Understanding Cryptography

Question 1

What will always create a fixed-size string of bits regardless of the size of the original data? (Choose all that apply.)    
  
A. MD5      
B. SHA      
C. One-time pad      
D. CRL

Answer 1

A, B. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are both hashing algorithm that create hashes of a fixed length. MD5 creates a 128-bit hash and SHA-256 creates a 256-bit hash. One-time pads are hardcopy printouts of keys in a pad of paper. A certificate revocation list (CRL) is a list of revoked certificates.

Question 2

Of the following choices, what can ensure the integrity of e-mail messages?

A. MD5
B. AES
C. TwoFish
D. RSA

Answer 2

A. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, including e-mail messages. Advanced Encryption Standard (AES) and TwoFish are symmetric encryption algorithms, not hashing algorithms. RSA is an asymmetric encryption algorithm based on prime numbers.

Question 3

What are two basic components of encryption?

A. Algorithms and keys
B. CAs and CRLs
C. Certificates and private keys
D. Public keys and session keys

Answer 3

A. Two basic components of encryption are algorithms and keys. Certificate authorities (CAs), certificates, and certificate revocation lists (CRLs) only apply to asymmetric encryption, not other types of encryption. Keys are only one element of encryption and can’t encrypt data without an algorithm.

Question 4

A system encrypts data prior to transmitting it over a network, and the system on the other end of the transmission media decrypts it. If the systems are using a symmetric encryption algorithm for encryption and decryption, which of the following statements is true?

A. A symmetric encryption algorithm uses the same key to encrypt and decrypt data at both ends of the transmission media
B. A symmetric encryption algorithm uses different keys to encrypt and decrypt data at both ends of the transmission media
C. A symmetric encryption algorithm does not use keys to encrypt and decrypt data at both ends of the transmission media
D. A symmetric encryption algorithm is an insecure method used to encrypt data transmitted over transmission media

Answer 4

A. Symmetric encryption uses the same key to encrypt and decrypt data at both ends of a transmission medium. Asymmetric encryption uses two keys for encryption and decryption. Both symmetric and asymmetric encryption use keys. Symmetric encryption is commonly used to transmit data over transmission media.

Question 5

Which of the following is an encryption algorithm that uses 128-bit keys?

A. DES
B. AES
C. 3DES
D. MD5

Answer 5

B. Advanced Encryption Standard (AES) uses 128-, 192-, or 256-bit keys. Data Encryption Standard (DES) uses 56-bit keys. 3DES uses 56-, 112-, or 168-bit keys. MD5 is a hashing algorithm used to enforce integrity.

Question 6

Which of the following uses 56-bit keys for encryption?

E. AES
F. DES
G. MD5
H. SHA

Answer 6

B. Data Encryption Standard (DES) uses 56-bit keys and is a weak encryption protocol. Advanced Encryption Standard (AES) uses 128-, 192-, or 256-bit keys. MD5 and SHA are hashing algorithms, but the question is asking about encryption.

Question 7

Which of the following is an encryption algorithm that uses multiple keys and encrypts data multiple times?

A. DES
B. AES
C. 3DES
D. MD5

Answer 7

C. Triple Data Encryption Standard (3DES) is an improvement over DES and encrypts data using multiple keys and multiple passes of the DES algorithm. Data Encryption Standard (DES) uses a single 56-bit key and encrypts the data one time. Advanced Encryption Standard (AES) use a single 128-bit, 192-bit, or 256-bit key, and is preferable over 3DES, but if hardware doesn’t support AES, 3DES may be used. MD5 is a hashing algorithm used to enforce integrity.

Question 8

Which of the following statements accurately describes the relationship between keys in a PKI?
A. Data encrypted with a public key can only be decrypted with the matching private key
B. Data encrypted with a public key can only be decrypted with the matching public key
C. Data encrypted with a private key can only be decrypted with the matching private key
D. The public key always encrypts and the private key always decrypts

Answer 8

A. Data encrypted with a public key can only be decrypted with the matching private key, and data encrypted with the private key can only be encrypted with the matching public key. The same asymmetric key used to encrypt data cannot decrypt the same data. Depending on the usage, either the public key or the private key can encrypt or decrypt.

Question 9

Which encryption algorithm uses prime numbers to generate keys?

A. RSA
B. SHA
C. S/ MIME
D. PGP 10.

Answer 9

A. RSA uses prime numbers to generate public and private keys. Secure Hash Algorithm (SHA) is a hashing algorithm that can ensure the integrity of data, and it doesn’t use a key. S/ MIME and PGP digitally sign and encrypt e-mail, and both use RSA, but they don’t generate keys with prime numbers.

