ITN 262 Final

Number of keys in a secret-key algorithm

1

Block size of AES

128

Key sizes of AES

128, 192, 256

The U.S. government standards published by NIST recommended that a secret key be used for no more than _______ years before changing it.

2

When encrypting a file, a fully punctuated passphrase should have a minimum of ________ characters.

20

What is the key size of DES?

56

What is the block size of DES?

64

Wireless Protected Access, version 2 (WPA2) falls under:

802.11.

Destination IP address field

Contains the IP address of the receiving host

Source IP address field

Contains the IP address of the sending host

IP checksum field

Contains the checksum of the IP header fields

Data field

Contains the header indicated by the Type field and the data contents

TTL field

Counts the number of times a packet passes through a router

A simple gateway as described in Section 12.4 can filter on a variety of packet contents. Select all types of packets listed below that a simple gateway can filter.

e) Broadcasts c) ICMP d) IP addresses b) Web traffic

Encrypting the key itself using a passphrase is called __________.

key wrapping

Producing one encryption key for each cryptonet or communicating pair and distributing that key to the appropriate endpoints is called:

manual keying.

We use cryptography to apply all of the following protections to network traffic, except:

reliability

Volume encryption protects data on a computer against:

theft

Handshake protocol

Establishes the shared secret and the keys to be used to protect SSL traffic

Scavenge keys from powered-off RAM

Extract keys from cooled RAM chips

Port 21

FTP

True or False? After changing an encryption key, all backup copies of the protected file are also protected by the new key.

False

Establishes protocol standards used on the internet

Internet Engineering Task Force (IETF)

A protocol that establishes security associations (SAs) between a pair of hosts is:

Internet Key Exchange (IKE).

Uses the destination's IP address to choose the packet's MAC address.

Internet layer

Uses the MAC address to construct the link layer header.

Link layer

16 bits

Port number

Port 25

SMTP

Port 22

SSH

Build a unique TEK from nonces and a secret

Shared secret hashing

We are implementing volume encryption using ESSIV mode, as discussed in Section 9.4.2. Which of the following statements are true about the implementation? Select all that apply.

The mode uses sector numbers to vary the information in the ciphertext. c) All sectors use the same block cipher key.

Next header

The numeric code for the protocol appearing in the first header in the encrypted payload

Record protocol

Transfers information using a symmetric cipher and integrity check

Which of the following is correct about the nmap utility? Select all that apply. Note: nmap does not graphically "map"; rather, it scans and reports what it finds in text.

a) Maps all devices on a LAN c) Identifies the versions of network protocol software each host is running

We receive several blocks of ciphertext in CTR mode. An error has changed a single bit in the middle of the ciphertext. How much of the plaintext will be affected by the error when we decrypt it?

a) One bit

Which two of the following answers indicate the Internet crypto services providing end users with the easiest key management?

a) SSL/TLS b) IPsec gateways

Which of the following network protocols typically provide application transparency? Select all that apply.

a) Wi-Fi Protected Access b) IPsec

The general objective of wireless defense was to implement a virtual boundary that includes __________ computers and excludes other _________.

a) authorized client; clients

Using the Diffie-Hellman algorithm:

a) both participants in the exchange must have a public/private key pair.

Used by a server when a client's connection arrives

accept()

File encryption protects data on a computer against all of the following, except:

c) Trojan crypto.

Which wireless security protocol is recommended for use today?

d) WPA2 with AES

In 2008, researchers at Princeton University demonstrated techniques to retrieve RAM contents after the computer had been powered off. They then extracted drive encryption keys from RAM and used them to decrypt an encrypted drive. This is called a(n):

d) cold-boot attack.

When we share a key with two or more people, we refer to that group as being the:

d) cryptonet.

The principal weakness is its key size

DES

A(n) __________ uses asymmetric keys to sign or verify digital data.

digital signature

Eavesdrop on a software encryption process

A computer process "listens" to the encryption or decryption process and sniffs the key schedule

Bob and Alice want to construct a shared secret key using Diffie-Hellman. Which components will Bob use to construct the shared secret?

