Cryptography and PKI (4) Flashcards
Zack, an administrator, needs to renew a certificate for the company’s web server. Which of the following would you recommend Zack submit to the CA?
CSR
Key escrow
CRL
CSR
A CSR (certificate signing request) is what an applicant sends to a CA to apply for, or renew, a digital identity certificate. It contains the subject's identity information and public key and is signed with the matching private key, which never leaves the server. Key escrow is the storage of private keys with a third party, and a CRL lists revoked certificates; neither is submitted to obtain a certificate
Which of the following types of encryption offers easy key exchange and key management?
Obfuscation
Asymmetric
Symmetric
Asymmetric
Asymmetric encryption, also known as public key cryptography, uses a key pair: the public key can be distributed openly and only the private key must be kept secret, so two parties can agree on a session key without first sharing a secret over a protected channel. That is what makes key exchange and key management easier than with symmetric algorithms, where every pair of communicating parties needs its own secret key distributed securely
Which of the following is used to exchange cryptographic keys?
Diffie-Hellman
HMAC
ROT13
Diffie-Hellman
Diffie-Hellman lets two parties who have never shared a secret agree on one over an untrusted channel; the shared secret itself is never transmitted, and it is typically used to derive symmetric session keys. HMAC is a keyed hash for integrity, and ROT13 is a trivial substitution, not a key exchange
Which of the following encryption algorithms is used to encrypt and decrypt data?
MD5
HMAC
RC4
RC4
RC4 is a stream cipher used to encrypt and decrypt data, but its keystream has known biases, it is prohibited in TLS (RFC 7465), and it should not be used. MD5 is a hash function and HMAC is a keyed hash; neither encrypts
Which of the following provides additional encryption strength by repeating the encryption process with additional keys?
3DES
AES
Twofish
3DES
3DES (Triple DES) is a symmetric block cipher that applies the DES algorithm three times to each 64-bit block (encrypt, decrypt, encrypt) with up to three different 56-bit keys. AES and Twofish each run a single pass with one key
Which of the following security mechanisms can be used for the purpose of nonrepudiation?
Encryption
Digital signature
Collision
Digital signature
Digital signatures are created with the signer's private key, which only that user or computer holds, and verified with the matching public key. Because nobody else could have produced the signature, the signer cannot later deny having signed; that assurance is nonrepudiation. Encryption alone does not provide it, and neither does a MAC, because both parties share the MAC key
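To show why a signature gives nonrepudiation and a MAC does not, here is an added example (not part of the original flashcards) with a deliberately tiny textbook RSA signature next to an HMAC. The primes, exponent and message are constructed for the illustration; real RSA uses 2048-bit or larger moduli and a padding scheme such as RSA-PSS, and the 56-bit truncated hash is a shortcut so the value fits under the toy modulus.

```python
import hashlib
import hmac

# Fixed small primes so the example runs instantly (assumption: toy parameters; real RSA
# uses 2048-bit or larger moduli and a padding scheme such as RSA-PSS).
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)


def _hash_to_int(message: bytes) -> int:
    """Hash-then-sign.  We keep 56 bits of SHA-256 so the value is below N (about 2^60);
    a real scheme encodes the full digest with PSS or PKCS#1 v1.5 padding."""
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big")


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Only the holder of D can produce this value."""
    return pow(_hash_to_int(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Anyone with the public key (E, N) can check it, so a third party can be convinced
    of who signed: that is the nonrepudiation property."""
    return pow(signature, public_exponent, modulus) == _hash_to_int(message)


def mac(message: bytes, shared_key: bytes) -> bytes:
    """HMAC gives integrity and authenticity but not nonrepudiation: both parties hold
    the key, so either could have produced the tag and neither can prove to an outsider
    who did."""
    return hmac.new(shared_key, message, "sha256").digest()


if __name__ == "__main__":
    order = b"transfer 100 to account 42"        # constructed message
    sig = sign(order)
    print("valid:", verify(order, sig))
    print("tampered:", verify(b"transfer 1000 to account 42", sig))
    k = b"shared-key"
    print("alice's tag == bob's tag:", mac(order, k) == mac(order, k))  # both can compute it
```

The verifier needs only (E, N), which is public; the HMAC verifier needs the same secret the sender used, which is exactly why it cannot settle a dispute about who produced the tag.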
You are a network administrator for your company, and the single AP that allows clients to connect to the wireless LAN is configured with a WPA-PSK preshared key of the company name followed by the number 1. Which of the following statements is correct regarding this implementation?
It is secure because the preshared key is at least five characters long.
It is not secure because the preshared key includes only one number and the company name so it can be easily guessed.
It is not secure because WPA-PSK is as insecure as WEP and should never be used.
It is not secure because the preshared key includes only one number and the company name so it can be easily guessed.
With a single digit appended to the company name, the preshared key is trivially recovered by an offline dictionary attack against a captured four-way handshake. A WPA/WPA2 passphrase may be 8 to 63 ASCII characters; length alone is not the point, the key must not be derivable from public information, so use a long random passphrase. WPA-PSK is not as weak as WEP, but a guessable PSK makes it so
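To make the guessing risk concrete, here is an added example (not from the original flashcards) that derives the WPA/WPA2-PSK pairwise master key the way the standard does, PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, 4096 iterations, 256-bit output, and runs a small dictionary attack against a company-name-plus-digit passphrase. The company name "Acme", the SSID "AcmeWiFi" and the wordlist are constructed for the example; the "password"/"IEEE" pair is the published IEEE 802.11i test vector. A real attacker verifies each guess against the MIC in a captured four-way handshake rather than against the PMK directly, but the cost per guess is the same.

```python
import hashlib
from typing import Iterable, Optional

# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, so a precomputed table only works per SSID, but 4096 iterations
    of SHA-1 is cheap enough that a short or predictable passphrase falls quickly.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def company_wordlist(company: str) -> Iterable[str]:
    """Constructed wordlist: the company name in a few casings with the usual suffixes."""
    suffixes = ["", "1", "123", "2024", "!"]
    for suffix in suffixes:
        for base in (company, company.lower(), company.upper(), company.capitalize()):
            yield base + suffix


def guess_psk(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack.  Simplification: compare against the PMK; a real attack
    derives the PTK from a captured four-way handshake and checks the EAPOL MIC, but each
    guess still costs exactly one derive_pmk() call, which is what makes weak keys fall."""
    for candidate in candidates:
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


if __name__ == "__main__":
    # Hypothetical network: company "Acme", SSID "AcmeWiFi", passphrase "Acme1".
    pmk = derive_pmk("Acme1", "AcmeWiFi")
    print("recovered passphrase:", guess_psk(pmk, "AcmeWiFi", company_wordlist("Acme")))
    strong = derive_pmk("correct-horse-battery-staple-7QxV", "AcmeWiFi")
    print("strong passphrase in wordlist:", guess_psk(strong, "AcmeWiFi", company_wordlist("Acme")))
```

Twenty guesses recover "Acme1"; the same loop makes no progress on a long random passphrase, and that difference, not the eight-character minimum, is what decides whether a PSK network is secure.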
You are a security technician and have been given the task to implement a PKI on the company’s network. When verifying the validity of a certificate, you want to ensure bandwidth isn’t consumed. Which of the following can you implement?
CRL
OCSP
Key escrow
CRL
A CRL (certificate revocation list) is a CA-signed list of certificates that the issuing certificate authority revoked before their scheduled expiration; any certificate on it should not be trusted. Because a client downloads the CRL once and caches it until its next scheduled update, validating certificates against the cached copy consumes no further bandwidth, whereas OCSP sends a network query to a responder for every check. The trade-off is that a CRL can grow large and is only as fresh as its last download
Which of the following types of device are found in a network that supports Wi-Fi Protected Setup (WPS) protocol? (Choose three.)
Registrar
Supplicant
Enrollee
Access Point
Registrar
Enrollee
Access Point
The Wi-Fi Protected Setup protocol defines three roles. The registrar is the device with authority to issue or revoke credentials for the network. The enrollee is the client device seeking to join the wireless network. The AP (access point) acts as a proxy between the registrar and the enrollee. A supplicant is an 802.1X term, not a WPS role. Note that the WPS PIN method is vulnerable to brute force (the 8-digit PIN is validated in two halves, leaving about 11,000 guesses), so WPS is usually disabled on business networks
You are a network administrator for a distribution company and the manager wants to implement a secure wireless LAN for a BYOD policy. Through research, you determine that the company should implement AES encryption and the 802.1X authentication protocol. You also determine that too many APs and clients will be installed to configure each one with a preshared key passphrase. Which of the following will meet your needs?
WEP
WPA2-Personal
WPA2-Enterprise
WPA2-Enterprise
WPA2-Enterprise uses AES-CCMP for encryption and 802.1X for authentication: the client (supplicant) authenticates through the AP (authenticator) to a RADIUS authentication server, typically with an EAP method such as PEAP or EAP-TLS, so each user or device has its own credential and no shared passphrase has to be provisioned on every AP and client. Per-user credentials that can be revoked individually are what make it suitable for BYOD. WPA2-Personal requires the same PSK everywhere, and WEP is broken
The process of deleting data by sending a single erase or clear instruction to an address of the nonvolatile memory is an example of securing which of the following?
Data-in-transit
Data-in-use
Data-at-rest
Data-at-rest
Data-at-rest is data that is inactive and stored on persistent media such as nonvolatile memory (flash, SSDs, disks); a secure-erase or clear command sanitizes that storage. Data-in-transit is crossing a network, and data-in-use is being processed in memory
Which of the following is an authentication service and uses UDP as a transport medium?
TACACS+
RADIUS
LDAP
RADIUS
RADIUS is a client-server protocol in which a network access server forwards authentication requests to a central server over UDP (port 1812 for authentication and 1813 for accounting; older deployments used 1645/1646). It does not encrypt the conversation: only the User-Password attribute is hidden, by XORing it with MD5 digests derived from the shared secret and the Request Authenticator, and the rest of the packet is plaintext. TACACS+ by contrast uses TCP port 49 and encrypts the whole packet body, and LDAP is a directory protocol over TCP
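The User-Password hiding just described is short enough to write out, so here is an added example (not part of the original flashcards) implementing the RFC 2865 section 5.2 algorithm in both directions. The shared secret, password and Request Authenticator are constructed values. It shows why "encryption" overstates what RADIUS does: the authenticator travels in the clear, so anyone who guesses the shared secret recovers every password that crossed the wire.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S || RA), c_i = p_i XOR MD5(S || c_{i-1}).  This is obfuscation keyed
    by the shared secret, not authenticated encryption, and it covers only this attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b_i = hashlib.md5(shared_secret + prev).digest()
        c_i = _xor(padded[i:i + 16], b_i)
        hidden += c_i
        prev = c_i
    return bytes(hidden)


def unhide_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse of hide_user_password: the server, or anyone holding the shared secret and
    the packet, recovers the password.  Padding NULs are stripped as RFC 2865 requires."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    padded = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c_i = hidden[i:i + 16]
        b_i = hashlib.md5(shared_secret + prev).digest()
        padded += _xor(c_i, b_i)
        prev = c_i
    return bytes(padded).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed values: a weak shared secret and a random Request Authenticator.
    secret = b"radius123"
    ra = os.urandom(16)
    hidden = hide_user_password(b"S3cret-Pass", secret, ra)
    print("hidden:", hidden.hex())
    print("recovered by server:", unhide_user_password(hidden, secret, ra))
    # An eavesdropper sees both 'ra' and 'hidden' on the wire; only the secret is
    # missing, so an offline guess of the secret yields the password.
    print("wrong secret:", unhide_user_password(hidden, b"wrong", ra))
```

Because nothing here authenticates the packet, run RADIUS over an IPsec tunnel or use RadSec (RADIUS over TLS) when the path between NAS and server is not trusted, and never reuse a short shared secret across devices.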
Which of the following is true regarding the importance of encryption of data-at-rest for sensitive information?
It renders the recovery of data more difficult should the user lose their password.
It allows the user to verify the integrity of the data on the stored device.
It prevents the sensitive data from being accessed after a theft of the physical equipment.
It prevents the sensitive data from being accessed after a theft of the physical equipment.
Should a hard drive be stolen, its contents are unreadable without the key that encrypted them. Encryption does not verify integrity (that is the job of a hash or MAC), and harder recovery after a lost password is a cost of encryption, not its purpose
You are a network administrator and your manager has asked you to enable WPA2 CCMP for wireless clients, along with an encryption to protect the data transmitting across the network. Which of the following encryption methods would you use along with WPA2 CCMP?
RC4
DES
AES
AES
CCMP (Counter Mode with CBC-MAC Protocol) is built on AES: AES in counter mode encrypts the frame and AES CBC-MAC produces the integrity tag, giving both confidentiality and integrity between the mobile client and the access point. RC4 is the cipher behind the superseded WEP and TKIP, and DES is not used in Wi-Fi security
Which of the following is the least secure hashing algorithm?
MD5
SHA-1
AES
MD5
MD5 produces a 128-bit message digest regardless of the length of the input, and practical collision attacks against it have existed since 2004, so it must not be used where collision resistance matters (certificates, signatures). SHA-1 is also broken for collisions but at far greater cost. AES is a block cipher, not a hashing algorithm
Which of the following types of attack sends two different messages using the same hash function, causing a collision?
Xmas attack
Logic bomb
Birthday attack
Birthday attack
A birthday attack searches for hash collisions. It is named for the birthday paradox: in a room of only 23 people there is about a 50 percent chance that some two of them share a birthday (the odds that someone shares your particular birthday are far lower). Likewise, finding any two inputs with the same n-bit digest takes on the order of 2^(n/2) trials rather than 2^n, which is why digest length matters
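The 2^(n/2) versus 2^n gap is easiest to see by running both searches against a deliberately short hash. The following is an added example (not part of the original flashcards) that truncates SHA-256 to a chosen number of bits, finds a collision between any two generated messages, and then finds a second preimage for one fixed message; the "msg-N" messages and the target "contract-v1" are constructed for the demonstration.

```python
import hashlib
import math
from typing import Optional, Tuple


def truncated_hash(message: bytes, nbits: int) -> int:
    """Top nbits of SHA-256, standing in for a short hash so the search finishes quickly."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - nbits)


def birthday_collision(nbits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Generate distinct messages and remember each digest until one repeats.
    Any pair may collide, so roughly sqrt(pi/2 * 2**nbits) messages suffice on average."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def second_preimage(target: bytes, nbits: int, max_trials: int,
                    prefix: bytes = b"msg-") -> Tuple[Optional[bytes], int]:
    """Match one fixed digest instead of any pair: about 2**nbits trials on average,
    the square of the birthday bound in terms of work."""
    want = truncated_hash(target, nbits)
    for i in range(max_trials):
        m = prefix + str(i).encode()
        if truncated_hash(m, nbits) == want:
            return m, i + 1
    return None, max_trials


def expected_birthday_trials(nbits: int) -> float:
    return math.sqrt(math.pi / 2 * 2 ** nbits)


if __name__ == "__main__":
    m1, m2, n = birthday_collision(16)
    print(f"collision after {n} messages (expected ~{expected_birthday_trials(16):.0f}):", m1, m2)
    p, n = second_preimage(b"contract-v1", 16, 1 << 22)
    print(f"second preimage after {n} messages (expected ~{2 ** 16}):", p)
```

At 16 bits the collision typically appears after a few hundred messages while the second preimage needs tens of thousands; the attacker in the flashcard exploits exactly this by preparing two documents that collide and getting one of them signed.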
Which of the following defines a file format commonly used to store private keys with associated public key certificates?
PKCS #3
PKCS #7
PKCS #12
PKCS #12
PKCS #12 (file extensions .p12 or .pfx) is a password-protected container that holds a private key together with its X.509 certificate and usually the issuing chain, and is what an administrator installs on servers or workstations to move an identity. PKCS #3 describes Diffie-Hellman key agreement, and PKCS #7 (CMS) carries certificates and signed data but no private key
Which of the following statements are true regarding ciphers? (Choose two.)
Stream ciphers encrypt fixed sizes of data.
Stream ciphers encrypt data one bit at a time.
Block ciphers encrypt data one bit at a time.
Block ciphers encrypt fixed sizes of data.
Stream ciphers encrypt data one bit at a time.
Block ciphers encrypt fixed sizes of data.
A stream cipher encrypts data one bit or byte at a time by combining it with a keystream, which is fast and low-latency; a block cipher encrypts fixed-size blocks (128 bits for AES) and needs a mode of operation and padding to handle other lengths
How many effective key sizes of bits does 3DES have? (Choose three.)
56
112
128
168
56
112
168
3DES is a symmetric key block cipher that applies the DES cipher algorithm three times to each data block. 3DES has three keying options. First, all three keys are independent, so 3 × 56 = 168-bit key length. Second, key 1 and key 2 are independent and the third key is the same as the first key, so 2 × 56 = 112-bit key length. Third, all three keys are identical, so 1 × 56 = 56-bit key length, which is just single DES. Keying option 1 nominally has 168 bits of key, but meet-in-the-middle attacks reduce its effective security to about 112 bits; NIST has deprecated 3DES, and AES should be used for new systems
Which of the following statements is true about symmetric algorithms?
They hide data within an image file.
They use one key to encrypt data and another to decrypt data.
They use a single key to encrypt and decrypt data.
They use a single key to encrypt and decrypt data.
A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data, so that key must be delivered to both parties over a secure channel, which is the key-distribution problem asymmetric cryptography solves. Hiding data in an image is steganography, and separate encrypt/decrypt keys describe asymmetric algorithms
The CA is responsible for revoking certificates when necessary. Which of the following statements best describes the relationship between a CRL and OSCP?
OCSP is a protocol to submit revoked certificates to a CRL.
CRL is a more streamlined approach to OCSP.
OCSP is a protocol to check the CRL during a certificate validation process.
OCSP is a protocol to check the CRL during a certificate validation process.
Revoked certificates are listed on a CRL (certificate revocation list), a signed file that the CA publishes at a distribution point named in each certificate; clients download it and cache it until its next update rather than having it pushed to them. OCSP (Online Certificate Status Protocol) lets a client ask an OCSP responder about one specific certificate and receive a signed answer of "good," "revoked," or "unknown," avoiding the full list download. OCSP stapling is a separate TLS extension in which the server fetches its own OCSP response periodically and sends it to the client during the handshake, so the client need not contact the responder at all
Which of the following takes each bit in a character and is XORed with the corresponding bit in the secret key?
PBKDF2
Obfuscation
One-time pad
One-time pad
A one-time pad is a stream cipher that XORs the plaintext with a truly random secret key of the same length as the message, each plaintext bit with the corresponding key bit. It is unbreakable only if the key is random, kept secret, and never reused. PBKDF2 derives keys from passwords, and obfuscation is not encryption
Which of the following works similarly to stream ciphers?
One-time pad
RSA
AES
One-time pad
A stream cipher encrypts one plaintext digit (bit or byte) at a time by XORing it with the corresponding digit of a keystream, exactly as a one-time pad does. The difference is that the keystream is generated from a short key (plus a nonce) rather than being truly random and as long as the message, so a stream cipher is only computationally secure, and reusing the same key and nonce exposes the messages just as reusing a pad does. RSA and AES are block-oriented
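The two previous cards (the one-time pad and the stream cipher that mimics it) share one failure mode, key or pad reuse, so here is a single added example (not part of the original flashcards) covering both. It implements XOR with a pad, a toy keystream generator built from SHA-256 in counter form (an assumption for illustration, not a real cipher), and the two-time-pad attack: XOR of two ciphertexts under the same keystream equals XOR of the plaintexts, and a guessed fragment of one message then reveals the other. The messages and keys are constructed.

```python
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a truly random pad at least as long as the message.
    Decryption is the same operation.  Security holds only if the pad is never reused."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt   # XOR is its own inverse


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream generator (assumption: NOT a real cipher, just SHA-256 in counter mode)
    showing how a stream cipher stretches a short key into a pad-like keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR; a fresh nonce per message is mandatory."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were XORed with the same pad or keystream, the key cancels:
    c1 XOR c2 == p1 XOR p2, which is why pad or (key, nonce) reuse is fatal."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Knowing or guessing a fragment of one message at 'offset' reveals the other there."""
    return xor_bytes(p1_xor_p2[offset:offset + len(crib)], crib)


if __name__ == "__main__":
    p1, p2 = b"attack at dawn", b"defend at noon"   # constructed, equal length
    pad = os.urandom(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)   # pad reused: the mistake
    print("pad reuse leaks:", crib_drag(two_time_pad_leak(c1, c2), b"attack", 0))
    k, n = os.urandom(32), os.urandom(12)
    s1, s2 = stream_encrypt(p1, k, n), stream_encrypt(p2, k, n)   # same key and nonce
    print("nonce reuse leaks:", crib_drag(two_time_pad_leak(s1, s2), b"at dawn", 7))
```

The attack needs no knowledge of the key at all, which is why stream-cipher deployments are judged on nonce management (WEP's 24-bit IV ran out of fresh values quickly, and ChaCha20 requires a unique nonce per key) rather than on the cipher alone.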
Your manager wants to implement a security measure to protect sensitive company data that reside on the remote salespeople’s laptops should they become lost or stolen. Which of the following measures would you implement?
Implement WPS on the laptops.
Set BIOS passwords on the laptops.
Use whole-disk encryption on the laptops.
Use whole-disk encryption on the laptops.
Whole-disk encryption, such as BitLocker on Windows, protects the contents of a laptop that is lost or stolen: a thief who removes the drive and reads it from another machine sees only ciphertext without the key. A BIOS password does not protect data on a removed drive, and WPS is a Wi-Fi setup feature unrelated to stored data
You want to send confidential messages to a friend through email, but you do not have a way of encrypting the message. Which of the following methods would help you achieve this goal?
Collision
RSA
Steganography
Steganography
Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files
Which of the following cipher modes uses a feedback-based encryption method to ensure that repetitive data result in unique cipher text?
ECB
CBC
GCM
CBC
CBC (Cipher Block Chaining) XORs each plaintext block with the previous ciphertext block (and the first block with an IV) before encrypting it, so identical plaintext blocks produce different ciphertext. ECB encrypts every block independently and therefore leaks repeated blocks. GCM is a counter-mode design, not a feedback mode, that also authenticates the data
Which statement is true regarding the difference between a secure cipher and a secure hash?
A secure hash can be reversed; a secure cipher cannot.
A secure cipher can be reversed; a secure hash cannot.
A secure hash produces a variable output for any input size; a secure cipher does not.
A secure cipher can be reversed; a secure hash cannot.
A secure cipher is reversible: whoever holds the key can decrypt the ciphertext back to the original data. A secure hash is one-way: it maps input of any size to a fixed-length digest that cannot be inverted to recover the input, which is why it is used for integrity checks and not for storing data you need back. Calling a hash "one-way encryption" is loose usage; hashing is not encryption
Which certificate format is typically used on Windows OS machines to import and export certificates and private keys?
AES
PEM
PFX
PFX
PFX (personal information exchange) is the Windows name for the PKCS #12 format (.pfx or .p12): a password-protected bundle of a certificate, its private key, and the issuing chain, used to import and export identities on Windows machines and to authenticate users and devices. PEM is a Base64 text encoding that can also carry certificates and keys but is more common with OpenSSL and Linux tooling, and AES is a cipher, not a certificate format
What is another name for an ephemeral key?
MD5
PKI public key
Session key
Session key
Session key is another name for an ephemeral key: a key generated for a single session and discarded afterward. In Diffie-Hellman or ECDH key exchange, each side generates an ephemeral key pair, agrees on a shared secret, and derives the symmetric session key from it; because the private halves are deleted, past sessions cannot be decrypted even if a long-term key leaks later (forward secrecy). A PKI public key is long-lived, and MD5 is a hash
Why would a threat actor use steganography?
To test integrity
To conceal information
To encrypt information
To conceal information
Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files