The application software maintenance scope covers updating passwords, deleting users from access lists, updating remote access, and changing roles and responsibilities of users and maintenance personnel, which are mostly routine in nature. The cryptographic key maintenance scope includes key archiving, key destruction, and key change, as it is mostly done in the disposal phase.
112. During the operational phase of cryptography, key recovery means which of the following?
1. Acquiring keying material from backup
2. Acquiring keying material by reconstruction
3. Binding keying material to information
4. Binding keying material to attributes
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
112. a. Acquiring the keying material from backup or by reconstruction is commonly known as key recovery. The other items deal with key registration, which results in the binding of keying material to information or attributes associated with a particular entity. A trusted third party (for example, Kerberos realm server or a PKI certification authority) performs the binding.
113. During the operational phase of cryptography, which of the following keying material does not require backup storage?
a. Domain parameters
b. Passwords
c. Audit information
d. Random number generator seed
113. d. The keying material backup on an independent, secure storage medium provides a source for key recovery. Keying material maintained in backup should remain in storage for at least as long as the same keying material is maintained in storage for normal operational use. Not all keys need be backed up. For example, random number generator (RNG) seed need not be backed up because it is a secret value that is used to initialize a deterministic random bit generator. In addition, storing the RNG seed would actually decrease the security of the keys by increasing the risk of the material being used to reverse-engineer the keys.
Domain parameters are incorrect because they can be backed up. It is a parameter used with some public key algorithm to generate key pairs, to create digital signatures, or to establish keying material. Passwords are incorrect because they can be backed up. A password is a string of characters (for example, letters, numbers, and other symbols) that are used to authenticate an identity or to verify access authorization. Audit information is incorrect because it can be backed up and can be used to trace events and actions.
114. During the post-operational phase of cryptography, which of the following keying material does not require archive storage?
a. Initialization vector
b. Audit information
c. Passwords
d. Domain parameters
114. c. During the post-operational phase, keying material is no longer in operational use, but access to the keying material may still be possible. A key management archive is a repository containing keying material and other related information of historical interest. Not all keying material needs to be archived. For example, passwords which often change need not be archived because storing passwords for the keys can increase the risk of disclosure.
Initialization vector is incorrect because it can be archived. It can be retained until it’s no longer needed to process the protected data. An initialization vector is a vector used in defining the starting point of a cryptographic process. Audit information can be archived and can be retained until no longer needed. Domain parameters are incorrect because they can be archived. These parameters can be retained until all keying material, signatures, and signed data using the domain parameters are removed from the archive.
115. Regarding cryptographic key management systems, which of the following require frequent audits?
a. Security plans
b. Security procedures
c. Human actions
d. Protective mechanisms
115. c. On a more frequent basis, the actions of the humans who use, operate, and maintain the system should be reviewed to verify that they continue to follow established security procedures. Strong cryptographic systems can be compromised by lax and inappropriate human actions. Highly unusual events should be noted and reviewed as possible indicators of attempted attacks on the system.
Security plans, security procedures, and protective mechanisms are incorrect because they are considered as part of the human actions audit and they continue to support the cryptographic key management policy.
116. Regarding cryptographic key management system survivability, which of the following keys need to be backed up to decrypt stored enciphered information?
1. Master keys
2. Key encrypting key
3. Public signature verification keys
4. Authorization keys
a. 1 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4
116. d. Without access to the cryptographic keys that are needed to decrypt information, organizations risk losing their access to that information. Consequently, it is prudent to retain backup copies of the keys necessary to decrypt stored enciphered information, including master keys, key encrypting keys, public signature verification keys, and authorization keys. These items should be stored until there is no longer any requirement for access to the underlying plain text information.
117. Which of the following is not a critical component of cryptographic key management system?
a. Point-to-point environment
b. Key distribution center environment
c. Key translation center environment
d. Key disclosure center environment
117. d. A cryptographic key management system must have three components to operate: a point-to-point environment, a key distribution center environment, and a key translation center environment. A key disclosure center environment is not relevant here.
118. Which of the following is not used to obtain nonrepudiation service?
a. Digital signatures
b. Digital message receipts
c. Integrity checks
d. Timestamps
118. c. Nonrepudiation services are obtained by employing various techniques or mechanisms such as digital signatures, digital message receipts, and timestamps, not integrity checks. Integrity checks are used with operating systems.
119. In cryptographic key management, key zeroization means which of the following?
a. Key recovery
b. Key regeneration