Cryptography (Domain 5)

Which letters on this diagram are locations where you might find data at rest? A, B, and C C and E A and E B, D, and F

A and E can both be expected to have data at rest. C, the Internet, is an unknown, and the data can't be guaranteed to be at rest. B, D, and F are all data in transit across network links.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it? Classification Symmetric encryption Watermarks Metadata

A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.

Chris is designing a cryptographic system for use within his company. The company has 1,000 employees, and they plan to use an asymmetric encryption system. How many total keys will they need? 500 1,000 2,000 4,950

Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1,000 users, the system will require 2,000 keys.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What type of encryption should you use on the file servers for the proprietary data, and how might you secure the data when it is in motion? TLS at rest and AES in motion AES at rest and TLS in motion VPN at rest and TLS in motion DES at rest and AES in motion

AES is a strong modern symmetric encryption algorithm that is appropriate for encrypting data at rest. TLS is frequently used to secure data when it is in transit. A virtual private network is not necessarily an encrypted connection and would be used for data in motion, while DES is an outdated algorithm and should not be used for data that needs strong security.

What encryption algorithm would provide strong protection for data stored on a USB thumb drive? TLS SHA1 AES DES

AES is a strong symmetric cipher that is appropriate for use with data at rest. SHA1 is a cryptographic hash, while TLS is appropriate for data in motion. DES is an outdated and insecure symmetric encryption method.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Alice would also like to digitally sign the message that she sends to Bob. What key should she use to create the digital signature? Alice's public key Alice's private key Bob's public key Bob's private key

Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice's public key.

What would be the best way to secure data at points B, D, and F? AES-256 SSL TLS 3DES

B, D, and F all show network links. Of the answers provided, Transport Layer Security (TLS) provides the best security for data in motion. AES-256 and 3DES are both symmetric ciphers and are more likely to be used for data at rest. SSL has been replaced with TLS and should not be a preferred solution.

Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme? 3DES AES Diffie-Hellman Blowfish

Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie-Hellman is a protocol for key exchange.

How many possible keys exist for a cipher that uses a key containing 5 bits? 10 16 32 64

Binary keyspaces contain a number of keys equal to two raised to the power of the number of bits. Two to the fifth power is 32, so a 5-bit keyspace contains 32 possible keys.

Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths? Blowfish DES Skipjack IDEA

Blowfish allows the user to select any key length between 32 and 448 bits.

What encryption algorithm is used by both BitLocker and Microsoft's Encrypting File System? Blowfish Serpent AES 3DES

By default, BitLocker and Microsoft's Encrypting File System (EFS) both use AES (Advanced Encryption Standard), which is the NIST-approved replacement for DES (Data Encryption Standard). Serpent was a competitor of AES, and 3DES was created as a possible replacement for DES.

Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL? Andrew The root authority for the top-level domain The CA that issued the certificate The revocation authority for the top-level domain

Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.

How many bits of keying material does the Data Encryption Standard use for encrypting information? 56 bits 64 bits 128 bits 256 bits

DES uses a 64-bit encryption key, but only 56 of those bits are actually used as keying material in the encryption operation. The remaining 8 bits are used to detect tampering or corruption of the key.

What scenario describes data at rest? Data in an IPSec tunnel Data in an e-commerce transaction Data stored on a hard drive Data stored in RAM

Data at rest is inactive data that is physically stored. Data in an IPsec tunnel or part of an e-commerce transaction is data in motion. Data in RAM is ephemeral and is not inactive.

What methods are often used to protect data in transit? Telnet, ISDN, UDP BitLocker, FileVault AES, Serpent, IDEA TLS, VPN, IPSec

Data in transit is data that is traversing a network or is otherwise in motion. TLS, VPNs, and IPsec tunnels are all techniques used to protect data in transit. AES, Serpent, and IDEA are all symmetric algorithms, while Telnet, ISDN, and UDP are all protocols. BitLocker and FileVault are both used to encrypt data, but they protect only stored data, not data in transit.

Howard is choosing a cryptographic algorithm for his organization, and he would like to choose an algorithm that supports the creation of digital signatures. Which one of the following algorithms would meet his requirement? RSA DES AES Blowfish

Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.

