ST0-401:6 TS Quiz Cryptography
" Your organization has decided to implement an encryption algorithm to protect data. One IT staff member suggests that the organization use IDEA. Which strength encryption key is used in this encryption algorithm? 56-bit 64-bit 128-bit 256-bit "
" Answer: 128-bit Explanation: International Data Encryption Algorithm (IDEA) uses a 128-bit encryption key to encrypt 64-bit blocks of data. Data Encryption Standard (DES) uses a 56-bit key to encrypt 64-bit blocks of data. Some private key encryption standards support 256-bit encryption keys. "
" You have been asked to choose a hashing algorithm for your organization. You decide to implement SHA. Which size checksum is produced by this algorithm? 56-bit 128-bit 160-bit 256-bit "
" Answer: 160-bit Explanation: Secure Hashing Algorithm (SHA) produces 160-bit checksums. The new standard is SHA-1, which produces the same size checksum. SHA-256 is a newer version of SHA and uses 256-bit checksums. SHA-256 should be used with a disk image to protect the image's integrity so that image can be retained for forensic purposes. MD5 produces 128-bit checksums. Data Encryption Standard (DES) uses 56-bit encryption keys. Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys. "
" Your company's wireless network uses WEP in high encryption mode. You are concerned that you may need to change to a different wireless protocol. Which level of encryption does this protocol provide? 64-bit 128-bit 256-bit 512-bit "
" Answer: 128-bit Explanation: Wired Equivalent Privacy (WEP) provides 128-bit encryption in high encryption mode. WiFi wireless devices use WEP for communications security by preventing outside users from using access points on your wireless network. WiFi is sometimes referred to as 802.11b. WEP provides 64-bit encryption in low encryption mode for devices transmitting data on a WiFi network. Interoperability problems among WiFi devices from different vendors sometimes render WEP ineffective. "
" Your company needs to protect message integrity. Management decides that you need to implement an algorithm that uses 160-bit checksums. Which algorithm should you implement? AES DES MD5 SHA "
" Explanation: The Secure Hashing Algorithm (SHA) produces 160-bit checksums. The purpose of SHA is to protect message integrity. The newest version is SHA-1. The Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys. The MD5 algorithm produces 128-bit checksums, and Data Encryption Standard (DES) uses 56-bit encryption keys. "
" Management has asked you to implement MD5 to verify data integrity. However, you are concerned that MD5 is not strong enough. Which size checksum does this algorithm produce? 56-bit 128-bit 160-bit 256-bit "
" Answer: 128-bit Explanation: The MD5 algorithm produces 128-bit checksums to verify integrity of data from a remote user. When you are given the MD5 hash for a file, you can verify that the file has not been tampered with. MD5 derives the hashing function for the challenge response of the Challenge Handshake Authentication Protocol (CHAP). MD5 is a symmetric encryption scheme. If the MD5 hash values of a file do not match, the file has been compromised. You should discard the compromised file. When two completely different files produce the same hash values, this is referred to as a collision. When using Secure Sockets Layer (SSL) to download a file for which you have the MD5 hash, you cannot verify the MD5 hash until after the file is downloaded Data Encryption Standard (DES) uses 56-bit encryption keys. Secure Hashing Algorithm (SHA) produces 160-bit checksums. Advanced Encryption Standard (AES) uses 128-bit, 192-bit, and 256-bit encryption keys. All algorithms are ciphers. Some ciphers are stronger than others. You must consider strong versus weak ciphers and how they will affect your organization. Depending on your organizational needs, you may need to select a weaker cipher for performance reasons. As a security professional, you should ensure that fully research any ciphers you consider and understand the advantages and disadvantages of each cipher. "
" You have been hired as a security consultant for a small business. While researching the small business's wireless network, you discover that it uses WEP in low encryption mode. Which level of encryption does this provide? 64-bit 128-bit 256-bit 512-bit "
" Answer: 64-bit Explanation: In low encryption mode, Wireless Equivalent Privacy (WEP) provides 64-bit encryption. WEP provides security for data transmissions for devices communicating on wireless 802.11b networks, which are sometimes referred to as WiFi networks. In high encryption mode, WEP provides 128-bit encryption for devices transmitting data on a WiFi network. WEP is sometimes ineffective due to interoperability problems among WiFi devices from different vendors. Most organizations use WPA and WPA2 instead of WEP because of security concerns. "
" You are the security administrator for an organization. Management decides that all communications on the network should be encrypted using the data encryption standard (DES) or Triple DES (3DES) algorithm. Which statement is true of these algorithms? The effective key size of DES is 64 bits. A Triple DES (3DES) algorithm uses 48 rounds of computation. A DES algorithm uses 32 rounds of computation. A 56-bit DES encryption is 256 times more secure than a 40-bit DES encryption. "
" Answer: A Triple DES (3DES) algorithm uses 48 rounds of computation. Explanation: A Triple DES (3DES) algorithm uses 48 rounds of computation. It offers high resistance to differential cryptanalysis because it uses so many rounds. The encryption and decryption process performed by 3DES takes longer due to the higher processing power required. The actual key size of the Data Encryption Standard (DES) is 64 bits. A key size of 8 bits is used for a parity check. Therefore, the effective key size of DES is 56 bits. The DES algorithm uses 16 rounds of computation. The order and the type of computations performed depend upon the value supplied to the algorithm through the cipher blocks. According to the following calculation, a 56-bit DES encryption is 65,536 times more secure than a 40-bit DES encryption: 240 = 1099511627776 and 256 = 72057594037927936 Therefore, 72057594037927936 divided by 1099511627776 = 65,536. DES has many security issues. If a bank has a fleet of aging payment terminals used by merchants for transactional processing , and the terminals currently support single DES but require an upgrade to be compliant with security standards, the simplest solution to improve the in-transit protection of transactional data is to upgrade to 3DES. "
" Recently, your organization implemented a new security policy which states that watermarks must be used for all copyrighted material. Which statement is true of a watermark? A watermark cannot be removed. A watermark cannot be embedded in an audio file. A watermark is never visible to the naked human eye. A watermark can enable you to detect copyright violations. "
" Answer: A watermark can enable you to detect copyright violations. Explanation: You can detect copyright violations by using watermark detection software. This software searches the World Wide Web to ensure that an image with a watermark is not displayed if copyright laws are violated. A watermark is a commercial application of steganography and is used to identify images and their authenticity. A watermark can appear as a pattern embedded on a sheet of paper during the manufacturing process. A watermark is used to verify the authenticity of an object, either on paper or on digital media by ensuring that no illegal copies of the images are displayed in violation of copyright laws. Steganography is also used to hide data in another media, such as a graphic image. A watermark can be removed. Cryptographic research has identified techniques to remove watermarks. A watermark can be embedded in an audio file as implanted code. The translucent design of a printed watermark is visible to a naked eye if exposed to a light source. "
" You are researching the RSA encryption algorithm. You need to provide some basic facts about this algorithm to your organization's management team so they can decide if they want to implement it on the organization's network. Which statement is NOT true of this algorithm? RSA can prevent man-in-the-middle attacks. An RSA algorithm is an example of symmetric cryptography. RSA encryption algorithms do not deal with discrete logarithms. RSA provides both encryption and authentication. RSA uses public and private key signatures for integrity verification. "
