Chapter 7 – Cryptography and PKI


Cryptographic systems provide which of the following security services? (Select two.)
- Encryption
- Confidentiality
- Cryptanalysis
- Non-repudiation
- Decryption

- Confidentiality
- Non-repudiation
Cryptography is the science of converting data into a secret code to hide a message's meaning during transmission. Cryptographic systems provide the following security services:
- Confidentiality by ensuring that only authorized parties can access data.
- Integrity by verifying that data has not been altered in transit.
- Authentication by proving the identity of the sender or receiver.
- Non-repudiation by validating that communications have come from a particular sender at a particular time.

Which of the following functions are performed by a TPM?
- Perform bulk encryption
- Encrypt network data using IPsec
- Create a hash of system components
- Provide authentication credentials

Create a hash of system components

Hashing algorithms are used to perform which of the following activities?
- Provide a means for exchanging small amounts of data securely over a public network.
- Create a message digest.
- Provide for non-repudiation.
- Encrypt bulk data for communications exchange.

Create a message digest. Hashing algorithms are used to create a message digest to ensure that data integrity is maintained. A sender creates a message digest by performing the hash function on the data files that are transmitted. The receiver performs the same action on the data received and compares the two message digests. If they are the same, the data was not altered.

Which of the following encryption mechanisms offers the least security because of weak keys?
- IDEA
- DES
- AES
- TwoFish

DES DES offers the least encryption security of all the cryptography systems in this list. DES has a limitation of 56-bit keys, the weakest of those listed here. The strength of a cryptosystem lies not only in long keys but in the algorithm, initialization vector or method, the proper use of the keyspace, and the protection and management of keys.

Which of the following should you set up to ensure encrypted files can still be decrypted if the original user account becomes corrupted?
- DRA
- GPG
- PGP
- VPN

DRA

Which type of password attack employs a list of pre-defined passwords that it tries against a login prompt?
- Downgrade attack
- Dictionary attack
- Birthday attack
- Collision attack

Dictionary attack A dictionary attack is a type of brute-force attack. A hacker uses a list of words and phrases to try to guess the decryption key.

Which of the following is a direct integrity protection?
- Symmetric encryption
- Digital signature
- Asymmetric encryption
- Digital envelope

Digital signature

What is the most obvious means of providing non-repudiation in a cryptography system?
- Shared secret keys
- Public keys
- Hashing values
- Digital signatures

Digital signatures

Which of the following security solutions would prevent a user from reading a file that she did not create?
- IPsec
- EFS
- VPN

EFS
EFS is a Windows file encryption option that encrypts individual files so that only the user who created the file can open it. Decryption is automatic when the file owner opens it. Other users cannot open the encrypted file unless specifically authorized.

You have downloaded a file from the internet. You generate a hash and check it against the original file's hash to ensure the file has not been changed. Which information security goal is this an example of?
- Non-repudiation
- Integrity
- Authenticity
- Confidentiality

Integrity Creating a hash of a file can be used to validate that the file has not been altered. This validates the integrity of the file.

You are concerned that if a private key is lost, all documents encrypted with your private key will be inaccessible. Which service should you use to solve this problem?
- Key escrow
- CSP
- OCSP
- RA

Key escrow Key escrow backs up private keys to a third-party organization outside of the company. If the private key is lost, you can recover the key from escrow.

Which of the following are true of Triple DES (3DES)?
- Can easily be broken
- Uses the Rijndael block cipher
- Key length is 168 bits
- Uses 64-bit blocks with 128-bit keys

Key length is 168 bits
Triple DES:
- Applies DES three times
- Uses a 168-bit key

Which of the following is the weakest hashing algorithm?
- SHA-1
- AES
- MD5
- DES

MD5 MD5 is the weakest hashing algorithm. It produces a message digest of 128 bits. The larger the message digest, the more secure the hash. SHA-1 is more secure because it produces a 160-bit message digest.