Alice's public key and Bob's private key

True or False? Exterior routing relies on interior routers.

False

True or False? In manual keying, two encryption keys are produced for each cryptonet or communicating pair and those keys are distributed to the appropriate endpoints.

False

True or False? Network address translation (NAT) prevents hosts on a LAN from sharing the global IP address assigned by the ISP.

False

True or False? The underlying code of the Rijndael algorithm was leaked to the public in 1994, allowing for successful attacks against data encrypted with Rijndael.

False

True or False? There is a single, global public-key infrastructure (PKI).

False

True or False? WPA2 uses public key encryption with the "counter and CBC MAC" (CCM) mode.

False

True or False? When replacing crypto keys, they must be all replaced 1 month at a time.

False

Port 80

HTTP

Alert protocol

Indicates errors and the end of a secure session

Type field

Indicates the type of TCP/IP transport protocol carried by this IP packet

Is DES a U.S. standard key?

Originally, but now no

Uses the port number to route traffic to an application.

Transport layer

Each encryption operation may use a separate 56-bit key

Triple DES

Which authentication pattern may be implemented with no cryptography at all?

a) Local authentication

What was the first web browser to use public key certificates?

a) Netscape Navigator

We receive several blocks of ciphertext in OFB mode. An error has changed a single bit in the middle of the ciphertext. How much of the plaintext will be affected by the error when we decrypt it?

a) One bit

A cryptonet:

a) is two or more people who share an encryption key.

What RSA attack relies on a mathematical test to reduce the risk that the chosen number isn't really a prime number?

b) Bogus primes

In the 1970s, the _________ was the only organization in the U.S. government with cryptographic expertise.

b) NSA

We receive several blocks of ciphertext in ECB mode. An error has changed a single bit in the middle of the ciphertext. How much of the plaintext will be affected by the error when we decrypt it?

b) One block

What role does the trusted third party serve in public-key certificates? Select all that apply.

b) Publishes its own public key so others can use it to verify the certificates it issues a) Signs public-key certificates using its private key

Alice is using file encryption on her laptop. Which of the following attacks are blocked by file encryption, instead of other techniques, like volume encryption or access controls?

b) Someone steals Alice's laptop. c) Kevin gives Alice a program with a Trojan horse that steals sensitive files from her and emails them to him.

1111 1111 - 1111 1111 - 1111 0000 - 0000 0000 is an example of a(n):

b) binary network mask.

Secure Sockets Layer (SSL):

b) may display a padlock on a Web page to indicate SSL protection.

Which of the following key sizes are supported by Triple DES? Select all that apply.

c) 112 e) 168 56

True or False? Two users can construct a shared secret by sharing Diffie-Hellman private keys.

False

We receive several blocks of ciphertext in CFB mode. An error has changed a single bit in the middle of the ciphertext. How much of the plaintext will be affected by the error when we decrypt it?

c) One bit and one block

Shares a separate KEK with each registered user

Key distribution center

Scavenge keys from swap files

Key schedule and possibly the key are extracted from paging file after RAM is written to the hard drive

Associate the following concepts with the appropriate secret-key building blocks.

Key wrapping

A DVD's key is encrypted with how many player keys?

c) 409 keys

TCP and the User Datagram Protocol (UDP) provide _________ between processes on any two of those hosts.

c) data transport

Access control protects data on a computer against:

c) hostile users.

Encrypting an encryption key using a passphrase is called:

c) key wrapping.

Which of the following are valid private IP addresses? Select all that apply.

d) 172.30.222.111 b) 192.168.1.270 a) 10.96.16.114

Digital signatures may be used to provide:

nonrepudiation

Used by server or client to write data to a connection

sendto()

Subdomain name assigned by the domain registrar

umn

The principal application of IPsec is:

virtual private networking.

Which interface provides a well-known way of addressing hosts and processes on a computer and of writing client or server software?

Socket interface

The ______ was carefully designed so that the network protocols worked seamlessly across a broad range of computing equipment.

ARPANET

Each _______ is essentially a(n) _______ that handles routing between its networking customers.

