Chapter 7
Which of the following algorithms is not supported by the Digital Signature Standard? (1) RSA, (2) Digital Signature Algorithm, (3) El Gamal DSA, or (4) Elliptic Curve DSA
(3) El Gamal. The DSS standards allows federal government use of the Digital Signature Algorithm, RSA, or the Elliptic Curve DSA in conjunction with the SHA-1 hashing function to produce secure digital signatures.
What is the key length for the DSA algorithm?
1,024 bits
What is the key length for the RSA algorithm?
1,024 bits
What is the key length for the elliptic curve algorithm?
160 bits
If your email message must maintain integrity, you must _________ the message
Hash it
Any ____________ can be defined by the following equation: y^2 = x^3 + ax + b
Elliptic curve
If you need confidentiality when sending an email message, _________ the message
Encrypt it
_______________ are the glue that binds the public key infrastructure together. They offer notarization services for digital certificates. Examples of the major CAs that provide widely accepted digital certificates: - Symantec, AWS, GoDaddy, Trustwave, Digicert, Entrust
Certificate authorities (CAs). Registration authorities (RA's) assist CA's with the burden of verifying users' identities prior to issuing digital certificates. They do not directly issue certifications themselves, but they play an important role in the certification process, allowing CAs to remotely validate user identities.
Which cryptographic algorithm forms the basis of the El Gamal cryptosystem? (1) Diffie-Hellman, (2) IDEA, or (3) RSA
Diffie-Hellman. The El Gamal cryptosystem extends the functionality of the Diffie-Hellman key exchange protocol to support the encryption and decryption of messages.
____________ software uses encryption to enforce copyright restrictions on digital media
Digital Rights Management
_______________ uses the SHA-1, SHA-2, and SHA-3 message digest functions along with one of three approvedencryption algorithms: (1) Digital Signature Algorithm [DSA], (2) RSA, or the Elliptic Curve DSA [ECDSA]
Digital Signature Standard (DSS)
If your email message needs authentication, integrity, and/or nonrepudiation, you should ____________ the message
Digitally sign it
If your email message requires confidentiality, authentication, integrity, and nonrepudiation, you should _________ and __________ the message
Encrypt and digitally sign
____________ , which is a step before obtaining a digital certificate, includes validating your identity to the CA. After validating identity, you provide your public key. CA then creates (with identifying information and a copy of the public key). They then sign the certificate with their private key and provides you with a copy of your signed certificate. You may then distribute the certificate to anyone with whom you want to communicate securely.
Enrollment
True or False: When encryption happens at the lower OSI layers, it is usually end-to-end encryption
False When encryption happens at the higher OSI layers, it is usually end-to-end encryption. If encryption is done at the lower layers of the OSI model, it is usually link encryption. Secure Shell (SSH) is a good example of an end-to-end encryption technique. SSH2 supports 3DES, Blowfish, and other algorithms.
True or False: Hashing algorithms require a cryptographic key
False. Hash functions do not include any element of secrecy, and therefore do not require a cryptographic key. However, the following are attributes of a hashing algorithm: (1) They are irreversible (2) It is very difficult to find two messages with the same hash value (3) They take variable-length input
What is the de facto standard for secure web traffic?
HTTPS. HTTPS is more secure than TLS or the even older SSL. Most web browsers support both standards, but many websites are dropping support for SSL due to security concerns.
SHA, MD2, MD4, MD5, HMAC, and HAVAL are examples of what?
Hashing algorithms
________ is primarily used for virtual private networks (VPNs). It is commonly paired with Layer 2 tunneling protocol as L2TP
IPsec. Provides a completed infrastructure for secured network communications. IP Sec relies on two main components: (1) Authentication Header, and (2) Encapsulating Security Payload (ESP).
In a ____________ attack, weaknesses in the implementation of a cryptosystem are exploited. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system
Implementation attack
If a single character of a sentence is changed after a hash function has already been created (using SHA-2), what happens to the new hash value?
