Introduction to Cryptography

Question 1

A network technician notices TCP port 80 traffic when users authenticate to their mail server. What should the technician configure to protect the confidentiality of these transmissions?

MD5

SHA-512

HTTPS

Answer 1

HTTPS

TCP port 80 is Hypertext Transfer Protocol (HTTP) network traffic. Web browsers use HTTP to connect to web servers. In this case, users are using web-based e-mail that is not encrypted. Hypertext Transfer Protocol Secure (HTTPS) uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt HTTP traffic. This requires the installation of a digital certificate on the server. Remember that digital certificates have an expiration date. If time is not properly synchronized on device, the certificate chain of trust could be broken

Question 2

Which of the following allows secured remote access to a UNIX host?

SSH

SSL

SSO

Answer 2

SSH

Secure Shell (SSH) listens on TCP port 22 and is used commonly on UNIX and Linux hosts to allow secure remote administration. An SSH daemon must be running on the server, and an SSH client (such as PuTTY) is required to make the connection. Unlike its predecessor, Telnet, SSH encrypts network traffic

Question 3

An IT manager asks you to recommend a LAN encryption solution. The solution must support current and future software that does not have encryption of its own. What should you recommend?

SSL

SSH

IPSec

Answer 3

IPSec

IP Security (IPSec) is not specific to an application; all network traffic is encrypted and authenticated. Both sides of the secured connection must be configured to use IPSec

Question 4

Which protocol supersedes SSL?

TLS

SSO

TKIP

Answer 4

TLS

Transport Layer Security (TLS) replaces Secure Sockets Layer (SSL). For example, TLS offers more secure data authentication to ensure data has not been tampered with while in transit

Question 5

Which TCP port would a firewall administrator configure to enable users to access SSL-enabled web sites?

443

80

3389

Answer 5

443

Secure Sockets Layer (SSL) users TCP port 443

Question 6

Data integrity is provided by which of the following?

RC4

AES

MD5

Answer 6

MD5

Message Digest 5 (MD5) is a hashing algorithm that computes a digest from provided data. Any change in the data will invalidate the digest; thus, data integrity is attained

Question 7

You are configuring a network encryption device and must account for other devices that may not support newer and stronger algorithms. Which of the following lists encryption standards from weakest to strongest?

DES, 3DES, RSA

3DES, DES, AES

RSA, DES, Blowfish

Answer 7

DES, 3DES, RSA

Digital Encryption Standard (DES) is a 56-bit cipher, and 3DES is a 168-bit cipher; both are symmetric encryption algorithms. RSA (named after its creators, Rivest, Shamir, and Adleman) is a public and private key (asymmetric) encryption and digital signing standard whose bit strength varies. The bit length of a cipher is not the only factor influencing its strength; the specific implementation of the cryptographic functions also plays a role

Question 8

Which of the following uses two mathematically related keys to secure data transmissions?

AES

RSA

3DES

Answer 8

RSA

RSA is an asymmetric cryptographic algorithm that uses mathematically related public and private key pairs to digitally sign and encrypt data

Question 9

Your company has implemented a PKI. You would like to encrypt e-mail messages you send to another employee, Amy. What do you require to encrypt messages to Amy?

Amy’s private key

Amy’s public key

Your private key

Answer 9

Amy’s public key

A public key infrastructure (PKI) implies the use of public and private key pairs. To encrypt messages for Amy, you must have her public key. This can be installed locally on a computer or published centrally on a directory server that should be secured using protocols such as Lightweight Directory Access Protocol Secure (LDAPS). The related private key, which only Amy should have access to, is used to decrypt the message

Question 10

You decide that your LAN computers will use asymmetric encryption with IPSec to secure LAN traffic. While evaluating how this can be done, you are presented with an array of encryption choices. Choose the correct classification of cryptography standards.

