Chapter 2: Review Questions Flashcards

1
Q

What type of certificate does a CA have?

A

A CA has a root certificate. A root CA's certificate is self-signed, and the CA uses the matching private key to sign the certificates it issues (subordinate CA certificates and end-entity certificates), which is what makes them trusted.

2
Q

If I am going to use a CA internally, what type of CA should I use?

A

A private (internal) CA. Its certificates are trusted only by systems that have the private root certificate installed, so they will not be accepted outside your organization.

3
Q

If I want to carry out B2B activity with third-party companies or sell products on the web, what type of CA should I use?

A

A public CA. Its root is already trusted by browsers and operating systems, so third-party companies and web customers accept the certificates without any extra configuration.

4
Q

Why would I make my CA offline when not in use?

A

Keep the root CA offline when not in use so that its private key cannot be reached over the network. If the root key were compromised, an attacker could issue fraudulent certificates that every system trusting that root would accept. Day-to-day issuing is delegated to online intermediate (subordinate) CAs, and the root is only brought up to sign or revoke an intermediate.

5
Q

Who signs X.509 certificates?

A

The CA signs X.509 certificates with its private key. Anyone holding the CA's certificate (its public key) can verify the signature and therefore validate the certificate.

6
Q

What can I use to prevent my CA from being compromised and fraudulent certificates being issued?

A

Certificate pinning. Pinning does not stop the CA itself from being compromised, but a client that pins the expected certificate (or its public key) for a host rejects any other certificate for that host, so a fraudulently issued certificate is not accepted even though a trusted CA signed it.

7
Q

If two entities want to set up a cross-certification, what must they set up first?

A

The two entities need to set up a bridge trust model, in which each CA cross-certifies the other's root so that certificates from either side validate in both organizations.

8
Q

What type of trust model does PGP use?

A

PGP uses a trust model known as a web of trust.

9
Q

How can I tell whether my certificate is valid?

A

Check the Certificate Revocation List (CRL) published by the issuing CA: if the certificate's serial number appears on it, the certificate has been revoked. Validation also checks the signature chain back to a trusted root and the certificate's validity dates.

10
Q

If CRL checking is slow, what should I implement?

A

The Online Certificate Status Protocol (OCSP). Instead of downloading and searching the whole CRL, the client asks the CA's OCSP responder about one certificate's serial number and receives a signed good/revoked/unknown answer, which is faster than CRL processing. OCSP has largely replaced CRL checking in browsers.

11
Q

Who builds the CA or intermediary authorities?

A

An architect would design and build the CA and its intermediary (subordinate) authorities.

12
Q

Explain certificate stapling/OCSP stapling.

A

With OCSP stapling the web server, rather than each client, periodically queries the CA's OCSP responder, obtains a time-stamped signed response saying its certificate is still valid, and attaches (staples) that response to the TLS handshake. The client verifies the stapled response with the CA's public key instead of contacting the OCSP responder itself, which is faster and avoids telling the CA which sites the client visits.

13
Q

What is the process of obtaining a new certificate?

A

Generate a key pair, then create a Certificate Signing Request (CSR) containing the public key and the subject details; the private key never leaves the requester. The CSR is sent to the CA, which verifies the identity, signs the request and returns the X.509 certificate.

14
Q

What is the purpose of the key escrow?

A

Key escrow is where a trusted third party holds copies of users' private keys so that encrypted data can still be recovered if a key is lost or a user leaves. The escrowed keys are typically stored in a Hardware Security Module (HSM).

15
Q

What is the purpose of the Hardware Security Module (HSM)?

A

An HSM is a tamper-resistant hardware device, either installed in a server or attached as a portable device, that generates, stores and manages cryptographic keys and performs signing and decryption with them so that the private keys never leave the device. It also manages and stores the certificates associated with those keys.

16
Q

What is the purpose of the Data Recovery Agent (DRA) and what does it need in order to complete its role effectively?

A

If a user cannot access their encrypted data because their private key is lost or corrupted, the DRA recovers the data. To do so, the DRA needs a copy of the user's private key, which it obtains from the key escrow.

17
Q

How can I identify each certificate?

A

Each certificate has a serial number that is unique among the certificates issued by that CA; this is the identifier used, for example, to list a revoked certificate on a CRL. Object Identifiers (OIDs) are the dotted numbers inside the certificate that identify the algorithms, policies and extension types it uses.

18
Q

What format is a private certificate and what file extension does it have?

A

The format is PKCS#12 (P12) and the file extension is .pfx (or .p12). It is a password-protected binary container holding the private key together with the certificate and usually its chain, so it is the format used to export or back up a private certificate.

19
Q

What format is a public certificate and what file extension does it have?

A

The format is PKCS#7 (P7B), with a .p7b extension, which holds one or more public certificates (a chain) and never a private key. A single public certificate on its own is usually distributed as a .cer (or .crt) file.

20
Q

What format is a PEM certificate?

A

A PEM certificate is the binary (DER) certificate encoded as Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so it can be pasted into configuration files and emails.

21
Q

What type of certificate can be used on multiple servers in the same domain?

A

A wildcard certificate, for example *.example.com, which covers any hostname one level below the domain (www.example.com, mail.example.com) but not deeper names such as a.b.example.com.

22
Q

What type of certificate can be used on multiple domains?

A

A certificate with Subject Alternative Name (SAN) entries, which lists several different domain names (and optionally IP addresses) in the one certificate.

23
Q

What should I do with my software to verify that it is the original and not a fake copy?

A

You should code sign your software: the publisher signs a hash of the executable with their private key, and the operating system or user verifies the signature with the publisher's certificate, which proves who published it and that it has not been modified since.

24
Q

What is the purpose of extended validation on an X.509 certificate?

A

It provides a higher level of trust in identifying the entity that owns the certificate, because the CA performs extended checks on the organization's legal identity before issuing. Browsers used to highlight an EV certificate with a green address bar showing the company name; current browsers no longer display that indicator.

25
Q

What type of cipher is the Caesar Cipher and how does it work if it uses ROT 4?

A

The Caesar Cipher is a substitution (shift) cipher. ROT 4 means each letter is moved four places along the alphabet, so TEA becomes XIE (T to X, E to I, A to E); decryption shifts each letter back four places. With only 25 possible shifts it is broken simply by trying every key.
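The shift cipher from this card in working code. This is an added example, not code from the flashcards; the sample phrase is constructed for the demonstration. Besides ROT-n encryption and decryption it shows the attack the small keyspace invites: try all 25 shifts and pick the one that yields an expected word.

```python
# Caesar / ROT-n shift cipher (added example for card 25).
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext, shift):
    """Shift every ASCII letter `shift` places along the alphabet (ROT-shift).
    Case is preserved; digits, spaces and punctuation pass through unchanged."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, shift):
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -shift)


def brute_force(ciphertext):
    """The whole keyspace is 25 shifts, so an attacker just tries them all.
    Returns {shift: candidate plaintext}."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def recover_shift(ciphertext, crib):
    """Pick the shift whose decryption contains a word we expect (a crib).
    Returns the shift, or None if no candidate contains the crib."""
    for k, candidate in brute_force(ciphertext).items():
        if crib.upper() in candidate.upper():
            return k
    return None


if __name__ == "__main__":
    # Constructed sample: the card's TEA -> XIE under ROT 4.
    print(caesar_encrypt("TEA", 4))                      # XIE
    print(caesar_decrypt("XIE", 4))                      # TEA
    print(recover_shift("Nggnpx ng qnja!", "attack"))    # 13
```

The brute-force function is the point of the card: a substitution cipher whose key is one of 25 shifts gives no real secrecy, which is why it appears in the exam only as an illustration of substitution, not as something to deploy.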

26
Q

What is encryption and what are the inputs and outputs called?

A

Encryption is where we take plaintext that can be easily read and convert it to ciphertext that cannot be read without the key. The input is called the plaintext and the output is called the ciphertext.

27
Q

What type of encryption can be used to encrypt large amounts of data?

A

Symmetric encryption is used to encrypt large amounts of data, since it uses a single shared key and is far faster than asymmetric encryption; asymmetric encryption is then used only to protect or agree that symmetric key.

28
Q

What is the purpose of Diffie Hellman (DH)?

A

It is an asymmetric key-agreement technique: the two parties exchange public values over an insecure channel and each computes the same shared secret, which becomes the symmetric session key that protects the data in the tunnel. DH itself does not encrypt the data. In an IPSec VPN it runs during the IKE phase 1 negotiation, which uses UDP port 500 (UDP 4500 when NAT traversal is in use), to set up the VPN tunnel.

29
Q

What is the first stage in any encryption, no matter whether it is asymmetric or symmetric?

A

The first stage of any encryption is the key exchange. With asymmetric cryptography you always keep your private key and give away your public key; with symmetric cryptography the shared key has to be delivered securely, typically by wrapping it with the recipient's public key or agreeing it with Diffie Hellman.

30
Q

If Carol is encrypting data to send to Bob, what key will they each use?

A

Carol uses Bob's public key to encrypt and Bob uses his own private key to decrypt, because only the private key can reverse what the matching public key encrypted.

31
Q

If George encrypted data 4 years ago with an old CAC card, can he decrypt the data with his new CAC card?

A

No. The data was encrypted to the public key on the old card, so only the matching old private key can decrypt it. He must recover the old private key (for example from key escrow) to decrypt the data; the new card's key pair only applies to data encrypted from now on.

32
Q

If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

A

Janet uses her private key to digitally sign the email (the signature covers a hash of the message, so any change in transit breaks it); John uses Janet's public key to verify the signature and therefore that the email came from her and has not been altered.

33
Q

What two things does digitally signing an email provide?

A

Integrity: the signature is computed over a hash of the email, so it proves the email has not been altered and that it was signed with the sender's private key. Non-repudiation: because only the sender holds that private key (and should never give it out), the sender cannot later deny having sent the email.

34
Q

What asymmetric encryption algorithm should I use to encrypt data on a smartphone?

A

Elliptic Curve Cryptography (ECC) should be used on a smartphone, since it gives equivalent security with much smaller keys than RSA and therefore uses less processing power and battery.

35
Q

What shall I use to encrypt a military mobile telephone?

A

AES 256-bit should be used on a military phone.

36
Q

Name two key-stretching algorithms.

A

bcrypt and PBKDF2

37
Q

What is the purpose of key-stretching?

A

Key-stretching runs a password through a slow, deliberately expensive function (thousands of hash iterations) so that every guess in a brute-force or dictionary attack costs far more computing time. It is combined with a salt, a random value stored alongside the hash and mixed into the password before hashing, so that two users with the same password get different hashes and precomputed tables are useless.

38
Q

What is the difference between a stream cipher and a block cipher, and which one would you use to encrypt large blocks of data?

A

A stream cipher encrypts data one bit or byte at a time as it flows, while a block cipher divides the data into fixed-size blocks (for example 128 bits for AES) and encrypts each block. You would use a block cipher to encrypt large blocks of data.

39
Q

What happens with cipher block chaining if I don’t have all the blocks?

A

In Cipher Block Chaining each plaintext block is XORed with the previous ciphertext block before it is encrypted, so decrypting block n requires ciphertext blocks n and n-1 (and the IV for the first block). To recover the whole message you therefore need all of the blocks; a missing or corrupted block means that block and the one following it cannot be decrypted correctly.

40
Q

If I want to ensure the integrity of data, what shall I use? Name two algorithms.

A

Hashing ensures the integrity of data: any change to the input produces a different hash. Algorithms: SHA-1, SHA-2, SHA-3 and MD5 (MD5 and SHA-1 are no longer collision resistant and should not be used for new designs).

41
Q

If I want to ensure the protection of data, what shall I use?

A

Encryption is used to protect the confidentiality of data so that it cannot be read or accessed by anyone without the key.

42
Q

Is a hash a one-way or two-way function and is it reversible?

A

For the purpose of the Security+ exam, a hash is a one-way function and cannot be reversed: you can only recompute the hash of a candidate input and compare it.

43
Q

What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

A

It is known as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. A man-in-the-middle forces the connection to downgrade to SSL 3.0 and then exploits SSL 3.0's unchecked CBC padding to decrypt parts of the traffic; the remedy is to disable SSL 3.0.

44
Q

Explain why we use Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE).

A

The keys are short-lived (ephemeral): a fresh DH or ECDH key pair is generated for every session and discarded afterwards. This gives forward secrecy, because compromising the server's long-term key later does not reveal past session keys.

45
Q

What are the strongest and weakest methods of encryption with the L2TP/IPSec VPN tunnel?

A

The weakest method of encryption is DES (56-bit key) and the strongest is AES (up to 256-bit); 3DES sits in between.

46
Q

What is the name of the key used to ensure the security of communication between a computer and a server or a computer to another computer?

A

A session key: a symmetric key generated for one session that ensures the security of communications between a computer and a server or between two computers, and is discarded when the session ends.

47
Q

What should I do to protect data at rest on a tablet or smartphone?

A

These devices should use Full Disk Encryption (FDE), implemented on phones and tablets as full device encryption, so the stored data is unreadable without the passcode or key.

48
Q

What should I do to protect data at rest on a removable device, such as a USB flash drive or an external hard drive?

A

We should use Full Disk Encryption (FDE) on the removable device so the data is unreadable if the device is lost or stolen.

49
Q

What should I do to protect data at rest on a backend server?

A

Data at rest on a backend server is usually held in a database, so it needs database encryption.

50
Q

How can you protect data in use?

A

We can protect data in use with Full Memory Encryption, which encrypts the contents of RAM while the data is being processed.

51
Q

What two protocols could we use to protect data in transit?

A

TLS (as used by HTTPS), or an L2TP/IPSec VPN.

52
Q

What is the purpose of perfect forward secrecy?

A

With perfect forward secrecy the session key is derived from ephemeral Diffie Hellman values rather than from the server's long-term private key, so there is no link between the two. If a VPN or web server's private key is later compromised, the attacker cannot use it to decrypt recorded past sessions.
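The key agreement from cards 28, 44 and this one, worked through in code. This is an added example and not part of the flashcards; it uses only the Python standard library. The group is a toy-sized safe prime generated at import time so the file runs offline, and the names are ours; real deployments use standard 2048-bit or larger groups (RFC 3526 / RFC 7919) or elliptic curves through a vetted library, never hand-rolled arithmetic. The two demo functions contrast static DH (one long-term server key, stolen later) with ephemeral DH (fresh key per session).

```python
"""Ephemeral Diffie-Hellman and forward secrecy (added example for cards 28, 44, 52)."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """p = 2q + 1 with p and q prime, so g = 4 generates a subgroup of prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


P = safe_prime(128)   # toy size for the demo only (assumption: not a standard group)
Q = (P - 1) // 2
G = 4                 # a quadratic residue mod p, hence of order q


def dh_keypair():
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def dh_shared_secret(my_private, peer_public):
    """g^(xy) mod p. Reject the degenerate values 1 and p-1 before using them."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value is not in the group")
    return pow(peer_public, my_private, P)


def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def derive_session_key(shared_secret, transcript):
    """HKDF-style extract-then-expand of the shared secret into a 32-byte symmetric key."""
    prk = hmac.new(transcript, to_bytes(shared_secret), hashlib.sha256).digest()
    return hmac.new(prk, b"session key\x01", hashlib.sha256).digest()


def run_session(server_private, server_public):
    """One client connection. The client side is always ephemeral; the server side uses
    the key pair it is given. Returns the agreed key and what an eavesdropper records."""
    client_private, client_public = dh_keypair()
    transcript = to_bytes(client_public) + to_bytes(server_public)
    k_client = derive_session_key(dh_shared_secret(client_private, server_public), transcript)
    k_server = derive_session_key(dh_shared_secret(server_private, client_public), transcript)
    assert k_client == k_server          # both sides agree; the key itself is never sent
    return k_client, (client_public, server_public)


def attacker_with_stolen_key(stolen_private, recording):
    """Later key theft: redo the server's computation over the recorded public values."""
    client_public, server_public = recording
    transcript = to_bytes(client_public) + to_bytes(server_public)
    return derive_session_key(dh_shared_secret(stolen_private, client_public), transcript)


def static_dh_demo():
    """Static DH: one long-term server key for every session, so stealing it later
    decrypts every recorded session. Returns True when the attacker succeeds."""
    server_private, server_public = dh_keypair()
    key, recording = run_session(server_private, server_public)
    return attacker_with_stolen_key(server_private, recording) == key


def ephemeral_dh_demo():
    """DHE: a fresh server key pair per session, private half discarded afterwards.
    Returns True when session keys differ and a later-stolen key cannot open session 1."""
    s1_private, s1_public = dh_keypair()
    key1, recording1 = run_session(s1_private, s1_public)
    del s1_private                                            # gone after the handshake
    s2_private, s2_public = dh_keypair()
    key2, _ = run_session(s2_private, s2_public)
    wrong = attacker_with_stolen_key(s2_private, recording1)  # the only key left to steal
    return key1 != key2 and wrong != key1
```

Two details worth noticing: the public value is validated before exponentiation (1 and p-1 collapse the shared secret to a known value), and both public values are mixed into the key derivation so that the session key is bound to the exchange that produced it, which is how TLS and IKE derive keys from the DH secret.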

53
Q

What type of attack tries to find two hash values that match?

A

A collision attack, which looks for two different inputs that hash to the same value.

54
Q

Explain the concept of steganography.

A

Steganography is where a document, image, audio file, or video file is hidden inside another document, image, audio file, or video file, so that the very existence of the hidden message is concealed.

55
Q

What is the purpose of rainbow tables?

A

Rainbow tables are precomputed tables that map hash values back to the passwords that produced them, so an attacker who obtains an unsalted hash can look the password up instead of computing every guess. A table is specific to one algorithm, so you need one rainbow table for MD5 and a different one for SHA-1. Salting defeats them, because every salt would need its own table.

56
Q

What are the two purposes of Data Loss Protection (DLP)?

A

DLP prevents sensitive or PII information from being emailed out of the company (data leaving over the network) and from being stolen from a file server by copying it to a USB device (data leaving on removable media).

57
Q

What is the purpose of salting a password?

A

Salting appends a random value (the salt) to the password before it is hashed and stores the salt with the hash. It ensures that two users with the same password get different hashes, and it defeats precomputed rainbow tables because the attacker would need a separate table for every salt. Combined with key stretching (many hash iterations), it also makes brute-force attacks slower.
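The mechanisms from cards 36, 37, 55 and 57 side by side in working code. This is an added example, not from the flashcards, using only the Python standard library. The "common password" list and the leaked hash are constructed stand-ins for an attacker's precomputed table; PBKDF2-HMAC-SHA256 plays the key-stretching role, and the record format and function names are ours.

```python
"""Salting, key stretching and precomputed-table lookups (added example for cards 36, 37, 55, 57)."""
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's precomputed table: a few common passwords.
# A real rainbow table is a compressed chain structure covering billions of
# candidates, but the lookup idea it enables is the same.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "welcome1"]


def unsalted_hash(password, algo="sha1"):
    """The weak scheme: hash(password), no salt, one iteration."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup_table(words, algo="sha1"):
    """hash -> password for every word. One table per algorithm (MD5, SHA-1, ...)."""
    return {unsalted_hash(w, algo): w for w in words}


def table_lookup(stored_hash, table):
    """Recover a password by lookup instead of by guessing; None if not in the table."""
    return table.get(stored_hash)


def hash_password(password, iterations=600_000, salt=None):
    """Stored record: algorithm, iteration count, random salt and the PBKDF2 output.
    600k iterations is the OWASP (2023) figure for PBKDF2-SHA256; raise it over time."""
    if salt is None:
        salt = os.urandom(16)            # unique per password, stored in the clear
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations=100_000):
    """Contrast the two schemes on the same password. Returns a dict of observations."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # 1. Unsalted SHA-1: identical passwords give identical hashes, and a leaked
    #    hash is recovered by a single dictionary lookup.
    leaked = unsalted_hash("letmein")              # constructed "leaked" hash
    found = table_lookup(leaked, table)
    # 2. Salted + stretched: the same password yields two different records,
    #    neither of which appears in the precomputed table, and checking one
    #    guess now costs `iterations` HMAC computations instead of one.
    rec1 = hash_password("letmein", iterations)
    rec2 = hash_password("letmein", iterations)
    return {
        "lookup_found": found,
        "records_differ": rec1 != rec2,
        "salted_in_table": rec1.split("$")[-1] in table,
        "verify_ok": verify_password("letmein", rec1),
        "verify_wrong": verify_password("Letmein", rec1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record stores the iteration count alongside the salt so that the cost can be raised later without breaking existing logins: old records verify with their own count and are re-hashed at the next successful login. Checking with hmac.compare_digest rather than == avoids a timing side channel on the comparison.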