When a sender encrypts a message using their own private key, which security service is being provided to the recipient?
- Availability
- Confidentiality
- Non-repudiation
- Integrity

Non-repudiation

Your computer system is a participant in an asymmetric cryptography system. You've crafted a message to be sent to another user. Before transmission, you hash the message and then encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. Which protection does the private key-signing activity of this process provide?
- Integrity
- Availability
- Confidentiality
- Non-repudiation

Non-repudiation

Which technology was developed to help improve the efficiency and reliability of checking the validity status of certificates in large, complex environments?
- Key escrow
- Private key recovery
- Online Certificate Status Protocol
- Certificate Revocation List

Online Certificate Status Protocol Online Certificate Status Protocol (OCSP) is the technology developed to improve the efficiency and reliability of checking the validity status of certificates in large, complex environments. OCSP allows clients to query a CA or registration authority (RA) and quickly learn whether a certificate is valid or has been revoked.

Above all else, what must be protected to maintain the security and benefit of an asymmetric cryptographic solution, especially if it is widely used for digital certificates?
- Cryptographic algorithm
- Public keys
- Private keys
- Hash values

Private keys The strength of an asymmetric cryptographic system lies in the secrecy and security of its private keys. A digital certificate and a digital signature are little more than unique applications of a private key. If the private keys are compromised for a single user, for a secured network, or for a digital certificate authority, the entire realm of trust is destroyed.

Which of the following can be classified as a stream cipher?
- Twofish
- RC4
- Blowfish
- AES

RC4 The most frequently used implementation of symmetric key stream ciphers is Rivest's cipher v4, known as RC4. RC4 uses a variable key up to 256 bits and is commonly used with WEP and SSL. It uses the Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA).

Which of the following algorithms are used in asymmetric encryption? (Select two.)
- AES
- RSA
- Diffie-Hellman
- Blowfish
- Twofish

- RSA
- Diffie-Hellman
RSA and Diffie-Hellman are asymmetric algorithms. RSA, one of the earliest encryption algorithms, can also be used for digital signatures. The Diffie-Hellman Protocol was created in 1976 but is still in use today in technologies such as SSL, SSH, and IPsec.

An attacker is attempting to crack a system's password by matching the password hash to a hash in a large table of hashes he or she has. Which type of attack is the attacker using?
- Cracking
- RIPEMD
- Rainbow
- Brute force

Rainbow A rainbow attack uses rainbow tables. A rainbow table is a table of passwords and their generated hashes. A hacker can use this table to try to match hashes instead of the actual password.

In the certificate authority trust model known as a hierarchy, where does trust start?
- Issuing CA
- Third-party CA
- Registration authority
- Root CA

Root CA

Which of the following does not or cannot produce a hash value of 128 bits?
- RIPEMD
- SHA-1
- MD5
- MD2

SHA-1 SHA-1 produces hash values of 160 bits.

What is the process of adding random characters at the beginning or end of a password to generate a completely different hash called?
- Collision
- Deterministic
- Salting
- Avalanche

Salting

Mary wants to send a message to Sam in such a way that only Sam can read it. Which key should be used to encrypt the message?
- Mary's private key
- Sam's private key
- Sam's public key
- Mary's public key

Sam's public key Sam's public key should be used to encrypt the message. Only the corresponding private key, which only Sam has, can be used to decrypt the message.

A receiver wants to verify the integrity of a message received from a sender. A hashing value is contained within the digital signature of the sender. Which of the following must the receiver use to access the hashing value and verify the integrity of the transmission?
- Sender's public key
- Receiver's public key
- Sender's private key
- Receiver's private key

Sender's public key Digital signatures are created using the sender's private key. Therefore, only the sender's public key can be used to verify and open any data encrypted with the sender's private key. The recipient's private and public keys are not involved in this type of cryptography situation. Often, the hashing value of a message is protected by the sender's private key (their digital signature). The recipient must extract the original hashing value.

Which term means a cryptography mechanism that hides secret communications within various forms of data?
- Cryptanalysis
- Steganography
- Ciphertext
- Algorithm

Steganography

Which form of cryptography is best suited for bulk encryption because it is so fast?
- Public key cryptography
- Asymmetric cryptography
- Symmetric key cryptography
- Hashing cryptography

Symmetric key cryptography

An SSL client has determined that the certificate authority (CA) issuing a server's certificate is on its list of trusted CAs. What is the next step in verifying the server's identity?
- The domain on the server certificate must match the CA's domain name.
- The CA's public key must validate the CA's digital signature on the server certificate.
- The post-master secret must initiate subsequent communication.
- The master secret is generated from common key code.

