37. Which of the following is often distributed as a self-signed certificate?
a. Trust anchors
b. Root certificate store
c. Trust list
d. Trust keys
37. a. Certificate authorities (CAs) generally issue a self-signed certificate (called a root certificate), which is also called a trust anchor. CAs that a relying party trusts directly are called trust anchors. When multiple trust anchors are recognized, the set of trust anchors is referred to as the trust list. CA certificates play a key role in many protocols and applications and are generally kept in what is often called a root certificate store. Trust keys are used in trust anchors. A root certificate store is used in validating a certificate path.
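The following is an added example, not part of the original question set: it builds a self-signed root certificate (the trust anchor), places it in a root certificate store, and shows that a leaf certificate validates only when its path chains to an anchor in that store. The names "Example Root CA" and "service.example" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const leafName = "service.example" // constructed host name for the leaf certificate

// template builds a minimal certificate template; CA templates get the
// certSign key usage, leaf templates get the serverAuth extended key usage.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{name}
	}
	return t
}

// issue signs tmpl with signer's key; passing parent == tmpl yields a
// self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates the self-signed root (trust anchor) and a leaf it signs.
func BuildChain() (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := template("Example Root CA", 1, true)
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = issue(template(leafName, 2, false), root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// VerifyAgainstStore validates leaf's certificate path against a root
// certificate store that contains exactly the given anchors.
func VerifyAgainstStore(leaf *x509.Certificate, anchors ...*x509.Certificate) error {
	store := x509.NewCertPool()
	for _, a := range anchors {
		store.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     store,
		DNSName:   leafName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("root is self-signed:", root.CheckSignatureFrom(root) == nil)
	fmt.Println("leaf with anchor in store:", VerifyAgainstStore(leaf, root))
	fmt.Println("leaf with empty store:", VerifyAgainstStore(leaf))
}
```

The empty-store case is the one to remember: a correctly signed chain is still rejected when the relying party's root certificate store does not contain the anchor, which is exactly why the contents of that store decide what a system trusts.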
38. Which of the following does not require cryptographic keys?
a. Symmetric key algorithms
b. Asymmetric key algorithms
c. Cryptographic hash algorithms
d. Secret key algorithms
38. c. Cryptographic hash algorithms (hash functions) do not require keys. Hash functions generate a relatively small digest (hash value) from a large input, and the computation is difficult to reverse. However, in some instances, such as the generation of hashed message authentication codes (HMAC), keyed hash functions are used.
Symmetric key algorithms (also known as secret key or private key algorithms) transform data in a way that is difficult to undo without knowledge of the secret key. Asymmetric key algorithms (known as public key algorithms) use two related keys to perform their functions (i.e., a public key and a private key forming a key pair).
39. Which of the following is a noncryptographic technique that provides message integrity and creates insecurity?
a. Message authentication code
b. Error detection codes
c. Cryptographic checksum
d. Block cipher algorithms
39. b. Although message integrity is often provided using noncryptographic techniques known as error detection codes, these codes can be altered by an attacker for their benefit and hence create insecurity. Use of a message authentication code (MAC) can alleviate this problem as it is based on a block cipher algorithm. The cryptographic checksum is an algorithm that uses the bits in the transmission to create a checksum value and hence is secure. A noncryptographic technique does not use a cryptographic key.
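The following is an added example, not part of the original question set, covering questions 38 and 39 together: a CRC-32 error detection code needs no key, so whoever changes a message can recompute a matching tag, whereas an HMAC (a keyed hash) cannot be recomputed without the shared key. The message text and the key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed sample message and shared secret for the demo.
var (
	Message = []byte("transfer 100.00 to account 4471")
	Key     = []byte("constructed-demo-key-not-for-real-use")
)

// CRCTag is an error detection code: it needs no secret, so anyone who can
// change the message can also recompute a matching tag.
func CRCTag(msg []byte) []byte {
	tag := make([]byte, 4)
	binary.BigEndian.PutUint32(tag, crc32.ChecksumIEEE(msg))
	return tag
}

// MACTag is a keyed hash (HMAC-SHA256): a valid tag requires the key.
func MACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Receiver-side checks. hmac.Equal is a constant-time comparison.
func CRCAccepts(msg, tag []byte) bool      { return bytes.Equal(CRCTag(msg), tag) }
func MACAccepts(key, msg, tag []byte) bool { return hmac.Equal(MACTag(key, msg), tag) }

// AlterInTransit models a change made between sender and receiver by someone
// who does not hold Key: the message is edited and the CRC is recomputed, but
// the HMAC tag can only be forwarded unchanged.
func AlterInTransit(msg, crc, mac []byte) (newMsg, newCRC, newMAC []byte) {
	newMsg = bytes.Replace(msg, []byte("4471"), []byte("9999"), 1)
	return newMsg, CRCTag(newMsg), mac
}

func main() {
	crc, mac := CRCTag(Message), MACTag(Key, Message)
	altered, crc2, mac2 := AlterInTransit(Message, crc, mac)
	fmt.Println("CRC accepts altered message: ", CRCAccepts(altered, crc2))     // true
	fmt.Println("HMAC accepts altered message:", MACAccepts(Key, altered, mac2)) // false
}
```

The CRC still does its job against random line noise; what it cannot do is distinguish a deliberate change from the original, because the check value carries no secret. That is the distinction the question is drawing between error detection codes and a MAC.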
40. Key wrapping provides which of the following services to the wrapped material?
a. Confidentiality and integrity
b. Authentication and integrity
c. Accountability and availability
d. Assurance and reliability
40. a. Key wrapping is the encryption of a key by a key encrypting key using a symmetric algorithm. Key wrapping provides both confidentiality and integrity services to the wrapped material and does not provide services listed in the other three choices.
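The following is an added example, not part of the original question set: the AES Key Wrap algorithm from RFC 3394 implemented with a 128-bit key-encrypting key. The fixed 64-bit check value A6A6A6A6A6A6A6A6 that unwrap must recover is what gives the scheme its integrity service on top of confidentiality. The key-encrypting key and key data in main are the published RFC 3394 test vector, not secrets.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed integrity check value prepended during wrapping; any
// change to the wrapped blob scrambles it, so unwrap can detect tampering.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// split cuts data into independent 64-bit registers.
func split(data []byte) [][]byte {
	r := make([][]byte, len(data)/8)
	for i := range r {
		r[i] = append([]byte{}, data[8*i:8*i+8]...)
	}
	return r
}

// Wrap encrypts keyData under the key-encrypting key kek (RFC 3394 wrapping process).
func Wrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be 8-byte aligned and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	a := append([]byte{}, rfc3394IV...)
	r := split(keyData)
	n := len(r)
	in, out := make([]byte, 16), make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(in[:8], a)
			copy(in[8:], r[i])
			block.Encrypt(out, in)
			// A = MSB64(B) XOR t, where t = n*j + i with a 1-based i.
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(out[:8])^uint64(n*j+i+1))
			copy(r[i], out[8:])
		}
	}
	return append(a, bytes.Join(r, nil)...), nil
}

// Unwrap reverses Wrap and fails if the integrity check value does not match.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be 8-byte aligned and at least 24 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	a := append([]byte{}, wrapped[:8]...)
	r := split(wrapped[8:])
	n := len(r)
	in, out := make([]byte, 16), make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			binary.BigEndian.PutUint64(in[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i+1))
			copy(in[8:], r[i])
			block.Decrypt(out, in)
			copy(a, out[:8])
			copy(r[i], out[8:])
		}
	}
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("key unwrap: integrity check failed")
	}
	return bytes.Join(r, nil), nil
}

func main() {
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, _ := Wrap(kek, key)
	fmt.Printf("wrapped: %X\n", wrapped)
	wrapped[10] ^= 0x01 // simulate a corrupted or tampered blob
	_, err := Unwrap(kek, wrapped)
	fmt.Println("tampered blob:", err)
}
```

Note the services the question rules out: nothing here identifies who produced the blob (no authentication beyond possession of the KEK), and nothing about the construction helps availability or accountability.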
41. Countermeasures against man-in-the-middle attacks include which of the following?
1. Implement digital signatures
2. Use split knowledge procedures
3. Use faster hardware
4. Use packet filters
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1 and 4
41. a. The man-in-the-middle (MitM) attack takes advantage of the store-and-forward mechanism used by insecure networks such as the Internet. Digital signatures and split knowledge procedures are effective against such attacks. Faster hardware and packet filters are effective against denial-of-service (DoS) attacks.
42. Digital signatures cannot provide which of the following security services?
a. Confidentiality
b. Authentication
c. Integrity
d. Nonrepudiation
42. a. Digital signatures cannot by themselves provide confidentiality service; instead, they provide authentication, integrity, and non-repudiation services. Specific algorithms used for digital signatures include DSA, RSA, PKCS, and ECDSA.
43. The transport layer security (TLS) protocol does not provide which of the following?
a. Integrity
b. Error recovery
c. Authentication
d. Encrypted payload
43. b. The transport layer security (TLS) protocol is protected by strong cryptographic integrity, an authentication mechanism, and an encrypted payload. TLS can detect any attack or noise event but cannot recover from errors. If an error is detected, the protocol run is simply terminated. Hence, TLS needs to work with TCP (transmission control protocol) to recover from errors.
44. Which of the following statements is true about digital signatures using the digital signature algorithm?
a. The length of the digital signature is one-time the length of the key size.
b. The length of the digital signature is two-times the length of the key size.
c. The length of the digital signature is three-times the length of the key size.
d. The length of the digital signature is four-times the length of the key size.
44. b. The digital signature algorithm (DSA) produces digital signatures of 320, 448, or 512 bits using key sizes of 160, 224, or 256 bits, respectively. Hence, the length of the digital signature is two times the length of the key size.
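The following is an added example, not part of the original question set, covering questions 42 and 44 together. It uses ECDSA over P-256, the elliptic-curve member of the same DSA family, where the group order N is 256 bits: the signature is the pair (r, s), each at most N bits, so the fixed-width encoding is 2N = 512 bits, the same two-to-one ratio the answer states for DSA. The verification checks show authentication and integrity; the message itself is passed around in the clear, which is why a signature provides no confidentiality. The message text is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// NewSigner generates a P-256 key pair; the group order N is 256 bits.
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// KeyBits is the bit length of the group order, the "key size" in question 44.
func KeyBits(pub *ecdsa.PublicKey) int { return pub.Params().N.BitLen() }

func orderBytes(pub *ecdsa.PublicKey) int { return (KeyBits(pub) + 7) / 8 }

// Sign hashes the message and returns the signature as fixed-width r || s.
// Each of r and s is reduced modulo N, so the encoding is exactly 2N bits.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	width := orderBytes(&priv.PublicKey)
	sig := make([]byte, 2*width)
	r.FillBytes(sig[:width])
	s.FillBytes(sig[width:])
	return sig, nil
}

// Verify succeeds only for the right public key (authentication, and the basis
// of non-repudiation) and the unchanged message (integrity).
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	width := orderBytes(pub)
	if len(sig) != 2*width {
		return false
	}
	r := new(big.Int).SetBytes(sig[:width])
	s := new(big.Int).SetBytes(sig[width:])
	digest := sha256.Sum256(msg)
	return ecdsa.Verify(pub, digest[:], r, s)
}

func main() {
	alice, _ := NewSigner()
	msg := []byte("constructed message: ship order 1187") // travels in the clear
	sig, _ := Sign(alice, msg)
	fmt.Printf("key size %d bits, signature %d bits\n", KeyBits(&alice.PublicKey), len(sig)*8)
	fmt.Println("genuine:", Verify(&alice.PublicKey, msg, sig))
	fmt.Println("altered:", Verify(&alice.PublicKey, []byte("constructed message: ship order 1188"), sig))
}
```

Because the message is the verifier's input, not something the signature conceals, a system that needs confidentiality must encrypt the message separately; signing alone leaves it readable to anyone on the path.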
45. Cryptographic key establishment schemes use which of the following?
a. Key transport and key agreement
b. Key wrapping and key confirmation
c. Key usage and key distribution
d. Key splits and key bundles
45. a. Cryptographic key establishment schemes are used to set up keys to be used between communicating entities. The scheme uses key transport and key agreement. Key transport is the distribution of a key from one entity to another entity. Key agreement is the participation of both entities in the creation of shared keying material (for example, keys and initialization vectors). The key establishment scheme does not deal with the other three choices.
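The following is an added example, not part of the original question set, showing both halves of key establishment side by side: key agreement with X25519, where each entity contributes a key pair and both derive the same shared key without either choosing it, and key transport with RSA-OAEP, where one entity generates the key and sends it encrypted to the other's public key. The hash-as-KDF step and the OAEP label "key-transport" are choices made for this demo.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ---- Key agreement: both entities contribute, neither picks the key ----

// Party holds one entity's ephemeral X25519 key pair.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

// Public is the value this party sends over the wire.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// AgreeKey combines our private key with the peer's public value and runs the
// raw shared secret through a hash as a simple key derivation step.
func (p *Party) AgreeKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// ---- Key transport: one entity picks the key and ships it encrypted ----

const transportLabel = "key-transport" // OAEP label chosen for the demo

func NewRecipient() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// TransportKey generates a fresh 256-bit key and encrypts it to the
// recipient's RSA public key with OAEP.
func TransportKey(recipient *rsa.PublicKey) (key, encrypted []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, []byte(transportLabel))
	return key, encrypted, err
}

// ReceiveKey recovers the transported key with the recipient's private key.
func ReceiveKey(recipient *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, recipient, encrypted, []byte(transportLabel))
}

func main() {
	a, _ := NewParty()
	b, _ := NewParty()
	ka, _ := a.AgreeKey(b.Public())
	kb, _ := b.AgreeKey(a.Public())
	fmt.Println("agreement: both sides derived the same key:", bytes.Equal(ka, kb))

	r, _ := NewRecipient()
	key, enc, _ := TransportKey(&r.PublicKey)
	got, _ := ReceiveKey(r, enc)
	fmt.Println("transport: recipient recovered the sent key:", bytes.Equal(key, got))
}
```

The two approaches differ in who controls the key: in transport the sender does, so the recipient must trust the sender's random number generator; in agreement neither side can force the outcome alone, and a third party holding only the public values derives something different.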
46. Network communication channels contain unintentional errors due to transmission media and create network congestion, leading to lost packets. Which of the following statements is incorrect about forward error-correcting codes?
a. Forward error-correcting codes are a subset of non-cryptographic checksums.
b. Forward error-correction mechanism should be applied before encryption.
c. Forward error-correcting codes can correct a limited number of errors without retransmission.
d. Forward error-correction mechanism should be applied after encryption.
46. b. Forward error-correcting codes are a subset of noncryptographic checksums (i.e., they use an algorithm without secret information in terms of a cryptographic key) that can be used to correct a limited number of errors without retransmission. If forward error-correction is applied before encryption and errors are inserted in the ciphertext during transmission, it is difficult to decrypt, thus making the errors uncorrectable. Therefore, it is preferable to apply the forward error-correction mechanism after the encryption process. This will allow the error correction by the receiving entity’s system before the ciphertext is decrypted, resulting in correct plaintext.