It is completely different
_________ is a secure email system that combines the CA hierarchy with the "web of trust" concept - that is, you must become trusted by one or more users to begin using the system
Pretty Good Privacy (PGP). This is appealing because it removes the complexity of configuring and maintaining encryption certificates and provide users with a managed secure email service. You then accept their judgment regarding the validity of additional users and by extension, trust a multilevel "web" of users descending from your initial trust judgments. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version uses Diffie-Hellman key exchange, the Carlisle Adamas/Stafford Tavares (CAST) 128-bit encryption/decryption algorithm, and the SHA-1 hashing function.
Certificate recipients verify a certificate using the CA's _________ key
Public key
IPsec uses ___________ cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP-based protocols
Public key cryptography IPsec's primary use is for virtual private networks (VPNs). Provides a completed infrastructure for secured network communications.
__________ can be used to improve the effectiveness of a brute-force password cracking attack.
Rainbow tables. A rainbow table contains precomputed hash values for commonly used passwords and may be used to increase the efficiency of password cracking attacks.
The emerging standard for encrypted email messages is the _______________
S/MIME. Another popular email security tool is Phil Zimmerman's Pretty Good Privacy (PGP). Most users of email encryption rely on having this technology built into their email client or their web-based email service.
In a _____________ attack, statistical weaknesses are exploited in a cryptosystem, such as floating point errors and inability to produce truly random numbers.
Statistical attack They attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
_________ is the art of using cryptographic techniques to embed secret messages within another message
Steganography. Can be used for both illegitimate (eg. espionage) or legitimate purposes. Adding digital watermarks to documents to protect intellectual property is accomplished by means of steganography.
________ provides a common framework for encrypting network traffic and is built into a number of common operating systems
The IPsec protocol It is the standard set forth by the Internet Engineering Task Force (IETF) for setting up a secure channel to exchange information between two entities. Uses public key cryptography to provide encryption, access control, nonrepudiation, and message authentication, all using IP-based protocols.
________ uses certificate authorities to generate digital certificates containing the public keys of system users and digital signatures
The public key infrastructure (PKI)
If Bill wants to produce a message digest of a 2,048-byte message he plans to send to Mary, what size will the message digest be if he uses the SHA-1 hashing algorithm?
160-bit message digest. The SHA-1 hashing algorithm always produces a 160-bit message digest, regardless of the size of the input message. In fact, this fixed-length output is a requirement of any secure hashing algorithm.
What is the first step of digitally signing a message?
(1) Use a hashing function to generate a message digest. Then, (2) encrypt the digest with your private key.
SHA-2 produces a _________bit message digest
Variable lengths, ranging up to 512 bits SHA-2 Variants: SHA-256 produces a 256-bit message digest using a 512-bit block size. SHA-224 uses a truncated version of the SHA-256 hash to produce a 224-bit message digest using a 512-bit block size. SHA-512 produces a 512-bit message digest using a 1,024-bit block size SHA-384 uses a truncated version of the SHA-512 hash to produce a 384-bit digest using a 1,024-bit block size.
_______________ improves on WEP encryption by implementing Temporal Key Integrity Protocol (TKIP), eliminating the cryptographic weaknesses that undermined WEP.
WiFi Protected Access (WPA). A further improvement to the technique, WPA2, adds AES cryptography. WPA2 provides secure algorithms appropriate for use on modern wireless networks.
What are the two main types of wireless security?
Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA)
_______, released in 2015, improves upon security of SHA-2
SHA-3. Offers the same variants as SHA-2 but using a more secure algorithm
True or False: As with HTTPS over SSL, HTTPS over TLS uses TCP port 443
True TLS is a replacement for SSL.
A _______ attack, also known as a collision attack or reverse hash matching, seeks to find flaws in the one-to-one nature of hashing functions. In this attack, the malicious individual seeks to substitute in a digitally signed communication of a different message that produces the same message digest, thereby maintaining the validity of the original digital signature.
Birthday attack
The __________ attack is an attempt to find collisions in hash functions
Birthday. Malicious individual seeks to substitute in a digitally signed communication a different message that produces the same message digest, thereby maintaining the validity of the original digital signature.
____________ are attempts to randomly find the correct cryptographic key
Brute-force attacks
_______________ attacks attempt every possible valid combination for a key or password. They will always be successful given enough time, but the time is hindered by the key size length.