Symmetric: 3DES, DES

Asymmetric: Blowfish, RSA

Symmetric: 3DES, DES

Asymmetric: RC4, RSA

Symmetric: AES, 3DES

Asymmetric: RSA

Answer 10

Symmetric: AES, 3DES

Asymmetric: RSA

Advanced Encryption Standard (AES) and Triple Digital Encryption Standard (3DES) are cryptographic standards using symmetric algorithms. This means a single key is used both to encrypt and decrypt. RSA (named after its creators, Rivest, Shamir, and Adleman) is an asymmetric encryption algorithm. This means two mathematically related keys (public and private) are used to secure data; normally, a public key encrypts data and a private key decrypts it

Question 11

Data is provided confidentially by which of the following?

MD5

Disk encryption

E-mail digital signatures

Answer 11

Disk encryption

Encryption provides data confidentiality. Only authorized parties have the ability to decrypt disk contents. Encrypting stored data is referred to the encryption of data-at-rest, encrypting data being transmitted is called encryption of data-in-transit, and the encryption of data being used is called encryption of data-in-use

Question 12

Which symmetric block cipher supersedes Blowfish?

Twofish

Fourfish

RSA

Answer 12

Twofish

Twofish is a symmetric block cipher that replaces Blowfish

Question 13

A user connects to a secured online banking web site. Which of the following statements is incorrect?

The workstation public key is used to encrypt data transmitted to the web server. The web server private key performs the decryption.

The workstation session key is encrypted with the server public key and transmitted to the web server. The web server private key performs the decryption.

The workstation-generated session key is used to encrypt data sent to the web server.

Answer 13

The workstation public key is used to encrypt data transmitted to the web server. The web server private key performs the decryption.

It is not the workstation public key that is used; it is the server’s. The workstation-generated session key is encrypted with the server public key and transmitted to the web server where a related private key decrypts the message to reveal the session key

Question 14

Which term describes the process of concealing messages within a file?

Trojan

Steganography

Encryption

Answer 14

Steganography

Steganography can be used to hides messages within files. For example, a message could be hidden within an inconspicuous JPEG picture file

Question 15

Which term best describes the assurance that a message is authentic and neither party can dispute its transmission or receipt?

Digital signature

Encryption

Nonrepudiation

Answer 15

Nonrepudiation

Nonrepudiation means neither the sending nor receiving party can dispute the fact that a transmission occurred. The recipient is assured of data authenticity and integrity via a digital signature applied with the sender’s private key

Question 16

You are a developer at a software development firm. Your latest software build must be made available on the corporate web site. Internet users require a method of ensuring that they have downloaded an authentic version of the software. What should you do?

Generate a file hash for the download file and make it available on the web site.

Make sure Internet users have antivirus software installed.

Configure the web site to use TLS.

Answer 16

Generate a file hash for the download file and make it available on the web site.

File hashing performs a calculation on a file resulting in a hash. Changing a file in some way and then performing the same calculation would result in a different hash. This is one way to verify that the file is the correct version. The probability of a hash collision (different data inputs resulting in the same hash output) is very small

Question 17

Which cryptographic approach uses points on a curve to define public and private key pairs?

RSA

DES

ECC

Answer 17

ECC

Elliptic curve cryptography (ECC) is public key cryptography based on points on an elliptic curve

Question 18

Your company currently uses an FTP server, and you have been asked to make FTP traffic secure using SSL. What should you configure?

FTPS

SFTP

IPSec

Answer 18

FTPS

File Transfer Protocol Secure (FTPS) can use Secure Sockets Layer (SSL) to secure FTP traffic

Question 19

On which protocol is SCP built?

FTP

SSL

SSH

Answer 19

SSH

Secure Copy (SCP) is a secure way of copying files between computers over an SSH session

Question 20

Which of the following are true regarding ciphers? (Choose two.)

Block ciphers analyze data patterns and block malicious data from being encrypted.

Stream ciphers encrypt data one byte at a time.

Block ciphers encrypt chunks of data.