" Answer: An RSA algorithm is an example of symmetric cryptography. Explanation: RSA is an example of asymmetric cryptography, not symmetric cryptography. RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. A man-in-the-middle attack is a threat to all asymmetric encryption communications. RSA does not deal with discrete logarithms. The security provided by RSA is based on the use of large prime numbers for encryption and decryption. It is difficult to factor large prime numbers. Therefore, it is difficult to break the encryption. RSA requires higher processing power due to the factorability of numbers but ensures efficient key management. RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. RSA uses public and private key signatures for integrity verification. With public key cryptography, the key is securely passed to the receiving machine. Therefore, public key cryptography is preferred to secure fax messages. When creating a public/private key pair, the RSA algorithm would need a user to specify the key strength. "
" Recently, your organization has experienced several password attacks. Management has asked you to provide additional security to ensure that this does not happen again. You decide to implement a key stretching function. Which of the following could you use? (Check all that apply.) DES Bcrypt 3DES PBKDF2 RSA "
" Answer: Bcrypt PBKDF2 Explanation: You could use Bcrypt or Password-Based Key Derivation Function 2 (PBKDF2). Both of these are key stretching functions and can be implemented to protect against brute force and rainbow attacks. None of the other options is a key stretching function. They are cryptographic algorithms. "
" You need to implement a protocol for dial-up connections that uses a challenge/response mechanism. Which protocol should you use? CHAP HTTP FTP TCP "
" Answer: CHAP Explanation: Challenge Handshake Authentication Protocol (CHAP) uses a challenge/response mechanism. CHAP is typically used for authentication on dial-up connections. A challenge/response mechanism, sometimes referred to as a three-way handshake, uses a secret password that verifies the identity of a user or node without revealing the password. CHAP uses only encrypted passwords during the authentication process. Hypertext Transfer Protocol (HTTP) is used to transfer Web pages on a TCP/IP network. File Transfer Protocol (FTP) is used to transfer files between FTP servers and FTP clients on a TCP/IP network. Transmission Control Protocol (TCP) is a protocol that provides connection-oriented communications on a TCP/IP network. Microsoft has its own implementation of CHAP, called MS-CHAP, that is more secure than CHAP. MS-CHAP v2 is more secure than version 1. MS-CHAP v2 is used in conjunction with Protected Extensible Authentication Protocol (PEAP) to provide mutual authentication between peers. "
" You suspect that several users are using expired digital certificates and that other digital certificates are very close to expiration. You need to examine the list of serial numbers of digital certificates that have not expired, but should be considered invalid. Which PKI component should you examine? CA CRL KDC UDP "
" Answer: CRL Explanation: A certificate revocation list (CRL) contains a list of serial numbers for digital certificates that have not expired, but that a certification authority (CA) has specified to be invalid. Typically, the serial number of a digital certificate is placed in a CRL because the digital certificate has been compromised in some way. A CA generates and validates digital certificates. The CA verifies the authenticity of the certificate elements. A Key Distribution Center (KDC) is used in Kerberos network authentication to distribute resource access keys. User Datagram Protocol (UDP) provides connectionless communications on TCP/IP networks. "
" You have implemented X.509 certificates for all computers on your organization's network. You need to ensure that the IT staff understands the need for X.509 certificates. Which statement is NOT true of digital certificates? X.509 is a digital certificate standard. Class 1 assurance for a digital certificate only requires an e-mail address. Class 2 assurance for a digital certificate only verifies a user's name and e-mail address. Digital certificates provide authentication before securely sending information to a Web server. "
" Answer: Class 2 assurance for a digital certificate only verifies a user's name and e-mail address. Explanation: Class 2 assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database. X.509 is a digital certificate standard that defines the certificate formats and fields for public keys. X.509 defines the manner in which a certification authority creates a digital certificate. X.509 defines the various fields, such as distinguished names of the subject, user's public key, serial number, version number, lifetime dates, and digital signature identifier, and the signature of the issuing authority, present in digital certificates. It does not contain any private keys. There are several versions of X.509 since its inception. The current version is X.509v4. The X.509 standard is used in many security protocols, such as secure socket layer (SSL) protocol. Class 1 assurance for a digital certificate only requires an e-mail address. Digital certification provides authentication before securely sending information to a Web server. Certificates act as safeguards for Internet transactions in which a user makes an online transaction with a Web server by providing services, such as non-repudiation, authentication, and encryption and decryption of data. When a certificate is created, the user's public key and the validity period are combined with the certificate issuer and the digital signature algorithm identifier before computing the digital signature. "
" Your organization has recently purchased a small manufacturing company. Both organizations have a public key infrastructure (PKI). You decide that you need to configure cross certification between both organizations. Which statement is NOT true of cross certification? Cross certification checks the authenticity of the certificates in the certification path. Cross certification builds an overall PKI hierarchy. Cross certification is primarily used to establish trust between different PKIs. Cross certification allows users to validate each other's certificate when they are certified under different certification hierarchies. "
" Answer: Cross certification checks the authenticity of the certificates in the certification path. Explanation: Certification path validation, not cross certification, checks the authenticity of the certificates in the certification path. All other statements are true of cross certification. Cross certification is primarily used to establish trust between different PKIs and build an overall PKI hierarchy. Cross certification allows users to validate each other's certificate when they are certified under different certification hierarchies. The primary purpose of cross certification is to build a trust relationship between different certification hierarchies when users who belong to different hierarchies are required to communicate, and might require authentication for legitimate connections. The process implies the establishment of a trust relationship between two certification authorities (CAs) through the signing of another CA's public key in a certificate referred to as a cross certificate. "
" Management asks you to implement an encryption standard that uses a single 56-bit encryption key to encrypt 64-bit blocks of data. Which encryption standard should you implement? Blowfish DES SSL TDES "
" Answer: DES Explanation: Data Encryption Standard (DES) is a block cipher encryption standard that uses a single 56-bit encryption key to encrypt 64-bit blocks of data. It is a symmetric or private key encryption algorithm. Triple Data Encryption Standard (TDES) uses multiple DES encryption and decryption processes to create an encryption scheme that is stronger than DES. Blowfish is a private key encryption algorithm, optimized for use on 32-bit processors, which supports encryption keys with a maximum length of 448 bits. Secure Sockets Layer (SSL) supports an encryption key length of 40 bits or 128 bits. "