Brute-force attacks Rainbow tables (which provide precomputed values for cryptographic hashes - used for cracking passwords stored in a system in hashed form) and specific hardware can be used to enhance the effectiveness of these attacks. Use cryptographic salt - a random value that is added to the end of the password before the OS hashes the password. Key stretching also adds security and makes it difficult to guess a password.
What is the major disadvantage of using certificate revocation lists? (1) Latency, or (2) Record Keeping
Certificate revocation lists introduce an inherent latency to the certificate expiration process due to the time lag between CRL distributions.
In a _______________ attack, the attacker has ability to decrypt chosen portions of the ciphertext message and use the decrypted portion of the message to discover the key.
Chosen ciphertext attack
In a ______________ attack, the attacker has ability to encrypt plaintext messages of their choosing and can then analyze the ciphertext output of the encryption algorithm
Chosen plaintext attack
In a ____________ attack, the only information you have at your disposal is the encrypted ciphertext. Counting the number of times each letter appears in the ciphertext. Using this, several hypotheses can be tested.
Ciphertext only attack / Frequency Analysis Frequency analysis can help count ciphers, the number of times each letter appears in the ciphertext.
PBKDF2, bcrypt, and scrypt are common password hashing algorithms that use ___________ to further increase the difficult of attack
Key stretching
In a ____________ attack, the attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy).
Known plaintext attack This knowledge greatly helps the attacker in breaking weaker codes.
______ algorithms are no longer accepted as suitable hashing functions
MD5
In a _____________ attack, a malicious individual sits between two communicating parties and intercepts all communications (including the setup of the cryptographic session).
Man in the middle The attacker responds to the originator's initialization requests and sets up a secure session with the originator. The attacker then establishes a second secure session with the intended recipient using a different key and posing as the originator. The attacker can then sit in the middle of the communication and read all traffic as it passes between the two parties.
The ___________ attack fools both parties into communicating with the attacker instead of directly with each other
Man-in-the-middle attack. A malicious individual sits between two communicating parties and intercepts all communications (including the setup of the cryptographic session).
Attackers might use a _____________ attack to defeat encryption algorithms that use two rounds of encryption. It is the reason 2DES was quickly discarded and replaced with 3DES. Attacker uses a known plaintext message. The plaintext message is then encrypted using every possible key (k1), and the equivalent ciphertext is decrypted using all possible keys (k2). When a match is found, the corresponding pair (k1, k2) represents both portions of the double encryption.
Meet in the middle This type of attack generally takes only double the time necessary to break a single round of encryption, offering minimal added protection (2^n).
The __________ attack exploits protocols that use two rounds of encryption
Meet-in-the middle attack
The certificate revocation list contains the _________ of digital certificates issues by a certificate authority that have later been revoked
Serial numbers This is the element of the certificate that goes on the CRL when adding to the list.
The two goals of a digital signature system are to: - Assure the recipient that the message truly came from the sender (nonrepudiation) - Assure recipient that the message was not altered (integrity and authentication)
True
True or False: Although generally used to connect two networks, IPsec can be used to connect individual computers, such as a server and a workstation or a pair of workstations (sender and receiver, perhaps).
True
True or False: At runtime, you set up an IPsec session by creating a security association will be set up (SA), which represents the communication session and records any configuration and status information about the connection.
True
True or False: Every additional bit of key length doubles the time to perform a brute-force attack because the number of potential keys doubles
True
Another commonly used wireless security standard, ____________, provides a flexible framework for authentication and key management in wired and wireless networks. To use this, the client runs a software called a supplicant, which communicates with the authentication server.
802.1x After successful authentication, the network switch or wireless access point allows the client to access the network. WPA was designed to interact with 802.1x authentication servers.
In a ___________ attack, an algebraic manipulation attempts to reduce the complexity of an algorithm. They focus on the logic of the algorithm itself.
Analytic attacks
______ provides the framework for the digital signing of messages to ensure nonrepudiation and message integrity
Asymmetric key cryptography
The _________ attack is used against algorithms that don't incorporate temporal protections. In this attack, the malicious individual intercepts an encrypted message between two parties (often a request for authorization) and then later replays the captured message to open a new session.