AS; ISP

True or False? A digital signature uses symmetric keys to sign or verify digital data.

False

Handles a cluster of networks, usually for paying customers

Internet Service Provider (ISP)

TFC padding

Random data intended to defeat traffic analysis

Performs 10 rounds when encrypting with a 128-bit key

Rijndael

Payload data

The headers and data being encrypted

True or False? Address scope is based on the protocol layer at which the address is defined.

True

Routing devices on the early ARPANET were called:

b) IMPs.

How does WPA2 encrypt a stream of data?

b) It uses AES with a Counter mode.

Bob and Raj share a file under two-person control: Neither can open the file unless both provide their passphrases. Which of the following are true? Select all that apply.

) Bob and Raj provide separate KEKs to produce the CEK. e) Bob and Raj share a CEK. b) Bob and Raj do not share a KEK.

48 bits

How long is a MAC address?

Which tool collects network traffic and displays it as a sequence of packets?

Wireshark

We are trying to protect our traffic as much as possible from sniffing. To minimize the risk, should we encrypt as much of our packets as possible, including headers?

Yes, because plaintext headers open our network messages to traffic analysis.

Key secrecy in a secret-key algorithm

All keys are kept secret

128 bits

An IPv6 address consists of this.

This layer is not used in routing.

Application layer

__________ rely on traffic analysis when the defenders use encryption that is too difficult to attack.

Attackers

Organizes the internet into clusters of networks for routing

Autonomous system (AS)

Routes network traffic between ASes

Border routers

True or False? A bit-flipping attack is not knowing what the message says and changing it bit by bit.

False

True or False? A router changes everything past the IP header.

False

True or False? Each site's router contains the complete path followed by every packet arriving at that site.

False

True or False? ICANN stands for Internet Communications for Assigned Numbers and Networking

False

True or False? Private addressing occurs when an ISP is assigned an IP address.

False

True or False? SSL works on top of IPsec and applies security to an orderly stream of bytes moving between a client and server.

False

True or False? The Diffie-Hellman cipher is a full encryption method.

False

True or False? The IP header and all remaining packet contents are never encrypted.

False

True or False? The Key Distribution Center (KDC) greatly simplifies key management. Each host must establish multiple "KDC keys" that it shares with the KDC.

False

32 bits

IPv4 address

Fragment field

Manages the fragmentation and reassembly of IP packets

In typical applications, does SSL provide application transparency?

No, because the SSL software is traditionally integrated into the application software package and is not supported unless the application specifically provides it.

An initialization vector is most similar to which of the following?

Nonce

Which of the following are true about the development of DES? Select all that apply

The algorithm was officially published to allow its general-purpose use. e) The rationale for the algorithm design was kept secret. f) The U.S. government adopted the algorithm as an official federal standard for encryption.

True or False? A 192-bit secret key, on average, has 2^191 keys to crack.

True

True or False? A certificate authority is a trusted third party that issues certificates on behalf of some organization.

True

True or False? A keyed hash gives us a way to verify that some of our own data has not been modified by an attacker or someone who doesn't have the secret key.

True

True or False? A tweakable cipher includes a third input, a nonce-like value that modifies the encryption without the cost of changing the encryption key.

True

True or False? Changing a single bit of a block cipher's input affects the entire output block.

True

True or False? Cipher block chaining (CBC) is a widely used cipher mode that requires plaintext to be a multiple of the cipher's block size.

True

True or False? Eavesdropping without interfering with communications would be considered a passive attack.

True

True or False? IP provides global addressing for internet hosts.

True

True or False? Private IP addresses may only be used on a private network.

True

True or False? Randomized requests are a part of the DNS security improvements.

True

True or False? S-boxes are special data structures that control substitutions in block ciphers.

True

True or False? Self-rekeying transforms an existing encryption key into a new one using a pseudorandom number generator.

True

True or False? The ARP cache contains every MAC address and corresponding IP address the host will use.

True

True or False? The Internet Control Message Protocol (ICMP) provides status messages that report errors detected while routing internet packets.

