Introduction to Cryptography Flashcards

1
Q

Which cryptographic operations use an asymmetric private key? (Choose two.)

Creating a digital signature

Verifying a digital signature

Encrypting a message

Decrypting messages

A

Creating a digital signature

Decrypting messages

Digital signatures assure the recipient of a message that it is authentic and has not been modified. The message sender’s private key is used to create a digital signature, which provides nonrepudiation; the sender cannot deny having sent and signed the message because only the sender has access to their private key. Private keys are also used to decrypt messages, such as e-mail messages.

2
Q

Which cryptographic operation does not use a cryptographic key?

Encrypting

Hashing

Decrypting

A

Hashing

Hashing is used to verify that a file or message has not changed. The origin data is fed into a one-way cryptographic algorithm resulting in a unique value called a hash; a cryptographic key is not used. One-way algorithms are easy to compute given input, but it is very difficult to take a hash and determine the original value

3
Q

Which type of key is used by an IPSec VPN configured with a pre-shared key (PSK)?

Private

Asymmetric

Symmetric

A

Symmetric

With symmetric encryption, the same key is used for encryption and decryption. The IPSec VPN PSK must be configured on both ends of the VPN tunnel

4
Q

You are evaluating a secure network management solution that will be used to monitor and configure network infrastructure devices remotely. Which of the following is the best choice?

SFTP

FTPS

SNMPv3

A

SNMPv3

The Simple Network Management Protocol (SNMP) version 3 supports authenticated and encrypted messages when remotely monitoring and managing devices running an SNMP agent such as routers, switches, and server operating systems. SNMP normally uses UDP port 161

5
Q

Your company provides remote word processing and spreadsheet file access using FTP. After a security audit, the findings suggest employing TLS to harden FTP access. Which protocol should you configure to address this concern?

SFTP

FTPS

SNMPv3

A

FTPS

FTPS uses TLS to enable the secure transfer of files between FTP hosts over TCP port 21 (explicit FTPS) or 990 (implicit FTPS); traditional FTP passes credentials and data over the network in clear text

6
Q

You are reviewing network perimeter firewall rules for the firewall public interface and notice allowances for incoming UDP port 161 and TCP port 443 traffic. What type of traffic will be allowed through the firewall public interface, assuming default ports are being used? (Choose two.)

SFTP

SNMPv3

FTPS

HTTPS

A

SNMPv3

HTTPS

SNMP uses UDP port 161 and HTTPS uses TCP 443

7
Q

Which encryption algorithms can SNMPv3 use?

AES, MD5

SHA-256, 3DES

3DES, AES

A

3DES, AES

SNMPv3 can use the Triple Data Encryption Standard (3DES) or the newer Advanced Encryption Standard (AES) algorithm to encrypt SNMP data sent over the network.

8
Q

You are configuring SNMPv3 authentication. Which of the following hashing algorithms are available?

MD5, RSA

MD5, SHA

SHA, AES

A

MD5, SHA

MD5 and SHA are hashing algorithms that are used to verify the integrity of data and can be used for authenticating SNMPv3 connections over the network.

9
Q

You have configured LDAP over SSL (LDAPS) with default settings to secure directory service queries across subnets. Which port must be open on the subnet firewall?

TCP 389

TCP 22

TCP 636

A

TCP 636

Lightweight Directory Access Protocol Secure (LDAPS) uses a PKI certificate to secure LDAP connections over the network and uses TCP port 636. LDAP is used to connect to and query a centralized network directory service database such as Microsoft Active Directory

10
Q

Secure POP mail transmissions use which standard port number?

995

110

993

A

995

The Post Office Protocol (POP) is a client mail retrieval standard and can be secured using a PKI certificate. Secure POP uses a standard port number of TCP 995

11
Q

Which IPSec configuration mode encapsulates origin IP packets?

ESP

AH

Tunnel

A

Tunnel

IPSec tunnel mode can place an entire IP packet within another IP packet (encapsulation) and encrypt that payload

12
Q

You are planning your SMTP mail system so that mail transfers are encrypted. Which protocol should you use?

NTS

SRTP

S/MIME

A

S/MIME

Mail traffic can be encrypted and digitally signed through the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, which requires SMTP hosts to be configured with a PKI certificate

13
Q

Which term refers to providing random data as additional input to a hashing algorithm?

Key stretching

Salting

Perfect forward secrecy

A

Salting

Salting enhances hashing security using random bits in addition to origin data, such as a passphrase that is fed into a one-way hashing algorithm. To calculate the original passphrase value, the salt value must be known. Salting makes dictionary attacks much less likely to succeed

14
Q

Which cryptographic operations use a public key? (Choose two.)

Verifying digital signatures

Encrypting messages

Creating digital signatures

Decrypting messages

A

Verifying digital signatures

Encrypting messages

Private keys create a digital signature and the related public key is used to verify the signature. The sender of an encrypted message must have access to the public key of message recipients to encrypt the message for them

15
Q

Which technology is described as “a secure distributed public ledger of transactions”?