" Your organization is trying to decide whether to use RSA or ECC to encryption cellular communications. What is an advantage of ECC over the RSA algorithm? ECC requires fewer resources. ECC uses elliptic curves that improve its reliability. ECC uses elliptic curves instead of keys to provide security. ECC does not deal with the intricacies of digital signatures. "
" Answer: ECC requires fewer resources. Explanation: The advantage of Elliptic Curve Cryptography (ECC) over the Rivest, Shamir, and Adleman (RSA) algorithm is its improved efficiency and requirement of fewer resources than RSA. ECC has a higher strength per bit than an RSA. ECC is a method used to implement public-key (asymmetric) cryptography. ECC serves as an alternative to the RSA algorithm and provides similar functionalities. The functions of ECC are as digital signature generation, secure key distribution, and encryption and decryption of data. Wireless devices, handheld computers, smart cards, and cellular telephones have limited processing power, storage, power, memory, and bandwidth compared to other systems. To ensure efficient use of resources, ECC provides encryption by using shorter key lengths. Shorter key lengths do not imply less secure systems. Therefore, ECC provides the same level of security as RSA by using a shorter key that enables easier processing by the resource-constrained devices. For example, a 224-bit ECC key provides the same level of security as the 2048-bit keys used by legacy schemes. A 3072-bit legacy key and a 256-bit ECC key provide equivalent security. This is an obvious advantage when the future lies in smaller devices and increased security. Also keep in mind that you need to understand ephemeral keys and perfect forward secrecy. An ephemeral key is used when a key is generated for each execution of a key establishment process. In some cases ephemeral keys are used more than once within a single session when the sender generates only one ephemeral key pair per message and the private key is combined separately with each recipient's public key. Perfect forward secrecy (PFS) ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. For PFS to exist, the key used to protect transmission of data must NOT be used to derive any additional keys. If the key used to protect data transmission was derived from some other keying material, that material must NOT be used to derive any more keys. "
" Management has asked you to implement an encryption algorithm that is based on the Diffie-Hellman key agreement. Which encryption algorithm should you implement? HAVAL ElGamal Knapsack International Data Encryption Algorithm "
" Answer: ElGamal Explanation: ElGamal is an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement. It is used for digital signatures, encryption of data, and key exchange. The mathematical functions in the ElGamal algorithm calculate discrete logarithms in a finite field. Diffie-Hellman is one of the first implementations of a public/private key system. HAVAL is a hashing algorithm and not an encryption algorithm. It processes 1024-bit block sizes of information. HAVAL creates message digests of variable sizes rather than a fixed output value. HAVAL produces hashes in lengths of 128, 160, 192, 224, and 256 bits. Knapsack is an asymmetric encryption algorithm. It is not based on the Diffie-Hellman key agreement. International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks of data, requires a 128-bit key, and performs eight rounds of computation. The Pretty Good Privacy (PGP) encryption software uses IDEA. "
" You have been hired as a security consultant for a large corporation. During a meeting with the IT department, the IT manager indicates that one of their applications uses a private key encryption standard that was developed in Russia and uses 256-bit encryption keys. Which encryption standard does the application use? CAST-128 GOST IDEA RC5 "
" Answer: GOST Explanation: GOST is a Russian private key encryption standard that uses a 256-bit encryption key. GOST was developed as a counter to the Data Encryption Standard (DES). CAST-128 is a private key encryption standard that is used in Pretty Good Privacy (PGP). International Data Encryption Algorithm (IDEA) is a private key encryption standard that was developed in Switzerland. IDEA is used in PGP and uses 128-bit encryption keys. RC5 is a private key encryption standard that was developed at the Massachusetts Institute of Technology. RC5 supports variable length encryption keys. "
" You have been hired as a Web security practitioner. Your organization implements several different Web security mechanisms to protect multiple Web sites. Which Web technology provides the highest level of security? HTTPS S-HTTP ActiveX JavaScript "
" Answer: HTTPS Explanation: Of the options given, HTTPS provides the highest level of security. The HTTP Secure (HTTPS) protocol provides a secure connection between two computers. The connection is protected, and all traffic between the two computers is encrypted. HTTPS uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS). It uses private key encryption to encrypt the entire channel. Secure HTTP (S-HTTP) is different from HTTPS. S-HTTP allows computers to negotiate an encryption connection and is not as secure as HTTPS. It uses document encryption to protect the HTTP document's contents only. ActiveX is very vulnerable to attacks because users can configure their computer to automatically access an ActiveX component or control. JavaScript scripts can be downloaded from a Web site and executed, causing damage to systems. "
" Your company has decided to implement IPSec on all VPN connections to provide better security. You need to ensure that packets are digitally signed on IPSec connections. What provides this in IPSec? DES Diffie-Hellman KHMAC ISAKMP "
" Answer: KHMAC Explanation: Keyed Hashing for Message Authentication Code (KHMAC) is used to digitally sign packets that are transmitted on Internet Protocol Security (IPSec) connections. The standard is also referred to as Keyed-Hash Message Authentication Code (HMAC). Data Encryption Standard (DES) is a private key encryption standard that is used in IPSec to ensure that data packets are confidentially transmitted. Diffie-Hellman or Diffie-Hellman Exchange (DHE) facilitates encryption key sharing. Internet Security Association and Key Management Protocol (ISAKMP) supports the establishment of security associations (SAs), which are sets of parameters that define the methods used by computers to communicate securely. Elliptic Curve Diffie-Hellman Key Exchange (ECDHE) is a special form of DHE that uses elliptic curves. "
" You need to digitally sign packets that are transmitted on IPSec connections for your organization's VPN. Which of the following should you implement? DES Diffie-Hellman KHMAC ISAKMP "
" Answer: KHMAC Explanation: Keyed Hashing for Message Authentication Code (KHMAC) is used to digitally sign packets that are transmitted on Internet Protocol Security (IPSec) connections. The standard is also referred to as Keyed-Hash Message Authentication Code (KHMAC). Data Encryption Standard (DES) is a private key encryption standard that is used in IPSec to ensure that data packets are confidentially transmitted. Diffie-Hellman facilitates encryption key sharing. Internet Security Association and Key Management Protocol (ISAKMP) supports the establishment of security associations (SAs), which are sets of parameters that define the methods used by computers to communicate securely. "
" Your company wants you to implement a protocol that operates at the Data Link layer of the OSI model to provide communications over the Internet. Which protocol should you implement? IS-IS IPSec L2TP TCP "
