SEC-PRO-SEC7
Digital signature
A digital signature is a combination of asymmetric encryption and hashing values. A signature provides confidentiality, integrity validation, strong authentication, and non-repudiation.
What does a digital signature provide?
A digital signature verifies that the data is legitimate and provides non-repudiation. This means the sender cannot deny having sent the file.
Hardware security module (HSM)
A hardware security module (HSM) is a piece of hardware and associated software/firmware that is connected to a computer system to provide cryptographic functions.
Hash collision
A hash collision occurs when two files generate the same hash.
Hybrid cryptosystems
A hybrid cryptosystem combines the efficiency of symmetric encryption with the convenience of asymmetric encryption.
Hybrid cryptosystem
A hybrid cryptosystem combines the efficiency of symmetric encryption with the convenience of asymmetric encryption.
File Encryption Key FEK
A pseudo-random number used with the AES encryption algorithm to encrypt files and folders in EFS.
Rainbow table
A rainbow table is a table of passwords and their generated hashes.
Data Decryption Field DDF
A special location in an EFS-encrypted file's header that stores the FEK.
Encryption key
A string of bits randomly generated using a special cipher. An encryption key is used to encrypt or decrypt data.
A private key has been stolen. Which action should you take to deal with this crisis? -Recover the private key from escrow -Delete the public key -Place the private key in escrow -Add the digital certificate to the CRL
Add the digital certificate to the CRL
Certificate authorities
Certificate authorities are reputable organizations that are responsible for issuing public certificates to companies or organizations that want to securely communicate over the internet.
What is the role of certificate authority (CA)?
Certificate authorities are reputable organizations, responsible for issuing public certificates to other companies or organizations for secure communication over the internet.
Certificate chaining
Certificate authorities are usually set up in a hierarchy of multiple CAs to increase security. This structure is known as certificate chaining or the chain of trust.
When two different messages produce the same hash value, what has occurred? Birthday attack High amplification Hash value Collision
Collision
You create a new document and save it to a hard drive on a file server on your company's network. Then you employ an encryption tool to encrypt the file using AES. This activity is an example of accomplishing which security goal? Confidentiality Availability Non-repudiation Integrity
Confidentiality
Which of the following functions are performed by a TPM? Provide authentication credentials Perform bulk encryption Create a hash of system components Encrypt network data using IPsec
Create a hash of system components
Which of the following is a direct integrity protection? Digital signature Asymmetric encryption Digital envelope Symmetric encryption
Digital signature
What is a digital signature? What benefits does it provide?
A digital signature combines the hash of a file and a user's private key to electronically sign a document, providing authenticity and non-repudiation for the file.
What is the most obvious means of providing non-repudiation in a cryptography system? Shared secret keys Digital signatures Hashing values Public keys
Digital signatures
Which of the following security solutions would prevent a user from reading a file that she did not create? IPsec BitLocker EFS VPN
EFS
Encrypting File System
EFS provides an easy and seamless way for users to encrypt files on Windows computers. EFS is used to encrypt only individual files and folders.
You would like to implement BitLocker to encrypt data on a hard disk, even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device. What should you do? Use a PIN instead of a startup key. Save the startup key to the boot partition. Disable USB devices in the BIOS. Enable the TPM in the BIOS.
Enable the TPM in the BIOS.
Which editions of Windows include Encrypting File System (EFS)?
Every Windows version since Windows 2000 except Home editions.
Which utility would you MOST likely use on OS X to encrypt and decrypt data and messages? IPsec VPN PGP GPG
GPG
GNU Privacy Guard
GPG is an encryption program that is now owned by NortonLifeLock (previously Symantec). PGP is used by products that protect laptops, desktops, USB drives, optical media and smartphones.
Which standard does Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) follow?
GPG is an implementation of the Pretty Good Privacy (PGP) Protocol.
What is the main function of a TPM hardware chip? -Perform bulk encryption in a hardware processor -Control access to removable media -Provide authentication credentials on a hardware device -Generate and store cryptographic keys
Generate and store cryptographic keys
Which of the following is a message authentication code that allows a user to verify that a file or message is legitimate? RIPEMD MD5 HMAC SHA
HMAC
Which of the following is used to verify that a downloaded file has not been altered? Asymmetric encryption Private key Hash Symmetric encryption
Hash
A birthday attack focuses on which of the following? Encrypted files E-commerce Hashing algorithms VPN links
Hashing algorithms
To obtain a digital certificate and participate in a public key infrastructure (PKI), what must be submitted and where? -Identifying data and a certification request to the registration authority (RA) -Identifying data with the 3DES block cipher to the hosting certificate authority (CA) -Identifying data with the MAC and IP addresses to the root certificate authority (CA) -Identifying data and a secret key request to the subordinate distribution authority (DA)
Identifying data and a certification request to the registration authority (RA)
You are concerned that if a private key is lost, all documents encrypted with your private key will be inaccessible. Which service should you use to solve this problem? OCSP Key escrow CSP RA
Key escrow
Which of the following are true of Triple DES (3DES)? Key length is 168 bits Can easily be broken Uses the Rijndael block cipher Uses 64-bit blocks with 128-bit keys
Key length is 168 bits
Which of the following is the weakest hashing algorithm? AES DES SHA-1 MD5
MD5 Both DES and AES are symmetric encryption algorithms. DES is weaker than AES.
