Introduction to Cryptography Flashcards
A network technician notices TCP port 80 traffic when users authenticate to their mail server. What should the technician configure to protect the confidentiality of these transmissions?
MD5
SHA-512
HTTPS
HTTPS
TCP port 80 is Hypertext Transfer Protocol (HTTP) network traffic. Web browsers use HTTP to connect to web servers. In this case, users are using web-based e-mail that is not encrypted. Hypertext Transfer Protocol Secure (HTTPS) uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt HTTP traffic. This requires the installation of a digital certificate on the server. Remember that digital certificates have an expiration date. If time is not properly synchronized on device, the certificate chain of trust could be broken
Which of the following allows secured remote access to a UNIX host?
SSH
SSL
SSO
SSH
Secure Shell (SSH) listens on TCP port 22 and is used commonly on UNIX and Linux hosts to allow secure remote administration. An SSH daemon must be running on the server, and an SSH client (such as PuTTY) is required to make the connection. Unlike its predecessor, Telnet, SSH encrypts network traffic
An IT manager asks you to recommend a LAN encryption solution. The solution must support current and future software that does not have encryption of its own. What should you recommend?
SSL
SSH
IPSec
IPSec
IP Security (IPSec) is not specific to an application; all network traffic is encrypted and authenticated. Both sides of the secured connection must be configured to use IPSec
Which protocol supersedes SSL?
TLS
SSO
TKIP
TLS
Transport Layer Security (TLS) replaces Secure Sockets Layer (SSL). For example, TLS offers more secure data authentication to ensure data has not been tampered with while in transit
Which TCP port would a firewall administrator configure to enable users to access SSL-enabled web sites?
443
80
3389
443
Secure Sockets Layer (SSL) users TCP port 443
Data integrity is provided by which of the following?
RC4
AES
MD5
MD5
Message Digest 5 (MD5) is a hashing algorithm that computes a digest from provided data. Any change in the data will invalidate the digest; thus, data integrity is attained
You are configuring a network encryption device and must account for other devices that may not support newer and stronger algorithms. Which of the following lists encryption standards from weakest to strongest?
DES, 3DES, RSA
3DES, DES, AES
RSA, DES, Blowfish
DES, 3DES, RSA
Digital Encryption Standard (DES) is a 56-bit cipher, and 3DES is a 168-bit cipher; both are symmetric encryption algorithms. RSA (named after its creators, Rivest, Shamir, and Adleman) is a public and private key (asymmetric) encryption and digital signing standard whose bit strength varies. The bit length of a cipher is not the only factor influencing its strength; the specific implementation of the cryptographic functions also plays a role
Which of the following uses two mathematically related keys to secure data transmissions?
AES
RSA
3DES
RSA
RSA is an asymmetric cryptographic algorithm that uses mathematically related public and private key pairs to digitally sign and encrypt data
Your company has implemented a PKI. You would like to encrypt e-mail messages you send to another employee, Amy. What do you require to encrypt messages to Amy?
Amy’s private key
Amy’s public key
Your private key
Amy’s public key
A public key infrastructure (PKI) implies the use of public and private key pairs. To encrypt messages for Amy, you must have her public key. This can be installed locally on a computer or published centrally on a directory server that should be secured using protocols such as Lightweight Directory Access Protocol Secure (LDAPS). The related private key, which only Amy should have access to, is used to decrypt the message
You decide that your LAN computers will use asymmetric encryption with IPSec to secure LAN traffic. While evaluating how this can be done, you are presented with an array of encryption choices. Choose the correct classification of cryptography standards.
Symmetric: 3DES, DES
Asymmetric: Blowfish, RSA
Symmetric: 3DES, DES
Asymmetric: RC4, RSA
Symmetric: AES, 3DES
Asymmetric: RSA
Symmetric: AES, 3DES
Asymmetric: RSA
Advanced Encryption Standard (AES) and Triple Digital Encryption Standard (3DES) are cryptographic standards using symmetric algorithms. This means a single key is used both to encrypt and decrypt. RSA (named after its creators, Rivest, Shamir, and Adleman) is an asymmetric encryption algorithm. This means two mathematically related keys (public and private) are used to secure data; normally, a public key encrypts data and a private key decrypts it
Data is provided confidentially by which of the following?
MD5
Disk encryption
E-mail digital signatures
Disk encryption
Encryption provides data confidentiality. Only authorized parties have the ability to decrypt disk contents. Encrypting stored data is referred to the encryption of data-at-rest, encrypting data being transmitted is called encryption of data-in-transit, and the encryption of data being used is called encryption of data-in-use
Which symmetric block cipher supersedes Blowfish?
Twofish
Fourfish
RSA
Twofish
Twofish is a symmetric block cipher that replaces Blowfish
A user connects to a secured online banking web site. Which of the following statements is incorrect?
