D5 Cryptography Flashcards
Carla’s organization recently suffered a data breach when an employee misplaced a laptop containing sensitive customer information. Which one of the following controls would be least likely to prevent this type of breach from reoccurring in the future?
A. Full disk encryption
B. File encryption
C. File integrity monitoring
D. Data minimization
C. File integrity monitoring
Explanation
Protecting the sensitive information with either full disk encryption or file encryption would render it unreadable to anyone finding the device. Data minimization would involve the removal of sensitive information from the device. File integrity monitoring would detect any changes in information stored on the device but would not protect against data loss.
Which one of the following cryptographic systems is most closely associated with the Web of Trust?
A. RC4
B. SHA
C. AES
D. PGP
D. PGP
Explanation
Phil Zimmermann’s Pretty Good Privacy (PGP) software is an encryption technology based upon the Web of Trust (WoT). This approach extends the social trust relationship to encryption keys.
Max is the security administrator for an organization that uses a remote access VPN. The VPN depends upon RADIUS authentication, and Max would like to assess the security of that service. Which one of the following hash functions is the strongest cryptographic hash protocol supported by RADIUS?
A. MD5
B. SHA‐2
C. SHA‐512
D. HMAC
A. MD5
Explanation
Unfortunately, the RADIUS protocol only supports the weak MD5 hash function. This is the major criticism of the RADIUS protocol. Most organizations require that RADIUS be protected with additional encryption to compensate for this vulnerability.
Your organization regularly handles three types of data: information that it shares with customers, information that it uses internally to conduct business, and trade secret information that offers the organization significant competitive advantages. Information shared with customers is used and stored on web servers, while both the internal business data and the trade secret information are stored on internal file servers and employee workstations.
What technique could you use to mark your trade secret information in case it was released or stolen and you need to identify it?
A. Classification
B. Symmetric encryption
C. Watermarks
D. Metadata
C. Watermarks
Explanation
A watermark is used to digitally label data and can be used to indicate ownership. Encryption would have prevented the data from being accessed if it was lost, while classification is part of the set of security practices that can help make sure the right controls are in place. Finally, metadata is used to label data and might help a data loss prevention system flag it before it leaves your organization.
Maria’s organization is building a property records system that will rely upon a distributed immutable ledger to preserve transaction records. What technology is best suited to assist with this implementation?
A. PKI
B. Blockchain
C. Digital signatures
D. Digital certificates
B. Blockchain
Explanation
It is possible that any of these technologies could play a role in this system, but the relevant words in this question are that Maria is seeking a distributed, immutable ledger. This is the core function of blockchain solutions, making blockchain the best possible answer.
What protocol is preferred over Telnet for remote server administration via the command line?
A. SCP
B. SFTP
C. WDS
D. SSH
D. SSH
Explanation
Secure Shell (SSH) is an encrypted protocol for remote login and command‐line access. SCP and SFTP are both secure file transfer protocols, while WDS is the acronym for Windows Deployment Services, which provides remote installation capabilities for Windows operating systems.
Linux systems that use bcrypt are using a tool based on what DES alternative encryption scheme?
A. 3DES
B. AES
C. Diffie–Hellman
D. Blowfish
D. Blowfish
Explanation
Bcrypt is based on Blowfish (the b is a key hint here). AES and 3DES are both replacements for DES, while Diffie‐Hellman is a protocol for key exchange.
Which one of the following is not considered PII under U.S. federal government regulations?
A. Name
B. Social Security number
C. Student ID number
D. ZIP code
D. ZIP code
Explanation
Personally identifiable information includes any information that can uniquely identify an individual. This would include name, Social Security number, and any other unique identifier (including a student ID number). ZIP code, by itself, does not uniquely identify an individual.
What type of encryption is typically used for data at rest?
A. Asymmetric encryption
B. Symmetric encryption
C. DES
D. OTP
B. Symmetric encryption
Explanation
Symmetric encryption like AES is typically used for data at rest. Asymmetric encryption is often used during transactions or communications when the ability to have public and private keys is necessary. DES is an outdated encryption standard, and OTP is the acronym for one‐time password.
Ed has been asked to send data that his organization classifies as confidential and proprietary via email. What encryption technology would be appropriate to ensure that the contents of the files attached to the email remain confidential as they traverse the Internet?
