1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 146
Выбрать главу

d. Sendmail

13. c. Encryption key breaking is not a common method because it is difficult to do and may take years to do. It requires an extensive knowledge of algorithms, hardware, and software that is not possessed by too many people. Password cracking involves guessing a password, which can then be used to gain access to a system. Packet sniffing involves placing a rogue program in a host computer or in a network switch. The program will then monitor all information packets as they go through the network. A malicious code can be sent along with Internet-based e-mail. When the message is received, the attacker’s code will be executed.

14. Which of the following does not need to be destroyed after the corresponding certificate expires?

a. Old key pairs

b. Private key establishment key

c. Private signature keys

d. Public keys

14. b. The user should not destroy the private key establishment key until all symmetric keys established using this key have been recovered or protected by encryption under a different key. Premature destruction of private key establishment keys may prevent recovery of the subscriber’s plaintext data. The keys in the other three choices can be destroyed safely.

15. Which of the following provides end-to-end security to protect information on the Internet?

a. DES and RC2

b. TLS and SSL

c. HTTP and HTTPS

d. TDEA and AES

15. b. The transport layer security (TLS) and secure socket layer (SSL) protocols are the primary end-to-end security protocols used to protect information on the Internet. TLS is an enhanced version of SSL; these protocols are similar but not identical. TLS is a robust protocol that is used to protect various links, such as authentication server to a wireless access point, the electronic mail link between client and server, or dedicated network infrastructure applications primarily involving machines with no human user involvement.

16. Which of the following are examples of mandatory-to-implement cryptographic algorithms that do not provide adequate security over computer networks?

a. AES or 3-TDEA

b. RSA or ECDSA

c. DES or RC2

d. DH or ECDH

16. c. Mandatory-to-implement cryptographic algorithms will be in any cryptographic product that meets the public standards (for example, IETF’s RFCs and ANSI) enabling interoperability between products. AES is an optional-to-implement algorithm now that could become mandatory-to-implement in the future. DES and RC2 are mandatory and do not provide adequate security. DH is the Diffie-Hellman algorithm, which is used to provide key agreement. ECDH is the elliptic curve Diffie-Hellman algorithm, which is used to support key establishment; 3-TDEA is three key TDEA; RSA is a public-key algorithm, whereas ECDSA is a digital signature algorithm.

17. Which of the following should not be used during a transport layer security (TLS) session between a client and a server?

a. DH key agreement

b. RSA key transport

c. Ephemeral DH key

d. Static-to-static DH key agreement

17. d. A transport layer security (TLS) session requires server authentication and requests certificates from the client and the server. The RSA key transport method implicitly authenticates the server to the client. In a Diffie-Hellman (DH) key agreement, the server authenticates itself by supplying a signed static DH key in a certificate or by signing an ephemeral key and sending a certificate with its public signing key. Thus, the server will always send a certificate, with either a signing key or a key-establishment key. In a static-to-static DH key agreement, client certificates will not contain a signing key thus are not recommended to use in a TLS session. This is because the server may request a certificate from the client.

18. What is encrypting a symmetric key using another symmetric key called?

a. Key transport

b. Key update

c. Key wrapping

d. Key bundle

18. c. A key used for key wrapping is known as a key encrypting key, which is used to encrypt a symmetric key using another symmetric key. Key wrapping provides both confidentiality and integrity protection using a symmetric key.

The other three choices are not used in key wrapping. Key transport is a key establishment procedure whereby one party (sender) selects and encrypts the keying material and then distributes the material to another party (the receiver). Key update is a function performed on a cryptographic key to compute a new but related key. Key bundle is a set of keys used during one operation, typically a TDEA operation.

19. Which of the following represents the correct order of nodes (from highest to lowest) in a cryptographic key management infrastructure?

1. Client node

2. User entities

3. Key processing facility

4. Service agent

a. 4, 2, 3, and 1

b. 3, 4, 1, and 2

c. 3, 4, 2, and 1

d. 2, 4, 1, and 3

19. b. A key management infrastructure provides a unified and seamless structure for the generation, distribution, and management of cryptographic keys. It starts at the central oversight authority (the highest node, which is not used in the question) and moves down to key processing facility (the next highest node), service agent, client node, and user entities (the lowest node).

20. In a cryptographic key management infrastructure, which of the following supports single point-of-access for other nodes?

a. Key processing facility

b. User entities

c. Client nodes

d. Service agents

20. d. Service agents support an organization’s key management infrastructure as single point-of-access for other nodes, including key processing facility, client nodes, and user entities.

21. A digital signature is implemented using which of the following cryptographic techniques?

a. Public key cryptography

b. Key escrow cryptography

c. Secret key cryptography

d. Hybrid cryptographic systems

21. a. Recent advances in cryptographic technology have lead to the development of public key cryptographic algorithms. These algorithms are referred to as “asymmetric” because they rely on two different keys to perform cryptographic processing of data. These keys are generated and used in pairs consisting of private and public key components.

Public key crypto-systems make possible authentication schemes in which a secret can be verified without the need to share that secret. In public key cryptography, each user independently generates two mathematically related keys. One is typically made public, so it is referred to as the public key. The other is kept private, so it is referred to as the user’s private key. The public key becomes in effect part of the user’s identity and should be made well known as necessary, like a phone number. Conversely, the private key should be known only to the user because it can be used to prove ownership of the public key and thus the user’s identity. It is computationally infeasible to derive a user’s private key from the corresponding public key, so free distribution of the public key poses no threat to the secrecy of the private key.

~ 146 ~