Security + 501 Chapter 6 Cryptography and PKI


47. Which of the following benefits do digital signatures provide? (Choose two.) A. Nonrepudiation B. Authentication C. Encryption D. Key exchange

A and B. Digital signatures provide three core benefits: authentication, integrity, and nonrepudiation.

6. Which of the following are restricted to 64-bit block sizes? (Choose two.) A. DES B. SHA C. MD5 D. 3DES

A and D. DES and 3DES are symmetric-key block ciphers using a 64-bit block size.

5. Which of the following digital certificate management practices will ensure that a lost certificate is not compromised? A. CRL B. Key escrow C. Nonrepudiation D. Recovery agent

A. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.

1. Which of the following would a public key be used for? A. To decrypt a hash of a digital signature B. To encrypt TLS traffic C. To digitally sign messages D. To decrypt TLS messages

A. A digital signature is a one-way hash encrypted with the private key. The public key is used to decrypt the hash and validate the integrity of the digital signature. Digital signatures support nonrepudiation, where the sender cannot refute having sent the message.

32. Which of the following is an encryption standard that uses a single 56-bit symmetric key? A. DES B. 3DES C. AES D. WPS

A. DES is a symmetric encryption standard that uses a key length of 56 bits.

40. Your company is looking to accept electronic orders from a vendor and wants to ensure nonauthorized people cannot send orders. Your manager wants a solution that provides nonrepudiation. Which of the following options would meet the requirements? A. Digital signatures B. Hashes C. Steganography D. Perfect forward secrecy

A. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something.

31. Which of the following EAP types use a three-phase operation? A. EAP-FAST B. EAP-TLS C. EAP-TTLS D. PEAP

A. EAP-FAST is for situations where strong password policy cannot be enforced and certificates are not used. EAP-FAST consists of three phases: EAP-FAST authentication, establishment of a secure tunnel, and client authentication.

45. Your company's branch offices connect to the main office through a VPN. You recently discovered the key used on the VPN has been compromised. What should you do to ensure the key isn't compromised in the future? A. Enable perfect forward secrecy at the main office and branch office ends of the VPN. B. Enable perfect forward secrecy at the main office end of the VPN. C. Enable perfect forward secrecy at the branch office end of the VPN. D. Disable perfect forward secrecy at the main office and branch office ends of the VPN.

A. Enable perfect forward secrecy (PFS) at the main office and branch office ends of the VPN. Perfect forward secrecy is a way to ensure the safety of session keys from future abuse by threat actors.

43. A security manager has asked you to explain why encryption is important and what symmetric encryption offers. Which of the following is the best explanation? A. Confidentiality B. Nonrepudiation C. Steganography D. Collision

A. Encryption provides confidentiality because the data is scrambled and cannot be read by an unauthorized user. Symmetric encryption uses one key to encrypt and decrypt data, and it is considered fast.

30. You have been instructed by the security manager to protect the server's data-at-rest. Which of the following would provide the strongest protection? A. Implement a full-disk encryption system. B. Implement biometric controls on data entry points. C. Implement a host-based intrusion detection system. D. Implement a host-based intrusion prevention system.

A. Full-disk encryption on data-at-rest will help protect the inactive data should the storage device be stolen. The thief would not be able to read the data.

50. In asymmetric encryption, what is used to decrypt an encrypted file? A. Private key B. Public key C. Message digest D. Ciphertext

A. In asymmetric encryption, sometimes referred to as public key encryption, the private key is used to decrypt an encrypted file.

16. James, an IT manager, expresses a concern during a monthly meeting about weak user passwords used on company servers and how they may be susceptible to brute-force password attacks. Which concept can James implement to make the weak passwords stronger? A. Key stretching B. Key escrow C. Key strength D. ECC

A. Key stretching increases the strength of stored passwords and protects passwords from brute-force attacks and rainbow table attacks.

