Cryptographic Solutions Flashcards

Question

A developer needs to distribute a software application securely to ensure its authenticity and integrity. The developer decides to use RSA for code signing. Which of the following steps would the developer follow to sign the software? A. Hash the software code, then encrypt the hash using their private key. B. Encrypt the entire software code using their private key. C. Hash the software code, then encrypt the hash using the recipient's public key. D. Encrypt the software code using their public key, then attach the encrypted code with the software.

Answer 1

Answer: A. Hash the software code, then encrypt the hash using their private key. Explanation: Correct: Option A is correct because code signing involves hashing the code to create a fixed-size digest and then encrypting that digest with the developer's private key to create a digital signature. Incorrect Options: B: Encrypting the entire software with a private key is highly inefficient and not the purpose of a digital signature. C: Encrypting with the recipient's public key ensures confidentiality, not authenticity or integrity. D: Encrypting with the public key doesn’t verify the authenticity of the developer and would not serve as a valid signature.

Answer 2

Answer: B. The hash digest of the software patch. Explanation: Correct: The digital signature is the encrypted hash digest of the software. Decrypting it with the company's public key reveals the original hash digest, which can then be compared with a freshly computed hash of the downloaded software to verify integrity. Incorrect Options: A: The digital signature does not contain the original software. C: The private key is never shared and cannot be obtained by decrypting the signature. D: Certificates verify the publisher's identity, but they are separate from the digital signature.

Answer 3

Answer: A. DH cannot be used for encrypting a hash digest as it’s not a signing algorithm. Explanation: Correct: Option A is correct because digital signature algorithms like RSA or ECDSA are specifically designed for signing purposes. Regular encryption algorithms like DH or ECC (in its standard form) are not designed for signing data. Incorrect Options: B: Hashing is essential in signing processes and can be used with encryption. C: The hash digest can (and should) be encrypted in a digital signature process, not the full software. D: Not all encryption algorithms are suitable for signing; only specific digital signature algorithms should be used.

Answer 4

Answer: B. The hash of the software and the decrypted hash digest. Explanation: Correct: To verify the code’s integrity, the recipient compares the freshly computed hash of the downloaded software with the hash digest decrypted from the digital signature. If they match, the code has not been tampered with. Incorrect Options: A: The software’s source code is not directly involved in this process. C: The developer’s private key is not accessible during the verification process. D: The recipient’s private key is irrelevant for verifying a digital signature.

Answer 5

Answer: B. Digital signatures ensure the confidentiality of the software. Explanation: Correct: Digital signatures are used to ensure authenticity and integrity but not confidentiality. Confidentiality is achieved by encrypting the content with the recipient's public key, which is unrelated to digital signing. Incorrect Options: A: Authenticity is proven as only the developer has access to their private key to sign the hash. C: Integrity is ensured as tampering with the code would result in a mismatched hash. D: Digital signatures are created by encrypting the hash digest with the private key, making this statement true.

Answer 6

Answer: D. Bob will use his private key to decrypt the message encrypted with his public key. Explanation: Correct: D: In asymmetric encryption, a message encrypted with a public key can only be decrypted with the corresponding private key. Since Alice encrypted the message using Bob’s public key, Bob will use his private key to decrypt it. Incorrect Options: A: This scenario describes asymmetric encryption, not symmetric encryption. Symmetric encryption requires a shared key, but here, Alice and Bob are using public and private keys, which do not require prior key sharing. B: Alice is not distributing a private key to Bob. Private keys are never shared; they are kept secret by their owner. C: Alice is not distributing Bob’s public key to herself. She retrieves Bob’s public key from a trusted certificate authority (CA) to encrypt the message, but this is not considered "distribution" in the context of key exchange.

Answer 7

Answer: B. The public keys of the parties are used to compute the shared key without directly transmitting the key itself. Explanation: Correct: In Diffie-Hellman, both parties exchange public information and then independently compute a shared secret key, which is never directly transmitted. Incorrect Options: A: The shared key is not sent over the internet; it is computed independently by each party. C: The Diffie-Hellman process does not use private keys directly to generate a symmetric key for encryption; it focuses on the secure exchange of public values to compute a shared key. D: While Diffie-Hellman can be used in conjunction with a PKI, it does not require one for its operation.

Answer 8

Answer: B. Alice and Bob receive the same symmetric key from the KDC to encrypt and decrypt messages. Explanation: Correct: The Key Distribution Center (KDC) provides Alice and Bob with a shared symmetric key. This key is used for encryption and decryption during communication. Incorrect Options: A: The KDC distributes a symmetric key, not a public key for asymmetric encryption. C: The KDC does not exchange private keys; it distributes a shared symmetric key. D: The KDC does not send Alice’s private key to Bob, as private keys should never be shared.

Answer 9

Answer: B. The public keys of Alice and Bob are used to create a shared secret key that will be used for symmetric encryption. Explanation: Correct: In ECDH, Alice and Bob use their respective public and private keys to independently compute a shared secret key. This shared key is then used for symmetric encryption. Incorrect Options: A: While ECDH is part of an asymmetric encryption system, the key exchange results in a shared secret for symmetric encryption, not a direct encryption of the message using asymmetric encryption. C: Alice and Bob use the shared secret for symmetric encryption, not asymmetric encryption. D: The key exchange does not involve distributing public keys to all parties; it involves two parties agreeing on a shared key.

Answer 10

Answer: B. The server’s public key is distributed to the client for encryption purposes. Explanation: Correct: In RSA key exchange, the server’s public key is used by the client to encrypt messages. The server can then use its private key to decrypt the message. Incorrect Options: A: The private keys are not exchanged in RSA key exchange; only the public key is shared. C: The server’s private key is never distributed; it is kept secret. D: The client only uses the server’s public key for encryption, not both public and private keys.

Answer 11

Correct Answer: B. To verify the server's identity to the client Explanation: Correct: The server's certificate contains its public key and other details (such as the domain name and the issuing CA). The certificate is used to verify the server's identity by validating the signature of the issuing CA against the trusted root certificate store in the client’s browser or OS. Incorrect Options: A: The server's private key is never shared during the TLS handshake. Sharing the private key would compromise the server’s security. C: The session key is not distributed in the server's certificate. Instead, it is derived later in the handshake process using the premaster key and random values. D: The premaster key is generated by the client (in RSA-based TLS) or through Diffie-Hellman/ECDH methods. It is not directly related to the server's certificate.

Answer 12

Correct Answer: B. It verifies the server's certificate is issued by a trusted CA. Explanation: Correct: The trusted root certificate store contains root certificates of trusted Certificate Authorities (CAs). During a TLS handshake, the browser checks the server's certificate to ensure that it was issued by one of these trusted CAs. Incorrect Options: A: The premaster key is generated as part of the handshake process, not by the trusted root certificate store. C: The trusted root certificate store does not contain certificates for all websites. It only stores public keys of trusted root CAs. D: The session key is derived from the premaster key, not the trusted root certificate store.

Answer 13

Correct Answer: A. The client and server exchange random values, which are combined with the premaster key to derive the session key. Explanation: Correct: In the TLS handshake, both the client and server contribute random values. These random values, combined with the premaster key, are used in a key derivation function (KDF) to generate the session key. The session key is symmetric and is used to encrypt the actual data. Incorrect Options: B: The server's certificate does not contain the session key. It only contains the server's public key and identification details. C: The CA does not generate or distribute session keys. Its role is to sign certificates to ensure trust. D: The session key is dynamically generated during the handshake, not pre-configured.

