is the purpose of key escrow?
- To provide a means for legal authorities to access your confidential data - To provide a means to recover from a lost private key - To grant the certificate authority full control over the communication environment - Collection of additional fees over the life of using a public digital certificate |
- To provide a means to recover from a lost private key
Explanation: The purpose of key escrow is to provide a means to recover from a lost private key. If you lose your private key, then all of the data that is encrypted or protected by your private key is permanently inaccessible. Through key escrow, a recovery agent can extract a copy of your private key which can be used to unlock all of your secured files. Upon obtaining a new private key you can re-protect the data. Section 2.5 |
|
|
In what form of key management solution is key recovery possible?
- Hierarchical - Public - Decentralized - Centralized |
- Centralized
Explanation: Only a centralized key management solution provides a key escrow service that allows for key recovery to occur. A decentralized key management solution does not provide for key escrow and thus key recovery is not possible. A hierarchical trust model may employ a centralized or decentralized key management solution. A public certificate system may be a centralized or decentralized key management solution. Section 2.5 |
|
|
Which of the following is not a valid statement in regards to key management?
- The lifetime of a key should correspond to the sensitivity of the data it is protecting - Keys should not be destroyed at the end of their lifetime, instead they should be escrowed - Keys should be truly random and use the full spectrum of the keyspace without repeating - Keys length should be long enough to provide the necessary level of protection |
- Keys should not be destroyed at the end of their lifetime, instead they should be escrowed
Explanation: Keys should be properly destroyed at the end of their lifetime. A key's length should be long enough to provide the necessary level of protection. Keys should be truly random and use the full spectrum of the keyspace without repeating. The lifetime of a key should correspond to the sensitivity of the data it is protecting. Section 2.5 |
|
|
Which aspect of certificates makes them a reliable and useful mechanism for proving the identity of a person, system, or service on the Internet?
- Ease of use - Electronic signatures - It is a digital mechanism rather than a physical one - Trusted third-party |
- Trusted third-party
Explanation: The use of a trusted third-party (called a Certificate Authority or CA) is what makes certificates a reliable and useful mechanism for proving the identity of a person, system, or service on the Internet. The CA issues proof of identity to each organization in the form of a certificate. The fact that all entities trust the CA makes the certificates trusted and valuable. A certificate only proves identity, it does not prove reliability. Electronic signatures are a form of certificate that verifies identity. While electronic signatures prove identity, they do so only because both parties trust the authority of the CA, not only because the signature exists. Certificates are easy to use. However, ease of use does not make them reliable. Certificates are a digital mechanism, which makes them suited for use on the Internet. However, that alone does not make them reliable or useful. Section 2.5 |
|
|
What is the primary purpose of a certificate?
- Prevention of malicious code - Declaration of intent - Identity proofing - Code verification |
- Identity proofing
Explanation: A certificate's primary purpose is to prove identity. Certificates provide no other service other than proving the identity of the certificate holder. Certificates make no judgment, statement, or guarantee as to the content, reliability, or purpose of anything they are connected to. They only provide proof of origin or identity. Section 2.5 |
|
|
In the certificate authority trust model known as a hierarchy, where does trust start?
- Registration authority - Third party CA - Root CA - Issuing CA |
- Root CA
Explanation: Trust starts at the root CA in all trust models. An issuing CA can be a root CA or a CA at any level below the root. A third party CA may be the source of trust, but even then the trust starts at a root CA located somewhere. A registration authority is a limited functionality CA where certificates are verified, but no new certificates can be issued. Section 2.5 |
|
|
Which standard is most widely used for certificates?
- X.509 version 3 - SSL v.3.0 - 802.1x - HTTP 1.1 |
- X.509 version 3
Explanation: The standard for certificates that is most widely used is X.509 version 3. This standard defines the key elements that must exist within a certificate. This standard is used by PKI (Public Key Infrastructure), SSL, IPSec, DES, and many other infrastructure components and technologies. HTTP 1.1 is the latest version of the protocol used to transmit Web resources from a Web server to a Web client. SSL v.3.0 uses certificates, but this is the standard for the secure session protocol for protecting Web communications. 802.1x is a networking protocol that defines how to support EAP (Extensible Authentication Protocol) over a wired or wireless LAN. Section 2.5 |
|
|
Certificates can be invalidated by the trusted third-party that originally issued the certificate. What is the name of the mechanism that is used to distribute information about invalid certificates?