" Answer: L2TP Explanation: Layer 2 Tunneling Protocol (L2TP) operates at the Data Link layer, or Layer 2, of the Open Systems Interconnection (OSI) model. L2TP is a tunneling protocol that is used to create virtual private network (VPN) connections, typically through the Internet. Internet Protocol Security (IPSec) is a suite of protocols designed to protect Internet Protocol (IP) communications by encrypting IP data packets. IPSec can operate in tunnel mode to support VPNs or in transport mode to support typical IP communications. IPSec operates at the Network layer, or Layer 3, of the OSI model. Intermediate System to Intermediate System (IS-IS) is a Network layer protocol that enables intermediate systems within a routing domain to exchange information regarding the routing topology. Transmission Control Protocol (TCP) is a protocol in the TCP/IP protocol suite that operates at Layer 4, or the Transport layer, of the OSI model. TCP provides connection-oriented communications for hosts on TCP/IP networks. You need to understand and be able to comparatively analyze the OSI layer at which the protocols work. The OSI model layers and the protocols that work at each layer are as follows: Layer 7: Application - FTP, TFTP, DNS, SMTP, SFTP, SNMP, HTTP, Telnet, DHCP, Secure Copy Protocol (SCP) Layer 6: Presentation - MPEG, JPEG, TIFF Layer 5: Session - NetBIOS, PPTP, RTP, NFS, Session Control Protocol (SCP) Layer 4: Transport - TCP, UDP Layer 3: Network - IP, ICMP, IPSec, IGMP, AppleTalk, OSPF, RIP, ARP, RARP Layer 2: Data Link - SLIP, PPP, MTU, L2TP, Frame Relay, SDLC Layer 1: Physical - IEEE 802, USB, Bluetooth, RS-232, DSL Remember that Secure Copy (SCP) operates at the Application layer, but Session Control Protocol (SCP) operates at the Session layer. "
" You are investigating the authentication protocols used on your network. You discover that several authentication protocols are implemented. You are worried that some of the older protocols could be susceptible to attacks. Which authentication protocol is the oldest? Kerberos NTLMv1 NTLMv2 LANMan "
" Answer: LANMan Explanation: LAN Manager (LANMan) is the oldest authentication protocol listed. LANMan uses a hash and two Digital Encryption Standard (DES) keys. LANMan is seen as non-secure based on its ability to only store seven uppercase characters of data, making it susceptible to brute force attacks. Kerberos is the preferred authentication protocol for Windows 2000 Server, Windows Server 2003, and Windows Server 2008. It uses DES for encryption. NT LAN Manager version 1 (NTLMv1) and NTLMv2 replaced LANMan and use the MD4/MD5 hashing algorithm. NTLM is backwards compatible with LANMan. "
" Your company must implement a subnetwork that is highly secure. Management asks you to implement an encryption method that is used only once for a single document. Which encryption method should you use? Caesar cipher DES OTP substitution cipher "
" Answer: OTP Explanation: A one-time pad (OTP) is an encryption method designed to be used only once. An OTP is a random number that is used to encrypt only one document. The OTP must be used to decrypt a file that was encrypted with the OTP. Data Encryption Standard (DES) is a private key encryption algorithm. A substitution cipher is an encryption method that substitutes one character with another character in a particular pattern. For example, the Caesar cipher is a substitution cipher that replaces a letter with a letter that appears three letters later in the alphabet. For example, in the Caesar cipher, the letter J is replaced with the letter M. "
" Your company has decided to implement a virtual private network (VPN), which will be used by remote employees to access internal network resources. Which two protocols could you use? (Choose two.) PPP SSL RAS PPTP L2TP "
" Answer: PPTP L2TP Explanation: Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can use the Internet as their WAN link. This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect, PPTP creates a secure WAN connection using dial-up access. PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server. Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP and can also be used to create a VPN. L2TP is a combination of PPTP and Cisco's Layer 2 Forwarding (L2F) tunneling protocols and operates at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model. L2TP uses User Datagram Protocol (UDP) for sending packets as well as for maintaining the connection. Internet Protocol Security (IPSec) is used in conjunction with L2TP for encryption of the data. PPP is a protocol used to establish dial-up network connections. Secure Sockets Layer (SSL) is a security protocol that uses both encryption and authentication to protect data sent in network communications. Remote Access Service (RAS) is a service provided by the network operating system that allows remote access to the network via a dial-up connection. L2TP can be combined with Internet Protocol Security (IPSec) to provide enhanced security. Both PPTP and L2TP create a single point-to-point, client-to-server communication link. "
" You are currently comparing stream ciphers and block ciphers. You have decided to use only block ciphers and hash algorithms on your organization's network. Which cryptographic algorithm is a stream cipher? RC4 RC5 RC6 MD5 "
" Answer: RC4 Explanation: RC4 is a stream cipher. Wired Equivalent Privacy (WEP) is considered unsecure because of its improper use of RC4. RC4 would be a great algorithm to use for encrypting streaming video because it is a stream-based cipher. RC4 provides 56-bit encryption. Stream and block ciphers are the two main types of symmetric algorithms. Block ciphers process one block of bits, and stream ciphers process one bit at a time. RC5 and RC6 are block ciphers. RC4, RC5, and RC6 do not provide one-way hashing. MD5 is a one-way hashing algorithm. One-way hashing refers to inserting a string of variable length into a hashing algorithm and producing a hash value of fixed length. This hash value is appended to the end of the message being sent. This hash value is recomputed at the receivers end in the same fashion in which it was created by using the same computational logic. If the recomputed hash value is the same as the generated hash value, the message was not altered during the course of transmission. Hashing algorithms include MD2, MD4, MD5, HAVAL, and all of the Secure Hash Algorithm (SHA) variants. Hashing is the best way to protect confidentiality of sensitive data entered in a database table. "
" You have been asked to make recommendations on which IPSec mode your organization should implement on its VPN. In addition, you need to implement the appropriate protocol. You decide to use IPSec in tunnel mode with the AH protocol. Which payload is produced by this configuration? an encapsulated packet that is encrypted an encapsulated packet that is digitally signed an unencapsulated packet that is encrypted an unencapsulated packet that is digitally signed "
" Answer: an encapsulated packet that is digitally signed Explanation: Internet Protocol Security (IPSec) in tunnel mode with the Authentication Header (AH) protocol produces an encapsulated packet that is digitally signed. AH digitally signs a packet for authentication purposes. Tunnel mode encapsulates a packet within another packet. Encapsulating Security Protocol (ESP) encrypts IPSec packets. Transport mode sends IPSec packets between two computers without encapsulating packets. AH and ESP work in transport mode and tunnel mode. "
" You have been hired as a security consultant. The company owner asks you to implement public key encryption to protect messages traveling between two points. Which algorithm should you implement? IDEA RC5 RSA Skipjack "
" Answer: RSA Explanation: Rivest, Shamir, Adleman (RSA) is a public key encryption algorithm. RSA supports encryption and decryption and secures data with an algorithm that is based on the difficulty of factoring large numbers. A public key encryption algorithm is sometimes referred to as an asymmetric encryption algorithm. With asymmetric encryption, the public key is shared and used to encrypt information, and the private key is secret and used to decrypt data that was encrypted with the matching public key. Using RSA, messages traveling between two points are encrypted and authenticated. RSA tokens are used to provide a rolling password for one-time use. Private key encryption is sometimes referred to as symmetric encryption. With symmetric key encryption, the private key is used to both encrypt and decrypt data. International Data Encryption Algorithm (IDEA), RC5, and Skipjack are private key encryption algorithms. "
" You have been asked to implement the e-mail security method that is defined in RFC 2632 and RFS 2634. Which e-mail security method should you implement? PEM PGP MOSS S/MIME "
" Answer: S/MIME Explanation: Secure Multipurpose Internet Mail Extension (S/MIME) version 3 is an e-mail security method that is defined in Request for Comments (RFC) 2632 and RFC 2634. S/MIME 3 provides non-repudiation, authentication, and integrity for e-mail messages. Privacy Enhanced Mail (PEM) and MIME Object Security Services (MOSS) are older proposals for e-mail security standards that have not been adopted. Pretty Good Privacy (PGP) is the current de facto e-mail security standard. The Internet Engineering Task Force (IETF) is currently developing a version of PGP known as Open-PGP. "