The CA's public key must validate the CA's digital signature on the server certificate.

You have transferred an encrypted file across a network using the Server Message Block (SMB) Protocol. What happens to the file's encryption?
- The file is unencrypted when moved.
- The encryption carries over to the new location.
- The encryption inherits from the new location.
- An encrypted file cannot be moved using SMB.

The file is unencrypted when moved. A file is automatically unencrypted when you copy it over a network using the SMB Protocol. The encryption does not carry over to the new location, nor does the file inherit from the new location.

Which of the following would require that a certificate be placed on the CRL?
- The certificate validity period is exceeded.
- The encryption key algorithm is revealed.
- The private key is compromised.
- The signature key size is revealed.

The private key is compromised. Certificates are published to the Certificate Revocation List (CRL) when a condition compromises the integrity of the certificate. If the private key is compromised (discovered), the certificate is no longer proof of identity.

Which of the following database encryption methods encrypts the entire database and all backups?
- Bitlocker
- Column-level
- Transparent Data Encryption (TDE)
- Application-level

Transparent Data Encryption (TDE)
Transparent Data Encryption (TDE) encrypts the entire database and all backups. TDE:
- encrypts data at rest, which is data not being currently used.
- is called transparent because when an authorized user needs to access the data, it is automatically decrypted so the user does not see the process or need to do anything extra.

When a cryptographic system is used to protect data confidentiality, what actually takes place?
- Data is protected from corruption or change.
- Encrypted data transmission is prohibited.
- Data is available for access whenever authorized users need it.
- Unauthorized users are prevented from viewing or accessing the resource.

Unauthorized users are prevented from viewing or accessing the resource.

Which standard is most widely used for certificates?
- SSL v.3.0
- X.509
- HTTP 1.1
- 802.1x

X.509 The standard for certificates that is most widely used is X.509. This standard defines the key elements that must exist within a certificate. This standard is used by public key infrastructure (PKI), SSL, IPsec, DES, and many other infrastructure components and technologies.

You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file?
- Your copy is the same as the copy posted on the website.
- No one has read the file contents as it was downloaded.
- You can prove the source of the file.
- You are the only one able to open the downloaded file.

Your copy is the same as the copy posted on the website.

You want a security solution that protects the entire hard drive and prevents access even if the drive is moved to another system. Which solution should you choose?
- EFS
- IPsec
- BitLocker
- VPN

BitLocker
BitLocker is a Microsoft security solution that encrypts the entire contents of a hard drive, protecting all files on the disk. BitLocker uses a special key that is required to unlock the hard disk. You cannot unlock/decrypt a drive simply by moving it to another computer.

When two different messages produce the same hash value, what has occurred?
- Birthday attack
- Collision
- Hash value
- High amplification

Collision

You create a new document and save it to a hard drive on a file server on your company's network. Then you employ an encryption tool to encrypt the file using AES. This activity is an example of accomplishing which security goal?
- Confidentiality
- Availability
- Non-repudiation
- Integrity

Confidentiality

Which of the following is used to verify that a downloaded file has not been altered?
- Hash
- Symmetric encryption
- Private key
- Asymmetric encryption

Hash A hash is a function that takes a variable-length string (message) and compresses and transforms it into a fixed-length value. Hashes ensure the data integrity of files and messages in transit. For example, when users post files for download, they often create a hash value for the file. After you download the file, you can create a hash using the same algorithm. If the hash values match, you know that the file you have matches the original file.

A birthday attack focuses on which of the following?
- E-commerce
- Encrypted files
- Hashing algorithms
- VPN links

Hashing algorithms Birthday attacks exploit the probability that two messages using the same hash algorithm produce the same message digest. This is also known as exploiting collision. If two different messages or files produce the same hashing digest, a collision has occurred.

