175. Which of the following provides both integrity and confidentiality services for data and messages?
a. Digital signatures
b. Encryption
c. Cryptographic checksums
d. Granular access control
175. b. An encryption security mechanism provides security services such as confidentiality, integrity, and authentication: the cipher keeps the content confidential, and a keyed integrity check over the data (a cryptographic checksum or message authentication code, which modern authenticated-encryption modes bundle with the cipher) detects modification. The data and message integrity service helps to protect data and software on workstations, file servers, and other local-area network (LAN) components from unauthorized modification, which can be intentional or accidental.
The use of cryptographic checksums and granular access control and privilege mechanisms can provide this service. The more granular the access control or privilege mechanism, the less likely an unauthorized or accidental modification can occur.
The data and message integrity service also helps to ensure that a message is not altered, deleted, or added to in any manner during transmission. A message authentication code (MAC), which is a type of keyed cryptographic checksum, protects against both accidental and intentional unauthorized modification, because an attacker without the key cannot recompute a valid tag after changing the data; an unkeyed checksum such as a CRC catches only accidental corruption. Digital signatures, which use public key cryptography (the sender signs with a private key and anyone holding the matching public key verifies), can also be used to detect the modification of data or messages. A digital signature provides two distinct services: nonrepudiation and message integrity. A MAC gives a comparable integrity check between two parties that share the key, but not nonrepudiation, because either holder of the shared key could have produced the tag. Nonrepudiation helps ensure that the parties or entities in a communication cannot deny having participated in all or part of the communication.
176. Which of the following independent statements is not true about security?
a. The security of the cryptography can never be greater than the security of the people using it.
b. The security of any electronic-mail program cannot be greater than the security of the machine where the encryption is performed.
c. The security of an encryption algorithm is no more or less than the security of the key.
d. Each electronic-mail message is encrypted with a standard, nonrandom key.
176. d. Each electronic-mail message is encrypted with its own unique key: the mail program generates a random session key, encrypts the message with it, and then protects that session key for the recipient. The other statements are true: (i) the security of the cryptography can never be greater than the security of the people using it, because people choose, handle, and leak the keys and passphrases; (ii) the security of any electronic-mail program cannot be greater than the security of the machine where the encryption is performed, because the plaintext, keys, and passphrases pass through that machine and anyone who controls it can read or alter them; and (iii) the security of an encryption algorithm is no more or less than the security of the key, because, assuming the algorithm itself is sound, the key is what an attacker must obtain or guess.
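As an added example for questions 175 and 176 (this code is not from the original page), the stdlib-only Python below builds the pieces the two answers name: an unkeyed checksum, a stream cipher used on its own, encrypt-then-MAC, and a fresh random session key per message. The stream cipher is a keystream generated from HMAC-SHA256 in counter mode, the subkey derivation is a plain hash with domain separation, and the recipient's public key of a real mail system is stood in for by a symmetric key-encryption key; those choices, the function names, and the sample message are assumptions of the example.

```python
import hashlib
import hmac
import os
import zlib

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Keystream from a PRF: HMAC-SHA256(key, nonce || counter), one 32-byte block per counter."""
    n_blocks = (length + 31) // 32
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(n_blocks))
    return ks[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key, nonce, data):
    """Stream encryption by itself: confidentiality, but no integrity (the output is malleable)."""
    return _xor(data, _keystream(key, nonce, len(data)))


decrypt_only = encrypt_only  # XOR with the same keystream undoes the encryption


def _subkeys(key):
    # Simple domain-separated derivation (an assumption of this example; use HKDF in real systems).
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, plaintext):
    """Encrypt-then-MAC: fresh nonce, ciphertext, then a tag over nonce || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Check the tag first and only then decrypt; returns None if the data was modified."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def encrypt_mail(kek, message):
    """Question 176: a random session key per message. The message is sealed under the session
    key and the session key under the long-term key-encryption key kek (which here stands in for
    the recipient's public key used by real mail encryption)."""
    session_key = os.urandom(32)
    return seal(kek, session_key), seal(session_key, message)


def decrypt_mail(kek, wrapped_key, body):
    session_key = unseal(kek, wrapped_key)
    return None if session_key is None else unseal(session_key, body)


def flip_bit(data, index):
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo():
    """Constructed inputs; returns the outcome of each check as a dict of booleans."""
    key = os.urandom(32)
    msg = b"PAY 100 TO ALICE"
    results = {}

    # An unkeyed checksum catches accidental corruption ...
    results["crc_detects_accident"] = zlib.crc32(flip_bit(msg, 4)) != zlib.crc32(msg)
    # ... but an attacker who edits the message just recomputes it, and the verifier accepts.
    forged = msg.replace(b"ALICE", b"MALLORY")
    data, attached_crc = forged, zlib.crc32(forged)
    results["crc_accepts_forgery"] = zlib.crc32(data) == attached_crc

    # Encryption alone: flipping a ciphertext bit flips the same plaintext bit, undetected.
    nonce = os.urandom(NONCE_LEN)
    ct = encrypt_only(key, nonce, msg)
    results["encryption_only_malleable"] = decrypt_only(key, nonce, flip_bit(ct, 4)) == flip_bit(msg, 4)

    # Encrypt-then-MAC: the same flip is rejected before any plaintext is released.
    blob = seal(key, msg)
    results["mac_rejects_tamper"] = unseal(key, flip_bit(blob, NONCE_LEN + 4)) is None
    results["roundtrip"] = unseal(key, blob) == msg

    # Per-message keys: sending the same text twice gives different wrapped keys and ciphertexts.
    w1, b1 = encrypt_mail(key, msg)
    w2, b2 = encrypt_mail(key, msg)
    results["per_message_keys_differ"] = w1 != w2 and b1 != b2 and decrypt_mail(key, w1, b1) == msg
    return results
```

The ordering in `unseal` is the point of the design: the tag is compared in constant time and the ciphertext is decrypted only after it matches, so a modified message never reaches the application. `demo()` shows each property of the answers as a boolean, including the malleability of encryption used without an integrity check.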
177. Which of the following statements about encryption is not true?
a. Software encryption degrades system performance.
b. Hardware encryption is faster.
c. Encryption is a desirable option in a local-area network.
d. Key management is an administrative burden.
177. c. Encryption is a desirable option in a mainframe environment but not in a local-area network (LAN) environment due to performance problems. Hardware-based encryption is faster, but software-based encryption degrades system performance. In addition, the keys used for encryption require management's attention in terms of key distribution and disposition. Therefore, encryption is not a desirable option for LANs. As CPU capacity increases, it could become a desirable option for LANs for mitigating insider risks.
178. Which of the following encryption schemes is more secure?
a. Encrypting once with the same key
b. Encrypting twice with the same key
c. Encrypting twice with two keys
d. Multiple encryptions with different keys
178. d. Encrypting several times with independent keys generally raises the work an attacker faces, and triple encryption is stronger than double or single encryption, provided the cipher does not form a group under composition (DES does not) and the keys are independent. However, cost and overhead increase with the number of encryptions, and system performance degrades accordingly.
For example, double DES with two independent keys gives an effective strength of only about 2^57 operations, not the 2^112 its combined key length suggests, because of the meet-in-the-middle attack: the attacker encrypts a known plaintext under every candidate first key, stores the results, decrypts the matching ciphertext under every candidate second key, and looks for a value that appears in both sets. Two-key double encryption is therefore barely better than single DES, and 3DES (triple DES) should be considered instead.
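The meet-in-the-middle attack in working form, as an added example that is not from the original page. It runs against a made-up 32-bit Feistel toy cipher with a 16-bit key (not DES; the cipher, its key schedule, and the sample keys and plaintexts are assumptions chosen so the full attack finishes in seconds): double encryption with two keys has a 32-bit key space, but the attack recovers both keys with about 2 * 2^16 cipher calls instead of 2^32. The two-key triple encryption at the end is the EDE shape 3DES uses, which pushes the table side of the attack back to 2^32 entries.

```python
MASK16 = 0xFFFF
ROUNDS = 4


def _rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16 if n else x


def _round_keys(key):
    """Four 16-bit subkeys from a 16-bit key (toy schedule: rotate and mix a constant)."""
    return [_rotl16(key, 3 * i) ^ ((0x9E37 * (i + 1)) & MASK16) for i in range(ROUNDS)]


def _f(r, k):
    x = (r + k) & MASK16
    return _rotl16(x, 5) ^ (x >> 3)


def toy_encrypt(block, key):
    """Toy 32-bit Feistel block cipher, 16-bit key: invertible, fast, deliberately tiny."""
    l, r = block >> 16, block & MASK16
    for k in _round_keys(key):
        l, r = r, l ^ _f(r, k)
    return (l << 16) | r


def toy_decrypt(block, key):
    l, r = block >> 16, block & MASK16
    for k in reversed(_round_keys(key)):
        l, r = r ^ _f(l, k), l
    return (l << 16) | r


def double_encrypt(block, k1, k2):
    return toy_encrypt(toy_encrypt(block, k1), k2)


def double_decrypt(block, k1, k2):
    return toy_decrypt(toy_decrypt(block, k2), k1)


def triple_encrypt_2key(block, k1, k2):
    """EDE with two keys, the 3DES shape: E_k1(D_k2(E_k1(x)))."""
    return toy_encrypt(toy_decrypt(toy_encrypt(block, k1), k2), k1)


def triple_decrypt_2key(block, k1, k2):
    return toy_decrypt(toy_encrypt(toy_decrypt(block, k1), k2), k1)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double encryption from known (plaintext, ciphertext) pairs.

    Forward table: E_k1(p0) -> [k1] for every k1 (2^16 encryptions, 2^16 entries).
    Then for every k2 compute D_k2(c0) and look it up (2^16 decryptions).
    Returns (k1, k2, cipher_calls) or None."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << 16):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    calls = 1 << 16
    for k2 in range(1 << 16):
        calls += 1
        mid = toy_decrypt(c0, k2)
        for k1 in forward.get(mid, ()):
            # A chance match on one pair is filtered out by the remaining pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                return k1, k2, calls
    return None


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xABCD   # assumed secret keys
    pts = [0xDEADBEEF, 0x01234567, 0x89ABCDEF]   # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in pts]
    print(meet_in_the_middle(pairs))   # (0x1234, 0xABCD, ~131072) instead of up to 2^32 trials
```

The attack trades memory for time: the forward table holds one entry per candidate first key, which for real DES would be 2^56 entries, so the practical obstacle is storage rather than computation, and the effective strength is still far below the 2^112 that two keys suggest.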
179. Which of the following technologies are required to ensure reliable and secure telecommunications networks?
a. Cryptography and trusted encryption keys
b. Advanced identification and authentication techniques and cryptography
c. Firewalls, cryptography, and trusted encryption keys
d. Cryptography, advanced identification and authentication techniques, firewalls, and trusted encryption keys
179. d. Secure and reliable telecommunications networks must have effective ways for authenticating information and assuring the confidentiality of information. There is no single technology or technique that can produce the needed security and reliability of networks. A range of technologies, including cryptography, improved identification and authentication technologies, and firewalls will be required, along with trusted encryption keys and security management infrastructures.
180. Which of the following should not be subject to review during a periodic review of a cryptographic system?
a. Parameters
b. Operations
c. Keys
d. Controls
180. c. A cryptographic system should be monitored and periodically reviewed to ensure that it is satisfying its security objectives. All parameters associated with correct operation of the cryptographic system should be reviewed, and operation of the system itself should be periodically tested and the results evaluated. Certain information, such as secret keys (or private keys in public key systems), should not be subject to review, because disclosing them to reviewers would itself compromise the system; nonsecret test keys can be used instead in a simulated review procedure. Physical protection of the cryptographic module is required to prevent physical replacement or modification of the cryptographic system.
181. Which of the following threats is not addressed by digital signatures and random number challenges?
a. Masquerade
b. Replay attacks
c. Password compromise
d. Denial-of-service
181. d. Denial-of-service (DoS) is any action or series of actions that prevent any part of a system from functioning in accordance with its intended purpose. This includes any action that causes the unauthorized destruction, modification, or delay of service.
By using a private key to generate digital signatures for authentication, it becomes computationally infeasible for an attacker to masquerade as another entity without that key. Using random number challenges (tokens) and digital signatures eliminates the need for transmitting passwords for authentication, thus reducing the threat of their compromise. A random number challenge also prevents an intruder from copying an authentication token signed by another user and replaying it successfully later, but only if a fresh, unpredictable challenge is generated for each authentication exchange and each challenge is accepted once. None of this stops an attacker from flooding the verifier with requests, which is why denial-of-service is the threat these mechanisms do not address.
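The exchange described above, as an added example that is not part of the original page: the verifier sends a fresh random challenge, the claimant returns it signed with a private key, and the verifier checks the signature against a registered public key while consuming the challenge so it cannot be used twice. The signature scheme is a toy textbook RSA (short primes, no padding, stdlib only) written for this illustration and not for real use; the user name, message framing, and the three attack cases are likewise assumptions of the example.

```python
import hashlib
import os
import random
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(prime_bits=160):
    """Toy textbook RSA key pair: (public (n, e), private (n, d)). Illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(prime_bits), _random_prime(prime_bits)
        if p != q and (p - 1) * (q - 1) % e != 0:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits, below the 320-bit n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def _auth_message(user, nonce):
    return b"auth-response:" + user.encode() + b":" + nonce   # bind the signature to its purpose


class Verifier:
    """Holds only public keys (no passwords) and at most one outstanding challenge per user."""

    def __init__(self, public_keys):
        self.public_keys = public_keys
        self.outstanding = {}

    def challenge(self, user):
        nonce = os.urandom(16)   # fresh, unpredictable challenge for every exchange
        self.outstanding[user] = nonce
        return nonce

    def check_response(self, user, nonce, signature):
        expected = self.outstanding.pop(user, None)   # consumed on first use: no replay
        if expected is None or expected != nonce or user not in self.public_keys:
            return False
        return verify(self.public_keys[user], _auth_message(user, nonce), signature)


def respond(user, private_key, nonce):
    """Claimant side: prove possession of the private key by signing the challenge."""
    return sign(private_key, _auth_message(user, nonce))


def run_demo():
    alice_pub, alice_priv = rsa_keygen()
    _, mallory_priv = rsa_keygen()
    server = Verifier({"alice": alice_pub})

    n1 = server.challenge("alice")              # server -> alice: nonce
    s1 = respond("alice", alice_priv, n1)       # alice -> server: Sig_alice(nonce)
    legit = server.check_response("alice", n1, s1)
    replay = server.check_response("alice", n1, s1)            # captured (n1, s1) sent again
    n2 = server.challenge("alice")
    stale = server.check_response("alice", n2, s1)             # old signature, new challenge
    n3 = server.challenge("alice")
    masquerade = server.check_response("alice", n3, respond("alice", mallory_priv, n3))
    return {"legit": legit, "replay": replay, "stale_signature": stale, "masquerade": masquerade}
```

`run_demo()` returns True only for the genuine exchange: the replayed pair fails because the challenge was consumed, the old signature fails against a new challenge because it does not cover that nonce, and Mallory's signature fails because her key is not the one registered for Alice. Nothing secret crosses the wire, which is why password compromise is off the table; what the verifier cannot prevent is being asked for challenges faster than it can serve them.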