Cryptography and PKI (5) Flashcards
The CIO has instructed you to set up a system where credit card data will be encrypted with the most secure symmetric algorithm with the least amount of CPU usage. Which of the following algorithms would you choose?
AES
SHA-1
MD5
AES
AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data and requires the least CPU usage of the listed options
Which of the following encryption methods is used by RADIUS?
Asymmetric
Symmetric
Elliptic curve
Symmetric
RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security
When setting up a secure wireless company network, which of the following should you avoid?
WPA
WPA2
EAP-TLS
WPA
WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. WPA is less secure than WPA2
You want to authenticate and log connections from wireless users connecting with EAP-TLS. Which of the following should be used?
Kerberos
SAML
RADIUS
RADIUS
RADIUS is a networking protocol that provides centralized AAA for users connecting and using a network service. EAP-TLS offers a good deal of security with the use of TLS and uses PKI to secure communication to the RADIUS authentication server
Which of the following would be used to allow certain traffic to traverse from a wireless network to an internal network?
WPA
Load balancers
802.1x
802.1x
802.1x enhances security within a WLAN by providing an authentication framework. Users are authenticated by a central authority before they are allowed within the network
You are asked to see if several confidential files have changed, and you decide to use an algorithm to create message digests for the confidential files. Which algorithm would you use?
RC4
Blowfish
SHA-1
SHA-1
SHA-1 is a hashing algorithm that creates message digests and is used for integrity
Network data needs to be encrypted, and you are required to select a cipher that will encrypt 128 bits at a time before the data are sent across the network. Which of the following would you choose?
Stream cipher
Hash algorithm
Block cipher
Block cipher
Block ciphers encrypt data one fixed-size block at a time
Which of the following are considered cryptographic hash functions? (Choose two.)
AES
MD5
RC4
SHA-256
MD5
SHA-256
MD5 and SHA are considered cryptographic hash functions that transform a string of characters into a fixed-length value
A company’s database is beginning to grow, and the data-at-rest are becoming a concern with the security administrator. Which of the following is an option to secure the data-at-rest?
SSL certificate
Encryption
Hashing
Encryption
Data-at-rest is all data that is inactive and stored in a physical digital form such as nonvolatile memory. If the device the data is stored on is stolen, the unauthorized person will not be able to read the data due to the encryption
Which of the following hardware devices can store keys? (Choose two.)
USB flash drive
Smartcard
PCI expansion card
Cipher lock
USB flash drive
Smartcard
USB flash drives and smartcards can carry a token and store keys for authentication to systems. They are often used in a multifactor authentication situation
You are a security manager and have been asked to encrypt database system information that contains employee social security numbers. You are looking for an encryption standard that is fast and secure. Which of the following would you suggest to accomplish the requirements?
SHA-256
AES
RSA
AES
AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data that is fast and secure
James is a security administrator and wants to ensure the validity of public trusted certificates used by the company’s web server, even if there is an Internet outage. Which of the following should James implement?
Key escrow
OCSP
CSR
OCSP
OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. OCSP can prepackage a list of revoked certificates and distribute them through browser updates, and this list can be checked even if there is an Internet outage
You are a security administrator looking to implement a two-way trust model. Which of the following would you use?
PGP
WPA2
PKI
PKI
PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. A trust model is used to set up trust between CAs. A certificate has a subject alternative name (SAN) for machines (fully qualified domain names) or users (user principal name)
If a threat actor obtains an SSL private key, what type of attack can be performed? (Choose two.)
Eavesdropping
Man-in-the-middle
Social engineering
Brute force
Eavesdropping
Man-in-the-middle
A threat actor can carry out an eavesdropping attack and a man-in-the-middle attack. Eavesdropping with a private key can allow the threat actor to see data in clear text. A man-in-the-middle attack can allow the threat actor to modify the data being transmitted to the server, such as adding malware to the data
Most authentication systems make use of a one-way encryption process. Which of the following is an example of a one-way encryption?
Symmetric algorithm
Hashing
PKI
Hashing
Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages
Which of the following transpires in a PKI environment?
The CA signs the certificate.
The RA signs the certificate.
The CA creates the certificate and the RA signs it.
The CA signs the certificate.
A CA (certificate authority) is a trusted entity that creates and digitally signs certificates so the receiver can verify the certificate came from that specific CA
Which of the following statements best describes how a digital signature is created?