The workstation public key is used to encrypt data transmitted to the web server. The web server private key performs the decryption.
The workstation session key is encrypted with the server public key and transmitted to the web server. The web server private key performs the decryption.
The workstation-generated session key is used to encrypt data sent to the web server.
The workstation public key is used to encrypt data transmitted to the web server. The web server private key performs the decryption.
It is not the workstation public key that is used; it is the server’s. The workstation-generated session key is encrypted with the server public key and transmitted to the web server where a related private key decrypts the message to reveal the session key
Which term describes the process of concealing messages within a file?
Trojan
Steganography
Encryption
Steganography
Steganography can be used to hides messages within files. For example, a message could be hidden within an inconspicuous JPEG picture file
Which term best describes the assurance that a message is authentic and neither party can dispute its transmission or receipt?
Digital signature
Encryption
Nonrepudiation
Nonrepudiation
Nonrepudiation means neither the sending nor receiving party can dispute the fact that a transmission occurred. The recipient is assured of data authenticity and integrity via a digital signature applied with the sender’s private key
You are a developer at a software development firm. Your latest software build must be made available on the corporate web site. Internet users require a method of ensuring that they have downloaded an authentic version of the software. What should you do?
Generate a file hash for the download file and make it available on the web site.
Make sure Internet users have antivirus software installed.
Configure the web site to use TLS.
Generate a file hash for the download file and make it available on the web site.
File hashing performs a calculation on a file resulting in a hash. Changing a file in some way and then performing the same calculation would result in a different hash. This is one way to verify that the file is the correct version. The probability of a hash collision (different data inputs resulting in the same hash output) is very small
Which cryptographic approach uses points on a curve to define public and private key pairs?
RSA
DES
ECC
ECC
Elliptic curve cryptography (ECC) is public key cryptography based on points on an elliptic curve
Your company currently uses an FTP server, and you have been asked to make FTP traffic secure using SSL. What should you configure?
FTPS
SFTP
IPSec
FTPS
File Transfer Protocol Secure (FTPS) can use Secure Sockets Layer (SSL) to secure FTP traffic
On which protocol is SCP built?
FTP
SSL
SSH
SSH
Secure Copy (SCP) is a secure way of copying files between computers over an SSH session
Which of the following are true regarding ciphers? (Choose two.)
Block ciphers analyze data patterns and block malicious data from being encrypted.
Stream ciphers encrypt data one byte at a time.
Block ciphers encrypt chunks of data.
Stream ciphers encrypt streaming media traffic.
Stream ciphers encrypt data one byte at a time.
Block ciphers encrypt chunks of data.
Stream ciphers encrypt data a bit or a byte at a time, whereas block ciphers encrypt segments (blocks) of data at one time in various block sizes
Which of the following are block ciphers? (Choose two.)
DES
RSA
RC4
AES
DES
AES
Block ciphers encrypt data a block at a time (rather than a bit or byte at a time). Digital Encryption Standard (DES) and Advanced Encryption Standard (AES) are both block ciphers
Which of the following are message digest algorithms? (Choose two.)
3DES
RIPEMD
Blowfish
HMAC
RIPEMD
HMAC
RACE Integrity Primitives Evaluation Message Digest (RIPEMD) and Hash-based Message Authentication Code (HMAC) are both cryptographic hashing functions
A military institution requires the utmost in security for transmitting messages during wartime. What provides the best security?
AES
3DES
One-time pad
One-time pad
One-time pads are used to combine completely random keys with plain text resulting in cipher text, after which one-time pads are not used again. A randomized initialization vector (IV), or salt, is used to derive keys. An item used only once is referred to as a nonce. Both communicating parties must have the same one-time pads, which presents a problem if communicating with a large number of entities. No amount of computing power or time can increase the likelihood of breaking this type of cipher text. Pseudo-random numbers, on the other hand, are not considered completely random due to the process that generates them
When hardening a VPN, what should you consider? (Choose two.)
Enabling PAP
Disabling PAP
Disabling EAP-TLS
Enabling EAP-TLS
Disabling PAP
Enabling EAP-TLS
Password Authentication Protocol (PAP) should be disabled. PAP sends unencrypted passwords across the network during authentication. Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) should not be disabled when hardening VPNs; it is considered very secure because of its mutual authentication of both VPN client and VPN server
Encrypting and digitally signing e-mail with public and private keys can be done with which technology?
3DES
DES
PGP
PGP
Pretty Good Privacy (PGP) uses public and private key pairs to encrypt and digitally sign messages. Gnu Privacy Guard (GPG) is an implementation of open PGP standards
Which of the following is considered the least secure?
NTLM v2
EAP-TLS
PAP
PAP
Password Authentication Protocol (PAP) is considered insecure because it does not encrypt transmitted credentials
A user digitally signs a sent e-mail message. What security principle does this apply to?
