Domain 6.0 cryptography and PKI
In terms of cryptography, it can be said that data security relies on which two factors?
1-The strength of the encryption algorithm. 2-The secrecy of the key. Factors to consider for data security include the strength of the underlying encryption algorithm, key length, the likelihood of compromise through a security breach and the availability of mechanism of revoking keys.
You have been tasked with enabling SSL on your e-commerce web site. What are the steps in correct order in doing so?
1. Create a certificate signing request. 2. Submit your CSR to a CA 3. Install digitally signed CA on the web server. 4. Configure the web server to use digital certificates.
Which of these terms describes the balance of factors that will provide the highest security using low latency with high resiliency? A. Resource vs. security constraint B. Security through obscurity C. Moore's law D. None of these
A. Resource vs. security constraint The resource vs. security constraint describes the time and energy required for strong security. The balance is different for every case.
Two major hash functions are used today. Which two choices below represent these functions? A. SHA-1 B. SHA-5 C. MD-1 D. MD-5 E. NSA-1
A. SHA-1 D. MD-5 As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1.
In a hierarchical trust model, how are the root CA certificates signed? A. Self-signed B. Stapling C. Intermediate CA D. None of these
A. Self-signed A root CA has the authority to self-sign certificates.
During their communication session using Mutual Authentication, both parties verify each other's identities. This is most particularly useful to which entity below? A. Banking industry B. Software Developers C. Law Enforcement Agencies D. Mass emailers
A. Banking industry Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity and is often used in the financial industry.
Which term describes multiple inputs resulting in the same hash value? A. Collision B. Confusion C. Obufscation D. Diffusion
A. Collision Collisions occur in hashing when different inputs result in the exact same hash. This is very rare but has been proven possible even with Secure Hashing Algorithm 1 (SHA-1).
Cryptographic protection can be applied to data in any of three states. Which of these is not one of those states? A. Data-in compression B. Data-at-rest C. Data-in-use D. Data-in-transit
A. Data-in compression Cryptography protects data that is at rest (stored on a disk), in-transit (email or Internet), or in use by a device such as a (printer).
Smart cards, Keberos, and public keys are all supported under which general protocol? A. EAP B. Telnet C. RADIUS D. SSH
A. EAP The Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748.
You are having a meeting today with network staff to discuss your wireless network's authentication standards. Extensible Authentication Protocol (EAP) is a connecting device network authentication framework that supports methods such as PKI certificates, smartcards, and passwords. Wireless networks that support WPA or WPA2 commonly provide multiple EAP options to choose from for RADIUS authentication of connecting clients. Which EAP option doesn't require the client to be authenticated with a signed PKI certifciate? A. EAP-FAST B. EAP-TLS C. LEAP D. PEAP
A. EAP-FAST As opposed to certificate based EAP versions, EAP-FAST achieves mutual authentication by using protected access credentials, not certificates.
Which block cipher mode uses an encryption that has the possibility of repetitive data having the same cipher text? A. ECB B. CTM C. GCM D. CBC
A. ECB Electronic Code Book (ECB) encrypts each data block individually, and there is a possibility of repetitive data resulting in the same cipher text.
The word Data was encrypted using a substitution algorithm with the key value of 2. Which value below represents the output? A. FCVC B. GDTD C. BYRY D. TADA
A. FCVC
Which term most accurately describes smartcards? A. Low power B. Something you know C. Something you are D. Certificate authority
A. Low power Low power cards are still able to perform cryptographic calculations to secure IT functions.
The ability to verify that the sender of a message actually did send the message, and that it was not tampered with in transit is a benefit of cryptography, and is known as _________________. A. Non-repudiation B. Digital certificate validity C. Hashing D. None of these
A. Non-repudiation Nonrepudiation is the practice of using a trusted third party to verify the authenticity of a party who sends a message.
The acronym PGP represents which of the choices listed below? A. Pretty Good Privacy B. Powerful Gateway Private C. Private Generic Protocol D. Pretty Good Protocol
A. Pretty Good Privacy Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. Often used for signing, encrypting, and decrypting emails and files.
A message encrypted using the recipient's public key is decrypted by the recipient using which of the choices listed below? A. The recipient's private key. B. The recipient's public key. C. Both the recipient's private and public keys. D. None of these
A. The recipient's private key. A user's public key is accessible to other people in the organization. The two keys are different but complementary in function. Information that is encrypted with the public key can be decrypted only with the corresponding private key of the set.