When a sender encrypts a message using their own private key, which security service is being provided to the recipient? Non-repudiation Availability Integrity Confidentiality
Non-repudiation
Your computer system is a participant in an asymmetric cryptography system. You've crafted a message to be sent to another user. Before transmission, you hash the message and then encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. Which protection does the private key-signing activity of this process provide? Non-repudiation Confidentiality Integrity Availability
Non-repudiation
Cryptographic systems provide which of the following security services? (Select two.) Non-repudiation Cryptanalysis Encryption Decryption Confidentiality
Non-repudiation Confidentiality
Public key infrastructure (PKI)
PKI is an environment in which public encryption keys can be created and managed throughout the key lifecycle.
Above all else, what must be protected to maintain the security and benefit of an asymmetric cryptographic solution, especially if it is widely used for digital certificates? -Cryptographic algorithm -Public keys -Private keys -Hash values
Private keys The strength of an asymmetric cryptographic system lies in the secrecy and security of its private keys. A digital certificate and a digital signature are little more than unique applications of a private key. If the private keys are compromised for a single user, for a secured network, or for a digital certificate authority, the entire realm of trust is destroyed.
Which of the following items are contained in a digital certificate? (Select two.) Public key Root CA secret key Private key Validity period
Public key Validity period
Which of the following can be classified as a stream cipher? -AES -Twofish -RC4 -Blowfish
RC4
An attacker is attempting to crack a system's password by matching the password hash to a hash in a large table of hashes he or she has. Which type of attack is the attacker using? Cracking RIPEMD Brute force Rainbow
Rainbow
What type of attack takes advantage of hash collisions?
Rainbow table attack
In the certificate authority trust model known as a hierarchy, where does trust start? -Registration authority -Root CA -Third-party CA -Issuing CA
Root CA
What are the types of certificates?
Root certificate - the first certificate that a CA creates. Subject Alternative Name (SAN) certificate - allows an organization to cover multiple domains with one certificate. Wildcard certificate - similar to SAN certificates. Code signing certificate - used by app developers to prove that their application is legitimate. Self-signed certificate - a certificate that has not been validated or signed by a CA. Email certificate - secure, encrypted emails are sent using the S/MIME protocol. User and computer certificate - used in a network environment to identify and validate specific users or computers.
Which of the following does not or cannot produce a hash value of 128 bits? MD5 MD2 SHA-1 RIPEMD
SHA-1
What are the three main hashing algorithms in use today?
SHA-1 (128 bit key), MD5 (160 bit key), SHA-2 aka SHA-256 (256 bit key)
What is the process of adding random characters at the beginning or end of a password to generate a completely different hash called? Salting Deterministic Collision Avalanche
Salting
Mary wants to send a message to Sam in such a way that only Sam can read it. Which key should be used to encrypt the message? -Mary's private key -Sam's public key -Sam's private key -Mary's public key
Sam's public key Sam's public key should be used to encrypt the message. Only the corresponding private key, which only Sam has, can be used to decrypt the message.
Trusted Platform Module
TPM is a hardware chip on the motherboard that can generate and store cryptographic keys.
X.509
The standard that defines the format of certificates.
The following are examples of what? -Diffie-Hellman -RSA -DSA -ECC
They are examples of asymmetric encryption algorithms. -Diffie-Hellman -Rivest-Shamir-Adleman -Elliptic Curve Cryptography
Which of the following database encryption methods encrypts the entire database and all backups? Application-level Bitlocker Column-level Transparent Data Encryption (TDE)
Transparent Data Encryption (TDE)
When a cryptographic system is used to protect data confidentiality, what actually takes place? -Unauthorized users are prevented from viewing or accessing the resource. -Data is protected from corruption or change. -Encrypted data transmission is prohibited. -Data is available for access whenever authorized users need it.
Unauthorized users are prevented from viewing or accessing the resource.
What partition/volumes are created when implementing BitLocker?
