
88. What is a major drawback of digital certificates?

a. Certificate authority

b. Internet addresses

c. Message digest

d. Digital signature

88. b. A major drawback of digital certificates is that they do not identify individuals, only Internet addresses. A different person could use the same computer with bad intent and be seen as the legitimate owner of the digital certificate. The certificate authority, the message digest, and the digital signatures are the strengths of digital certificates.

89. Which of the following methods can prevent eavesdropping?

a. Authentication

b. Access controls

c. Encryption

d. Intrusion detection

89. c. Encryption can be used to prevent eavesdroppers from obtaining data traveling over unsecured networks. The items mentioned in the other three choices do not have the same features as encryption.

Authentication is the act of verifying the identity of a user and the user’s eligibility to access computerized information. Access controls determine what users can do in a computer system. Intrusion detection systems are software or hardware systems that detect unauthorized use of, or attack upon, a computer or network.

90. Which of the following is more secure?

a. Private key system

b. Public key system

c. Authentication key system

d. Encryption key system

90. b. The public key system is more secure because transmission involves the public key only; the private key is never transmitted and is kept secret by its holder. On the other hand, in a private key system, both the sender and the recipient know the secret key and thus it can be less secure. Authentication and encryption key systems are incorrect because they can be either public (more secure) or private (less secure) key systems.

91. For security protection mechanisms for cryptographic data in transit, side channel attacks are possible in which of the following cryptographic services?

a. Confidentiality

b. Availability

c. Integrity

d. Labels

91. c. Improper error handling during a transmission between a sender and a receiver can result in side channel attacks, which can result in integrity failures. A security policy should define the response to such a failure. Remedies for integrity failures can include retransmission limited to a predetermined number of times and storing the error data in an audit log for later identification of the source of the error.

The other three choices do not allow side channel attacks because they do not deal with transmission errors. Confidentiality deals with privacy and nondisclosure of information, and more. Availability deals with making data and systems within the reach of users. Labels are used to identify attributes, parameters, or the intended use of a key.

92. Public key authentication systems:

a. Are faster than private key systems

b. Do not use digital signatures

c. Are slower than private key systems

d. Do not use alpha characters in the key

92. c. Public key methods are much slower than private key methods and cause overhead, which are their main disadvantages. The public key contains alphanumeric characters. Public key systems use digital signatures for authentication.

93. Which of the following is not a common route to data interception?

a. Direct observation

b. Data encryption

c. Interception of data transmission

d. Electromagnetic interception

93. b. There are three routes of data interception: direct observation, interception of data transmission, and electromagnetic interception. Data encryption can be a solution to data interception.

94. The combination of XEX tweakable block cipher with ciphertext stealing and advanced encryption standard (XTS-AES) algorithm was designed to provide which of the following?

1. Encryption of data on storage devices

2. Encryption of data in transit

3. Confidentiality for the protected data

4. Authentication of data

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

94. c. The XTS-AES mode was designed for the cryptographic protection of data on storage devices that use fixed length data units, and it was not designed for encryption of data in transit. This mode also provides confidentiality for the protected data but not authentication of data or access control.

95. Which of the following is not used for public key infrastructure-based (PKI-based) authentication of system users?

a. Validates certificates by constructing a certification path to an accepted trust anchor

b. Establishes user control of the corresponding private key

c. Maps the authenticated identity to the user account

d. Uses a RADIUS server with extensible authentication protocol and transport layer security authentication

95. d. A RADIUS server with extensible authentication protocol (EAP) and transport layer security (TLS) authentication is used to identify and authenticate devices on LANs and/or WANs. It is not used for authenticating system users. The other three choices are used for PKI-based authentication of system users.

96. Message authentication code (MAC) provides which of the following security services?

a. Confidentiality and integrity

b. Authentication and integrity

c. Accountability and availability

d. Assurance and reliability

96. b. The message authentication code (MAC) provides data authentication and integrity. A MAC is a cryptographic checksum on the data that is used to provide assurance that the data has not changed and that the MAC was computed by the expected entity. It cannot provide other security services.

97. Which of the following are countermeasures against traffic analysis attacks?

1. Traffic flow signal control

2. Traffic encryption key

3. Traffic flow security

4. Traffic padding

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

97. d. Traffic flow security is a technique to counter traffic analysis attacks; it is the protection resulting from encrypting the source and destination addresses of valid messages transmitted over a communications circuit. Security is assured through the use of link encryption and because no part of the data is known to an attacker. Traffic padding, which generates mock communications or data units to disguise the amount of real data units being sent, also protects against traffic analysis attacks.