Chapter 10 Understanding Cryptography and PKI Flashcards

1
Q

______ provides assurances that data has not been modified. Hashing ensures that data has retained integrity.

A

Integrity

2
Q

A ____ is a number derived from performing a calculation on data, such as a message, patch, or file.

A

Hash

3
Q

_______ creates a fixed-size string of bits or hexadecimal characters, which cannot be reversed to re-create the original data.

A

Hashing

4
Q

Common hashing algorithms include ___ and ______ ____ ________.

A

MD5 and Secure Hash Algorithm (SHA)

5
Q

_________ ensures that data is only viewable by authorized users.

A

Confidentiality

6
Q

_______ protects the confidentiality of data.

A

Encryption

7
Q

_______ scrambles, or ciphers, data to make it unreadable if intercepted.

A

Encryption

8
Q

_______ normally includes an algorithm and a key.

A

Encryption

9
Q

_______ _________ uses the same key to encrypt and decrypt data.

A

Symmetric encryption

10
Q

_________ _________ uses two keys (public and private) created as a matched pair.

A

Asymmetric encryption

11
Q

_________ _________ requires a Public Key Infrastructure (PKI) to issue certificates.

A

Asymmetric encryption

(Strictly, the mathematics needs no PKI; the PKI is what binds a public key to an identity so the other party has a reason to trust it. SSH, for example, uses asymmetric keys without certificates.)

12
Q

True or False: Anything encrypted with the public key can only be decrypted with the matching private key.

A

True

13
Q

True or False: Anything encrypted with the private key can only be decrypted with the matching public key.

A

True

(This is the exam model of a digital signature. In practice, RSA signing is a separate padded operation from encryption, and DSA/ECDSA do not "encrypt" anything; the verifier checks the signature against the hash with the public key.)

14
Q

_____ ______ encrypt data one bit (or one byte) at a time.

A

Stream ciphers

15
Q

_____ _______ encrypt data in blocks.

A

Block ciphers

16
Q

___________ provides a level of confidentiality by hiding data within other files.

A

Steganography

17
Q

A ______ _______ provides authentication, non-repudiation, and integrity.

A

Digital signature

18
Q

__________ validates an identity.

A

Authentication

19
Q

____________ prevents a party from denying an action.

A

Non-repudiation

20
Q

True or False : Users sign emails with a digital signature, which is a hash of an email message encrypted with the sender’s private key.

A

True

21
Q

True or False : Only the sender’s public key can decrypt the hash, providing verification it was encrypted with the sender’s private key.

A

True

22
Q

True or False : No matter how many times you execute the hashing algorithm against the data, the hash will always be the same if the data is the same.

A

True

23
Q

_______ _______ is a common hashing algorithm that produces a 128-bit hash.

A

Message Digest 5 (MD5)

24
Q

True or False : Although security experts now consider MD5 cracked (practical collisions exist) and discourage its use, it is still widely used to verify the integrity of files, including email, files stored on disks, files downloaded from the Internet, executable files, and more.

A

True

(A collision-broken hash still catches accidental corruption, but it cannot be relied on against an attacker who can substitute a file; use SHA-256 or better for anything security-relevant.)

25
Q

List the different types of SHA

A
  1. SHA-0 - withdrawn shortly after publication; not used
  2. SHA-1 - creates 160-bit hashes; deprecated by NIST in 2011, and a practical collision was demonstrated in 2017 (SHAttered)
  3. SHA-2 - four versions: SHA-256, SHA-512, SHA-224 and SHA-384. The last two are truncated variants of the first two (computed with different initial values)
  4. SHA-3 - same output sizes as SHA-2 (SHA3-224/256/384/512) but a different internal design (the Keccak sponge construction), chosen so a break of SHA-2 would not carry over to it
26
Q

An ____ is a fixed-length string of bits similar to other hashing algorithms such as MD5 and SHA-1

A

HMAC

27
Q

True or False : HMAC also mixes a shared secret key into the calculation; only the sender and receiver know the key, so a valid HMAC proves both that the message is intact and that it came from someone holding the key (authenticity), which a plain hash cannot.

A

True

28
Q

True or False : Internet Protocol security (IPsec) and Transport Layer Security (TLS) often use a version of HMAC such as HMAC-MD5 and HMAC-SHA1 (older suites; current ones prefer HMAC-SHA256 or an AEAD mode such as AES-GCM that carries its own authentication tag).

A

True
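Added example, not from the book: cards 26 to 28 in Python. A plain SHA-256 over a message can be recomputed by whoever alters it, so on its own it only detects accidental corruption; an HMAC over the same message, keyed with a secret shared by sender and receiver, cannot be recomputed by a third party. The message, the key and the attacker's edit are constructed for the demo; the RFC 4231 test vector mentioned in the usage note is the real published one.

```python
import hashlib
import hmac
import secrets

# Constructed sample traffic for the demo; not from the book.
SHARED_KEY = secrets.token_bytes(32)      # known only to sender and receiver
MESSAGE = b"transfer=100&to=alice"


def plain_hash_tag(message: bytes) -> str:
    """Integrity only: anyone can recompute this, so it proves nothing about origin."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Integrity plus authenticity: recomputing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts(key: bytes, message: bytes, tag: str) -> bool:
    """compare_digest runs in constant time, so the check does not leak through
    timing how many leading characters of a forged tag happened to be right."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def attacker_forges_plain(message: bytes):
    """An on-path attacker rewrites the message and simply re-hashes it."""
    forged = message.replace(b"alice", b"mallory")
    return forged, plain_hash_tag(forged)


def attacker_forges_hmac(message: bytes):
    """Without the key, the best the attacker can do is guess a key (or replay an old tag)."""
    forged = message.replace(b"alice", b"mallory")
    return forged, hmac_tag(b"guessed-key", forged)


def demo() -> dict:
    forged, forged_plain_tag = attacker_forges_plain(MESSAGE)
    forged2, forged_hmac = attacker_forges_hmac(MESSAGE)
    return {
        # receiver recomputes the plain hash over the altered message: it matches, receiver is fooled
        "plain_hash_fooled": plain_hash_tag(forged) == forged_plain_tag,
        "genuine_hmac_ok": receiver_accepts(SHARED_KEY, MESSAGE, hmac_tag(SHARED_KEY, MESSAGE)),
        "forged_hmac_ok": receiver_accepts(SHARED_KEY, forged2, forged_hmac),
        # replaying the genuine tag on an altered message fails too
        "replayed_tag_ok": receiver_accepts(SHARED_KEY, forged2, hmac_tag(SHARED_KEY, MESSAGE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To check the implementation against a known answer, RFC 4231 test case 1 (key of twenty 0x0b bytes, data "Hi There") must give the HMAC-SHA-256 value b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7.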

29
Q

_____ _________ ________ _______ ______ ______ is another hash function used for integrity, though it isn’t as widely used as MD5, SHA, and HMAC.

A

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

30
Q

True or False : Many applications calculate and compare hashes automatically without any user intervention.

A

True

31
Q

_________ is a free program anyone can use to create hashes of files.

A

sha1sum.exe

(md5sum, sha256sum and similar command-line tools work the same way; prefer the SHA-2 variants for anything security-relevant.)
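Added example, not from the book or this deck: the check that cards 22, 30 and 31 describe, written in Python against a constructed file body rather than a real download. It hashes the way sha256sum/sha1sum do (in chunks), compares against a published digest, and counts how many of the 256 output bits change when a single character of the input changes. The file contents, the tampered copy and the "published" digest are made up for the demo.

```python
import hashlib
import hmac

# Constructed sample "file" and a tampered copy; not from the book.
ORIGINAL = b"example-app 1.2.3 installer\nbuild 2024-01-01\n" + bytes(range(256)) * 4
TAMPERED = ORIGINAL.replace(b"1.2.3", b"1.2.4")   # one character altered

CHUNK = 64 * 1024


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest as sha256sum/sha1sum/md5sum print it, fed in chunks so a large
    file never has to sit in memory all at once."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """What an installer or package manager does automatically: recompute and compare.
    compare_digest avoids leaking, through timing, how much of a guess matched."""
    return hmac.compare_digest(file_digest(data, algorithm), published_hex.strip().lower())


def bits_changed(digest_a: str, digest_b: str) -> int:
    """Number of output bits that differ between two hex digests of equal length."""
    return bin(int(digest_a, 16) ^ int(digest_b, 16)).count("1")


def demo() -> dict:
    published = file_digest(ORIGINAL)            # the digest a vendor would publish
    return {
        "deterministic": file_digest(ORIGINAL) == published,      # card 22: same data, same hash
        "original_ok": verify_download(ORIGINAL, published),
        "tampered_ok": verify_download(TAMPERED, published),      # one changed character is caught
        "bits_flipped": bits_changed(published, file_digest(TAMPERED)),   # about half of 256
        "digest_bits": len(published) * 4,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "bits_flipped" figure is the avalanche property of a good hash: changing one input character flips, on average, half of the output bits, so a tampered file never produces a digest that is merely "close" to the published one.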

32
Q

True or False : Hashing is a one-way function that creates a string of characters. You cannot reverse the hash to re-create the original file. Passwords are often stored as hashes instead of storing the actual password. Additionally, applications often salt passwords with extra characters before hashing them.

A

True

33
Q

___ _________ is a technique used to increase the strength of stored passwords and can help thwart brute force and rainbow table attacks.

A

Key stretching (sometimes called key strengthening)

34
Q

True or False : Key stretching techniques also salt the passwords with additional random bits, and then run the hash many times (or use a deliberately slow function) so that every guess costs an attacker far more work.

A

True

35
Q

List two common key stretching techniques

A
  1. Bcrypt
  2. Password-based key derivation function 2 (PBKDF2)

36
Q

______ is based on the Blowfish block cipher and is used on many Unix and Linux distributions to protect the passwords stored in the shadow password file.

A

Bcrypt

37
Q

_____ salts the password by adding additional random bits before hashing it.

A

Bcrypt

38
Q

True or False: The result of bcrypt is a 60-character string

A

True

(In the usual $2a$/$2b$ format that is 7 characters of version and cost factor, a 22-character salt and a 31-character hash, so the salt and work factor travel with the hash.)

39
Q

True or False : As an added measure, it’s possible to add some pepper to the salt to further randomize the bcrypt string.

A

True

The pepper is another set of random bits stored elsewhere

40
Q

________ uses salts of at least 64 bits and uses a pseudo-random function such as HMAC to protect passwords.

A

PBKDF2

41
Q

True or False : Many systems, such as Wi-Fi Protected Access II (WPA2), Apple's iOS mobile operating system, and Cisco operating systems, use PBKDF2 to increase the security of passwords.

A

True

42
Q

True or False : Some security experts believe that PBKDF2 is more susceptible to brute force attacks than bcrypt.

A

True

(PBKDF2 is cheap to run on GPUs and ASICs, whereas bcrypt's 4 KB of key-dependent table lookups makes parallel cracking hardware less efficient.)
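Added example, mine rather than the book's: the salt, pepper and stretching behaviour of cards 32 to 42 using Python's standard-library PBKDF2-HMAC-SHA256 (bcrypt would need a third-party package). The record format (algorithm$iterations$salt$hash), the pepper value and the sample passwords are assumptions for the demo; the 600,000-iteration default follows OWASP's current recommendation for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000       # OWASP (2023) figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16            # 128 bits; card 40's minimum is 64 bits
# Pepper: kept outside the database (environment, config file, HSM), never in the row.
# The value here is a constructed default for the demo.
PEPPER = os.environ.get("DEMO_PEPPER", "constructed-demo-pepper").encode()


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash base64)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    # Pepper step: key an HMAC with the pepper so a stolen table is useless without it.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    # Stretching step: `iterations` rounds of HMAC-SHA256 over the salted input.
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record, then compare
    in constant time."""
    algorithm, iterations, salt_b64, _ = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hash_password(password, int(iterations), base64.b64decode(salt_b64))
    return hmac.compare_digest(recomputed, record)


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Salting: two users with the same password get different stored hashes, so one
    precomputed (rainbow) table cannot cover both and equal passwords are not visible."""
    return hash_password(password, iterations) != hash_password(password, iterations)


def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Stretching: the cost an attacker pays for every single guess on this hardware."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"salt" * 4, iterations, dklen=32)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("salt differs:", same_password_different_records("hunter2"))
    print(f"cost per guess: {seconds_per_guess():.3f} s")
```

Storing the iteration count in the record is what lets you raise it later: old records keep verifying with their own count, and can be re-hashed at the user's next successful login.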

43
Q

True or False : If a question asks what you would use to encrypt data and it lists hashing algorithms, you can quickly eliminate them because hashing algorithms don’t encrypt data.

A

True

44
Q

_________ data is in a ciphertext format that is unreadable.

A

Encrypted

45
Q

True or False : if data is sent in cleartext, an attacker can capture and read the data using a protocol analyzer.

A

True

46
Q

_____ __ ____ refers to any data stored on media and it’s common to encrypt sensitive data.

A

Data-at-rest

47
Q

____ __ _______ refers to any data sent over a network and it’s common to encrypt sensitive data-in-transit.

A

Data-in-transit

48
Q

____ __ ___ refers to data being used by a computer.

A

Data-in-use

49
Q

What two elements are included in symmetric and asymmetric encryption?

A
  1. Algorithm
  2. Key

50
Q

The _______ performs mathematical calculations on data and is always the same

A

Algorithm

51
Q

The ___ is a number that provides variability for the encryption. It is either kept private and/or changed frequently.

A

Key

52
Q

True or False : Many encryption schemes require a random or pseudo-random number as an input.

A

True

53
Q

An ______ _____ provides a starting value for a cryptographic algorithm. It is a fixed-size random or pseudo-random value, sent along with the ciphertext, that ensures the same key and plaintext do not produce the same ciphertext twice.

A

Initialization vector (IV)

54
Q

A ______ is a number used once.

A

Nonce

55
Q

True or False : Many cryptographic algorithms use a random or pseudo- random nonce as a seed or a starting number.

A

True

56
Q

___ operations combine two inputs bit by bit: each output bit is 1 only where the corresponding input bits differ. Applying the same value twice cancels it out, which is why stream ciphers and CTR mode use it to apply and remove a keystream.

A

XOR

57
Q

In the context of encryption, _______ means that the ciphertext is significantly different from the plaintext, so that the relationship between key, plaintext and ciphertext is obscured.

A

Confusion

58
Q

Effective ______ techniques ensure that small changes in the plaintext (even a single bit) spread out and result in large changes in the ciphertext (on average about half the bits).

A

Diffusion

59
Q

A _______ algorithm is one that is kept private.

A

Secret

(Relying on a secret algorithm violates Kerckhoffs's principle; a sound design assumes the algorithm is public and keeps only the key secret.)

60
Q

True or False : A weak algorithm can be cracked, allowing an attacker to easily convert ciphertext back to plaintext.

A

True

61
Q

Within cryptography, ____ _______ refers to the security of an encryption key even if an attacker discovers part of the key.

A

High resiliency

62
Q

A ____ _____ encrypts data in specific-sized blocks, such as 64-bit blocks or 128-bit blocks.

A

Block cipher

63
Q

True or False : The block cipher divides large files or messages into these blocks and then encrypts them block by block; whether each block's result depends on the others is decided by the mode of operation (see ECB, CBC and CTR below).

A

True

64
Q

A _____ ______ encrypts data as a stream of bits or bytes rather than dividing it into blocks.

A

Stream cipher

65
Q

In general, ______ _______ are more efficient than block ciphers when the size of the data is unknown or sent in a continuous stream, such as when streaming audio and video over a network.

A

Stream ciphers

66
Q

_____ _______ are more efficient when the size of the data is known, such as when encrypting a file or a specific-sized database field.

A

Block ciphers

67
Q

True or False : An important principle when using a stream cipher is that encryption keys should never be reused.

A

True

If a key (more precisely, a key and nonce pair) is reused, the two ciphertexts XORed together equal the two plaintexts XORed together, because the keystream cancels out; knowing or guessing one message then reveals the other without ever recovering the key.
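Added example, not from the book: why cards 56 and 67 matter. The keystream generator below is a stand-in built from SHA-256 run in counter fashion (not RC4 or ChaCha20); the two messages, key and nonce are constructed. Encrypting two messages under the same key and nonce lets an attacker who knows one plaintext read the other without the key; a fresh nonce per message is the fix.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher keystream: SHA-256(key || nonce || counter) blocks.
    A demo construction only; the reuse flaw shown below applies to any stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (card 56)."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


stream_decrypt = stream_encrypt   # XOR with the same keystream twice cancels out


def recover_with_reused_keystream(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If ct1 and ct2 were made with the same key and nonce, ct1 ^ ct2 == pt1 ^ pt2
    (the keystream cancels), so knowing pt1 yields pt2 with no key at all."""
    return xor(xor(ct1, ct2), known_pt1)


def demo() -> dict:
    key, nonce = os.urandom(32), os.urandom(12)
    pt1 = b"the password is hunter2 "        # constructed, 24 bytes
    pt2 = b"wire 1000 USD to acct 42"        # constructed, 24 bytes
    ct1 = stream_encrypt(key, nonce, pt1)
    ct2 = stream_encrypt(key, nonce, pt2)                  # BUG: key and nonce reused
    ct2_fresh = stream_encrypt(key, os.urandom(12), pt2)   # FIX: fresh nonce per message
    return {
        "roundtrip": stream_decrypt(key, nonce, ct1) == pt1,
        "recovered_pt2": recover_with_reused_keystream(ct1, ct2, pt1),
        "recovered_with_fresh_nonce": recover_with_reused_keystream(ct1, ct2_fresh, pt1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The attacker needs neither the key nor the nonce: only two ciphertexts that share a keystream and one known (or guessable, such as a protocol header) plaintext. This is exactly the failure that broke WEP and several "roll your own" RC4 deployments.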

68
Q

Algorithms that use ___ divide the plaintext into blocks and then encrypt each block independently using the same key, so identical plaintext blocks produce identical ciphertext blocks.

A

Electronic Codebook (ECB)

69
Q

True or False : The Electronic Codebook (ECB) mode of operation is the simplest cipher mode

A

True

70
Q

True or False : ECB is not recommended for use in any cryptographic protocols today.

A

True

71
Q

_____ ______ ________ mode is used by some symmetric block ciphers. It uses an IV for randomization when encrypting the first block. Each later plaintext block is XORed with the previous ciphertext block before it is encrypted, so identical plaintext blocks no longer produce identical ciphertext.

A

Cipher Block Chaining (CBC)

72
Q

Because encrypting each block depends on the ciphertext of the previous block, ____ encryption cannot be parallelized and sometimes suffers from pipeline delays, making it less efficient than some other modes (decryption, by contrast, can run in parallel).

A

CBC

73
Q

_______ mode effectively converts a block cipher into a stream cipher. It encrypts the combination of an IV (nonce) and a counter with the key, and XORs the result with each plaintext block. Every block uses the same key and IV, but ___ combines the IV with a different counter value for each block, so each block is masked by a different keystream block.

A

Counter (CTM)

It’s much more common to see it listed as CTR or CM.

74
Q

True or False : In CTR mode, multiprocessor systems can encrypt or decrypt multiple blocks at the same time, because each block's keystream depends only on the nonce and counter, allowing the algorithm to be quicker on multiprocessor or multicore systems.

A

True

75
Q

True or False : CTM is not widely used and respected as a secure mode of operation.

A

False

CTR is widely used and respected as a secure mode of operation (it is the encryption half of AES-GCM), provided that a counter value is never reused with the same key.
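Added example, not from the book, covering ECB, CBC and CTR from cards 62 to 75. Python's standard library has no AES, so the 128-bit block cipher here is a stand-in: a four-round Feistel network whose round function is HMAC-SHA256 (in real code use AES from the cryptography package). The modes themselves are implemented as the cards describe; the plaintext and keys are constructed. ECB shows its repeated blocks, CBC chains each block through the previous ciphertext block, and CTR turns the block cipher into a stream cipher that needs no padding and can be parallelized.

```python
import hashlib
import hmac
import os

BLOCK = 16   # bytes; AES also uses 128-bit blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: 4-round Feistel network keyed with HMAC-SHA256.
    Used only so the modes below can run without a third-party AES; not for real use."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):                       # undo the rounds in reverse
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:                          # PKCS#7 padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted independently: identical input blocks -> identical output blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block (the IV for the
    first) before encryption, so encryption is inherently sequential."""
    prev, out = iv, []
    for b in _blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)                            # IV travels with the ciphertext


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for c in _blocks(body):
        out.append(_xor(block_decrypt(key, c), prev))   # depends only on c and prev: parallelizable
        prev = c
    return _unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Same key, same 8-byte nonce, a different counter per block -> a different keystream
    block each time. Blocks are independent (parallelizable), no padding is needed, and the
    same call decrypts. NEVER reuse a (key, nonce) pair."""
    out = []
    for i, chunk in enumerate(_blocks(data)):
        ks = block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out.append(_xor(chunk, ks))                      # zip() trims ks for a short last block
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks are duplicates; anything above 0 is structure leaking."""
    bs = _blocks(ciphertext)
    return len(bs) - len(set(bs))


def demo(key: bytes = None) -> dict:
    key = key or os.urandom(32)
    pt = b"ATTACK AT DAWN!!" * 4          # constructed: four identical 16-byte blocks
    ecb = ecb_encrypt(key, pt)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), pt)
    ctr = ctr_crypt(key, os.urandom(8), pt)
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 3: the four equal blocks encrypt identically
        "cbc_repeats": repeated_blocks(cbc),   # 0
        "ctr_repeats": repeated_blocks(ctr),   # 0
        "cbc_roundtrip": cbc_decrypt(key, cbc) == pt,
    }


if __name__ == "__main__":
    print(demo())
```

None of these modes checks integrity: an attacker can flip bits in CTR ciphertext (and, with more effort, in CBC) without detection, which is why GCM in the next cards adds an authentication tag on top of CTR.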

76
Q

______ ______ ____ is a mode of operation used by many block ciphers. It combines the _____ mode of operation with the _____ mode of authentication.

A

Galois/Counter Mode (GCM), Counter, Galois

77
Q

True or False : In addition to encrypting the data for confidentiality, Galois/Counter Mode computes an authentication tag (a Galois-field MAC over the ciphertext and any associated data) that the receiver checks before trusting the decrypted output, providing integrity and authenticity.

A

True

78
Q

Symmetric encryption is also called ______ ___ encryption or _______ ___ encryption.

A

Secret-key or session-key

79
Q

A ________ _____ replaces plaintext with ciphertext using a fixed system.

A

Substitution cipher

80
Q

The ______ cipher uses the same shift-substitution (Caesar) algorithm, but always uses a key of 13.

A

ROT13 (short for rotate 13 places)

81
Q

True or False : ROT13 uses both the same algorithm and the same key, it doesn’t provide true encryption but instead just obfuscates the data.

A

True

82
Q

True or False : Symmetric encryption algorithms change keys much more often than once a day.

A

True

83
Q

The _______ _________ _________ is a strong symmetric block cipher that encrypts data in 128-bit blocks.

A

Advanced Encryption Standard (AES)

84
Q

True or False : AES can use key sizes of 128 bits, 192 bits, or 256 bits, and it’s sometimes referred to as AES-128, AES-192, or AES-256 to identify how many bits are used in the key.

A

True

85
Q

______ keys for a specific algorithm result in stronger key strength.

A

Longer

86
Q

List some of the strengths of AES

A
  1. Fast - uses elegant mathematical formulas and only requires a single pass to encrypt and decrypt data
  2. Efficient - less resource intensive
  3. Strong - strong encryption of data –> high level of confidentiality
87
Q

____ ________ ________ is a symmetric block cipher that was widely used for many years, dating back to the 1970s.

A

Data Encryption Standard (DES)

88
Q

True or False : DES encrypts data in 64- bit blocks. However, it uses a relatively small key of only 56 bits and can be broken with brute force attacks.

A

True

DES is not recommended for use today.

89
Q

____ is a symmetric block cipher designed to encrypt data using the DES algorithm in three separate passes and uses multiple keys.

A

3DES (pronounced as “Triple DES”)

90
Q

True or False : 3DES uses key sizes of 58 bits, 116 bits, or 174 bits.

A

False

56, 112, or 168 bits

(One, two, or three independent 56-bit DES keys. Because of meet-in-the-middle attacks, three-key 3DES gives about 112 bits of effective strength and two-key 3DES about 80; NIST disallowed 3DES for new use after 2023.)

91
Q

___ is a symmetric stream cipher and it can use between 40 and 2,048 bits.

A

RC4 (also called ARC4)

92
Q

True or False : Microsoft recommends disabling RC4 and using AES instead, citing speculation that the NSA can break RC4.

A

True

(RC4 also has published keystream biases that make plaintext recovery practical, and RFC 7465 (2015) prohibits RC4 cipher suites in TLS.)

93
Q

True or False: TLS can implement either block or stream ciphers

A

True

94
Q

_______ is a strong symmetric block cipher that encrypts data in 64-bit blocks and supports key sizes between 32 and 448 bits.

A

Blowfish

95
Q

______ is related to Blowfish, but it encrypts data in 128-bit blocks and it supports 128-, 192-, or 256-bit keys.

A

Twofish

96
Q

True or False: AES-256 is faster than Blowfish

A

False

97
Q

List the type, method, and key size for the following:

  1. AES
  2. 3DES
  3. Blowfish
  4. Twofish
  5. RC4
  6. DES
A
  1. Symmetric encryption, 128 bit block cipher, 128, 192, 256 bit key
  2. Symmetric encryption, 64-bit block cipher, 56, 112, 168 bit key
  3. Symmetric encryption, 64-bit block cipher, 32 to 448 bit key
  4. Symmetric encryption, 128-bit block cipher, 128, 192, 256 bit key
  5. Symmetric encryption, Stream cipher, 40 to 2048 bit key
  6. Symmetric encryption, 64-bit block cipher, 56-bit key
98
Q

_________ encryption uses two keys in a matched pair to encrypt and decrypt data, a public key and a private key.

A

Asymmetric

99
Q

True or False : If the public key encrypts information, only the matching private key can decrypt the same information.

A

True

100
Q

True or False : If the private key encrypts information, only the matching public key can decrypt the same information.

A

True

101
Q

True or False : Private keys are always kept private and never shared.

A

True

102
Q

True or False : Public keys are freely shared by embedding them in a shared certificate.

A

True

103
Q

True or False : Asymmetric encryption is not very resource intensive.

A

False

Asymmetric encryption is resource intensive

104
Q

___ ______ is any cryptographic method used to share cryptographic keys between two entities.

A

Key exchange

105
Q

A ______ is a digital document that typically includes the public key and information on the owner of the certificate.

A

Certificate

106
Q

True or False : Certificate Authorities issue and manage certificates.

A

True

107
Q

True or False : Certificates are used for a variety of purposes beyond just asymmetric encryption, including authentication and digital signatures.

A

True

108
Q

A key element of asymmetric encryption is a _______.

A

Certificate

109
Q

List common elements within a certificate

A
  1. Serial number - unique ID of the certificate
  2. Issuer - the CA that issued the certificate
  3. Validity dates
  4. Subject - owner of the certificate
  5. Public key - RSA asymmetric encryption uses the public key in combination with the matching private key
  6. Usage
110
Q

True or False : Email applications often use RSA to privately share a symmetric key between two systems.

A

True

The application uses the recipient’s public key to encrypt a symmetric key, and the recipient’s private key decrypts it.

111
Q

True or False : RSA laboratories recommend a key size of 2,048 bits to protect data through the year 2030. If data needs to be protected beyond 2030, they recommend a key size of 3,072 bits.

A

True

112
Q

True or False : RSA is widely used on the Internet and elsewhere due to its strong security.

A

True

113
Q

The two primary categories of asymmetric keys are _____ and __________.

A

Static and ephemeral

114
Q

A _____ key is semi-permanent and stays the same over a long period of time.

A

Static

115
Q

An ________ key has a very short lifetime and is re-created for each session.

A

Ephemeral

116
Q

RSA uses _____ keys.

A

Static

117
Q

______ _______ ______ indicates that a cryptographic system generates a fresh, random key pair for every session and discards it afterwards, so that compromise of a long-term private key does not let an attacker decrypt previously recorded sessions.

A

Perfect forward secrecy

118
Q

______ _____ ___________ doesn’t take as much processing power as other cryptographic methods and is often considered with common use cases of low-power devices.

A

Elliptic curve cryptography (ECC)

119
Q

True or False : ECC uses the arithmetic of points on an elliptic curve over a finite field to create keys. Its security rests on a harder problem (the elliptic curve discrete logarithm), so it reaches the same strength as RSA with far shorter keys (a 256-bit ECC key is comparable to a 3,072-bit RSA key), which makes it faster, less power-hungry and no easier to crack.

A

True

120
Q

_____ _______ is a key exchange algorithm used to privately share a symmetric key between two parties.

A

Diffie-Hellman (DH)

121
Q

Diffie-Hellman methods support both _____ keys and ________ keys.

A

Static and ephemeral

122
Q

______ ________ _________ uses ephemeral keys, generating different keys for each session.

A

Diffie-Hellman Ephemeral (DHE)

123
Q

_____ ______ ______ _______ uses ephemeral keys generated using ECC.

A

Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)

124
Q

______ _____ _______ ________, uses static keys.

A

Elliptic Curve Diffie-Hellman (ECDH)

125
Q

True or False: With DH higher group numbers indicate the group is more secure. For example, DH Group 1 uses 768 bits in the key exchange process and DH Group 15 uses 3,072 bits.

A

True

(This ordering holds among the MODP groups; groups 19, 20 and 21 are elliptic-curve groups whose strength is judged by curve size, not by the group number.)
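Added example, not from the book: Diffie-Hellman with static versus ephemeral keys (cards 113 to 125) in Python. The group (p = 2^127 - 1, generator 3) is a toy chosen so the code runs instantly; real deployments use the 2048-bit-plus groups of RFC 3526 / RFC 7919 or an elliptic curve (ECDHE). The transcript labels and session counts are constructed for the demo.

```python
import hashlib
import secrets

# Toy group for the demo: p = 2**127 - 1 is prime, and 3 is used as the generator.
# (2 would be a poor choice here: 2**127 == 1 mod p, so it generates only 127 values.)
# Real deployments use the 2048-bit-plus groups of RFC 3526 / RFC 7919, or ECDHE.
P = 2**127 - 1
G = 3


def generate_keypair():
    """Private exponent x and public value g**x mod p; only the public value is sent."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def is_valid_public_value(value: int) -> bool:
    """Reject 0, 1 and p-1: an attacker who injects these forces a predictable secret."""
    return 1 < value < P - 1


def shared_secret(my_private: int, their_public: int) -> int:
    """Both sides get the same value because (g**y)**x == (g**x)**y mod p."""
    if not is_valid_public_value(their_public):
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, P)


def session_key(secret: int, transcript: bytes) -> bytes:
    """Derive a fixed-size symmetric key; mixing in the handshake transcript is standard."""
    return hashlib.sha256(secret.to_bytes(16, "big") + transcript).digest()


def static_dh_sessions(n: int = 3) -> int:
    """DH/ECDH with static keys: the same long-term key pairs give the same session key
    every time, so one leaked private key exposes every recorded session."""
    alice_priv, alice_pub = generate_keypair()
    bob_priv, bob_pub = generate_keypair()
    keys = set()
    for _ in range(n):
        k_alice = session_key(shared_secret(alice_priv, bob_pub), b"static")
        k_bob = session_key(shared_secret(bob_priv, alice_pub), b"static")
        assert k_alice == k_bob
        keys.add(k_alice)
    return len(keys)            # 1 distinct key for n sessions


def ephemeral_dh_sessions(n: int = 3) -> int:
    """DHE/ECDHE: fresh key pairs per session, so every session key is independent and
    the private exponents can be thrown away afterwards (perfect forward secrecy)."""
    keys = set()
    for _ in range(n):
        alice_priv, alice_pub = generate_keypair()
        bob_priv, bob_pub = generate_keypair()
        k_alice = session_key(shared_secret(alice_priv, bob_pub), b"ephemeral")
        k_bob = session_key(shared_secret(bob_priv, alice_pub), b"ephemeral")
        assert k_alice == k_bob
        keys.add(k_alice)
    return len(keys)            # n distinct keys for n sessions


if __name__ == "__main__":
    print("static DH, 3 sessions, distinct keys:", static_dh_sessions(3))
    print("ephemeral DH, 3 sessions, distinct keys:", ephemeral_dh_sessions(3))
```

Note that plain DH does not authenticate anybody: in TLS the ephemeral public values are signed with the server's certificate key (the static RSA or ECDSA key from the cards above), which is what stops a man-in-the-middle from substituting its own values.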

126
Q

True or False : Common examples of steganography are hiding data by manipulating bits and hiding data in the white space of a file.

A

True

127
Q

True or False :

Email digital signatures
• The sender’s private key encrypts (or signs).
• The sender’s public key decrypts.

A

True

128
Q

True or False :

Email encryption
• The recipient’s public key encrypts.
• The recipient’s private key decrypts.

A

True

129
Q

True or False :

Web site encryption
• The web site’s public key encrypts.
• The web site’s private key decrypts.
• The symmetric key encrypts data in the web site session.

A

True

(This describes RSA key exchange, where the client encrypts the pre-master secret with the site's public key. TLS 1.3 removed it in favour of ephemeral Diffie-Hellman; the site's key pair is then used only to sign the handshake, and the symmetric session key still encrypts the data.)

130
Q

Cryptography provides two primary security methods you can use with email: _______ _________ and _______.

A

Digital signatures and encryption

131
Q

The _____ ________ _______ uses an encrypted hash of a message. The hash is encrypted with the sender’s private key.

A

Digital signature algorithm (DSA)

(The "encrypted hash" description matches RSA signatures. The standardized DSA and ECDSA compute the signature with modular or elliptic-curve arithmetic over the hash; the verifier checks the signature against the hash using the public key rather than "decrypting" it.)

132
Q

True or False : If the recipient of a digitally signed email can decrypt the hash, it provides the following three security benefits:

  • Authentication
  • Non-repudiation
  • Integrity
A

True

133
Q

True or False : A digital signature is an encrypted hash of a message. The sender’s private key encrypts the hash of the message to create the digital signature. The recipient decrypts the hash with the sender’s public key. If successful, it provides authentication, non-repudiation, and integrity. Authentication identifies the sender. Integrity verifies the message has not been modified. Non-repudiation prevents senders from later denying they sent an email.

A

True
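Added example, not from the book: textbook RSA in Python, with no padding, to make the "private key signs, public key verifies" and "recipient's public key wraps the session key" patterns of cards 99, 100, 110 and 127 to 133 concrete. Key generation, the Miller-Rabin test and the 1,024-bit default are mine; real systems use RSA-PSS and OAEP padding and 2,048-bit or larger keys, so treat this as an illustration of the mathematics only.

```python
import hashlib
import secrets

# Textbook (unpadded) RSA, for illustrating the cards only. Real systems add padding
# (RSA-PSS for signatures, OAEP for key transport) and use 2048-bit or larger moduli.

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; a composite slips through with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Returns (public, private) as ((e, n), (d, n)). These are static keys (card 116)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            n = p * q
            return (e, n), (pow(e, -1, phi), n)


def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Digital signature: the hash of the message 'encrypted' with the sender's private key."""
    d, n = private_key
    return pow(_digest_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The recipient 'decrypts' the signature with the sender's public key and compares it
    with a freshly computed hash: integrity (hash matches), authentication and
    non-repudiation (only the private-key holder could have produced it)."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(message)


def wrap_session_key(recipient_public_key, session_key: bytes) -> int:
    """Email / RSA-key-exchange pattern: recipient's public key encrypts a symmetric key."""
    e, n = recipient_public_key
    k = int.from_bytes(session_key, "big")
    assert k < n, "session key must be smaller than the modulus"
    return pow(k, e, n)


def unwrap_session_key(recipient_private_key, wrapped: int, length: int = 32):
    """Only the matching private key recovers it; a wrong key yields garbage or None."""
    d, n = recipient_private_key
    value = pow(wrapped, d, n)
    if value >= 1 << (8 * length):
        return None
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"Meeting moved to 3pm"
    sig = sign(priv, msg)
    print("signature verifies:", verify(pub, msg, sig))
    print("altered message verifies:", verify(pub, b"Meeting moved to 4pm", sig))
    k = secrets.token_bytes(32)
    print("session key round-trips:", unwrap_session_key(priv, wrap_session_key(pub, k)) == k)
```

Without padding this scheme is malleable (signatures multiply, and a ciphertext can be altered predictably), which is exactly what PSS and OAEP exist to prevent; the structure of who holds which key is, however, the same as in S/MIME and RSA-based TLS.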

134
Q

When you’re encrypting email contents, the recipient’s ____ key encrypts and the recipient’s _______ key decrypts.

A

Public and private

135
Q

True or False : Most email applications use asymmetric encryption to privately share a session key. They then use symmetric encryption to encrypt the data.

A

True

136
Q

______/_____ _____ ___ _____ is one of the most popular standards used to digitally sign and encrypt email.

A

Secure/Multipurpose Internet Mail Extensions(S/MIME)

137
Q

S/MIME uses ___ for asymmetric encryption and ___ for symmetric encryption.

A

RSA and AES

138
Q

True or False : Because S/MIME uses RSA for asymmetric encryption, it requires a PKI to distribute and manage certificates.

A

True

139
Q

True or False : like S/MIME, PGP uses both asymmetric and symmetric encryption.

A

True

140
Q

_____ ____ ______ is a method used to secure email communication. It can encrypt, decrypt, and digitally sign email.

A

Pretty Good Privacy (PGP)

141
Q

________ encryption methods encrypt data-in-transit to ensure transmitted data remains confidential.

A

Transport

142
Q

Both ___ and ___ provide certificate-based authentication and they encrypt data with a combination of both symmetric and asymmetric encryption during a session.

A

SSL and TLS

143
Q

True or False : SSL and TLS use asymmetric encryption for the key exchange (to privately share a session key) and symmetric encryption to encrypt data displayed on the web page and transmitted during the session.

A

True

144
Q

True or False : Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that have been commonly used to encrypt data-in transit.

A

True

145
Q

______ _____ ______ is a replacement for SSL and is widely used in many different applications.

A

Transport Layer Security (TLS)

146
Q

True or False : A CA is required to support TLS and SSL.

A

True

147
Q

_____ uses asymmetric cryptography to establish a symmetric session key using a secure key exchange method.

A

HTTPS

148
Q

______ _____ are a combination of cryptographic algorithms that provide several layers of security for TLS and SSL, though most organizations have deprecated the use of SSL.

A

Cipher suites

149
Q

True or False : When two systems connect, they negotiate which cipher suite to use. The client sends a prioritized list of cipher suites it is willing to use; the server picks one that is on both lists, normally the highest on its own preference list (or, if configured to honour client preference, the highest on the client's).

A

True

150
Q

A _____ ______ is a set of hardware, software, and/or firmware that implements cryptographic functions. This includes algorithms for encryption and hashing, key generation, and authentication techniques such as a digital signature.

A

Crypto module

151
Q

A _____ ______ provider is a software library of cryptographic standards and algorithms. These libraries are typically distributed within crypto modules.

A

Crypto service

152
Q

True or False : If administrators leave weak or deprecated algorithms functioning on servers, it makes the servers susceptible to attacks such as downgrade attacks.

A

True

153
Q

A ______ _____ is a type of attack that forces a system to downgrade its security.

A

Downgrade attack

154
Q

__________ ______ are most often associated with cryptographic attacks due to weak implementations of cipher suites.

A

Downgrade attacks

155
Q

True or False : Attackers exploit this vulnerability by interfering with the connection (for example, a man-in-the-middle who blocks the TLS handshake) so that the client and server fall back to SSL 3.0 instead of TLS. This allows attackers to launch SSL-based attacks such as the well-known Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.

A

True

156
Q

One way to ensure that SSL isn’t used on a site is to modify the server’s protocol list and ensure that SSL is ________.

A

Disabled

157
Q

If weak cipher suites are enabled on a server, it _______ the vulnerabilities.

A

Increases
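Added example, not from the book: a Python simulation of the cipher suite negotiation and downgrade scenario of cards 148 to 157, followed by the hardened ssl.SSLContext a real Python server would use. The client and server preference lists use IANA-style suite names and are constructed; the set_ciphers() string is an ordinary OpenSSL cipher list (ECDHE key exchange with AEAD ciphers only).

```python
import ssl

# Constructed preference lists (IANA-style names) for the simulation; not from the book.
CLIENT_OFFER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_MD5",            # legacy suite a careless client still offers
]
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "MD5", "anon")


def is_weak(suite: str) -> bool:
    """Crude but effective audit rule: any deprecated primitive in the name."""
    return any(marker in suite for marker in WEAK_MARKERS)


def negotiate(client_offer, server_prefs, honour_client_order=False):
    """Pick the first suite common to both lists, by the server's order (the usual default)
    or by the client's. Returns None when nothing overlaps, i.e. the handshake fails."""
    first, second = (client_offer, server_prefs) if honour_client_order else (server_prefs, client_offer)
    for suite in first:
        if suite in second:
            return suite
    return None


def downgrade_attack(client_offer, server_prefs):
    """An on-path attacker strips every strong suite from the ClientHello. The server only
    'loses' if it still has a weak suite enabled; otherwise the handshake just fails."""
    stripped = [s for s in client_offer if is_weak(s)]
    return negotiate(stripped, server_prefs)


def audit(server_prefs):
    """What to fix on the server: every weak suite still enabled."""
    return [s for s in server_prefs if is_weak(s)]


def hardened_context() -> ssl.SSLContext:
    """The same policy applied to a real Python server: TLS 1.2 or newer, ECDHE + AEAD only.
    TLS 1.3 suites are always enabled and are not governed by set_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_cipher_names() -> list:
    return [c["name"] for c in hardened_context().get_ciphers()]


def min_version_name() -> str:
    return hardened_context().minimum_version.name


def demo() -> dict:
    lax_server = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_MD5"]
    strict_server = ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    return {
        "lax_normal": negotiate(CLIENT_OFFER, lax_server),
        "lax_under_attack": downgrade_attack(CLIENT_OFFER, lax_server),       # RC4 wins
        "strict_under_attack": downgrade_attack(CLIENT_OFFER, strict_server),  # None: no downgrade
        "lax_audit": audit(lax_server),
        "context_ciphers": context_cipher_names(),
        "context_min_version": min_version_name(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The simulation makes the lesson of cards 152 and 157 concrete: a downgrade attack needs the server's cooperation in the form of a weak suite that is still enabled, so the fix is on the server, not the client. TLS 1.3 additionally signs the whole handshake transcript so a stripped ClientHello is detected, but a server that still accepts SSL 3.0 or TLS 1.0 with RC4 remains exposed to older clients.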

158
Q

A _____ ___ ________ is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates.

A

Public Key Infrastructure (PKI)

159
Q

True or False : A primary benefit of a PKI is that it allows two people or entities to communicate securely without knowing each other previously.

A

True

160
Q

A _______ ______ issues, manages, validates, and revokes certificates.

A

Certificate Authority (CA)

161
Q

True or False : If the CA is trusted, all certificates issued by the CA are trusted.

A

True

162
Q

CAs are trusted by placing a copy of their root certificate into a _____ ____ __ _____.

A

Trusted root CA store

163
Q

The ____ _________ is the first certificate created by the CA that identifies it, and the store is just a collection of these root certificates.

A

Root certificate

164
Q

True or False : Public CAs such as Symantec and Comodo negotiate with web browser developers to have their certificates included with the web browser. This way, any certificates that they sell to businesses are automatically trusted.

A

True

(Browser vendors also remove CAs that break their rules: Symantec's CA business was distrusted by the major browsers in 2017-2018 and sold to DigiCert, and Comodo CA now operates as Sectigo.)

165
Q

True or False : The most common trust model is the hierarchical trust model, also known as a centralized trust model.

A

True

166
Q

_________ _________ combines all the certificates from the root CA down to the certificate issued to the end user.

A

Certificate chaining

167
Q

A ___ __ _____ uses self-signed certificates, and a third party vouches for these certificates.

A

Web of trust

168
Q

True or False : Many programs are available to automate the process of generating a public and private key pair

A

True

169
Q

True or False : Submitted with a certificate signing request (CSR) is the purpose of the certificate, information about the website, the public key, and information about the owner of the site.

A

True

170
Q

The CSR includes the ______ ___ but not the _______ ___

A

Public key, private key

171
Q

True or False : After receiving the CSR, the CA validates the requester's identity and creates a certificate with the public key. The validation process differs based on the usage of the certificate. In some cases, it includes extensive checking of the organization (extended validation), and in other cases, verification amounts to proving control of the domain and the credit card used to purchase the certificate.

A

True

172
Q

_____ _________ are used to identify specific objects within the certificates

A

Object identifiers (OIDs)

173
Q

The ___ is a string of numbers separated by dots. ___ can be used to name almost every object type in certificates.

A

OID(s)

174
Q

True or False : In large organizations, a registration authority(RA) can assist the CA by collecting registration information. The RA never issues certificates. Instead, it only assists in the registration process.

A

True

175
Q

True or False : An organization may choose to keep some CAs offline to protect them from attacks. Offline CAs can only accept CSRs manually.

A

True

177
Q

True or False : A CA can use any of the following reasons when revoking a certificate:

  • Key compromise
  • CA compromise
  • Change of affiliation
  • Superseded
  • Cease of operation
  • Certificate hold

A

True

178
Q

CAs use ________ ________ ____ to revoke a certificate.

A

Certificate revocation lists (CRLs, pronounced “crill”)

179
Q

True or False : The CRL is itself a signed X.509 structure (the version 2 CRL format) that lists revoked certificates by serial number, with the revocation date and, optionally, the reason.

A

True

180
Q

List some common certificate issues.

A

  1. Expired
  2. Certificate not trusted
  3. Improper certificate and key management
  4. Revoked

181
Q

True or False: A common method of validating a certificate is by requesting a copy of the CRL.

A

True

182
Q

CRLs are typically ______ after being downloaded the first time.

A

Cached

183
Q

True or False: Another method of validating a certificate is with the Online Certificate Status Protocol (OCSP). OCSP allows the client to query the CA with the serial number of the certificate. The CA then responds with an answer of “good,” “revoked,” or “unknown.” A response of “unknown” could indicate the certificate is a forgery.

A

True

184
Q

OCSP ________ solves the problem of heavy traffic generation between clients and CAs.

A

Stapling

185
Q

True or False: In OCSP stapling, the certificate presenter obtains a timestamped OCSP response from the CA. Before sending it, the CA signs it with a digital signature. The certificate presenter then appends (or metaphorically staples) a timestamped OCSP response to the certificate during the TLS handshake process. This eliminates the need for clients to query the CA.

A

True

186
Q

Public key ________ is a security mechanism designed to prevent attackers from impersonating a web site using fraudulent certificates.

A

Pinning

187
Q

True or False: When configured on a web site server, the server responds to client HTTPS requests with an extra header. This extra header includes a list of hashes derived from valid public keys used by the web site. It also includes a max-age field specifying how long the client should store and use the data. When clients connect to the same web site again, they recalculate the hashes and then compare the recalculated hashes with the stored hashes. If the hashes match, it verifies that the client is connected to the same web site.

A

True

188
Q

___ ______ is the process of placing a copy of a private key in a safe environment and is useful for recovery.

A

Key escrow

189
Q

A ___ ______ ______ is a designated individual who can recover or restore cryptographic keys.

A

Key recovery agent

190
Q

List some usage types of certificates.

A

  1. Machine/computer - The certificate is typically used to identify the computer within a domain.
  2. User - Certificates can also be issued to users. They can be used for encryption, authentication, smart cards, and more.
  3. Email - The two uses of email certificates are for encryption of emails and digital signatures.
  4. Code signing - Developers often use code signing certificates to validate the authentication of executable applications or scripts. The code signing certificate verifies the code has not been modified.
  5. Self-signed - A self-signed certificate is not issued by a trusted CA. Private CAs within an enterprise often create self-signed certificates.
  6. Wildcard - A wildcard certificate starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain.
  7. SAN - A Subject Alternative Name (SAN) is used for multiple domains that have different names, but are owned by the same organization.
  8. Domain validation - A domain-validated certificate indicates that the certificate requestor has some control over a DNS domain.
  9. Extended validation - Extended validation certificates use additional steps beyond domain validation.

191
Q

A ________ _______ starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain.

A

Wildcard certificate

192
Q

A _______ _________ ____ is used for multiple domains that have different names, but are owned by the same organization.

A

Subject Alternative Name (SAN)

193
Q

True or False: Extended validation certificates use additional steps beyond domain validation.

A

True

194
Q

True or False: Certificates are typically stored as binary files or as BASE64 American Standard Code for Information Interchange (ASCII) encoded files. Some certificates are also encrypted to provide additional confidentiality.

A

True

195
Q

The base format of certificates is _______ _______ _____ or ___________ ________ _______.

A

Canonical Encoding Rules (CER)
or
Distinguished Encoding Rules (DER)

196
Q

True or False: CER-based certificates include headers and footers to identify the contents.

A

False, it is DER.

197
Q

____ is derived from the Privacy Enhanced Mail format, but that is misleading. It implies that these certificates are used for email only.

A

PEM

198
Q

True or False: PEM-based certificates can be used for just about anything.

A

True

199
Q

___ certificates use the PKCS version 7 (PKCS#7) format and they are DER-based (ASCII). They are commonly used to share public keys with proof of identity of the certificate holder.

A

P7B

200
Q

True or False: P7B can include the private key

A

False

It never includes the private key

201
Q

___ certificates use the PKCS version 12 (PKCS#12) format and they are CER-based (binary).

A

P12

202
Q

True or False: P12 certificates are commonly used to hold certificates with the private key.

A

True

203
Q

______ ________ ______ is a predecessor to the P12 certificate and it has the same usage. Administrators often use this format on Windows systems to import and export certificates.

A

Personal Information Exchange (PFX)

204
Q

True or False: CER is a binary format for certificates and DER is an ASCII format. PEM is the most commonly used certificate format and can be used for just about any certificate type. P7B certificates are commonly used to share public keys. P12 and PFX certificates are commonly used to hold the private key.

A

True