In a discussion with one of your supervisors he tried to put you on the spot with a question about RSA keys and wireless encryption. Which of the statements below would best illustrate your grasp of the topic? (Choose all that apply). A. With RSA keys, never use 40-bit keys. B. RSA keys with 128-bit keys allows for reuse of the same key for each piece of data. C. WEP at any key length is not recommended. D. Using WPA2-PSK with RSA will provide the strongest and fast connection. E. WPA with RSA is the most secure way to ensure compatibility with older wireless devices. F. WPA2 with TKIP will give you the security and speed you need along with backward compatibility.
A. With RSA keys, never use 40-bit keys. C. WEP at any key length is not recommended. D. Using WPA2-PSK with RSA will provide the strongest and fast connection. Now you give it your best shot. Start with the low level information. State the plain facts: 40-bit RSA keys are easily exploitable, the 128-bit key length is more desirable. Not perfect but a lot better. Never reuse keys, consider them like the key to your house. The 128-bit key will tolerate some duplication but not for each piece of data. Avoid WEP at any key length it's too easy to compromise. Using WPA2 and a Pre Shared key (PSK) is solid security, add RSA to provide a strong, fast connection. RSA is less backward compatible than TKIP. TKIP is as close to a patch as a protocol can get. It does provide security and backward compatibility but the penalty is speed. You may find your 802.11n network running at 54Mbps to accommodate the backward compatibility. Well done if you got it correct.
Organizations typically follow a trust model to help users establish a certificate's validity. There are three different trust models. Which of the choices listed below is NOT one of these model? A. Direct Trust B. Indirect Trust C. Hierarchical trust D. Web of trust
B. Indirect trust The trust model uses a variety of techniques to establish how users validate certificates.
In order to create your own PGP certificate, you must request and be issued specific documentation from a certification authority. Which choice below correctly identifies this documentation? A. 3DES key B. X.509 certificate C. SHA-1 key D. All of these.
B X.509 certificate PGP defined its own standard for digital certificates which are very similar to X.509.
Of the key sizes listed, which is not used by Twofish? A. 128 bits B. 129 bits C. 192 bits D. 256 bits
B. 129 bits
The day before a major downturn in stock prices, Ellen purchased 100 shares of Y. Z. company stock on behalf of Chester, based on an email she'd received from him. Chester now refutes the transaction, stating that he never ordered the shares. What could they have used to verify their identities to each other? A. Non-repudiation service B. A certification authority C. MIME D. S-MIME
B. A certification authority A public key certificate (also known as a digital certificate or identity certificate) is an electronic document that uses a digital signature to bind a public key with an identity and the email address. The certificate can be used to verify that a public key belongs to an individual.
You have been asked if there is a block cipher algorithm that is considered unbreakable in practical use. Which of the provided choices is optimal? A. MD5 B. AES C. 3DES D. RC4
B. AES AES is symmetric block cipher cryptography using key lengths of 128,192 and 256-bits based on the Rijndanel algorithm. In one study it outperformed its only other competitor on the list, 3DES, in hardware and software with a 128-bit key taking over 5,000 years to check all combinations at a rate of 50 billion attempts per second. The other alternatives are stream ciphers. Of the remaining two MD5 and RC4, MD4 and MD5 along with SHA-1 were banned for use in new products in early 2009. This leaves RC4 the last man standing out of that pairing.
Your security goal is to select the appropriate controls to maintain integrity. Choose the value that does NOT fit. A. Digital Signatures B. Access Controls C. Non-repudiation D. Hashing
B. Access Controls When discussing security goals you will find them categorized into the following classifications: Confidentiality, Integrity, Availability, and Safety. Each classification is governed by a set of controls. To meet the goal of Integrity you would use the controls provided with the exception of Access Controls which is associated with Confidentiality.
Which block cipher mode uses a pseudo-random-number generator for results in reasonable unpredictable values? A. ECB B. CTM C. GCM D. CBC
B. CTM Chaotic tent mapping (CTM) mode uses a pseudo-random-number generator, and not feedback, which results in reasonable unpredictable unique values.
A cryptographic process that drastically changes data from its input to cipher text would be referred to as which of the following? A. Collision B. Confusion C. Obfuscation D. Diffusion
B. Confusion Confusion, in cryptography, refers to a process that radically changes data from its input to the resultant output, or cipher text.
