Information Security Chapter 8 Review Questions
What was the earliest reason for the use of cryptography?
Concealing military and political secrets while they were transported from place to place.
What does it mean to be "out of band"? Why is it important to exchange keys out of band in symmetric encryption?
An out-of-band channel is a channel of communication that does not carry the ciphertext. Key exchange must either be done out of band or using a secured method so that the key is not intercepted and used to read the secret message.
What is a hash function, and what can it be used for?
Hash functions are mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm the identity of a specific message and to confirm that its content has not changed.
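An added example (not part of the original review answers) showing what the answer above describes: a digest is computed for a message, sent alongside it, and recomputed by the receiver, so a single changed character is detected. The sample messages and the key name are constructed for the demonstration; the keyed variant (HMAC) is included because a bare digest only detects accidental change, while a keyed fingerprint also stops someone who alters the message from simply recomputing a matching digest.

```python
import hashlib
import hmac

def digest(message: bytes) -> str:
    """SHA-256 fingerprint of a message, as 64 hex characters."""
    return hashlib.sha256(message).hexdigest()

def verify_unchanged(message: bytes, expected_digest: str) -> bool:
    """Recompute the fingerprint of what was received and compare it, in
    constant time, with the fingerprint that accompanied the message."""
    return hmac.compare_digest(digest(message), expected_digest)

def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: a fingerprint only holders of the key can produce, so an
    attacker who alters the message cannot recompute a matching value."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

# Constructed sample data for the demonstration.
ORIGINAL = b"Transfer 100 dollars to account 4471"
TAMPERED = b"Transfer 900 dollars to account 4471"   # one digit changed
SENT_DIGEST = digest(ORIGINAL)
SHARED_KEY = b"constructed-demo-key"                  # assumed pre-shared key

if __name__ == "__main__":
    print(SENT_DIGEST)
    print(verify_unchanged(ORIGINAL, SENT_DIGEST))   # True
    print(verify_unchanged(TAMPERED, SENT_DIGEST))   # False
    print(keyed_digest(SHARED_KEY, ORIGINAL))
```

Note that `verify_unchanged` only tells you the received bytes match the digest you were given; if the digest itself travelled with the message unprotected, it must be signed or keyed (as in `keyed_digest`) before it proves anything about who sent it.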
What is a cryptographic key, and what is it used for? What is a more formal name for a cryptographic key?
In cryptosystems, a key, also known as a cryptovariable, is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext. The key can be a series of bits used by a computer program, or it can be a passphrase used by people that is then converted into a series of bits for use in the computer program.
What is steganography, and what can it be used for?
Steganography is a process used to hide messages within digital encoding of pictures and graphics. It is a concern for security professionals because hidden messages can contain sensitive information that needs to be protected.
What is the fundamental difference between symmetric and asymmetric encryption?
Asymmetric encryption is also known as public-key encryption. It uses two different keys to encrypt messages: the public key and the private key. Symmetric encryption is different because it uses only one key to encrypt and decrypt messages. Symmetric encryption is much faster for the computer to process, but it raises the costs of key management. In symmetric encryption, also called private key encryption, the same key is used both to encrypt and decrypt the message. Both the sender and receiver must possess a copy of the key. The problem with symmetric encryption is getting a copy of the key to the sender. Asymmetric encryption uses two different keys. Either key may encrypt or decrypt the message, but one key must be used for encryption only and the other must be used for decryption only. The technique has the greatest value when one key is used as a private key and the other is used as a public key. The public key is stored in a public location where anyone can use it. The problem with asymmetric encryption is that it requires four keys to hold a single conversation between two parties. Due to the number of keys involved in asymmetric encryption, it is not as efficient as symmetric encryption in terms of CPU computations and key management.
What are the components of PKI?
A certificate authority (CA), which issues, manages, authenticates, signs, and revokes users' digital certificates. These certificates typically contain the user's name, public key, and other identifying information.
A registration authority (RA), which operates under the trusted collaboration of the certificate authority and can be delegated day-to-day certification functions, such as verifying registration information about new registrants, generating end-user keys, revoking certificates, and validating that users possess a valid certificate.
Certificate directories, which are central locations for certificate storage that provide a single access point for administration and distribution.
Management protocols, which organize and manage the communications between CAs, RAs, and end users. This includes the functions and procedures for setting up new users, issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of certificates and status information among the parties involved in the PKI's area of authority.
Policies and procedures that assist an organization in the application and management of certificates, the formalization of legal liabilities and limitations, and actual business practice.
What is the difference between a digital signature and a digital certificate?
A digital certificate is a wrapper for a key value. A digital signature is a combination of a message digest and other information used to assure nonrepudiation.
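An added example (not part of the original review answers) that ties together the symmetric/asymmetric answer and the signature/certificate answer above. It assumes two users, Alice and Bob, and a CA named "ToyCA"; the symmetric part is a toy XOR keystream cipher, and the asymmetric part is textbook (unpadded) RSA built from Mersenne primes, both written for this demonstration rather than taken from any library. It shows that one shared key works in both directions, that with a key pair whichever key is applied only its partner undoes it, that a signature is the message digest transformed with the signer's private key, and that a certificate is just the subject's public key wrapped with identity data and signed by the CA.

```python
import hashlib
import json

# ---- Symmetric: one shared key, and the same key both encrypts and decrypts ----
def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream cipher (SHA-256 in counter mode), used only to show the
    symmetric property: applying it twice with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# ---- Asymmetric: textbook (unpadded) RSA from fixed Mersenne primes ----
def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e; needs Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, value: int) -> int:
    """One RSA operation; whichever key of a pair is used, only its partner undoes it."""
    exp, n = key
    return pow(value, exp, n)

# ---- Digital signature: the message digest transformed with the signer's private key ----
def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message: bytes) -> int:
    return rsa_apply(private_key, _digest_int(message, private_key[1]))

def verify(public_key, message: bytes, signature: int) -> bool:
    return rsa_apply(public_key, signature) == _digest_int(message, public_key[1])

# ---- Digital certificate: a public key wrapped with identity data and signed by a CA ----
def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_private, subject: str, subject_public_key) -> dict:
    body = {"subject": subject, "issuer": "ToyCA", "public_key": list(subject_public_key)}
    return {"body": body, "signature": sign(ca_private, _canonical(body))}

def verify_certificate(ca_public, cert: dict) -> bool:
    return verify(ca_public, _canonical(cert["body"]), cert["signature"])

# Constructed parties: two users (two key pairs, so four keys for one two-way
# conversation, as the text says) plus a CA. All primes are 2^k - 1 Mersenne primes.
ALICE_PUB, ALICE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**521 - 1)

if __name__ == "__main__":
    # Symmetric: Alice and Bob must already share ONE key before they start.
    shared = b"constructed-shared-key"
    ct = keystream_cipher(shared, b"same key both ways")
    print(keystream_cipher(shared, ct))
    # Asymmetric: anyone encrypts to Bob's public key; only Bob's private key decrypts.
    c = rsa_apply(BOB_PUB, 1234)
    print(rsa_apply(BOB_PRIV, c))                       # 1234
    # Certificate from the CA, then a signature checked with the key taken from it.
    cert = issue_certificate(CA_PRIV, "bob", BOB_PUB)
    print(verify_certificate(CA_PUB, cert))              # True
    sig = sign(BOB_PRIV, b"hello alice")
    print(verify(tuple(cert["body"]["public_key"]), b"hello alice", sig))  # True
```

The certificate body is serialised with sorted keys so that issuer and verifier hash exactly the same bytes; any change to the subject name or embedded public key changes those bytes and the CA's signature no longer verifies.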
What critical issue in symmetric and asymmetric encryption is resolved by using a hybrid method like Diffie-Hellman?
A hybrid system can be used without the need for out-of-band key exchange.
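An added example (not from the original review answers) of the point above: a Diffie-Hellman exchange in which Alice and Bob each keep a private exponent, send only a public value across the open channel, and still arrive at the same number, which is then hashed into a key for a symmetric cipher. The group parameters (the Mersenne prime 2^127 - 1 with base 3) and the party names are constructed for this demonstration and are not a standardised group; the `eavesdropper_guess` function exists only to show that combining the two public values directly does not yield the key.

```python
import hashlib
import secrets

# Demo group (constructed for this example, not a standardised DH group):
# P is the Mersenne prime 2^127 - 1 and G an arbitrary small base. Real systems
# use 2048-bit+ MODP groups or elliptic curves.
P = 2**127 - 1
G = 3

def generate_private() -> int:
    """Each side's secret exponent; it never leaves the machine that made it."""
    return secrets.randbelow(P - 3) + 2

def public_value(private: int) -> int:
    """What is sent over the open channel: G^private mod P."""
    return pow(G, private, P)

def shared_secret(my_private: int, their_public: int) -> int:
    """(G^theirs)^mine == (G^mine)^theirs, so both sides land on the same number."""
    return pow(their_public, my_private, P)

def derive_symmetric_key(secret: int) -> bytes:
    """Hash the agreed number into a 256-bit key for a symmetric cipher."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def eavesdropper_guess(alice_public: int, bob_public: int) -> bytes:
    """What someone who only saw the channel can compute: combining the two
    public values directly gives G^(a*B), not G^(a*b), so it is not the key."""
    return derive_symmetric_key(pow(alice_public, bob_public, P))

def run_exchange():
    """Simulate the exchange; only the two public values cross the channel."""
    a, b = generate_private(), generate_private()
    channel = [("Alice->Bob", public_value(a)), ("Bob->Alice", public_value(b))]
    key_alice = derive_symmetric_key(shared_secret(a, channel[1][1]))
    key_bob = derive_symmetric_key(shared_secret(b, channel[0][1]))
    return key_alice, key_bob, channel

if __name__ == "__main__":
    ka, kb, channel = run_exchange()
    print("keys match:", ka == kb)        # True
    print("on the wire:", channel)
```

Nothing in `channel` is secret, which is why the key does not have to be carried out of band; what plain Diffie-Hellman does not do by itself is tell Alice that the public value really came from Bob, which is where signed values or certificates from a PKI come in.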
What are cryptography and cryptanalysis?
Cryptography and cryptanalysis are the two topic areas within cryptology.
What are the three basic operations in cryptography?
Encrypting, decrypting, and hashing are the three basic operations in cryptography.
How does public-key infrastructure (PKI) add value to an organization seeking to use cryptography to protect information assets?
PKI makes the use of cryptographic systems more convenient and cost-effective.