The sender encrypts a message digest with the receiver’s public key.
The sender encrypts a message digest with the receiver’s private key.
The sender encrypts a message digest with his or her private key.
The sender encrypts a message digest with his or her private key.
A digital signature is a hash value (message digest) that is encrypted with the sender’s private key. The receiver performs a hashing function on the message and decrypts the sent hash value with the sender’s public key and compares the two hash values. If the hash values are the same, the message actually came from the sender. This is performed by DSA (digital signature algorithm) and allows traceability to the person signing the message through the use of their private key
AES is an algorithm used for which of the following?
Encrypting a large amount of data
Encrypting a small amount of data
Key recovery
Encrypting a large amount of data
AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt large amounts of data (bulk)
PEAP protects authentication transfers by implementing which of the following?
TLS tunnels
SSL tunnels
AES
TLS tunnels
PEAP is a protocol that encapsulates the EAP within a TLS tunnel
AES-CCMP uses a 128-bit temporal key and encrypts data in what block size?
256
192
128
128
The AES-CCMP encryption algorithm used in the 802.11i security protocol uses the AES block cipher and limits the key length to 128 bits. AES-CCMP makes it difficult for an eavesdropper to spot patterns
Which of the following implement Message Integrity Code (MIC)? (Choose two.)
AES
DES
CCMP
TKIP
CCMP
TKIP
Message Integrity Code (MIC) is a security improvement for WEP encryption within wireless networks. TKIP and CCMP use MIC, which provides an integrity check on the data packet
James, a WLAN security engineer, recommends to management that WPA-Personal security should not be deployed within the company’s WLAN for their vendors. Which of the following statements best describe James’s recommendation? (Choose two.)
Static preshared passphrases are susceptible to social engineering attacks.
WPA-Personal uses public key encryption.
WPA-Personal uses a weak TKIP encryption.
WPA-Personal uses a RADIUS authentication server.
Static preshared passphrases are susceptible to social engineering attacks.
WPA-Personal uses a weak TKIP encryption.
A threat actor can obtain preshared passphrases through social engineering and then connect to the AP. WPA-Personal uses TKIP encryption, which is considered a weak option
Which of the following is correct regarding root certificates?
Root certificates never expire.
A root certificate contains the public key of the CA.
A root certificate contains information about the user.
A root certificate contains the public key of the CA.
A root certificate is a public key certificate that identifies the root CA (certificate authority). Digital certificates are verified using a chain of trust (certificate chaining) and the trust anchor for the certificate is the root certificate authority (CA)
Which of the following statements are correct about public and private key pairs? (Choose two.)
Public and private keys work in isolation of each other.
Public and private keys work in conjunction with each other as a team.
If the public key encrypts the data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
If the private key encrypts the data using an asymmetric encryption algorithm, the receiver uses the same private key to decrypt the data.
Public and private keys work in conjunction with each other as a team.
If the public key encrypts the data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.
Public and private keys work with each other to encrypt and decrypt data. If the data is encrypted with the receiver’s public key, the receiver decrypts the data with their private key
Your company has discovered that several confidential messages have been intercepted. You decide to implement a web of trust to encrypt the files. Which of the following are used in a web of trust concept? (Choose two.)
RC4
AES
PGP
GPG
PGP
GPG
PGP and GPG use a web of trust to establish the authenticity of the binding between a public key and its owner
Which of the following algorithms is typically used to encrypt data-at-rest?
Symmetric
Asymmetric
Stream
Symmetric
A symmetric algorithm, sometimes called a secret key algorithm, uses the same key to encrypt and decrypt data and is typically used to encrypt data-at-rest
Which of the following can assist in the workload of the CA by performing identification and authentication of users requesting certificates?
Intermediate CA
Registered authority
OCSP
Registered authority
A registered authority (RA) is used to verify requests for certificates and forwards responses to the CA
You recently upgraded your wireless network so that your devices will use the 802.11n protocol. You want to ensure all communication on the wireless network is secure with the strongest encryption. Which of the following is the best choice?
WEP
WPA
WPA2
WPA2
WPA2 is a security standard that secures computers connected to the 802.11n WiFi network. It provides the strongest available encryption for wireless networks
A college wants to move data to a USB flash drive and has asked you to suggest a way to secure the data in a quick manner. Which of the following would you suggest?
3DES
SHA-256
AES-256
AES-256
AES-256 can encrypt data on a USB flash drive quickly and securely