d. Using parity bit code
138. c. As a control, every encrypted message must contain some redundancy that carries no meaning for the message itself, such as a cryptographic hash or a Hamming code, used for error detection or correction, which makes the attacker work harder. The redundancy should not be in the form of “n” zeros at the start or end of a message because they yield predictable results to the attacker. Hamming code is based on Hamming distance, which is the number of bit positions in which two codewords differ. The codeword contains both data and check bits. The goal is to keep the Hamming distance shorter.
The cyclic redundancy code (CRC) is also known as the polynomial code, which is based on treating bit strings as representations of polynomials with coefficients of 0 and 1 only. Checksums based on CRC are not effective in detecting errors because they yield undetected errors due to the lack of random bits in the checksums. The CRC uses an algorithm for generating error detection bits in a data link protocol. The receiving station performs the same calculation as the transmitting station. If the results differ, then one or more bits are in error. CRC is not a cryptographically secure mechanism, unlike a cryptographic hash or message authentication code (MAC). Hence, CRC is least effective in verifying against malicious tampering of data.
The parity bit code is not as effective as the Hamming code because the former is used to detect single errors whereas the latter is used to detect both single and burst errors. Hence, the Hamming code is the most efficient way of detecting transmission errors.
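The contrast drawn in answer 138 between a CRC and a message authentication code, as an added example that is not part of the original text: both catch a random bit flip, but only the keyed MAC rejects a message that was deliberately rewritten. The key, the sample messages and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"  # assumption: known only to sender and receiver

def crc_frame(msg: bytes) -> bytes:
    """Message followed by its 4-byte CRC-32 (no secret involved)."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")

def crc_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def mac_frame(msg: bytes, key: bytes = KEY) -> bytes:
    """Message followed by its 32-byte HMAC-SHA256 tag."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def mac_ok(frame: bytes, key: bytes = KEY) -> bool:
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate line noise: invert one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def crc_is_affine(a: bytes, b: bytes) -> bool:
    """For equal-length inputs, crc(a XOR b) is fixed by crc(a) and crc(b)."""
    mixed = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)

def compare() -> dict:
    original = b"PAY 0100 TO ACCT 4471"   # constructed sample message
    rewritten = b"PAY 9100 TO ACCT 4471"  # same message after a deliberate change
    keyless_tag = hmac.new(b"not-the-key", rewritten, hashlib.sha256).digest()
    return {
        "crc_catches_noise": not crc_ok(flip_bit(crc_frame(original), 4)),
        "mac_catches_noise": not mac_ok(flip_bit(mac_frame(original), 4)),
        # Anyone can recompute a CRC, so a rewritten message still verifies.
        "crc_accepts_rewrite": crc_ok(crc_frame(rewritten)),
        # Without KEY the matching tag cannot be produced.
        "mac_rejects_rewrite": not mac_ok(rewritten + keyless_tag),
        "crc_affine": crc_is_affine(original, rewritten),
    }

if __name__ == "__main__":
    print(compare())
```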
139. For large volumes of data, asymmetric-key cryptography is not efficient to support which of the following?
a. Authentication
b. Confidentiality
c. Integrity
d. Nonrepudiation
139. b. Asymmetric key algorithms are used to achieve authentication, integrity, and nonrepudiation, and not to support confidentiality for handling large volumes of data efficiently. These algorithms are used to perform three operations: digital signatures, key transport, and key agreement. Although the asymmetric key is not efficient for handling large volumes of data, it can be used to encrypt short messages, thus providing confidentiality for short messages. The asymmetric key (public key) system is an encryption system that uses a public-private key pair for encrypting/decrypting data and for generating/verifying digital signatures.
140. The secure hash algorithm (SHA) and hash-based message authentication code (HMAC) provide the basis for which of the following?
a. Data integrity
b. Confidentiality
c. Authentication
d. Nonrepudiation
140. a. The secure hash algorithm (SHA) and hash-based message authentication code (HMAC) provide the basis for data integrity in electronic communications. They do not provide confidentiality and are a weak tool for authentication or nonrepudiation.
141. Which of the following is not part of public key infrastructure (PKI) data structures?
a. Public key certificate
b. Certificate revocation lists
c. Attribute certificate
d. Subject certificate
141. d. Two basic data structures are used in PKIs. These are the public key certificates and the certificate revocation lists (CRLs). A third data structure, the attribute certificate, may be used as an addendum. The certificate authority (CA) issues a public key certificate for each identity confirming that the identity has the appropriate credentials. CAs must also issue and process CRLs, which are lists of certificates that have been revoked. The X.509 attribute certificate binds attributes to an attribute certificate holder. This definition is being profiled for use in Internet applications. Subject certificate is meaningless here.
142. Which of the following is an example of an asymmetric encryption algorithm?
a. DH
b. DES
c. 3DES
d. IDEA
142. a. The concept of public-key cryptography (asymmetric encryption algorithm) was introduced by Diffie-Hellman (DH) to solve the key management problem with symmetric algorithms. The other three choices are incorrect because they are examples of symmetric encryption algorithms.
143. Which of the following are examples of cryptographic hash functions?
a. SHA and 3DES
b. DES and CBC
c. MD5 and SHA-1
d. DAC and MAC
143. c. Both message digests 4 and 5 (MD4 and MD5) are examples of hashing algorithms. They are effective when they work with SHA-1 algorithms. Cryptographic hash functions such as MD5 and SHA-1 execute much faster and use less system resources than typical encryption algorithms. The other three choices are not relevant here.
144. Which of the following statements is true about hash functions?
a. They produce a larger message digest than the original message.
b. They produce a much smaller message digest than the original message.
c. They produce the same size message digest as the original message.
d. They produce a much larger message digest than the original message.
144. b. Hash functions produce a much smaller message digest than the original message. Encrypting them saves time and effort and improves performance.
145. Which of the following is the best technique to detect duplicate transactions?
a. ECDSA and SHA
b. ECDSA and SHA-1
c. ECDSA and MID
d. ECDSA and MD5
145. c. When the elliptic curve digital signature algorithm (ECDSA) is used with a message identifier (MID), it provides the capability of detecting duplicate transactions. The MID operates on checking the sequence number of transactions.
146. Countermeasures against replay attacks do not include which of the following?
a. Time-stamps
b. Protocols
c. Nonces
d. Kerberos
146. b. The term “protocols” is too generic to be of any use. A replay attack refers to the recording and retransmission of message packets in the network. Nonces are random numbers that are unique and fresh each time they are used. Kerberos and timestamps go hand-in-hand.
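The duplicate-transaction check from answer 145 and the time-stamp and nonce countermeasures from answer 146, combined in one receiver as an added example that is not part of the original text. It authenticates with HMAC-SHA256 from the standard library instead of ECDSA; the key, the 30-second window, the strictly increasing MID (which assumes in-order delivery) and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: shared secret
MAX_SKEW = 30                  # assumption: accepted clock difference, seconds

def _tag(mid, ts, nonce, body, key):
    payload = json.dumps([mid, ts, nonce, body]).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign(mid, ts, nonce, body, key=KEY):
    """Sender side: MID, timestamp and nonce are all covered by the tag."""
    return {"mid": mid, "ts": ts, "nonce": nonce, "body": body,
            "tag": _tag(mid, ts, nonce, body, key)}

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.last_mid = 0  # highest message identifier accepted so far
        self.seen = {}     # nonce -> timestamp of the message that used it

    def accept(self, m, now):
        expected = _tag(m["mid"], m["ts"], m["nonce"], m["body"], self.key)
        if not hmac.compare_digest(expected, m["tag"]):
            return "bad-tag"
        if abs(now - m["ts"]) > MAX_SKEW:
            return "stale"
        # Nonces older than the window cannot pass the timestamp check again.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if m["nonce"] in self.seen:
            return "replayed-nonce"
        if m["mid"] <= self.last_mid:
            return "duplicate-mid"
        self.seen[m["nonce"]] = m["ts"]
        self.last_mid = m["mid"]
        return "ok"

def demo():
    rx = Receiver()
    m1 = sign(1, 1000, "n-a1", "transfer 100")  # constructed messages
    m2 = sign(2, 1005, "n-b2", "transfer 100")
    return [
        rx.accept(m1, 1001),                              # first delivery
        rx.accept(m1, 1002),                              # recorded and resent
        rx.accept(m2, 1006),                              # same body, new MID/nonce
        rx.accept(m1, 1100),                              # resent after the window
        rx.accept(dict(m2, body="transfer 900"), 1007),   # altered in transit
        rx.accept(sign(2, 1008, "n-c3", "transfer 100"), 1008),  # MID reused
    ]
```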
147. A cryptographic module is undergoing testing. Which of the following provides the highest level of testing?
a. Algorithm level
b. Module level
c. Application level
d. Product level
147. c. The highest level of testing occurs at the application or system level. This level is also called certification testing. Algorithm level and module level are incorrect because they provide low-level testing. Product level is incorrect because it is the next higher level above algorithm and module level testing.
148. For message digests to be effectively used in digital certificates, what must they be?