When setting up BitLocker, the hard disk must be configured with two partitions: the System partition and the Boot partition.
Which standard defines the format of certificates?
X.509
Which standard is most widely used for certificates? X.509 802.1x SSL v.3.0 HTTP 1.1
X.509
You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file? -Your copy is the same as the copy posted on the website. -No one has read the file contents as it was downloaded. -You are the only one able to open the downloaded file. -You can prove the source of the file
Your copy is the same as the copy posted on the website.
Which trust model would be used to connect the CAs of two organizations?
bridge model
What are the following examples of: -DES -RC -AES -IDEA -Blowfish -Twofish -CAST
common symmetric algorithms in use. -Data encryption standard -Rivest's Cipher -Advanced encryption standard -International data encryption algorithm
How can cryptography support the goals of information security?
confidentiality - encrypting data or obfuscating it. integrity - creating a hash of a file can be used to validate that the file has not been altered. authenticity - applying a digital signature proves that the file is authentic and comes from the correct person. non-repudiation - applying a digital signature provides non-repudiation.
What type of attack uses a large list of common words and phrases?
dictionary attack
What is the output of hashing called?
hash or message digest
What are uses of blockchain in addition to cryptocurrency?
monitoring supply chains, retail loyalty programs
What are the main hashing algorithms used?
Most common: MD5 and SHA. Other options: HMAC and RIPEMD.
What is the lifecycle of an encryption key?
pre-activation/key generation > activation > expiration > post-activation > destruction
What functionality does a Trusted Platform Module (TPM) chip provide?
provides cryptographic services. Using a hardware chip means that the encryption system itself can't be attacked by malicious software.
What is the difference between symmetric and asymmetric encryption?
symmetric- uses the same key to encrypt and decrypt data. asymmetric- uses 2 keys instead of one. A user's public key is used to encrypt the data. That user then uses their private key to decrypt the data. The private key only decrypts data that was encrypted using its matching public key.
steganography
the practice of concealing a file, message, image or video within another file, message, image or video.
What is a legitimate use for steganography?
watermarking
How do Cryptosystems work?
They combine the efficiency of symmetric encryption with the convenience of asymmetric encryption. A hybrid cryptosystem is used as follows: -user 1 uses their symmetric private key to encrypt some data. -user 1 then encrypts that symmetric private key using the recipient's public key and sends both to the recipient. -user 2, the recipient, uses their private key to decrypt user 1's private key, which is then used to decrypt the message. -as long as user 2's private key is kept secret, the data remains secure.
You've used BitLocker to implement full volume encryption on a notebook system. The notebook motherboard does not have a TPM chip, so you've used an external USB flash drive to store the BitLocker startup key. You use EFS to encrypt the C:\Secrets folder and its contents. Which of the following is true in this scenario? (Select two.) -If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will remain in an encrypted state. -The EFS encryption process will fail. -Only the user who encrypted the C:\Secrets\confidential.docx file is able to boot the computer from the encrypted hard disk. -Any user who is able to boot the computer from the encrypted hard disk will be able to open the C:\Secrets\confidential.docx file. -By default, only the user who encrypted the C:\Secrets\confidential.docx file will be able to open it. -If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will be saved in an unencrypted state.
-By default, only the user who encrypted the C:\Secrets\confidential.docx file will be able to open it. -If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will be saved in an unencrypted state.
Which technology was developed to help improve the efficiency and reliability of checking the validity status of certificates in large, complex environments? -Certificate Revocation List -Key escrow -Online Certificate Status Protocol -Private key recovery
-Online Certificate Status Protocol
Which of the following algorithms are used in asymmetric encryption? (Select two.) -RSA -Twofish -AES -Diffie-Hellman -Blowfish
-RSA -Diffie-Hellman RSA and Diffie-Hellman are asymmetric algorithms. RSA, one of the earliest encryption algorithms, can also be used for digital signatures. The Diffie-Hellman Protocol was created in 1976 but is still in use today in technologies such as SSL, SSH, and IPsec.
What are three methods of database encryption?
-TDE (Transparent Data Encryption) -Column-level encryption -Application-level encryption
What are the five characteristics of a hash function?
-deterministic -quick and efficient -cannot be reversed -collision-resistant -avalanche effect
What are some common uses for hashing?
-file integrity -digital signatures -password verification
Trust model
A PKI uses a trust model to establish trust between two communicating entities. Depending on the number of CAs being implemented and their use, there are a few configurations that can be used to set up certificate authorities.
Blockchain
A decentralized and distributed ledger of transactions between two or more parties.