Sally is using IPsec's ESP component in transport mode. What important information should she be aware of about transport mode? Transport mode provides full encryption of the entire IP packet. Transport mode adds a new, unencrypted header to ensure that packets reach their destination. Transport mode does not encrypt the header of the packet. Transport mode provides no encryption; only tunnel mode provides encryption.

ESP's Transport mode encrypts IP packet data but leaves the packet header unencrypted. Tunnel mode encrypts the entire packet and adds a new header to support transmission through the tunnel.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. Which one of the following keys would Bob not possess in this scenario? Alice's public key Alice's private key Bob's public key Bob's private key

Each user retains their private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user.

Joe works at a major pharmaceutical research and development company and has been tasked with writing his organization's data retention policy. As part of its legal requirements, the organization must comply with the U.S. Food and Drug Administration's Code of Federal Regulations Title 21. To do so, it is required to retain records with electronic signatures. Why would a signature be part of a retention requirement? It ensures that someone has reviewed the data. It provides confidentiality. It ensures that the data has not been changed. It validates who approved the data.

Electronic signatures, as used in this rule, prove that the signature was provided by the intended signer. Electronic signatures as part of the FDA code are intended to ensure that electronic records are "trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper." Signatures cannot provide confidentiality or integrity and don't ensure that someone has reviewed the data.

Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it? Man-in-the-middle, VPN Packet injection, encryption Sniffing, encryption Sniffing, TEMPEST

Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn't be used to stop attacks at any normal bank.

What problem with FTP and Telnet makes using SFTP and SSH better alternatives? FTP and Telnet aren't installed on many systems. FTP and Telnet do not encrypt data. FTP and Telnet have known bugs and are no longer maintained. FTP and Telnet are difficult to use, making SFTP and SSH the preferred solution.

FTP and Telnet do not provide encryption for the data they transmit and should not be used if they can be avoided. SFTP and SSH provide encryption to protect both the data they send and the credentials that are used to log in via both utilities.

Which one of the following is not an attribute of a hashing algorithm? They require a cryptographic key. They are irreversible. It is very difficult to find two messages with the same hash value. They take variable-length input.

Hash functions do not include any element of secrecy and, therefore, do not require a cryptographic key.

Which one of the following is not one of the basic requirements for a cryptographic hash function? The function must work on fixed-length input. The function must be relatively easy to compute for any input. The function must be one way. The function must be collision free

Hash functions must be able to work on any variable-length input and produce a fixed-length output from that input, regardless of the length of the input.

In Transport Layer Security, what type of key is used to encrypt the actual content of communications between a web server and a client? Ephemeral session key Client's public key Server's public key Server's private key

In TLS, both the server and the client first communicate using an ephemeral symmetric session key. They exchange this key using asymmetric cryptography, but all encrypted content is protected using symmetric cryptography.

Tom is a cryptanalyst and is working on breaking a cryptographic algorithm's secret key. He has a copy of an intercepted message that is encrypted, and he also has a copy of the decrypted version of that message. He wants to use both the encrypted message and its decrypted plaintext to retrieve the secret key for use in decrypting other messages. What type of attack is Tom engaging in? Chosen ciphertext Chosen plaintext Known plaintext Brute force

In a known plaintext attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate that ciphertext.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. If Alice wants to send Bob an encrypted message, what key does she use to encrypt the message? Alice's public key Alice's private key Bob's public key Bob's private key

In an asymmetric cryptosystem, the sender of a message always encrypts the message using the recipient's public key.

Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations. What civilian data classifications best fit this data? Unclassified, confidential, top secret Public, sensitive, private Public, sensitive, proprietary Public, confidential, private

Information shared with customers is public, internal business could be sensitive or private, and trade secrets are proprietary. Thus, public, sensitive, proprietary matches this most closely. Confidential is a military classification, which removes two of the remaining options, and trade secrets are more damaging to lose than a private classification would allow.

Chris wants to verify that a software package that he downloaded matches the original version. What hashing tool should he use if he believes that technically sophisticated attackers may have replaced the software package with a version containing a backdoor? MD5 3DES SHA1 SHA 256

Intentional collisions have been created with MD5, and a real-world collision attack against SHA 1 was announced in early 2017. 3DES is not a hashing tool, leaving SHA 256 (sometimes called SHA 2) as the only real choice that Chris has in this list.

What cryptographic principle stands behind the idea that cryptographic algorithms should be open to public inspection? Security through obscurity Kerckhoff's principle Defense in depth Heisenburg principle

Kerckhoff's principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.