Answer 14

Correct Answer: A. Diffie-Hellman or Elliptic Curve Diffie-Hellman (ECDH) Explanation: Correct: Diffie-Hellman (DH) and its variant Elliptic Curve Diffie-Hellman (ECDH) are key exchange algorithms used to securely establish a shared premaster key between the client and server during a TLS handshake. They ensure confidentiality even if someone intercepts the exchange. Incorrect Options: B: RSA Digital Signature Algorithm is used for authentication and signing, not for key exchange. C: AES is a symmetric encryption algorithm, used for encrypting the data after the handshake, not for key exchange. D: PKI is a framework for managing digital certificates and public/private keys. It is not a specific protocol for key exchange.

Answer 15

Correct Answer: B. By checking the CA's signature on the server's certificate using the CA's public key from the trusted root certificate store. Explanation: Correct: The client validates the server's certificate by verifying the CA's digital signature on the certificate. It uses the CA's public key, stored in the trusted root certificate store, to perform this verification. If the signature matches, the certificate is trustworthy. Incorrect Options: A: The client does not directly contact the CA during the handshake. The validation is done locally using the trusted root certificate store. C: The server's private key is never used for decrypting its certificate. The private key is used for encryption or signing. D: The session key is not embedded in the certificate. It is generated during the handshake process.

Answer 16

Correct Answer: A. Because these algorithms are not designed for signing. Explanation: Correct: Diffie-Hellman and ECC are key exchange and encryption algorithms, not digital signature algorithms. Signing requires specific algorithms like RSA, DSA, or ECDSA, which are designed to produce and verify digital signatures. Incorrect Options: B: Signing does not require symmetric encryption; it uses asymmetric key pairs. C: Signing is not limited to CAs. Servers can also sign data (e.g., hash digests) using their private keys. D: Diffie-Hellman and ECC are unrelated to generating digital certificates.

Answer 17

Answer: B. Provides confidentiality, integrity, authentication, and non-repudiation D. Uses a key pair (public and private keys) Explanation: Correct Answers: B: Asymmetric algorithms provide confidentiality (encrypting with the receiver's public key), integrity (using digital signatures), authentication (verifying the sender's identity), and non-repudiation (ensuring the sender cannot deny sending the message). D: Asymmetric algorithms use a key pair: a public key for encryption and a private key for decryption. Incorrect Answers: A: This describes symmetric algorithms, which use a shared secret key for both encryption and decryption. C: Asymmetric algorithms require two keys: a public key for encryption and a private key for decryption.

Answer 18

Answer: B. It is achieved by encrypting the message with the sender's private key. Explanation: Correct Answer: B: Non-repudiation ensures the sender cannot deny sending the message. This is achieved by encrypting the message (or its hash) with the sender's private key, which can be verified using their public key. Incorrect Answers: A: This describes confidentiality, which is achieved by encrypting the message with the receiver's public key. C: Encrypting with the receiver's public key ensures confidentiality, not non-repudiation. D: This describes integrity, which is achieved using a digital signature (hashing the message and encrypting the hash with the sender's private key).

Answer 19

Answer: C. Diffie-Hellman Explanation: Correct Answer: C: Diffie-Hellman is used for secure key exchange, particularly in VPN tunnel establishment (IPSec). However, it is vulnerable to man-in-the-middle attacks unless additional authentication (e.g., passwords or digital certificates) is used. Incorrect Answers: A: RSA is used for key exchange, encryption, and digital signatures, but it is not primarily known for being vulnerable to man-in-the-middle attacks. B: ECC (Elliptic Curve Cryptography) is used for encryption in low-power devices and is not primarily associated with key exchange vulnerabilities. D: ECDSA (Elliptic Curve Digital Signature Algorithm) is used for digital signatures, not key exchange.

Answer 20

Answer: A. It relies on the difficulty of factoring large prime numbers. B. It is widely used for digital signatures and key exchange. D. It supports key sizes ranging from 1024 to 4096 bits. Explanation: Correct Answers: A: RSA's security is based on the mathematical difficulty of factoring large prime numbers. B: RSA is widely used for digital signatures, key exchange, and encryption. D: RSA supports key sizes from 1024 bits to 4096 bits. Incorrect Answer: C: ECC is six times more efficient than RSA for equivalent security, not the other way around.

Answer 21

Answer: A. ECDH B. ECDHE D. ECDSA Explanation: Correct Answers: A: ECDH (Elliptic Curve Diffie-Hellman) is a variant of ECC used for key exchange. B: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is a variant that uses different keys for each portion of the key exchange process. D: ECDSA (Elliptic Curve Digital Signature Algorithm) is used for digital signatures. Incorrect Answer: C: RSA is a separate asymmetric algorithm, not a variant of ECC.

Answer 22

Answer: B. To verify the sender's identity and ensure message integrity Explanation: Correct Answer: B: A digital signature is created by encrypting a hash of the message with the sender's private key. This ensures the sender's identity (non-repudiation) and that the message has not been altered (integrity). Incorrect Answers: A: Confidentiality is achieved by encrypting the message with the receiver's public key. C: This describes the process of ensuring confidentiality, not digital signatures. D: Preventing man-in-the-middle attacks requires additional authentication mechanisms, not just digital signatures.

Answer 23

Answer: B. A one-way cryptographic function that produces a unique message digest Explanation: Correct Answer: B: Hashing is a one-way cryptographic function that takes an input and produces a unique message digest (hash). It cannot be reversed to retrieve the original input. Incorrect Answers: A: Hashing is not a two-way function; it cannot decrypt data. C: Hashing is not a symmetric encryption algorithm, which uses a shared secret key. D: Key exchange is handled by algorithms like Diffie-Hellman, not hashing.

Answer 24

Answer: B. Hash digests act like digital fingerprints for the original data C. Hash digests are always the same length for a given hashing algorithm Explanation: Correct Answers: B: Hash digests uniquely represent the original data, acting like digital fingerprints. C: The length of a hash digest is fixed for a given hashing algorithm (e.g., MD5 produces 128-bit hashes, SHA-256 produces 256-bit hashes). Incorrect Answers: A: Hash digests are always the same length, regardless of the input size. D: Hashing is a one-way function; the original input cannot be retrieved from the hash digest.

Answer 25

Answer: B. MD5 Explanation: Correct Answer: B: MD5 produces a 128-bit hash, which is prone to collisions (two different inputs producing the same hash). It is no longer recommended for security-critical applications. Incorrect Answers: A: SHA-256 is more secure than MD5 and produces a 256-bit hash. C: SHA-3 is a secure hashing algorithm with 224-bit to 512-bit hash digests. D: RIPEMD-160 is less popular but more secure than MD5.

Answer 26

Answer: A. SHA-1 B. SHA-224 D. SHA-512 Explanation: Correct Answers: A: SHA-1 produces a 160-bit hash digest. B: SHA-224 is part of the SHA-2 family and produces a 224-bit hash digest. D: SHA-512 is part of the SHA-2 family and produces a 512-bit hash digest. Incorrect Answer: C: MD5 is not part of the SHA family; it is a separate hashing algorithm.

Answer 27

Answer: B. To verify the integrity and authenticity of a message Explanation: Correct Answer: B: HMAC is used to verify the integrity of a message and ensure its authenticity by combining a hash function with a secret key. Incorrect Answers: A: HMAC does not encrypt data for confidentiality; it ensures integrity and authenticity. C: Digital signatures are created by encrypting a hash digest with a private key, not HMAC. D: Key exchange is handled by algorithms like Diffie-Hellman, not HMAC.

Answer 28

Answer: A. They are created by encrypting a hash digest with the sender's private key C. They provide non-repudiation, proving the sender's identity Explanation: Correct Answers: A: Digital signatures are created by hashing the message and encrypting the hash digest with the sender's private key. C: Digital signatures provide non-repudiation, ensuring the sender cannot deny sending the message. Incorrect Answers: B: Confidentiality is achieved by encrypting the message with the receiver's public key, not through digital signatures. D: Key exchange is handled by algorithms like Diffie-Hellman, not digital signatures.