True

True or False? The Internet Corporation for Assigned Names and Numbers (ICANN) manages the distribution of domain names and IP addresses.

True

True or False? The internet layer of every such protocol stack contains a routing table that chooses a network and/or MAC address for the outgoing packet.

True

True or False? The time to live (TTL) field in an IP header counts the number of hops a packet takes through routers on its way to its destination.

True

True or False? Though vulnerabilities exist, most DNS transactions take place without trouble or interference.

True

True or False? We clearly need to use encryption if we wish to protect against sniffing.

True

True or False? When internet technology connects two networks with separate link layers together, each individual network is called a subnet.

True

True or False? When you visit a website with an "https" prefix in the address, the site uses encryption on the web data it sends and receives.

True

True or False? You can wrap a secret key with RSA.

True

Number of keys in a public-key algorithm

Two different, but related keys

Symmetry of keys in a public-key algorithm

Uses asymmetric keys

A tool that captures packets on a network and helps you analyze the packets is:

Wireshark

Virtual private networking is used primarily for encrypting:

a connection between two sites across the internet.

An Advanced Encryption Standard (AES) key may not be:

a) 16 bits in length.

Bob needs to deploy an efficient block cipher. He has a choice between 128-bit AES and Triple DES using three different keys. Which of the following statements is most accurate about these choices?

a) AES is more efficient than triple DES and it provides better security.

Alice is using volume encryption on her laptop. Which of the following attacks are blocked by volume encryption, instead of other techniques, like file encryption or access controls? Select all that apply.

a) Alice forgets to explicitly encrypt a sensitive file. b) Someone steals Alice's laptop.

We have an operating system that includes built-in file encryption. When we consider the layers of system software, where does the file encryption reside?

a) Between the file system and the application layer.

The element that automatically assigns an IP address to a newly-appearing LAN host is:

a) Dynamic Host Configuration Protocol (DHCP).

What is the single most important feature of stream encryption that could prevent reused key streams?

a) Incorporating a nonce

A block cipher algorithm operates more slowly if we change the key every time we use it. Which of the following concepts is most responsible for this delay?

a) Key expansion

Which of the following are true about the development of AES? Select all that apply.

a) The algorithm was officially published to allow its general-purpose use. c) The algorithm was chosen based on published criteria. d) The algorithm was chosen by comparing it to other algorithms. f) The U.S. government adopted the algorithm as an official federal standard for encryption. b) The algorithm was chosen from a group of candidates.

When encrypting data with a block cipher, each repetition is called a:

a) round.

When we place crypto in different protocol layers, we often balance two important properties:

application transparency and network transparency.

Below are statements about ARP and routing. Select all that are true.

b) ARP can provide the MAC address of a gateway router if the router's IP address is known. d) ARP requests are broadcast to all hosts on a given local network. a) A host can rely exclusively on ARP to route packets between hosts on its local network.

Section 8.1.1 discusses NIST recommendations for cryptoperiods. Which of the following best summarizes the recommendations?

b) Issue a new key at least every 2 years and use that key for all subsequent encryption tasks. Use old keys for decryption only as needed.

Why should a self-encrypting hard drive wrap its working keys when the drive is locked?

b) It protects the key from electronic probing and extraction even if the drive is powered off.

Why does nmap pose a risk when scanning a host or network?

b) It sends numerous messages to hosts and networks, which could interfere with more important network traffic.

Which type of attack is a bit-flipping attack?

b) Known plaintext

DNS by itself provides specific services, not including services that a domain registrar might provide to customers. Which of the following services are part of DNS as opposed to additional services provided by registrars? Select all that apply.

b) Map a domain name to an email server's IP address a) Map a domain name to an IP address

Which of the following are practical risks that apply to software-based volume encryption systems? Select all that apply.

b) Online eavesdropping on a software encryption process a) Offline cracking of wrapped keys d) Retrieve working key from saved RAM when the system hibernates e) Intercept a passphrase that unlocks the encrypted drive

Which of the following play an essential part in a smurf attack? Select all that apply.

b) Packet broadcasting d) A forged IP source address

Which of the following crypto building blocks are used to construct a typical digital signature, as described in Section 8.5.3? Select all that apply.

b) Public-key encryption a) One-way hash

How does DNS cache poisoning work?

b) The attacker transmits bogus DNS responses to the victim, or the victim's DNS server, containing the bogus information.

