Cryptography and PKI (4) Flashcards

1
Q

Zack, an administrator, needs to renew a certificate for the company’s web server. Which of the following would you recommend Zack submit to the CA?

CSR

Key escrow

CRL

A

CSR

A CSR (certificate signing request) is the message an applicant sends to a CA to apply for (or renew) a digital identity certificate. It carries the subject's identifying information and public key and is signed with the matching private key; the private key itself stays on the web server and is never sent to the CA. Key escrow deposits a copy of a private key with a third party, and a CRL lists revoked certificates, so neither is what a renewal submits

2
Q

Which of the following types of encryption offers easy key exchange and key management?

Obfuscation

Asymmetric

Symmetric

A

Asymmetric

Asymmetric encryption, also known as public key cryptography, uses a key pair: the public key can be published openly, so two parties can agree on a session key without first sharing a secret over a protected channel. Key management is simpler as well, because each party needs only one key pair, whereas symmetric encryption needs a separate shared secret for every pair of communicating parties (n(n-1)/2 keys for n parties). Obfuscation is not encryption at all

3
Q

Which of the following is used to exchange cryptographic keys?

Diffie-Hellman

HMAC

ROT13

A

Diffie-Hellman

Diffie-Hellman lets two parties establish a shared secret over an untrusted channel: each sends a public value derived from a private exponent, and only someone holding one of the private exponents can compute the shared result. It is a key-agreement method, not an encryption algorithm. HMAC is a keyed hash for message authentication, and ROT13 is a trivial substitution with no key at all. Plain Diffie-Hellman does not authenticate the parties, so it must be combined with signatures or certificates to resist a man-in-the-middle
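
The key agreement described above, as an added example that is not part of the original flashcard set: two sides each pick a private exponent, exchange only public values, and derive the same session key. The modulus is transcribed from RFC 3526 group 14 (check it against the RFC before reuse), the parameter and public-value checks are the ones an implementation should run before trusting values from the network, and the function names are this example's own.

```python
import hashlib
import secrets

# 2048-bit MODP group (RFC 3526, group 14), generator 2. Transcribed here so the
# example is self-contained; verify against the RFC before reusing it.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates the subgroup of prime order Q


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin test, used to validate the group parameters before use."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_public_value(y: int) -> None:
    """Reject trivial or out-of-subgroup values an active attacker might send."""
    if not 2 <= y <= P - 2:
        raise ValueError("public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")


def dh_keypair() -> tuple[int, int]:
    """Return (private exponent, public value G^private mod P)."""
    priv = 2 + secrets.randbelow(Q - 2)  # private exponent in [2, Q-1]
    return priv, pow(G, priv, P)


def dh_shared_secret(their_pub: int, my_priv: int) -> int:
    validate_public_value(their_pub)
    return pow(their_pub, my_priv, P)


def derive_session_key(shared: int) -> bytes:
    """Never use the raw shared value directly; hash it into a fixed-size key."""
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def dh_exchange() -> dict:
    """Run one exchange and return both sides' keys plus what crossed the wire."""
    if not (is_probable_prime(P) and is_probable_prime(Q)):
        raise ValueError("group parameters failed validation")
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    # Only the public values cross the wire; an eavesdropper also knows P and G,
    # but needs a private exponent to reach the shared value.
    return {
        "alice_key": derive_session_key(dh_shared_secret(bob_pub, alice_priv)),
        "bob_key": derive_session_key(dh_shared_secret(alice_pub, bob_priv)),
        "on_the_wire": (alice_pub, bob_pub),
    }


if __name__ == "__main__":
    result = dh_exchange()
    print("session keys match:", result["alice_key"] == result["bob_key"])
```

The subgroup check (y^Q mod P == 1) is what stops a peer from sending a small-order value that would force the shared secret into a handful of possibilities; the range check alone does not catch that.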

4
Q

Which of the following encryption algorithms is used to encrypt and decrypt data?

MD5

HMAC

RC4

A

RC4

RC4 is a stream cipher used to encrypt and decrypt data. Its keystream has well-documented statistical biases, so it has been prohibited in TLS (RFC 7465) and should not be used in new designs. MD5 is a hash function and HMAC is a keyed hash; neither encrypts anything

5
Q

Which of the following provides additional encryption strength by repeating the encryption process with additional keys?

3DES

AES

Twofish

A

3DES

3DES is a symmetric block cipher that applies the DES algorithm three times to each 64-bit block (encrypt, decrypt, encrypt, hence "EDE") with two or three keys. AES and Twofish are single-pass ciphers with their own larger key sizes. The repetition was a stopgap for DES's 56-bit key; NIST has deprecated 3DES, and AES should be used instead

6
Q

Which of the following security mechanisms can be used for the purpose of nonrepudiation?

Encryption

Digital signature

Collision

A

Digital signature

A digital signature is created with the signer's private key, which only that user or computer holds, and anyone with the matching public key can verify it. Nonrepudiation is the assurance that the signer cannot later deny having signed or sent the message. Encryption alone provides confidentiality, not proof of origin, and a collision is a hash weakness, not a security mechanism

7
Q

You are a network administrator for your company, and the single AP that allows clients to connect to the wireless LAN is configured with a WPA-PSK preshared key of the company name followed by the number 1. Which of the following statements is correct regarding this implementation?

It is secure because the preshared key is at least five characters long.

It is not secure because the preshared key includes only one number and the company name so it can be easily guessed.

It is not secure because WPA-PSK is as insecure as WEP and should never be used.

A

It is not secure because the preshared key includes only one number and the company name so it can be easily guessed.

A preshared key made of the company name plus a single digit is trivially guessable. WPA and WPA2-PSK passphrases are 8 to 63 ASCII characters, and an attacker who captures the four-way handshake can test guesses offline at high speed, so length and unpredictability matter far more than the eight-character minimum: use a long passphrase that is not derived from anything public (company name, SSID, address). WPA-PSK is not equivalent to WEP; WEP's RC4 key scheduling is broken outright, while the weakness here is only the poor passphrase

8
Q

You are a security technician and have been given the task to implement a PKI on the company’s network. When verifying the validity of a certificate, you want to ensure bandwidth isn’t consumed. Which of the following can you implement?

CRL

OCSP

Key escrow

A

CRL

A CRL (certificate revocation list) is a signed list of certificates the issuing CA has revoked before their scheduled expiration and that should no longer be trusted. The client downloads it from the distribution point named in the certificate and caches it until its next update, so individual certificate checks are answered locally without network traffic. OCSP, by contrast, sends a query to the CA's responder for each certificate being validated. The trade-off is that a CRL can grow large and is only as fresh as its last download. Key escrow concerns safeguarding copies of private keys, not revocation

9
Q

Which of the following types of device are found in a network that supports Wi-Fi Protected Setup (WPS) protocol? (Choose three.)

Registrar

Supplicant

Enrollee

Access Point

A

Registrar

Enrollee

Access Point

The Wi-Fi Protected Setup specification defines three roles. A registrar is the device with authority to issue or revoke network credentials; the enrollee is a client device seeking to join the wireless network; and the AP (access point) functions as a proxy between the registrar and the enrollee. A supplicant is the 802.1X client role, not a WPS role. Note that the WPS PIN method is vulnerable to brute force because the eight-digit PIN is validated in two halves, cutting the search to roughly 11,000 attempts, which is why WPS is commonly disabled on production APs

10
Q

You are a network administrator for a distribution company and the manager wants to implement a secure wireless LAN for a BYOD policy. Through research, you determine that the company should implement AES encryption and the 802.1X authentication protocol. You also determine that too many APs and clients will be installed to configure each one with a preshared key passphrase. Which of the following will meet your needs?

WEP

WPA2-Personal

WPA2-Enterprise

A

WPA2-Enterprise

WPA2-Enterprise uses AES-CCMP and 802.1X, in which the authenticator (the AP) relays each client's credentials to an authentication server (typically RADIUS). Users authenticate with individual credentials or certificates, so no shared passphrase has to be distributed to every device, and a lost BYOD device can be revoked without re-keying the whole network. WPA2-Personal depends on a single PSK, and WEP is broken

11
Q

The process of deleting data by sending a single erase or clear instruction to an address of the nonvolatile memory is an example of securing which of the following?

Data-in-transit

Data-in-use

Data-at-rest

A

Data-at-rest

Data-at-rest is inactive data stored on persistent media such as nonvolatile memory, disks or backups; securely erasing it (here with a single clear instruction to the memory address) is a data-at-rest control. Data-in-transit is data crossing a network, and data-in-use is data held in RAM or processor state

12
Q

Which of the following is an authentication service and uses UDP as a transport medium?

TACACS+

RADIUS

LDAP

A

RADIUS

RADIUS is a client-server protocol that lets network access servers pass authentication, authorization and accounting requests to a central server over UDP (ports 1812 and 1813, or legacy 1645 and 1646). It does not encrypt whole messages: only the User-Password attribute is hidden, by XORing it with an MD5 digest of the shared secret and the request authenticator, so the rest of the packet travels in the clear. TACACS+ uses TCP port 49 and encrypts the entire packet body; LDAP runs over TCP (389, or 636 for LDAPS)
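
To make concrete what "only the password is hidden" means, here is the RFC 2865 section 5.2 User-Password hiding and its inverse as an added example, not code from the flashcards or from any RADIUS implementation. The shared secret, authenticator and password are constructed for the demo; the function names are this example's own.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def new_authenticator() -> bytes:
    """A real client sends 16 fresh random bytes as the Request Authenticator."""
    return secrets.token_bytes(16)


def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to 16-byte chunks, then XOR each
    chunk with MD5(secret || previous chunk), seeded with the authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RADIUS passwords are at most 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_user_password. Anyone holding the shared secret and the
    captured packet can run this, which is why the secret must be strong."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    # Padding is NUL bytes, so trailing NULs are stripped (a real password
    # therefore cannot end in NUL).
    return bytes(out).rstrip(b"\x00")


# Constructed demo inputs; the authenticator is fixed here only for reproducibility.
SHARED_SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
DEMO_PASSWORD = b"correct horse battery staple"


def demo() -> dict:
    hidden = hide_user_password(SHARED_SECRET, AUTHENTICATOR, DEMO_PASSWORD)
    return {
        "hidden": hidden,
        "revealed": reveal_user_password(SHARED_SECRET, AUTHENTICATOR, hidden),
        # A wrong secret yields garbage, but a weak secret can be guessed offline
        # from a captured Access-Request.
        "wrong_secret": reveal_user_password(b"guess", AUTHENTICATOR, hidden),
    }


if __name__ == "__main__":
    print(demo())
```

Everything else in the packet, including the User-Name, is sent as plain text, so RADIUS should be confined to a management network or carried inside IPsec or RadSec (RADIUS over TLS).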

13
Q

Which of the following is true regarding the importance of encryption of data-at-rest for sensitive information?

It renders the recovery of data more difficult should the user lose their password.

It allows the user to verify the integrity of the data on the stored device.

It prevents the sensitive data from being accessed after a theft of the physical equipment.

A

It prevents the sensitive data from being accessed after a theft of the physical equipment.

If a drive is stolen, the thief obtains only scrambled data that can be read only with the corresponding key. The protection applies to data at rest: once the system is booted and the volume unlocked, the operating system's access controls, not the encryption, decide who reads the data. Encryption provides confidentiality, not integrity (that needs a MAC or signature), and making recovery harder after a lost password is a cost of encryption, not its purpose

14
Q

You are a network administrator and your manager has asked you to enable WPA2 CCMP for wireless clients, along with an encryption algorithm to protect the data transmitted across the network. Which of the following encryption methods would you use along with WPA2 CCMP?

RC4

DES

AES

A

AES

CCMP (Counter Mode with CBC-MAC Protocol) is built on AES and combines two cryptographic techniques: AES in counter mode provides confidentiality and AES-CBC-MAC provides integrity and authentication of each frame, giving a far stronger protocol between the mobile client and the access point than WPA's TKIP. RC4 underlies WEP and TKIP, and DES has only a 56-bit key; neither is used with CCMP

15
Q

Which of the following is the least secure hashing algorithm?

MD5

SHA-1

AES

A

MD5

MD5 produces a 128-bit message digest regardless of the length of the input, and practical collisions (two different inputs with the same digest) can be generated in seconds on commodity hardware. SHA-1 (160-bit) is also broken for collisions, but only at far higher cost, and AES is a block cipher, not a hash. Neither MD5 nor SHA-1 should be used where collision resistance matters, such as digital signatures or certificates

16
Q

Which of the following types of attack sends two different messages using the same hash function, causing a collision?

Xmas attack

Logic bomb

Birthday attack

A

Birthday attack

A birthday attack finds hash collisions by generating many candidate messages and waiting for two to share a digest. It is named for the birthday paradox: in a room of only 23 people there is better than a 50 percent chance that some two of them share a birthday, far fewer people than intuition suggests. Likewise, for an n-bit hash a collision is expected after roughly 2^(n/2) attempts rather than 2^n, which is why 128-bit MD5 offers at most 64 bits of collision resistance even before its structural flaws are considered. Xmas attacks are TCP scans and logic bombs are malicious code; neither involves hashing
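
The birthday attack carried out against a deliberately shortened hash, as an added example that is not part of the original flashcards: SHA-256 is truncated to n bits to stand in for a weak hash, and a collision turns up after on the order of 2^(n/2) candidates, matching the birthday bound. Function names and the message prefix are this example's own.

```python
import hashlib
import math


def truncated_hash(message: bytes, nbits: int) -> int:
    """Top nbits of SHA-256, standing in for a short (weak) hash function."""
    if not 1 <= nbits <= 256:
        raise ValueError("nbits must be in 1..256")
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - nbits)


def expected_attempts(nbits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random inputs give a 50% collision chance."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def find_collision(nbits: int, prefix: bytes = b"msg-") -> tuple[bytes, bytes, int]:
    """Generate distinct messages (prefix + counter) until two share a truncated
    digest. Returns (message1, message2, attempts). Memory grows with attempts,
    which is the classic time/memory trade-off of this attack."""
    seen: dict[int, bytes] = {}
    attempts = 0
    while True:
        message = prefix + str(attempts).encode()
        attempts += 1
        h = truncated_hash(message, nbits)
        if h in seen:
            return seen[h], message, attempts
        seen[h] = message


if __name__ == "__main__":
    n = 32  # 32-bit digest: expect a collision after roughly 82,000 tries
    m1, m2, tries = find_collision(n)
    print(f"collision after {tries} tries (expected ~{expected_attempts(n):.0f}): {m1!r} {m2!r}")
```

Scaling the bound to a full digest is the point: 2^64 attempts for a 128-bit hash is within reach of well-funded attackers, 2^128 for SHA-256 is not.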

17
Q

Which of the following defines a file format commonly used to store private keys with associated public key certificates?

PKCS #3

PKCS #7

PKCS #12

A

PKCS #12

PKCS #12 defines a password-protected container that bundles a private key with its X.509 certificate (and usually the issuing chain), so a server or workstation can import both in one step; the files carry a .p12 or .pfx extension. PKCS #3 is the Diffie-Hellman standard, and PKCS #7 (.p7b files) carries certificates and signed data but no private keys. Because a PKCS #12 file holds the private key, it must be protected by a strong password and handled like the key itself. Separately, an X.509 certificate can be a wildcard certificate covering multiple hosts under a single domain

18
Q

Which of the following statements are true regarding ciphers? (Choose two.)

Stream ciphers encrypt fixed sizes of data.

Stream ciphers encrypt data one bit at a time.

Block ciphers encrypt data one bit at a time.

Block ciphers encrypt fixed sizes of data.

A

Stream ciphers encrypt data one bit at a time.

Block ciphers encrypt fixed sizes of data.

A stream cipher encrypts data one bit or byte at a time by combining it with a keystream, a low-latency operation suited to continuous data, whereas a block cipher encrypts one fixed-size block (64 bits for DES, 128 bits for AES) at a time

19
Q

Which of the following are key sizes, in bits, of 3DES? (Choose three.)

56

112

128

168

A

56

112

168

3DES is a symmetric block cipher that applies the DES algorithm three times to each 64-bit block, and it has three keying options. With three independent keys, the key length is 3 × 56 = 168 bits. With key 1 and key 2 independent and key 3 equal to key 1, it is 2 × 56 = 112 bits. With all three keys identical, it is 1 × 56 = 56 bits, which is equivalent to single DES and exists only for backward compatibility. Because of the meet-in-the-middle attack, three-key 3DES provides only about 112 bits of security and two-key 3DES about 80; 128 is an AES key size, not a 3DES one

20
Q

Which of the following statements is true about symmetric algorithms?

They hide data within an image file.

They use one key to encrypt data and another to decrypt data.

They use a single key to encrypt and decrypt data.

A

They use a single key to encrypt and decrypt data.

A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data, so that key must be shared secretly in advance. Using one key to encrypt and another to decrypt describes asymmetric algorithms, and hiding data within an image is steganography

21
Q

The CA is responsible for revoking certificates when necessary. Which of the following statements best describes the relationship between a CRL and OCSP?

OCSP is a protocol to submit revoked certificates to a CRL.

CRL is a more streamlined approach to OCSP.

OCSP is a protocol to check the CRL during a certificate validation process.

A

OCSP is a protocol to check the CRL during a certificate validation process.

Revoked certificates are listed in a CRL (certificate revocation list), which the CA publishes at a distribution point named in each certificate; clients download it and cache it until its next scheduled update (the CA does not push it to them). OCSP (Online Certificate Status Protocol) lets a client ask the CA's responder about a single certificate in real time and receive a signed answer of "good," "revoked," or "unknown," avoiding the download of the whole list. With OCSP stapling, the TLS server fetches the OCSP response itself and attaches it to the handshake, so the client never has to contact the responder; this cuts latency and keeps the responder from learning which sites a user visits

22
Q

Which of the following takes each bit in a character and XORs it with the corresponding bit in the secret key?

PBKDF2

Obfuscation

One-time pad

A

One-time pad

A one-time pad is a stream cipher that encrypts the plaintext with a truly random secret key as long as the plaintext, using XOR as the encryption (and decryption) operation. It is provably unbreakable only if the key is random, kept secret, and never reused; reusing a pad lets an attacker XOR two ciphertexts together and recover the XOR of the two plaintexts. PBKDF2 derives keys from passwords, and obfuscation merely makes data harder to read

23
Q

Which of the following works similarly to stream ciphers?

One-time pad

RSA

AES

A

One-time pad

A stream cipher encrypts one plaintext digit at a time by XORing it with the corresponding digit of a keystream, structurally the same operation as a one-time pad. The difference is that a stream cipher expands a short key into a pseudorandom keystream, so it offers computational rather than the one-time pad's information-theoretic security, and it inherits the same rule: never reuse a key and nonce pair. RSA is an asymmetric algorithm and AES is a block cipher (though AES in counter mode is used as a stream cipher)
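
The one-time pad from card 22 and the stream-cipher structure from card 23, as one added example that is not part of the original flashcards: both encrypt by XORing the plaintext with a keystream, and both fail the same way when the keystream is reused. The "toy_keystream" is an illustration of the structure (SHA-256 in counter mode over key and nonce), not a cipher to deploy; the messages are constructed for the demo and the function names are this example's own.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """A pad must be truly random, as long as the message, and used exactly once."""
    return secrets.token_bytes(length)


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """XOR with the pad; decryption is the identical operation."""
    return xor_bytes(pad, plaintext)


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative stream-cipher keystream: SHA-256 over key || nonce || counter.
    Shows only the structure; use ChaCha20 or AES-CTR from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Same XOR as the one-time pad, but the pad is generated from a short key."""
    return xor_bytes(toy_keystream(key, nonce, len(plaintext)), plaintext)


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad (or one key/nonce pair) covers two messages, XORing the two
    ciphertexts cancels the keystream and leaves plaintext1 XOR plaintext2."""
    return xor_bytes(ct1, ct2)


def recover_second_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Given one plaintext, the leak yields the other without ever knowing the key."""
    return xor_bytes(two_time_pad_leak(ct1, ct2), known_pt1)


# Constructed demo messages, 16 bytes each.
PT1 = b"ATTACK AT DAWN!!"
PT2 = b"RETREAT AT DUSK!"

if __name__ == "__main__":
    pad = otp_keygen(len(PT1))
    c1, c2 = otp_encrypt(pad, PT1), otp_encrypt(pad, PT2)  # pad reused: the mistake
    print("recovered:", recover_second_plaintext(c1, c2, PT1))
```

The same recovery works against the toy stream cipher whenever the key and nonce repeat, which is why real protocols carry a nonce per message and treat its reuse as a key compromise.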

24
Q

Your manager wants to implement a security measure to protect sensitive company data that reside on the remote salespeople’s laptops should they become lost or stolen. Which of the following measures would you implement?

Implement WPS on the laptops.

Set BIOS passwords on the laptops.

Use whole-disk encryption on the laptops.

A

Use whole-disk encryption on the laptops.

Whole-disk encryption, such as BitLocker on Windows, encrypts the entire volume, so a thief who removes the drive and mounts it in another machine reads only ciphertext. WPS concerns wireless setup, and a BIOS password is bypassed simply by moving the drive. For the protection to hold, the key must not be recoverable from the laptop itself: pair the TPM with a PIN or use a pre-boot passphrase, and keep recovery keys in escrow rather than on the device

25
Q

You want to send confidential messages to a friend through email, but you do not have a way of encrypting the message. Which of the following methods would help you achieve this goal?

Collision

RSA

Steganography

A

Steganography

Steganography hides data within other data, such as image, video or audio files, so that the existence of the message itself is concealed. It does not encrypt: anyone who knows or guesses the embedding method can recover the message, so it relies on obscurity rather than a key. RSA would encrypt the message (which the question rules out), and a collision is a hash weakness

26
Q

Which of the following cipher modes uses a feedback-based encryption method to ensure that repetitive data result in unique cipher text?

ECB

CBC

GCM

A

CBC

In CBC (Cipher Block Chaining) mode, each plaintext block is XORed with the previous ciphertext block before encryption (the first block is XORed with a random IV), so identical plaintext blocks produce different ciphertext blocks. ECB encrypts each block independently, so repeated plaintext yields repeated ciphertext and patterns leak. GCM also avoids the problem, using counter mode rather than feedback, and additionally authenticates the data
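
The ECB-versus-CBC difference made visible, as an added example that is not part of the original flashcards. The block cipher inside it is a toy four-round Feistel construction (round function: truncated SHA-256) written only so the example runs without a crypto library; it is a permutation, which is all the mode comparison needs, and must not be used as a real cipher. The key, IV, plaintext and function names are constructed for the demo.

```python
import hashlib

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, round_order) -> bytes:
    """Toy 128-bit Feistel block cipher. Encrypting and decrypting differ only in
    the order of the round subkeys; the final half-swap makes them symmetric."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in round_order:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return right + left


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of 16 bytes (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Each block independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Feedback: each block is XORed with the previous ciphertext block (IV first)."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_block_count(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one (ECB's tell-tale)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed demo inputs: a fixed IV is used only for reproducibility here;
# CBC needs a fresh unpredictable IV per message.
KEY = b"demo-key-16bytes"
IV = bytes(range(16))
PLAINTEXT = b"ATTACK AT DAWN!!" * 4  # four identical 16-byte blocks

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_block_count(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC repeated blocks:", repeated_block_count(cbc_encrypt(KEY, IV, PLAINTEXT)))
```

With ECB, the four identical plaintext blocks come out as four identical ciphertext blocks, which is exactly the pattern leak the card warns about; with CBC the chaining makes every block's input different.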

27
Q

Which statement is true regarding the difference between a secure cipher and a secure hash?

A secure hash can be reversed; a secure cipher cannot.

A secure cipher can be reversed; a secure hash cannot.

A secure hash produces a variable output for any input size; a secure cipher does not.

A

A secure cipher can be reversed; a secure hash cannot.

A secure cipher is reversible by design: anyone holding the key can decrypt the ciphertext back to the original plaintext. A secure hash is one-way: it maps input of any length to a fixed-size digest, and there is no key with which to recover the input, which is what makes it useful for integrity checks and password storage. Hashing is therefore not encryption, and its output is fixed-size, not variable

28
Q

Which certificate format is typically used on Windows OS machines to import and export certificates and private keys?

AES

PEM

PFX

A

PFX

PFX (personal information exchange) is the Windows name for the PKCS #12 container format; .pfx files hold a certificate, its chain and the private key, protected by a password, and are what the Windows certificate store imports and exports when the private key must travel with the certificate. PEM is a Base64 text encoding more common on Unix-like systems, and AES is a cipher, not a file format

29
Q

What is another name for an ephemeral key?

MD5

PKI public key

Session key

A

Session key

An ephemeral key is generated for a single session and discarded afterwards, which is why it is also called a session key. In practice an ephemeral Diffie-Hellman key pair (DHE or ECDHE) is created per session and used to derive the symmetric session key; because neither is kept, a later compromise of the server's long-term private key does not expose past sessions (forward secrecy). A PKI public key is long-lived, and MD5 is a hash

30
Q

Why would a threat actor use steganography?

To test integrity

To conceal information

To encrypt information

A

To conceal information

Steganography hides data within other data, such as image, video or audio files, to conceal that a message exists at all; a threat actor may use it to exfiltrate data or to slip command-and-control traffic past inspection that looks only for encrypted or unusual content. It provides no encryption and no integrity protection
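
The concealment technique of cards 25 and 30, as one added example that is not part of the original flashcards: least-significant-bit embedding of a message into a byte sequence standing in for raw pixel data, with a length header so the extractor knows where the message ends. The cover bytes are constructed for the demo and the function names are this example's own; note that extraction needs no key, which is the difference between hiding and encrypting.

```python
import struct


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write each payload bit into the least significant bit of one cover byte,
    preceded by a 4-byte big-endian length. Each cover byte changes by at most 1."""
    framed = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need one cover byte per payload bit")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload. Anyone who knows the scheme can do this: no key involved."""
    def read_bytes(offset: int, count: int) -> bytes:
        bits = [b & 1 for b in stego[offset:offset + count * 8]]
        if len(bits) < count * 8:
            raise ValueError("stego data truncated")
        return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)  # payload bits start after the 32 header bits


def bytes_changed(cover: bytes, stego: bytes) -> int:
    """How many cover bytes differ; at most one per embedded bit."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


# Constructed stand-in for raw 8-bit pixel values (512 "pixels").
COVER = bytes((i * 37 + 11) % 256 for i in range(512))

if __name__ == "__main__":
    hidden = embed_lsb(COVER, b"meet at dawn")
    print("changed bytes:", bytes_changed(COVER, hidden), "->", extract_lsb(hidden))
```

In a real image the LSB changes are invisible to the eye but detectable statistically, and a defender inspecting the file can run the same extraction; encrypting the payload before embedding is what keeps its contents private once the carrier is found.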