Answer 29

Answer: A. RSA C. DSA Explanation: Correct Answers: A: RSA is widely used for digital signatures, encryption, and key distribution. C: DSA (Digital Signature Algorithm) is specifically designed for digital signatures. Incorrect Answers: B: MD5 is a hashing algorithm, not used for digital signatures. D: HMAC is used for message integrity and authenticity, not digital signatures.

Answer 30

Answer: C. The hash digest changes drastically Explanation: Correct Answer: C: Even a minor change in the input (e.g., one character) results in a completely different hash digest due to the avalanche effect in hashing algorithms. Incorrect Answers: A: The hash digest will not remain the same if the input changes. B: The hash digest does not change slightly; it changes entirely. D: The hash digest remains readable but is entirely different.

Answer 31

Answer: A. SHA-2 uses 64-80 rounds of computations, while SHA-3 uses 120 rounds Explanation: Correct Answer: A: SHA-2 uses 64-80 rounds of computations, while SHA-3 uses 120 rounds, making it more secure. Incorrect Answers: B: SHA-2 is secure, but SHA-3 is more secure due to its increased rounds of computation. C: Both SHA-2 and SHA-3 can produce hash digests of similar lengths (e.g., 256-bit, 512-bit). D: Both SHA-2 and SHA-3 are used for hashing, not encryption.

Answer 32

Answer: B. To authenticate to a remote system using a stolen hash instead of a plaintext password Explanation: Correct Answer: B: In a Pass-the-Hash attack, the attacker uses a stolen hash to authenticate to a remote system without needing the plaintext password. Incorrect Answers: A: The attacker does not need to crack the hash; they use the hash directly for authentication. C: Creating collisions is associated with Birthday Attacks, not Pass-the-Hash attacks. D: Pass-the-Hash attacks do not directly bypass multi-factor authentication; they exploit stolen hashes.

Answer 33

Answer: B. Mimikatz Explanation: Correct Answer: B: Mimikatz is a penetration tool used to automate the harvesting of hashes and executing Pass-the-Hash attacks. Incorrect Answers: A: Wireshark is a network protocol analyzer, not used for Pass-the-Hash attacks. C: Nmap is a network scanning tool, not used for Pass-the-Hash attacks. D: Metasploit is a penetration testing framework but is not specifically known for Pass-the-Hash attacks.

Answer 34

Answer: A. Using multi-factor authentication C. Ensuring all systems are patched and updated Explanation: Correct Answers: A: Multi-factor authentication adds an additional layer of security, making it harder for attackers to exploit stolen hashes. C: Patching and updating systems reduces vulnerabilities that attackers could exploit to harvest hashes. Incorrect Answers: B: Key stretching is used to strengthen passwords, not directly defend against Pass-the-Hash attacks. D: Shorter hash digests increase the risk of collisions and do not defend against Pass-the-Hash attacks.

Answer 35

Answer: B. Creating two different messages that produce the same hash digest (collision) Explanation: Correct Answer: B: A Birthday Attack exploits the probability of two different inputs producing the same hash digest (collision), based on the Birthday Paradox. Incorrect Answers: A: Brute-forcing weak passwords is unrelated to Birthday Attacks. C: Harvesting hashes is associated with Pass-the-Hash attacks, not Birthday Attacks. D: Birthday Attacks do not bypass multi-factor authentication; they exploit hash collisions.

Answer 36

Answer: C. Using longer hash digests (e.g., SHA-256) Explanation: Correct Answer: C: Longer hash digests (e.g., SHA-256) reduce the likelihood of collisions, making Birthday Attacks less effective. Incorrect Answers: A: Shorter hash digests increase the risk of collisions, making Birthday Attacks more likely. B: Salting prevents rainbow table and brute-force attacks but does not directly mitigate Birthday Attacks. D: Limiting failed login attempts prevents password guessing but does not address hash collisions.

Answer 37

Answer: B. To increase the time required to crack a password Explanation: Correct Answer: B: Key stretching applies a hash function multiple times to make brute-force attacks more time-consuming and computationally expensive. Incorrect Answers: A: Key stretching creates longer, more secure keys, not shorter ones. C: Salting generates random data for password hashing, not key stretching. D: Nonces prevent replay attacks, not key stretching.

Answer 38

Answer: A. It ensures the same password produces different hash outputs for different users C. It prevents rainbow table attacks Explanation: Correct Answers: A: Salting adds random data to passwords, ensuring the same password produces different hash outputs for different users. C: Salting makes rainbow table attacks ineffective because each salt requires a unique precomputed table. Incorrect Answers: B: Salting does not reduce the length of hash digests; it adds randomness to the input. D: Salting does not create collisions; it enhances password security.

Answer 39

Answer: B. To prevent replay attacks by ensuring unique authentication data Explanation: Correct Answer: B: A nonce (number used once) ensures that authentication data is unique for each session, preventing replay attacks. Incorrect Answers: A: Nonces do not create longer hash digests; they add uniqueness to authentication data. C: Nonces do not reduce collisions; they prevent reuse of authentication data. D: Nonces are not used to harvest hashes; they enhance security.

Answer 40

Answer: C. Limiting failed login attempts to three before locking the account Explanation: Correct Answer: C: Limiting failed login attempts deters attackers from guessing passwords by locking the account after a few incorrect attempts. Incorrect Answers: A: Shorter hash digests increase security risks, such as collisions. B: Allowing unlimited failed login attempts makes it easier for attackers to guess passwords. D: Disabling multi-factor authentication reduces security, making systems more vulnerable.

Answer 41

Answer: B. To make password hashes harder to guess Explanation: Correct: The main goal of key stretching, such as PBKDF2 with a high number of iterations, is to slow down attackers attempting to brute-force the password. The more iterations, the longer it takes to compute the hash, making it significantly more difficult for attackers to guess the password through brute-force or dictionary attacks. Incorrect Options: A: Key stretching doesn't make passwords shorter; it makes them harder to crack. C: Key stretching slows down password verification, not improves it. D: Key stretching increases the computational effort, so the size of the hash might be larger, but it doesn’t reduce storage requirements.

Answer 42

Answer: B. The password verification process would take longer. Explanation: Correct: Increasing the work factor in bcrypt makes the hashing process slower by applying more iterations. While this makes password verification take longer, it’s a security feature that makes it harder for attackers to brute-force the password hash. Incorrect Options: A: A higher work factor does not make the password easier to guess; it does the opposite, making it harder to crack. C: A higher work factor increases computational cost, but it does not directly affect the file size where the password hash is stored. D: Passwords should always be hashed, not encrypted. Hashing is a one-way function, unlike encryption, which can be reversed.

Answer 43

Answer: B. It increases the time and resources needed for an attacker to crack a password hash. Explanation: Correct: Key stretching is specifically designed to make password hashing slower and more resource-intensive. This increases the time and computational resources required for an attacker to perform brute-force or dictionary attacks on the hash. Incorrect Options: A: Key stretching is designed to slow down the process for attackers, not to speed it up. C: Key stretching applies to password hashes, not encryption. D: Key stretching makes rainbow tables less effective by introducing randomness (e.g., salting) and increasing the time required for brute-force attacks.