Stream ciphers encrypt streaming media traffic.

Answer 20

Stream ciphers encrypt data one byte at a time.

Block ciphers encrypt chunks of data.

Stream ciphers encrypt data a bit or a byte at a time, whereas block ciphers encrypt segments (blocks) of data at one time in various block sizes

Question 21

Which of the following are block ciphers? (Choose two.)

DES

RSA

RC4

AES

Answer 21

DES

AES

Block ciphers encrypt data a block at a time (rather than a bit or byte at a time). Digital Encryption Standard (DES) and Advanced Encryption Standard (AES) are both block ciphers

Question 22

Which of the following are message digest algorithms? (Choose two.)

3DES

RIPEMD

Blowfish

HMAC

Answer 22

RIPEMD

HMAC

RACE Integrity Primitives Evaluation Message Digest (RIPEMD) and Hash-based Message Authentication Code (HMAC) are both cryptographic hashing functions

Question 23

A military institution requires the utmost in security for transmitting messages during wartime. What provides the best security?

AES

3DES

One-time pad

Answer 23

One-time pad

One-time pads are used to combine completely random keys with plain text resulting in cipher text, after which one-time pads are not used again. A randomized initialization vector (IV), or salt, is used to derive keys. An item used only once is referred to as a nonce. Both communicating parties must have the same one-time pads, which presents a problem if communicating with a large number of entities. No amount of computing power or time can increase the likelihood of breaking this type of cipher text. Pseudo-random numbers, on the other hand, are not considered completely random due to the process that generates them

Question 24

When hardening a VPN, what should you consider? (Choose two.)

Enabling PAP

Disabling PAP

Disabling EAP-TLS

Enabling EAP-TLS

Answer 24

Disabling PAP

Enabling EAP-TLS

Password Authentication Protocol (PAP) should be disabled. PAP sends unencrypted passwords across the network during authentication. Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) should not be disabled when hardening VPNs; it is considered very secure because of its mutual authentication of both VPN client and VPN server

Question 25

Encrypting and digitally signing e-mail with public and private keys can be done with which technology?

3DES

DES

PGP

Answer 25

PGP

Pretty Good Privacy (PGP) uses public and private key pairs to encrypt and digitally sign messages. Gnu Privacy Guard (GPG) is an implementation of open PGP standards

Question 26

Which of the following is considered the least secure?

NTLM v2

EAP-TLS

PAP

Answer 26

PAP

Password Authentication Protocol (PAP) is considered insecure because it does not encrypt transmitted credentials

Question 27

A user digitally signs a sent e-mail message. What security principle does this apply to?

Least privilege

Integrity

Confidentiality

Answer 27

Integrity

Integrity is achieved when digitally signing an e-mail message. The sender’s private key creates the unique signature, which is verified on the receiving end using the sender’s related public key. If the message has not changed since it was sent, the signature will be considered valid

Question 28

Which of the following are true regarding a user’s private key? (Choose two.)

It is used to encrypt sent messages.

It is used to decrypt received messages.

It is used to create digital signatures.

It is used to verify digital signatures.

Answer 28

It is used to decrypt received messages.

It is used to create digital signatures.

Because the recipient’s public key is used to encrypt a message, the related private key is used for decryption. Digitally signing a message must assure the recipient that it came from who it says it came from. Because only the owner of a private key has access to it, the private key is used to create digital signatures. The related public key verifies the validity of that signature

Question 29

You are the IT director for a company with military contracts. An employee, Sandra, leaves the company, and her user account is removed. A few weeks later, somebody requires access to Sandra’s old files but is denied access. After investigating the issue, you determine that Sandra’s files are encrypted with a key generated from a passphrase. What type of encryption is this?

WEP

Asymmetric

Symmetric

Answer 29

Symmetric

Symmetric encryption uses the same key for encryption and decryption. In this case, if the same passphrase is used, the data can be decrypted

Question 30

Which of the following best describes the Diffie-Hellman protocol?