" You need to ensure that several confidential files are not changed. You decide to use an algorithm to create message digests for the confidential files. Which algorithm should you use? AES DES IDEA SHA-1 "
" Answer: SHA-1 Explanation: Secure hash algorithm (SHA)-1 is a hashing algorithm that creates a message digest, which can be used to determine whether a file has been changed since the message digest was created. An unchanged message should create the same message digest on multiple passes through a hashing algorithm. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and International Data Encryption Algorithm (IDEA) are secret key encryption standards that are used to encrypt files. "
" After a recent security audit, several security issues were found. The auditor made suggestions on technologies that your organization should deploy. One of the suggestions made is to deploy SKIP. Which statement is true of SKIP? SKIP is a key distribution protocol. SKIP is only a key storage protocol. SKIP works on a response-by-session basis. SKIP deploys IKE for key distribution and management. "
" Answer: SKIP is a key distribution protocol. Explanation: Simple Key management protocol for Internet Protocols (SKIP) is a key management and distribution protocol used for secure IP communication, such as Internet Protocol Security (IPSec). SKIP uses hybrid encryption to convey session keys. These session keys are used to encrypt data in IP packets. SKIP uses a key exchange algorithm, such as the Diffie-Hellman algorithm, to generate a key-encrypting key that will be used between two parties. A session key is used with a symmetric algorithm to encrypt data. SKIP is not a key storage protocol. It is a key distribution and management protocol similar to Internet Key Exchange (IKE). SKIP works on a session-by-session basis, although it does not require prior communication for the establishment of sessions. SKIP employs encryption standards, such as Data Encryption Standard (DES) and Triple DES (3DES), to provide secure communication. SKIP does not deploy IKE for key distribution and management. IKE is a separate framework used to securely exchange keys to establish an IPSec session. Key exchange can occur either in band or out of band. In-band key exchange occurs over the same transmission media that is used by data and voice transmissions. Out-of-band exchange occurs outside the data and voice transmission media. In-band key exchange is less secure than out-of-band key exchange. "
" A user contacts you regarding his UNIX computer. He wants to remotely connect to his UNIX computer via a terminal connection. The company security policy states that all remote connections with internal resources must use encrypted connections. Which technology should you implement? FTP SCP SSH Telnet "
" Answer: SSH Explanation: You should implement Secure Shell (SSH). SSH creates an encrypted remote terminal connection with a UNIX computer. File Transfer Protocol (FTP) is used to transfer files on a TCP/IP network. FTP transmits data in clear text. Secure Copy (SCP) enables users to transfer files over a secure connection. Telnet is a protocol that enables a user to establish terminal connections with UNIX computers. Telnet transmits data in clear text. "
" You have been asked to implement the encryption standard that is used in the Clipper Chip. Which encryption standard should you use? AES Blowfish DES Skipjack "
" Answer: Skipjack Explanation: Skipjack is a private key encryption standard that was developed by the U.S. government for the Clipper Chip. Skipjack uses an 80-bit key, which might soon be vulnerable to decryption by hackers. Advanced Encryption Standard (AES) is a newer encryption standard that uses the Rijndael algorithm with 128-bit, 192-bit, or 256-bit keys. AES256 is stronger than DES, 3DES, SHA, or RC4. Blowfish is a private key encryption algorithm that was developed for optimal performance on 32-bit central processing units (CPUs). Blowfish supports keys up to 448 bits in length. Data Encryption Standard (DES) is an older private key encryption algorithm that was developed by IBM in the 1970s. DES uses 56-bit encryption keys on 64-bit data blocks. "
" Your company recently implemented an internal public key infrastructure (PKI). You need to ensure that all of the PKI components are secure and are currently researching the vulnerabilities on the entity that signs the certificates. Which entity are you examining? an issuer a principal a verifier a subject "
" Answer: an issuer Explanation: In a public key infrastructure (PKI), an issuer is the entity that signs a certificate. Signing a certificate verifies that the name and key in the certificate are valid. PKI is a system designed to securely distribute public keys. A PKI typically consists of the following components: certificates, a key repository, a method for revoking certificates, and a method to evaluate a certificate chain, which security professionals can use to follow the possession of keys. Chain of custody might be used in proving legal cases against hackers. A principal is any entity that possesses a public key. A verifier is an entity that verifies a public key chain. A subject is an entity that seeks to have a certificate validated. When using a PKI, keep the following points in mind: When encrypting a message with the public key, only the private key can decrypt it. When encrypting a message with the private key, only the public key can decrypt it. "
" You have been promoted to security administrator. Recently, management has implemented a security policy that states that symmetric cryptography must be used. However, your research indicates the asymmetric cryptography is a better choice for your organization. Which statement is true of symmetric cryptography? Symmetric cryptography is faster than asymmetric cryptography. Symmetric cryptography uses different keys to encrypt and decrypt messages. Symmetric cryptography does not require a secure mechanism to properly deliver keys. Symmetric cryptography provides better security compared to asymmetric cryptography. "
" Answer: Symmetric cryptography is faster than asymmetric cryptography. Explanation: Symmetric cryptography is faster than asymmetric cryptography. Symmetric cryptography is approximately 1,000 to 10,000 times faster than asymmetric cryptography. Symmetric cryptography uses either symmetric or secret keys to encrypt or decrypt messages. In symmetric cryptography, the same key that encrypts the data is used to decrypt the data. An example of a symmetric key is a key code that is given to lock and unlock a door. This key code is only shared with those you trust. Asymmetric cryptography involves the use of different keys to encrypt and decrypt the data. These keys are referred to as private and public keys, respectively. The public encryption key is used to ensure only the intended recipient can decrypt the ciphertext. Symmetric keys do not ensure security and scalability for key management because the same key is used for encryption and decryption. Therefore, symmetric cryptography requires a secure mechanism to deliver keys among the communicating hosts. Symmetric cryptography may be less secure than asymmetric cryptography because of the same keys being used for encryption and decryption. When implementing cryptography, it is important that organizations use proven technologies. The use of proven technologies will ensure that the cryptography that you implement has been thoroughly tested. "
" Your organization has a legacy server that uses CHAP to communicate. You are concerned that CHAP may not provide enough protection. What occurs during step 4 of the handshake process with this protocol? The client sends the server a logon request. The server sends the client a challenge. The client creates a message digest from a hashing algorithm. The client sends the server a response. "