Kevin is an internal auditor at a major retailer and would like to ensure that the information contained in audit logs is not changed after it is created. Which one of the following controls would best meet his goal? Cryptographic hashing Data loss prevention File encryption Certificate management

Kevin can take a cryptographic hash of the log files when they are created and then later repeat the use of the same hash function and compare the two hash values. If the hash values are identical, Kevin can be confident that the file was not altered.

Information maintained about an individual that can be used to distinguish or trace their identity is known as what type of information? Personally identifiable information (PII) Personal health information (PHI) Social Security number (SSN) Secure identity information (SII)

NIST Special Publication 800-122 defines PII as any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, biometric records, and other information that is linked or linkable to an individual such as medical, educational, financial, and employment information. PHI is health-related information about a specific person, Social Security numbers are issued to individuals in the United States, and SII is a made-up term.

Which one of the following cryptographic algorithms supports the goal of nonrepudiation? Blowfish DES AES RSA

Nonrepudiation is possible only with an asymmetric encryption algorithm. RSA is an asymmetric algorithm. AES, DES, and Blowfish are all symmetric encryption algorithms that do not provide nonrepudiation.

Alice sent a message to Bob. Bob would like to demonstrate to Charlie that the message he received definitely came from Alice. What goal of cryptography is Bob attempting to achieve? Authentication Confidentiality Nonrepudiation Integrity

Nonrepudiation occurs when the recipient of a message is able to demonstrate to a third party that the message came from the purported sender.

Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet? SSL TLS PGP VPN

PGP, or Pretty Good Privacy (or its open source alternative, GPG), provides strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.

Which one of the following is not considered PII under U.S. federal government regulations? Name Social Security number Student ID number ZIP code

Personally identifiable information includes any information that can uniquely identify an individual. This would include name, Social Security number, and any other unique identifier (including a student ID number). ZIP code, by itself, does not uniquely identify an individual.

Which one of the following cryptographic systems is most closely associated with the Web of Trust? RC4 SHA AES PGP

Phil Zimmerman's Pretty Good Privacy (PGP) software is an encryption technology based upon the Web of Trust (WoT). This approach extends the social trust relationship to encryption keys.

Carla's organization recently suffered a data breach when an employee misplaced a laptop containing sensitive customer information. Which one of the following controls would be least likely to prevent this type of breach from reoccurring in the future? Full disk encryption File encryption File integrity monitoring Data minimization

Protecting the sensitive information with either full disk encryption or file encryption would render it unreadable to anyone finding the device. Data minimization would involve the removal of sensitive information from the device. File integrity monitoring would detect any changes in information stored on the device but would not protect against data loss.

Quantum Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quantum can use to protect these tapes? Locked shipping containers Private couriers Data encryption Media rotation

Quantum may choose to use any or all of these security controls, but data encryption is, by far, the most important control. It protects the confidentiality of data stored on the tapes, which are most vulnerable to theft while in transit between two secure locations.

Attackers who compromise websites often acquire databases of hashed passwords. What technique can best protect these passwords against automated password cracking attacks that use precomputed values? Using the MD5 hashing algorithm Using the SHA-1 hashing algorithm Salting Double-hashing

Salting adds random text to the password before hashing in an attempt to defeat automated password cracking attacks that use precomputed values. MD5 and SHA-1 are both common hashing algorithms, so using them does not add any security. Double-hashing would only be a minor inconvenience for an attacker and would not be as effective as the use of salting.

What protocol is preferred over Telnet for remote server administration via the command line? SCP SFTP WDS SSH

Secure Shell (SSH) is an encrypted protocol for remote login and command-line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.

Greg is designing a defense-in-depth approach to securing his organization's information and would like to select cryptographic tools that are appropriate for different use cases and provide strong encryption. Which one of the following pairings is the best use of encryption tools? SSL for data in motion and AES for data at rest VPN for data in motion and SSL for data at rest TLS for data in motion and AES for data at rest SSL for data in motion and TLS for data at rest

Secure Sockets Layer (SSL), Transport Layer Security (TLS), and virtual private networks (VPNs) are all used to protect data in motion. AES cryptography may be used to protect data at rest. SSL is no longer considered secure, so it is not a good choice for Greg. The only answer choice that matches each tool with the appropriate type of information and does not use SSL is using TLS for data in motion and AES for data at rest.

