Chapter 13 Quiz
__________ rely on traffic analysis when the defenders use encryption that is too difficult to attack.
Attackers
We are trying to decide between a public-key and a secret-key cryptographic solution. Which of the following criteria would encourage us to choose the public-key solution? Select all that apply best to public-key cryptography.
Attackers should not be able to penetrate the whole system simply by attacking a critical crypto server. The system can apply a lot of computational power to cryptographic operations. The process of adding new users must be easy to delegate.
True or False? Private addressing occurs when an ISP is assigned an IP address.
False
True or False? SSL works on top of IPsec and applies security to an orderly stream of bytes moving between a client and server.
False
True or False? The IP header and all remaining packet contents are never encrypted.
False
True or False? The Key Distribution Center (KDC) greatly simplifies key management. Each host must establish multiple "KDC keys" that it shares with the KDC.
False
True or False? Two users can construct a shared secret by sharing Diffie-Hellman private keys.
False
True or False? WPA2 uses public key encryption with the "counter and CBC MAC" (CCM) mode.
False
True or False? When replacing crypto keys, they must be all replaced 1 month at a time.
False
Amalgamated is implementing a private corporate network using a private IP address space. The network will connect separate sites using a VPN. Which of the following statements are true about this arrangement? Select all that apply.
Gateways will use IPsec tunnel mode between VPN sites. If Amalgamated buys another company, the new company's internal network must be assigned a compatible set of private IP addresses if it is to interact with other corporate VPN sites. VPN traffic will be restricted to Amalgamated's sites because the appropriate crypto credentials will only be shared among authorized VPN gateways.
Which of the following network protocols typically provide application transparency? Select all that apply.
IPsec Wi-Fi Protected Access
Why do protocols like IKE and SSL exchange nonces as part of their key creation/exchange protocol? Select all that apply.
If the nonces are always different, then the protocol yields a different result each time it takes place. New nonce values should make it impossible for an attacker to replay a previous set of messages and force the connection to reuse a previous key.
The phrases below describe functions of protocols that are part of the modern SSL protocol. Match the protocol with its function. Alert protocol
Indicates errors and the end of a secure session
Of the following, select the two primary components of IPsec.
Internet Key Exchange (IKE) Encapsulating Security Payload (ESP)
A protocol that establishes security associations (SAs) between a pair of hosts is:
Internet Key Exchange (IKE).
How does WPA2 encrypt a stream of data?
It uses AES with a Counter mode.
How does WPA2 use cryptography to ensure the integrity of packet data?
It uses CBC to calculate the packet's MIC.
Associate the following concepts with the appropriate secret-key building blocks. Shares a separate KEK with each registered user
Key distribution center
Associate the following concepts with the appropriate secret-key building blocks. Use a KEK to encrypt a TEK
Key wrapping
In typical applications, does SSL provide application transparency?
No, because the SSL software is traditionally integrated into the application software package and is not supported unless the application specifically provides it.
The phrases below describe some of the fields in an IPsec ESP packet. Match the field with its description. TFC padding
Random data intended to defeat traffic analysis
Which two of the following answers indicate the Internet crypto services providing end users with the easiest key management?
SSL/TLS IPsec gateways
Associate the following concepts with the appropriate secret-key building blocks. Build a unique TEK from nonces and a secret
Shared secret hashing
True or False? Encryption works against traffic filtering, because the filtering process can't detect malicious content in encrypted packets.
True
True or False? Self-rekeying transforms an existing encryption key into a new one using a pseudorandom number generator.
True
True or False? We clearly need to use encryption if we wish to protect against sniffing.
True
True or False? You can wrap a secret key with RSA.
True
Which of the following are requirements of secret-key cryptography? Select all that apply.
Trustworthy central servers Lower computing resources required than public-key algorithms Reliable key revocation
Which wireless security protocol is recommended for use today?
WPA2 with AES
We are trying to protect our traffic as much as possible from sniffing. To minimize the risk, should we encrypt as much of our packets as possible, including headers?
Yes, because plaintext headers open our network messages to traffic analysis.
In an SSL data packet, the field that indicates whether the packet carries data, an alert message, or is negotiating the encryption key is:
content type
The principal application of IPsec is
virtual private networking.
Wireless Protected Access, version 2 (WPA2.) falls under:
802.11
The phrases below describe some of the fields in an IPsec ESP packet. Match the field with its description. Sequence number
A numerical value that's used to detect duplicate packets
Bob and Alice want to construct a shared secret key using RSA. Which of the following components must Bob use to share the secret with Alice?
Alice's public key alone
Bob and Alice want to construct a shared secret key using Diffie-Hellman. Which components will Bob use to construct the shared secret?
Alice's public key and Bob's private key
To provide both encryption and integrity protection, WPA2 uses AES encryption with:
CCM mode
Which of the following security protections is used to prevent passive attacks?
Confidentiality
True or False? In manual keying, two encryption keys are produced for each cryptonet or communicating pair and those keys are distributed to the appropriate endpoints.
False
The phrases below describe functions of protocols that are part of the modern SSL protocol. Match the protocol with its function. Handshake protocol
Establishes the shared secret and the keys to be used to protect SSL traffic
The phrases below describe some of the fields in an IPsec ESP packet. Match the field with its description. Payload data
The headers and data being encrypted
The phrases below describe some of the fields in an IPsec ESP packet. Match the field with its description. Next header
The numeric code for the protocol appearing in the first header in the encrypted payload
We are trying to decide between a public-key and a secret-key cryptographic solution. Which of the following criteria would encourage us to choose the secret-key solution? Select all that apply best to secret-key cryptography.
The system will always be limited to a small user community. When someone loses the privilege to access the system, we must be able to revoke their access rights immediately. We are providing the service to an established user community whose members are already identified.
The phrases below describe functions of protocols that are part of the modern SSL protocol. Match the protocol with its function. Record protocol
Transfers information using a symmetric cipher and integrity check
Secure Sockets Layer (SSL) has been replaced by:
Transport Layer Security (TLS).
True or False? A network attack in which someone forges network traffic would be considered an active attack.
True
True or False? Crypto techniques originally focused on confidentiality.
True
True or False? Eavesdropping without interfering with communications would be considered a passive attack.
True
Virtual private networking is used primarily for encrypting:
a connection between two sites across the internet.
When we place crypto in different protocol layers, we often balance two important properties:
application transparency and network transparency.
The general objective of wireless defense was to implement a virtual boundary that includes __________ computers and excludes other _________.
authorized client; clients
Producing one encryption key for each cryptonet or communicating pair and distributing that key to the appropriate endpoints is called:
manual keying
Secure Sockets Layer (SSL):
may display a padlock on a Web page to indicate SSL protection.
Encrypting "above the stack":
means applying cryptography at the top of the application layer or above the network protocol stack and provides network transparency.
We use cryptography to apply all of the following protections to network traffic, except:
reliability.
The process of transforming an existing key into a new one is called:
self-rekeying