- ACL (Access Control List) - One-way function - TACACS (Terminal Access Controller Access Control System) - CRL (Certificate Revocation List) |
- CRL (Certificate Revocation List)
Explanation: The CRL (Certificate Revocation List) is the mechanism that is used to distribute information about invalid certificates. Each time an application receives a certificate, that application checks the CRL from the CA (Certificate Authority) that issued the certificate. If the certificate is not on the CRL and its timestamp is still valid, then the user is prompted whether or not to accept the certificate. ACLs are used to protect files and other resources. TACACS is a remote access centralized authentication system. One-way functions are common cryptographic mechanisms. None of these technologies are directly used to distribute invalid certificate information. Section 2.5 |
|
|
To obtain a digital certificate and participate in a Public Key Infrastructure (PKI), what must be submitted and where should it be submitted?
- Identifying data and a secret key request to the subordinate distribution authority (DA) - Identifying data and a certification request to the registration authority (RA) - Identifying data with the MAC and IP addresses to the root certificate authority (CA) - Identifying data with the 3DES block cipher to the hosting certificate authority (CA) |
- Identifying data and a certification request to the registration authority (RA)
Explanation: The registration authority (RA) processes all requests for digital certificates. Registration and authentication requirements vary based on the class of certificate requested. Once the RA has successfully authenticated the requesting party, the request is forwarded to the certificate authority (CA) for certificate generation. Section 2.5 |
|
|
Which of the following items are contained in a digital certificate? (Select two.)
- Validity period - Root CA secret key - Private Key - Public Key |
- Validity period
- Public Key Explanation: Digital certificates create a link between identities and public keys. A certificate contains the information needed for verifying the identity of the public key owner. Certificates include fields detailing the issuing CA and the standards version used to generate the certificate, a certificate serial number, all approved uses for the certificate, the certificate owner, the public key and algorithm, the validity period, and the algorithms used to digitally sign the certificate. Additional functionality and data may be added through the use of certificate extensions. Section 2.5 |
|
|
Which of the following would require that a certificate be placed on the CRL?
- The private key is compromised - The encryption key algorithm is revealed - The certificate validity period is exceeded - The signature key size is revealed |
- The private key is compromised
Explanation: Certificates are published to the Certificate Revocation List (CRL) when a condition happens that compromises the integrity of the certificate. If the private key is compromised (discovered), the certificate is no longer proof of identity. Certificates do not need to be placed on the CRL if their validity period expires. In this case, the certificate simply expires. Knowing the signature key size or the encryption key algorithm does not compromise the integrity of the certificate. Section 2.5 |
|
|
When is the best time to apply for a certificate renewal?
After a certificate has been revoked - Close to the end of the certificate's valid lifetime - Immediately after a certificate is issued - Just after a certificate expires |
- Close to the end of the certificate's valid lifetime
Explanation: Certificate renewal is a process by which a currently valid certificate is re-issued with an extended lifetime value. It is performed by submitting a renewal request and signing the request with the still valid certificate. Attempting to renew a certificate close to its issuance date will not result in a renewal in most cases. There is no need to renew a certificate until you near the end of its valid lifetime. It is not possible to renew a certificate after it has expired or been revoked. These conditions require you to request a new certificate. Section 2.5 |
|
|
Which of the following conditions does not result in a certificate being added to the certificate revocation list?
- Committing a crime using the certificate - Invalid identity credentials - Private key compromise - Certificate expiration |
- Certificate expiration
Explanation: When a certificate's valid time value expires, the certificate immediately becomes invalid because it has expired. Expired certificates are not added to the CRL because the time stamp itself serves as notification that the certificate is no longer valid. Section 2.5 |
|
|
What action is taken when the private key associated with a digital certificate becomes compromised?
- The CA retracts all previously issued copies of the certificate - The certificate is revoked and added to the Certificate Revocation List - All certificates are revoked from parties known to possess the matching public key - The RA requests a reissued digital signature based on the existing private key |
- The certificate is revoked and added to the Certificate Revocation List
Explanation: When a private key becomes compromised, the certificate authority revokes the certificate and adds it to the certificate revocation list (CRL). This list notifies anyone attempting to verify the digital signature that the certificate is not trustworthy. The CRL is designed to prevent impersonation by anyone obtaining unauthorized access to a private key. Section 2.5 |
|
|
Which of the following is not true in regards to Secure Multi-Purpose Internet Mail Extensions (S/MIME)?