Replay attack This can be defeated by incorporating a time stamp and expiration period into each message.
True or False: Self-signed digital certificates should only be used for internal-facing applications, where the user base trusts the internally generated digital certificate
True
True or False: Specialized password hashing functions, such as PBKDF2, bcrypt, and scrypt allow for the creation of hashes using salts
True
True or False: WPA does not provide an end-to-end security solution. It encrypts traffic only between mobile computer and the nearest wireless access point. Once the traffic hits the wired network, it's in the clear again.
True
True or False: The Internet Security Association and Key Management Protocol (ISAKMP) provides background security support services for IPsec by negotiating, establishing, modifying, and deleting security associations.
True IPsec relies on a system of security associations. SAs are managed through the use of ISAKMP. The four basic requirements for ISAKMP are: (1) Authenticate communicating peers (2) Create and manage security associations (3) Provide key generation mechanisms (4) Protect against threats (for example, replace and denial-of-service attacks)
True or False: With a transposition cipher, the letters within the plaintext message are rearranged and not altered
True If common letters in the english language are used, it is probably a transposition cipher. If other letters than the most common are in the cipher, then it is probably some form of substitution cipher which replaced the plaintext message.
True or False: WEP provides 64 and 128 bit encryption options to protect communications within the wireless LAN.
True It is described in IEEE 802.11 as an optional component of the wireless networking standard. You should never use WEP encryption on a wireless network.
True or False: In Transport Layer Security (TLS), both the server and the client first communicate using an ephemeral symmetric session key
True. They exchange this key using asymmetric cryptography, but all encrypted content is protected using symmetric cryptography
What are the two protocols that IPsec uses (not modes)?
(1) Authentication Header (AH). This provides assurances of message integrity and nonrepudiation. Also provides authentication and access control and prevents replay attacks. (2) Encapsulating Security Payload (ESP). Provides confidentiality and integrity of packet contents. It provides encryption and limited authentication and prevents replay attacks.
What is the first step to verify the digital signature?
(1) Decrypt the signature with the sender's public key. Then (2) compare the message digest to one you generate yourself. If they match, the message is authentic.
What are the three types of attacks that require an attacker to have extra information in addition to the ciphertext?
(1) Known plaintext, (2) Chosen ciphertext, (3) Chosen plaintext Known Plaintext - Attacker has a copy of the encrypted message along with the plaintext message used to generate the ciphertext (the copy). Chosen Ciphertext - Attacker has ability to decrypt chosen portions of the ciphertext message and use decrypted portion to discover the key. Chosen Plaintext - Attacker has ability to encrypt plaintext messages of their choosing and can then analyze the ciphertext output of the encryption algorithm.
In asymmetric cryptography.... to encrypt a message, use the ___(1)____ key, and to decrypt a message, use ___(2)__ key
(1) Recipient's public key, (2) Your own private key
What are the two modes with regards to IPSec?
(1) Transport mode - Only the packet payload is encrypted. Packet contents are encrypted for peer-to-peer communication. Designed for peer to peer communication. (2) Tunnel mode - The entire packet, including header information, is encrypted for gateway to gateway communication.
In asymmetric cryptography.... to sign a message, use the ___(1)____ key, and to validate a signature, use ___(2)__ key
(1) Your own private key, (2) Sender's public key
Which TCP/IP communications port is used by Transport Layer Security traffic? (1) 220, (2) 443, or (3) 559
(2) 443. Transport Layer Security uses TCP port 443 for encrypted client-server communications.
Which cryptosystem provides the encryption/decryption technology for the commercial version of Phil Zimmerman's Pretty Good Privacy secure email system? (1) El Gamal, (2) IDEA, or (3) ROT13
(2) IDEA. Pretty Good Privacy uses a "web of trust" system of digital signature verification. The encryption technology is based on the IDEA private key cryptosystem.
Which of the following encryption algorithms is now considered insecure: (1) El Gamal, or (2) Merkle-Hellman Knapsack
(2) Merkle-Hellman Knapsack. This algorithm, which relies on the difficulty of factoring super-increasing sets, has been broken by cryptanalysts.