Least privilege
Integrity
Confidentiality
Integrity
Integrity is achieved when digitally signing an e-mail message. The sender’s private key creates the unique signature, which is verified on the receiving end using the sender’s related public key. If the message has not changed since it was sent, the signature will be considered valid
Which of the following are true regarding a user’s private key? (Choose two.)
It is used to encrypt sent messages.
It is used to decrypt received messages.
It is used to create digital signatures.
It is used to verify digital signatures.
It is used to decrypt received messages.
It is used to create digital signatures.
Because the recipient’s public key is used to encrypt a message, the related private key is used for decryption. Digitally signing a message must assure the recipient that it came from who it says it came from. Because only the owner of a private key has access to it, the private key is used to create digital signatures. The related public key verifies the validity of that signature
You are the IT director for a company with military contracts. An employee, Sandra, leaves the company, and her user account is removed. A few weeks later, somebody requires access to Sandra’s old files but is denied access. After investigating the issue, you determine that Sandra’s files are encrypted with a key generated from a passphrase. What type of encryption is this?
WEP
Asymmetric
Symmetric
Symmetric
Symmetric encryption uses the same key for encryption and decryption. In this case, if the same passphrase is used, the data can be decrypted
Which of the following best describes the Diffie-Hellman protocol?
It is a key exchange protocol for asymmetric encryption.
It is a symmetric encryption algorithm.
It is a key exchange protocol for symmetric encryption.
It is a key exchange protocol for asymmetric encryption.
Diffie-Hellman is a secure key exchange protocol used for asymmetric encryption and is provide through a cryptographic service provider, often in the form of an API library or module
Which of the following apply to symmetrical keys? (Choose two.)
The public key is used for encryption.
The private key is used for decryption.
The same key is used for encryption and decryption.
They are exchanged out-of-band.
The same key is used for encryption and decryption.
They are exchanged out-of-band.
The same symmetrical key is used on both sides of a secured connection, and the keys are exchanged out-of-band. (Outside of the normal message communication channel, for example, the key is communicated over the telephone or in person on a USB flash drive.) Keys exchanged within the normal communication channel, as is the case with the Diffie-Hellman protocol, is referred to as in-band key exchange
Which of the following are two common negotiation protocols used by TLS? (Choose two.)
Quantum cryptography
DHE
RSA
ECDHE
DHE
ECDHE
Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) are commonly used with Transport Layer Security (TLS) to provide perfect forward secrecy. Diffie-Hellman groups are used in security negotiation processes to determine the key strength
What is another name for an ephemeral key?
PKI private key
SHA
Session key
Session key
Ephemeral keys are short-lived keys, such as a unique session key. Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHC) are common key negotiation protocols
During the monthly IT meeting in your office, your IT manager, Julia, expresses concern about weak user passwords on corporate servers and how they might be susceptible to brute-force password attacks. When allaying Julia about her concerns, which term might you use?
Key forging
Key escrow
Key stretching
Key stretching
Key stretching converts weak keys such as passwords into stronger keys that are less susceptible to brute-force attacks. Bcrypt and PBKDF2 are common key-stretching algorithms
After reviewing the results of a network security audit, your IT team decides to implement auditor recommendations to secure internal traffic. Which solution addresses the potential poisoning of name resolution server records?
IPsec
DNSSEC
SSL
DNSSEC
DNS security extensions (DNSSEC) uses signatures for DNS records that get verified on clients to establish trust when client issue domain name resolution queries. This prevents DNS records from being tampered with and then trusted
Management has asked you, the head of IT security, to implement a centralized and unified IT threat management system for all six offices, which are spread throughout Western Europe. There is a very limited IT security budget available. Which solution can properly secure the six locations with minimal cost?
Use a subscription-based service.
Purchase the appropriate hardware and licenses for each location. Configure the solution to monitor threats at all sites.
Update the anti-malware software on devices at all six locations.
Use a subscription-based service.
Security as a Service (SECaaS) provides a subscription-based cloud service that enables organizations to outsource the acquisition and maintenance of security hardware and software while allowing customized threat management configurations. This is much less expensive initially, since hardware, software, and licenses do not need to be purchased, configured, and maintained
Which block cipher mode uses a feedback-based encryption method to ensure that repetitive data results in unique cipher text?
ECB
GCM
CBC
CBC
Cipher Block Chaining (CBC) mode uses feedback information to help ensure that the current block cipher text differs from other blocks even if the exact same data is being encrypted
Which term describes multiple inputs resulting in the same hash value?
Collision
Confusion
Obfuscation
Collision
Collisions occur in hashing when different inputs result in the exact same hash. This is very rare but has been proven possible even with Secure Hashing Algorithm 1 (SHA-1)
Which term most accurately describes smartcards?
Low power
Something you know
PKI certificate authority
Low power
Low-power devices such as smartcards can still perform sufficient cryptographic calculations to be used in secure IT environments