Margot is considering the use of a self-signed certificate to reduce the costs associated with maintaining a public-facing web server. What is the primary risk associated with the use of self-signed certificates? Self-signed certificates use weak encryption. Self-signed certificates are not trusted by default. Self-signed certificates have short expiration periods. Self-signed certificates cannot be used with most browsers.

Self-signed certificates are functionally equivalent to those purchased from a trusted certificate authority. The fundamental difference is that they don't carry the trusted signature of a CA and, therefore, won't be trusted by web browsers by default. They are generally only appropriate for internal use.

Which one of the following would be a reasonable application for the use of self-signed digital certificates? E-commerce website Banking application Internal scheduling application Customer portal

Self-signed digital certificates should be used only for internal-facing applications, where the user base trusts the internally generated digital certificate.

What is the best way to secure files that are sent from workstation A via the Internet service (C) to remote server E? Use AES at rest at point A, and use TLS in transit via B and D. Encrypt the data files and send them. Use 3DES and TLS to provide double security. Use full disk encryption at A and E, and use SSL at B and D.

Sending a file that is encrypted before it leaves means that exposure of the file in transit will not result in a confidentiality breach, and the file will remain secure until decrypted at location E. Since answers A, C, and D do not provide any information about what happens at point C, they should be considered insecure, as the file may be at rest at point C in an unencrypted form.

Skip needs to transfer files from his PC to a remote server. What protocol should he use instead of FTP? SCP SSH HTTP Telnet

Skip should use SCP—Secure Copy is a secure file transfer method. SSH is a secure command-line and login protocol, whereas HTTP is used for unencrypted web traffic. Telnet is an unencrypted command-line and login protocol.

What type of encryption is typically used for data at rest? Asymmetric encryption Symmetric encryption DES OTP

Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for onetime password.

The healthcare company that Lauren works for handles HIPAA data as well as internal business data, protected health information, and day-to-day business communications. Its internal policy uses the following requirements for securing HIPAA data at rest and in transit. What encryption technology would be appropriate for HIPAA documents in transit? BitLocker DES TLS SSL

TLS is a modern encryption method used to encrypt and protect data in transit. BitLocker is a full disk encryption technology used for data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.

Fred is preparing to send backup tapes off-site to a secure third-party storage facility. What steps should Fred take before sending the tapes to that facility? Ensure that the tapes are handled the same way the original media would be handled based on their classification. Increase the classification level of the tapes because they are leaving the possession of the company. Purge the tapes to ensure that classified data is not lost. Decrypt the tapes in case they are lost in transit.

Tapes are frequently exposed because of theft or loss in transit. That means that tapes that are leaving their normal storage facility should be handled according to the organization's classification schemes and handling requirements. Purging the tapes would cause the loss of data, while increasing the classification level of the tapes. The tapes should be encrypted rather than decrypted.

Florian and Tobias would like to begin communicating using a symmetric cryptosystem, but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key? IDEA Diffie-Hellman RSA MD5

The Diffie-Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network.

Susan would like to configure IPsec in a manner that provides confidentiality for the content of packets. What component of IPsec provides this capability? AH ESP IKE ISAKMP

The Encapsulating Security Payload (ESP) protocol provides confidentiality and integrity for packet contents. It encrypts packet payloads and provides limited authentication and protection against replay attacks.

Sherry conducted an inventory of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies should she replace because it is no longer considered secure? MD5 3DES PGP WPA2

The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.

Which attack helped drive vendors to move away from SSL toward TLS-only by default? POODLE Stuxnet BEAST CRIME

The POODLE (or Padding Oracle On Downgraded Legacy Encryption) attack helped force the move from SSL 3.0 to TLS because it allowed attackers to easily access SSL encrypted messages. Stuxnet was a worm aimed at the Iranian nuclear program, while CRIME and BEAST were earlier attacks against SSL.

What standard governs the creation and validation of digital certificates for use in a public key infrastructure? X.509 TLS SSL 802.1x

The X.509 standard, developed by the International Telecommunications Union, contains the specification for digital certificates.

Todd wants to add a certificate to a certificate revocation list. What element of the certificate goes on the list? Serial number Public key Digital signature Private key

The certificate revocation list contains the serial numbers of digital certificates issued by a certificate authority that have later been revoked.

