c. RSA and IDEA

d. RSA and DSS

223. d. Public-key cryptography is particularly useful when the parties wanting to communicate cannot rely upon each other or do not share a common key (for example, Rivest-Shamir-Adelman [RSA] and digital signature standard [DSS]). Mandatory access control (MAC) and discretionary access control (DAC) are examples of access control mechanisms. Data encryption standard, DES, (56-bit key), three key triple data encryption standard, 3DES, (168-bit key), and international data encryption algorithm, IDEA, (128-bit key) are examples of private-key cryptographic systems. IDEA is another block cipher, similar to DES, and is a replacement for or an improvement over DES. IDEA is used in pretty good privacy (PGP) for data encryption.

224. Which one of the following is unlike the others?

a. Social engineering attack

b. Side-channel attack

c. Phishing attack

d. Shoulder surfing attack

224. b. Side channel attacks result from the physical implementation of a cryptosystem through the leakage of information by monitoring sound from computations to reveal cryptographic key-related information. Side-channel attacks are based on stealing valuable information whereas the other three choices deal with deceiving people.

Social engineering attacks focus on coercing people to divulge passwords and other valuable information. Phishing attack involves tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing is a digital form of social engineering that uses authentic-lookingbut boguse-mails to request information from users or direct them to a fake website that requests valuable personal information. Shoulder surfing attack is similar to social engineering where the attacker uses direct observation techniques such as looking over someone’s shoulder to obtain passwords, PINs, and other valuable codes.

225. A cryptographic key may pass through several states between its generation and its distribution. A cryptographic key may not enter the compromised state from which of the following states?

a. Pre-activation state

b. Destroyed state

c. Active state

d. Deactivated state

225. b. A cryptographic key may pass through several states between its generation and its destruction. Six key-states include pre-activation state, active state, deactivated state, destroyed state, compromised state, and destroyed compromised state. In general, keys are compromised when they are released to or determined by an unauthorized entity. If the integrity or secrecy of the key is suspect, the compromised key is revoked. A cryptographic key may enter the compromised state from all states except the destroyed state and destroyed compromised states. A compromised key is not used to apply cryptographic protection to information. Even though the key no longer exists in the destroyed state, certain key attributes such as key name, key type, and crypto-period may be retained, which is risky.

The other three choices are not risky. In the pre-activation state, the key has been generated but is not yet authorized for use. In this state the key may be used only to perform proof-of-possession or key confirmation. In the active state, a key may be used to cryptographically protect information or to cryptographically process previously protected information (for example, decrypt ciphertext or verify a digital signature) or both. When a key is active, it may be designated to protect only, process only, or both protect and process. In the deactivated state, a key’s crypto-period has expired, but it is still needed to perform cryptographic processing until it is destroyed.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 7.

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools.

1. Which of the following is required to accept digital certificates from multiple vendor certification authorities?

a. The application must be PKI-enabled.

b. The application must be PKI-aware.

c. The application must use X.509 Version 3.

d. The application must use PKI-vendor plug-ins.

1.c. Using the X.509 Version 3 standard helps application programs in accepting digital certificates from multiple vendor CAs, assuming that the certificates conform to a consistent Certificate Profiles. Application programs either have to be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of X.509 Version 3 standard. Version 3 is more interoperable so that an application program can accept digital certificates from multiple vendor certification authorities. Version 3 standard for digital certificates provides specific bits that can be set in a certificate to ensure that the certificate is used only for specific services such as digital signature, authentication, and encryption.

2. Which of the following provides a unique user ID for a digital certificate?

a. Username

b. User organization

c. User e-mail

d. User message digest

2. d. The digital certificate contains information about the user’s identity (for example, name, organization, and e-mail), but this information may not necessarily be unique. A one-way (hash) function can be used to construct a fingerprint (message digest) unique to a given certificate using the user’s public key.

3. Which of the following is not included in the digital signature standard (DSS)?

a. Digital signature algorithm (DSA)

b. Data encryption standard (DES)

c. Rivest, Shamir, Adleman algorithm (RSA)

d. Elliptic curve digital signature algorithm (ECDSA)

3. b. DSA, RSA, and ECDSA are included in the DSS that specifies a digital signature used in computing and verifying digital signatures. DES is a symmetric algorithm and is not relevant here. DES is a block cipher and uses a 56-bit key.

4. Digital signatures are not used for which of the following?

a. Authentication

b. Availability

c. Nonrepudiation

d. Integrity

4. b. Digital signatures provide authentication, nonrepudiation, and integrity services. Availability is a system requirement intended to ensure that systems work promptly and that service is not denied to authorized users.

5. What keys are used to create digital signatures?

a. Public-key cryptography

b. Private-key cryptography

c. Hybrid-key cryptography

d. Primary-key cryptography

5. a. Public-key cryptography has been recommended for distribution of secret keys and in support of digital signatures. Private-key cryptography has been recommended for encryption of messages and can be used for message integrity check computations. Hybrid keys combine the best of both public and private keys. Primary keys are used in database design and are not relevant here.