" Answer: The client sends the server a response. Explanation: During step 4 of the Challenge Handshake Authentication Protocol (CHAP) handshake process, the client sends the server a response. CHAP is designed to start a handshake at the beginning of a remote connection and at several points during the CHAP connection to ensure that a hacker has not hijacked the CHAP connection. The following list indicates the steps involved in the CHAP handshake authentication process: The client sends the server a request for logon. The server sends the client a challenge message. The client creates a message digest from a hashing algorithm and includes the digest in a response message. The client sends the server a response. The server uses a hashing algorithm to create a message digest. The server compares the message digest in the response with the one the server created. The server sends either an authorize message or a fail message to the CHAP client. Password Authentication Protocol (PAP) is an authentication protocol that uses a password. Two entities share a password in advance and use the password as the basis of authentication. "
" You are creating a wireless network for your company. You need to implement a wireless protocol that provides maximum security while providing support for older wireless clients. Which protocol should you choose? Wireless Application Protocol (WAP) Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA) Wi-Fi Protected Access 2 (WPA2) "
" Answer: Wi-Fi Protected Access (WPA) Explanation: You should implement WPA. WPA was created to fix core problems with WEP. WPA is designed to work with older wireless clients while implementing the 802.11i standard. WAP is the default protocol used by most wireless networks and devices. However, because WAP can access Web pages and scripts, there is great opportunity for malicious code to damage a system. WAP does not provide maximum security. It is considered the weakest wireless protocol. WEP is the security standard for wireless networks and devices that uses encryption to protect data. However, WEP does have weaknesses and is not as secure as WPA or WPA2. WPA2 implements the 802.11i standard completely. Therefore, it does not support the use of older wireless cards. Identification and WPA2 are considered the best combination for securing a wireless network. There are two versions of WPA: WPA and WPA2. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA2 uses CCM Mode Protocol (CCMP) for encryption. Both WPA and WPA2 can operate in two modes: Personal and Enterprise. Because CCMP uses AES, TKIP is considered weaker than CCMP. The Personal mode uses a 256-bit key and is referred to as WPA-Personal or WPA-Preshared Key (WPA-PSK) and WPA2-Personal or WPA2-PSK, depending on which version of WPA you implement. The Enterprise mode is designed for enterprise networks and uses Extensible Authentication Protocol (EAP) for authentication. This mode is referred to as WPA-Enterprise or WPA-802.1x and WPA2-Enterprise or WPA2-802.1x, depending on which version of WPA you implement. WPA-Enterprise is more secure than WPA2-PSK. If you need to implement a secure wireless authentication method that uses a remote RADIUS server for authentication, you should implement Lightweight Extensible Authentication Protocol (LEAP) or Protected Extensible Authentication Protocol (PEAP). Of these two protocols, PEAP is considered the most secure. When deploying a WPA2-Enterprise wireless network, you will need to install a digital certificate on the authentication server. "
" You have decided to deploy EFS on several computers on your network. You need to explain to management why EFS should be deployed. What is EFS? a server on a Windows NT network that participates in directory services a server that issues digital certificates a server on a Windows 2000 network that participates in directory services a Windows XP feature that supports file encryption "
" Answer: a Windows XP feature that supports file encryption Explanation: Encrypting File System (EFS) is a Microsoft Windows feature that supports file encryption on NTFS hard disk volumes. On Windows networks, primary domain controllers (PDCs) and backup domain controllers (BDCs) participate in directory services. A certification authority (CA) is a server that issues digital certificates. On a Windows 2000 or Windows XP network, a domain controller (DC) participates in providing Active Directory (AD) directory services for network clients. "
" As a security administrator, you are responsible for ensuring that your organization's IT staff understands the security mechanisms employed on the network. You are currently documenting the security mechanisms as part of the IT training. During the documentation, you realize that many of the IT staff does not understand the basic terms used in IT security. You need to document the terms and definitions that you will use. What is a mathematical formula that is used in cryptography to encrypt data? algorithm ciphertext key plaintext "
" Answer: algorithm Explanation: An algorithm is a mathematical formula that is used in cryptography to encrypt data by transforming plaintext into ciphertext. Plaintext, sometimes referred to as clear text, is information in its pre-encrypted form. Ciphertext is data in its post-encrypted form. A key is information that can be plugged into an encryption algorithm to either encrypt plaintext or decrypt ciphertext. Private keys are kept secret and are used in symmetric and asymmetric encryption. Public keys are shared and used in asymmetric encryption. The public key of the recipient is used to encrypt an e-mail message to ensure the message can only be read by its intended recipient. Public keys decrypt the hash of an electronic signature. "
" Your organization has recently adopted a new security policy. As part of this policy, you must implement the appropriate technologies to provide confidentiality. Which technology provides this? asymmetric encryption a disk array authentication a digital signature "
" Answer: asymmetric encryption Explanation: Asymmetric encryption provides confidentiality because encryption protects the contents of a file from being viewed by unauthorized users. Authentication provides accountability by establishing an individual's identity and defining that individual's access to resources. Some disk arrays, such as Redundant Array of Independent Disks (RAID)-1 and RAID-5 arrays, are implemented to provide fault tolerance for the data stored on those disks. If a user signs a file with a digital signature before sending the file to another user, the recipient can then use the digital signature to ensure that the file was not changed during transmission. "
" You have been asked to research the encryption algorithms available and make recommendations to management about which to implement. One of the encryption algorithms that you are researching is RSA. Which type of encryption algorithm does this algorithm represent? asymmetric with authorization symmetric with authentication asymmetric with authentication symmetric with digital signature "
" Answer: asymmetric with authentication Explanation: RSA is an example of asymmetric cryptography with authentication. RSA is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication. It relies on the hacker's inability to factor large prime numbers. Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), CAST, and Knapsack. Symmetric algorithms include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Blowfish, RC4, RC5, and RC6. Symmetric algorithms are sometimes called block ciphers. RSA does not deal with discrete logarithms. The security that RSA provides is based on the use of large prime numbers for encryption and decryption. It is difficult to factor large prime numbers. Therefore, it is difficult to break the encryption. RSA can prevent man-in-the-middle attacks by providing authentication before the exchange of public and private keys. The key is securely passed to the receiving machine. Therefore, public key cryptography is preferably used to secure fax messages. RSA requires higher processing power due to the factorability of its numbers, but provides efficient key management. "
" You have been hired as a security consultant. One of your recommendations is that the organization should implement encryption for all data, including data at rest and data in transit. Which security service does this provide? accountability availability confidentiality integrity "