Question 10

Of the following choices, what is an encryption algorithm that is commonly used in small portable devices, such as mobile phones?

A. Steganography
B. 3DES
C. PGP
D. Elliptic curve

Answer 10

D. Elliptic curve cryptography is an encryption technology commonly used with small mobile devices, and it provides strong confidentiality using the least amount of computing resources. Steganography is the practice of hiding data within a file. Triple Data Encryption Standard (3DES) is an improvement over DES and is used when AES is not supported. Pretty Good Privacy (PGP) uses RSA and public key cryptography to secure e-mail.

Question 11

A website includes graphic files. A security professional is comparing the hash of a graphic file captured last week with the hash of what appears to be the same graphic file today. What is the security professional looking for?

A. CRL
B. Steganography
C. Key
D. Digital signature

Answer 11

B. Steganography is the practice of hiding data within a file and comparing hashes between two apparently identical files can verify if data is hidden within a file. A certificate revocation list (CRL) is a list of revoked certificates. A key is used for encryption, but a hash can’t discover a key. A digital signature is an encrypted hash of a message, but it wouldn’t be in a graphic file.

Question 12

Which of the following protocols requires a CA for authentication?

A. FTP
B. PEAP-TLS
C. AES
D. PKI

Answer 12

B. Protected Extensible Authentication Protocol Transport Layer Security (PEAP-TLS) uses TLS for the authentication process, and TLS requires a certificate provided by a certification authority (CA). File Transfer Protocol (FTP) is transferred in clear text and does not use certificates. Advanced Encryption Standard (AES) is a symmetric algorithm and doesn’t use a CA. A Public Key Infrastructure (PKI) issues and manages certificates used in asymmetric encryption and verifies a certificate’s authenticity.

Question 13

An organization wants to verify the identity of anyone sending e-mails. The solution should also verify integrity of the e-mails. What can it use?      
A. AES      
B. Encryption      
C. CRL      
D. Digital signatures

Answer 13

D. Digital signatures provide authentication (verified identification) of the sender, integrity of the message, and non-repudiation. Advanced Encryption Standard (AES) is a symmetric encryption algorithm that uses 128-, 192-, or 256-bit keys, but encryption doesn’t verify identities or integrity. A certificate revocation list (CRL) is a list of revoked certificates.

Question 14

Sally is sending an e-mail, and she encrypted a portion of the e-mail with her private key. What can this provide?

A. Confidentiality
B. Validation of her certificate
C. Non-repudiation
D. One-time pad

Answer 14

C. A digital signature provides non-repudiation (in addition to authentication and integrity) and is encrypted with the sender’s private key. Encryption provides confidentiality, but if the e-mail is encrypted with the sender’s private key, anyone with the publically available public key can decrypt it. A certification authority (CA) validates a certificate with a certificate revocation list (CRL), but the digital signature doesn’t validate the certificate. A one-time pad is a hardcopy printout of encryption keys on different pages of a pad of paper.

Question 15

Sally is sending data to Joe. She uses asymmetric encryption to encrypt the data to ensure that only Joe can decrypt it. What key does Sally use to encrypt the data?

A. Sally’s public key
B. Sally’s private key
C. Joe’s public key
D. Joe’s private key

Answer 15

C. Sally uses Joe’s public key (the recipient’s public key) to encrypt the data, and because Joe is the only person with Joe’s private key, Joe is the only person that can decrypt the data. Sally would use her private key to create a digital signature, but would not use her keys for encryption. Sally would not have access to Joe’s private key.

Question 16

A user visits an e-commerce website and initiates a secure connection. What type of key does the website provide to the user?

A. Symmetric key
B. Private key
C. Public key
D. MD5 key

Answer 16

C. The website provides its public key in a certificate, and the user’s system uses this to encrypt a symmetric key. The symmetric key encrypts data in the session. Private keys are kept private so the website will not provide its private key to the user. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, but it doesn’t use a key.

Question 17

Of the following choices, what can you use to encrypt e-mail?

A. HMAC
B. RIPEMD
C. PII
D. S/ MIME

Answer 17

D. Secure/ Multipurpose Internet Mail Extensions (S/ MIME) can encrypt e-mail at rest (stored on a drive) and in transit (sent over the network). Hash-based Message Authentication Code (HMAC) and RACE Integrity Primitives Evaluation Message Digest (RIPEMD) are both hashing algorithms used to provide integrity. Pretty Good Privacy (PGP, not PII) can also encrypt e-mail.

Question 18

Sally and Joe decide to use PGP to exchange secure e-mail. What should Sally provide to Joe so that Joe can encrypt e-mail before sending it to her?