Quantum computing

Steganography

Blockchain

A

Blockchain

Blockchain provides a distributed public ledger of transactions that cannot be modified. Because the blockchain of transactions is managed by thousands of computers, it is not controlled by a single central organization or government. Bitcoin digital currency transactions are one example of how blockchain can be used. Bitcoin transactions are considered anonymous, since the transactions are linked to a digital identity

16
Q

A government informant embeds sensitive drug cartel data in an e-mail attachment. The attachment appears to be a picture of a dog. Which data secrecy technique is being used?

Steganography

Encryption

Hashing

A

Steganography

Steganography is a technique used to hide sensitive data within other nonsensitive items, such as hiding a secret message within a photo of a dog, which often requires special software to hide and unhide the message. Messages can be hidden in many types of files, including audio and video.

17
Q

Which cryptographic attribute mitigates brute-force key attacks?

Key length

Key exchange

Authentication

A

Key length

In general, the longer a cryptographic key (number of bits), the more difficult it becomes to brute-force key values due to the increased number of possible key combinations. The strength and implementation of an encryption algorithm (and not only the key size) determine its resilience to attacks

18
Q

Which of the following is a cryptographic stream cipher?

AES

Blowfish

RC4

A

RC4

The Rivest Cipher 4 (RC4) algorithm is a stream cipher, meaning that data is encrypted 1 byte at a time instead of an entire data block (more than 1 byte) being encrypted at once

19
Q

Which of the following are symmetric encryption block ciphers? (Choose two.)

AES

CBC

RC5

RC4

A

AES

RC5

AES and RC5 are symmetric block encryption ciphers. Block ciphers encrypt entire data blocks as opposed to individual bytes of data

20
Q

Which public key cryptographic design can use smaller keys while maintaining cryptographic strength?

CBC

S/MIME

ECC

A

ECC

Elliptic curve cryptography uses a set of points for a curve over a finite field instead of using prime number factoring for encryption. This allows for smaller key lengths, which minimizes required compute power. ECC small keys have the strength of much longer keys. For example, a 256-bit ECC key is equivalent to a 3072-bit RSA key

21
Q

Which encryption technique is designed to run on devices with constraints such as low power and low processing capabilities?

Homomorphic encryption

Lightweight cryptography

Entropy

A

Lightweight cryptography

Lightweight encryption requires less compute power than traditional encryption algorithms and is well suited for mobile devices. ECC is a lightweight encryption technique that uses small keys to achieve strong security. A small key size means less computational requirements

22
Q

Which cryptographic technique allows the analysis of data without first decrypting it?

Lightweight encryption

Homomorphic encryption

Entropy

A

Homomorphic encryption

Homomorphic encryption provides data confidentiality and is a computationally expensive cryptographic technique that allows encrypted data to be analyzed without fully decrypting it. Decrypting data, while it is accessed, presents a risk of unauthorized access while in a decrypted state

23
Q

Which benefit is derived from using an HSM to carry out cryptographic operations as opposed to a standard operating system such as Microsoft Windows?

Ability to store cloud-generated certificates

Lower cost

Lower computational latency

A

Lower computational latency

A hardware security module (HSM) is a tamper-proof dedicated appliance that can securely store cryptographic keys and perform cryptographic operations. Offloading these tasks from a Microsoft Windows computer results in lower computational latency, since dedicated firmware is generally faster and more reliable than a general purpose operating system

24
Q

Which statements regarding PKI certificates are correct? (Choose two.)

A certificate can be used for more than one cryptographic purpose.

A 2048-bit key is considered weak.

Certificates cannot be issued to routers.

Certificates have an expiry date.

A

A certificate can be used for more than one cryptographic purpose.

Certificates have an expiry date.

PKI certificates can be used for multiple purposes such as message encryption, digital signatures, and file encryption. Certificates have an expiry date upon which the certificate is no longer valid

25
Q

For security and performance reasons, you would like IP phone VoIP traffic to be isolated from regular TCP/IP network traffic. Which network protocol will allow this end result?

S/MIME

SSH

DHCP

A

DHCP

You can configure DHCP vendor-class options to identify the type of device making a DHCP request (IP phone), and then assign IP settings such as IP address range and default gateway.

26
Q

You plan on using a web browser secured connection to manage your public cloud subscription. Which outbound port number must be allowed on your network firewall?

636

993

443

A

443

HTTPS secured connections use TCP port 443

27
Q

Which service is provided by DNSSEC?

Confidentiality

Integrity

Network address allocation

A

Integrity

DNSSEC protects DNS clients from forged DNS answers in response to client DNS queries. With DNSSEC, DNS zone records are digitally signed. DNS clients verify the signature of DNS query results using a public key to ensure that the response is valid. (DNS clients trust the private key used to sign the DNS zone)

28
Q

Which network security protocol can encrypt all network traffic using a single configuration?

TLS

SSL

IPSec

A

IPSec

IPSec can be configured to secure some or all network traffic using a single configuration, unlike application security protocols like HTTPS, which apply only to web servers, where each server requires a PKI certificate

29
Q

Which cryptographic technique is often referred to as “hiding in plain sight”?

Quantum computing

Hashing

Steganography

A

Steganography

Steganography is a technique used to hide sensitive data within other nonsensitive items, such as hiding a secret message within a photo of a dog, which requires special software to hide and unhide the message