To obtain a digital certificate and participate in a public key infrastructure (PKI), what must be submitted and where?
- Identifying data and a certification request to the registration authority (RA)
- Identifying data with the MAC and IP addresses to the root certificate authority (CA)
- Identifying data with the 3DES block cipher to the hosting certificate authority (CA)
- Identifying data and a secret key request to the subordinate distribution authority (DA)

Identifying data and a certification request to the registration authority (RA) The registration authority (RA) processes all requests for digital certificates. Registration and authentication requirements vary based on the class of certificate requested. Once the RA has successfully authenticated the requesting party, the request is forwarded to the certificate authority (CA) for certificate generation.

You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files. What should you do?
- Implement BitLocker with a TPM.
- Implement BitLocker without a TPM.
- Have each user encrypt the entire volume with EFS.
- Have each user encrypt user files with EFS.

Implement BitLocker with a TPM.

You've used BitLocker to implement full volume encryption on a notebook system. The notebook motherboard does not have a TPM chip, so you've used an external USB flash drive to store the BitLocker startup key. You use EFS to encrypt the C:\Secrets folder and its contents. Which of the following is true in this scenario? (Select two.)
- If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will remain in an encrypted state.
- By default, only the user who encrypted the C:\Secrets\confidential.docx file will be able to open it.
- Any user who is able to boot the computer from the encrypted hard disk will be able to open the C:\Secrets\confidential.docx file.
- Only the user who encrypted the C:\Secrets\confidential.docx file is able to boot the computer from the encrypted hard disk.
- If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will be saved in an unencrypted state.
- The EFS encryption process will fail.

- By default, only the user who encrypted the C:\Secrets\confidential.docx file will be able to open it.
- If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will be saved in an unencrypted state.

Which of the following items are contained in a digital certificate? (Select two.)
- Validity period
- Root CA secret key
- Public key
- Private key

- Validity period
- Public key
Digital certificates create a link between identities and public keys. A certificate contains the information necessary to identify the public key owner. Certificates include fields detailing the Issuing CA and the standards version used to generate the certificate, as well as a certificate serial number, all approved uses for the certificate, the certificate owner, the public key and algorithm, the validity period, and the algorithms used to digitally sign the certificate. Additional functionality and data may be added through the use of certificate extensions.

Which of the following algorithms are used in symmetric encryption? (Select two.)
- 3DES
- Diffie-Hellman
- Blowfish
- RSA
- ECC

- 3DES
- Blowfish

A private key has been stolen. Which action should you take to deal with this crisis?
- Delete the public key
- Recover the private key from escrow
- Add the digital certificate to the CRL
- Place the private key in escrow

Add the digital certificate to the CRL
If a private key (and with it the digital certificate or digital signature that depends on it) is compromised, especially by theft, the certificate should be added to the CRL. This prevents any future use of the key/certificate and prevents impersonation attacks.

A PKI is an implementation for managing which type of encryption?
- Symmetric
- Asymmetric
- Steganography
- Hashing

Asymmetric A public key infrastructure (PKI) is a hierarchy of computers that issue and manage certificates. Certificates use asymmetric encryption with a public and private key pair.

You would like to implement BitLocker to encrypt data on a hard disk, even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device. What should you do?
- Disable USB devices in the BIOS.
- Enable the TPM in the BIOS.
- Use a PIN instead of a startup key.
- Save the startup key to the boot partition.

Enable the TPM in the BIOS. When a system boots, the startup key is required to unlock the encrypted volume. The system startup key can be saved in the Trusted Platform Module (TPM). With the startup key saved in the TPM, the system can start without additional intervention.

Which utility would you MOST likely use on OS X to encrypt and decrypt data and messages?
- GPG
- IPsec
- PGP
- VPN

GPG
GNU Privacy Guard (GPG) is a command line utility that's used to encrypt and decrypt data and messages. GPG is an open source utility and can be used on many different systems, including Windows, Linux, Android, and Apple's OS X.

What is the main function of a TPM hardware chip?
- Perform bulk encryption in a hardware processor
- Provide authentication credentials on a hardware device
- Generate and store cryptographic keys
- Control access to removable media

Generate and store cryptographic keys

Which of the following is a message authentication code that allows a user to verify that a file or message is legitimate?
- SHA
- RIPEMD
- MD5
- HMAC

HMAC Hash-Based Message Authentication Code (HMAC) is a type of message authentication code. Like a digital signature, HMAC allows a user to verify that a file or message is legitimate.