- Uses X.509 version 3 certificates - Included in most Web browsers - Uses IDEA encryption - Authenticates through digital signatures |
- Uses IDEA encryption
Explanation: Secure Multi-Purpose Internet Mail Extensions (S/MIME) uses RSA (not IDEA) encryption. Based on RFC 1521, S/MIME employs encryption to provide for confidentiality. S/MIME can be used to protect both the body of e-mail messages as well as any file attachments. Secure Multi-Purpose Internet Mail Extensions (S/MIME) authenticates through digital signatures, uses X.509 version 3 certificates, and is included in most Web browsers. Section 2.6 |
|
|
Which of the following is a minimal requirement in order to employ Secure Multi-Purpose Internet Mail Extensions (S/MIME)?
- PGP mail client - IPSec policy - Digital certificate - RADIUS |
- Digital certificate
Explanation: A digital certificate is a minimal requirement to employ Secure Multi-Purpose Internet Mail Extensions (S/MIME). S/MIME authenticates using digital signatures which are a form of digital certificates. Section 2.6 |
|
|
Secure Multi-Purpose Internet Mail Extensions (S/MIME) is used primarily to protect what?
- Newsgroup postings - Instant messages - E-mail attachments - Web surfing |
- E-mail attachments
Explanation: Secure Multi-Purpose Internet Mail Extensions (S/MIME) is used primarily to protect e-mail and the file attachments on e-mail messages. Based on RFC 1521, S/MIME uses RSA encryption. S/MIME employs encryption to provide for confidentiality. Section 2.6 |
|
|
The PGP or Pretty Good Privacy encryption utility relies upon what algorithms? (Select two.)
- IDEA - 3DES - Blowfish - AES |
- IDEA
- 3DES Explanation: The PGP or Pretty Good Privacy encryption utility relies upon the IDEA or 3DES algorithm. PGP is an encryption solution available for free use to individuals. Corporate users can purchase a license to employ PGP in business communications. PGP is a very popular e-mail protection tool on the Internet. Section 2.6 |
|
|
Which public key encryption system does PGP (Pretty Good Privacy) use for key exchange and digital signatures?
- RSA - Elliptic Curve - El Gamal - Merkle-Hellman Knapsack |
- RSA
Explanation: PGP uses the RSA public key encryption system for key exchange and digital signatures. PGP is an encryption solution available for free use to individuals. Corporate users can purchase a license to employ PGP in business communications. PGP is a very popular e-mail protection tool on the Internet. Section 2.6 |
|
|
Which of the following technologies is based upon SSL (Secure Sockets Layer)?
- L2TP (Layer 2 Tunneling Protocol) - TLS (Transport Layer Security) - S/MIME (Secure Multipurpose Internet Mail Extensions) - IPSec (Internet Protocol Security) |
- TLS (Transport Layer Security)
Explanation: TLS is based on SSL, but they are not interoperable. TLS (Transport Layer Security) operates over TCP port 443 or port 80. TLS was developed by Netscape to secure Internet based client/server interactions. TLS authenticates the server to the client using public key cryptography and digital certificates. TLS encrypts the entire communication session between a server and a client. TLS can be used to protect Web (HTTP) traffic as well as telnet, FTP, and e-mail. Section 2.6 |
|
|
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) can be used to provide security for what type of traffic?
- FTP - Web - Telnet |
- Web
Explanation: HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) can be used to provide security for only Web traffic. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) works over TCP port 443. HTTPS uses a 40-bit key for the RC4 stream encryption algorithm. HTTPS uses a slightly different Uniform Resource Locator (URL) than that used by HTTP: https://. HTTPS should not be confused with SHTTP (Secure Hypertext Transfer Protocol) which is a proposed standard for security enhanced HTTP. Section 2.6 |
|
|
Bob Jones used the RC5 cryptosystem to encrypt a sensitive and confidential file on his notebook. He used 32 bit blocks, a 64 bit key, and he only used the selected key once. He moved the key onto a USB hard drive which was stored in a safety deposit box. Bob's notebook was stolen. Within a few days Bob discovered the contents of his encrypted file on the Internet.
What is the primary reason why Bob's file was opened so quickly? - Too small of a block size - The decryption key was used to decrypt the files - Weak key - A birthday attack was used |
- Weak key
Explanation: The primary reason for the quick failure of Bob's intended encryption protection was the use of a weak key. 64-bit RC5 keys can be broken in a very short amount of time, usually less than three days on a fast computer or a small network of distributed cracking agents. Bob should have used a larger key, at least 128 bits. The birthday attack is used against hashing algorithms, not symmetric cryptography systems. The block size may have had some effect on the weakness of the protection, but not as much as the weak key. The decryption key was not used because it was moved to a removable device that was secured at a bank. Section 2.7 |
|
|
Which of the following is a form of mathematical attack against the complexity of a cryptosystem's algorithm?