" Answer: confidentiality Explanation: Encryption provides confidentiality security services. An encrypted file is protected from being read by users who cannot decrypt the file. Users require digital keys to decrypt and read encrypted files. Confidentiality deals with ensuring that information is not disclosed intentionally or unintentionally. Accountability is a security service that is used to determine the identity of users. Authentication is an example of an accountability security service. Availability is a security service that protects hardware and data from loss by ensuring that any needed data is available when necessary. Backups are an example of availability. Integrity is a security service that ensures that digital files have not been changed. Digital signatures are an example of an integrity security method. A digital signature provides integrity and non-repudiation. Non-repudiation ensures that data's origin is known. "
" You have recently been hired as the security administrator for Verigon, Inc. A key management system is included as part of the company's current security infrastructure. Which process generates keys for this system? certification creation protection revocation "
" Answer: creation Explanation: Key creation generates keys for a key management system. For example, Data Encryption Standard (DES) provides a key creation system that produces 56-bit encryption keys. Key certification is a system that enables the receivers of a key to certify the identity of a key sender. Encryption systems typically provide password protection to protect private keys. Key revocation systems enable users to mark keys or key pairs that are no longer valid. "
" You recently discovered a folder on your computer that contains a secured copy of the private key for all users in your organization. You maintain this copy to ensure that you can recover lost keys. Of which security practice is this an example? quantum cryptography CRL steganography key escrow "
" Answer: key escrow Explanation: Key escrow occurs when you maintain a secured copy of a user's private to ensure that you can recover the lost key. In some cases, a third party may be selected to provide the key escrow service when the key is owned by one organization but is used by another. If a third party provides this service, it ensures that the organization that is using the key can still recover data if the organization that owns the key goes out of town. Key escrow is a primary concern in cryptography and in a public key infrastructure (PKI). Key escrow is required when implementing a PKI if data loss is unacceptable. Quantum cryptography is a relatively new method of encryption. Quantum cryptography is different from proven technologies in that it relies more on physics, rather than mathematics, as a key aspect of its security model. While most organizations use proven technologies, quantum cryptography usage will increase because it is more secure. A certificate revocation list (CRL) is list of certificates which have been revoked, are no longer valid, and should not be used. A certificate signing request (CSR) is a message sent from an applicant to a certificate authority to apply for a digital identity certificate. This is also the same process that is used to renew a certificate. Steganography is the science of hiding messages within another medium. A common use of steganography involves hiding a message within an otherwise normal-looking picture or graphic. "
" You have recently noticed that several users are using keys that should be expired. You decide to check if the key revocation system is configured properly. Which task does this system accomplish? key generation private key protection key invalidation key validation "
" Answer: key invalidation Explanation: Key revocation systems are designed to invalidate keys. Keys are generated by key generation systems. Data Encryption Standard (DES), for example, provides a key generation system that produces 56-bit encryption keys. A receiver of a key can certify the identity of the sender of the key by using a key certification system. Encryption systems typically provide password protection to protect private keys. "
" You have recently been hired by an organization as their security administrator. While reading the documentation provided to you by the IT manager, you discover that the organization has a large public key infrastructure (PKI) that you will need to manage. You are concerned with the trust relationships that have been established between your organization's PKI and outside entities. Which type of trust models are used by CAs? (Choose all that apply.) bus ring mesh hierarchy "
" Answer: mesh hierarchy Explanation: Certification authorities (CAs) are organized in a trust hierarchy or trust mesh. In a hierarchy model, a root CA is at the top of a CA trust hierarchy and contains a root certificate, which is used to sign certificates for CAs in the level immediately below the root CA. The centralized model uses a CA to issue and revoke certificates. In a mesh model, CAs may certify other CAs, provided no naming constraints are applied The terms bus and ring refer to network topology types. For example, Ethernet networks are often configured in a bus topology. Token Ring networks are arranged in a ring topology. There are other types of PKI trust models, including hybrid and bridge. "
" You have been hired as the new security administrator for your company. Documentation indicates that the company implements message authentication code (MAC). What does this ensure? message integrity message availability message confidentiality message replay "
" Answer: message integrity Explanation: Message authentication code (MAC), which is also referred to as message integrity code (MIC), ensures integrity of the messages. MAC adds authentication capability to a one-way hashing function. MAC cannot ensure the availability of the data or the system. MAC does not ensure message replay. It provides protection against message replay attacks. A message replay can be performed to gain access to information and to reinsert the information back to a legitimate connection through attacks, such as man-in-the middle attacks. A one-way hashing function does not use any key and only ensures that the message that is transferred is not tampered with by calculating a checksum value. Messages with one-way hashing can be intercepted and hashing can be reproduced. One-way hashing converts a message of arbitrary length into a value of fixed length. Given the digest value, it should be computationally infeasible to find the corresponding message. It should be impossible or rare to derive the same digest from two different messages. MAC applies a secret key to the message that is known to the authorized recipient only. Block chaining cryptography uses MAC to ensure the authenticity of the message. There are two basic types of MAC: Hash-MAC (HMAC) and CBC-MAC. In HMAC, a symmetric key is appended to the message that is known only to the authorized recipient. However, HMAC lacks confidentiality. When an HMAC function is used, a symmetric key is combined with the message, and then that result is put though a hashing algorithm. The result is an HMAC value. HMAC provides data origin authentication and data integrity. In CBC-MAC, the message is encrypted with a symmetric block cipher in CBC mode. Some MAC algorithms use stream ciphers as well. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC. MAC was developed to prevent fraud in electronic fund transfers involved in online transactions. "
" You have recently been hired as a security administrator for your company. In the security documentation, it mentions that message authentication code (MAC) is implemented. What does this ensure? message integrity message availability message confidentiality message replay "
" Answer: message integrity Explanation: Message authentication code (MAC), which is also referred to as message integrity code (MIC), ensures the integrity of messages. MAC adds authentication capability to a one-way hashing function. MAC does not ensure message replay. It provides protection against message replay attacks. A message replay can be performed to gain access to information and to reinsert the information back to a legitimate connection through attacks, such as man-in-the-middle attacks. MAC cannot ensure the availability of the data or the system. A one-way hashing function does not use any key and only ensures that the message that is transferred is not tampered with by calculating a checksum value. Messages with one-way hashing can be intercepted, and hashing can be reproduced. MAC applies a secret key to the message that is known to the authorized recipient only. Block chaining cryptography uses MAC to ensure the authenticity of the message. MAC was developed to prevent fraud in electronic fund transfers involved in online transactions. There are two basic types of MAC: Hash-MAC (HMAC) and CBC-MAC. In HMAC, a symmetric key is appended to the message that is known only to the authorized recipient. However, HMAC lacks confidentiality. In CBC-MAC, the message is encrypted with a symmetric block cipher in CBC mode. Some MAC algorithms use stream ciphers as well. You need to understand the difference between block and stream ciphers. A block cipher uses an algorithm that conducts operations on fixed-length groupings of bits, or blocks. A stream cipher takes plain text characters or digits and combines them with a pseudo-random cipher digit stream, or key stream. "
