27. For the encapsulating security protocol (ESP) header of the Internet Protocol security (IPsec), which of the following cryptographic algorithms or modes provides both encryption and integrity services to the ESP-protected traffic?

a. AES-128 bit in cipher block chaining (CBC) mode

b. AES-128 bit in counter mode

c. HMAC SHA1-96 bit

d. AES-128 bit in counter mode with CBC-MAC

27. d. The AES-128 bit key in counter mode with CBC-MAC provides both encryption and integrity protection. The AES-128 bit in CBC mode and the AES-128 bit in counter mode provide only encryption whereas the HMAC SHA1-96 bit provides only integrity protection. The encrypted ESP should not be used without integrity protection because the ESP needs both encryption and integrity protection.

28. Within the Internet Protocol security (IPsec) protocol suite, which of the following should not be used because it introduces unnecessary complexity in processing?

a. Authentication header (AH)

b. Encapsulating security protocol (ESP)

c. Security association (SA)

d. Internet key exchange (IKE)

28. a. The authentication header (AH) protects the Internet Protocol (IP) header and the data following the IP header. However, AH processing introduces unnecessary complexity. Because the encapsulating security protocol (ESP) can provide functionality equivalent to that of the AH, the use of AH is not recommended due to its processing complexity. Moreover, the ESP protects the source and destination addresses in the IP header in both transport and tunnel modes. Hence, the ESP is better than the AH.

29. The security of which of the following cryptographic algorithm’s confidentiality mechanism is not compromised?

a. AES-GCM (Galois counter mode)

b. AES-GMAC (Galois message authentication code)

c. The Internet key exchange (IKE)

d. Data encryption standard-cipher block chaining (DES-CBC) mode

29. c. When the counter value in AES-GCM or AES-GMAC is used for more than one packet with the same key, the security of these algorithms' confidentiality mechanism is compromised. The DES-CBC mode is susceptible to compromise. Also, AES-GCM and AES-GMAC should not be used with manually distributed keys. Automated keying using the Internet key exchange (IKE) establishes secret keys for the two peers within each security association (SA) with a low probability of duplicate keys.

30. The transport layer security (TLS) protocol does not provide which of the following cryptographic services?

a. Authentication

b. Integrity

c. Nonrepudiation

d. Encryption

30. c. After completion of the handshake sequence, the transport layer security (TLS) protocol provides a secure communication channel between the server and client for the duration of a communication session. All cipher suites provide authentication and integrity protection for transferred data, and most TLS cipher suites also provide encryption. If encryption is provided, data is encrypted when sent and decrypted when received. TLS does not, however, provide a cryptographic nonrepudiation service that would allow a third party to validate the session data or the authentication after the communication session has ended.

31. In secure/multipurpose Internet mail extension (S/MIME), TDEA in CBC mode or AES-128 bit in CBC mode is used to provide which of the following?

a. Digital signatures

b. Hash values

c. Key transport

d. Encryption

31. d. The secure/multipurpose Internet mail extension (S/MIME) provides a consistent way to send and receive secure Internet mail. However, S/MIME is not restricted to e-mail; it can be used with any transport mechanism that employs MIME protocols, such as HTTP. The TDEA in CBC mode or AES-128-bit key in CBC mode is used to provide encryption only.

32. Using the security features within a secure/multipurpose Internet mail extension (S/MIME) implementation, end users should not do which of the following?

a. Operate their systems according to instructions.

b. Use unique digital certificates for each security function.

c. Protect their private key from unauthorized disclosure.

d. Send the same message both encrypted and in plaintext.

32. d. An end user is the individual using a client to access the system. Even within a centrally managed environment, end users may find that they have a significant amount of control over some of the security features within an S/MIME implementation. End users should not send the same message both encrypted and in plaintext. End users may do the other three choices.

33. The RSA-1024-bit key or the DSA-1024 bit key is used to provide which of the following?

a. Digital signatures

b. Hash values

c. Key agreement

d. Encryption

33. a. Either the Rivest, Shamir, and Adleman (RSA) or the digital signature algorithm (DSA) with key sizes greater than or equal to 1024 bits is used to provide digital signatures. They are not used for hash values or key agreement, although keys of less than 1024 bits are used for encryption.

34. The Diffie-Hellman (DH) algorithm is used to provide which of the following?

a. Digital signatures

b. Hash values

c. Key agreement

d. Encryption

34. c. The Diffie-Hellman (DH) algorithm is used to provide key agreement. The DH algorithm cannot provide digital signatures, hash values, or encryption.

35. The owner of a cryptographic key pair demonstrates proof-of-possession by using:

a. Private key

b. Public key

c. Ephemeral key

d. Encrypted key

35. a. The proof-of-possession is a verification process whereby it is proven that the owner of a key pair actually has the private key associated with the public key. The owner demonstrates the possession by using the private key in its intended manner. Without the assurance of possession, it would be possible for the certificate authority to bind the public key to the wrong entity. The other three choices do not demonstrate proof-of-possession.

36. Which of the following can be specified in bits?

1. Security strength of a cryptographic algorithm

2. Entropy

3. Hash function

4. Internet Protocol (IP) address identifier

a. 1 and 4

b. 2 and 3

c. 1, 3, and 4

d. 1, 2, 3, and 4

36. d. The security strength of a cryptographic algorithm, entropy, a hash function, and an Internet Protocol (IP) address identifier are all specified in bits.