Which of the following explanations of how packet addresses are used during routing is most accurate?

b) The packet's destination IP address is used to select the packet's next MAC address.

We are implementing a server with direct authentication. What is included in the security boundary?

b) The server itself, including its credential checking mechanism and the authentication database

We have implemented volume encryption using a self-encrypting drive. Which of the following attacks is the volume still vulnerable to? Select all that apply.

b) Trojan BIOS intercepting the unlock code when the operator unlocks the drive

We wish to crack an RSA key using brute force. Which of the following techniques will be most efficient and successful?

b) Try to factor N to find P and Q.

A major obstacle to becoming an ISP today is:

b) the shortage of internet addresses.

Encryption can help protect volumes in all of the following situations, except:

b) to prevent physical damage to a hard drive.

The following are all best practices or proper recommendations for choosing an encryption algorithm, except:

b) use DES if at all possible.

An autonomous system (AS):

b) uses border routers to connect one AS to another. a) handles two types of routing: interior and exterior.

We reduce the risk of untrustworthy encryption by using certified products. In the

c) 140-2.

Kevin's little brother has implemented a 28-bit one-way hash as a math project. How many trials should it take to locate a collision using a birthday attack?

c) 2^14

Which of the following qualities of a good encryption algorithm apply to DES today? Select all that apply.

c) Available for analysis a) Explicitly designed for encryption b) Security does not rely on its secrecy d) Subjected to analysis

A firewall gateway for a household or small business LAN contains several of the following features. Select all that appear in a typical gateway.

c) DHCP protocol b) Share a single IP address assigned by the ISP among multiple hosts inside the network

192.168.1.1 is an example of a(n):

c) IPv4 address.

A successful bit-flipping attack requires which of the following? Select all that apply.

c) Knowledge of the exact contents of the plaintext b) A stream cipher

Here is a list of features appearing in a low-cost commercial gateway. Which feature is most important in order to use private IP addresses?

c) Network address translation

Why do protocols like IKE and SSL exchange nonces as part of their key creation/exchange protocol? Select all that apply.

c) New nonce values should make it impossible for an attacker to replay a previous set of messages and force the connection to reuse a previous key. b) If the nonces are always different, then the protocol yields a different result each time it takes place.

We receive several blocks of ciphertext in CBC mode. An error has changed a single bit in the middle of the ciphertext. How much of the plaintext will be affected by the error when we decrypt it?

c) One bit and one block

Which of the following are requirements of secret-key cryptography? Select all that apply.

c) Reliable key revocation a) Lower computing resources required than public-key algorithms d) Trustworthy central servers

Which of the following information services are maintained as part of a domain name registration? Select all that apply.

c) Street address of the domain name's owner a) Numerical server addresses associated with the domain name b) Contact information for people responsible for the DNS entry's ownership and technical support

When encrypting a one-way hash or a secret encryption key with RSA, you must encrypt a value that contains more bits than the public key's N value. You can accomplish this via which of the following? Select all that apply.

c) Using a sufficiently large hash value a) Padding the hash value with additional, randomly generated data

PGP implemented _______________, making it so that no single person was universally trusted to sign certificates.

c) a web of trust

Internet routing:

c) makes routing decisions one at a time as a packet crosses individual networks.

Used by a client to contact a selected server

connect()

Which of the following can help to avoid problems with reused encryption keys? Select all that apply.

d) Combine the key with a nonce c) Change the internal key

How does WPA2 use cryptography to ensure the integrity of packet data?

d) It uses CBC to calculate the packet's MIC.