A. Her private key
B. Her public key
C. Her recovery key
D. Her steganography key

Answer 18

B. Pretty Good Privacy (PGP) uses RSA and public key cryptography, and e-mail is encrypted with the recipient’s public key (Sally’s public key). Users will never give out their private key. A recovery key is used to recover encrypted data if the user’s private key is inaccessible. Steganography doesn’t use a key.

Question 19

Two systems need to establish a secure session between each other without any prior communication. What is needed to support this?

A. Symmetric encryption
B. PKI
C. AES
D. MD5

Answer 19

B. A Public Key Infrastructure (PKI) is a group of technologies used to request, create, manage, store, distribute, and revoke digital certificates used with asymmetric encryption. Asymmetric (not symmetric) encryption allows two entities to privately share symmetric keys without any prior communication. Advanced Encryption Standard (AES) is a symmetric encryption algorithm that uses 128-, 192-, or 256-bit keys. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data.

Question 20

What entity verifies the authenticity of certificates?      
A. CRILL      
B. Digital signature      
C. CA      
D. Recovery agent

Answer 20

C. A certificate authority (CA) within a public key infrastructure (PKI) verifies authenticity of certificates. The certificate revocation list (CRL, not CRILL) includes a list of revoked certificates and is published by the CA. Digital signatures provide authentication (verified identification) of the sender, integrity, and non-repudiation for e-mail. A recovery agent can recover an encryption key or encrypted data if the original key is lost.

Question 21

A user browses to a website and sees this message: “The site’s certificate is not trusted.” What is a likely reason?

A. The CA’s root certificate is in the trusted root certification authority store
B. The certificate is listed in the CRL
C. The CA is not a trusted root CA
D. The certificate is not in the CRL

Answer 21

C. If the certificate authority (CA) isn’t trusted, web browsers will display a message indicating that the site’s certificate is not trusted. If the CA’s root certificate is in the trusted root certification store, the certificate will be trusted. If a certificate is in the certification revocation list (CRL), the browser will indicate the certificate is revoked, but it won’t indicate a lack of trust. If it’s not in the CRL, it indicates it is not revoked.

Question 22

Which of the following choices are valid reasons to revoke a certificate holding a key? (Choose all that apply.)

A. Key compromise
B. CA compromise
C. Loss of data
D. Database breach

Answer 22

A, B. Valid reasons to revoke a certificate include key compromise and CA compromise. A certificate is not revoked in response to loss of data or a database breach unless this actually compromised the key or the CA.

Question 23

An organization wants to ensure that it does not use compromised certificates. What should it check?

A. Trusted root certification authorities store B. Key escrow
C. CRL
D. RSA

Answer 23

C. A certificate revocation list (CRL) is a list of revoked certificates, and regularly retrieving a copy of the CRL to validate certificates reduces the risk of using compromised certificates. The trusted root certification authorities store identifies trusted certificate authorities (CAs). A key escrow stores a copy of private keys used within a public key infrastructure (PKI) for recovery purposes. RSA is a public key encryption method based on prime numbers.

Question 24

A company is using a key escrow for its PKI. What does this provide?

A. It maintains a copy of a private key for recovery purposes
B. It maintains a copy of a public key for recovery purposes
C. It provides a copy of revoked certificates D. It provides a digital signature

Answer 24

A. A key escrow stores a copy of private keys used within a public key infrastructure (PKI) that can be used if the original private key is lost or inaccessible. Public keys are publically available and do not need to be stored in escrow. Revoked certificates are identified in a certificate revocation list (CRL) and there’s no need to keep a copy of revoked certificates. Digital signatures provide authentication (verified identification) of the sender, integrity of the message, and non-repudiation for e-mail.

Question 25

What can a PKI recovery agent recover?

A. Public key
B. CRL
C. Private key
D. MD5 key

Answer 25

C. Public Key Infrastructure (PKI) recovery agents can recover private keys or, in some cases, recover encrypted data using a different key. Public keys are public and do not need to be recovered. A certification revocation list (CRL) is a publically available list of revoked certificates. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, but it does not use a key.

Question 26

Sally encrypted a project file with her public key. Later, an administrator accidentally deleted her account that had exclusive access to her private key. Can this project file be retrieved?

A. No. If the private key is lost, the data cannot be retrieved.
B. Yes. The public key can decrypt the file. C. Yes, if a copy of her public key is stored in escrow.
D. Yes, if the organization uses a recovery agent.

Answer 26

D. If an organization uses a recovery agent, the recovery agent can decrypt the file, in some cases by recovering a copy of the private key and in other cases by using a special recovery agent key. Data encrypted with a public key cannot be decrypted with the same public key. A private key is stored in escrow, but a public key would not be stored in escrow.