Chapter 13
__________ rely on traffic analysis when the defenders use encryption that is too difficult to attack.
Attackers
True or False? In manual keying, two encryption keys are produced for each cryptonet or communicating pair and those keys are distributed to the appropriate endpoints.
False
True or False? Private addressing occurs when an ISP is assigned an IP address.
False
True or False? SSL works on top of IPsec and applies security to an orderly stream of bytes moving between a client and server.
False
True or False? The IP header and all remaining packet contents are never encrypted.
False
True or False? The Key Distribution Center (KDC) greatly simplifies key management. Each host must establish multiple "KDC keys" that it shares with the KDC.
False
True or False? Two users can construct a shared secret by sharing Diffie-Hellman private keys.
False
True or False? WPA2 uses public key encryption with the "counter and CBC MAC" (CCM) mode.
False
True or False? When replacing crypto keys, they must be all replaced 1 month at a time.
False
The phrases below describe functions of protocols that are part of the modern SSL protocol. Match the protocol with its function.
Handshake protocol - Establishes the shared secret and the keys to be used to protect SSL traffic Record protocol - Transfers information using a symmetric cipher and integrity check Alert protocol - Indicates errors and the end of a secure session
A protocol that establishes security associations (SAs) between a pair of hosts is:
Internet Key Exchange (IKE).
How does WPA2 encrypt a stream of data?
It uses AES with a Counter mode
Encrypting "above the stack":
Means applying cryptography at the top of the application layer or above the network protocol stack and provides network transparency
In typical applications, does SSL provide application transparency?
No, because the SSL software is traditionally integrated into the application software package and is not supported unless the application specifically provides it.
The phrases below describe some of the fields in an IPsec ESP packet. Match the field with its description.
Payload data - The headers and data being encrypted Next header - The numeric code for the protocol appearing in the first header in the encrypted payload Sequence number - A numerical value that's used to detect duplicate packets TFC padding - Random data intended to defeat traffic analysis
True or False? Encryption works against traffic filtering, because the filtering process can't detect malicious content in encrypted packets.
True
True or False? Self-rekeying transforms an existing encryption key into a new one using a pseudorandom number generator.
True
True or False? We clearly need to use encryption if we wish to protect against sniffing.
True
True or False? You can wrap a secret key with RSA.
True
Associate the following concepts with the appropriate secret-key building blocks.
Use a KEK to encrypt a TEK - Key wrapping Build a unique TEK from nonces and a secret - Shared secret hashing Shares a separate KEK with each registered user - Key distribution center
We are trying to protect our traffic as much as possible from sniffing. To minimize the risk, should we encrypt as much of our packets as possible, including headers?
Yes, because plaintext headers open our network messages to traffic analysis.
In an SSL data packet, the field that indicates whether the packet carries data, an alert message, or is negotiating the encryption key is:
content type.
How does WPA2 use cryptography to ensure the integrity of packet data?
d) It uses CBC to calculate the packet's MIC.
We are trying to decide between a public-key and a secret-key cryptographic solution. Which of the following criteria would encourage us to choose the secret-key solution? Select all that apply best to secret-key cryptography.
d) The system will always be limited to a small user community. f) When someone loses the privilege to access the system, we must be able to revoke their access rights immediately. b) We are providing the service to an established user community whose members are already identified.
Which wireless security protocol is recommended for use today?
d) WPA2 with AES
Of the following, select the two primary components of IPsec.
c) Internet Key Exchange (IKE) d) Encapsulating Security Payload (ESP)
Why do protocols like IKE and SSL exchange nonces as part of their key creation/exchange protocol? Select all that apply.
c) New nonce values should make it impossible for an attacker to replay a previous set of messages and force the connection to reuse a previous key. b) If the nonces are always different, then the protocol yields a different result each time it takes place.
Which of the following are requirements of secret-key cryptography? Select all that apply.Alice's public key alone
c) Reliable key revocation a) Lower computing resources required than public-key algorithms d) Trustworthy central servers
The principal application of IPsec is:
virtual private networking.
Wireless Protected Access, version 2 (WPA2.) falls under:
802.11.
Bob and Alice want to construct a shared secret key using Diffie-Hellman. Which components will Bob use to construct the shared secret?
Alice's public key and Bob's private key
Bob and Alice want to construct a shared secret key using RSA. Which of the following components must Bob use to share the secret with Alice?
Alice's public key alone
Which of the following security protections is used to prevent passive attacks?
Confidentiality
Secure Sockets Layer (SSL) has been replaced by:
Transport Layer Security (TLS)
True or False? A network attack in which someone forges network traffic would be considered an active attack.
True
True or False? Crypto techniques originally focused on confidentiality.
True
True or False? Eavesdropping without interfering with communications would be considered a passive attack.
True
Virtual private networking is used primarily for encrypting:
a connection between two sites across the internet.
To provide both encryption and integrity protection, WPA2 uses AES encryption with:
a) CCM mode.
Which two of the following answers indicate the Internet crypto services providing end users with the easiest key management?
a) SSL/TLSb) IPsec gateways
We are trying to decide between a public-key and a secret-key cryptographic solution. Which of the following criteria would encourage us to choose the public-key solution? Select all that apply best to public-key cryptography.
a) The system can apply a lot of computational power to cryptographic operations. e) Attackers should not be able to penetrate the whole system simply by attacking a critical crypto server. c) The process of adding new users must be easy to delegate.
Which of the following network protocols typically provide application transparency? Select all that apply.
a) Wi-Fi Protected Access b) IPsec
The general objective of wireless defense was to implement a virtual boundary that includes __________ computers and excludes other _________.
a) authorized client; clients
When we place crypto in different protocol layers, we often balance two important properties:
application transparency and network transparency.
Amalgamated is implementing a private corporate network using a private IP address space. The network will connect separate sites using a VPN. Which of the following statements are true about this arrangement? Select all that apply.
b) Gateways will use IPsec tunnel mode between VPN sites. c) If Amalgamated buys another company, the new company's internal network must be assigned a compatible set of private IP addresses if it is to interact with other corporate VPN sites. d) VPN traffic will be restricted to Amalgamated's sites because the appropriate crypto credentials will only be shared among authorized VPN gateways.
Producing one encryption key for each cryptonet or communicating pair and distributing that key to the appropriate endpoints is called:
manual keying.
Secure Sockets Layer (SSL):
may display a padlock on a Web page to indicate SSL protection.
We use cryptography to apply all of the following protections to network traffic, except:
reliability
The process of transforming an existing key into a new one is called:
self-rekeying.
