1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 163
Выбрать главу

b. It must have a proper contract.

c. It must be trusted.

d. It must have a good reputation.

159. c. A public key certificate is a credential that binds a key pair and the identity of the owner of the key (i.e., to a legal person). The necessary trust may come from several sources such as the role and independence of the certification authority, reputation, contract, management integrity, and other legal obligations.

160. Which of the following statements is true about elliptic curve cryptography?

a. It uses an asymmetric-key algorithm.

b. It competes with the Whitfield-Diffie algorithm.

c. It competes with the digital signature algorithm.

d. It uses a symmetric-key algorithm.

160. a. The elliptic curve is well suited for low bandwidth systems and uses an asymmetric-key algorithm for encryption. The Rivest, Shamir, and Adelman (RSA) and elliptic curve algorithms are used for encryption, where the latter is a new one with shorter key lengths and is less computationally intensive. The Whitfield-Diffie algorithm is used for secure key exchange. The digital signature algorithm is used only for digital signatures. Both Whitfield and digital signatures do not compete with elliptic curve.

161. What is the best way to encrypt data?

a. Bulk encryption

b. Link encryption

c. Transaction encryption

d. End-to-end encryption

161. b. There are two modes of implementation of encryption in a network, namely link (online) and end-to-end. Link encryption encrypts all the data along a communications path (for example, a satellite link, telephone circuit, or T1 line) and encrypts both headers and trailer of the packet, which is the best thing to do. It provides good protection against external threats such as traffic analysis because all data flowing on links can be encrypted, including addresses and routing information. Although a major advantage of link encryption is that it is easy to incorporate into network protocols at the lower levels of the OSI model, a major disadvantage is that it encrypts and decrypts a message several times at each link or node in the clear text, thus leading to node compromise.

Bulk encryption is simultaneous encryption of all channels of a multichannel telecommunications trunk. Transaction encryption is used in the payment card industry, perhaps using secure electronic transaction (SET) protocol for secure transactions over the Internet.

In end-to-end encryption, a message is encrypted and decrypted only at endpoints, does not encrypt headers and trailers, and operates at the higher levels of the OSI model, thereby largely circumventing problems that compromise intermediate nodes. In this type of encryption, routing information remains visible and is a potential risk.

162. What is the correct sequence of keys in a triple data encryption standard (3DES) algorithm operating with three keys?

a. Encrypt-decrypt-encrypt

b. Decrypt-encrypt-decrypt

c. Encrypt-encrypt-encrypt

d. Decrypt-decrypt-decrypt

162. c. With three keys operating, the sequence is encrypt-encrypt-encrypt, that is, one key is used for each mode of operation. Encrypt-decrypt-encrypt is incorrect because it is an example of operating with two keys where the first key is used to encrypt, the second key is to decrypt, and the first key again to encrypt. The other two choices are not meaningful here.

163. Which of the following is best qualified to evaluate the security of Public Key Infrastructure (PKI) systems and procedures?

a. Certification authorities

b. Registration authorities

c. Trusted third parties

d. Subscribers

163. c. Trusted third parties, who are independent of the certification and registration authorities and subscribers and who are employed by independent audit or consulting organizations are good candidates to conduct security evaluations (for example, reviews and audits) of the PKI systems and procedures. A written report is published after the security evaluation. A certification authority is a person or institution that is trusted and can vouch for the authenticity of a public key. The authority can be a principal or a government agency that is authorized to issue a certificate. A registration authority manages the certificate life cycle in terms of maintenance and revocation. Subscribers include both individuals and business organizations that use the certificate in their businesses.

164. Which of the following statements is not true about Secure Sockets Layer (SSL)?

a. It uses both symmetric and asymmetric key cryptography.

b. It is used to perform authentication.

c. It is a point-to-point protocol.

d. It is a session-oriented protocol.

164. c. Secure sockets layer (SSL) uses a combination of symmetric and asymmetric key cryptography to perform authentication and encryption services. It is a session-oriented protocol used to establish a secure connection between the client and the server for a particular session. SSL is not a point-to-point protocol.

165. The two protocol algorithms used in cryptographic applications for compressing data are which of the following?

a. SHA1 and MD5

b. 3DES and IDEA

c. DSA and DSS

d. RSA and SKIPJACK

165. a. The secure hash algorithm (SHA1) produces a 160-bit hash of the message contents. Message digest 5 (MD5) produces a 128-bit hash of the message contents. Many cryptographic applications generate and process both SHA1 and MD5. These are faster and take less space to store data. The algorithms mentioned in the other three choices do not have the ability to compress data. 3DES uses a 168-bit key.

166. Which of the following statements is not true about asymmetric-key cryptography?

a. It is used to provide an authentication service.

b. It is used to provide a digital signature service.

c. It can be used to encrypt large amounts of data.

d. It can be used to provide nonrepudiation service.

166. c. A disadvantage of asymmetric-key cryptography is that it is much slower than symmetric-key cryptography and is therefore impractical or efficient for use in encrypting large amounts of data. The other three choices are examples of advantages of using the asymmetric-key cryptography.

167. What is the major purpose of a digital certificate?

a. To achieve the availability goal

b. To maintain more information on the certificate

c. To verify the certificate authority

d. To establish user and device authentication

167. d. Digital certificates are used as a means of user and device authentication. Entities can prove their possession of the private key by digitally signing known data or by demonstrating knowledge of a secret exchanged using public-key cryptographic methods.

168. For integrity protection, most Internet Protocol security (IPsec) implementations use which of the following algorithms?

~ 163 ~