a. Hash function
b. Digital certificate
c. Handwritten signature
d. Certificate authority
56. a. A digital signature provides for nonrepudiation of origin. A simpler alternative to a digital signature is a hash function, where the message is indexed to a digest for integrity checking. It requires that both parties trust one another. However, it is of limited use because it does not provide for repudiation of origin.
A digital certificate contains identification information about its holder. It includes a public key and a unique private key. Exchanging keys and certificates allows two parties to verify each other’s identities before communicating. A handwritten signature is similar to a digital signature in that it places a unique mark on a document that verifies the identity of the sender. A major problem with the handwritten signature is that it can be forged. A certificate authority is a third party that distributes public and private key pairs.
57. Which of the following need to be archived?
a. Domain parameters
b. Shared secrets
c. Random number generator seeds
d. Intermediate results
57. a. Domain parameters should be archived until all keying material, signatures, and signed data using the domain parameters are removed from the archive. The other three choices should not be archived due to their secrecy and because they are temporary in nature. One exception is that a shared secret is sometimes permanent as in a preshared key (PSK) for a site-to-site IPsec VPN.
58. If cryptographic key materials are compromised, the compromise recovery process can be relatively simple and inexpensive for which of the following?
a. Symmetric keys used by a single user
b. A certification authority’s private key
c. A key used to protect a large number of stored keys
d. Keys used by many users of large distributed databases
58. a. Where symmetric keys or private asymmetric keys are used to protect only a single user’s local information in communications between a single pair of users, the compromise recovery process can be relatively simple and inexpensive. The damage assessment and mitigation measures are often local matters. On the other hand, damage assessment can be complex and expensive where (i) a key is shared by or affects a large number of users, (ii) a certification authority’s (CA’s) private key is replaced, (iii) transport keys are widely used, (iv) keys are used by many users of large distributed databases, and (v) a key is used to protect a large number of stored keys.
59. The strength of all cryptographically based mechanisms lies in large part in which of the following?
a. The strength of the cryptographic algorithm
b. The protection provided to secret key material
c. The strength of the key size
d. The security of communication protocol
59. b. For all cryptographically based mechanisms, the strength of the mechanism lies partly in the strength of the cryptographic algorithm (including key size), partly in the security of any communication protocol, and in large part, in the protection provided to secret key material (i.e., keys and initialization vectors). A secret key is a symmetric key that is not made public and requires protection from disclosure.
60. Which of the following is not the recommended combination of authentication type key, digital signature key, and key establishment key respectively?
a. RSA 1024, RSA 2048, and DH 2048
b. ECDSA P-256, ECDSA P-256, and RSA 2048
c. RSA 1024, RSA 2048, and RSA 2048
d. ECDSA P-384, ECDSA P-384, and ECDH P-384
60. b. In general, protocols and applications are designed to use cryptographic algorithms from one mathematical family. For most uses, digital signature keys and key establishment keys should provide consistent cryptographic strength. For example, applications that encounter certificates with elliptic curve digital signature algorithm (ECDSA) digital signatures would expect to use elliptic curve Diffie-Hellman (ECDH) for the key establishment key. Rivest, Shamir, and Adleman (RSA) is not compatible with ECDSA, whereas it is compatible with DH. It is advisable that users obtain an authentication type key, a digital signature key, and a key establishment key that are complementary in nature to ensure that the keys can be used together in protocols and applications. Complementary algorithms for public keys enhance interoperability.
61. Which of the following is the major reason for the transport layer security (TLS) protocol to provide end-to-end reliable delivery of data and messages?
a. Cyclical redundancy checks
b. Message reassembly
c. Forward error correction technique
d. Message fragmentation
61. b. Reliable delivery of data implies that all messages presented to the sending TCP/IP stack are delivered in proper sequence by the receiving TCP/IP stack. These messages may be broken up into packets and fragmented or segmented as they are sent and routed through any arrangement of local-area, wide-area, or metropolitan-area networks. During routing through networks, data are augmented with cyclical redundancy checks or forward error correction techniques to help ensure that the delivered messages are identical to the transmitted messages. Reliable delivery means that the messages are properly reassembled and presented in proper sequence to the peer protocol TLS entity. Here, the TLS relies on the communications functionality of the OSI/ISO lower layer protocols.
62. The transport layer security (TLS) protocol version 1.1 mandates the use of which of the following cipher suites?
a. TLS and DES with RC4-40, RC2-CBC-40, and DES-40
b. TLS and DHE-DSA with 3DES-EDE-CBC and SHA-1
c. TLS and DHE-DSS with 3DES-EDE-CBC and SHA-1
d. TLS and RSA with 3DES-EDE-CBC and SHA-1
62. d. The TLS version 1.1 mandates the use of the TLS and RSA with 3DES-EDE-CBC and SHA-1 cipher suite, and is more commonly used. The DES with RC4-40, RC2-CBC-40, and DES-40 cannot be combined with TLS because the algorithm is deprecated. The TLS and DHE-DSA with 3DES-EDE-CBC and SHA-1 is not often used. The TLS version 1.0 uses the TLS and DHE-DSS with 3DES-EDE-CBC and SHA-1.
63. The transport layer security (TLS) protocol’s security specification for ensuring the confidentiality goal is:
a. Rivest, Shamir, and Adleman (RSA)
b. Digital signature algorithm (DSA)
c. Triple-data encryption standard (3DES) using encryption-decryption-encryption (EDE) and cipher block chaining (CBC)
d. Message digest 5 (MD5)
63. c. The transport layer security (TLS) protocol’s security specification for ensuring the confidentiality goal is 3DES-EDE-CBC. RSA is used for key establishment, a DSA is used for digital signatures, and MD5 is used for hash function purposes.
64. What is a digital certificate?
a. A password-protected file
b. An encrypted file
c. A password-protected and encrypted file
d. A password-protected and modem-protected file