Which of the following security measures can detect a bit-flipping attack? Select all that apply.

d) Message containing a digital signature c) Message containing a keyed hash

Bob has purchased a self-encrypting hard drive that always encrypts everything stored on the drive. Bob wants to install a bootable operating system on it and use it on an older computer. The old computer does not allow him to install pre-boot authentication in the BIOS. Will he be able to use the drive?

d) No, because there is no way to add a plaintext partition to this drive.

Which of the following qualities of a good encryption algorithm apply to AES today? Select all that apply.

d) Subjected to analysis c) Available for analysis e) No practical weaknesses a) Explicitly designed for encryption b) Security does not rely on its secrecy

Which of the following are true of generic top-level domains .edu, .gov, and .mil? Select all that apply.

d) The domain registrar ensures that the domain information is published in the Domain Name System. a) A registrar is responsible for issuing names to domain name owners. b) The registrar restricts domain names to owners in particular countries, industries, or organizations.

Which of the following represents the best size for a cryptonet?

d) The fewest people who require access to the encrypted data

Highway systems of driveways, local roads, and national roads are networks for automobiles, much like the internet is a network for data traffic. Both types of network share some similarities. Select the most appropriate similarities from those listed below.

d) The networks may be used for private, public service, and commercial traffic. c) There is no single organization responsible for all network elements. b) The networks connect their elements across many different types of links.

We are implementing a server with off-line authentication. What is included in the security boundary?

d) The server itself, which does not include an authentication database

We are trying to decide between a public-key and a secret-key cryptographic solution. Which of the following criteria would encourage us to choose the secret-key solution? Select all that apply best to secret-key cryptography.

d) The system will always be limited to a small user community. f) When someone loses the privilege to access the system, we must be able to revoke their access rights immediately. b) We are providing the service to an established user community whose members are already identified.

In an SSL data packet, the field that indicates whether the packet carries data, an alert message, or is negotiating the encryption key is:

d) content type.

Modern internet technology evolved from research on:

d) the ARPANET.

The well-known port number 80 is used for:

d) the World Wide Web via HTTP.

Which of the following are possible features of the DNS protocol? Select all that apply.

e) Recursive name resolution c) Hierarchical domain name structure b) Distributed database for retrieving domain name information

Here is a list of features of a block cipher mode. Select all that apply to the OFB mode.

e) The mode relies on block encryption; it does not use the block decryption operation even when decrypting data. d) The mode requires an initialization vector. f) The mode uses both the block cipher algorithm and the XOR operation.

Which of the following are true about the development of RC4? Select all that apply.

e) The rationale for the algorithm design was kept secret.

Top-level domain name

edu

Here is a list of features of a block cipher mode. Select all that apply to the CBC mode.

f) The mode uses both the block cipher algorithm and the XOR operation. d) The mode requires an initialization vector. a) Ciphertext must fit into a multiple of the cipher's block size; it can't be an arbitrary number of bits.

Here is a list of features of a block cipher mode. Select all that apply to the CTR mode.

f) The mode uses both the block cipher algorithm and the XOR operation. e) The mode relies on block encryption; it does not use the block decryption operation even when decrypting data. d) The mode requires an initialization vector.

Alice has constructed a document. Bob needs to verify the document's integrity. Which of the following data items must they share? Select all that apply.

g) A one-way hash value encrypted with Alice's private key a) Alice's public key

A router is traditionally called a(n) ________.

gateway

Used by a server to await a client's connection

listen()

A(n) _______ binary value contains a row of 1 bits to identify the network address bits.

network mask

Subdomain name assigned by the domain's owner

www

True or False? A network attack in which someone forges network traffic would be considered an active attack.

True

On the internet, the entity that looks up a domain name and retrieves information about it is the:

a) Domain Name System (DNS).

Which of the following is not one of the stages that TCP connections go through?

c) Error reporting

Which authentication pattern requires public-key cryptography?

d) Off-line authentication

Sequence number

A numerical value that's used to detect duplicate packets

Bob and Alice want to construct a shared secret key using RSA. Which of the following components must Bob use to share the secret with Alice?

Alice's public key alone

Which of the following security protections is used to prevent passive attacks?