36. You are the network administrator for a small office of 35 users and need to utilize mail encryption that will allow specific users to encrypt outgoing email messages. You are looking for an inexpensive onsite encryption server. Which of the following would you implement? A. PGP/GPG B. WPA2 C. CRL D. EAP-TLS

A. PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) provides a low-cost or open source alternative solution that allows users to encrypt their outgoing emails.

26. Which of the following is a form of encryption also known as ROT13? A. Substitution cipher B. Transposition cipher C. Diffusion D. Confusion

A. ROT13 is a substitution cipher that replaces a letter with the 13th letter after it in the alphabet.

49. Your IT support center is receiving a high number of calls stating that users trying to access the company's website are receiving certificate errors within their browsers. Which of the following statements best describes what the issue is? A. The website certificate has expired. B. Users have forgotten their usernames or passwords. C. The domain name has expired. D. The network is currently unavailable.

A. Users are receiving the error because the website certificate has expired. The user can continue accessing the website, but the error will state that the user could be accessing an untrusted site.

18. You set up your wireless SOHO router to encrypt wireless traffic, and you configure the router to require wireless clients to authenticate against a RADIUS server. What type of security have you configured? A. WPA2 Enterprise B. WPA2 Personal C. TKIP D. WEP

A. WPA2 Enterprise uses an authentication server such as a RADIUS server to control access to a WLAN.

38. You are the security manager for your company, and a system administrator wants to know if there is a way to reduce the cost of certificates by purchasing a certificate to cover all domains and subdomains for the company. Which of the following solutions would you offer? A. Wildcards B. Object identifiers C. Key escrow D. OCSP

A. Wildcard certificates allow the company to secure an unlimited number of subdomain certificates on a domain name from a third party.

13. Which of the following symmetric key algorithms are block ciphers? (Choose two.) A. MD5 B. 3DES C. RC4 D. Blowfish

B and D. 3DES and Blowfish are symmetric-key block ciphers. 3DES and Blowfish use a block size of 64 bits.

39. Which of the following are authentication protocols? (Choose two.) A. WPS B. EAP C. IPSec D. IEEE 802.1x

B and D. EAP and IEEE 802.1x are authentication protocols that transfer authentication data between two devices.

28. You are conducting a one-time electronic transaction with another company. The transaction needs to be encrypted, and for efficiency and simplicity, you want to use a single key for encryption and decryption of the data. Which of the following types would you use? A. Asymmetric B. Symmetric C. Hashing D. Steganography

B. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data.

19. You must implement a cryptography system that applies encryption to a group of data at a time. Which of the following would you choose? A. Stream B. Block C. Asymmetric D. Symmetric

B. Block ciphers encrypt data one fixed-size block at a time. A cryptographic service provider, a cryptographic module, performs block and stream cryptography algorithms.

17. You are installing a network for a small business named Matrix Interior Design that the owner is operating out of their home. There are only four devices that will use the wireless LAN, and you are installing a SOHO wireless router between the wireless LAN clients and the broadband connection. To ensure better security from outside threats connecting to the wireless SOHO router, which of the following would be a good choice for the WPA2-PSK passphrase? A. 123456 B. XXrcERr6Euex9pRCdn3h3 C. bRtlBv D. HomeBusiness

B. Complex passwords of 16 or more ASCII characters are considered strong. Passwords should follow the complexity rule of having three of the four following items: lowercase letter, uppercase letter, number, and special character.

3. Mary is concerned about the validity of an email because a coworker denies sending it. How can Mary prove the authenticity of the email? A. Symmetric algorithm B. Digital signature C. CRL D. Asymmetric algorithm

B. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something.

21. Root CAs can delegate their authority to which of the following to issue certificates to users? A. Registered authorities B. Intermediate CAs C. CRL D. CSR

B. EAP-TLS is a remote access authentication protocol that supports the use of smartcards.

33. Which of the following cryptography concepts converts output data into a fixed-length value and cannot be reversed? A. Steganography B. Hashing C. Collision D. IV

B. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.

