Cryptographic Solutions Flashcards

1.4 - Explain the importance of using appropriate cryptographic solutions
2.3 - Explain various types of vulnerabilities
2.4 - Given a scenario, you must be able to analyze indicators of malicious activity

1
Q

Which of the following are true about symmetric encryption? (Choose Two)
A. Uses a single key for encryption and decryption
B. Provides non-repudiation
C. Requires a shared secret key between sender and receiver
D. Is faster than asymmetric encryption

A

Answer:
A. Uses a single key for encryption and decryption
C. Requires a shared secret key between sender and receiver

Explanation:

Correct Options:

A: Symmetric encryption uses the same key for both encryption and decryption.

C: Both the sender and receiver must share the same secret key, which is a challenge in large-scale usage.

Incorrect Options:

B: Symmetric encryption does not provide non-repudiation because multiple parties share the same key, making it impossible to prove who performed the encryption or decryption.

D: While symmetric encryption is faster than asymmetric encryption, this is not a defining characteristic of symmetric encryption itself.

2
Q

Which of the following are examples of asymmetric encryption algorithms? (Choose Three)
A. AES
B. RSA
C. Diffie-Hellman
D. ECC (Elliptic Curve Cryptography)

A

Answer:
B. RSA
C. Diffie-Hellman
D. ECC (Elliptic Curve Cryptography)

Explanation:

Correct Options:

B: RSA is a widely used asymmetric encryption algorithm.

C: Diffie-Hellman is used for secure key exchange and is part of asymmetric cryptography.

D: ECC is an asymmetric encryption method that provides strong security with smaller key sizes.

Incorrect Option:

A: AES is a symmetric encryption algorithm, not asymmetric.

3
Q

What is the primary advantage of using a hybrid encryption approach?
A. It eliminates the need for encryption keys
B. It combines the speed of symmetric encryption with the key distribution benefits of asymmetric encryption
C. It uses only public keys for encryption and decryption
D. It is slower but more secure than symmetric encryption

A

Answer:
B. It combines the speed of symmetric encryption with the key distribution benefits of asymmetric encryption

Explanation:

Correct Option:

B: A hybrid approach uses asymmetric encryption to securely share a symmetric key, which is then used for fast bulk data encryption.

Incorrect Options:

A: Encryption keys are still required in a hybrid approach.

C: A hybrid approach uses both public and private keys for key exchange, not just public keys.

D: A hybrid approach is designed to be both fast and secure, not slower.

4
Q

Which of the following is a characteristic of a stream cipher?
A. Encrypts data in fixed-size blocks
B. Uses a keystream generator and XOR function for encryption
C. Is typically implemented in software
D. Is slower than block ciphers

A

Answer:
B. Uses a keystream generator and XOR function for encryption

Explanation:

Correct Option:

B: Stream ciphers encrypt data bit-by-bit or byte-by-byte using a keystream generator and XOR function.

Incorrect Options:

A: This describes block ciphers, not stream ciphers.

C: Stream ciphers are often implemented in hardware, not software.

D: Stream ciphers are generally faster than block ciphers, especially for real-time data streams.

5
Q

What is the main challenge of symmetric encryption in large-scale usage?
A. Lack of confidentiality
B. Difficulty in distributing shared secret keys
C. Slower performance compared to asymmetric encryption
D. Inability to encrypt data in real-time

A

Answer:
B. Difficulty in distributing shared secret keys

Explanation:

Correct Option:

B: Symmetric encryption requires both parties to share the same secret key, which becomes challenging as the number of users increases.

Incorrect Options:

A: Symmetric encryption provides confidentiality, not a lack of it.

C: Symmetric encryption is faster than asymmetric encryption.

D: Symmetric encryption can encrypt data in real-time, especially with stream ciphers.

6
Q

Which of the following are common vulnerabilities associated with symmetric encryption? (Choose Two)
A. Key distribution challenges
B. Lack of non-repudiation
C. Susceptibility to brute-force attacks
D. Slower performance compared to asymmetric encryption

A

Answer:
A. Key distribution challenges
B. Lack of non-repudiation

Explanation:

Correct Options:

A: Distributing shared secret keys securely is a major challenge in symmetric encryption.

B: Symmetric encryption does not provide non-repudiation because multiple parties share the same key.

Incorrect Options:

C: While brute-force attacks are a risk, they are not unique to symmetric encryption.

D: Symmetric encryption is faster than asymmetric encryption.

7
Q

Which of the following could indicate malicious activity in a network using symmetric encryption? (Choose Two)
A. Unauthorized users gaining access to shared secret keys
B. Frequent changes to public keys
C. Unexpectedly high CPU usage during encryption processes
D. Use of hybrid encryption for secure communication

A

Answer:
A. Unauthorized users gaining access to shared secret keys
C. Unexpectedly high CPU usage during encryption processes

Explanation:

Correct Options:

A: Unauthorized access to shared secret keys is a clear indicator of malicious activity.

C: High CPU usage during encryption could indicate a brute-force attack or unauthorized encryption processes.

Incorrect Options:

B: Frequent changes to public keys are not directly related to symmetric encryption.

D: Hybrid encryption is a legitimate and secure approach, not an indicator of malicious activity.

8
Q

Which of the following are true about DES (Data Encryption Standard)? (Choose Two)
A. It uses a 64-bit key with 56 effective bits due to parity.
B. It encrypts data in 128-bit blocks.
C. It was widely used from the 1970s to the early 2000s.
D. It is a stream cipher.

A

Answer:
A. It uses a 64-bit key with 56 effective bits due to parity.
C. It was widely used from the 1970s to the early 2000s.

Explanation:

Correct:

A: DES uses a 64-bit key, but only 56 bits are effective for encryption due to parity bits.

C: DES was widely used from the 1970s to the early 2000s before being replaced by more secure algorithms.

Incorrect Options:

B: DES encrypts data in 64-bit blocks, not 128-bit blocks.

D: DES is a block cipher, not a stream cipher.

9
Q

What is the effective key strength of Triple DES (3DES)?
A. 56 bits
B. 112 bits
C. 128 bits
D. 256 bits

A

Answer:
B. 112 bits

Explanation:

Correct:

B: Triple DES uses three 56-bit keys, resulting in an effective key strength of 112 bits.

Incorrect Options:

A: 56 bits is the key strength of standard DES, not 3DES.

C: 128 bits is the key size for AES-128, not 3DES.

D: 256 bits is the key size for AES-256, not 3DES.

10
Q

Which of the following symmetric algorithms is a stream cipher?
A. AES
B. RC4
C. Blowfish
D. Twofish

A

Answer:
B. RC4

Explanation:

Correct:

B: RC4 is a stream cipher, unlike the others listed, which are block ciphers.

Incorrect Options:

A: AES is a block cipher.

C: Blowfish is a block cipher.

D: Twofish is a block cipher.

11
Q

Which of the following algorithms was chosen as the replacement for DES and 3DES by the US government?
A. IDEA
B. AES
C. Blowfish
D. RC6

A

Answer:
B. AES

Explanation:

Correct:

B: AES (Advanced Encryption Standard) was chosen by the US government as the replacement for DES and 3DES.

Incorrect Options:

A: IDEA was a contender but not chosen.

C: Blowfish was developed as a DES replacement but not widely adopted.

D: RC6 was a contender but not chosen.

12
Q

Which of the following are true about AES (Advanced Encryption Standard)? (Choose Three)
A. It supports key sizes of 128, 192, and 256 bits.
B. It is also known as the Rijndael Cipher.
C. It is a stream cipher.
D. It is the encryption standard for sensitive unclassified information.

A

Answer:
A. It supports key sizes of 128, 192, and 256 bits.
B. It is also known as the Rijndael Cipher.
D. It is the encryption standard for sensitive unclassified information.

Explanation:

Correct:

A: AES supports key sizes of 128, 192, and 256 bits.

B: AES is also known as the Rijndael Cipher, named after its creators.

D: AES is the encryption standard for sensitive unclassified information.

Incorrect Options:

C: AES is a block cipher, not a stream cipher.

13
Q

Which of the following algorithms uses a 128-bit key and is faster and more secure than DES?
A. DES
B. 3DES
C. IDEA
D. RC4

A

Answer:
C. IDEA

Explanation:

Correct:

C: IDEA (International Data Encryption Algorithm) uses a 128-bit key and is faster and more secure than DES.

Incorrect Options:

A: DES uses a 56-bit key and is less secure.

B: 3DES uses three 56-bit keys but is slower than DES.

D: RC4 is a stream cipher with variable key sizes, not specifically faster or more secure than DES.

14
Q

Which of the following are true about Blowfish and Twofish? (Choose Two)
A. Both are block ciphers.
B. Both were developed as replacements for DES.
C. Both are patented and proprietary.
D. Both use 128-bit block sizes.

A

Answer:
A. Both are block ciphers.
B. Both were developed as replacements for DES.

Explanation:

Correct:

A: Blowfish and Twofish are both block ciphers.

B: Both were developed as replacements for DES.

Incorrect Options:

C: Neither Blowfish nor Twofish is patented; both are open source.

D: Blowfish uses a 64-bit block size, while Twofish uses a 128-bit block size.

15
Q

Which of the following are part of the RC Cipher Suite? (Choose Three)
A. RC1
B. RC4
C. RC5
D. RC6

A

Answer:
B. RC4
C. RC5
D. RC6

Explanation:

Correct:

B: RC4 is a stream cipher used in SSL and WEP.

C: RC5 is a block cipher with key sizes up to 2048 bits.

D: RC6 is a stronger version of RC5 and was a contender for the DES replacement.

Incorrect Options:

A: RC1 was never published.

16
Q

Which of the following is the most widely used symmetric encryption algorithm today?
A. DES
B. 3DES
C. AES
D. Blowfish

A

Answer:
C. AES

Explanation:

Correct:

C: AES is the most widely used symmetric encryption algorithm today and is considered the strongest.

Incorrect Options:

A: DES is outdated and insecure.

B: 3DES is slower and less efficient than AES.

D: Blowfish is not as widely adopted as AES.

17
Q

Alice wants to send Bob a confidential message. She also wants to ensure that Bob can verify the message’s integrity and confirm that it was indeed sent by her. Which of the following steps should Alice follow to achieve confidentiality, non-repudiation, and integrity?

A. Encrypt the message using Bob’s public key, hash the message using SHA-256, and encrypt the hash using her private key.
B. Hash the message using SHA-256, encrypt the hash using her private key, and encrypt the message using her public key.
C. Encrypt the message using her private key, hash the message using SHA-256, and encrypt the hash using Bob’s public key.
D. Hash the message using SHA-256, encrypt the hash using Bob’s public key, and encrypt the message using her private key.

A

Answer:
A. Encrypt the message using Bob’s public key, hash the message using SHA-256, and encrypt the hash using her private key.

Explanation:
Correct Option:
A:
Confidentiality is ensured by encrypting the message with Bob’s public key because only Bob can decrypt it using his private key.
Integrity is achieved by hashing the message using SHA-256 to produce a unique fingerprint.
Non-repudiation is provided by encrypting the hash (digital signature) with Alice’s private key because only Alice could have signed it.
Incorrect Options:
B: Encrypting the message with Alice’s public key does not ensure confidentiality because anyone can decrypt it using Alice’s public key.
C: Encrypting the message with Alice’s private key does not ensure confidentiality because anyone can decrypt it using her public key.
D: Encrypting the hash with Bob’s public key is incorrect for non-repudiation because it does not prove that Alice signed it.

18
Q

Bob receives a confidential message from Alice. The message also includes a digital signature. What steps should Bob take to verify the integrity and authenticity of the message?

A. Decrypt the message using Alice’s public key, hash the message using SHA-256, and compare it to the hash from the digital signature.
B. Decrypt the message using his private key, hash the message using SHA-256, decrypt the signature using Alice’s public key, and compare the hashes.
C. Hash the message using SHA-256, decrypt the hash using Alice’s private key, and compare the hashes.
D. Decrypt the message using his public key, decrypt the hash using Alice’s private key, and compare the hashes.

A

Answer:
B. Decrypt the message using his private key, hash the message using SHA-256, decrypt the signature using Alice’s public key, and compare the hashes.

Explanation:
Correct Option:
B:
Bob decrypts the message using his private key because the message was encrypted using his public key (confidentiality).
Bob hashes the decrypted message using the same hash algorithm (e.g., SHA-256).
Bob decrypts the digital signature (encrypted hash) using Alice’s public key, verifying that Alice signed it (non-repudiation).
Bob compares the two hashes. If they match, the message’s integrity and authenticity are verified.
Incorrect Options:
A: Decrypting the message with Alice’s public key is incorrect; the message was encrypted with Bob’s public key.
C: The hash from the message must be compared to the decrypted digital signature, not the other way around.
D: Decrypting the message with Bob’s public key is incorrect since the message was encrypted with Bob’s public key and requires his private key.

19
Q

Alice needs to send a file to Bob. The file must remain confidential, and Bob should be able to verify that Alice was the sender and that the file was not tampered with. Which of the following describes the correct order of operations?

A. Hash the file, encrypt the file with Bob’s public key, and encrypt the hash with Alice’s private key.
B. Encrypt the file with Bob’s private key, hash the file, and encrypt the hash with Alice’s public key.
C. Encrypt the file with Bob’s public key, hash the file, and encrypt the hash with Alice’s private key.
D. Hash the file, encrypt the hash with Bob’s public key, and encrypt the file with Alice’s private key.

A

Answer:
C. Encrypt the file with Bob’s public key, hash the file, and encrypt the hash with Alice’s private key.

Explanation:
Correct Option:
C:
Alice encrypts the file with Bob’s public key to ensure confidentiality (only Bob can decrypt it).
Alice hashes the file to produce a unique hash for integrity.
Alice encrypts the hash (digital signature) with her private key to provide non-repudiation (proving she signed it).
Incorrect Options:
A: Hashing the file first is fine, but encrypting the file with Alice’s private key does not ensure confidentiality.
B: Encrypting the file with Bob’s private key is incorrect; it must be encrypted with his public key to ensure confidentiality.
D: Encrypting the hash with Bob’s public key is incorrect for non-repudiation, as it does not prove Alice signed it.

20
Q

You are a security engineer tasked with implementing a digital signature system to verify the authenticity of messages exchanged between your company’s servers and its clients. Your team suggests the following options for signing the hash of the messages. Which two options would be appropriate for signing the hash? (Choose Two)

A. RSA
B. DSA
C. Diffie-Hellman
D. ECDSA
E. AES

A

Answer:
A. RSA
D. ECDSA

Explanation:

Correct Options:

RSA: RSA is a versatile algorithm that can be used for both encryption and digital signatures. It is commonly used for signing and verifying messages.
ECDSA: The Elliptic Curve Digital Signature Algorithm (ECDSA) is specifically designed for digital signing and is a more efficient alternative to RSA due to its smaller key sizes and faster computations.
Incorrect Options:

DSA: While DSA is also a valid digital signature algorithm, the question asks for two options, and RSA and ECDSA are more widely used in modern implementations.
Diffie-Hellman: Diffie-Hellman is a key exchange protocol, not a digital signature algorithm. It is designed to securely establish shared keys, not sign or verify data.
AES: AES is a symmetric encryption algorithm used for encrypting data, not for signing or verifying messages.

21
Q

A software company is using Elliptic Curve Cryptography (ECC) to secure its communications. One of the team members suggests using ECC for both encrypting messages and signing them. Why would this not work for the signing process?

A. ECC is only used for key exchange.
B. ECC does not support signing directly; a specific algorithm like ECDSA is needed.
C. ECC cannot be used with public/private key pairs.
D. ECC cannot be used for encrypting data or signing.

A

Answer:
B. ECC does not support signing directly; a specific algorithm like ECDSA is needed.

Explanation:

Correct Option:

B: Elliptic Curve Cryptography (ECC) is a general cryptographic framework, not a digital signature algorithm by itself. To perform digital signing using ECC, you need a specific algorithm like ECDSA (Elliptic Curve Digital Signature Algorithm).
Incorrect Options:

A: ECC is not limited to key exchange. It can also be used for encryption and as a foundation for digital signature algorithms (e.g., ECDSA).
C: ECC is based on public/private key pairs and is used extensively in cryptography.
D: ECC is widely used for encrypting data and serves as a foundation for secure algorithms like ECDSA for signing.

22
Q

Your team is evaluating different cryptographic algorithms for signing documents. One team member suggests using Diffie-Hellman for the signing process because it is a robust cryptographic algorithm. What is the main issue with this suggestion?

A. Diffie-Hellman is too slow for signing.
B. Diffie-Hellman is designed for key exchange, not signing.
C. Diffie-Hellman does not support asymmetric key pairs.
D. Diffie-Hellman does not use hashing.

A

Answer:
B. Diffie-Hellman is designed for key exchange, not signing.

Explanation:

Correct Option:

B: Diffie-Hellman is specifically designed for secure key exchange between parties and is not capable of signing or verifying data.
Incorrect Options:

A: The issue is not about speed; Diffie-Hellman is simply not designed for signing.
C: Diffie-Hellman does use asymmetric key pairs, but they are for secure key exchange, not for signing.
D: Hashing is not relevant to Diffie-Hellman’s purpose, as it is focused on exchanging keys, not signing or verifying data.

23
Q

A company wants to adopt a digital signature algorithm for signing sensitive email messages. They consider RSA and AES as potential candidates. Why is RSA the correct choice in this context?

A. RSA uses hashing for integrity, while AES does not.
B. RSA can be used for digital signatures, but AES is only for encryption.
C. AES is faster but does not support public/private key pairs.
D. RSA supports both key exchange and encryption, making it better than AES.

A

Answer:
B. RSA can be used for digital signatures, but AES is only for encryption.

Explanation:

Correct Option:

B: RSA is an asymmetric encryption algorithm that supports both encryption and digital signature operations. AES, on the other hand, is a symmetric encryption algorithm and cannot be used for signing.
Incorrect Options:

A: While RSA uses hashing as part of the digital signature process, this is not the main reason AES cannot be used. AES simply does not support signing.
C: While AES is faster than RSA for encrypting data, it cannot sign data because it is symmetric.
D: The ability to perform key exchange is not directly relevant to why RSA is preferred for digital signatures.

24
Q

Which of the following explains why specific algorithms like RSA, DSA, or ECDSA are used for digital signatures instead of encryption algorithms like AES?

A. Digital signature algorithms use hashing to ensure integrity, while encryption algorithms do not.
B. Digital signature algorithms rely on public/private key pairs, which are not used in symmetric encryption.
C. Encryption algorithms cannot generate unique identifiers for messages.
D. Encryption algorithms are too slow for signing.

A

Answer:
B. Digital signature algorithms rely on public/private key pairs, which are not used in symmetric encryption.

Explanation:

Correct Option:

B: Digital signature algorithms are designed to work with asymmetric cryptography, which involves a public/private key pair. Symmetric algorithms like AES do not have this capability and therefore cannot be used for signing.
Incorrect Options:

A: While hashing is part of the digital signature process, it is not exclusive to digital signature algorithms. Encryption algorithms can also use hashing for other purposes.
C: This is not accurate; generating unique identifiers for messages is not the purpose of encryption algorithms, so this does not explain why signature algorithms are used instead.
D: The issue is not speed, but rather the lack of support for public/private key operations in symmetric encryption algorithms.

25
Q

A developer needs to distribute a software application securely to ensure its authenticity and integrity. The developer decides to use RSA for code signing. Which of the following steps would the developer follow to sign the software?

A. Hash the software code, then encrypt the hash using their private key.
B. Encrypt the entire software code using their private key.
C. Hash the software code, then encrypt the hash using the recipient’s public key.
D. Encrypt the software code using their public key, then attach the encrypted code with the software.

A

Answer:
A. Hash the software code, then encrypt the hash using their private key.

Explanation:

Correct: Option A is correct because code signing involves hashing the code to create a fixed-size digest and then encrypting that digest with the developer’s private key to create a digital signature.
Incorrect Options:
B: Encrypting the entire software with a private key is highly inefficient and not the purpose of a digital signature.
C: Encrypting with the recipient’s public key ensures confidentiality, not authenticity or integrity.
D: Encrypting with the public key doesn’t verify the authenticity of the developer and would not serve as a valid signature.

26
Q

A company distributes a software patch and includes a digital signature to verify its integrity. The recipient of the patch downloads the file and uses the company’s public key to decrypt the signature. What will the recipient obtain after decrypting the digital signature?

A. The original software patch.
B. The hash digest of the software patch.
C. A copy of the company’s private key.
D. A certificate verifying the software’s publisher.

A

Answer:
B. The hash digest of the software patch.

Explanation:

Correct: The digital signature is the encrypted hash digest of the software. Decrypting it with the company’s public key reveals the original hash digest, which can then be compared with a freshly computed hash of the downloaded software to verify integrity.
Incorrect Options:
A: The digital signature does not contain the original software.
C: The private key is never shared and cannot be obtained by decrypting the signature.
D: Certificates verify the publisher’s identity, but they are separate from the digital signature.

27
Q

A software engineer claims to have signed their software using a hashing algorithm and a regular encryption algorithm like Diffie-Hellman (DH). Why is this process incorrect?

A. DH cannot be used for encrypting a hash digest as it’s not a signing algorithm.
B. Hashing cannot be used in conjunction with encryption.
C. The hash digest cannot be encrypted; only the full software can be encrypted.
D. The process is correct, as any encryption algorithm can sign data.

A

Answer:
A. DH cannot be used for encrypting a hash digest as it’s not a signing algorithm.

Explanation:

Correct: Option A is correct because digital signature algorithms like RSA or ECDSA are specifically designed for signing purposes. Regular encryption algorithms like DH or ECC (in its standard form) are not designed for signing data.
Incorrect Options:
B: Hashing is essential in signing processes and can be used with encryption.
C: The hash digest can (and should) be encrypted in a digital signature process, not the full software.
D: Not all encryption algorithms are suitable for signing; only specific digital signature algorithms should be used.

28
Q

When verifying a code signature, a recipient hashes the downloaded software and decrypts the attached digital signature using the developer’s public key. What does the recipient compare to ensure the integrity of the software?

A. The decrypted hash digest and the software’s source code.
B. The hash of the software and the decrypted hash digest.
C. The decrypted hash digest and the developer’s private key.
D. The hash of the software and the recipient’s private key.

A

Answer:
B. The hash of the software and the decrypted hash digest.

Explanation:

Correct: To verify the code’s integrity, the recipient compares the freshly computed hash of the downloaded software with the hash digest decrypted from the digital signature. If they match, the code has not been tampered with.
Incorrect Options:
A: The software’s source code is not directly involved in this process.
C: The developer’s private key is not accessible during the verification process.
D: The recipient’s private key is irrelevant for verifying a digital signature.

29
Q

Which of the following is not true about digital signatures in the context of code signing?

A. Digital signatures prove the authenticity of the developer.
B. Digital signatures ensure the confidentiality of the software.
C. Digital signatures protect the integrity of the code.
D. Digital signatures are created by encrypting the hash digest with the developer’s private key.

A

Answer:
B. Digital signatures ensure the confidentiality of the software.

Explanation:

Correct: Digital signatures are used to ensure authenticity and integrity but not confidentiality. Confidentiality is achieved by encrypting the content with the recipient’s public key, which is unrelated to digital signing.
Incorrect Options:
A: Authenticity is proven as only the developer has access to their private key to sign the hash.
C: Integrity is ensured as tampering with the code would result in a mismatched hash.
D: Digital signatures are created by encrypting the hash digest with the private key, making this statement true.

30
Q

Alice wants to send a confidential message to Bob. To ensure that only Bob can read the message, Alice retrieves Bob’s public key from a trusted certificate authority (CA). She encrypts the message using this public key. Bob will then decrypt the message using his private key. Which of the following is true about the key distribution process in this scenario?

A. Alice and Bob must share a symmetric key before they can encrypt and decrypt messages.
B. Alice is distributing a private key to Bob.
C. Alice is distributing Bob’s public key to herself.
D. Bob will use his private key to decrypt the message encrypted with his public key.

A

Answer:
D. Bob will use his private key to decrypt the message encrypted with his public key.

Explanation:

Correct:

D: In asymmetric encryption, a message encrypted with a public key can only be decrypted with the corresponding private key. Since Alice encrypted the message using Bob’s public key, Bob will use his private key to decrypt it.

Incorrect Options:

A: This scenario describes asymmetric encryption, not symmetric encryption. Symmetric encryption requires a shared key, but here, Alice and Bob are using public and private keys, which do not require prior key sharing.

B: Alice is not distributing a private key to Bob. Private keys are never shared; they are kept secret by their owner.

C: Alice is not distributing Bob’s public key to herself. She retrieves Bob’s public key from a trusted certificate authority (CA) to encrypt the message, but this is not considered “distribution” in the context of key exchange.

31
Q

In a secure communication system, two parties want to exchange confidential data over the internet. They decide to use a Diffie-Hellman key exchange protocol to securely agree on a shared secret key, which will be used for symmetric encryption. During the exchange, the parties only send public information, and they each compute the shared secret key independently.

Which of the following is true about the key exchange process in this scenario?

A. The shared key is sent over the internet and decrypted by both parties.
B. The public keys of the parties are used to compute the shared key without directly transmitting the key itself.
C. Both parties use their private keys to generate a symmetric key for encryption.
D. The Diffie-Hellman process requires the use of a public key infrastructure (PKI).

A

Answer:
B. The public keys of the parties are used to compute the shared key without directly transmitting the key itself.

Explanation:

Correct: In Diffie-Hellman, both parties exchange public information and then independently compute a shared secret key, which is never directly transmitted.
Incorrect Options:
A: The shared key is not sent over the internet; it is computed independently by each party.
C: The Diffie-Hellman process does not use private keys directly to generate a symmetric key for encryption; it focuses on the secure exchange of public values to compute a shared key.
D: While Diffie-Hellman can be used in conjunction with a PKI, it does not require one for its operation.

32
Q

Bob wants to securely communicate with Alice using symmetric encryption. They decide to use a secure messaging application that relies on a Key Distribution Center (KDC) to distribute the symmetric encryption keys. Alice and Bob authenticate themselves with the KDC, which then sends each of them a copy of the shared symmetric key.

Which of the following statements best describes the key distribution process used here?

A. The KDC distributes a public key to each user for asymmetric encryption.
B. Alice and Bob receive the same symmetric key from the KDC to encrypt and decrypt messages.
C. The KDC ensures that Alice and Bob exchange private keys for encryption.
D. The KDC only sends Alice’s private key to Bob, allowing for secure communication.

A

Answer: B. Alice and Bob receive the same symmetric key from the KDC to encrypt and decrypt messages.

Explanation:

Correct: The Key Distribution Center (KDC) provides Alice and Bob with a shared symmetric key. This key is used for encryption and decryption during communication.
Incorrect Options:
A: The KDC distributes a symmetric key, not a public key for asymmetric encryption.
C: The KDC does not exchange private keys; it distributes a shared symmetric key.
D: The KDC does not send Alice’s private key to Bob, as private keys should never be shared.

33
Q

Alice and Bob are using Elliptic Curve Diffie-Hellman (ECDH) to securely exchange a shared key over an insecure channel. Both Alice and Bob exchange public information, and they each compute a shared secret key independently. After this, they use the shared key for encrypting their communication with symmetric encryption.

Which of the following best describes this process?

A. Alice and Bob are using asymmetric encryption to share a symmetric key.
B. The public keys of Alice and Bob are used to create a shared secret key that will be used for symmetric encryption.
C. Alice and Bob use the shared key to encrypt their communication using asymmetric encryption.
D. The key exchange process involves distributing a public key to all parties involved in the communication.

A

Answer: B. The public keys of Alice and Bob are used to create a shared secret key that will be used for symmetric encryption.

Explanation:

Correct: In ECDH, Alice and Bob use their respective public and private keys to independently compute a shared secret key. This shared key is then used for symmetric encryption.
Incorrect Options:
A: While ECDH is part of an asymmetric encryption system, the key exchange results in a shared secret for symmetric encryption, not a direct encryption of the message using asymmetric encryption.
C: Alice and Bob use the shared secret for symmetric encryption, not asymmetric encryption.
D: The key exchange does not involve distributing public keys to all parties; it involves two parties agreeing on a shared key.

34
Q

A client and a server are trying to establish a secure communication channel using the RSA key exchange method. The client encrypts the communication with the server’s public key and sends it. The server then uses its private key to decrypt the message.

Which of the following best describes the key distribution process in this scenario?
A. The client and server exchange private keys during the key exchange process.
B. The server’s public key is distributed to the client for encryption purposes.
C. The server distributes its private key to the client for decryption.
D. The client generates both the public and private keys for encryption and decryption.

A

Answer: B. The server’s public key is distributed to the client for encryption purposes.

Explanation:

Correct: In RSA key exchange, the server’s public key is used by the client to encrypt messages. The server can then use its private key to decrypt the message.
Incorrect Options:
A: The private keys are not exchanged in RSA key exchange; only the public key is shared.
C: The server’s private key is never distributed; it is kept secret.
D: The client only uses the server’s public key for encryption, not both public and private keys.

35
Q

During a TLS handshake, the server presents a certificate to the client. What is the primary purpose of this certificate?

A. To share the server’s private key with the client
B. To verify the server’s identity to the client
C. To distribute the session key used for encryption
D. To generate the premaster key for the session

A

Correct Answer:
B. To verify the server’s identity to the client

Explanation:
Correct:
The server’s certificate contains its public key and other details (such as the domain name and the issuing CA). The certificate is used to verify the server’s identity by validating the signature of the issuing CA against the trusted root certificate store in the client’s browser or OS.

Incorrect Options:

A: The server’s private key is never shared during the TLS handshake. Sharing the private key would compromise the server’s security.
C: The session key is not distributed in the server’s certificate. Instead, it is derived later in the handshake process using the premaster key and random values.
D: The premaster key is generated by the client (in RSA-based TLS) or through Diffie-Hellman/ECDH methods. It is not directly related to the server’s certificate.

36
Q

What role does the trusted root certificate store play during a TLS handshake?

A. It generates the premaster key for the handshake.
B. It verifies the server’s certificate is issued by a trusted CA.
C. It contains all certificates issued to websites worldwide.
D. It establishes the session key used for encryption.

A

Correct Answer:
B. It verifies the server’s certificate is issued by a trusted CA.

Explanation:
Correct:
The trusted root certificate store contains root certificates of trusted Certificate Authorities (CAs). During a TLS handshake, the browser checks the server’s certificate to ensure that it was issued by one of these trusted CAs.

Incorrect Options:

A: The premaster key is generated as part of the handshake process, not by the trusted root certificate store.
C: The trusted root certificate store does not contain certificates for all websites. It only stores public keys of trusted root CAs.
D: The session key is derived from the premaster key, not the trusted root certificate store.

37
Q

Which of the following describes the process of generating the session key during the TLS handshake?

A. The client and server exchange random values, which are combined with the premaster key to derive the session key.
B. The session key is transmitted to the server in the server’s digital certificate.
C. The CA generates the session key and distributes it to both the client and the server.
D. The session key is pre-configured on the server and shared with the client.

A

Correct Answer:
A. The client and server exchange random values, which are combined with the premaster key to derive the session key.

Explanation:
Correct:
In the TLS handshake, both the client and server contribute random values. These random values, combined with the premaster key, are used in a key derivation function (KDF) to generate the session key. The session key is symmetric and is used to encrypt the actual data.

Incorrect Options:

B: The server’s certificate does not contain the session key. It only contains the server’s public key and identification details.
C: The CA does not generate or distribute session keys. Its role is to sign certificates to ensure trust.
D: The session key is dynamically generated during the handshake, not pre-configured.

38
Q

Which of the following protocols is responsible for securely exchanging the premaster key during a TLS handshake?

A. Diffie-Hellman or Elliptic Curve Diffie-Hellman (ECDH)
B. RSA Digital Signature Algorithm
C. Advanced Encryption Standard (AES)
D. Public Key Infrastructure (PKI)

A

Correct Answer:
A. Diffie-Hellman or Elliptic Curve Diffie-Hellman (ECDH)

Explanation:
Correct:
Diffie-Hellman (DH) and its variant Elliptic Curve Diffie-Hellman (ECDH) are key exchange algorithms used to securely establish a shared premaster key between the client and server during a TLS handshake. They ensure confidentiality even if someone intercepts the exchange.

Incorrect Options:

B: RSA Digital Signature Algorithm is used for authentication and signing, not for key exchange.
C: AES is a symmetric encryption algorithm, used for encrypting the data after the handshake, not for key exchange.
D: PKI is a framework for managing digital certificates and public/private keys. It is not a specific protocol for key exchange.

39
Q

During a TLS handshake, how does the client verify that the server’s certificate is trustworthy?

A. By contacting the CA directly to validate the certificate.
B. By checking the CA’s signature on the server’s certificate using the CA’s public key from the trusted root certificate store.
C. By decrypting the server’s certificate with the server’s private key.
D. By generating a session key and embedding it in the certificate.

A

Correct Answer:
B. By checking the CA’s signature on the server’s certificate using the CA’s public key from the trusted root certificate store.

Explanation:
Correct:
The client validates the server’s certificate by verifying the CA’s digital signature on the certificate. It uses the CA’s public key, stored in the trusted root certificate store, to perform this verification. If the signature matches, the certificate is trustworthy.

Incorrect Options:

A: The client does not directly contact the CA during the handshake. The validation is done locally using the trusted root certificate store.
C: The server’s private key is never used for decrypting its certificate. The private key is used for encryption or signing.
D: The session key is not embedded in the certificate. It is generated during the handshake process.

40
Q

Why can’t a regular encryption algorithm like Diffie-Hellman or ECC be used for signing during the TLS handshake?

A. Because these algorithms are not designed for signing.
B. Because signing requires symmetric encryption, and these algorithms are asymmetric.
C. Because signing is performed only by CAs, not by servers.
D. Because they don’t support the generation of digital certificates.

A

Correct Answer:
A. Because these algorithms are not designed for signing.

Explanation:
Correct:
Diffie-Hellman and ECC are key exchange and encryption algorithms, not digital signature algorithms. Signing requires specific algorithms like RSA, DSA, or ECDSA, which are designed to produce and verify digital signatures.

Incorrect Options:

B: Signing does not require symmetric encryption; it uses asymmetric key pairs.
C: Signing is not limited to CAs. Servers can also sign data (e.g., hash digests) using their private keys.
D: Diffie-Hellman and ECC are unrelated to generating digital certificates.

41
Q

Which of the following are key characteristics of asymmetric algorithms? (Choose Two)
A. Uses a shared secret key
B. Provides confidentiality, integrity, authentication, and non-repudiation
C. Requires only one key for encryption and decryption
D. Uses a key pair (public and private keys)

A

Answer:
B. Provides confidentiality, integrity, authentication, and non-repudiation
D. Uses a key pair (public and private keys)

Explanation:

Correct Answers:

B: Asymmetric algorithms provide confidentiality (encrypting with the receiver’s public key), integrity (using digital signatures), authentication (verifying the sender’s identity), and non-repudiation (ensuring the sender cannot deny sending the message).

D: Asymmetric algorithms use a key pair: a public key for encryption and a private key for decryption.

Incorrect Answers:

A: This describes symmetric algorithms, which use a shared secret key for both encryption and decryption.

C: Asymmetric algorithms require two keys: a public key for encryption and a private key for decryption.

42
Q

Which of the following is true about non-repudiation in asymmetric cryptography?
A. It ensures the message cannot be read by unauthorized parties.
B. It is achieved by encrypting the message with the sender’s private key.
C. It is achieved by encrypting the message with the receiver’s public key.
D. It ensures the message has not been altered in transit.

A

Answer:
B. It is achieved by encrypting the message with the sender’s private key.

Explanation:

Correct Answer:

B: Non-repudiation ensures the sender cannot deny sending the message. This is achieved by encrypting the message (or its hash) with the sender’s private key, which can be verified using their public key.

Incorrect Answers:

A: This describes confidentiality, which is achieved by encrypting the message with the receiver’s public key.

C: Encrypting with the receiver’s public key ensures confidentiality, not non-repudiation.

D: This describes integrity, which is achieved using a digital signature (hashing the message and encrypting the hash with the sender’s private key).

43
Q

Which of the following asymmetric algorithms is primarily used for key exchange and is vulnerable to man-in-the-middle attacks?
A. RSA
B. ECC
C. Diffie-Hellman
D. ECDSA

A

Answer:
C. Diffie-Hellman

Explanation:

Correct Answer:

C: Diffie-Hellman is used for secure key exchange, particularly in VPN tunnel establishment (IPSec). However, it is vulnerable to man-in-the-middle attacks unless additional authentication (e.g., passwords or digital certificates) is used.

Incorrect Answers:

A: RSA is used for key exchange, encryption, and digital signatures, but it is not primarily known for being vulnerable to man-in-the-middle attacks.

B: ECC (Elliptic Curve Cryptography) is used for encryption in low-power devices and is not primarily associated with key exchange vulnerabilities.

D: ECDSA (Elliptic Curve Digital Signature Algorithm) is used for digital signatures, not key exchange.

44
Q

Which of the following are true about RSA? (Choose Three)
A. It relies on the difficulty of factoring large prime numbers.
B. It is widely used for digital signatures and key exchange.
C. It is more efficient than ECC for equivalent security.
D. It supports key sizes ranging from 1024 to 4096 bits.

A

Answer:
A. It relies on the difficulty of factoring large prime numbers.
B. It is widely used for digital signatures and key exchange.
D. It supports key sizes ranging from 1024 to 4096 bits.

Explanation:

Correct Answers:

A: RSA’s security is based on the mathematical difficulty of factoring large prime numbers.

B: RSA is widely used for digital signatures, key exchange, and encryption.

D: RSA supports key sizes from 1024 bits to 4096 bits.

Incorrect Answer:

C: ECC is six times more efficient than RSA for equivalent security, not the other way around.

46
Q

Which of the following are variants of Elliptic Curve Cryptography (ECC)? (Choose Three)
A. ECDH
B. ECDHE
C. RSA
D. ECDSA

A

Answer:
A. ECDH
B. ECDHE
D. ECDSA

Explanation:

Correct Answers:

A: ECDH (Elliptic Curve Diffie-Hellman) is a variant of ECC used for key exchange.

B: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is a variant that uses ephemeral (temporary) keys, so a different key pair is used for each key exchange.

D: ECDSA (Elliptic Curve Digital Signature Algorithm) is used for digital signatures.

Incorrect Answer:

C: RSA is a separate asymmetric algorithm, not a variant of ECC.

47
Q

What is the primary purpose of a digital signature in asymmetric cryptography?
A. To ensure the message is confidential
B. To verify the sender’s identity and ensure message integrity
C. To encrypt the message using the receiver’s public key
D. To prevent man-in-the-middle attacks

A

Answer:
B. To verify the sender’s identity and ensure message integrity

Explanation:

Correct Answer:

B: A digital signature is created by encrypting a hash of the message with the sender’s private key. This ensures the sender’s identity (non-repudiation) and that the message has not been altered (integrity).

Incorrect Answers:

A: Confidentiality is achieved by encrypting the message with the receiver’s public key.

C: This describes the process of ensuring confidentiality, not digital signatures.

D: Preventing man-in-the-middle attacks requires additional authentication mechanisms, not just digital signatures.

48
Q

Which of the following best describes a hashing function?
A. A two-way cryptographic function that encrypts and decrypts data
B. A one-way cryptographic function that produces a unique message digest
C. A symmetric encryption algorithm that uses a shared secret key
D. A method for securely exchanging keys over a network

A

Answer:
B. A one-way cryptographic function that produces a unique message digest

Explanation:

Correct Answer:

B: Hashing is a one-way cryptographic function that takes an input and produces a unique message digest (hash). It cannot be reversed to retrieve the original input.

Incorrect Answers:

A: Hashing is not a two-way function; it cannot decrypt data.

C: Hashing is not a symmetric encryption algorithm, which uses a shared secret key.

D: Key exchange is handled by algorithms like Diffie-Hellman, not hashing.

50
Q

Which of the following are true about hash digests? (Choose Two)
A. The length of the hash digest varies based on the input size.
B. Hash digests act like digital fingerprints for the original data.
C. Hash digests are always the same length for a given hashing algorithm.
D. Hash digests can be reversed to retrieve the original input.

A

Answer:
B. Hash digests act like digital fingerprints for the original data
C. Hash digests are always the same length for a given hashing algorithm

Explanation:

Correct Answers:

B: Hash digests uniquely represent the original data, acting like digital fingerprints.

C: The length of a hash digest is fixed for a given hashing algorithm (e.g., MD5 produces 128-bit hashes, SHA-256 produces 256-bit hashes).

Incorrect Answers:

A: Hash digests are always the same length, regardless of the input size.

D: Hashing is a one-way function; the original input cannot be retrieved from the hash digest.

51
Q

Which of the following hashing algorithms is considered the least secure due to its vulnerability to collisions?
A. SHA-256
B. MD5
C. SHA-3
D. RIPEMD-160

A

Answer:
B. MD5

Explanation:

Correct Answer:

B: MD5 produces a 128-bit hash, which is prone to collisions (two different inputs producing the same hash). It is no longer recommended for security-critical applications.

Incorrect Answers:

A: SHA-256 is more secure than MD5 and produces a 256-bit hash.

C: SHA-3 is a secure hashing algorithm with 224-bit to 512-bit hash digests.

D: RIPEMD-160 is less popular but more secure than MD5.

52
Q

Which of the following are members of the SHA family of hashing algorithms? (Choose Three)
A. SHA-1
B. SHA-224
C. MD5
D. SHA-512

A

Answer:
A. SHA-1
B. SHA-224
D. SHA-512

Explanation:

Correct Answers:

A: SHA-1 produces a 160-bit hash digest.

B: SHA-224 is part of the SHA-2 family and produces a 224-bit hash digest.

D: SHA-512 is part of the SHA-2 family and produces a 512-bit hash digest.

Incorrect Answer:

C: MD5 is not part of the SHA family; it is a separate hashing algorithm.

53
Q

What is the primary purpose of HMAC (Hash-based Message Authentication Code)?
A. To encrypt data for confidentiality
B. To verify the integrity and authenticity of a message
C. To generate digital signatures for non-repudiation
D. To exchange keys securely over a network

A

Answer:
B. To verify the integrity and authenticity of a message

Explanation:

Correct Answer:

B: HMAC is used to verify the integrity of a message and ensure its authenticity by combining a hash function with a secret key.

Incorrect Answers:

A: HMAC does not encrypt data for confidentiality; it ensures integrity and authenticity.

C: Digital signatures are created by encrypting a hash digest with a private key, not HMAC.

D: Key exchange is handled by algorithms like Diffie-Hellman, not HMAC.

54
Q

Which of the following is true about digital signatures? (Choose Two)
A. They are created by encrypting a hash digest with the sender’s private key.
B. They ensure confidentiality by encrypting the entire message.
C. They provide non-repudiation, proving the sender’s identity.
D. They are used to securely exchange keys over a network.

A

Answer:
A. They are created by encrypting a hash digest with the sender’s private key
C. They provide non-repudiation, proving the sender’s identity

Explanation:

Correct Answers:

A: Digital signatures are created by hashing the message and encrypting the hash digest with the sender’s private key.

C: Digital signatures provide non-repudiation, ensuring the sender cannot deny sending the message.

Incorrect Answers:

B: Confidentiality is achieved by encrypting the message with the receiver’s public key, not through digital signatures.

D: Key exchange is handled by algorithms like Diffie-Hellman, not digital signatures.

55
Q

Which of the following algorithms is commonly used for digital signatures? (Choose Two)
A. RSA
B. MD5
C. DSA
D. HMAC

A

Answer:
A. RSA
C. DSA

Explanation:

Correct Answers:

A: RSA is widely used for digital signatures, encryption, and key distribution.

C: DSA (Digital Signature Algorithm) is specifically designed for digital signatures.

Incorrect Answers:

B: MD5 is a hashing algorithm, not used for digital signatures.

D: HMAC is used for message integrity and authenticity, not digital signatures.

56
Q

What happens to the hash digest if even a single character in the input is changed?
A. The hash digest remains the same.
B. The hash digest changes slightly.
C. The hash digest changes drastically.
D. The hash digest becomes unreadable.

A

Answer:
C. The hash digest changes drastically

Explanation:

Correct Answer:

C: Even a minor change in the input (e.g., one character) results in a completely different hash digest due to the avalanche effect in hashing algorithms.

Incorrect Answers:

A: The hash digest will not remain the same if the input changes.

B: The hash digest does not change slightly; it changes entirely.

D: The hash digest remains readable but is entirely different.

57
Q

Which of the following is a key difference between SHA-2 and SHA-3?
A. SHA-2 uses 64-80 rounds of computations, while SHA-3 uses 120 rounds.
B. SHA-2 is less secure than SHA-3.
C. SHA-2 produces shorter hash digests than SHA-3.
D. SHA-2 is used for digital signatures, while SHA-3 is used for encryption.

A

Answer:
A. SHA-2 uses 64-80 rounds of computations, while SHA-3 uses 120 rounds

Explanation:

Correct Answer:

A: SHA-2 uses 64-80 rounds of computations, while SHA-3 uses 120 rounds, making it more secure.

Incorrect Answers:

B: SHA-2 is secure, but SHA-3 is more secure due to its increased rounds of computation.

C: Both SHA-2 and SHA-3 can produce hash digests of similar lengths (e.g., 256-bit, 512-bit).

D: Both SHA-2 and SHA-3 are used for hashing, not encryption.

58
Q

What is the primary goal of a Pass-the-Hash attack?
A. To crack a password by brute-forcing its hash
B. To authenticate to a remote system using a stolen hash instead of a plaintext password
C. To create collisions in a hashing algorithm
D. To bypass multi-factor authentication

A

Answer:
B. To authenticate to a remote system using a stolen hash instead of a plaintext password

Explanation:

Correct Answer:

B: In a Pass-the-Hash attack, the attacker uses a stolen hash to authenticate to a remote system without needing the plaintext password.

Incorrect Answers:

A: The attacker does not need to crack the hash; they use the hash directly for authentication.

C: Creating collisions is associated with Birthday Attacks, not Pass-the-Hash attacks.

D: Pass-the-Hash attacks do not directly bypass multi-factor authentication; they exploit stolen hashes.

59
Q

Which of the following tools is commonly used to automate Pass-the-Hash attacks?
A. Wireshark
B. Mimikatz
C. Nmap
D. Metasploit

A

Answer:
B. Mimikatz

Explanation:

Correct Answer:

B: Mimikatz is a penetration testing tool used to automate the harvesting of hashes and the execution of Pass-the-Hash attacks.

Incorrect Answers:

A: Wireshark is a network protocol analyzer, not used for Pass-the-Hash attacks.

C: Nmap is a network scanning tool, not used for Pass-the-Hash attacks.

D: Metasploit is a penetration testing framework but is not specifically known for Pass-the-Hash attacks.

60
Q

What is the primary defense against Pass-the-Hash attacks? (Choose Two)
A. Using multi-factor authentication
B. Implementing key stretching
C. Ensuring all systems are patched and updated
D. Using shorter hash digests

A

Answer:
A. Using multi-factor authentication
C. Ensuring all systems are patched and updated

Explanation:

Correct Answers:

A: Multi-factor authentication adds an extra layer of security, making it harder for attackers to exploit stolen hashes.

C: Patching and updating systems reduces vulnerabilities that attackers could exploit to harvest hashes.

Incorrect Answers:

B: Key stretching is used to strengthen passwords, not directly defend against Pass-the-Hash attacks.

D: Shorter hash digests increase the risk of collisions and do not defend against Pass-the-Hash attacks.

61
Q

What is the main concept behind a Birthday Attack?
A. Exploiting weak passwords through brute force
B. Creating two different messages that produce the same hash digest (collision)
C. Harvesting hashes to impersonate users
D. Bypassing multi-factor authentication

A

Answer:
B. Creating two different messages that produce the same hash digest (collision)

Explanation:

Correct Answer:

B: A Birthday Attack exploits the probability of two different inputs producing the same hash digest (collision), based on the Birthday Paradox.

Incorrect Answers:

A: Brute-forcing weak passwords is unrelated to Birthday Attacks.

C: Harvesting hashes is associated with Pass-the-Hash attacks, not Birthday Attacks.

D: Birthday Attacks do not bypass multi-factor authentication; they exploit hash collisions.

62
Q

Which of the following techniques can mitigate the risk of Birthday Attacks?
A. Using shorter hash digests
B. Implementing salting
C. Using longer hash digests (e.g., SHA-256)
D. Limiting failed login attempts

A

Answer:
C. Using longer hash digests (e.g., SHA-256)

Explanation:

Correct Answer:

C: Longer hash digests (e.g., SHA-256) reduce the likelihood of collisions, making Birthday Attacks less effective.

Incorrect Answers:

A: Shorter hash digests increase the risk of collisions, making Birthday Attacks more likely.

B: Salting prevents rainbow table and brute-force attacks but does not directly mitigate Birthday Attacks.

D: Limiting failed login attempts prevents password guessing but does not address hash collisions.

63
Q

What is the purpose of key stretching in password security?
A. To create shorter, more manageable keys
B. To increase the time required to crack a password
C. To generate random salts for password hashing
D. To prevent replay attacks

A

Answer:
B. To increase the time required to crack a password

Explanation:

Correct Answer:

B: Key stretching applies a hash function multiple times to make brute-force attacks more time-consuming and computationally expensive.

Incorrect Answers:

A: Key stretching creates longer, more secure keys, not shorter ones.

C: Salting generates random data for password hashing, not key stretching.

D: Nonces prevent replay attacks, not key stretching.

64
Q

Which of the following is true about salting? (Choose Two)
A. It ensures the same password produces different hash outputs for different users.
B. It reduces the length of hash digests.
C. It prevents rainbow table attacks.
D. It is used to create collisions in hashing algorithms.

A

Answer:
A. It ensures the same password produces different hash outputs for different users
C. It prevents rainbow table attacks

Explanation:

Correct Answers:

A: Salting adds random data to passwords, ensuring the same password produces different hash outputs for different users.

C: Salting makes rainbow table attacks ineffective because each salt requires a unique precomputed table.

Incorrect Answers:

B: Salting does not reduce the length of hash digests; it adds randomness to the input.

D: Salting does not create collisions; it enhances password security.

65
Q

What is the primary purpose of a nonce in password-based authentication?
A. To create longer hash digests
B. To prevent replay attacks by ensuring unique authentication data
C. To reduce the risk of collisions in hashing algorithms
D. To automate the harvesting of hashes

A

Answer:
B. To prevent replay attacks by ensuring unique authentication data

Explanation:

Correct Answer:

B: A nonce (number used once) ensures that authentication data is unique for each session, preventing replay attacks.

Incorrect Answers:

A: Nonces do not create longer hash digests; they add uniqueness to authentication data.

C: Nonces do not reduce collisions; they prevent reuse of authentication data.

D: Nonces are not used to harvest hashes; they enhance security.

66
Q

Which of the following is a recommended practice to prevent password cracking attacks?
A. Using shorter hash digests
B. Allowing unlimited failed login attempts
C. Limiting failed login attempts to three before locking the account
D. Disabling multi-factor authentication

A

Answer:
C. Limiting failed login attempts to three before locking the account

Explanation:

Correct Answer:

C: Limiting failed login attempts deters attackers from guessing passwords by locking the account after a few incorrect attempts.

Incorrect Answers:

A: Shorter hash digests increase security risks, such as collisions.

B: Allowing unlimited failed login attempts makes it easier for attackers to guess passwords.

D: Disabling multi-factor authentication reduces security, making systems more vulnerable.

67
Q

A company uses the PBKDF2 algorithm with 1,000,000 iterations to stretch user passwords before storing them in the database. What is the primary reason for using such a high iteration count?

A. To make passwords shorter
B. To make password hashes harder to guess
C. To improve password recovery speed
D. To reduce the amount of space needed to store password hashes

A

Answer:
B. To make password hashes harder to guess

Explanation:

Correct: The main goal of key stretching, such as PBKDF2 with a high number of iterations, is to slow down attackers attempting to brute-force the password. The more iterations, the longer it takes to compute the hash, making it significantly more difficult for attackers to guess the password through brute-force or dictionary attacks.
Incorrect Options:
A: Key stretching doesn’t make passwords shorter; it makes them harder to crack.
C: Key stretching deliberately slows password verification (and any "recovery" that relies on it); it never speeds it up.
D: Key stretching increases computation, not storage. The derived key length is a separate PBKDF2 parameter and does not grow with the iteration count, so a 1,000,000-iteration hash takes exactly as much space as a 1,000-iteration one.

68
Q

In a password-based authentication system, a user’s password is hashed using bcrypt with a high work factor (e.g., 12). Which of the following would be the primary impact of increasing the work factor?

A. The password hash would be easier to guess.
B. The password verification process would take longer.
C. The user’s password would be stored in a smaller file.
D. The password would be encrypted rather than hashed.

A

Answer:
B. The password verification process would take longer.

Explanation:

Correct: bcrypt's work factor is a cost exponent: the password is processed for 2^(work factor) rounds, so a work factor of 12 means 4,096 rounds and each increment doubles the time. Verification takes longer for the legitimate server, but every brute-force guess costs the attacker the same amount, which is the intended trade-off.
Incorrect Options:
A: A higher work factor does not make the password easier to guess; it does the opposite, making it harder to crack.
C: A higher work factor increases computational cost, but it does not directly affect the file size where the password hash is stored.
D: Passwords should always be hashed, not encrypted. Hashing is a one-way function, unlike encryption, which can be reversed.

69
Q

Which of the following is true about key stretching and its relationship with security?

A. Key stretching is primarily used to speed up the password hashing process.
B. It increases the time and resources needed for an attacker to crack a password hash.
C. Key stretching is only effective for password encryption, not hashing.
D. Key stretching can be bypassed by attackers using rainbow tables.

A

Answer:
B. It increases the time and resources needed for an attacker to crack a password hash.

Explanation:

Correct: Key stretching is specifically designed to make password hashing slower and more resource-intensive. This increases the time and computational resources required for an attacker to perform brute-force or dictionary attacks on the hash.
Incorrect Options:
A: Key stretching is designed to slow down the process for attackers, not to speed it up.
C: Key stretching is a key-derivation technique applied to password hashes (and to encryption keys derived from passwords); it is not limited to "encryption", so C is false.
D: Rainbow tables are defeated by the per-user salt that PBKDF2, bcrypt and similar functions include; key stretching then makes every remaining guess expensive, so precomputing hashes is no shortcut.

70
Q

A developer implements a password hashing system using PBKDF2 with a salt and 10,000 iterations. Which of the following best describes the role of the salt in the key stretching process?

A. It makes the password hash unique even if two users have the same password.
B. It reduces the number of iterations needed to hash the password.
C. It speeds up the hashing process to make it more efficient.
D. It helps attackers guess the password faster if the salt is leaked.

A

Answer:
A. It makes the password hash unique even if two users have the same password.

Explanation:

Correct: A salt is a random value added to the password before hashing, ensuring that even if two users have the same password, their hashes will be different. This prevents attackers from using precomputed rainbow tables effectively.
Incorrect Options:
B: The salt doesn’t reduce the number of iterations; the iterations are independent of the salt.
C: The salt doesn’t speed up the process; it makes the hashing more secure by adding uniqueness.
D: Salts are not secrets; they are stored in the clear next to the hash, so a leaked salt changes nothing. The salt only stops precomputation across users: an attacker still has to run the full stretched hash for every guess against each salted hash.
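
The key-stretching and salting mechanics of the four cards above (PBKDF2 iterations, the bcrypt-style cost trade-off, and the per-user salt), as an added example that is not part of the original flashcards. It uses PBKDF2-HMAC-SHA256 from Python's standard library because bcrypt is not in the standard library; the stored-record format (`pbkdf2_sha256$iterations$salt$hash`) is an assumption of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example: PBKDF2-HMAC-SHA256 key stretching with a per-user salt.
# Stored record format (an assumption of this example):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>


def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Stretch `password` with a random 16-byte salt (or the one given) and return a
    self-describing record that stores the parameters alongside the hash."""
    if salt is None:
        salt = os.urandom(16)          # unique per user; stored in the clear, not secret
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same stretching with the stored salt and iteration count and compare
    in constant time. Whoever steals `stored` must do this much work per guess."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def derived_key_length(stored: str) -> int:
    """Length in bytes of the derived key: fixed by dklen, independent of iterations."""
    return len(bytes.fromhex(stored.split("$")[3]))


def cost_ratio(password: str, low: int, high: int) -> float:
    """Wall-clock cost of `high` iterations relative to `low`; roughly high/low. The
    defender pays this once per login, the attacker once per guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, low)
    t1 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)
```

Two calls with the same password produce different records because each gets its own salt, yet both verify; the derived key stays 32 bytes whatever the iteration count, and `cost_ratio` shows the time scaling the high-iteration setting buys.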

71
Q

Which of the following best describes hash harvesting in cybersecurity?

A. A technique where attackers collect password hashes over time to crack them later
B. A process of encrypting passwords before storing them
C. A method used to enhance password security by applying hash functions
D. A strategy used to store user passwords in plain text for easy retrieval

A

Answer: A. A technique where attackers collect password hashes over time to crack them later

Explanation:

A (Correct): Hash harvesting is when an attacker collects password hashes to crack them in the future. This method is common in data breaches or when attackers have access to databases or network traffic that exposes these hashes.
B (Incorrect): Encrypting passwords does not define hash harvesting. Hashing is different from encryption and is used for storing passwords securely.
C (Incorrect): Applying hash functions does not directly involve harvesting; it’s a method for securely storing passwords.
D (Incorrect): Storing passwords in plain text is a security flaw, not related to hash harvesting.

72
Q

Which statement is true about a domain controller?

A. It is a type of server that stores and manages user credentials and enforces security policies
B. It is a device responsible for monitoring network traffic
C. It is used to provide physical access control to buildings
D. It is a type of client machine that interacts with users directly

A

Answer: A. It is a type of server that stores and manages user credentials and enforces security policies

Explanation:

A (Correct): A domain controller is a server that is responsible for authenticating users and managing access control in a domain, including the storage of user credentials and enforcing security policies.
B (Incorrect): Monitoring network traffic is typically handled by network security appliances, not domain controllers.
C (Incorrect): Physical access control is handled by security systems, not a domain controller.
D (Incorrect): A domain controller is not a client machine; it is a server managing domain resources.

73
Q

What does domain trust in a Windows network environment refer to?

A. Allowing users in one domain to access resources in another domain
B. Securing physical access to domain controllers
C. Verifying user passwords within a single domain
D. Encrypting data stored within a domain

A

Answer: A. Allowing users in one domain to access resources in another domain

Explanation:

A (Correct): A domain trust lets users and systems from one domain access resources in another domain or forest. Trusts are established so resources can be shared across domains; they can be one-way or two-way, and transitive or non-transitive, which determines how far that access extends.
B (Incorrect): Physical access control to domain controllers is unrelated to domain trust. Domain trust deals with network and resource access.
C (Incorrect): Verifying user passwords within a domain is a task managed by the domain controller, not the trust process.
D (Incorrect): Data encryption within a domain does not define domain trust, which is about allowing access across domains.

74
Q

Which of the following is the primary purpose of a nonce in cybersecurity?

A. To ensure the confidentiality of data during transmission
B. To protect against replay attacks by ensuring each request is unique
C. To generate session keys for encrypting communication
D. To authenticate users before allowing access to the network

A

Answer: B. To protect against replay attacks by ensuring each request is unique

Explanation:

B (Correct): A nonce is an unpredictable, single-use value bound to each request. A captured request cannot be replayed later because its nonce has already been consumed, so the server rejects it.
A (Incorrect): Nonces do not provide confidentiality on their own. They may feed into encryption (for example as an IV or counter), but their defining role is uniqueness.
C (Incorrect): Nonces contribute to key derivation in protocols such as TLS (the client and server randoms), but they are not session keys and do not generate them by themselves.
D (Incorrect): Authentication of users is done using other mechanisms like usernames and passwords or certificates, not nonces.

75
Q

What is typically true about nonces used in requests like POST requests?

A. They are always generated by the server and included in every response
B. They are created once and used for the entire session
C. They are randomly generated for each request and prevent replay attacks
D. They are static values, fixed for each user during a session

A

Answer: C. They are randomly generated for each request and prevent replay attacks

Explanation:

C (Correct): Nonces are randomly generated for each request to ensure that the request is unique. This randomness is crucial for preventing attackers from capturing and replaying the request at a later time.
A (Incorrect): The server usually issues the nonce (for example embedded in the form or in a response header), and the client sends it back in its next request. It is not attached to every response, and some schemes let the client generate it, so "always" and "every response" are both wrong.
B (Incorrect): Nonces are not used for an entire session; they are unique for each individual request.
D (Incorrect): Nonces must be random and unique for each request. If they were static, attackers could predict them and exploit them.
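
The request-nonce scheme described in the two cards above, as an added example that is not part of the original flashcards: the server issues a fresh nonce, the client binds it to the request body with an HMAC, and the server rejects anything forged, stale or already seen. The shared HMAC key (for example a session key established at login) and the sample POST body are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added example: server-issued, single-use nonces protecting a POST request against
# replay. The client/server shared key is an assumption (e.g. a per-session key).


def sign_request(key: bytes, nonce: str, body: bytes) -> str:
    """Client side: bind the nonce to the request body with HMAC-SHA256."""
    return hmac.new(key, nonce.encode("ascii") + b"\n" + body, hashlib.sha256).hexdigest()


class NonceServer:
    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key = key
        self.ttl = ttl_seconds
        self.issued = {}        # nonce -> time it was handed out
        self.consumed = set()   # nonces already accepted once

    def issue_nonce(self, now: int) -> str:
        """Hand the client a fresh, unpredictable nonce (128 bits from the CSPRNG)."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return nonce

    def verify(self, body: bytes, nonce: str, tag: str, now: int) -> str:
        """Return 'ok' if the request is authentic, fresh and unused; otherwise the reason."""
        expected = sign_request(self.key, nonce, body)
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"            # body or nonce was altered in transit
        issued_at = self.issued.get(nonce)
        if issued_at is None:
            return "unknown-nonce"      # never issued by this server
        if now - issued_at > self.ttl:
            return "expired"            # too old, even if never used
        if nonce in self.consumed:
            return "replay"             # already accepted once
        self.consumed.add(nonce)
        return "ok"


def demo() -> tuple:
    """Constructed exchange: one legitimate POST, a captured replay of it, the captured
    nonce/tag reattached to a modified body, and a nonce presented after its TTL."""
    key = secrets.token_bytes(32)
    server = NonceServer(key)
    nonce = server.issue_nonce(now=1_000)
    body = b"POST /transfer amount=100&to=acct42"       # constructed sample request
    tag = sign_request(key, nonce, body)
    first = server.verify(body, nonce, tag, now=1_001)
    replay = server.verify(body, nonce, tag, now=1_002)
    forged = server.verify(b"POST /transfer amount=9999&to=acct99", nonce, tag, now=1_002)
    stale_nonce = server.issue_nonce(now=1_000)
    stale = server.verify(body, stale_nonce, sign_request(key, stale_nonce, body), now=2_000)
    return first, replay, forged, stale
```

The order of checks matters: the MAC is verified before the nonce bookkeeping so that an attacker cannot burn or probe nonces with unauthenticated requests, and the consumed set is only updated once a request has passed every check.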

76
Q

A system administrator is tasked with verifying the status of an SSL/TLS certificate manually. The administrator downloads a file from the certificate authority’s server that lists all revoked certificates.

What method is being used in this scenario?
A. OCSP
B. CRL
C. OCSP Stapling
D. Key Recovery

A

Correct Answer: B. CRL
Explanation:

Correct: A CRL (Certificate Revocation List) is a CA-signed list of revoked certificate serial numbers, published at the distribution point named in the certificate. The administrator fetches the whole list and looks the certificate's serial number up in it.
Incorrect:
A. OCSP checks certificate status in real time and doesn’t require downloading a list.
C. OCSP Stapling involves the server providing the OCSP response directly to the client.
D. Key Recovery relates to backing up encryption keys, not certificate revocation.

77
Q

A user visits a website, and their browser sends a real-time query to a certificate authority to confirm the validity of the server’s SSL/TLS certificate.

What method is being used?
A. CRL
B. OCSP
C. OCSP Stapling
D. Certificate Pinning

A

Correct Answer: B. OCSP
Explanation:

Correct: OCSP (Online Certificate Status Protocol) sends real-time requests to the CA’s OCSP server for certificate verification.
Incorrect:
A. CRL is a list-based method that does not involve real-time requests.
C. OCSP Stapling is where the server provides the OCSP response itself, not the client.
D. Certificate Pinning is unrelated to checking the revocation status.

78
Q

You visit a website, and your browser does not directly contact the OCSP server to check the certificate’s status. Instead, the web server provides the OCSP response during the TLS handshake.

Which method is being used?
A. CRL
B. OCSP
C. OCSP Stapling
D. Root of Trust

A

Correct Answer: C. OCSP Stapling
Explanation:

Correct: With OCSP Stapling the web server periodically fetches a signed, time-stamped OCSP response from the CA and "staples" it to the TLS handshake; the client verifies the CA's signature on that response without contacting the responder itself.
Incorrect:
A. CRL involves manually downloading a list of revoked certificates.
B. OCSP requires the client to query the OCSP server directly.
D. Root of Trust refers to the trust chain in PKI, not revocation methods.

79
Q

Which of the following statements is true about the OCSP server?
A. It is a standalone server separate from the CA’s infrastructure.
B. It is a service provided by the CA’s server.
C. It replaces the need for a CA.
D. It is only used with CRLs.

A

Correct Answer: B. It is a service provided by the CA’s server.
Explanation:

Correct: The OCSP responder is a service operated by the CA (or by a party on its behalf) that answers real-time status queries for certificates that CA issued, signing each response.
Incorrect:
A. OCSP is a service, not a product separate from the CA: it may be hosted on its own machines, but it is part of the CA's infrastructure and answers only for that CA's certificates.
C. OCSP does not replace a CA; it is part of the CA’s infrastructure.
D. OCSP operates independently of CRLs, which are list-based.

80
Q

A web application is experiencing delays because every time a client connects, the browser downloads a list of all revoked certificates. The administrator wants a more efficient way to verify certificate status in real time.

What should the administrator implement?
A. Continue using CRLs.
B. Switch to OCSP.
C. Use OCSP Stapling.
D. Remove certificate validation entirely.

A

Correct Answer: C. Use OCSP Stapling.
Explanation:

Correct: OCSP Stapling allows the server to provide a cached OCSP response, reducing the need for client-server communication and improving efficiency.
Incorrect:
A. CRLs are inefficient because they involve downloading large lists.
B. OCSP improves efficiency but still requires real-time queries from the client.
D. Removing certificate validation compromises security.
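
The CRL check described in cards 76 to 80, as an added example that is not part of the original flashcards. It uses the third-party `cryptography` package (assumed installed) to build a throwaway internal CA, issue two certificates, publish a CRL revoking one, and then perform the checks a relying party must make before trusting the list: issuer match, CA signature, freshness (nextUpdate), and only then the serial lookup. The CA name and hostnames are placeholders; a real OCSP query would need a live responder and is not shown.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Added example: CRL-based revocation checking with a self-managed CA built in memory.


def _now() -> dt.datetime:
    return dt.datetime.now(dt.timezone.utc)


def make_ca(name: str = "Example Internal CA"):
    """Self-signed CA certificate plus its private key (placeholder name)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = _now()
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname: str):
    """End-entity certificate signed by the CA (hostname is a placeholder)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _now()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials, validity_hours: int = 24):
    """CA-signed CRL listing the given serial numbers; valid until nextUpdate."""
    now = _now()
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(now)
               .next_update(now + dt.timedelta(hours=validity_hours)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def crl_status(cert, crl, ca_cert, now: dt.datetime = None) -> str:
    """'good' or 'revoked', or the reason the CRL itself must not be relied on."""
    now = now or _now()
    if crl.issuer != ca_cert.subject:
        return "crl-wrong-issuer"                 # a list from some other CA proves nothing
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-bad-signature"                # tampered or forged list
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:                       # older cryptography: naive UTC datetime
        next_update = crl.next_update.replace(tzinfo=dt.timezone.utc)
    if now > next_update:
        return "crl-stale"                        # an expired list may be missing revocations
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo() -> tuple:
    ca_key, ca_cert = make_ca()
    kept = issue_leaf(ca_key, ca_cert, "portal.internal.example.com")
    compromised = issue_leaf(ca_key, ca_cert, "old.internal.example.com")
    crl = build_crl(ca_key, ca_cert, [compromised.serial_number])
    other_key, other_ca = make_ca("Some Other CA")
    foreign_crl = build_crl(other_key, other_ca, [])
    return (crl_status(kept, crl, ca_cert),
            crl_status(compromised, crl, ca_cert),
            crl_status(kept, crl, ca_cert, now=_now() + dt.timedelta(days=2)),
            crl_status(kept, foreign_crl, ca_cert))
```

The freshness and issuer checks are what separate a real revocation check from a bare list lookup: an attacker who can feed the client an old or unrelated CRL would otherwise get a "good" answer for a revoked certificate.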

81
Q

When does the browser receive the pinned key?
A) During the TLS handshake.
B) Before the TLS handshake, via an HTTP header.
C) After the TLS handshake, via a separate encrypted message.
D) The pinned key is hardcoded into the browser and never sent by the server.

A

Correct Answer: B) Before the TLS handshake, via an HTTP header.
Explanation: With HTTP Public Key Pinning (HPKP) the server sends the pin in an HTTP response header (Public-Key-Pins) over an already established HTTPS connection. The browser caches it (trust on first use) and, on later visits, has the pin available before and during the TLS handshake to check the server's key. Note that HPKP is deprecated and major browsers no longer honour the header; pinning today is mostly done in native applications or through pins built into the client.

82
Q

What is the function of the pinned key during the TLS handshake?
A) To encrypt data between the browser and the server.
B) To ensure the browser only trusts a specific public key for the website.
C) To speed up the TLS handshake process.
D) To hide the website’s IP address from attackers.

A

Correct Answer: B) To ensure the browser only trusts a specific public key for the website.
Explanation: The pinned key ensures that the browser only accepts a specific public key (or one of a small set) for the website, regardless of which CA signed the certificate. During the TLS handshake the browser hashes the public key of each certificate in the presented chain and compares the results against its stored pins. If one matches, the connection proceeds; if none does, the browser refuses the connection outright, as a hard failure rather than a warning, since a valid chain with an unexpected key is exactly what a mis-issued certificate looks like.
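
The pin lifecycle from the two cards above (header received on one visit, checked on the next), as an added example that is not part of the original flashcards. It mirrors the HPKP rules: a pin is the SHA-256 of the DER SubjectPublicKeyInfo, a header with fewer than two pins (no backup) is ignored, and an expired pin set falls back to ordinary CA validation. The "SPKI" byte strings are constructed placeholders standing in for real DER keys, and HPKP itself is no longer honoured by major browsers.

```python
import base64
import hashlib
import re

# Added example: the pin check a browser performed under HTTP Public Key Pinning.
# The SPKI byte strings used below are constructed placeholders, not real keys.


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)). Hashing the key rather
    than the certificate lets the pin survive renewal as long as the key pair is kept."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str, now: int):
    """Parse a Public-Key-Pins response header into (pins, expiry, include_subdomains).
    Returns None when the header must be ignored: no max-age, or fewer than two pins
    (a backup pin is required so that a key rollover cannot lock users out)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', value))
    max_age = re.search(r"max-age=(\d+)", value)
    if max_age is None or len(pins) < 2:
        return None
    return pins, now + int(max_age.group(1)), "includeSubDomains" in value


def chain_allowed(stored, chain_spkis, now: int) -> bool:
    """On a later TLS handshake: allow the connection only if the stored pins are still
    fresh and at least one SPKI in the presented chain matches a pin. A mismatch is a
    hard failure; no stored pins, or expired pins, means ordinary CA validation applies."""
    if stored is None:
        return True
    pins, expiry, _ = stored
    if now > expiry:
        return True
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def demo() -> tuple:
    leaf = b"constructed-spki-leaf-key-2024"
    backup = b"constructed-spki-backup-key-kept-offline"
    attacker = b"constructed-spki-key-from-a-mis-issued-cert"
    header = (f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; '
              "max-age=5184000; includeSubDomains")
    stored = parse_pkp_header(header, now=1_000)
    return (
        chain_allowed(stored, [leaf, b"intermediate", b"root"], now=2_000),   # genuine site
        chain_allowed(stored, [attacker, b"other-intermediate"], now=2_000),  # mis-issued cert
        chain_allowed(stored, [backup], now=2_000),                           # key rollover
        chain_allowed(stored, [attacker], now=1_000 + 5_184_001),             # pins expired
        parse_pkp_header(f'pin-sha256="{spki_pin(leaf)}"; max-age=100', now=0) is None,
    )
```

The second case is the one pinning exists for: the attacker's chain would pass normal CA validation, but no key in it matches a pin, so the connection is refused. The backup pin is what makes the third case succeed after a planned key change.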

83
Q

You are the IT administrator for a company that is launching two new services:

A public e-commerce website (https://shop.example.com).

An internal employee portal (https://portal.internal.example.com).

Your team needs to decide whether to use a public CA or a self-managed CA for each service.

Question:
Which type of CA should you use for each service, and why?

Answer Options:
A) Use a public CA for both services because it’s easier to manage.
B) Use a self-managed CA for both services to save costs.
C) Use a public CA for the e-commerce website and a self-managed CA for the employee portal.
D) Use a self-managed CA for the e-commerce website and a public CA for the employee portal.

A

Correct Answer: C) Use a public CA for the e-commerce website and a self-managed CA for the employee portal.

Explanation:
Public CA for the E-Commerce Website:
The e-commerce website is public-facing and needs to be trusted by all users’ browsers. A public CA (like Let’s Encrypt or DigiCert) issues certificates that are globally trusted, ensuring that users don’t see security warnings when visiting the site. Public CAs also handle domain validation, which is essential for public websites.

Self-Managed CA for the Employee Portal:
The employee portal is an internal service, accessible only within the company’s private network. A self-managed CA is ideal here because:

It allows the company to issue as many certificates as it needs without a per-certificate fee (the cost is in operating and protecting the CA itself).

The company has full control over certificate issuance and policies.

Since the portal is internal, there's no need for global trust. The self-managed CA's root certificate is pushed to employees' devices (for example through Group Policy or MDM) so their browsers trust every certificate it issues.

84
Q

Your company uses a self-managed CA to issue certificates for internal services, such as the HR system (https://hr.internal.example.com). Employees report that they are seeing security warnings when accessing the HR system from their browsers.

Question:
What is the most likely cause of these security warnings, and how can you resolve the issue?

Answer Options:
A) The HR system’s certificate is expired, and you need to renew it.
B) The self-managed CA’s root certificate is not trusted by the employees’ browsers.
C) The HR system is using a certificate issued by a public CA, which is incompatible with internal systems.
D) The HR system’s certificate has a weak encryption key, and you need to regenerate it with a stronger key.

A

Correct Answer: B) The self-managed CA’s root certificate is not trusted by the employees’ browsers.

Explanation:
Why B is Correct:
Certificates issued by a self-managed CA are not trusted by default by browsers or operating systems. For the HR system's certificate to be trusted, the self-managed CA's root certificate must be installed in the trusted root store of every employee device, normally distributed through Group Policy, MDM or configuration management rather than by hand. A device that missed that rollout shows exactly this warning. This is the most common issue when using self-managed CAs for internal services.

Why the Other Options Are Incorrect:

A) Expired Certificate: While an expired certificate can cause warnings, the scenario specifically mentions a self-managed CA, which points to a trust issue rather than an expiration issue.

C) Public CA Certificate: If the HR system were using a certificate from a public CA, it would be trusted by default, and there would be no warnings. The issue is specific to the self-managed CA.

D) Weak Encryption Key: Browsers can reject certificates with weak keys, but that produces a different error from an untrusted issuer, and nothing in the scenario points to the key. The problem here is trust, not key strength.

85
Q

Your company is deploying a new IoT (Internet of Things) system for monitoring factory equipment. The IoT devices communicate with a central server over a private network. You need to secure the communication using TLS certificates.

Question:
Which type of CA should you use to issue certificates for the IoT devices, and why?

Answer Options:
A) Use a public CA because it’s easier to manage and widely trusted.
B) Use a self-managed CA because the devices are on a private network, and you need full control over certificate issuance.
C) Use a public CA because IoT devices require global trust.
D) Use a self-managed CA because it’s cheaper, even though it’s less secure.

A

Correct Answer: B) Use a self-managed CA because the devices are on a private network, and you need full control over certificate issuance.

Explanation:
Why B is Correct:
The IoT devices are on a private network, so there’s no need for global trust. A self-managed CA is ideal because:

It allows the company to issue certificates for every device without a per-certificate fee (the cost is in operating and protecting the CA itself).

The company has full control over certificate policies, such as validity periods and key usage.

The self-managed CA’s root certificate can be installed on the IoT devices and the central server, ensuring trust within the private network.

Why the Other Options Are Incorrect:

A) Public CA: While a public CA is easier to manage, it’s unnecessary for private networks and would incur additional costs.

C) Global Trust: IoT devices on a private network don’t require global trust, so a public CA is not needed.

D) Less Secure: A self-managed CA is not inherently less secure. It gives full control over security policies, which makes it a good choice for private networks, provided the CA's private key is protected (for example an offline root or an HSM), since that key is what the whole deployment's trust rests on.

86
Q

You are the IT administrator for a company that uses encryption to protect sensitive employee data. An employee accidentally deletes their encryption key and can no longer access important files. The company has a key recovery agent in place.

Question:
What should you do to restore access to the encrypted files?

Answer Options:
A) Ask the employee to create a new encryption key and re-encrypt the files.
B) Use the key recovery agent to retrieve the lost encryption key and decrypt the files.
C) Format the employee’s computer and restore the files from an unencrypted backup.
D) Tell the employee the files are permanently lost because the key is gone.

A

Correct Answer: B) Use the key recovery agent to retrieve the lost encryption key and decrypt the files.

Explanation:
Why B is Correct:
A key recovery agent exists precisely for the case where a user's key is lost. The agent holds, or can retrieve from key escrow, the key material needed to decrypt the data, so the files can be recovered without any loss.

Why the Other Options Are Incorrect:

A) Create a New Key: Creating a new key won’t help because the files are already encrypted with the lost key. The new key can’t decrypt the old files.

C) Format and Restore: Formatting the computer and restoring from an unencrypted backup would result in data loss if the backup is outdated or doesn’t exist. It’s also unnecessary when a key recovery agent can solve the problem.

D) Files Are Lost: This is incorrect because the key recovery agent exists to prevent permanent data loss in such situations.

87
Q

A senior employee leaves the company unexpectedly. They used encryption to protect sensitive project files, and the encryption key was stored on their personal device, which they took with them. The company has a key recovery agent in place.

Question:
How can the company regain access to the encrypted project files?

Answer Options:
A) Contact the former employee and ask them to return the encryption key.
B) Use the key recovery agent to recover the encryption key and access the files.
C) Hire a hacker to break the encryption and recover the files.
D) Abandon the project files and start over.

A

Correct Answer: B) Use the key recovery agent to recover the encryption key and access the files.

Explanation:
Why B is Correct:
The key recovery agent holds, or can retrieve from key escrow, the key material needed to decrypt the files. This ensures the company can access its data without relying on the former employee.

Why the Other Options Are Incorrect:

A) Contact the Employee: While this might work, it’s not reliable. The former employee may refuse to cooperate or may no longer have the key.

C) Hire a Hacker: Not a viable path. Modern encryption cannot be broken without the key in any useful timeframe, and engaging an outsider to attack company systems creates its own legal and security problems.

D) Abandon the Files: This is unnecessary and wasteful, especially when a key recovery agent can solve the problem.

88
Q

Your company is implementing encryption for all sensitive data. The management wants to ensure that no data is permanently lost if an encryption key is lost or an employee leaves the company.

Question:
What is the best way to prevent data loss in this situation?

Answer Options:
A) Rely on employees to back up their own encryption keys.
B) Use a key recovery agent to securely store and recover encryption keys when needed.
C) Avoid encryption altogether to prevent key loss.
D) Store all encryption keys in a public cloud storage service.

A

Correct Answer: B) Use a key recovery agent to securely store and recover encryption keys when needed.

Explanation:
Why B is Correct:
A key recovery agent provides a secure and reliable way to back up and recover encryption keys. This ensures that data can always be accessed, even if an employee loses their key or leaves the company.

Why the Other Options Are Incorrect:

A) Rely on Employees: This is risky because employees might forget to back up their keys or lose them, leading to permanent data loss.

C) Avoid Encryption: This is not a solution. Encryption is essential for protecting sensitive data, and avoiding it would leave the company vulnerable to breaches.

D) Public Cloud Storage: Storing encryption keys in a public cloud service is insecure and could lead to unauthorized access. A key recovery agent uses secure, controlled methods to store and recover keys.

89
Q

What is the primary purpose of a blockchain? (Choose Two)
A. To create a centralized database for financial transactions
B. To serve as a shared immutable ledger for recording transactions
C. To track assets and build trust in a decentralized network
D. To allow anonymous users to alter transaction records

A

Answer:
B. To serve as a shared immutable ledger for recording transactions
C. To track assets and build trust in a decentralized network

Explanation:

Correct:

B: A blockchain is a shared immutable ledger that records transactions in a secure and transparent manner.

C: Blockchain technology is used to track assets and build trust in a decentralized network, eliminating the need for central authorities.

Incorrect:

A: Blockchain is decentralized, not centralized.

D: Altering a recorded transaction changes its block's hash and breaks the link from every later block, which the rest of the network rejects; this is what makes the ledger effectively immutable.

90
Q

Which of the following are components of a block in a blockchain? (Choose Three)
A. Previous block’s hash
B. Timestamp
C. Root transactions (hashes of individual transactions)
D. Centralized authority’s signature

A

Answer:
A. Previous block’s hash
B. Timestamp
C. Root transactions (hashes of individual transactions)

Explanation:

Correct:

A: Each block header carries the hash of the previous block's header, linking the blocks into a chain in chronological order.

B: The timestamp records when the block was created; blocks are not modified after that.

C: "Root transactions" refers to the Merkle root: individual transactions are hashed, then those hashes are pairwise hashed up a tree to a single root stored in the block header, so any change to any transaction changes the root.

Incorrect:

D: Blockchain is decentralized and does not rely on a centralized authority.

91
Q

What is a key feature of blockchain technology that ensures data integrity?
A. Decentralization
B. Immutable ledger
C. Public ledger
D. Smart contracts

A

Answer:
B. Immutable ledger

Explanation:

Correct:

B: An immutable ledger ensures that once data is recorded, it cannot be altered or deleted, reinforcing trust and data integrity.

Incorrect:

A: Decentralization eliminates the need for central authorities but does not directly ensure data integrity.

C: A public ledger is a record-keeping system but does not guarantee immutability.

D: Smart contracts automate processes but are not directly related to data integrity.
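
The block structure from card 90 (previous hash, timestamp, Merkle root) and the integrity property from card 91, as an added example that is not part of the original flashcards. It builds a small chain from constructed transactions, then edits a past transaction, first naively and then with the block's own hash recomputed, to show that the link to the next block still exposes the change. The transactions, timestamps and header layout are assumptions of this example.

```python
import hashlib
import json

# Added example: a minimal hash-linked ledger. Transactions and timestamps are
# constructed sample data; the header format is an assumption of this example.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tx_hash(tx: dict) -> str:
    """Canonical JSON so the same transaction always hashes the same way."""
    return sha256_hex(json.dumps(tx, sort_keys=True, separators=(",", ":")).encode())


def merkle_root(leaf_hashes) -> str:
    """Pairwise-hash the leaves up to a single root; an odd leaf is paired with itself."""
    level = list(leaf_hashes) or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


class Block:
    def __init__(self, index: int, prev_hash: str, transactions: list, timestamp: int):
        self.index = index
        self.prev_hash = prev_hash            # link to the previous block's header hash
        self.transactions = [dict(t) for t in transactions]
        self.timestamp = timestamp            # when the block was created
        self.merkle_root = merkle_root([tx_hash(t) for t in self.transactions])
        self.hash = self.header_hash()

    def header_hash(self) -> str:
        header = f"{self.index}|{self.prev_hash}|{self.merkle_root}|{self.timestamp}"
        return sha256_hex(header.encode())


def build_chain(batches, t0: int = 1_700_000_000) -> list:
    chain = [Block(0, "0" * 64, [], t0)]                      # genesis block
    for i, txs in enumerate(batches, start=1):
        chain.append(Block(i, chain[-1].hash, txs, t0 + 600 * i))
    return chain


def validate_chain(chain) -> bool:
    """Every block must match its own Merkle root and header hash, and point at the
    hash of the block before it. Editing any past transaction breaks at least one of
    these for every block from that point onward."""
    for i, block in enumerate(chain):
        if block.merkle_root != merkle_root([tx_hash(t) for t in block.transactions]):
            return False
        if block.hash != block.header_hash():
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash:
            return False
    return True


def demo() -> tuple:
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],
        [{"from": "bob", "to": "carol", "amount": 2}, {"from": "carol", "to": "dave", "amount": 1}],
        [{"from": "dave", "to": "alice", "amount": 1}],
    ])
    intact = validate_chain(chain)
    chain[1].transactions[0]["amount"] = 500                 # quietly rewrite history
    edited = validate_chain(chain)                            # Merkle root no longer matches
    chain[1].merkle_root = merkle_root([tx_hash(t) for t in chain[1].transactions])
    chain[1].hash = chain[1].header_hash()                   # attacker "repairs" block 1
    relinked = validate_chain(chain)                          # block 2 still names the old hash
    return intact, edited, relinked
```

To make the edit stick, the attacker would have to recompute every block after the altered one, and in a real network also outpace the honest participants who hold the original chain, which is the practical basis of the "immutable" claim.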

92
Q

Which of the following are applications of blockchain technology? (Choose Three)
A. Supply chain management
B. Smart contracts
C. Centralized banking systems
D. Cryptocurrencies

A

Answer:
A. Supply chain management
B. Smart contracts
D. Cryptocurrencies

Explanation:

Correct:

A: Blockchain enhances transparency and traceability in supply chains.

B: Smart contracts automate processes and execute actions when conditions are met.

D: Cryptocurrencies like Bitcoin are built on blockchain technology.

Incorrect:

C: A centralized banking system is a ledger controlled by one institution; blockchain's value is the opposite, a ledger that no single party controls, so it is not an application of the technology.

93
Q

What is the role of a public ledger in blockchain technology?
A. To allow anonymous users to modify transaction records
B. To maintain a secure and anonymous record of transactions
C. To centralize control over cryptocurrency balances
D. To eliminate the need for peer-to-peer networks

A

Answer:
B. To maintain a secure and anonymous record of transactions

Explanation:

Correct:

B: A public ledger records every genuine transaction openly and verifiably, while participants appear only as pseudonymous addresses rather than real identities; the record is public, the identities behind it are not directly exposed.

Incorrect:

A: Recorded transactions cannot be modified without breaking the hash chain, which the network detects and rejects.

C: Blockchain is decentralized and does not centralize control.

D: Blockchain relies on peer-to-peer networks for decentralization.

94
Q

What are the benefits of using smart contracts in blockchain technology? (Choose Two)
A. They require intermediaries to execute actions
B. They are transparent and tamper-proof
C. They reduce the risk of fraud and associated costs
D. They allow for centralized control over transactions

A

Answer:
B. They are transparent and tamper-proof
C. They reduce the risk of fraud and associated costs

Explanation:

Correct:

B: Smart contracts are transparent and tamper-proof because they are written in code and executed automatically.

C: Smart contracts reduce fraud and costs by eliminating intermediaries and automating processes.

Incorrect:

A: Smart contracts do not require intermediaries.

D: Smart contracts operate in a decentralized environment.

95
Q

What is a permissioned blockchain, and how is it used?
A. A blockchain that allows anyone to join and participate
B. A blockchain used for business transactions with restricted access
C. A blockchain that eliminates the need for transparency
D. A blockchain that relies on centralized authorities

A

Answer:
B. A blockchain used for business transactions with restricted access

Explanation:

Correct:

B: A permissioned blockchain is used for business transactions and promotes trust and transparency with restricted access.

Incorrect:

A: Permissioned blockchains have restricted access, unlike public blockchains.

C: Permissioned blockchains still maintain transparency.

D: Permissioned blockchains are decentralized but with controlled access.

96
Q

How does blockchain technology enhance supply chain management? (Choose Two)
A. By centralizing control over product distribution
B. By providing immutable records of product origin and handling
C. By ensuring compliance and quality control
D. By eliminating the need for transparency

A

Answer:
B. By providing immutable records of product origin and handling
C. By ensuring compliance and quality control

Explanation:

Correct:

B: Blockchain provides immutable records, ensuring transparency and traceability in the supply chain.

C: Blockchain ensures compliance and quality control by maintaining accurate and unalterable records.

Incorrect:

A: Blockchain is decentralized and does not centralize control.

D: Blockchain enhances transparency, not eliminates it.

97
Q

What is the significance of decentralization in blockchain technology?
A. It allows for centralized control over transactions
B. It eliminates the need for peer-to-peer networks
C. It empowers peer-to-peer networks and removes central authorities
D. It increases the risk of fraud and tampering

A

Answer:
C. It empowers peer-to-peer networks and removes central authorities

Explanation:

Correct:

C: Decentralization eliminates the need for central authorities and empowers peer-to-peer networks.

Incorrect:

A: Decentralization removes centralized control.

B: Decentralization relies on peer-to-peer networks.

D: Decentralization reduces the risk of fraud and tampering.

98
Q

Which of the following industries can benefit from blockchain technology? (Choose Three)
A. Financial services
B. Supply chain management
C. Centralized voting systems
D. Intellectual property protection

A

Answer:
A. Financial services
B. Supply chain management
D. Intellectual property protection

Explanation:

Correct:

A: Blockchain is widely used in financial services, especially for cryptocurrencies.

B: Blockchain enhances transparency and traceability in supply chains.

D: Blockchain can protect intellectual property by maintaining immutable records.

Incorrect:

C: Blockchain is used for decentralized voting systems, not centralized ones.

99
Q

What is the primary purpose of Public Key Infrastructure (PKI)? (Choose Two)
A. To centralize control over encryption keys
B. To facilitate secure data transfer and authentication
C. To manage digital certificates and cryptographic keys
D. To eliminate the need for asymmetric encryption

A

Answer:
B. To facilitate secure data transfer and authentication
C. To manage digital certificates and cryptographic keys

Explanation:

Correct:

B: PKI enables secure data transfer and authentication through the use of digital certificates and cryptographic keys.

C: PKI manages the creation, validation, and distribution of digital certificates and cryptographic keys.

Incorrect:

A: PKI centralizes trust in certificate authorities, not control of keys: each party generates and keeps its own private key, and the CA only certifies the matching public key.

D: PKI relies on asymmetric encryption as a core component.

100
Q

Which of the following are components of PKI? (Choose Three)
A. Hardware and software
B. Symmetric encryption algorithms
C. Policies and procedures
D. Certificate authorities

A

Answer:
A. Hardware and software
C. Policies and procedures
D. Certificate authorities

Explanation:

Correct:

A: PKI involves hardware and software to manage keys and certificates.

C: Policies and procedures are essential for governing PKI operations.

D: Certificate authorities (CAs) issue and validate digital certificates.

Incorrect:

B: PKI is based on asymmetric encryption, not symmetric encryption.

101
Q

What role does a certificate authority (CA) play in PKI?
A. It generates symmetric encryption keys for secure communication
B. It issues and validates digital certificates for public keys
C. It stores private keys in an escrow system
D. It eliminates the need for public key cryptography

A

Answer:
B. It issues and validates digital certificates for public keys

Explanation:

Correct:

B: Certificate authorities issue and validate digital certificates, ensuring the authenticity of public keys.

Incorrect:

A: CAs do not generate symmetric keys; they manage public key certificates.

C: Key escrow is a separate component, not the primary role of a CA.

D: CAs rely on public key cryptography to function.

102
Q

What is the purpose of key escrow in PKI?
A. To eliminate the need for certificate authorities
B. To securely store cryptographic keys for retrieval in case of loss
C. To generate symmetric encryption keys for bulk data transfer
D. To replace public key cryptography with symmetric encryption

A

Answer:
B. To securely store cryptographic keys for retrieval in case of loss

Explanation:

Correct:

B: Key escrow stores cryptographic keys in a secure third-party location, allowing retrieval in cases of key loss or legal investigations.

Incorrect:

A: Key escrow does not eliminate the need for CAs.

C: Key escrow does not generate symmetric keys.

D: Key escrow complements public key cryptography; it does not replace it.

103
Q

Which of the following are benefits of using PKI? (Choose Two)
A. Centralized control over encryption keys
B. Confidentiality through encrypted communication
C. Authentication of server identities
D. Elimination of the need for digital certificates

A

Answer:
B. Confidentiality through encrypted communication
C. Authentication of server identities

Explanation:

Correct:

B: PKI ensures confidentiality by encrypting data using shared secret keys.

C: PKI authenticates server identities using private keys and digital certificates.

Incorrect:

A: PKI is decentralized and does not centralize control.

D: Digital certificates are a core component of PKI.

104
Q

What is the difference between Public Key Infrastructure (PKI) and public key cryptography?
A. PKI refers to the encryption process, while public key cryptography refers to key management
B. PKI encompasses the entire system for managing keys and certificates, while public key cryptography refers only to the encryption process
C. PKI eliminates the need for public key cryptography
D. PKI is used for symmetric encryption, while public key cryptography is used for asymmetric encryption

A

Answer:
B. PKI encompasses the entire system for managing keys and certificates, while public key cryptography refers only to the encryption process

Explanation:

Correct:

B: PKI includes key management, policies, and trust systems, while public key cryptography focuses solely on encryption and decryption.

Incorrect:

A: This is the opposite of the correct relationship.

C: PKI relies on public key cryptography.

D: PKI uses asymmetric encryption, not symmetric encryption.

105
Q

What is the purpose of the shared secret key in PKI?
A. To encrypt data using asymmetric encryption
B. To establish a secure symmetric encryption tunnel
C. To replace the need for digital certificates
D. To eliminate the role of certificate authorities

A

Answer:
B. To establish a secure symmetric encryption tunnel

Explanation:

Correct:

B: The shared secret key is used for symmetric encryption (e.g., AES) to create a secure tunnel for data transfer.

Incorrect:

A: The shared secret key is used for symmetric encryption, not asymmetric encryption.

C: Digital certificates are still required to establish trust.

D: Certificate authorities are essential for issuing and validating certificates.

106
Q

What is a potential security concern with key escrow?
A. It eliminates the need for encryption
B. It centralizes control over cryptographic keys
C. Malicious actors could gain access to escrowed keys
D. It replaces the need for certificate authorities

A

Answer:
C. Malicious actors could gain access to escrowed keys

Explanation:

Correct:

C: If escrowed keys are compromised, malicious actors could decrypt sensitive data.

Incorrect:

A: Key escrow does not eliminate encryption; it ensures access to encrypted data.

B: Key escrow does not centralize control; it stores keys securely.

D: Key escrow does not replace the need for CAs.

107
Q

Which of the following are steps in establishing a secure HTTPS connection using PKI? (Choose Three)
A. The web browser contacts a certificate authority for the server’s public key
B. The web server generates a symmetric encryption key
C. The shared secret key is encrypted using the server’s public key
D. The web server decrypts the shared secret key using its private key

A

Answer:
A. The web browser contacts a certificate authority for the server’s public key
C. The shared secret key is encrypted using the server’s public key
D. The web server decrypts the shared secret key using its private key

Explanation:

Correct:

A: The browser retrieves the server’s public key from a CA.

C: The shared secret key is encrypted with the server’s public key for secure transmission.

D: The server decrypts the shared secret key using its private key.

Incorrect:

B: The shared secret key is generated by the browser, not the server.

108
Q

What visual indicator in a web browser confirms a secure HTTPS connection?
A. A green address bar
B. A padlock icon
C. A warning message
D. A red exclamation mark

A

Answer:
B. A padlock icon

Explanation:

Correct:

B: A padlock icon indicates a secure HTTPS connection.

Incorrect:

A: A green address bar is not a standard indicator for HTTPS.

C: A warning message indicates an insecure connection.

D: A red exclamation mark typically indicates an error or warning.

109
Q

What is the primary purpose of a digital certificate?
A. To encrypt data using symmetric encryption
B. To bind a public key with a user’s identity
C. To eliminate the need for certificate authorities
D. To replace the Root of Trust

A

Answer:
B. To bind a public key with a user’s identity

Explanation:

Correct:

B: A digital certificate binds a public key to the identity of a user, device, or server, ensuring authenticity.

Incorrect:

A: Digital certificates are used for asymmetric encryption, not symmetric encryption.

C: Certificate authorities are essential for issuing and validating digital certificates.

D: The Root of Trust is a foundational concept in digital certificates and cannot be replaced.

110
Q

Which of the following are components of a digital certificate? (Choose Three)
A. Owner’s name and organization
B. Public key
C. Certificate authority’s digital signature
D. Symmetric encryption key

A

Answer:
A. Owner’s name and organization
B. Public key
C. Certificate authority’s digital signature

Explanation:

Correct:

A: Digital certificates contain the owner’s identifying information.

B: The public key is included in the certificate.

C: The certificate authority’s digital signature validates the certificate.

Incorrect:

D: Digital certificates do not include symmetric encryption keys.

111
Q

What is the advantage of using a wildcard certificate?
A. It allows multiple subdomains to use the same certificate
B. It eliminates the need for certificate authorities
C. It provides higher security than single-sided certificates
D. It is issued by self-signed certificate authorities

A

Answer:
A. It allows multiple subdomains to use the same certificate

Explanation:

Correct:

A: Wildcard certificates allow all subdomains under a root domain to use the same certificate, simplifying management.

Incorrect:

B: Wildcard certificates still require a certificate authority.

C: Wildcard certificates do not inherently provide higher security than single-sided certificates.

D: Wildcard certificates are issued by trusted certificate authorities, not self-signed authorities.

112
Q

What is the primary disadvantage of using a wildcard certificate?
A. It is more expensive than single-use certificates
B. Compromising one subdomain affects all subdomains
C. It cannot be used for multiple domains
D. It requires dual-sided authentication

A

Answer:
B. Compromising one subdomain affects all subdomains

Explanation:

Correct:

B: If a wildcard certificate is compromised, all subdomains using that certificate are affected.

Incorrect:

A: Wildcard certificates are cost-effective for managing multiple subdomains.

C: Wildcard certificates are designed for subdomains, not multiple domains.

D: Wildcard certificates do not require dual-sided authentication.

113
Q

What is the purpose of the Subject Alternate Name (SAN) field in a digital certificate?
A. To allow multiple domains to use the same certificate
B. To replace the need for wildcard certificates
C. To encrypt data using symmetric encryption
D. To eliminate the need for certificate authorities

A

Answer:
A. To allow multiple domains to use the same certificate

Explanation:

Correct:

A: The SAN field allows a single certificate to support multiple domains or IP addresses.

Incorrect:

B: The SAN field complements wildcard certificates but does not replace them.

C: The SAN field is not related to encryption.

D: Certificate authorities are still required to issue certificates with SAN fields.

114
Q

What is the difference between single-sided and dual-sided certificates?
A. Single-sided certificates require dual authentication, while dual-sided certificates require single authentication
B. Single-sided certificates only validate the server, while dual-sided certificates validate both the server and the user
C. Single-sided certificates are used for testing, while dual-sided certificates are used for production
D. Single-sided certificates are self-signed, while dual-sided certificates are issued by certificate authorities

A

Answer:
B. Single-sided certificates only validate the server, while dual-sided certificates validate both the server and the user

Explanation:

Correct:

B: Single-sided certificates validate only the server, while dual-sided certificates require mutual authentication.

Incorrect:

A: This is the opposite of the correct relationship.

C: Both single-sided and dual-sided certificates can be used in production.

D: Single-sided certificates can be issued by certificate authorities.

115
Q

What is a self-signed certificate?
A. A certificate issued by a trusted certificate authority
B. A certificate signed by the same entity whose identity it certifies
C. A certificate used only for symmetric encryption
D. A certificate that eliminates the need for the Root of Trust

A

Answer:
B. A certificate signed by the same entity whose identity it certifies

Explanation:

Correct:

B: Self-signed certificates are signed by the entity they certify, without third-party validation.

Incorrect:

A: Self-signed certificates are not issued by trusted certificate authorities.

C: Self-signed certificates are used for asymmetric encryption.

D: Self-signed certificates still rely on the Root of Trust concept.

116
Q

What is the primary advantage of using third-party certificates?
A. They are self-signed and do not require validation
B. They are trusted by browsers and operating systems
C. They eliminate the need for the Root of Trust
D. They are used only for testing environments

A

Answer:
B. They are trusted by browsers and operating systems

Explanation:

Correct:

B: Third-party certificates are issued by trusted certificate authorities and are inherently trusted by browsers and systems.

Incorrect:

A: Third-party certificates require validation by a certificate authority.

C: Third-party certificates rely on the Root of Trust.

D: Third-party certificates are used for production, not just testing.

117
Q

What is the purpose of the Certificate Revocation List (CRL)?
A. To issue new digital certificates
B. To list all revoked digital certificates
C. To replace the need for certificate authorities
D. To encrypt data using symmetric encryption

A

Answer:
B. To list all revoked digital certificates

Explanation:

Correct:

B: The CRL is maintained by certificate authorities to list all revoked certificates.

Incorrect:

A: The CRL does not issue new certificates.

C: The CRL is part of the certificate authority’s role.

D: The CRL is not related to encryption.

118
Q

What is the primary advantage of OCSP over CRL?
A. OCSP is faster and more efficient
B. OCSP provides stronger encryption
C. OCSP eliminates the need for certificate authorities
D. OCSP is used only for self-signed certificates

A

Answer:
A. OCSP is faster and more efficient

Explanation:

Correct:

A: OCSP checks the revocation status of a single certificate in real-time, making it faster than CRL.

Incorrect:

B: OCSP does not provide encryption.

C: OCSP relies on certificate authorities.

D: OCSP is used for all types of certificates, not just self-signed ones.

119
Q

What is the primary purpose of a Trusted Platform Module (TPM)?
A. To perform encryption operations in a tamper-proof environment
B. To provide hardware-level security for cryptographic keys
C. To manage the lifecycle of cryptographic keys
D. To isolate sensitive data from the main processor

A

Answer:
B. To provide hardware-level security for cryptographic keys

Explanation:

Correct:

B: A TPM is a dedicated microcontroller that secures hardware through integrated cryptographic keys, ensuring digital secrets remain confidential.

Incorrect:

A: This describes the role of an HSM, not a TPM.

C: Key lifecycle management is the role of a Key Management System (KMS).

D: This describes the role of a secure enclave.

120
Q

Which of the following are features of a Hardware Security Module (HSM)? (Choose Three)
A. Tamper-proof environment for encryption operations
B. Centralized key lifecycle management
C. Safeguards and manages digital keys
D. Accelerated cryptographic operations

A

Answer:
A. Tamper-proof environment for encryption operations
C. Safeguards and manages digital keys
D. Accelerated cryptographic operations

Explanation:

Correct:

A: HSMs perform encryption operations in a tamper-proof environment.

C: HSMs are designed to safeguard and manage digital keys.

D: HSMs provide accelerated cryptographic operations for sensitive tasks.

Incorrect:

B: Centralized key lifecycle management is the role of a Key Management System (KMS).

121
Q

What is the primary function of a Key Management System (KMS)?
A. To isolate sensitive data from the main processor
B. To manage the lifecycle of cryptographic keys
C. To provide hardware-level security for cryptographic keys
D. To perform encryption operations in a tamper-proof environment

A

Answer:
B. To manage the lifecycle of cryptographic keys

Explanation:

Correct:

B: A KMS manages the generation, distribution, storage, and retirement of cryptographic keys.

Incorrect:

A: This describes the role of a secure enclave.

C: This describes the role of a TPM.

D: This describes the role of an HSM.

122
Q

What is the primary advantage of using a secure enclave?
A. It provides hardware-level security for cryptographic keys
B. It isolates sensitive data from the main processor
C. It manages the lifecycle of cryptographic keys
D. It performs encryption operations in a tamper-proof environment

A

Answer:
B. It isolates sensitive data from the main processor

Explanation:

Correct:

B: A secure enclave is a co-processor that isolates sensitive data (e.g., biometric information) from the main processor.

Incorrect:

A: This describes the role of a TPM.

C: This describes the role of a KMS.

D: This describes the role of an HSM.

123
Q

Which of the following encryption tools is commonly used with BitLocker drive encryption?
A. Hardware Security Module (HSM)
B. Trusted Platform Module (TPM)
C. Key Management System (KMS)
D. Secure Enclave

A

Answer:
B. Trusted Platform Module (TPM)

Explanation:

Correct:

B: TPM is used with BitLocker to secure cryptographic keys at the hardware level.

Incorrect:

A: HSMs are used for mission-critical encryption tasks, not BitLocker.

C: KMS manages key lifecycles but is not directly tied to BitLocker.

D: Secure enclaves are used for isolating sensitive data, not BitLocker.

124
Q

What is the primary use case for a Hardware Security Module (HSM)?
A. Managing cryptographic keys for cloud storage
B. Securing financial transactions and sensitive data
C. Isolating biometric data from the main processor
D. Providing hardware-level security for Windows devices

A

Answer:
B. Securing financial transactions and sensitive data

Explanation:

Correct:

B: HSMs are used for mission-critical scenarios like financial transactions due to their tamper-proof environment.

Incorrect:

A: This describes the role of a KMS.

C: This describes the role of a secure enclave.

D: This describes the role of a TPM.

125
Q

Which of the following are benefits of using a Key Management System (KMS)? (Choose Two)
A. Automates key lifecycle management
B. Provides hardware-level security for cryptographic keys
C. Ensures regulatory compliance for sensitive data
D. Isolates sensitive data from the main processor

A

Answer:
A. Automates key lifecycle management
C. Ensures regulatory compliance for sensitive data

Explanation:

Correct:

A: A KMS automates the generation, distribution, and retirement of cryptographic keys.

C: A KMS helps organizations meet regulatory compliance by securely managing keys.

Incorrect:

B: This describes the role of a TPM or HSM.

D: This describes the role of a secure enclave.

126
Q

What is the primary purpose of a secure enclave in a device?
A. To manage cryptographic keys for cloud storage
B. To isolate and protect sensitive data like biometric information
C. To perform encryption operations in a tamper-proof environment
D. To provide hardware-level security for Windows devices

A

Answer:
B. To isolate and protect sensitive data like biometric information

Explanation:

Correct:

B: A secure enclave isolates sensitive data (e.g., fingerprints, facial recognition) from the main processor.

Incorrect:

A: This describes the role of a KMS.

C: This describes the role of an HSM.

D: This describes the role of a TPM.

127
Q

Which of the following encryption tools is used to safeguard biometric data on iPhones?
A. Trusted Platform Module (TPM)
B. Hardware Security Module (HSM)
C. Key Management System (KMS)
D. Secure Enclave

A

Answer:
D. Secure Enclave

Explanation:

Correct:

D: The secure enclave in iPhones isolates and protects biometric data like fingerprints and facial recognition data.

Incorrect:

A: TPMs are used for hardware-level security in Windows devices.

B: HSMs are used for mission-critical encryption tasks.

C: KMS manages cryptographic keys but does not isolate biometric data.

128
Q

What is the primary advantage of using a Hardware Security Module (HSM) over a Trusted Platform Module (TPM)?
A. HSMs provide hardware-level security for cryptographic keys
B. HSMs are integrated into the main processor of devices
C. HSMs are designed for mission-critical encryption tasks
D. HSMs isolate sensitive data from the main processor

A

Answer:
C. HSMs are designed for mission-critical encryption tasks

Explanation:

Correct:

C: HSMs are used for high-security scenarios like financial transactions, offering tamper-proof encryption operations.

Incorrect:

A: Both HSMs and TPMs provide hardware-level security.

B: This describes the role of a secure enclave.

D: This describes the role of a secure enclave.

129
Q

What is the primary goal of steganography?
A. To encrypt sensitive data for secure transmission
B. To hide the existence of a message within another medium
C. To replace sensitive data with non-sensitive tokens
D. To disguise original data while maintaining usability

A

Answer:
B. To hide the existence of a message within another medium

Explanation:

Correct:

B: Steganography aims to conceal the very existence of a hidden message within another file or medium, such as an image or text.

Incorrect:

A: Steganography hides data but does not encrypt it.

C: This describes tokenization.

D: This describes data masking.

130
Q

Which of the following are examples of steganography? (Choose Two)
A. Embedding a secret message in the pixels of an image
B. Replacing credit card numbers with random tokens
C. Using the first letter of each word in a newspaper ad to form a hidden message
D. Masking the first 12 digits of a credit card number

A

Answer:
A. Embedding a secret message in the pixels of an image
C. Using the first letter of each word in a newspaper ad to form a hidden message

Explanation:

Correct:

A: Steganography often involves hiding messages in images by altering pixel values.

C: This is a classic example of steganography, where hidden messages are embedded in plain sight.

Incorrect:

B: This describes tokenization.

D: This describes data masking.

131
Q

What is the primary purpose of tokenization?
A. To hide the existence of a message within another medium
B. To replace sensitive data with non-sensitive tokens
C. To disguise original data while maintaining usability
D. To encrypt sensitive data for secure transmission

A

Answer:
B. To replace sensitive data with non-sensitive tokens

Explanation:

Correct:

B: Tokenization substitutes sensitive data (e.g., credit card numbers) with non-sensitive tokens that have no intrinsic value.

Incorrect:

A: This describes steganography.

C: This describes data masking.

D: Tokenization does not encrypt data; it replaces it with tokens.

132
Q

Which of the following is a common use case for tokenization?
A. Hiding a secret message in an image
B. Protecting credit card data in payment systems
C. Masking social security numbers in a database
D. Encrypting sensitive data for secure transmission

A

Answer:
B. Protecting credit card data in payment systems

Explanation:

Correct:

B: Tokenization is widely used in payment systems to replace sensitive credit card data with tokens, reducing the risk of data breaches.

Incorrect:

A: This describes steganography.

C: This describes data masking.

D: Tokenization does not encrypt data; it replaces it with tokens.

133
Q

What is the primary purpose of data masking?
A. To hide the existence of a message within another medium
B. To replace sensitive data with non-sensitive tokens
C. To disguise original data while maintaining usability
D. To encrypt sensitive data for secure transmission

A

Answer:
C. To disguise original data while maintaining usability

Explanation:

Correct:

C: Data masking disguises sensitive data (e.g., credit card numbers, social security numbers) while keeping the data usable for testing or other purposes.

Incorrect:

A: This describes steganography.

B: This describes tokenization.

D: Data masking does not encrypt data; it alters it to protect sensitive information.

134
Q

Which of the following is an example of data masking?
A. Embedding a secret message in an image
B. Replacing a credit card number with a random token
C. Displaying only the last four digits of a credit card number
D. Encrypting sensitive data for secure transmission

A

Answer:
C. Displaying only the last four digits of a credit card number

Explanation:

Correct:

C: Data masking often involves displaying only a portion of sensitive data (e.g., the last four digits of a credit card number) to protect the full data.

Incorrect:

A: This describes steganography.

B: This describes tokenization.

D: Data masking does not encrypt data; it alters it to protect sensitive information.

135
Q

What is a key advantage of using tokenization in payment systems?
A. It hides the existence of sensitive data
B. It reduces the scope of compliance with standards like PCI DSS
C. It encrypts sensitive data for secure transmission
D. It disguises original data while maintaining usability

A

Answer:
B. It reduces the scope of compliance with standards like PCI DSS

Explanation:

Correct:

B: Tokenization reduces the scope of compliance with standards like PCI DSS by replacing sensitive data with tokens, minimizing the exposure of sensitive information.

Incorrect:

A: This describes steganography.

C: Tokenization does not encrypt data; it replaces it with tokens.

D: This describes data masking.

136
Q

Which of the following techniques is used to protect sensitive data in non-production environments?
A. Steganography
B. Tokenization
C. Data masking
D. Encryption

A

Answer:
C. Data masking

Explanation:

Correct:

C: Data masking is commonly used in non-production environments (e.g., software testing) to protect sensitive data while maintaining usability.

Incorrect:

A: Steganography hides messages but is not typically used for protecting data in non-production environments.

B: Tokenization replaces sensitive data with tokens but is more commonly used in production environments like payment systems.

D: Encryption secures data but does not disguise it for usability in non-production environments.

137
Q

What is a key difference between steganography and tokenization?
A. Steganography hides data within another medium, while tokenization replaces sensitive data with tokens
B. Steganography encrypts data, while tokenization disguises data
C. Steganography is used in payment systems, while tokenization is used in testing environments
D. Steganography replaces sensitive data with tokens, while tokenization hides data within another medium

A

Answer:
A. Steganography hides data within another medium, while tokenization replaces sensitive data with tokens

Explanation:

Correct:

A: Steganography conceals data within another medium (e.g., an image), while tokenization substitutes sensitive data with non-sensitive tokens.

Incorrect:

B: Steganography does not encrypt data; it hides it.

C: Tokenization is used in payment systems, not steganography.

D: This is the opposite of the correct relationship.

138
Q

Which of the following techniques is used to hide sensitive data in plain sight without altering its appearance?
A. Steganography
B. Tokenization
C. Data masking
D. Encryption

A

Answer:
A. Steganography

Explanation:

Correct:

A: Steganography hides data within another medium (e.g., an image) without altering its visible appearance.

Incorrect:

B: Tokenization replaces sensitive data with tokens, which alters its appearance.

C: Data masking disguises sensitive data, altering its appearance.

D: Encryption transforms data into an unreadable format, altering its appearance.

139
Q

Which of the following are types of cryptographic attacks? (Choose Three)
A. Downgrade attacks
B. Collision attacks
C. Brute-force attacks
D. Quantum computing threats

A

Answer:
A, B, D

Explanation:

Correct Options:

A: Downgrade attacks force systems to use weaker or older cryptographic protocols, exploiting vulnerabilities in outdated versions.

B: Collision attacks aim to find two different inputs that produce the same hash output, undermining data integrity.

D: Quantum computing threats involve the potential for quantum computers to break traditional encryption algorithms by rapidly solving complex math problems.

Incorrect Option:

C: Brute-force attacks are not specifically mentioned in the content as a type of cryptographic attack. They are a general method of guessing keys or passwords but are not categorized as a cryptographic attack in this context.

140
Q

What is the primary goal of a downgrade attack?
A. To force a system to use a weaker or older cryptographic protocol
B. To find two inputs that produce the same hash output
C. To exploit quantum computing to break encryption
D. To brute-force a cryptographic key

A

Answer:
A

Explanation:

Correct Option:

A: Downgrade attacks aim to force systems to use weaker or older cryptographic protocols, exploiting vulnerabilities in outdated versions.

Incorrect Options:

B: This describes a collision attack.

C: This refers to the threat of quantum computing.

D: This describes a brute-force attack, not a downgrade attack.

141
Q

Which of the following is an example of a downgrade attack?
A. POODLE attack
B. Birthday attack
C. Quantum factorization
D. Brute-force attack

A

Answer:
A

Explanation:

Correct Option:

A: The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack is a real-world example of a downgrade attack that forced systems to use the insecure SSL 3.0 protocol.

Incorrect Options:

B: The Birthday attack is related to collision attacks, not downgrade attacks.

C: Quantum factorization is a threat posed by quantum computing, not a downgrade attack.

D: Brute-force attacks are unrelated to downgrade attacks.

142
Q

What is the purpose of a collision attack?
A. To force a system to use an older cryptographic protocol
B. To find two different inputs that produce the same hash output
C. To exploit quantum computing to break encryption
D. To brute-force a cryptographic key

A

Answer:
B

Explanation:

Correct Option:

B: Collision attacks aim to find two different inputs that produce the same hash output, undermining the integrity of cryptographic systems.

Incorrect Options:

A: This describes a downgrade attack.

C: This refers to the threat of quantum computing.

D: This describes a brute-force attack.

143
Q

Which hashing algorithm is particularly vulnerable to collision attacks?
A. SHA-256
B. MD5
C. AES
D. RSA

A

Answer:
B

Explanation:

Correct Option:

B: MD5 (Message Digest Algorithm 5) is known to be vulnerable to collision attacks due to its structural weaknesses.

Incorrect Options:

A: SHA-256 is considered secure against collision attacks.

C: AES is a symmetric encryption algorithm, not a hashing algorithm.

D: RSA is an asymmetric encryption algorithm, not a hashing algorithm.

144
Q

What is the “Birthday Paradox” in the context of cryptography?
A. The probability that two people share the same birthday in a group
B. The probability that two distinct inputs produce the same hash output
C. The probability that a quantum computer can break encryption
D. The probability that a downgrade attack will succeed

A

Answer:
B

Explanation:

Correct Option:

B: The Birthday Paradox refers to the probability that two distinct inputs, when processed through a hashing function, will produce the same output (a collision).

Incorrect Options:

A: This is the general definition of the Birthday Paradox but not its cryptographic application.

C: This refers to the threat of quantum computing.

D: This is unrelated to the Birthday Paradox.

145
Q

Which of the following are threats posed by quantum computing? (Choose Two)
A. Rapid factorization of large prime numbers
B. Exploitation of outdated cryptographic protocols
C. Solving discrete logarithmic problems quickly
D. Forcing systems to use weaker encryption

A

Answer:
A, C

Explanation:

Correct Options:

A: Quantum computers can rapidly factorize large prime numbers, threatening asymmetric encryption algorithms like RSA.

C: Quantum computers can solve discrete logarithmic problems quickly, undermining algorithms like ECC (Elliptic Curve Cryptography).

Incorrect Options:

B: This describes a downgrade attack, not a quantum computing threat.

D: This describes a downgrade attack, not a quantum computing threat.

146
Q

What is the primary purpose of post-quantum cryptography?
A. To phase out support for legacy protocols
B. To create algorithms resistant to quantum attacks
C. To increase the speed of cryptographic computations
D. To exploit vulnerabilities in hashing algorithms

A

Answer:
B

Explanation:

Correct Option:

B: Post-quantum cryptography aims to create algorithms that are resistant to attacks from future quantum computers.

Incorrect Options:

A: This is a countermeasure for downgrade attacks, not post-quantum cryptography.

C: This is not the primary purpose of post-quantum cryptography.

D: This describes collision attacks, not post-quantum cryptography.

147
Q

Which of the following are post-quantum cryptographic algorithms selected by NIST? (Choose Three)
A. CRYSTALS-Kyber
B. MD5
C. CRYSTALS-Dilithium
D. SPHINCS+

A

Answer:
A, C, D

Explanation:

Correct Options:

A: CRYSTALS-Kyber is recommended for general encryption needs.

C: CRYSTALS-Dilithium is recommended for digital signatures.

D: SPHINCS+ is another digital signature algorithm recommended by NIST.

Incorrect Option:

B: MD5 is a hashing algorithm vulnerable to collision attacks and is not a post-quantum algorithm.

148
Q

What is a qubit in the context of quantum computing?
A. A traditional bit that can be either 0 or 1
B. A quantum bit that can represent multiple combinations of 0 and 1 simultaneously
C. A hashing algorithm used in post-quantum cryptography
D. A cryptographic protocol vulnerable to downgrade attacks

A

Answer:
B

Explanation:

Correct Option:

B: A qubit (quantum bit) can represent multiple combinations of 0 and 1 simultaneously through superposition, enabling quantum computers to process vast amounts of information.

Incorrect Options:

A: This describes a traditional bit, not a qubit.

C: This is unrelated to qubits.

D: This describes a downgrade attack, not a qubit.

149
Q

Alice is sending an important message to Bob over an insecure network. Alice wants to ensure that the message is authenticated and has not been altered during transit. Alice and Bob already share a pre-exchanged secret key.
Which method should Alice use in this scenario, and why?

Options:
A. Use HMAC, as it relies on a shared secret key and is efficient for ensuring integrity and authenticity.
B. Use Digital Signatures, as they provide non-repudiation and use public-private key cryptography.
C. Use HMAC, as it does not require any shared secret key for operation.
D. Use Digital Signatures, as they are always faster than HMAC for authenticating messages.

A

Correct Answer:
A. Use HMAC, as it relies on a shared secret key and is efficient for ensuring integrity and authenticity.

Explanations:

A. Use HMAC, as it relies on a shared secret key and is efficient for ensuring integrity and authenticity.

Why Correct: Since Alice and Bob already share a secret key, they can use HMAC to ensure the integrity and authenticity of the message. HMAC uses symmetric key cryptography combined with a hashing algorithm like SHA (e.g., HMAC-SHA-256) to produce a unique message authentication code. This approach is fast, secure, and well suited to scenarios where both parties trust each other and pre-share a key.

Why Important: HMAC does not involve computationally expensive public-private key cryptography, making it an ideal choice for closed systems like this one.

B. Use Digital Signatures, as they provide non-repudiation and use public-private key cryptography.

Why Incorrect: While digital signatures are great for providing non-repudiation and open communication, they are unnecessary here since Alice and Bob already trust each other and share a secret key. Digital signatures are also slower than HMAC because they rely on asymmetric key algorithms like RSA or ECDSA, which require more computational power.

C. Use HMAC, as it does not require any shared secret key for operation.

Why Incorrect: This statement is false. HMAC requires a shared secret key for operation. Without a shared key, neither Alice nor Bob could generate or verify the HMAC.

D. Use Digital Signatures, as they are always faster than HMAC for authenticating messages.

Why Incorrect: This statement is also false. Digital signatures are generally slower than HMAC because they rely on computationally intensive asymmetric cryptography. HMAC is faster because it uses symmetric key cryptography combined with hashing.

150
Q

An organization uses HMAC-SHA-256 to authenticate API requests between its servers. A developer on the team is confused about how HMAC provides security. Which of the following statements about HMAC is correct?

Options:
A. HMAC uses a shared secret key and a hashing algorithm like SHA-256 to provide authentication and integrity.
B. HMAC uses public-private key cryptography for authentication and integrity.
C. HMAC provides non-repudiation, making it suitable for legal and financial transactions.
D. HMAC works without the need for any key and relies solely on the hashing algorithm.

A

Correct Answer:
A. HMAC uses a shared secret key and a hashing algorithm like SHA-256 to provide authentication and integrity.

Explanations:

A. HMAC uses a shared secret key and a hashing algorithm like SHA-256 to provide authentication and integrity.

Why Correct: HMAC (Hash-Based Message Authentication Code) combines a secret key with a hashing algorithm like SHA-256 to generate a secure authentication code. This code ensures that the message has not been altered (integrity) and that it was generated by someone possessing the secret key (authentication).

B. HMAC uses public-private key cryptography for authentication and integrity.

Why Incorrect: This statement is false. HMAC does not use public-private key cryptography. It uses symmetric key cryptography, where a single shared key is used by both parties.

C. HMAC provides non-repudiation, making it suitable for legal and financial transactions.

Why Incorrect: HMAC does not provide non-repudiation because both parties share the same secret key. Either party could have generated the HMAC, so it cannot be used to prove the sender's identity to a third party. Non-repudiation is a feature of digital signatures, not HMAC.

D. HMAC works without the need for any key and relies solely on the hashing algorithm.

Why Incorrect: This is incorrect because HMAC requires a secret key to generate the authentication code. Without the key, HMAC cannot function.

151
Q

A company is deciding between HMAC and digital signatures for securing their communications. Which of the following statements about the differences between HMAC and digital signatures is true?

Options:
A. HMAC provides non-repudiation, while digital signatures do not.
B. HMAC requires a shared secret key, while digital signatures require a public-private key pair.
C. Digital signatures rely on symmetric cryptography, while HMAC uses asymmetric cryptography.
D. HMAC is slower than digital signatures because it uses hashing algorithms like SHA-256.

A

Correct Answer:
B. HMAC requires a shared secret key, while digital signatures require a public-private key pair.

Explanations:

A. HMAC provides non-repudiation, while digital signatures do not.

Why Incorrect: This is false. HMAC does not provide non-repudiation because both parties share the same secret key. Digital signatures, on the other hand, provide non-repudiation because only the sender has the private key used for signing.

B. HMAC requires a shared secret key, while digital signatures require a public-private key pair.

Why Correct: HMAC uses symmetric cryptography, meaning both parties share the same secret key for generating and verifying the code. Digital signatures use asymmetric cryptography, where a private key is used to sign messages, and a public key is used to verify them.

C. Digital signatures rely on symmetric cryptography, while HMAC uses asymmetric cryptography.

Why Incorrect: This is the reverse of the truth. Digital signatures rely on asymmetric cryptography, while HMAC relies on symmetric cryptography.

D. HMAC is slower than digital signatures because it uses hashing algorithms like SHA-256.

Why Incorrect: This is false. HMAC is generally faster than digital signatures because it uses efficient symmetric key cryptography and hashing. Digital signatures, which rely on asymmetric cryptography, are computationally more expensive.