What encryption technique does WPA use to protect wireless communications? (1) AES, (2) TKIP, or (3) 3DES?
(2) TKIP. The WPA Protected Access (WPA) uses the Temporal Key Integrity Protocol (TKIP) to protect wireless communications. WPA2 uses AES encryption.
Which International Telecommunications Union (ITU) standard governs the creation and endorsement of digital certificates for secure electronic communication? (1) X.905, or (2) X.509?
(2) X.509. This standard governs digital certificates and the public-key infrastructure (PKI). It defines the appropriate content for a digital certificate and the processes used by certificate authorities to generate and revoke licenses.
Which of the following links would be protected by WPA encryption? (1) Router to firewall, (2) Wireless access point to router, or (3) Client to wireless access point
(3) Client to wireless access point. The Wi-Fi Access protocol encrypts traffic passing between a mobile client and the wireless access point. It does not provide end-to-end encryption.
Which of the following technologies is considered flawed and should not be used? (1) TLS, (2) PGP, or (3) WEP
(3) WEP. The WEP algorithm has documented flaws that make it trivial to break. It should never be used to protect wireless networks.
If a 1,024 bit RSA encryption standard is used and one wants to switch to an elliptic curve cryptosystem (while maintaining the same cryptographic strength), what ECC key length should it use? (1) 160 bits, (2) 512 bits, or (3) 2,048 bits
160 bits. The elliptic curve cryptosystem requires significantly shorter keys to achieve encryption that would be the same length as encryption achieved with the RSA encryption algorithm.
SHA-1 produces a ________ bit message digest
160-bit The SHA-1 algorithm processes a message in 512-bit blocks. Cryptoanalytic attacks demonstrated that there are weaknesses in SHA-1 algorithm.
If a 2,048 bit plaintext message were encrypted with the El Gamal public key cryptosystem, how long would the resulting ciphertext be?
4,096 bits. The major disadvantage of the El Gamal cryptosystem is that it doubles the length of any message it encrypts. This presents a major hardship when encrypting long messages or data that will be transmitted over a narrow bandwidth communications circuit.
Adding _____ to passwords before hashing them reduces the effectiveness of rainbow table attacks.
Cryptographic salts
_______________ provides communicating parties with assurance that people are who they claim they are. Endorsed copies of an individual's public key. X.509 is the international standard governing their construction.
Digital certificates They are essentially endorsed copies of an individual's public key. When users verify that a certificate was signed by a trusted certificate authority (CA), they know that the public key is legitimate.
____________ solutions allow content owners to enforce restrictions on the use of their content by others.
Digital rights management (DRM).
The _________________ process does not inherently guarantee privacy (only integrity, nonrepudiation, and authentication).
Digital signature After appending a signed message digest to a message, encrypt the entire message with the recipient's public key. This will allow for privacy.
Once a cryptographically sound hashing algorithm has been chosen, you can use it to implement a ______________________ system.
Digital signature. Digital signature algorithms rely on a combination of public key cryptography and hashing algorithms.
What are the other two major public key cryptosystems, other than RSA
El Gamal - Extension of the Diffie-Hellman key exchange. Since El Gamal did not obtain a patent, it is freely available for use unlike the then-patented RSA technology. Elliptical Curve algorithm - depends on the elliptic curve discrete algorithm problem and provides more security than other algorithms when are used with keys of the same length.
______________________ are hardware devices that store and manage encryption keys. Store encrypted keys on a USB drive for personal use. Cloud providers, such as Amazon and Microsoft, offer cloud-based ________ that provide secure key management for IaaS services
Hardware security modules (HSMs)
____________ implements a partial digital signature. guarantees integrity, but does not provide for nonrepudiation
Hashed message authentication code (HMAC) algorithm. Technically a digital signature algorithm (partial). Uses a hashing algorithm but with a shared private key. Therefore does not offer nonrepudiation. However, it operates in a more efficient manner than the digital signature standard. May be suitable for applications in which symmetric key cryptography is appropriate. Halfway point between unencrypted use of a message digest algorithm and computationally expensive digital signature algorithms.
