
d. Hypertext transfer protocol (HTTP)

5. c. Secure hypertext transfer protocol (S-HTTP) encrypts data flowing over the Internet, but it is limited to protecting individual messages. Secure sockets layer (SSL) and transport layer security (TLS) are designed to establish a secure connection between two computers, over which any number of messages can be sent. Hypertext transfer protocol (HTTP) by itself provides no encryption and is therefore less secure than S-HTTP.

6. For cryptography, which of the following refers to the worst-case measure of uncertainty for a random variable with the greatest lower bound?

a. Max-entropy

b. Min-entropy

c. Guessing entropy

d. Min-Max entropy

6. b. Entropy is the uncertainty of a random variable, stated in bits. Min-entropy is the worst-case measure of uncertainty for a random variable with the greatest lower bound: it is determined only by the single most likely value (minus the base-2 logarithm of that value's probability), so for passwords it measures the difficulty an attacker has in guessing the most commonly chosen password used in a system. Guessing entropy is a measure of the difficulty an attacker has in guessing the value of a secret (e.g., a password) on average; it assumes an attacker who knows the actual password frequency distribution and guesses in order of decreasing frequency. Max-entropy and min-max entropy are not the measures used in this context.
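The three measures differ on the same data, which the question's definitions do not make obvious. The following is an added example, not part of the original question bank, that computes Shannon entropy, min-entropy and guessing entropy over a constructed password distribution; the password counts and the two sample populations are made up for the illustration, and the results show that min-entropy depends only on the most common choice while the other two measures change with the tail.

```python
# Added example (not from the source): Shannon entropy, min-entropy and
# guessing entropy of a password distribution, computed on constructed data.
import math
from collections import Counter


def constructed_sample(top_counts, unique_users):
    """Build a Counter of password choices: a few popular passwords plus
    `unique_users` people who each chose a distinct password (constructed data)."""
    counts = Counter(top_counts)
    counts.update({f"unique-{i}": 1 for i in range(unique_users)})
    return counts


# 1000 users: 300 chose "123456", 200 "password", 100 "qwerty", 50 "letmein",
# and 350 chose passwords nobody else picked.
SKEWED = constructed_sample(
    {"123456": 300, "password": 200, "qwerty": 100, "letmein": 50}, 350)
# Same most-common password, but everyone else chose something unique.
FLAT_TAIL = constructed_sample({"123456": 300}, 700)


def probabilities(counts):
    """Probability of each distinct password, most likely first."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def shannon_entropy(counts):
    """Average uncertainty in bits, H = -sum p log2 p."""
    return -sum(p * math.log2(p) for p in probabilities(counts))


def min_entropy(counts):
    """Worst case: -log2 of the single most likely value. It is the smallest
    of the Renyi entropies and depends only on the top choice."""
    return -math.log2(probabilities(counts)[0])


def guessing_entropy(counts):
    """Expected number of guesses for an attacker who knows the frequency
    distribution and tries values in decreasing order of probability.
    Returned as (expected guesses, log2 of that number in bits)."""
    expected = sum((rank + 1) * p
                   for rank, p in enumerate(probabilities(counts)))
    return expected, math.log2(expected)


def summarize(counts):
    guesses, bits = guessing_entropy(counts)
    return {
        "shannon_bits": shannon_entropy(counts),
        "min_entropy_bits": min_entropy(counts),
        "expected_guesses": guesses,
        "guessing_bits": bits,
    }


if __name__ == "__main__":
    for label, sample in (("skewed", SKEWED), ("flat tail", FLAT_TAIL)):
        s = summarize(sample)
        print(f"{label:9s} Shannon={s['shannon_bits']:.2f} bits  "
              f"min-entropy={s['min_entropy_bits']:.2f} bits  "
              f"expected guesses={s['expected_guesses']:.1f}")
```

Both populations have the same min-entropy (about 1.74 bits, because 30% of users picked "123456" in each), while Shannon and guessing entropy are higher for the population with the flatter tail. This is why password-strength rules that target only the most common choices (a blocklist) raise min-entropy, and why min-entropy is the conservative figure to use when reasoning about online guessing against the whole user base.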

7. Countermeasures against brute force attacks on cryptographic keys include which of the following?

1. Change keys

2. Increase key length

3. Change protocol

4. Change algorithm

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1 and 3

7. a. Changing cryptographic keys frequently and increasing the key length both work against brute force attacks on keys: frequent key changes limit how much ciphertext is available under one key and how long a recovered key remains useful, and every additional key bit doubles the size of the space an attacker must search. Changing the protocol or the algorithm does not by itself counter a brute force attack, because the replacement protocol or algorithm can be subjected to the same attack (or to different ones) if its key space is no larger.

8. For cryptography, what is nonce?

a. Timestamp plus sequence number

b. Checksum plus check digit

c. Payload plus protocol

d. Public key plus private key

8. a. A nonce is a time-varying value that is never repeated; it may be built from a timestamp, a sequence number, a freshly generated random value, or a combination of these. Checksums and check digits are used to ensure data accuracy during data entry and data transmission. A payload is the part of a data stream that carries the user information in a communication. A protocol is a set of rules used by two or more entities that describes the message order and data structures for information exchange between the entities. A public key is a cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and that may be made public. A private key is a cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and that is not made public.
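What "time-varying and nonrepeating" means in practice is a construction rule on the sender and a freshness check on the receiver. The following is an added example, not from the original question bank, that builds a nonce as a timestamp plus a per-sender sequence number and shows the receiver rejecting stale and replayed nonces; the 12-byte layout, the 30-second skew window and the sender names are assumptions made for the example. The layout matters because the common AEAD mode AES-GCM takes a 96-bit nonce and loses both confidentiality and authentication if one nonce is ever reused under the same key.

```python
# Added example (not from the source): a nonce built from a timestamp and a
# per-sender sequence number, plus the receiver-side freshness check. The
# 12-byte layout and the 30-second window are assumptions for the example.
import struct
import time

NONCE_LAYOUT = ">QI"   # 8-byte seconds since the epoch, 4-byte sequence number
ACCEPT_WINDOW = 30     # assumed tolerance for clock skew, in seconds


def make_nonce(seq, now=None):
    """12-byte nonce: timestamp || sequence number (the 96-bit size AES-GCM
    uses). The sequence number keeps nonces distinct within one second."""
    ts = int(time.time() if now is None else now)
    return struct.pack(NONCE_LAYOUT, ts, seq)


def parse_nonce(nonce):
    if len(nonce) != struct.calcsize(NONCE_LAYOUT):
        raise ValueError("bad nonce length")
    return struct.unpack(NONCE_LAYOUT, nonce)


class NonceValidator:
    """Receiver state: highest sequence number accepted from each sender.
    A nonce is fresh only if its timestamp is inside the window and its
    sequence number is higher than anything already accepted from that
    sender, so an identical value presented twice is rejected as a replay."""

    def __init__(self, window=ACCEPT_WINDOW):
        self.window = window
        self.last_seq = {}

    def accept(self, sender, nonce, now):
        ts, seq = parse_nonce(nonce)
        if abs(now - ts) > self.window:
            return False, "stale"
        if seq <= self.last_seq.get(sender, -1):
            return False, "replay"
        self.last_seq[sender] = seq
        return True, "ok"


def demo(t0=1_700_000_000):
    """Constructed message sequence from sender "alice" (and one from "bob"),
    all checked by the receiver at time t0."""
    v = NonceValidator()
    n1 = make_nonce(1, t0)
    n2 = make_nonce(2, t0)           # same second as n1, different counter
    old = make_nonce(3, t0 - 3600)   # an hour old: outside the window
    verdicts = [
        v.accept("alice", n1, t0)[1],                  # first use
        v.accept("alice", n2, t0)[1],                  # distinct nonce, same second
        v.accept("alice", n1, t0)[1],                  # n1 presented again
        v.accept("alice", old, t0)[1],                 # fresh counter but stale clock
        v.accept("bob", make_nonce(1, t0), t0)[1],     # per-sender state
    ]
    return {"verdicts": verdicts, "distinct_within_second": n1 != n2}


if __name__ == "__main__":
    print(demo())
```

The check is strictly monotonic per sender, so messages that arrive out of order are rejected along with replays; protocols that must tolerate reordering (IPsec ESP is the usual example) keep a sliding window of recently seen sequence numbers instead. Either way the receiver needs state, which is the price of detecting replays with deterministic nonces.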

9. For cryptography, which of the following protects the integrity of the data but does not guarantee authenticity of the information?

a. X.509 public key certificate

b. Public key certificate

c. Private key certificate

d. Self-signed certificate

9. d. A self-signed certificate is a public key certificate whose digital signature may be verified by the public key contained within the certificate. The signature on a self-signed certificate protects the integrity of the data but does not guarantee authenticity of the information. The trust of a self-signed certificate is based on the secure procedures used to distribute it.

The X.509 certificate comes in two types: X.509 public key certificate (most common) and the X.509 attribute certificate (less common). A public key certificate is a set of data that uniquely identifies an entity and binds the public key to the entity. The private key is mathematically linked with a corresponding public key.

10. Which of the following is an example of optional-to-implement cryptographic algorithms that provide greater security?

a. DES

b. RSA-512 bit key

c. AES-128 bit key

d. RC2

10. c. The AES-128 bit key is an example of an optional-to-implement encryption algorithm that provides greater security. Other variants of AES use 192-bit and 256-bit keys. The DES algorithm, RC2, and the RSA-512 bit key do not provide adequate security. DES and RC2 are examples of mandatory-to-implement encryption algorithms that do not provide adequate security. Mandatory-to-implement algorithms are present in any product that meets the public standards, enabling interoperability between products. Optional-to-implement algorithms are next-generation algorithms with improved security that can increase the longevity of a system.

11. Which of the following enables one to locate organizations, individuals, files, and devices in a network whether on the Internet or on a corporate intranet?

a. Online certificate status protocol (OCSP)

b. Certificate management protocol (CMP)

c. Lightweight directory access protocol (LDAP)

d. Over-the-air rekeying protocol (OTAR)

11. c. The lightweight directory access protocol (LDAP) is the protocol used to query and update a centralized directory, and that directory becomes a major focal point as a tool for access control. It holds names, addresses, groups, roles, devices, files, and profiles, enabling a modular, expandable access control and single sign-on solution to be deployed rapidly for all application systems.

The other three choices do not have the capabilities that LDAP does. An online certificate status protocol (OCSP) responder is a trusted system that provides signed status information, on a per-certificate basis, in response to a request from a relying party. Both certification authority (CA) and registration authority (RA) software support the use of a certificate management protocol (CMP). An over-the-air rekeying (OTAR) protocol is used in digital radios to handle cryptographic security. LDAP (for retrieving certificates and CRLs), CRLs, and OCSP are all used in validating the certification path of a public-key certificate.

12. Most commonly, what are certificate revocation lists (CRLs) distributed through?

1. Certificate management protocol

2. LDAP directories protocol

3. Web servers

4. HTTP URLs

a. 1 or 2

b. 2 or 3

c. 1 or 3

d. 3 or 4

12. b. Most commonly, certificate revocation lists (CRLs) are distributed via lightweight directory access protocol (LDAP) directories or Web servers. The certificate management protocol (CMP) is not a CRL distribution channel, and an HTTP uniform resource locator (HTTP URL) is a pointer rather than a distribution mechanism: LDAP URLs and HTTP URLs, carried in a certificate's CRL distribution points extension, specify where a CRL can be retrieved, while the LDAP directory or Web server behind the URL is what actually serves it. Both certification authority (CA) and registration authority (RA) software support the use of CMP. An LDAP directory is a centralized directory that becomes a major focal point as a tool for access control.
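Questions 9 and 12 both come down to what a relying party can and cannot conclude from the bytes in front of it. The following is an added example, not part of the original question bank, that uses the third-party Python `cryptography` package to show both points: a self-signed certificate's signature verifies with its own key and catches tampering (integrity), yet a forged self-signed certificate with the same subject verifies equally well against itself (no authenticity), so trust has to come from how the genuine certificate was distributed; and a CA-issued certificate carries HTTP and LDAP URLs in its CRL distribution points extension that tell the relying party where to fetch the CRL, which it must verify against the CA key before consulting. The CA and host names, the URLs, and the locally built CRL standing in for one fetched from those URLs are all constructed for the example.

```python
# Added example (not from the source): self-signed certificate integrity vs.
# authenticity (question 9) and CRL distribution points plus a CRL check
# (question 12). Requires the third-party `cryptography` package. All names,
# URLs and the CRL itself are constructed for the example.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# The two URL forms question 12 says are used to locate a CRL (constructed).
CRL_URLS = [
    "http://crl.example.test/ca.crl",
    "ldap://dir.example.test/CN=Example%20CA,O=Example?certificateRevocationList",
]


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, crl_urls=()):
    """Build a certificate; passing the subject's own key as issuer_key
    gives a self-signed certificate."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=1)))
    if crl_urls:
        dp = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(u) for u in crl_urls],
            relative_name=None, reasons=None, crl_issuer=None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def signature_valid(cert, public_key):
    """Verify the signature over the to-be-signed bytes with the given key."""
    try:
        public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                          ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def tbs_tamper_detected(cert):
    """Flip one bit of the signed portion: the signature must then fail."""
    tbs = bytearray(cert.tbs_certificate_bytes)
    tbs[-1] ^= 0x01
    try:
        cert.public_key().verify(cert.signature, bytes(tbs),
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return False
    except InvalidSignature:
        return True


def crl_urls_of(cert):
    """URLs a relying party would read from the CRL distribution points."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    return [name.value for dp in ext.value for name in dp.full_name]


def make_crl(issuer_cn, issuer_key, revoked_serials):
    """Stand-in for the CRL the CA would publish at the URLs above."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(_name(issuer_cn))
         .last_update(now)
         .next_update(now + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(now).build())
    return b.sign(issuer_key, hashes.SHA256())


def is_revoked(cert, crl, ca_cert):
    """Relying-party check: only trust a CRL the CA signed, then look up
    the certificate's serial number in it."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Example CA", ca_key, "Example CA", ca_key)
    # An attacker's self-signed certificate with the same subject, own key.
    forged_key = ec.generate_private_key(ec.SECP256R1())
    forged = make_cert("Example CA", forged_key, "Example CA", forged_key)
    # A CA-issued end-entity certificate that points at the CRL, then revoked.
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = make_cert("www.example.test", leaf_key, "Example CA", ca_key, CRL_URLS)
    crl = make_crl("Example CA", ca_key, [leaf.serial_number])
    return {
        "self_signed_verifies_with_own_key": signature_valid(ca, ca.public_key()),
        "tamper_detected": tbs_tamper_detected(ca),
        "forged_verifies_with_its_own_key": signature_valid(forged, forged.public_key()),
        "forged_verifies_with_genuine_key": signature_valid(forged, ca.public_key()),
        "leaf_crl_urls": crl_urls_of(leaf),
        "leaf_revoked": is_revoked(leaf, crl, ca),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged certificate passes its own signature check exactly as the genuine one does; nothing inside a self-signed certificate distinguishes the two, which is the question's point that trust rests on the secure distribution of the genuine copy (a pinned file, a package-managed trust store, an out-of-band fingerprint). In `is_revoked`, the CRL is verified against the CA key before its contents are used, because the Web server or LDAP directory that serves the CRL is not trusted in itself, only the CA's signature on it is.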

13. Which of the following is generally the most difficult method of attacking a computer system?

a. Password cracking

b. Packet sniffing

c. Encryption key breaking