Which approach to cryptographic key exchange uses ephemeral keys? A. DH B. DHE C. ECDH D. D-H Groups
B. DHE Elliptic Curve Diffie-Hellman (ECDH) uses elliptic curve cryptography instead of the large prime numbers associated with standard Diffie-Hellman (DH) cryptography. Diffie-Hellman Ephemeral (DHE) keys are used only once, then discarded.
The protection of data from unauthorized disclosure to a third party is referred to as ____________________. A. Data integrity B. Data confidentiality C. Data privacy D. Data access
B. Data confidentiality
The word COMMON was encrypted using a substitution algorithm with the key value of 2. Which value below represents the output? A. DRPPRO B. EQOOQP C. ONCOMM D. AMKKML
B. EQOOQP A substitution cipher is a method of encoding by which units of plaintext are replaced with cipher text, the key in this case the number two is added to each value resulting in the cipher text. The receiver deciphers the text by performing an inverse substitution.
Which choice listed below ensures messages cannot be intercepted or read by anyone other than their intended audience? A. Authentication B. Encryption C. Access Control D. WAP
B. Encryption
What technology is used to determine whether or not data has been tampered with between the sender and the receiver? A. Encryption B. Hashing C. Auditing D. None of these.
B. Hashing Hashing is a method of determining data integrity and uses a variable length input that is converted into a fixed length output.
The system administrator wants to update the access restrictions in the application database by automated script. The script has been tested and is known to be good. When the administrator runs the script he finds that it runs erratically and the permissions do not match the desired values. Which of the major principles of information security have been compromised by this activity? A. Confidentiality B. Integrity C. Availability D. Non-repudiation
B. Integrity CompTIA identifies the main goals of information security as Confidentiality, integrity and availability. Confidentiality ensures that your information remains your information, with no unintentional availability. Integrity ensures that your data remains unchanged or unaltered. And finally availability guarantees the accessibility of the data whenever you need it. In this case it appears that the integrity of the script has been compromised.
Steganography is the process of hiding messages in digital media. What is the most common way these messages are encoded? A. Enigma machine B. Least significant bit C. Symmetric algorithms D. Secret private key
B. Least significant bit The most common way to hide a message in a digital file or image is to use the least significant bit method.
Which of these substitution ciphers rotates the alphabet 13 steps to obfuscate the message? A. XOR B. ROT13 C. Alpha13 D. X13
B. ROT13 As its name would imply, ROT13 rotates the alphabet 13 times. XOR uses binary calculations based on alphabetic characters.
Which of the following can be added to a password to reduce the ease by which rainbow tables can be used for password attacks? A. Hashing B. Salt C. Hybrid D. MD5
B. Salt Salt or random bits added to a password can greatly reduce the ease by which rainbow tables can be used to attack passwords.
When you are using Private Key Encryption, the block cyphers that follow the AES standard will generally have these properties. (Choose two) A. Asymmetric B. Symmetric C. Fixed Key Length D. Stream Cypher E. Maximum key size 256
B. Symmetric E. Maximum key size 256 The AES standard produces block cyphers using multiple rounds of encryption to produce keys between 128 and 256 bits. It is known to be effective against known attack methods, it is simple and efficient.
Which of the following would not typically be used as a part of a digital signature? A. The owner's public key. B. The owner's private key. C. The owner's email address. D. Digital signatures of a trusted third party. E. The owner's name
B. The owner's private key. Public key encryption requires the use of both a private key (a key that is known only to its owner) and a public key (a key that is available to and known to other entities on the network).
What is the main reason why SHA and MD5 are not used to create digests? A. They are weak or deprecated B. Their speed is their weakness C. The digests contain predictable patterns D. All of these
B. Their speed is their weakness SHA and MD5 can create a hash digest very quickly and an attacker using these methods can operate at the same speed. Instead, the attack should be slowed down using a process called key stretching.
Which wireless authentication method requires only a single button to be pushed on the router and device? A. WPA B. WPS C. WAP D. All of these
B. WPS There are two WPS authentication methods. The push-button method for WPS is described in this question.
Public key algorithms are also known as _______________ algorithms. A. Hashed B. Cipheretxt C. Asymmetrical D. Symmetrical
C. Asymmetrical Public key algorithms or asymmetric algorithms use encryption and decryption keys that are different.
Which of these block cipher modes requires a synchronous counter on both the sender and receiver? A. CBC B. ECB C. CTR D. None
C. CTR
The acronym CRL corresponds to which choice listed below? A. Committed Resource Locator B. Certificate Reference List C. Certificate Revocation List D. Common Resource List
C. Certificate Revocation List Used in the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates or more specifically, a list of serial numbers for certificates that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.