(1) Input of any length, (2) Fixed-length output, (3) make it relatively easy to compute the hash function for any input, (4) Provide one-way functionality, and (5) Be collision free are fundamental requirements of a _________________
Hashing function
Jim wants to digitally sign the message he's sending to Sue so that Sue can be sure the message came from him without modification while in transit. Which key should he use to encrypt the message digest?
His private key. When sue receives the message, she will decrypt the digest with Richard's public key and then compute the digest herself. If the two digests match, she can be assured that the message truly originated from Richard.
________ is typically used to establish a direct communication between computers
IPsec. It is a framework for setting up a secure communication channel.
Which type of cryptographic attack rendered Double DES (2DES) no more effective than standard DES encryption?
Meet-in-the-middle attack. It demonstrated that it took relatively the same amount of computation power to defeat 2DES as it does to defeat the standard DES. This led to the adoption of Triple DES (3DES) as the standard for government communication.
Hash functions take a potentially long message and generate a unique output value derived from the content of a message, commonly referred to as the __________________
Message digest. Message digest can also be used interchangeably with a wide variety of synonyms, including hash, hash value, hash total, CRC, fingerprint, checksum, and digital ID. In most cases, a message digest is 128 bits or larger. In most cases, the longer the message digest, the more reliable it's verification of integrity.
The major strength of _____________ is ability to facilitate communication between parties previously unknown to each other
Public key infrastructure (PKI) Public key infrastructure is a hierarchy of trust relationships. Hybrid cryptography, using a combination of asymmetric, symmetric, hashing, and digital certificates
________ is the most famous public key cryptosystem
RSA algorithm. It depends on the computational difficulty inherent in factoring large prime numbers.
The ________ attack is an attempt to reuse authentication requests
Replay attack. Malicious individual intercepts an encrypted message between two parties and then later replays the captured message to open a new session. This can be defeated by incorporating a time stamp and expiration period into each message.
________ is the hashing algorithm making up the government standard message digest function
SHA-1 and SHA-2.
An attack in 2014 - Padding Oracle On Downgraded Legacy Encryption (POODLE) - demonstrated a significant flaw in ___________
SSL Significant flaw in the SSL 3.0 fallback mechanism of TLS. In an effort to remediate this vulnerability, many organizations completed dropped SSL support and now rely solely on TLS security.
____________, which is an encryption mechanism used for web application that was created by Netscape, to provides client/server encryption for web traffic.
Secure Sockets Layer (SSL) Hypertext Transfer Protocol Secure (HTTPS) uses port 443 to negotiate encrypted communication sessions between web servers and browser clients. The incorporation of this into popular web browsers (including Internet Explorer) made SSL the de facto internet standard.
_____________________ has emerged as the de facto standard for encrypted email. Uses RSA encryption algorithm and has received backing of major industry players, including RSA security.
Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME has been incorporated in Microsoft Outlook and O365, Mozilla Thunderbird, Mac OS X Mail, and GSuite Enterprise Edition. Relies on use of X.509 certs. RSA is the only public key cryptographic protocol supported by S/MIME. S/MIME supports AES and 3DES symmetric encryption algorithms. Although major desktop mail applications support S/MIME email, mainstream web-based email systems do not support it out of the box because of technical limitations (the use of browser extensions are required).
True or False: Keys used within public key systems must be longer than those used in private key systems to produce cryptosystems of equivalent strengths
True
True or False: The Secure Hash Algorithm (SHA) and its successors, SHA-1, SHA-2, and SHA-3 are government standard hash functions promoted by the NIST and are specified in an official government publication - the secure hash standard (SHS), also known as Federal Information Processing Standard (FIPS) 180.
True
True or False: The elliptic curve discrete logarithm problem is harder to solve than both the prime factorization problem that RSA is based on and the standard logarithm problem utilized by Diffie-Hellman and El Gamal
True
True or False: The following are the five basic requirements of a cryptographic hash function: (1) The input can be of any length (2) The output has a fixed length (3) The hash function is relatively easy to compute (4) The hash function is one-way (5) The hash function is collision free (extremely hard to find two messages that product the same hash value)
True
True or False: The security of asymmetric cryptosystems relies on the difficulty of reversing a one-way function
True
The two types of encryption techniques used to protect data traveling over networks includes (1) Link encryption, and (2) End to end encryption
True (1) Link encryption protects the entire communications circuits by creating a secure tunnel between two points using either a hardware solution or a software solution that encrypts all traffic entering one end of the tunnel and decrypts all traffic entering the other end of the tunnel. (2) End to end encryption protects communications between two parties (eg. a client and a server) and is performed independently of link encryption.
