1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 154
Выбрать главу

A data checksum is incorrect because it catches errors that are the result of noise or other more natural or nonintentional sources. For example, most of these errors are due to human errors.

A digital signature is incorrect because it is a form of authenticator. It is decrypted using the secret decryption key and sent to the receiver. The receiver may encrypt, using the public key, and may verify the signature, but the signature cannot be forged because only the sender knows the secret decryption key. Nonpublic key algorithms can also be used for digital signatures. The basic difference between the message authentication code and the digital signature is that although message authentication codes require a secret (private) key to verify, digital signatures are verifiable with a public key, that is, a published value. Message authentication codes are used to exchange information between two parties, where both have knowledge of the secret key. A digital signature does not require any secret key to be verified.

A cyclic redundancy check (CRC) is incorrect because it uses an algorithm for generating error detection bits, and the receiving station performs the same calculation as the transmitting station. If the results differ, then one or more bits are in error. Both message authentication codes and digital signatures operate with keys (whether public or private), are based on cryptography, and are hard to attack by intruders. On the other hand, data checksums and cyclic redundancy checks operate on algorithms, are not based on cryptography, and are easily attacked by intruders.

82. For security protection mechanisms for cryptographic data in storage, the encryption mechanism should not be easier to recover the key encrypting key than it is to recover the key being encrypted is a part of which of the following cryptographic service?

a. Confidentiality

b. Availability

c. Integrity

d. Labels

82. a. For confidentiality service, encryption with an approved algorithm is needed for the cryptographic module. Moreover, the encryption mechanism should not be an easier way to recover the key encrypting key than it is to recover the key being encrypted. In other words, recovering the key being encrypted should be relatively easier and recovering the key encrypting key should be difficult.

83. Which of the following is least effective in verifying against malicious tampering?

a. Message authentication code

b. Digital signatures

c. Message digests

d. Cyclic redundancy code

83. d. Checksums are of two types: a cryptographic checksum and a noncryptographic checksum. A cyclic redundancy code is a noncryptographic checksum, which is designed to detect random bit changes, not purposeful alterations or malicious tampering. These checksums are good at finding a few bits changed at random.

The other three incorrect choices are based on cryptographic checksum techniques. Message authentication code is a message digest with a password attached to it. The intent is that someone cannot re-create the code with the same input unless that person also knows the secret key (password). A digital signature is a message digest encrypted with someone’s private key to certify the contents. Digital signatures perform three important functions: integrity, authentication, and nonrepudiation. A message digest is a hash code produced by a mathematical function. It takes variable length input and reduces it to a small value, and a small change in the input results in a significant change in the output.

Secure hash algorithms create a short message digest. The message digest is then used, with the sender’s private key and the algorithm specified in digital signature standard, to produce a message-specific signature. Verifying the digital signature standard involves a mathematical operation on the signature and message digest, using the sender’s public key and the hash standard.

84. What is password hashing?

a. Storing a hash of the password

b. Storing the password in a clear text and encrypting it as needed

c. Guessing a password

d. Cracking a password

84. a. Password hashing requires storing a password in its hash form, which is better than storing an unencrypted password. When a password is supplied, it computes the password’s hash and compares it with the stored value. If they match, the password is correct. An attacker cannot derive the password from the hashes. It is good to hide the hashed password list.

The other three incorrect choices are weak forms of handling a password. Encrypting passwords leads to judgmental errors. A password can be easily guessed if the user selects the password from a word dictionary. An exhaustive search may then “crack” the password.

85. Which of the following statements is true about message padding?

a. It is the same as traffic padding.

b. It is similar to a data checksum.

c. It is adding additional bits to a message.

d. It is the same as one-time pad.

85. c. Message padding adds bits to a message to make it a desired length—for instance, an integral number of bytes. Traffic padding involves adding bogus traffic into the channel to prevent traffic analysis, which is a passive attack. Data checksums are digits or bits summed according to arbitrary rules and used to verify the integrity of data. The one-time pad contains a random number for each character in the original message. The pad is destroyed after its initial use.

86. What is a public key cryptographic algorithm that does both encryption and digital signature?

a. Rivest, Shamir, and Adelman (RSA)

b. Data encryption standard (DES)

c. International data encryption algorithm (IDEA)

d. Digital signature standard (DSS)

86. a. RSA’s technique can be used for document encryption as well as creating digital signatures. DSS is a public key cryptographic system for computing digital signatures only, but not for encryption. Both RSA and DSS appear to be similar. DES is a secret key cryptographic scheme. IDEA is also a secret key cryptographic scheme gaining popularity. Both DES and IDEA use secret (private) key algorithms, whereas DSS and RSA use public key algorithms.

87. What is a digital signature?

a. A form of authenticator

b. An actual signature written on the computer

c. The same as the checksum

d. Different from analog signature

87. a. A digital signature authorizes and legitimizes the transaction by using a secret decryption key to send it to the receiver. An actual signature written on the computer is incorrect because it is not an actual signature. Instead, a digital signature is decrypted using the secret decryption key and sent to the receiver. Checksum is incorrect because it is a technique to ensure the accuracy of transmission, and it ensures the integrity of files. There is no such thing as an analog signature because a digital signature is needed.

~ 154 ~