64. c. A digital certificate is a password-protected and encrypted file that contains identification information about its holder. It is not a modem-protected file.
65. Most commonly used X.509 certificates do not refer to which of the following?
a. Tamper-evident envelope
b. Attribute certificate
c. Public key certificate
d. Basic certificate content
65. b. The ISO/ITU-T X.509 standard defines two types of certificates: the X.509 public key certificate and the X.509 attribute certificate. Most commonly, an X.509 certificate refers to the X.509 public key certificate. The public key certificate contains three nested elements: (i) the tamper-evident envelope (digitally signed by the source), (ii) the basic certificate content (for example, identifying information and public key), and (iii) extensions that contain optional certificate information. The X.509 attribute certificate is less commonly used.
66. Which of the following features of Secure Hypertext Transfer Protocol (S-HTTP) achieves higher levels of protection?
a. Freshness feature
b. Algorithm independence feature
c. Syntax compatibility feature
d. Recursive feature
66. d. In the recursive feature, the message is parsed one protection at a time until it yields a standard HTTP content type. Here, protections are applied in layers, one layer after another to achieve higher levels of protection. S-HTTP uses a simple challenge-response to ensure that data being returned to the server is “fresh.” Algorithm independence means new cryptographic methods can be easily implemented. Syntax compatibility means that the standard HTTP messages are syntactically the same as secure HTTP messages.
67. The Secure Sockets Layer (SSL) transport protocol provides all the following services except:
a. Mutual authentication
b. Message privacy
c. Message integrity
d. Mutual handshake
67. d. The Secure Sockets Layer (SSL) is an open and nonproprietary protocol that provides services such as mutual authentication, message privacy, and message integrity. Mutual handshake is not done by SSL.
68. Which of the following can be used with traffic padding security mechanisms?
a. Passwords
b. Smart tokens
c. Encryption
d. Memory tokens
68. c. Traffic padding is a function that generates a continuous stream of random data or ciphertext. True data is mixed with extraneous data, making it difficult to deduce the amount of traffic (that is, to perform traffic analysis). Encryption is good with traffic padding because it can disguise the true data very well and requires a key to decipher the encrypted data.
Passwords are incorrect because they are most often associated with user authentication, not with traffic padding. Smart tokens and memory tokens are incorrect because they are also used to authenticate users. Memory tokens store, but do not process, information, whereas smart tokens both store and process information.
69. Effective controls to ensure data integrity of messages do not include:
a. Encryption algorithms
b. Hashing algorithms
c. File seals
d. File labels
69. d. File labels are used in computer job runs to process application systems data to ensure that the right file is used. Encryption algorithms, due to their encryption and decryption mechanisms and by keeping the encryption keys secure, provide integrity to the message transmitted or stored. Hashing algorithms are a form of authentication that provides data integrity. A file seal adds a separate signature to software and works in part with virus-checking software. When the file seal and virus-checking software signatures do not match, it is an indication that data integrity has been compromised.
70. During the design of data communication networks, a functional capability of providing link encryption and end-to-end encryption is addressed by which of the following?
a. Administrative control
b. Access control
c. Cost control
d. Technical control
70. b. Functional capabilities can be placed inside network components to control access and protect information from misuse. Automated access control systems can require users and systems to log on to a network by identifying themselves and providing an automated password or similar control. Link and end-to-end encryption devices can protect information from misuse during transmission over a circuit or through a network. Link encryption is the application of online crypto-operation to a link of a communications system so that all information passing over the link is encrypted in its entirety. End-to-end encryption is the encryption of information at its origin and decryption at its intended destination without any intermediate decryption.
Administrative control is incorrect because it deals with handling the paperwork associated with operating a network. The scope includes receiving requests for service from prospective users, notifying operations personnel of dates that devices should be connected and disconnected, maintaining a directory of network users and services, authorizing users to access the network, and issuing passwords.
Cost control is incorrect because it deals with cost recovery and avoidance. It includes price setting for network services and billing the users. The price of network services is often a function of the volume of information exchanged, the duration of usage, the distance between parties, and the time of day of usage.
Technical control is incorrect because it includes activities such as failure detection, problem diagnosis, and service restoration of network components. The scope includes alarms, status indicators, test-equipment interfaces, remote controls, and automatic monitoring.
71. Which of the following is an example of passive wiretapping?
a. Traffic analysis
b. Message modification
c. Message delay
d. Message deletion
71. a. Passive wiretapping includes not only information release but also traffic analysis (using addresses, other header data, message length, and message frequency). Security measures such as traffic padding can be used to prevent traffic analysis attacks. Active wiretapping includes message stream modifications, including delay, duplication, deletion, or counterfeiting.
72. What is a hash-based message authentication code (HMAC) based on?
a. Asymmetric key
b. Public key
c. Symmetric key
d. Private key
72. c. A hash-based message authentication code (HMAC) is based on a symmetric key authentication method using hash functions. A symmetric key is a cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code (MAC), and to verify the code.
Asymmetric key is incorrect because there are two related keys in asymmetric keys; a public key and a private key that are used to perform complementary operations, such as encryption and decryption, or signature generation and signature verification. Public key is incorrect because it is the public part of an asymmetric key pair that is typically used to verify signatures or encrypt data. Private key is incorrect because it is the secret part of an asymmetric key pair that is typically used to digitally sign or decrypt data.
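The symmetric-key point in answer 72 (the same key both creates and verifies the MAC) and the integrity point in answer 69 (hashing as a data-integrity control) can be seen together in the following added example, which is not part of the original text. The key and message values are constructed for illustration; the receiver functions are hypothetical helpers.

```python
import hashlib
import hmac

# Constructed sample values (not from the original text).
KEY = b"shared-symmetric-key-example"
MESSAGE = b"transfer 100 to account 42"


def create_mac(key: bytes, message: bytes) -> bytes:
    """Produce an HMAC-SHA256 tag with the shared symmetric key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag with the SAME symmetric key and compare in constant time.
    One key performs both the operation (create) and its inverse (verify)."""
    return hmac.compare_digest(create_mac(key, message), tag)


def plain_hash(message: bytes) -> bytes:
    """An unkeyed hash: it detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def receiver_checks_hash(message: bytes, digest: bytes) -> bool:
    """Hypothetical receiver that relies on an unkeyed hash for integrity."""
    return hmac.compare_digest(plain_hash(message), digest)


def receiver_checks_mac(message: bytes, tag: bytes) -> bool:
    """Hypothetical receiver that relies on HMAC with the shared key."""
    return verify_mac(KEY, message, tag)


def tamper_demo() -> dict:
    """Contrast the two integrity controls against a modified message."""
    altered = MESSAGE.replace(b"100", b"900")
    # Without the key, a modifier in transit can still recompute an unkeyed hash,
    # so the hash-only receiver accepts the altered message.
    hash_accepted = receiver_checks_hash(altered, plain_hash(altered))
    # Without the key, no valid HMAC tag for the altered message can be produced;
    # a tag made with any other key is rejected.
    mac_accepted = receiver_checks_mac(altered, create_mac(b"some-other-key", altered))
    return {
        "genuine_verifies": verify_mac(KEY, MESSAGE, create_mac(KEY, MESSAGE)),
        "hash_only_accepts_altered": hash_accepted,
        "hmac_accepts_altered": mac_accepted,
    }
```

The demo shows why a bare hash is an integrity control only against accidental change, while the symmetric key in HMAC is what turns the hash into an authentication check that a modifier without the key cannot satisfy.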