True or False: Operating systems now include disk encryption capabilities to make it easy to apply and manage encryption on portable devices.
True For example - Mac OS X includes FileVault encryption, Windows includes BitLocker and Encrypting File System (EFS) technologies, VeraCrypt open source can be used on Linux, Windows and Mac.
True or False: Digital certificates may need to be revoked due to compromise, erroneous issuance, or security associated change
True For example, a certificate was compromised (eg the owner gave away their private key), the certificate was erroneously issued, the details of the certificate changed, or the security association changed. Two methods can be used to verify the authenticity of certificates and identify revoked certificates: (1) Certificate revocation lists [CRL], and (2) Online Certificate Status Protocol [OCSP]. CRLs are subject to latency/lag in updating the lists, however they are the most common method for checking cert status today. OCSP provides real-time certificate verification.
True or False: HAVAL (hash of variable length) is a modification of MD5 (Message Digest 5). It produces hash values of 128, 160, 192, 224, and 256 bits.
True HAVAL is an encryption algorithm
True or False: MD5 processes 512-bit blocks of a message, but uses four distinct rounds of computation to produce a digest of the same length as the MD2 and MD4 algorithms (128 bits).
True MD5 protocol is subject to collisions, preventing its use for ensuring message integrity.
True or False: MD2 generates a 128-bit message digest. MD2 is not a one-way function and should no longer be used.
True Message Digest 2 algorithm (which was developed by Ronald Rivest [from RSA]).
True or False: If message digests do not match, that means the message was somehow modified in transit
True Messages must be exactly identical for the digests to match
True or False: The MD2, MD4, and MD5 algorithms are no longer accepted as suitable hashing functions.
True The final output of the MD4 algorithm is a 128-bit message digest.
True or False: The DSS specifies 3 approved standard encryption algorithms: - Digital Signature Algorithm (DSA) - Rivest-Shamir-Adleman (RSA) - Elliptic Curve DSA (ECDSA)
True Two others that should be recognized by name are Schnorr's algorithm and Nyberg-Rueppel's signature algorithm.
True or False: When you receive a digital certificate from someone with whom you want to communicate, you verify the certificate by checking the CA's digital signature using the CA's public key.
True You check to make sure that the certificate was not revoked using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP).
True or False: Certificate path validation (CPV) refers to each certificate in a certificate path from the original start or root of trust down to the server or client in question is valid and legitimate.
True. It can be important if you need to verify that every link between "trusted" endpoints remains current, valid, and trustworthy.
True or False: The critical difference between the link encryption and end-to-end encryption is that in link encryption - all the data (including header/trailer, address, and routing data) is also encrypted.
True. Therefore, each packet has to be decrypted at each hop so it can be properly routed to the next hop, which slows the routing. End-to-end encryption does not encrypt the header, trailer, address, and routing data, so it moves faster from point to point, but is more susceptible to sniffers and eavesdroppers.
True or False: NIST specifies the digital signature algorithms acceptable for federal government use in FIPS 186-4, also known as the Digital Signature Standard (DSS).
True. This document specifies that all federally approved digital signature algorithms must use the SHA-3 hashing functions.
True or False: SSL's goal is to create secure communications channels that remain open for an entire web browsing session.
True. Depends on a combination of symmetric and asymmetric cryptography. SSL relies on the exchange of server digital certificates to negotiate encryption/decryption parameters between the browser and the web server.
True or False: Steganographic algorithms work by making alterations to the least significant bits of the many bits that make up image files
True. The changes are so minor that there is no appreciable effect on the viewed image.
Most modern computers have a _________________ chip on their motherboard that stores and manages keys for full disk encryption (FDE) solutions.
Trusted Platform Module (TPM) It provides the operating system with access to the keys, preventing someone from removing the drive from one device and inserting it into another device to access the drive's data.