A PKI is an implementation for managing which type of encryption? -Symmetric -Steganography -Hashing -Asymmetric
Asymmetric
BitLocker
BitLocker is used to encrypt an entire volume. All data on the volume is protected even if the hard drive is moved to another computer.
Which of the following algorithms are used in symmetric encryption? (Select two.) -Blowfish -RSA -Diffie-Hellman -3DES -ECC
Blowfish 3DES
You want a security solution that protects the entire hard drive and prevents access even if the drive is moved to another system. Which solution should you choose? BitLocker EFS VPN IPsec
BitLocker
Hashing algorithms are used to perform which of the following activities? -Provide for non-repudiation. -Provide a means for exchanging small amounts of data securely over a public network. -Create a message digest. -Encrypt bulk data for communications exchange.
Create a message digest. Hashing algorithms are used to create a message digest to ensure that data integrity is maintained. A sender creates a message digest by performing the hash function on the data files that are transmitted. The receiver performs the same action on the data received and compares the two message digests. If they are the same, the data was not altered.
Which of the following encryption mechanisms offers the least security because of weak keys? -TwoFish -AES -DES -IDEA
DES
Which algorithms can be used to generate a hash?
DES RC AES IDEA Blowfish Twofish CAST Diffie-Hellman RSA DSA ECC MD5 SHA
Which of the following should you set up to ensure encrypted files can still be decrypted if the original user account becomes corrupted? PGP VPN GPG DRA
DRA
Which type of password attack employs a list of pre-defined passwords that it tries against a login prompt? Collision attack Downgrade attack Dictionary attack Birthday attack
Dictionary attack
You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files. What should you do? Implement BitLocker without a TPM. Implement BitLocker with a TPM. Have each user encrypt the entire volume with EFS. Have each user encrypt user files with EFS.
Implement BitLocker without a TPM. If you use BitLocker without a TPM, system integrity checks are not performed. The TPM is required for saving the startup file information that is used to verify system integrity. When using BitLocker without a TPM, you must use a startup key on a USB device. When using a TPM, this is an optional configuration.
Why would you create a Data Recovery Agent (DRA)?
In case the original person cannot access the files, the DRA would be able to.
You have downloaded a file from the internet. You generate a hash and check it against the original file's hash to ensure the file has not been changed. Which information security goal is this an example of? Confidentiality Non-repudiation Integrity Authenticity
Integrity
A receiver wants to verify the integrity of a message received from a sender. A hashing value is contained within the digital signature of the sender. Which of the following must the receiver use to access the hashing value and verify the integrity of the transmission? -Receiver's private key -Receiver's public key -Sender's private key -Sender's public key
Sender's public key Digital signatures are created using the sender's private key. Therefore, only the sender's public key can be used to verify and open any data encrypted with the sender's private key. The recipient's private and public keys are not involved in this type of cryptography situation. Often, the hashing value of a message is protected by the sender's private key (their digital signature). The recipient must extract the original hashing value.
Which term means a cryptography mechanism that hides secret communications within various forms of data? -Steganography -Cryptanalysis -Algorithm -Ciphertext
Steganography
Which form of cryptography is best suited for bulk encryption because it is so fast? Public key cryptography Asymmetric cryptography Hashing cryptography Symmetric key cryptography
Symmetric key cryptography
An SSL client has determined that the certificate authority (CA) issuing a server's certificate is on its list of trusted CAs. What is the next step in verifying the server's identity? -The post-master secret must initiate subsequent communication. -The domain on the server certificate must match the CA's domain name. -The CA's public key must validate the CA's digital signature on the server certificate. -The master secret is generated from common key code.
The CA's public key must validate the CA's digital signature on the server certificate. Once an SSL client has identified a CA as trusted, it uses the CA's public key to validate the CA's digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.
Data Recovery Agent
The DRA is an account that has been granted the right to decrypt files and folders in EFS.
Ciphertext
The encrypted form of a message that is readable only to those for whom the message is intended.
You have transferred an encrypted file across a network using the Server Message Block (SMB) Protocol. What happens to the file's encryption? -An encrypted file cannot be moved using SMB. -The file is unencrypted when moved. -The encryption inherits from the new location. -The encryption carries over to the new location.
The file is unencrypted when moved.
Why is reusing encryption keys considered a weakness?
The more a key is reused, the more likely that it will be cracked.
Which of the following would require that a certificate be placed on the CRL? -The signature key size is revealed. -The encryption key algorithm is revealed. -The private key is compromised. -The certificate validity period is exceeded.
The private key is compromised.
Hashing
The process of using an algorithm to convert data to a fixed-length key called a hash.
Cipher/algorithm
The process or formula used to encrypt a message or otherwise hide the message's meaning.
Cryptography
The science and study of concealing information.