c. Key destruction

d. Key correction

119. c. Key zeroization means key destruction. It is a method of erasing electronically stored keys by altering the contents of key storage so as to prevent the recovery of keys. The other three choices do not need key zeroization. Key recovery is a function in the life cycle of keying material in that it allows authorized entities to retrieve keying material from the key backup or archive. Key regeneration and key correction are needed when a key is compromised.

120. Which of the following binds the identity of a user to his public key?

a. Private key technology and digital certificates

b. Symmetric key technology and digital signatures

c. Public key technology and digital certificates

d. Cryptographic key technology and electronic signatures

120. c. Binding an individual’s identity to the public key corresponds to the protection afforded to the individual’s private signature key. Digital certificates are used in this process.

121. Public key technology and digital certificates do not provide which of the following security services?

a. Authentication

b. Nonrepudiation

c. Availability

d. Data integrity

121. c. Public key technology and digital certificates can be used to support authentication, encryption, nonrepudiation, and data integrity, but not availability.

122. Quantum cryptography could be a possible replacement for public key algorithms used in which of the following computing environments?

a. Utility computing

b. On-demand computing

c. Quantum computing

d. Virtual computing

122. c. Quantum cryptography is related to quantum computing technology, but viewed from a different perspective. Quantum cryptography is a possible replacement for public key algorithms that hopefully will not be susceptible to the attacks enabled by quantum computing.

Quantum computing deals with large word size quantum computers in which the security of integer factorization and discrete log-based public-key cryptographic algorithms would be threatened. This would be a major negative result for many cryptographic key management systems that rely on these algorithms for the establishment of cryptographic keys. Lattice-based public-key cryptography would be resistant to quantum computing threats.

Utility computing means allowing users to access technology-based services without much technical knowledge. On-demand computing deals with providing network access for self-services. Virtual computing uses virtual machine with software that allows a single host to run one or more guest operating systems. Utility computing, on-demand computing, and virtual computing are part of cloud computing.

123. Which of the following is good practice for organizations issuing digital certificates?

a. Develop a consulting agreement.

b. Develop an employment agreement.

c. Develop a subscriber agreement.

d. Develop a security agreement.

123. c. Prior to issuance of digital certificates, organizations should require a “subscriber agreement” in place that the subscriber manually signs. This agreement describes his obligations to protect the private signature key, and to notify appropriate authorities if it is stolen, lost, compromised, unaccounted for, or destroyed. Often the provisions of a subscriber agreement can be placed into other documents such as an employment contract or security agreement.

124. Which of the following is required to accept digital certificates from multiple vendor certification authorities?

a. The application must be PKI-enabled.

b. The application must be PKI-aware.

c. The application must use X.509 Version 3.

d. The application must use PKI-vendor plug-ins.

124. c. Using the X.509 Version 3 standard helps application programs in accepting digital certificates from multiple vendor CAs, assuming that the certificates conform to consistent Certificate Profiles. Application programs either have to be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of X.509 Version 3 standard. Version 3 is more interoperable so that an application program can accept digital certificates from multiple vendor certification authorities. Version 3 standard for digital certificates provides specific bits that can be set in a certificate to ensure that the certificate is used only for specific services such as digital signature, authentication, and encryption.

125. Which of the following is primarily required for continued functioning of a public key infrastructure (PKI)?

a. Disaster recovery plans

b. Service level plans

c. Fraud prevention plans

d. Legal liability plans

125. a. At a minimum, organizations should consider establishing backup and recovery sites for their key PKI components (RA, CA, and Directories) that supply the services necessary for application programs to use certificates. A PKI is an infrastructure, like a highway. By itself, it does little. It is useful when application programs employ the certificates and services that it supports. The PKI is a combination of products, services, software, hardware, facilities, policies, procedures, agreements, and people that provide for and sustain secure interactions on open networks such as the Internet. The other three choices are the side effects of using a PKI, which also needs to be developed.

126. Which of the following can mitigate threats to integrity when public key cryptography is used?

a. Data checksums and secure hashes

b. Public key signatures and secure hashes

c. Cyclic redundancy checks and secure hashes

d. Simple checksums and secure hashes

126. b. Public key cryptography verifies integrity by using public key signatures and secure hashes. A secure hash algorithm (SHA) is used to create a message digest (hash). The hash can change if the message is modified. The hash is then signed with a private key. The hash may be stored or transmitted with the data. When the integrity of the data is to be verified, the hash is recalculated, and the corresponding public key is used to verify the integrity of the message.

127. Which of the following mitigate threats to nonrepudiation?

a. Secure hashes

b. Message digest 4

c. Message digest 5

d. Digital signatures and certificates

127. d. Data is electronically signed by applying the originator’s private key to the data. The resulting digital signature can be stored or transmitted with the data. Any party using the public key of the signer can verify the signature. If the signature is verified, then the verifier has confidence that the data was not modified after being signed and that the owner of the public key was the signer. A digital certificate binds the public key to the identity of the signer.

128. Regarding data sanitization practices in a cloud computing environment, which of the following is affected most when data from one subscriber is physically commingled with the data of other subscribers?