Mesh (network) PKI model is incorrect because trust is established between any two CAs in peer relationships (cross-certification), thus allowing the possibility of multiple trust paths between any two CAs. Independent CAs cross-certify each other resulting in a general mesh of trust relationships between peer CAs. The bridge PKI model was designed to connect enterprise PKIs regardless of the architecture; enterprises can link their own PKIs to those of their business partners. The complex PKI model is a combination of hierarchical PKI model and mesh PKI model because they are not mutually exclusive.

204. Which of the following should not be archived during the disposition phase of a system development life cycle (SDLC) because it applies to selecting cryptographic mechanisms?

a. Long-term symmetric key

b. Signing keys used by traditional certification authorities (CAs)

c. An individual’s signing keys

d. Signing keys used by non-traditional CAs

204. c. When a system is shut down or transitioned to a new system, one of the primary responsibilities is ensuring that cryptographic keys are properly destroyed or archived. Long-term symmetric keys may need to be archived to ensure that they are available in the future to decrypt data. Signing keys used by traditional and non-traditional CAs may also need to be maintained for signature verification.

An individual’s signing keys should not be archived due to constant changes and employee turnover.

205. Which of the following provides the level of “trust” required for the digital certificates to reliably complete a transaction?

a. Certificate policy

b. Certification practices statement

c. Identity proofing

d. Outsourcing

205. c. A level of “trust” is required for an organization to complete the digital certificate transaction reliably. This includes determining the level of identity proofing required for a subscriber to get a certificate, the strength of the key lengths and algorithms employed, and how the corresponding private key is protected. The Certificate Authority (CA) operates under a Certificate Policy (CP) and Certification Practices Statement (CPS) that collectively describe the CA’s responsibilities and duties to its customers and trading partners. Organizations can operate their own certification authority duties or outsource that function.

206. A birthday attack is targeted at which of the following?

a. MD5

b. SSL

c. SLIP

d. SET

206. a. A birthday attack is against message digest 5 (MD5), a hash algorithm. The attack is based on probabilities where it finds two messages that hash to the same value and then exploits it to attack. MD5 is a message authentication method based on producing a 128-bit hash code (signature or fingerprint) from a message. The other three choices are not subjected to birthday attacks. SSL is secure sockets layer, SLIP is serial line interface protocol, and SET is secure electronic transaction.

207. A fundamental principle for protecting cryptographic keys includes which of the following?

a. Zeroization and total knowledge

b. Split knowledge and dual control

c. Single control and formal proof

d. Zero-knowledge proof and triple control

207. b. One of the fundamental principles for protecting keys is the practice of split knowledge and dual control. These are used to protect the centrally stored secret keys and root private keys and secure the distribution of user tokens. Zeroization is a method of erasing electronically stored data by altering the contents of the data storage so as to prevent the recovery of data. Zero-knowledge proof is where one party proving something to another without revealing any additional information. Total knowledge, single control, triple control, and formal proof are not relevant here.

208. The primary goal of a public key infrastructure (PKI) is to create which of the following?

a. Closed environment

b. Trusted environment

c. Open environment

d. Bounded environment

208. b. Use of electronic processes provides benefits such as time savings, enhanced services, cost-savings, and improved data quality and integrity. Public key technology can create a trusted environment that promotes the use and growth of all electronic processes, not just digital signatures.

209. In a public key infrastructure (PKI), which one of the following certificate authorities (CA) is subordinate to another CA and has a CA subordinate to it?

a. Root CA

b. Superior CA

c. Intermediate CA

d. Subordinate CA

209. c. This is the definition of an intermediate CA in that he has a superior CA and a subordinate CA. In a hierarchical PKI, the root CA’s public key serves as the most trusted datum (i.e., the beginning of trusted paths) for a security domain. The superior CA has certified the certificate signature key of another CA and who constrains the activities of that CA. Another CA certifies the subordinate CA’s certificate signature key.

210. Digital signatures are not used for which of the following?

a. Authentication

b. Availability

c. Nonrepudiation

d. Integrity

210. b. Digital signatures provide authentication, nonrepudiation, and integrity services. Availability is a system requirement intended to ensure that systems work promptly and that service is not denied to authorized users.

211. What are public-key cryptographic systems known as?

a. Two-keys or asymmetric systems

b. Two-keys or symmetric systems

c. One-key or symmetric systems

d. One-key or asymmetric systems

211. a. Public-key cryptographic systems are known as two-key or asymmetric systems. Private-key cryptographic systems are known as one-key or symmetric systems.

212. Cryptographic key management is a difficult problem for which of the following?

a. Symmetric-key algorithms

b. Asymmetric-key algorithms

c. Hybrid-key algorithms

d. Hash-key algorithms

212. a. In symmetric key algorithms, parties share a single, secret key. Establishing that shared key is called key management, and it is a difficult problem. In asymmetric key algorithms, there are two keys (public and private) for each party. The public and private keys are generated at the same time, and data encrypted with one key can be decrypted with the other key. Hybrid key algorithms combine the best features of public and private key systems. Hash key algorithms is meaningless here.

213. Which of the following should be used to prevent an eavesdropping attack from remote access to firewalls?

a. File encryption

b. Bulk encryption

c. Session encryption

d. Stream encryption

213. c. Session encryption is used to encrypt data between application and end users. This provides strong authentication. File encryption protects data in storage. Bulk encryption is simultaneous encryption of all channels of a multichannel telecommunications trunk. Stream encryption encrypts and decrypts arbitrarily sized messages—not a strong authentication.