Answer 44

Answer: A. It makes the password hash unique even if two users have the same password. Explanation: Correct: A salt is a random value added to the password before hashing, ensuring that even if two users have the same password, their hashes will be different. This prevents attackers from using precomputed rainbow tables effectively. Incorrect Options: B: The salt doesn't reduce the number of iterations; the iterations are independent of the salt. C: The salt doesn't speed up the process; it makes the hashing more secure by adding uniqueness. D: If the salt is leaked, it doesn’t make it easier for attackers to guess the password directly, as they still need to perform the key stretching process for each password guess.

Answer 45

Answer: A. A technique where attackers collect password hashes over time to crack them later Explanation: A (Correct): Hash harvesting is when an attacker collects password hashes to crack them in the future. This method is common in data breaches or when attackers have access to databases or network traffic that exposes these hashes. B (Incorrect): Encrypting passwords does not define hash harvesting. Hashing is different from encryption and is used for storing passwords securely. C (Incorrect): Applying hash functions does not directly involve harvesting; it's a method for securely storing passwords. D (Incorrect): Storing passwords in plain text is a security flaw, not related to hash harvesting.

Answer 46

Answer: A. It is a type of server that stores and manages user credentials and enforces security policies Explanation: A (Correct): A domain controller is a server that is responsible for authenticating users and managing access control in a domain, including the storage of user credentials and enforcing security policies. B (Incorrect): Monitoring network traffic is typically handled by network security appliances, not domain controllers. C (Incorrect): Physical access control is handled by security systems, not a domain controller. D (Incorrect): A domain controller is not a client machine; it is a server managing domain resources.

Answer 47

Answer: A. Allowing users in one domain to access resources in another domain Explanation: A (Correct): Domain trust is the process of allowing users and systems from one domain to access resources in another domain or forest. Trusts are established to allow sharing of resources across domains in a network. B (Incorrect): Physical access control to domain controllers is unrelated to domain trust. Domain trust deals with network and resource access. C (Incorrect): Verifying user passwords within a domain is a task managed by the domain controller, not the trust process. D (Incorrect): Data encryption within a domain does not define domain trust, which is about allowing access across domains.

Answer 48

Answer: B. To protect against replay attacks by ensuring each request is unique Explanation: B (Correct): A nonce is a randomly generated number or string used to ensure the uniqueness of each request, making it impossible for attackers to replay old requests and successfully execute a replay attack. A (Incorrect): Nonces are not primarily for ensuring confidentiality, though they can be part of the process, their main function is preventing replay attacks. C (Incorrect): While nonces may be used in some cryptographic processes, they do not directly generate session keys. D (Incorrect): Authentication of users is done using other mechanisms like usernames and passwords or certificates, not nonces.

Answer 49

Answer: C. They are randomly generated for each request and prevent replay attacks Explanation: C (Correct): Nonces are randomly generated for each request to ensure that the request is unique. This randomness is crucial for preventing attackers from capturing and replaying the request at a later time. A (Incorrect): Nonces are typically generated by the server but are included in requests, not responses. B (Incorrect): Nonces are not used for an entire session; they are unique for each individual request. D (Incorrect): Nonces must be random and unique for each request. If they were static, attackers could predict them and exploit them.

Answer 50

Correct Answer: B. CRL Explanation: Correct: CRL (Certificate Revocation List) is a file containing all revoked certificates, which the administrator must download and check manually. Incorrect: A. OCSP checks certificate status in real time and doesn’t require downloading a list. C. OCSP Stapling involves the server providing the OCSP response directly to the client. D. Key Recovery relates to backing up encryption keys, not certificate revocation.

Answer 51

Correct Answer: B. OCSP Explanation: Correct: OCSP (Online Certificate Status Protocol) sends real-time requests to the CA’s OCSP server for certificate verification. Incorrect: A. CRL is a list-based method that does not involve real-time requests. C. OCSP Stapling is where the server provides the OCSP response itself, not the client. D. Certificate Pinning is unrelated to checking the revocation status.

Answer 52

Correct Answer: C. OCSP Stapling Explanation: Correct: OCSP Stapling reduces client-server communication by having the web server provide a cached OCSP response from the CA. Incorrect: A. CRL involves manually downloading a list of revoked certificates. B. OCSP requires the client to query the OCSP server directly. D. Root of Trust refers to the trust chain in PKI, not revocation methods.

Answer 53

Correct Answer: B. It is a service provided by the CA’s server. Explanation: Correct: The OCSP server is a service run by the CA to handle real-time certificate status requests. Incorrect: A. OCSP is a service, not necessarily a standalone server. C. OCSP does not replace a CA; it is part of the CA’s infrastructure. D. OCSP operates independently of CRLs, which are list-based.

Answer 54

Correct Answer: C. Use OCSP Stapling. Explanation: Correct: OCSP Stapling allows the server to provide a cached OCSP response, reducing the need for client-server communication and improving efficiency. Incorrect: A. CRLs are inefficient because they involve downloading large lists. B. OCSP improves efficiency but still requires real-time queries from the client. D. Removing certificate validation compromises security.

Answer 55

Correct Answer: B) Before the TLS handshake, via an HTTP header. Explanation: The pinned key is sent to the browser before the TLS handshake starts, typically through an HTTP header like Public-Key-Pins. This allows the browser to store the pinned key and use it to verify the server’s public key during the TLS handshake.

Answer 56

Correct Answer: B) To ensure the browser only trusts a specific public key for the website. Explanation: The pinned key ensures that the browser only accepts a specific public key or certificate for the website. During the TLS handshake, the browser compares the server’s public key (from its certificate) to the pinned key. If they match, the connection is trusted. If they don’t match, the browser blocks the connection.

Answer 57

Correct Answer: C) Use a public CA for the e-commerce website and a self-managed CA for the employee portal. Explanation: Public CA for the E-Commerce Website: The e-commerce website is public-facing and needs to be trusted by all users' browsers. A public CA (like Let's Encrypt or DigiCert) issues certificates that are globally trusted, ensuring that users don’t see security warnings when visiting the site. Public CAs also handle domain validation, which is essential for public websites. Self-Managed CA for the Employee Portal: The employee portal is an internal service, accessible only within the company’s private network. A self-managed CA is ideal here because: It allows the company to issue certificates at no cost. The company has full control over certificate issuance and policies. Since the portal is internal, there’s no need for global trust. Employees’ devices can be configured to trust the self-managed CA’s root certificate.

Answer 58

Correct Answer: B) The self-managed CA’s root certificate is not trusted by the employees’ browsers. Explanation: Why B is Correct: Certificates issued by a self-managed CA are not trusted by default by browsers or operating systems. For the HR system’s certificate to be trusted, the self-managed CA’s root certificate must be manually installed and trusted on all employees’ devices. This is a common issue when using self-managed CAs for internal services. Why the Other Options Are Incorrect: A) Expired Certificate: While an expired certificate can cause warnings, the scenario specifically mentions a self-managed CA, which points to a trust issue rather than an expiration issue. C) Public CA Certificate: If the HR system were using a certificate from a public CA, it would be trusted by default, and there would be no warnings. The issue is specific to the self-managed CA. D) Weak Encryption Key: A weak encryption key could cause security issues, but it wouldn’t result in trust warnings. The problem here is related to trust, not encryption strength.

Answer 59

Correct Answer: B) Use a self-managed CA because the devices are on a private network, and you need full control over certificate issuance. Explanation: Why B is Correct: The IoT devices are on a private network, so there’s no need for global trust. A self-managed CA is ideal because: It allows the company to issue certificates at no cost. The company has full control over certificate policies, such as validity periods and key usage. The self-managed CA’s root certificate can be installed on the IoT devices and the central server, ensuring trust within the private network. Why the Other Options Are Incorrect: A) Public CA: While a public CA is easier to manage, it’s unnecessary for private networks and would incur additional costs. C) Global Trust: IoT devices on a private network don’t require global trust, so a public CA is not needed. D) Less Secure: A self-managed CA is not inherently less secure. It provides full control over security policies, making it a good choice for private networks.