" You are providing end-user security awareness training. As part of this training, you explain why the organization uses asymmetric encryption and how it works. What is used to decrypt a file in this type of encryption? message digest plaintext private key public key "
" Answer: private key Explanation: In asymmetric encryption, which is sometimes referred to as public key encryption, a user creates a public and private key pair. The user distributes the public key and retains the private key. Another user can use the distributed public key to encrypt a file before sending that file to the owner of the private key. The owner then uses the private key to decrypt the received file. If a hacker wants to decrypt a file that was encrypted with a user's public key, then the hacker must gain access to or fabricate a replacement for the private key. The recovery agent is used to recover the private key. If a user encrypts data using his private key and his account is deleted when he leaves the company, the only way to recover the data is to use the recovery agent. If the recovery agent is not available, the encrypted data is not retrievable. A message digest, which is created by a hashing algorithm, can be used to determine whether a file has been modified subsequent to the creation of the file's message digest. Plaintext refers to unencrypted files. "
" Management has asked you to ensure that the certificates that have been validated in the corporate PKI are protected. What must be secured in the PKI? the public key of the root CA the private key of the root CA the public key of a user's certificate the private key of a user's certificate "
" Answer: the private key of the root CA Explanation: The private key of the root certification authority (CA) must be secured to ensure that the certificates that have been validated in a public key infrastructure (PKI) are protected. If the private key of the root CA has been compromised, then a new root certificate must be created and the PKI must be rebuilt. The public key is found in the trusted root CA. If the private key of a user's certificate has been compromised, then a new certificate should be created for that user and the user's compromised certificate should be revoked. The compromise of a user's certificate will not jeopardize other certificates in a PKI. A public key, as its name implies, is public, and does not need to be kept secret. If the private key of a server has been compromised by an intruder, you should submit the public key to the CRL. "
" You have recently implemented a new public key infrastructure (PKI) for your organization. You need to back up the entity that is responsible for certifying the public key pair of the root CA. Which entity must you back up? the root CA a subordinate CA an external CA a Kerberos server "
" Answer: the root CA Explanation: You should back up the root CA. The root certification authority (CA) must certify its own public key pair. An organization may also want to have a root CA's public key pair certified by an external CA for added security and confidence in the key pair. Neither a subordinate CA nor a Kerberos server is used to certify a root CA's key pair. "
" Recently, several confidential messages from your company have been intercepted. Your company has decided to implement PGP to encrypt files. Which type of model does this encryption use? bus hierarchy ring web "
" Answer: web Explanation: Pretty Good Privacy (PGP) uses a web of trust to validate public key pairs. In a web of trust model, users sign their own key pairs. If a user wants to receive a file encrypted with PGP, the user must first supply the public key. In a public key infrastructure (PKI), certification authorities (CAs) are arranged in a hierarchy and sign public key pairs. Many older Ethernet networks used a bus model for their physical architecture. In a bus network, all computers on a network are connected to a central bus cable. A ring model is used to wire computers in token ring networks. In a ring network, all computers are connected to a physical ring of cable. GNU Privacy Guard (GPG) is an alternative to the PGP suite of cryptographic software. It uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange. GnuPG currently supports the following algorithms: Pubkey: RSA, ElGamal, DSA Cipher: IDEA (from 1.4.13/2.0.20), 3DES, CAST5, Blowfish, AES-128, AES-192, AES-256, Twofish, Camellia-128, Camellia-192, Camellia-256 (from 1.4.10/2.0.12) Hash: MD5, SHA-1, RIPEMD-160, SHA-256, SHA-384, SHA-512, SHA-224 "
" Your company decides to implement a wireless network. You have been asked to assess which wireless encryption protocol to implement on the wireless network. Match the descriptions on the left with the Wireless Encryption Protocols on the right."
" Explanation: The Wireless Encryption Protocols should be matched with the descriptions in the following way: WEP - Uses a 40-bit or 104-bit key WPA/WPA2 Personal - Uses a 256-bit pre-shared key WPA/WPA2 Enterprise - Requires a RADIUS server "
" Match the PKI component on the left with the descriptions given on the right. "
" Explanation: The tools and their descriptions should be matched in the following manner: Wildcard - Reduces the certificate management burden by allowing one certificate to be used for multiple subdomains OCSP - Checks online certificate status in real time CSR - Messages sent from an user or application to a CA to apply for a digital certificate CRL - Contains a list of certificates that have been issued and subsequently rescinded by a given CA Keep in mind that OCSP is used to validate whether trust is in place and accurate by returning responses of good, unknown, or revoked. "
" After researching different security mechanisms, your company decides to implement PGP instead of a formal PKI and formal trust certificates. Which of the following is a characteristic of PGP? the use of certification authority (CA) servers the establishment of a web of trust between the users the use of trust domains by the servers and the clients the deployment of private keys for authentication and encryption "
" the establishment of a web of trust between the users Explanation: Pretty Good Privacy (PGP) establishes a web of trust between the users. A web of trust implies that the users generate and distribute their public keys. These keys are signed by users for each other, establishing a community of users who trust each other for communication. Every user has a collection of signed public keys stored in a file known as a key ring. A level of trust and validity are associated with each key in that list. For example, if A trusts B more than C, there will be a higher level of trust for B compared to C. PGP is a public key encryption standard that is used to protect e-mail and files that are transmitted over the network. PGP encrypts data using symmetric encryption. PGP provides the following functionalities: confidentiality through the International Data Encryption Algorithm (IDEA) integrity through the Message Digest 5 (MD5) hashing algorithm authentication through public key certificates non-repudiation through encrypted signed messages PGP does not use either certification authorities (CA) servers or formal trust certificates. The users trust each other instead of trusting only the CA server before initiating the communication. The drawback of PGP is that unlike the centralized CA server, it is hard to achieve standardized functionality using PGP. After the loss of a private key by a user, the user should inform all of the other users in the user's web of trust to avoid unauthorized communication. PGP deploys a web of trust and does not use trust domains between the servers and the clients. PGP does not use private keys for authentication and encryption, but instead uses public and private keys to deploy public key cryptography for authentication and encryption. "