Cryptography and PKI Flashcards
Which of the following is most directly associated with providing or supporting perfect forward secrecy?
PBKDF2
ECDHE
HMAC
ECDHE
Elliptic Curve Diffie-Hellman Ephemeral, or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE), implements perfect forward secrecy through the use of elliptic curve cryptography (ECC). PBKDF2 is an example of a key-stretching technology not directly supporting perfect forward secrecy. HMAC is a hashing function. OCSP is used to check for certificate revocation
Which of the following symmetric-encryption algorithms offers the strength of 168-bit keys?
Data Encryption Standard
Advanced Encryption Standard
Triple DES
Triple DES
Triple DES (3DES) offers the strength of 168-bit keys. The Data Encryption Standard (DES) offers the strength of 56-bit keys. The Advanced Encryption Standard (AES) offers the strength of 128-, 192-, or 256-bit keys. The International Data Encryption Algorithm (IDEA) offers the strength of 128-bit keys
The security service that protects the secrecy of data, information, or resources is known as what?
Integrity
Authentication
Confidentiality
Confidentiality
The security service that protects the secrecy of data, information, or resources is known as confidentiality. Integrity protects the reliability and correctness of data. Authentication verifies the identity of the sender or receiver of a message. Nonrepudiation prevents the sender of a message or the perpetrator of an activity from being able to deny that they sent the message or performed the activity
Digital signatures can be created using all but which of the following?
Asymmetric cryptography
Hashing
Key escrow
Key escrow
Key escrow isn’t used in digital signatures, but it’s a fault-tolerance feature of certificate and key management. Asymmetric and symmetric cryptography, along with hashing, are used in digital signatures
When a subject or end user requests a certificate, they must provide which of the following items? (Choose all that apply.)
Proof of identity
A hardware storage device
A public key
A private key
Proof of identity
A public key
Proof of identity and the subject’s public key must be provided to the CA when the subject requests a certificate. The private key should never be revealed to anyone, not even the CA. A hardware storage device is used after a key or certificate has been issued, not as part of the requesting process
From a private corporate perspective, which of the following is most secure?
Decentralized key management
Centralized key management
Individual key management
Centralized key management
Centralized key management is more secure, or at least more desirable, from a private corporate perspective. From a public or individual perspective, decentralized key management is more secure. Individual and distributed key management are nonstandard terms that could be used to refer to decentralized key management
When should a key or certificate be renewed?
Every quarter
Just after it expires
Just before it expires
Just before it expires
Keys and certificates should be renewed just before they expire. All the other choices are incorrect
Which mode of operation used by symmetric encryption algorithms ensures unique cipher text by integrating an IV into the operation and linking each cipher text block to the next plain text block?
Cipher Block Chaining
Electronic Codebook
Galois Counter Mode
Cipher Block Chaining
CBC (Cipher Block Chaining) mode is used to prevent the creation of duplicate cipher-text blocks. This is accomplished by adding an IV into the operation of encryption. The IV is integrated with the first block using XOR. The result is then encrypted using the selected secret key. The cipher text of the first block is then used as the IV for the second block. This linking or chaining of the blocks for use as an IV ensures that every block results in cipher text that is unique
You are the communications officer for a large organization. Your data transfer system encrypts each file before sending it across the network to the recipient. There have been issues with the keys being intercepted as they are sent along the same path as the protect files. What alternative system should be used for key exchange?
Ephemeral
Out-of-band
Sequential
Out-of-band
Out-of-band key exchange takes place outside of the current communication channel or pathway, such as through a secondary channel, via a special secured exchange technique in the channel, or with a complete separate pathway technology. Out-of-band key exchange is generally considered more secure, because any attack monitoring the initial channel is less likely to be monitoring or have access to the alternate or separate communications path
You are a programmer with a new app for use on smartphones. Your app provides users with a means to securely store personal data, such as their calendar, financial information, and personal contacts in an encrypted container. There is concern that users will be unable to remember a long random encryption key, but you want to use something stronger than just a remembered password. What technique can be used to minimize the information remembered by the user while maximizing the security of the encryption?
Session key
Ephemeral key
Key stretching
Key stretching
Key stretching is a collection of techniques that can take a weak key or password and stretch it to make it more secure, at least against brute-force attacks
What is the least effective form of security?
Ephemeral keys
Security through obscurity
Implicit deny
Security through obscurity
Security through obscurity is the concept of attempting to gain security by hiding or not being noticed among the crowd of other targets. This is effectively security hide-and-seek. It is not considered a valid security approach for any organization
As a security-focused systems designer, you need to select the means by which symmetric keys are generated and exchanged between communication endpoints. Which of the following will provide your product with the most secure solution?
Digital envelopes
Static keys
ECDHE
ECDHE
Elliptic Curve Diffie-Hellman Ephemeral, or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE), implements perfect forward secrecy through the use of elliptic curve cryptography (ECC). ECC has the potential to provide greater security with less computational burden than that of DHE. Digital envelopes allow one side of a communication to select the key and provide it to the other side; this can result in less secure keys than if both sides participate in the key generation process. Static keys and sequential keys are insecure
What is the result of the following calculation: 1 0 0 1 0 0 1 1 ⊕ 0 0 0 1 1 1 0 0?
1 0 0 1 1 1 1 1
0 1 1 1 0 0 0 0
1 0 0 0 1 1 1 1
1 0 0 0 1 1 1 1
XOR (eXclusive OR) is an exclusive disjunction, which means that it produces an output of truth (or 1) whenever the two inputs differ (such as one is a 0 [false] and the other is a 1 [true]). It’s referred to in mathematical literature as the XOR function and is commonly represented by the ⊕ symbol. When the two values being XORed are both 0 or both 1, the result is 0. When the values are different, the result is 1
What form of wireless can use a RADIUS server to authenticate a wireless client?
WEP
WPA PSK
WPA-2 ENT
WPA-2 ENT
WPA and WPA-2 support two forms of authentication: PSK and ENT. PSK, or preshared key, is also known as personal. PSK is the use of a static fixed password for authentication. ENT, or enterprise, is also known as IEEE 802.1x/EAP. ENT enables the leveraging of an existing AAA service, such as RADIUS or TACACS+, to be used to authenticate. WEP only supports fixed key authentication. WPS (WiFi Protected Setup) adds a new client to a wireless network, but other than pressing the WPS button or sending the PIN to the WAP, no authentication is taking place
What form of EAP is considered one of the strongest options, negotiates security using digital certificates similar to HTTPS, and can function over wireless connections?
EAP-SIM
PEAP
EAP-TLS
EAP-TLS
EAP-TLS (EAP Transport Layer Security) is an open IETF standard which is an implementation of the TLS protocol for use in protecting authentication traffic. EAP-TLS is considered one of the strongest EAP standards available. EAP-TLS is most effective when both client and server (wireless endpoint device and wireless base station) have digital certificates