- Replay attack - Birthday attack - Brute force attack - Analytic attack |
- Analytic attack
Explanation: An analytic attack is a form of mathematical attack against the complexity of a cryptosystem's algorithm. The goal of an analytic attack is to break the algorithm. A birthday attack is focused on hashing algorithms, but not on the algorithm itself. Instead, a birthday attack exploits a statistical anomaly of collusion when two different messages using the same algorithm will produce the same message digest. A brute force attack tries all possible combinations of keys to decipher an encrypted message. A replay attack attempts to re-transmit encryption session keys in hopes of accessing the resource in a de-encrypted mode. Section 2.7 |
|
|
Which of the following is an example of a statistical attack against a cryptosystem?
- Attempting every possible key pattern - Intercepting messages between two communication partners and modifying the content - Exploiting a computer's inability to produce true random numbers - Exploiting faulty implementation of an algorithm in software |
- Exploiting a computer's inability to produce true random numbers
Explanation: An example of a statistical attack against a cryptosystem is exploiting a computer's inability to produce true random numbers. Another example is to exploit the floating point errors in a processor. A computer system's inability to produce true random numbers makes the possibility of the re-use of keys probable if not likely. Attempting every possible key pattern is a form of brute force attack. Exploiting faulty implementation of an algorithm in software is an implementation attack. Intercepting messages between two communication partners and modifying the content is a form of man in the middle attack. Section 2.7 |
|
|
A birthday attack focuses on what?
- Encrypted files - E-commerce - VPN links - Hashing algorithms |
- Hashing algorithms
Explanation: A birthday attack focuses on hashing algorithms. Birthday attacks exploit the probability that two messages using the same hash algorithm will produce the same message digest. This is also known as exploiting collision. If two different messages or files produce the same hashing digest, then a collision has occurred. Section 2.7 |
|
|
If two different messages or files produce the same hashing digest, then a collision has occurred. What form of cryptographic attack exploits this condition?
- Meet in the middle attack - Adaptive chosen ciphertext attack - Statistical attack - Birthday attack |
- Birthday attack
Explanation: Birthday attacks exploit collisions. Birthday attacks exploit the probability that two messages using the same hash algorithm will produce the same message digest. An adaptive chosen ciphertext attack is used to discover the encryption key. Meet in the middle attack is used to determine the algorithm used. Statistical attack is used to exploit computer based cryptosystems, such as the inability to produce true random numbers. Section 2.7 |
|
|
What form of cryptanalysis focuses on the weaknesses in the supporting computing platform as a means to exploit and defeat encryption?
- Implementation attack - Statistical attack - Ciphertext only attack - Analytic attack |
- Statistical attack
Explanation: A statistical attack attacks weaknesses in the computing platform, such as the inability to produce random numbers or CPU floating point errors. An analytic attack focuses on weaknesses in the algorithm itself. A ciphertext only attack is a solution attack where material supplied by the attacker is "decrypted" by the victim, thus revealing the key. Implementation attack focuses on poor programming and seeks out a software bug that can be exploited. Section 2.7 |
|
|
If a birthday attack is successful, meaning the attacker discovers a password that generates the same hash as that captured from a user's logon credentials, which of the following is true?
- A collision was discovered - The discovered password will allow the attacker to log on as the user, even if it is not the same as the user's password - The discovered password is always the same as the user's password - The user is forced to change their password at their next logon attempt |
- The discovered password will allow the attacker to log on as the user, even if it is not the same as the user's password
Explanation: The only true statement in this list is that the discovered password will allow the attacker to log on as the user, even if it is not the same as the user's password. This is because the birthday attack (i.e. password cracking) will discover a collision. A collision is when two messages produce the same hash. Collision does not guarantee that the two messages are the same. Thus, another password could be discovered that has the same hash as the original user's password. Since the authentication system checks only for matching hashes, the attacker could log on with a different password as long as it produces the correct hash. The discovered password might not be the same as the user's password since collision only ensures that two messages produce the same hash, not that the two messages are the same. The attack component of the birthday attack is collision not collusion. Collusion is when two or more people agree to work together to commit a security violation. The act of an attacker discovering a user's password does not automatically force the user to change their password upon the next logon attempt. Instead, this is a good security practice to implement if a password compromise is discovered or suspected by the information security team. Section 2.7 |