Confidentiality

True or False? The concept that embodies dumb networking by placing most network protocols in the connection's endpoint hosts is the domain name principle.

False

Secure Sockets Layer (SSL) has been replaced by:

Transport Layer Security (TLS).

True or False? Encryption works against traffic filtering, because the filtering process can't detect malicious content in encrypted packets.

True

True or False? Hosts behind a network address translation (NAT) gateway are typically assigned local IP addresses.

True

True or False? The failure of network-based reliable transport influenced a central design principle of internet-oriented networks: the end-to-end principle.

True

True or False? The point of DNS redundancy is to provide other servers that can be contacted in the event the main server goes down.

True

True or False? The purpose of a gateway firewall is to block potentially hostile traffic from reaching the internal LAN.

True

What is the "ping" packet?

a) An ICMP message used to verify that a host is on the network

To provide both encryption and integrity protection, WPA2 uses AES encryption with:

a) CCM mode.

Packet filtering looks at any packet header and filters on all of the following values, except:

a) email address.

Bob has started a company and registered its name with the government as a private corporation. He tries to create a domain name using that registered name along with his country code. The name has already been registered by someone else. What should Bob do?

b) Choose a different name that has not already been registered.

How have DDOS attacks affected DNS and hosts that rely on it? Select all that apply.

b) DDOS attacks on DNS servers for specific hosts have made it difficult for some users to reach those hosts. a) Partially successful attacks on root DNS servers have had little effect on Internet traffic. d) Botnets may have been used in some DNS DDOS attacks.

True or False? Crypto techniques originally focused on confidentiality.

True

True or False? DNS is an essential part of the internet; nobody remembers the numerical IP address of Google or Amazon or Microsoft, but everyone knows their domain names.

True

We are implementing a product with local authentication on the device. What is included in the security boundary?

a) Everything from the point where the credential is entered to the checking mechanism and the authentication database

We are trying to decide between a public-key and a secret-key cryptographic solution. Which of the following criteria would encourage us to choose the public-key solution? Select all that apply best to public-key cryptography.

a) The system can apply a lot of computational power to cryptographic operations. e) Attackers should not be able to penetrate the whole system simply by attacking a critical crypto server. c) The process of adding new users must be easy to delegate.

Which of the following statements related to the end-to-end concept of network design are true? Select all that apply.

b) Dumb networks require smart endpoints. c) Internet technology is based on interconnecting a lot of dumb networks.

Amalgamated is implementing a private corporate network using a private IP address space. The network will connect separate sites using a VPN. Which of the following statements are true about this arrangement? Select all that apply.

b) Gateways will use IPsec tunnel mode between VPN sites. c) If Amalgamated buys another company, the new company's internal network must be assigned a compatible set of private IP addresses if it is to interact with other corporate VPN sites. d) VPN traffic will be restricted to Amalgamated's sites because the appropriate crypto credentials will only be shared among authorized VPN gateways.

Which TCP fields help ensure reliable transmission of data by keeping track of the number of bytes sent and received? Select all that apply.

b) Sequence number d) Acknowledgment number

A network's topology refers to the structure of its:

b) connections.

TCP and UDP are purely ___________ protocols.

b) end-to-end

An attack in which one or more hosts conspire to inundate a victim with ping requests is called a:

b) ping flood.

An attack that forges the sender's IP address is called a(n):

c) IP spoofing attack.

We need to implement services on several servers, and we wish to use the same login credentials for all of them. Which authentication patterns are most effective for this? Select all that apply.

c) Indirect authentication d) Off-line authentication

Of the following, select the two primary components of IPsec.

c) Internet Key Exchange (IKE) d) Encapsulating Security Payload (ESP)

Encrypting "above the stack":

c) means applying cryptography at the top of the application layer or above the network protocol stack and provides network transparency.

DNS security improvements include which of the following? Select all that apply.

d) Limited access to resolvers c) Distributed DNS servers b) Randomized requests

The Domain Name System (DNS) looks up a(n) ________ name and ________ information about it.

d) domain; retrieves

The process of transforming an existing key into a new one is called:

self-rekeying.