Answer 60

Correct Answer: B) Use the key recovery agent to retrieve the lost encryption key and decrypt the files. Explanation: Why B is Correct: The key recovery agent is specifically designed to handle situations where encryption keys are lost. They can retrieve the backup key (or a way to recreate it) and use it to decrypt the files, restoring access without data loss. Why the Other Options Are Incorrect: A) Create a New Key: Creating a new key won’t help because the files are already encrypted with the lost key. The new key can’t decrypt the old files. C) Format and Restore: Formatting the computer and restoring from an unencrypted backup would result in data loss if the backup is outdated or doesn’t exist. It’s also unnecessary when a key recovery agent can solve the problem. D) Files Are Lost: This is incorrect because the key recovery agent exists to prevent permanent data loss in such situations.

Answer 61

Correct Answer: B) Use the key recovery agent to recover the encryption key and access the files. Explanation: Why B is Correct: The key recovery agent can retrieve the encryption key (or a backup of it) and use it to decrypt the files. This ensures the company can access the data without relying on the former employee. Why the Other Options Are Incorrect: A) Contact the Employee: While this might work, it’s not reliable. The former employee may refuse to cooperate or may no longer have the key. C) Hire a Hacker: This is illegal and unethical. Encryption is designed to be secure, and breaking it without the key is nearly impossible. D) Abandon the Files: This is unnecessary and wasteful, especially when a key recovery agent can solve the problem.

Answer 62

Correct Answer: B) Use a key recovery agent to securely store and recover encryption keys when needed. Explanation: Why B is Correct: A key recovery agent provides a secure and reliable way to back up and recover encryption keys. This ensures that data can always be accessed, even if an employee loses their key or leaves the company. Why the Other Options Are Incorrect: A) Rely on Employees: This is risky because employees might forget to back up their keys or lose them, leading to permanent data loss. C) Avoid Encryption: This is not a solution. Encryption is essential for protecting sensitive data, and avoiding it would leave the company vulnerable to breaches. D) Public Cloud Storage: Storing encryption keys in a public cloud service is insecure and could lead to unauthorized access. A key recovery agent uses secure, controlled methods to store and recover keys.

Answer 63

Answer: B. To serve as a shared immutable ledger for recording transactions C. To track assets and build trust in a decentralized network Explanation: Correct: B: A blockchain is a shared immutable ledger that records transactions in a secure and transparent manner. C: Blockchain technology is used to track assets and build trust in a decentralized network, eliminating the need for central authorities. Incorrect: A: Blockchain is decentralized, not centralized. D: Records on a blockchain cannot be altered, ensuring data integrity.

Answer 64

Answer: A. Previous block's hash B. Timestamp C. Root transactions (hashes of individual transactions) Explanation: Correct: A: Each block contains the hash of the previous block, linking them in chronological order. B: A timestamp records when the block was last modified. C: Root transactions are the hashes of individual transactions within the block. Incorrect: D: Blockchain is decentralized and does not rely on a centralized authority.

Answer 65

Answer: B. Immutable ledger Explanation: Correct: B: An immutable ledger ensures that once data is recorded, it cannot be altered or deleted, reinforcing trust and data integrity. Incorrect: A: Decentralization eliminates the need for central authorities but does not directly ensure data integrity. C: A public ledger is a record-keeping system but does not guarantee immutability. D: Smart contracts automate processes but are not directly related to data integrity.

Answer 66

Answer: A. Supply chain management B. Smart contracts D. Cryptocurrencies Explanation: Correct: A: Blockchain enhances transparency and traceability in supply chains. B: Smart contracts automate processes and execute actions when conditions are met. D: Cryptocurrencies like Bitcoin are built on blockchain technology. Incorrect: C: Blockchain is decentralized and does not support centralized banking systems.

Answer 67

Answer: B. To maintain a secure and anonymous record of transactions Explanation: Correct: B: A public ledger maintains participants' identities securely and anonymously while recording all genuine transactions. Incorrect: A: Records on a blockchain cannot be modified. C: Blockchain is decentralized and does not centralize control. D: Blockchain relies on peer-to-peer networks for decentralization.

Answer 68

Answer: B. They are transparent and tamper-proof C. They reduce the risk of fraud and associated costs Explanation: Correct: B: Smart contracts are transparent and tamper-proof because they are written in code and executed automatically. C: Smart contracts reduce fraud and costs by eliminating intermediaries and automating processes. Incorrect: A: Smart contracts do not require intermediaries. D: Smart contracts operate in a decentralized environment.

Answer 69

Answer: B. A blockchain used for business transactions with restricted access Explanation: Correct: B: A permissioned blockchain is used for business transactions and promotes trust and transparency with restricted access. Incorrect: A: Permissioned blockchains have restricted access, unlike public blockchains. C: Permissioned blockchains still maintain transparency. D: Permissioned blockchains are decentralized but with controlled access.

Answer 70

Answer: B. By providing immutable records of product origin and handling C. By ensuring compliance and quality control Explanation: Correct: B: Blockchain provides immutable records, ensuring transparency and traceability in the supply chain. C: Blockchain ensures compliance and quality control by maintaining accurate and unalterable records. Incorrect: A: Blockchain is decentralized and does not centralize control. D: Blockchain enhances transparency, not eliminates it.

Answer 71

Answer: C. It empowers peer-to-peer networks and removes central authorities Explanation: Correct: C: Decentralization eliminates the need for central authorities and empowers peer-to-peer networks. Incorrect: A: Decentralization removes centralized control. B: Decentralization relies on peer-to-peer networks. D: Decentralization reduces the risk of fraud and tampering.

Answer 72

Answer: A. Financial services B. Supply chain management D. Intellectual property protection Explanation: Correct: A: Blockchain is widely used in financial services, especially for cryptocurrencies. B: Blockchain enhances transparency and traceability in supply chains. D: Blockchain can protect intellectual property by maintaining immutable records. Incorrect: C: Blockchain is used for decentralized voting systems, not centralized ones.

Answer 73

Answer: B. To facilitate secure data transfer and authentication C. To manage digital certificates and cryptographic keys Explanation: Correct: B: PKI enables secure data transfer and authentication through the use of digital certificates and cryptographic keys. C: PKI manages the creation, validation, and distribution of digital certificates and cryptographic keys. Incorrect: A: PKI is decentralized and does not centralize control over encryption keys. D: PKI relies on asymmetric encryption as a core component.

Answer 74

Answer: A. Hardware and software C. Policies and procedures D. Certificate authorities Explanation: Correct: A: PKI involves hardware and software to manage keys and certificates. C: Policies and procedures are essential for governing PKI operations. D: Certificate authorities (CAs) issue and validate digital certificates. Incorrect: B: PKI is based on asymmetric encryption, not symmetric encryption.

Answer 75

Answer: B. It issues and validates digital certificates for public keys Explanation: Correct: B: Certificate authorities issue and validate digital certificates, ensuring the authenticity of public keys. Incorrect: A: CAs do not generate symmetric keys; they manage public key certificates. C: Key escrow is a separate component, not the primary role of a CA. D: CAs rely on public key cryptography to function.

Answer 76

Answer: B. To securely store cryptographic keys for retrieval in case of loss Explanation: Correct: B: Key escrow stores cryptographic keys in a secure third-party location, allowing retrieval in cases of key loss or legal investigations. Incorrect: A: Key escrow does not eliminate the need for CAs. C: Key escrow does not generate symmetric keys. D: Key escrow complements public key cryptography; it does not replace it.