Match each of the numbered data elements shown here with one of the lettered categories. You may use the categories once, more than once, or not at all. If a data element matches more than one category, choose the one that is most specific. Data elements: Medical records Credit card numbers Social Security numbers Driver's license numbers Categories: PCI DSS PHI PII

The data elements match with the categories as follows: Data elements Medical records: B. PHI Credit card numbers: A. PCI DSS Social Security numbers: C. PII Driver's license numbers: C. PII Medical records are an example of protected health information (PHI). Credit card numbers are personally identifiable information (PII), but they are also covered by the Payment Card Industry Data Security Standard (PCI DSS), which is a more specific category governing only credit card information and is a better answer. Social Security numbers and driver's license numbers are examples of PII.

Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate? 6 12 15 30

The formula for determining the number of encryption keys required by a symmetric algorithm is ((n*(n − 1))/2). With six users, you will need ((6*5)/2), or 15 keys.

Which one of the following cryptographic goals protects against the risks posed when a device is lost or stolen? Nonrepudiation Authentication Integrity Confidentiality

The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk.

The Double DES (2DES) encryption algorithm was never used as a viable alternative to the original DES algorithm. What attack is 2DES vulnerable to that does not exist for the DES or 3DES approach? Chosen ciphertext Brute force Man-in-the-middle Meet-in-the-middle

The meet-in-the-middle attack uses a known plaintext message and uses both encryption of the plaintext and decryption of the ciphertext simultaneously in a brute-force manner to identify the encryption key in approximately double the time of a brute-force attack against the basic DES algorithm.

Alison is examining a digital certificate presented to her by her bank's website. Which one of the following requirements is not necessary for her to trust the digital certificate? She knows that the server belongs to the bank. She trusts the certificate authority. She verifies that the certificate is not listed on a CRL. She verifies the digital signature on the certificate.

The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA's digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank.

What name is given to the random value added to a password in an attempt to defeat rainbow table attacks? Hash Salt Extender Rebar

The salt is a random value added to a password before it is hashed by the operating system. The salt is then stored in a password file with the hashed password. This increases the complexity of cryptanalytic attacks by negating the usefulness of attacks that use precomputed hash values, such as rainbow tables.

Alan intercepts an encrypted message and wants to determine what type of algorithm was used to create the message. He first performs a frequency analysis and notes that the frequency of letters in the message closely matches the distribution of letters in the English language. What type of cipher was most likely used to create this message? Substitution cipher AES Transposition cipher 3DES

This message was most likely encrypted with a transposition cipher. The use of a substitution cipher, a category that includes AES and 3DES, would change the frequency distribution so that it did not mirror that of the English language.

Max is the security administrator for an organization that uses a remote access VPN. The VPN depends upon RADIUS authentication, and Max would like to assess the security of that service. Which one of the following hash functions is the strongest cryptographic hash protocol supported by RADIUS? MD5 SHA 2 SHA-512 HMAC

Unfortunately, the RADIUS protocol only supports the weak MD5 hash function. This is the major criticism of the RADIUS protocol. Most organizations require that RADIUS be protected with additional encryption to compensate for this vulnerability.

What security measure can provide an additional security control in the event that backup tapes are stolen or lost? Keep multiple copies of the tapes. Replace tape media with hard drives. Use appropriate security labels. Use AES-256 encryption.

Using strong encryption, like AES-256, can help ensure that loss of removable media like tapes doesn't result in a data breach. Security labels may help with handling processes, but they won't help once the media is stolen or lost. Having multiple copies will ensure that you can still access the data but won't increase the security of the media. Finally, using hard drives instead of tape only changes the media type and not the risk from theft or loss.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. When Bob receives the encrypted message from Alice, what key does he use to decrypt the message? Alice's public key Alice's private key Bob's public key Bob's private key

When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the only one who should be able to decrypt it, thus preserving confidentiality.

Barry recently received a message from Melody that Melody encrypted using symmetric cryptography. What key should Barry use to decrypt the message? Barry's public key Barry's private key Melody's public key Shared secret key

When using symmetric cryptography, the sender encrypts a message using a shared secret key, and the recipient then decrypts the message with that same key. Only asymmetric cryptography uses the concept of public and private key pairs.