A. SSL
B. TLS
C. PGP
D. VPN
C. PGP
Explanation
PGP, or Pretty Good Privacy (or its open source alternative, GPG), provides strong encryption of files, which can then be sent via email. Email traverses multiple servers and will be unencrypted at rest at multiple points along its path as it is stored and forwarded to its destination.
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.
If Alice wants to send Bob an encrypted message, what key does she use to encrypt the message?
A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bob’s private key
C. Bob’s public key
Explanation
In an asymmetric cryptosystem, the sender of a message always encrypts the message using the recipient’s public key.
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.
Which one of the following keys would Bob not possess in this scenario?
A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bob’s private key
B. Alice’s private key
Explanation
Each user retains their private key as secret information. In this scenario, Bob would only have access to his own private key and would not have access to the private key of Alice or any other user.
Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.
Alice would also like to digitally sign the message that she sends to Bob. What key should she use to create the digital signature?
A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bob’s private key
B. Alice’s private key
Explanation
Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice’s public key.
Florian and Tobias would like to begin communicating using a symmetric cryptosystem, but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key?
A. IDEA
B. Diffie‐Hellman
C. RSA
D. MD5
B. Diffie‐Hellman
Explanation
The Diffie‐Hellman algorithm allows for the secure exchange of symmetric encryption keys over a public network.
What cryptographic principle stands behind the idea that cryptographic algorithms should be open to public inspection?
A. Security through obscurity
B. Kerckhoffs’ principle
C. Defense in depth
D. Heisenberg principle
B. Kerckhoffs’ principle
Explanation
Kerckhoffs’ principle says that a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
Sherry conducted an inventory of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies should she replace because it is no longer considered secure?
A. MD5
B. 3DES
C. PGP
D. WPA2
A. MD5
Explanation
The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.
Brent is selecting an encryption algorithm that will protect data that has long‐lasting sensitivity. He would like to select an algorithm that is most resistant to quantum computing attacks. Which algorithm would best meet his needs?
A. AES
B. RSA
C. DES
D. ECC
A. AES
Explanation
Answering this question requires combining information about different types of cryptographic flaws. First, symmetric algorithms are thought to be resistant to future quantum attacks, while asymmetric algorithms are likely vulnerable to these attacks. Therefore, we can eliminate the two asymmetric algorithms as options: RSA and ECC. Next, the DES algorithm is weak and should no longer be used. That leaves us with the Advanced Encryption Standard (AES) as the only viable answer.
Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths?
A. Blowfish
B. DES
C. Skipjack
D. IDEA
A. Blowfish
Explanation
Blowfish allows the user to select any key length between 32 and 448 bits.
Howard is choosing a cryptographic algorithm for his organization, and he would like to choose an algorithm that supports the creation of digital signatures. Which one of the following algorithms would meet his requirement?
A. RSA
B. DES
C. AES
D. Blowfish
A. RSA
Explanation
Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.
Alison is examining a digital certificate presented to her by her bank’s website. Which one of the following requirements is not necessary for her to trust the digital certificate?
A. She knows that the server belongs to the bank.
B. She trusts the certificate authority.
C. She verifies that the certificate is not listed on a CRL.
D. She verifies the digital signature on the certificate.
A. She knows that the server belongs to the bank.
Explanation
The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA’s digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank.
Alice is designing a cryptosystem for use by six users and would like to use a symmetric encryption algorithm. She wants any two users to be able to communicate with each other without worrying about eavesdropping by a third user. How many symmetric encryption keys will she need to generate?
A. 6
B. 12
C. 15
D. 30
C. 15
Explanation
The formula for determining the number of encryption keys required by a symmetric algorithm is n(n − 1)/2. With six users, you will need (6 × 5)/2, or 15 keys.
Which one of the following cryptographic algorithms supports the goal of nonrepudiation?
A. Blowfish
B. DES
C. AES
D. RSA
D. RSA
Explanation
Nonrepudiation is possible only with an asymmetric encryption algorithm. RSA is an asymmetric algorithm. AES, DES, and Blowfish are all symmetric encryption algorithms that do not provide nonrepudiation.
Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a Certificate Revocation List. Who must add the certificate to the CRL?
A. Andrew
B. The root authority for the top‐level domain
C. The CA that issued the certificate
D. The revocation authority for the top‐level domain
C. The CA that issued the certificate
Explanation
Certificates may only be added to a Certificate Revocation List by the certificate authority that created the digital certificate.