PGP supports four major conventional encryption methods. Which of the following is NOT a supported encryption method? A. CAST B. IDEA C. 3DES D. Twofish E. DSA
E. DSA not supported by PGP
Which of the following security techniques associates a host with its related public key? A. CRL B. OSCP C. Certificate pinning D. FQDN
C. Certificate pinning Certificate Pinning is a technique used to associate hosts with their public keys. This can be done by client-side applications. Web browsers keep a copy, or a hash, of a host's public key, and then it is checked by the client app when server connectivity is initiated.
Which approach to cryptographic key exchange uses elliptic curve cryptography? A. DH B. DHE C. ECDH D. Perfect forward secrecy
C. ECDH Elliptic Curve Diffie-Hellman (ECDH) uses elliptic curve cryptography instead of the large prime numbers associated with standard Diffie-Hellman cryptography. Diffie-Hellman Ephemeral keys are used only once, then discarded.
Which block cipher mode will provide both encryption and integrity? A. ECB B. CTM C. GCM D. CBC
C. GCM Galois/Counter Mode (GCM) is used to achieve both encryption and integrity.
Which wireless authentication protocol does not use PKI certificates and sends usernames in plain text? A. EAP-FAST B. EAP-TLS C. LEAP D. PEAP
C. LEAP Lightweight Extensible Authentication Protocol (LEAP) is a Cisco wireless authentication protocol that does not involve PKI certificates; usernames are sent in clear text.
Crypto service providers use crypto ______________ to perform specific tasks. A. Chains B. Blocks C. Modules D. Cipher
C. Modules Crypto service providers use crypto modules to perform tasks such as key generation, storage and authentication.
What is the intentional altering of communications to make it more difficult for unauthorized parties to make sense of the message? A. Collision B. Confusion C. Obfuscation D. Diffusion
C. Obfuscation
You're a security consultant, and your latest client is a military contractor who requires the utmost in security for transmitting messages during wartime. Which of the following provides the best security? A. AES B. 3DES C. One-time pad D. RSA
C. One-time pad One-time pads are used to combine completely random keys with plain text resulting in cipher text, after which one-time pads are not used again. A randomized initialization vector (IV), or salt, is used to derive keys. An item used only once is referred to as a nonce. Both communicating parties must have the same one-time pads, which presents a problem if communicating with many entities. No amount of computing power or time can increase the likelihood of breaking this type of cipher text.
After completing your e-commerce site SSL certificate setup and installation, you begin creating Microsoft PowerShell scripts to automate some of the other network administration tasks. You have some script files that need to be digitally signed so that they are trusted to run on computers in your environment. You have acquired a code-signing PKI certificate and need to back up the private key. Which file format should you choose during export? (Choose two.) A. DER B. PEM C. PFX D. CER E. P12 F. P7B
C. PFX E. P12 The personal information exchange format (PFX) and P12 file formats can be used to store private keys.
Which of these choices is NOT a key stretching algorithm? A. BCRYPT B. PBKDF2 C. RIPEMD D. All of these are key stretching algorithms
C. RIPEMD RIPEMD is a hashing algorithm, not a key stretching algorithm.
While setting up your company's e-commerce web server, you must protect multiple different domains, what type of certificate could you choose to use? A. CSR B. Domain validation C. SAN certificate D. Extended validation certificate
C. SAN certificate To protect multiple different domains, a subject alternative name (SAN) certificate could be used for domains such as zeus.uk and zeus.ca.
Which of the following is not a step taken to secure mail messages before they are sent using PGP and/or S/MIME? A. The plain-text message is compressed using ZIP technology (PGP only). B. A session key is created. C. The recipient's private key is added. D. The message is encrypted using the session key and a symmetrical encryption method.
C. The recipient's private key is added. Before S/MIME can be used one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA. The accepted best practice is to use separate private keys (and associated certificates) for signature and for encryption, private keys are not included into the messages.
Which protocol allows Extended XTACS authorization? This authentication is an extension of Cisco's proprietary authentication method (TACACS) that allowed user authentication. A. RADIUS B. TACACS+ C. XTACACS D. SAML
C. XTACACS XTACACS is a Cisco proprietary protocol extension that allows communication of a remote authentication server with a remote access server to determine if the user has access to the network.