It is a key exchange protocol for asymmetric encryption.

It is a symmetric encryption algorithm.

It is a key exchange protocol for symmetric encryption.

Answer 30

It is a key exchange protocol for asymmetric encryption.

Diffie-Hellman is a secure key exchange protocol used for asymmetric encryption and is provide through a cryptographic service provider, often in the form of an API library or module

Question 31

Which of the following apply to symmetrical keys? (Choose two.)

The public key is used for encryption.

The private key is used for decryption.

The same key is used for encryption and decryption.

They are exchanged out-of-band.

Answer 31

The same key is used for encryption and decryption.

They are exchanged out-of-band.

The same symmetrical key is used on both sides of a secured connection, and the keys are exchanged out-of-band. (Outside of the normal message communication channel, for example, the key is communicated over the telephone or in person on a USB flash drive.) Keys exchanged within the normal communication channel, as is the case with the Diffie-Hellman protocol, is referred to as in-band key exchange

Question 32

Which of the following are two common negotiation protocols used by TLS? (Choose two.)

Quantum cryptography

DHE

RSA

ECDHE

Answer 32

DHE

ECDHE

Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) are commonly used with Transport Layer Security (TLS) to provide perfect forward secrecy. Diffie-Hellman groups are used in security negotiation processes to determine the key strength

Question 33

What is another name for an ephemeral key?

PKI private key

SHA

Session key

Answer 33

Session key

Ephemeral keys are short-lived keys, such as a unique session key. Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHC) are common key negotiation protocols

Question 34

During the monthly IT meeting in your office, your IT manager, Julia, expresses concern about weak user passwords on corporate servers and how they might be susceptible to brute-force password attacks. When allaying Julia about her concerns, which term might you use?

Key forging

Key escrow

Key stretching

Answer 34

Key stretching

Key stretching converts weak keys such as passwords into stronger keys that are less susceptible to brute-force attacks. Bcrypt and PBKDF2 are common key-stretching algorithms

Question 35

After reviewing the results of a network security audit, your IT team decides to implement auditor recommendations to secure internal traffic. Which solution addresses the potential poisoning of name resolution server records?

IPsec

DNSSEC

SSL

Answer 35

DNSSEC

DNS security extensions (DNSSEC) uses signatures for DNS records that get verified on clients to establish trust when client issue domain name resolution queries. This prevents DNS records from being tampered with and then trusted

Question 36

Management has asked you, the head of IT security, to implement a centralized and unified IT threat management system for all six offices, which are spread throughout Western Europe. There is a very limited IT security budget available. Which solution can properly secure the six locations with minimal cost?

Use a subscription-based service.

Purchase the appropriate hardware and licenses for each location. Configure the solution to monitor threats at all sites.

Update the anti-malware software on devices at all six locations.

Answer 36

Use a subscription-based service.

Security as a Service (SECaaS) provides a subscription-based cloud service that enables organizations to outsource the acquisition and maintenance of security hardware and software while allowing customized threat management configurations. This is much less expensive initially, since hardware, software, and licenses do not need to be purchased, configured, and maintained

Question 37

Which block cipher mode uses a feedback-based encryption method to ensure that repetitive data results in unique cipher text?

ECB

GCM

CBC

Answer 37

CBC

Cipher Block Chaining (CBC) mode uses feedback information to help ensure that the current block cipher text differs from other blocks even if the exact same data is being encrypted

Question 38

Which term describes multiple inputs resulting in the same hash value?

Collision

Confusion

Obfuscation

Answer 38

Collision

Collisions occur in hashing when different inputs result in the exact same hash. This is very rare but has been proven possible even with Secure Hashing Algorithm 1 (SHA-1)

Question 39

Which term most accurately describes smartcards?

Low power

Something you know

PKI certificate authority

Answer 39

Low power

Low-power devices such as smartcards can still perform sufficient cryptographic calculations to be used in secure IT environments