9. Matt has been told that successful attacks have been taking place and data that has been encrypted by his company's software system has leaked to the company's competitors. Matt, through investigation, has discovered patterns due to the lack of randomness in the seeding values used by the encryption algorithm in the company's software. This discovery has led to successful reverse engineering. What can the company use to ensure patterns are not created during the encryption process? A. One-time pad B. Initialization vector C. Stream cipher D. Block cipher

B. Initialization vectors (IVs) are random values that are used with algorithms to ensure patterns are not created during the encryption process. IVs are used with keys and are not encrypted when being sent to the destination.

12. Which of the following would you use to verify certificate status by receiving a response of "good," "revoked," or "unknown"? A. CRL B. OCSP C. RA D. PKI

B. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. It validates certificates by returning responses such as "good," "revoked," and "unknown."

34. SSL is a protocol used for securing transactions transmitting over an untrusted network such as the Internet. Which of the following best describes the action that occurs during the SSL connection setup process? A. The client creates a session key and encrypts it with the server's private key. B. The client creates a session key and encrypts it with the server's public key. C. The server creates a session key and encrypts it with the client's private key. D. The server creates a session key and encrypts it with the client's public key.

B. SSL (Secure Socket Layer) uses public key encryption. When a client accesses a secured website, it will generate a session key and encrypt it with the server's public key. The session key is decrypted with the server's private key, and the session key is used to encrypt and decrypt data sent back and forth.

44. You are a security administrator and have discovered one of the employees has been encoding confidential information into graphic files. Your employee is sharing these pictures on their social media account. What concept was the employee using? A. Hashing B. Steganography C. Symmetric algorithm D. Asymmetric algorithm

B. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.

20. Which symmetric block cipher supersedes Blowfish? A. RSA B. Twofish C. MD5 D. PBKDF2

B. Twofish is a symmetric block cipher that replaced Blowfish.

15. What encryption protocol does WEP improperly use? A. RC6 B. RC4 C. AES D. DES

B. WEP uses the encryption protocol RC4 and is considered insecure.

46. You are configuring your friend's new wireless SOHO router and discover a PIN on the back of the router. Which of the following best describes the purpose of the PIN? A. This is a WEP PIN. B. This is a WPS PIN. C. This is a WPA PIN. D. This is a Bluetooth PIN.

B. WPS is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. Users enter a PIN to allow the device to connect after pressing the WPS button on the SOHO router.

4. Wi-Fi Alliance recommends that a passphrase be how many characters in length for WPA2-Personal security? A. 6 characters B. 8 characters C. 12 characters D. 16 characters

B. The Wi-Fi Alliance, a nonprofit organization that promotes Wi-Fi technology, recommends a passphrase be at least eight characters long and include a mixture of upper- and lowercase letters and symbols.

48. Your company has asked you to recommend a secure method for password storage. Which of the following would provide the best protection against brute-force attacks? (Choose two.) A. ROT13 B. MD5 C. PBKDF2 D. BCRYPT

C and D. PBKDF2 applies a pseudo-random function such as an HMAC to the password along with a salt value and produces a derived key. PBKDF2 is designed to protect against brute-force attacks. BCRYPT is a password-hashing function derived from the Blowfish cipher. It adds a salt value to protect against rainbow table attacks.

25. You are conducting a training program for new network administrators for your company. You talk about the benefits of asymmetric encryption. Which of the following are considered asymmetric algorithms? (Choose two.) A. RC4 B. DES C. RSA D. ECC

C and D. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions. ECC (elliptical curve cryptography) is based on elliptic curve theory that uses points on a curve to define more efficient public and private keys.

14. Which of the following encryption algorithms is the weakest? A. Blowfish B. AES C. DES D. SHA

C. DES (Data Encryption Standard) uses a 56-bit key and has been superseded by 3DES. DES is considered insecure for many applications.