Backups and RAID are examples of ______________. A. data in transit B. active data C. data at rest D. processing
C. data at rest Backups and RAID are examples of data at rest, meaning that the data is not currently being transmitted. Data in transit is information that is being sent over a network connection.
Which of these EAP Protocols are supported by WPA2 Enterprise? A. EAP-TLS B. EAP-TTLS C. EAP-FAST D. All of these
D. All of these
Which block cipher mode uses a feedback-based encryption method to ensure that repetitive data results in unique cipher text? A. ECB B. CTM C. GCM D. CBC
D. CBC Cipher Block Chaining (CBC) mode uses feedback information to help ensure that the current block cipher text differs from other blocks even if the exact same data is being encrypted.
In cryptography, when subtle input changes make a radical change in the output, this is referred to as which of the following? A. Collision B. Confusion C. Obfuscation D. Diffusion
D. Diffusion
Your security goal is to select the appropriate controls to maintain data confidentiality. Choose the value that does NOT fit. A. Encryption B. Access controls C. Steganography D. Hashing
D. Hashing When discussing security goals you will find them categorized into the following classifications: Confidentiality, Integrity, Availability, and Safety. Each classification is governed by a set of controls. To meet the goal of confidentiality you would use the controls provided with the exception of hashing which is associated with Data Integrity.
Bob claims that he didn't make a phone call from his office phone that you believe was a breach of company confidentiality policy. Telephone logs show that the call was in fact placed from Bob's phone. To support the assumption time clock records show that Bob was the only person working at the time the call was placed. What do these records show? A. Integrity B. Confidentiality C. Authentication D. Non-repudiation
D. Non-repudiation Non-repudiation offers proof that Bob was involved in the phone call made from his office.
It can be said that cryptography has four primary functions: confidentiality, authentication, integrity, and ___________________. A. Verification B. Secured distribution C. Adaptability D. Non-repudiation
D. Non-repudiation The practice of using a trusted third party to verify the authenticity of a party who sends a message.
Which of the following security features is not needed in a SAN? A. Firewall B. Antivirus C. User access control D. None of the above
D. None of the above SANs need all the security measures that are found in other networks.
Which is the protocol used by browsers to obtain the revocation status of a digital certificate attached to a website? A. CA B. PKI-R C. OSPF D. OCSP
D. OCSP The use of certificate revocation lists (CRL) to check SSL Certificate revocation has largely been replaced by the Online Certificate Status Protocol (OCSP). Instead of downloading a potentially large list of revoked certificates in a CRL, a client can simply query the issuing Certificate Authority's (CA) OCSP server using the certificate's serial number and receive a response indicating if the certificate is revoked or not.
An organization may employ which of these methods for root CA security? A. Intermediate CA B. OID C. Online CA D. Offline CA
D. Offline CA Keeping the root CA offline, or not directly connected to the network, provides an extra layer of security.
Which EAP option encapsulates the EAP connection in an encrypted and unauthenticated tunnel? A. EAP-FAST B. EAP-TLS C. LEAP D. PEAP
D. PEAP Protected Extensible Authentication Protocol (PEAP) creates a secure channel for user authentication using a server-side PKI certificate initially; then a symmetric session key is used for the remainder of the session.
An algorithm in which the encryption key can be calculated using the decryption key is referred to as which type of algorithm? A. Hashed B. Ciphertext C. Asymmetrical D. Symmetrical
D. Symmetrical Symmetric algorithms are algorithms that can be calculated from the decryption key.
Stream algorithms and Block algorithms are both categories of which algorithm type? A. Hashed B. Ciphertext C. Asymmetrical D. Symmetrical
D. Symmetrical Symmetric algorithms are algorithms that can be calculated from the decryption key.
Which of these is used with digital certificates to validate a main domain and its subdomains? A. Stapling B. Key escrow C. Certificate chaining D. Wildcard
D. Wildcard A wildcard digital certificate is used to validate a main domain and all of its subdomains.
Which of the choices listed below represents the best tool for exchanging privileged information with someone you've never met while using public key cryptography? A. Use PKI certificates B. Use the web of trust C. Encrypt all communications D. Use OCSP fingerprinting E. Use digital certificates
E. Use digital certificates Digital certificates are most commonly used to verify that a user sending a message is who he or she claims to be and to provide the receiver with the means to encode a reply.