Answer 77

Answer: B. Confidentiality through encrypted communication C. Authentication of server identities Explanation: Correct: B: PKI ensures confidentiality by encrypting data using shared secret keys. C: PKI authenticates server identities using private keys and digital certificates. Incorrect: A: PKI is decentralized and does not centralize control. D: Digital certificates are a core component of PKI.

Answer 78

Answer: B. PKI encompasses the entire system for managing keys and certificates, while public key cryptography refers only to the encryption process Explanation: Correct: B: PKI includes key management, policies, and trust systems, while public key cryptography focuses solely on encryption and decryption. Incorrect: A: This is the opposite of the correct relationship. C: PKI relies on public key cryptography. D: PKI uses asymmetric encryption, not symmetric encryption.

Answer 79

Answer: B. To establish a secure symmetric encryption tunnel Explanation: Correct: B: The shared secret key is used for symmetric encryption (e.g., AES) to create a secure tunnel for data transfer. Incorrect: A: The shared secret key is used for symmetric encryption, not asymmetric encryption. C: Digital certificates are still required to establish trust. D: Certificate authorities are essential for issuing and validating certificates.

Answer 80

Answer: C. Malicious actors could gain access to escrowed keys Explanation: Correct: C: If escrowed keys are compromised, malicious actors could decrypt sensitive data. Incorrect: A: Key escrow does not eliminate encryption; it ensures access to encrypted data. B: Key escrow does not centralize control; it stores keys securely. D: Key escrow does not replace the need for CAs.

Answer 81

Answer: A. The web browser contacts a certificate authority for the server's public key C. The shared secret key is encrypted using the server's public key D. The web server decrypts the shared secret key using its private key Explanation: Correct: A: The browser retrieves the server's public key from a CA. C: The shared secret key is encrypted with the server's public key for secure transmission. D: The server decrypts the shared secret key using its private key. Incorrect: B: The shared secret key is generated by the browser, not the server.

Answer 82

Answer: B. A padlock icon Explanation: Correct: B: A padlock icon indicates a secure HTTPS connection. Incorrect: A: A green address bar is not a standard indicator for HTTPS. C: A warning message indicates an insecure connection. D: A red exclamation mark typically indicates an error or warning.

Answer 83

Answer: B. To bind a public key with a user's identity Explanation: Correct: B: A digital certificate binds a public key to the identity of a user, device, or server, ensuring authenticity. Incorrect: A: Digital certificates are used for asymmetric encryption, not symmetric encryption. C: Certificate authorities are essential for issuing and validating digital certificates. D: The Root of Trust is a foundational concept in digital certificates and cannot be replaced.

Answer 84

Answer: A. Owner's name and organization B. Public key C. Certificate authority's digital signature Explanation: Correct: A: Digital certificates contain the owner's identifying information. B: The public key is included in the certificate. C: The certificate authority's digital signature validates the certificate. Incorrect: D: Digital certificates do not include symmetric encryption keys.

Answer 85

Answer: A. It allows multiple subdomains to use the same certificate Explanation: Correct: A: Wildcard certificates allow all subdomains under a root domain to use the same certificate, simplifying management. Incorrect: B: Wildcard certificates still require a certificate authority. C: Wildcard certificates do not inherently provide higher security than single-sided certificates. D: Wildcard certificates are issued by trusted certificate authorities, not self-signed authorities.

Answer 86

Answer: B. Compromising one subdomain affects all subdomains Explanation: Correct: B: If a wildcard certificate is compromised, all subdomains using that certificate are affected. Incorrect: A: Wildcard certificates are cost-effective for managing multiple subdomains. C: Wildcard certificates are designed for subdomains, not multiple domains. D: Wildcard certificates do not require dual-sided authentication.

Answer 87

Answer: A. To allow multiple domains to use the same certificate Explanation: Correct: A: The SAN field allows a single certificate to support multiple domains or IP addresses. Incorrect: B: The SAN field complements wildcard certificates but does not replace them. C: The SAN field is not related to encryption. D: Certificate authorities are still required to issue certificates with SAN fields.

Answer 88

Answer: B. Single-sided certificates only validate the server, while dual-sided certificates validate both the server and the user Explanation: Correct: B: Single-sided certificates validate only the server, while dual-sided certificates require mutual authentication. Incorrect: A: This is the opposite of the correct relationship. C: Both single-sided and dual-sided certificates can be used in production. D: Single-sided certificates can be issued by certificate authorities.

Answer 89

Answer: B. A certificate signed by the same entity whose identity it certifies Explanation: Correct: B: Self-signed certificates are signed by the entity they certify, without third-party validation. Incorrect: A: Self-signed certificates are not issued by trusted certificate authorities. C: Self-signed certificates are used for asymmetric encryption. D: Self-signed certificates still rely on the Root of Trust concept.

Answer 90

Answer: B. They are trusted by browsers and operating systems Explanation: Correct: B: Third-party certificates are issued by trusted certificate authorities and are inherently trusted by browsers and systems. Incorrect: A: Third-party certificates require validation by a certificate authority. C: Third-party certificates rely on the Root of Trust. D: Third-party certificates are used for production, not just testing.

Answer 91

Answer: B. To list all revoked digital certificates Explanation: Correct: B: The CRL is maintained by certificate authorities to list all revoked certificates. Incorrect: A: The CRL does not issue new certificates. C: The CRL is part of the certificate authority's role. D: The CRL is not related to encryption.

Answer 92

Answer: A. OCSP is faster and more efficient Explanation: Correct: A: OCSP checks the revocation status of a single certificate in real-time, making it faster than CRL. Incorrect: B: OCSP does not provide encryption. C: OCSP relies on certificate authorities. D: OCSP is used for all types of certificates, not just self-signed ones.

Answer 93

Answer: B. To provide hardware-level security for cryptographic keys Explanation: Correct: B: A TPM is a dedicated microcontroller that secures hardware through integrated cryptographic keys, ensuring digital secrets remain confidential. Incorrect: A: This describes the role of an HSM, not a TPM. C: Key lifecycle management is the role of a Key Management System (KMS). D: This describes the role of a secure enclave.

Answer 94

Answer: B. To manage the lifecycle of cryptographic keys Explanation: Correct: B: A KMS manages the generation, distribution, storage, and retirement of cryptographic keys. Incorrect: A: This describes the role of a secure enclave. C: This describes the role of a TPM. D: This describes the role of an HSM.

Answer 95

Answer: B. It isolates sensitive data from the main processor Explanation: Correct: B: A secure enclave is a co-processor that isolates sensitive data (e.g., biometric information) from the main processor. Incorrect: A: This describes the role of a TPM. C: This describes the role of a KMS. D: This describes the role of an HSM.

Answer 96

Answer: B. Trusted Platform Module (TPM) Explanation: Correct: B: TPM is used with BitLocker to secure cryptographic keys at the hardware level. Incorrect: A: HSMs are used for mission-critical encryption tasks, not BitLocker. C: KMS manages key lifecycles but is not directly tied to BitLocker. D: Secure enclaves are used for isolating sensitive data, not BitLocker.

Answer 97

Answer: B. Securing financial transactions and sensitive data Explanation: Correct: B: HSMs are used for mission-critical scenarios like financial transactions due to their tamper-proof environment. Incorrect: A: This describes the role of a KMS. C: This describes the role of a secure enclave. D: This describes the role of a TPM.

Answer 98

Answer: A. Automates key lifecycle management C. Ensures regulatory compliance for sensitive data Explanation: Correct: A: A KMS automates the generation, distribution, and retirement of cryptographic keys. C: A KMS helps organizations meet regulatory compliance by securely managing keys. Incorrect: B: This describes the role of a TPM or HSM. D: This describes the role of a secure enclave.