35. Which of the following EAP types requires both server and client certificates? A. EAP-FAST B. PEAP C. EAP-TLS D. EAP-TTLS

C. EAP-TLS requires both client and server to have certificates. The authentication is mutual where the server authenticates to the client and the client authenticates to the server.

11. The CIO at your company no longer wants to use asymmetric algorithms because of the cost. Of the following algorithms, which should the CIO discontinue using? A. AES B. RC4 C. RSA D. Twofish

C. RSA is an asymmetric algorithm and should be discontinued.

37. You have been promoted to security administrator for your company and you need to be aware of all types of hashing algorithms for integrity checks. Which algorithm offers a 160-bit digest? A. MD5 B. RC4 C. SHA-1 D. AES

C. SHA-1 is a hashing algorithm that produces a 160-bit digest.

27. Matt needs to calculate the number of keys that must be generated for 480 employees using the company's PKI asymmetric algorithm. How many keys must Matt create? A. 114,960 B. 480 C. 960 D. 229,920

C. With asymmetric algorithms, every user must have at least one pair of keys (private and public). The two keys are mathematically related. If a message is encrypted with one key, the other key is required to decrypt the message. The formula to determine the number of keys needed is N × 2, where N is the number of people.

2. Your company's web server certificate has been revoked and external customers are receiving errors when they connect to the website. Which of following actions must you take? A. Renew the certificate. B. Create and use a self-signed certificate. C. Request a certificate from the key escrow. D. Generate a new key pair and new certificate.

D. A revoked certificate is no longer valid for the intended purpose, and a new key pair and certificate will need to be generated.

10. You are asked to configure a WLAN that does not require a user to provide any credentials to associate with a wireless AP and access a WLAN. What type of authentication is said to be in use? A. IV B. WEP C. WPA D. Open

D. An open wireless network does not require a user to enter credentials for access.

22. Which of the following protocols should be used to authenticate remote access users with smartcards? A. PEAP B. EAP-TLS C. CHAP D. MS-CHAPv2

D. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something.

23. Tom is sending Mary a document and wants to show the document came from him. Which of the following should Tom use to digitally sign the document? A. TKIP B. Intermediate CA C. Public key D. Private key

D. Digital signatures are created by using the user's or computer's private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny something.

24. Which of the following EAP types offers support for legacy authentication protocols such as PAP, CHAP, MS-CHAP, or MS-CHAPv2? A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-TTLS

D. EAP-TTLS determines how user authentication is performed during phase 2. The user authentication may use a legacy protocol such as PAP, CHAP, MS-CHAP, or MS-CHAPv2.

8. You are given the task of selecting an asymmetric encryption type that has an appropriate level of encryption strength but uses a smaller key length than is typically required. Which of the following encryption methods will accomplish your requirement? A. Blowfish B. RSA C. DHE D. ECC

D. ECC (elliptic curve cryptography) is an asymmetric algorithm that uses smaller keys and provides the same level of strength as asymmetric algorithms with longer key lengths.

41. You are tasked to implement a solution to ensure data stored on a removable USB drive hasn't been tampered with. Which of the following would you implement? A. Key escrow B. File backup C. File encryption D. File hashing

D. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.

42. Which of the following is mainly used for remote access into a network? A. TACACS+ B. XTACACS C. Kerberos D. RADIUS

D. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security.

29. Which of the following uses two mathematically related keys to secure data during transmission? A. Twofish B. 3DES C. RC4 D. RSA

D. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a public and a private key to encrypt and decrypt data during transmissions.

7. Your company has implemented a RADIUS server and has clients that are capable of using multiple EAP types, including one configured for use on the RADIUS server. Your security manager wants to implement a WPA2-Enterprise system. Since you have the RADIUS server and clients, what piece of the network would you need? A. Network access control B. Authentication server C. Authenticator D. Supplicant

D. You would need the supplicant. The authenticator, an AP or wireless controller, sends authentication messages between the supplicant and the authentication server.
