182. Electronic signatures and handwritten signatures are useful in their own ways. Which of the following statements is not true about these two types of signatures?

a. Both signatures have the same legal status.

b. Both signatures are subject to forgery with equal difficulty.

c. Both signatures link a document with a particular person.

d. Both signatures are subject to trickery or coercion.

182. b. An electronic signature is a cryptographic mechanism that performs a similar function to a handwritten signature. It is used to verify the origin and contents of a message. For example, a recipient of data (such as an e-mail message) can verify who signed the data and that the data was not modified after being signed. This also means that the originator (for example, sender of an e-mail message) cannot falsely deny having signed the data. Electronic signatures are difficult to forge; although, written signatures are easily forged. Electronic signatures can use either secret (private) key or public key cryptography; however, public key methods are generally easier to use.

The other three choices are incorrect because they are true statements. In general, electronic signatures have received the same legal status as that of written signatures. Cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures rely on the secrecy of the keys, the link or binding between the owner of the key, and the key itself. If a key is compromised due to social engineering by theft, coercion, or trickery, then the electronic originator of a message may not be the same as the owner of the key. Although the binding of cryptographic keys to actual people is a significant problem, it does not necessarily make electronic signatures less secure than written signatures. Trickery and coercion are problems for written signatures as well.

183. Which of the following security services or statements is not true about the U.S. digital signature standard (DSS)?

a. It generates a digital signature.

b. It does not require a third-party certificate.

c. It assures nonrepudiation of a message.

d. It verifies a digital signature.

183. b. A digital signature provides two distinct services: nonrepudiation and message integrity. The digital signature standard (DSS) specifies a digital signature algorithm (DSA) that should be used when message and data integrity is required. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and the integrity of the data can be verified.

The DSA provides the capability to generate and verify digital signatures. Signature verification makes use of a public key that corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. It is assumed that the public knows about public keys. Private keys are never shared. Anyone can verify the signature of a user by employing that user’s public key. Only the possessor of the user’s private key can perform signature generation. Because of this, nonrepudiation of a message is achieved. This means that the parties to an electronic communication could not dispute having participated in the communication, or it can prove to a third party that data was actually signed by the generator of the signature.

The DSS can be implemented in hardware, software, and/or firmware and is subject to U.S. Commerce Department export controls. The DSS technique is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and origin authentication.

A digital signature system requires a means for associating pairs of public and private keys with the corresponding users. A mutually trusted third party such as a certifying authority can bind a user’s identity and his public key. The certifying authority could issue a “certificate” by signing credentials containing a user’s identity and public key. Hence, a third-party certificate is needed.

184. Pretty good privacy (PGP) and privacy enhanced mail (PEM) are electronic-mail security programs. Which of the following statements is not true about PGP and PEM?

a. They both encrypt messages.

b. They both sign messages.

c. They both have the same uses.

d. They are both based on public-key cryptography.

184. c. Both pretty good privacy (PGP) and privacy enhanced mail (PEM) encrypt messages and sign messages based on public-key cryptography. However, they operate on different philosophies. PGP is based on a distributed network of individuals. PEM is based on the concept of a hierarchical organization. PGP is suited for individuals communicating on the Internet, whereas PEM might be more suited for application systems in all organizations. PGP is a product, not a standard. It does not interoperate with any other security product, either PEM or non-PEM. PGP is portable to a wide variety of hardware platforms.

185. It is particularly important to protect audit trail data against modification during communication between parties. Which of the following security control techniques would protect against such modifications?

a. Strong access controls, such as passwords

b. Digital signatures

c. Logging before and after image records of modifications

d. Review of audit trail data

185. b. A digital signature is a cryptographic checksum computed as a function of a message and a user’s private key. A user’s digital signature varies with the data and protects against modification. This does not prevent deletion or modification of the audit trail, but it provides an alert that the audit trail has been altered. Access to online audit logs should be strictly controlled

Passwords are not strong access controls due to their weaknesses, such as sharing or writing them down. Logging before and after image records of modification is incorrect because it is a passive activity and does not protect against modification. Audit trail data can be used to review what occurred after an event, for periodic reviews, and for real-time analysis.

186. Cryptography is a branch of mathematics based on the transformation of data. Which of the following is not a true statement about cryptography used in computer security?

a. Cryptography ensures data confidentiality.

b. Cryptography ensures data integrity.

c. Cryptography ensures data availability.

d. Cryptography ensures electronic signatures.

186. c. Cryptography, a hidden writing, is an important tool for protecting information and is used in many aspects of computer security. It can help provide data confidentiality, data integrity, electronic signatures, and advanced user authentication. It has nothing to do with data availability, which is a property that a given resource will use during a given time period.

187. In cryptography, the Rivest, Shamir, and Adelman (RSA) scheme has which of the following pairs of characteristics?