Answer 99

Answer: B. To isolate and protect sensitive data like biometric information Explanation: Correct: B: A secure enclave isolates sensitive data (e.g., fingerprints, facial recognition) from the main processor. Incorrect: A: This describes the role of a KMS. C: This describes the role of an HSM. D: This describes the role of a TPM

Answer 100

Answer: D. Secure Enclave Explanation: Correct: D: The secure enclave in iPhones isolates and protects biometric data like fingerprints and facial recognition data. Incorrect: A: TPMs are used for hardware-level security in Windows devices. B: HSMs are used for mission-critical encryption tasks. C: KMS manages cryptographic keys but does not isolate biometric data.

Answer 101

Answer: C. HSMs are designed for mission-critical encryption tasks Explanation: Correct: C: HSMs are used for high-security scenarios like financial transactions, offering tamper-proof encryption operations. Incorrect: A: Both HSMs and TPMs provide hardware-level security. B: This describes the role of a secure enclave. D: This describes the role of a secure enclave.

Answer 102

Answer: B. To hide the existence of a message within another medium Explanation: Correct: B: Steganography aims to conceal the very existence of a hidden message within another file or medium, such as an image or text. Incorrect: A: Steganography hides data but does not encrypt it. C: This describes tokenization. D: This describes data masking.

Answer 103

Answer: A. Embedding a secret message in the pixels of an image C. Using the first letter of each word in a newspaper ad to form a hidden message Explanation: Correct: A: Steganography often involves hiding messages in images by altering pixel values. C: This is a classic example of steganography, where hidden messages are embedded in plain sight. Incorrect: B: This describes tokenization. D: This describes data masking.

Answer 104

Answer: B. To replace sensitive data with non-sensitive tokens Explanation: Correct: B: Tokenization substitutes sensitive data (e.g., credit card numbers) with non-sensitive tokens that have no intrinsic value. Incorrect: A: This describes steganography. C: This describes data masking. D: Tokenization does not encrypt data; it replaces it with tokens.

Answer 105

Answer: B. Protecting credit card data in payment systems Explanation: Correct: B: Tokenization is widely used in payment systems to replace sensitive credit card data with tokens, reducing the risk of data breaches. Incorrect: A: This describes steganography. C: This describes data masking. D: Tokenization does not encrypt data; it replaces it with tokens.

Answer 106

Answer: C. To disguise original data while maintaining usability Explanation: Correct: C: Data masking disguises sensitive data (e.g., credit card numbers, social security numbers) while keeping the data usable for testing or other purposes. Incorrect: A: This describes steganography. B: This describes tokenization. D: Data masking does not encrypt data; it alters it to protect sensitive information.

Answer 107

Answer: C. Displaying only the last four digits of a credit card number Explanation: Correct: C: Data masking often involves displaying only a portion of sensitive data (e.g., the last four digits of a credit card number) to protect the full data. Incorrect: A: This describes steganography. B: This describes tokenization. D: Data masking does not encrypt data; it alters it to protect sensitive information.

Answer 108

Answer: B. It reduces the scope of compliance with standards like PCI DSS Explanation: Correct: B: Tokenization reduces the scope of compliance with standards like PCI DSS by replacing sensitive data with tokens, minimizing the exposure of sensitive information. Incorrect: A: This describes steganography. C: Tokenization does not encrypt data; it replaces it with tokens. D: This describes data masking.

Answer 109

Answer: C. Data masking Explanation: Correct: C: Data masking is commonly used in non-production environments (e.g., software testing) to protect sensitive data while maintaining usability. Incorrect: A: Steganography hides messages but is not typically used for protecting data in non-production environments. B: Tokenization replaces sensitive data with tokens but is more commonly used in production environments like payment systems. D: Encryption secures data but does not disguise it for usability in non-production environments

Answer 110

Answer: A. Steganography hides data within another medium, while tokenization replaces sensitive data with tokens Explanation: Correct: A: Steganography conceals data within another medium (e.g., an image), while tokenization substitutes sensitive data with non-sensitive tokens. Incorrect: B: Steganography does not encrypt data; it hides it. C: Tokenization is used in payment systems, not steganography. D: This is the opposite of the correct relationship.

Answer 111

Answer: A. Steganography Explanation: Correct: A: Steganography hides data within another medium (e.g., an image) without altering its visible appearance. Incorrect: B: Tokenization replaces sensitive data with tokens, which alters its appearance. C: Data masking disguises sensitive data, altering its appearance. D: Encryption transforms data into an unreadable format, altering its appearance.

Answer 112

Answer: A, B, D Explanation: Correct Options: A: Downgrade attacks force systems to use weaker or older cryptographic protocols, exploiting vulnerabilities in outdated versions. B: Collision attacks aim to find two different inputs that produce the same hash output, undermining data integrity. D: Quantum computing threats involve the potential for quantum computers to break traditional encryption algorithms by rapidly solving complex math problems. Incorrect Option: C: Brute-force attacks are not specifically mentioned in the content as a type of cryptographic attack. They are a general method of guessing keys or passwords but are not categorized as a cryptographic attack in this context.

Answer 113

Answer: A Explanation: Correct Option: A: Downgrade attacks aim to force systems to use weaker or older cryptographic protocols, exploiting vulnerabilities in outdated versions. Incorrect Options: B: This describes a collision attack. C: This refers to the threat of quantum computing. D: This describes a brute-force attack, not a downgrade attack.

Answer 114

Answer: A Explanation: Correct Option: A: The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack is a real-world example of a downgrade attack that forced systems to use the insecure SSL 3.0 protocol. Incorrect Options: B: The Birthday attack is related to collision attacks, not downgrade attacks. C: Quantum factorization is a threat posed by quantum computing, not a downgrade attack. D: Brute-force attacks are unrelated to downgrade attacks.

Answer 115

Answer: B Explanation: Correct Option: B: Collision attacks aim to find two different inputs that produce the same hash output, undermining the integrity of cryptographic systems. Incorrect Options: A: This describes a downgrade attack. C: This refers to the threat of quantum computing. D: This describes a brute-force attack.

Answer 116

Answer: B Explanation: Correct Option: B: MD5 (Message Digest Algorithm 5) is known to be vulnerable to collision attacks due to its structural weaknesses. Incorrect Options: A: SHA-256 is considered secure against collision attacks. C: AES is a symmetric encryption algorithm, not a hashing algorithm. D: RSA is an asymmetric encryption algorithm, not a hashing algorithm.

Answer 117

Answer: B Explanation: Correct Option: B: The Birthday Paradox refers to the probability that two distinct inputs, when processed through a hashing function, will produce the same output (a collision). Incorrect Options: A: This is the general definition of the Birthday Paradox but not its cryptographic application. C: This refers to the threat of quantum computing. D: This is unrelated to the Birthday Paradox.

Answer 118

Answer: A, C Explanation: Correct Options: A: Quantum computers can rapidly factorize large prime numbers, threatening asymmetric encryption algorithms like RSA. C: Quantum computers can solve discrete logarithmic problems quickly, undermining algorithms like ECC (Elliptic Curve Cryptography). Incorrect Options: B: This describes a downgrade attack, not a quantum computing threat. D: This describes a downgrade attack, not a quantum computing threat.

Answer 119

Answer: B Explanation: Correct Option: B: Post-quantum cryptography aims to create algorithms that are resistant to attacks from future quantum computers. Incorrect Options: A: This is a countermeasure for downgrade attacks, not post-quantum cryptography. C: This is not the primary purpose of post-quantum cryptography. D: This describes collision attacks, not post-quantum cryptography.

Answer 120

Answer: A, C, D Explanation: Correct Options: A: CRYSTALS-Kyber is recommended for general encryption needs. C: CRYSTALS-Dilithium is recommended for digital signatures. D: SPHINCS+ is another digital signature algorithm recommended by NIST. Incorrect Option: B: MD5 is a hashing algorithm vulnerable to collision attacks and is not a post-quantum algorithm.

Answer 121

Answer: B Explanation: Correct Option: B: A qubit (quantum bit) can represent multiple combinations of 0 and 1 simultaneously through superposition, enabling quantum computers to process vast amounts of information. Incorrect Options: A: This describes a traditional bit, not a qubit. C: This is unrelated to qubits. D: This describes a downgrade attack, not a qubit.

Answer 122

Correct Answer: A. Use HMAC, as it relies on a shared secret key and is efficient for ensuring integrity and authenticity. Explanations: A. Use HMAC, as it relies on a shared secret key and is efficient for ensuring integrity and authenticity. Why Correct: Since Alice and Bob already share a secret key, they can use HMAC to ensure the integrity and authenticity of the message. HMAC uses symmetric key cryptography combined with a hashing algorithm like SHA (e.g., HMAC-SHA-256) to produce a unique message authentication code. This approach is fast, secure, and perfect for scenarios where both parties trust each other and pre-share a key. Why Important: HMAC does not involve computationally expensive public-private key cryptography, making it an ideal choice for closed systems like this one. B. Use Digital Signatures, as they provide non-repudiation and use public-private key cryptography. Why Incorrect: While digital signatures are great for providing non-repudiation and open communication, they are unnecessary here since Alice and Bob already trust each other and share a secret key. Digital signatures are also slower than HMAC because they rely on asymmetric key algorithms like RSA or ECDSA, which require more computational power. C. Use HMAC, as it does not require any shared secret key for operation. Why Incorrect: This statement is false. HMAC requires a shared secret key for operation. Without a shared key, neither Alice nor Bob could generate or verify the HMAC. D. Use Digital Signatures, as they are always faster than HMAC for authenticating messages. Why Incorrect: This statement is also false. Digital signatures are generally slower than HMAC because they rely on computationally intensive asymmetric cryptography. HMAC is faster because it uses symmetric key cryptography combined with hashing.

Answer 123

Correct Answer: A. HMAC uses a shared secret key and a hashing algorithm like SHA-256 to provide authentication and integrity. Explanations: A. HMAC uses a shared secret key and a hashing algorithm like SHA-256 to provide authentication and integrity. Why Correct: HMAC (Hash-Based Message Authentication Code) combines a secret key with a hashing algorithm like SHA-256 to generate a secure authentication code. This code ensures that the message has not been altered (integrity) and that it was generated by someone possessing the secret key (authentication). B. HMAC uses public-private key cryptography for authentication and integrity. Why Incorrect: This statement is false. HMAC does not use public-private key cryptography. It uses symmetric key cryptography, where a single shared key is used by both parties. C. HMAC provides non-repudiation, making it suitable for legal and financial transactions. Why Incorrect: HMAC does not provide non-repudiation because both parties share the same secret key. Either party could have generated the HMAC, so it cannot be used to prove the sender's identity to a third party. Non-repudiation is a feature of digital signatures, not HMAC. D. HMAC works without the need for any key and relies solely on the hashing algorithm. Why Incorrect: This is incorrect because HMAC requires a secret key to generate the authentication code. Without the key, HMAC cannot function.

Answer 124

Correct Answer: B. HMAC requires a shared secret key, while digital signatures require a public-private key pair. Explanations: A. HMAC provides non-repudiation, while digital signatures do not. Why Incorrect: This is false. HMAC does not provide non-repudiation because both parties share the same secret key. Digital signatures, on the other hand, provide non-repudiation because only the sender has the private key used for signing. B. HMAC requires a shared secret key, while digital signatures require a public-private key pair. Why Correct: HMAC uses symmetric cryptography, meaning both parties share the same secret key for generating and verifying the code. Digital signatures use asymmetric cryptography, where a private key is used to sign messages, and a public key is used to verify them. C. Digital signatures rely on symmetric cryptography, while HMAC uses asymmetric cryptography. Why Incorrect: This is the reverse of the truth. Digital signatures rely on asymmetric cryptography, while HMAC relies on symmetric cryptography. D. HMAC is slower than digital signatures because it uses hashing algorithms like SHA-256. Why Incorrect: This is false. HMAC is generally faster than digital signatures because it uses efficient symmetric key cryptography and hashing. Digital signatures, which rely on asymmetric cryptography, are computationally more expensive.

Answer 125

Answer: B. Permissioned Blockchain Explanation: A. Public Blockchain: Incorrect. Public blockchains like Bitcoin or Ethereum allow anyone to participate without restrictions. This does not align with the company’s need to control access and maintain privacy. B. Permissioned Blockchain: Correct. A permissioned blockchain is ideal for supply chain management as it allows only authorized participants to join and defines specific roles for participants, ensuring privacy and data control. C. Hybrid Blockchain: Partially correct, but not the best answer. Hybrid blockchains combine features of both public and private blockchains, but they’re not specifically designed for strict access control in supply chain scenarios. D. Consortium Blockchain: Incorrect. While consortium blockchains are also permissioned, they’re typically governed by a group of organizations rather than a single company, making it less ideal for a single-company solution.

Answer 126

Answer: B. To ensure faster and more efficient transactions among approved participants. Explanation: A. To allow anyone to access sensitive supply chain data: Incorrect. Sensitive data must remain private, so a permissioned blockchain is used to restrict access to authorized participants only. B. To ensure faster and more efficient transactions among approved participants: Correct. Permissioned blockchains streamline processes by limiting participation to trusted entities, reducing the complexity and delays often associated with public blockchains. C. To let customers participate directly in the blockchain: Incorrect. Customers typically don’t participate in supply chain blockchains; it’s mainly for supply chain partners like farmers, distributors, and retailers. D. To use cryptocurrency for supply chain payments: Incorrect. The IBM Food Trust blockchain focuses on supply chain transparency and traceability, not cryptocurrency transactions.

Answer 127

Answer: B. Permissioned Blockchain Explanation: A. Public Blockchain: Incorrect. Public blockchains lack privacy and cannot enforce strict access controls, making them unsuitable for sharing sensitive healthcare data. B. Permissioned Blockchain: Correct. A permissioned blockchain allows only approved entities (e.g., hospitals) to join and ensures privacy and compliance with regulations like HIPAA. C. Hybrid Blockchain: Partially correct. A hybrid blockchain could work but would be more complex and less efficient for strictly controlled environments like healthcare. D. Private Blockchain: Incorrect. While private blockchains also restrict access, they are typically controlled by a single organization. A consortium like this requires shared governance, making a permissioned blockchain more appropriate.

Answer 128

Answer: B. Permissioned blockchains offer more scalability and control over data access. Explanation: A. Permissioned blockchains provide complete anonymity to participants: Incorrect. Permissioned blockchains do not focus on anonymity; participants are usually known and verified. B. Permissioned blockchains offer more scalability and control over data access: Correct. Permissioned blockchains limit participants and roles, allowing businesses to scale their operations while maintaining control and privacy. C. Permissioned blockchains eliminate the need for cryptographic techniques: Incorrect. Cryptographic techniques are still essential for ensuring data security and integrity. D. Permissioned blockchains are less secure than public blockchains: Incorrect. Security in permissioned blockchains is tailored to specific use cases and can be highly effective within controlled environments.

Cryptographic Solutions Flashcards

1.4 - Explain the importance of using appropriate cryptographic solutions 2.3 - Explain various types of vulnerabilities 2.4 - Given a scenario, you must be able to analyze indicators of malicious activity