6. Which of the following is not usually seen on a digital certificate?

a. Owner name

b. Public key

c. Effective dates for keys

d. Insurance company name

6. d. The information on the digital certificate includes the owner name, the public key, and start and end dates of its validity. The certificate should not contain any owner information that changes frequently (for example, the insurance company name).

7. What is the major purpose of a digital certificate?

a. To achieve availability goal

b. To maintain more information on the certificate

c. To verify the certificate authority

d. To establish user authentication

7. d. Digital certificates are used as a means of user authentication. Entities can prove their possession of the private key by digitally signing known data or by demonstrating knowledge of a secret exchanged using public-key cryptographic methods.

Domain 6

Security Architecture and Design

Traditional Questions, Answers, and Explanations

1. A trusted channel will not allow which of the following attacks?

1. Man-in-the-middle attack

2. Eavesdropping

3. Replay attack

4. Physical and logical tampering

a. 1 and 2

b. 1 and 3

c. 1, 2, and 3

d. 1, 2, 3, and 4

1. d. A trusted channel is a mechanism through which a cryptographic module provides a trusted, safe, and discrete communication pathway for sensitive security parameters (SSPs) and communication endpoints. A trusted channel protects against man-in-the-middle (MitM) attacks, eavesdropping, replay attacks, and physical and logical tampering by unwanted operators, entities, processes, and devices, both within the module and along the module’s communication link.

2. Which of the following IT platforms most often face a single point-of-failure situation?

a. Desktop computers

b. Local-area networks

c. Servers

d. Websites

2. b. A local-area network (LAN) is owned by a single organization; it can be as small as two PCs attached to a single hub, or it may support hundreds of users and multiple servers. LANs are subject to single points of failure due to threats to the cabling system, such as cable cuts, electromagnetic and radio frequency interference, and damage resulting from fire, water, and other hazards. As a result, redundant cables may be installed when appropriate. Desktop computers, servers, and websites do not face single point-of-failure problems as LANs do, but they have problems in backing up data and storing the data at an offsite location. The other three choices need data backup policies, load balancing procedures, and incident response procedures.

3. Which of the following security principles does not work effectively?

a. Security-by-rules

b. Security-by-obscurity

c. Deny-by-default

d. Data-by-hiding

3. b. Security-by-obscurity is a countermeasure principle that does not work effectively in practice because attackers can compromise the security of any system at any time. This means that trying to keep something secret when it is not does more harm than good.

The other three choices work effectively. Security-by-rules and data-by-hiding are commonly accepted security principles. Deny-by-default is blocking all inbound and outbound traffic that has not been expressly permitted by firewall policy.

4. Which of the following provides key cache management to protect keys used in encrypted file system (EFS)?

a. Trusted computer system

b. Trusted platform module chip

c. Trusted computing base

d. Trusted operating system

4. b. The trusted platform module (TPM) chip, through its key cache management, offers a format for protecting keys used in encrypted file system (EFS). The TPM chip, which is a specification, provides secure storage of keys on computers. The other three choices do not provide key cache management.

5. In the encrypted file system (EFS) environment, which of the following is used to secure the storage of key encryption keys on the hard drive?

a. Trusted computer system

b. Trusted platform module chip

c. Trusted computing base

d. Trusted operating system

5. b. Using the trusted platform module (TPM) chip, the key encryption keys are securely stored on the TPM chip. This key is also used to decrypt each file encryption key. The other three choices do not provide secure storage of the key encryption key.

6. Which of the following provides additional security for storing symmetric keys used in file encryption to prevent offline exhaustion attacks?

a. Encrypt the split keys using a strong password.

b. Store the random keys on the computer itself or on the hardware token.

c. After a key split, store one key component on the computer itself.

d. After a key split, store the other key component on the hardware token.

6. a. When a key is split between the hardware token and the computer, an attacker needs to recover both pieces of hardware to recover (decrypt) the key. Additional security is provided by encrypting the key splits using a strong password to prevent offline exhaustion attacks.

7. Which of the following storage methods for file encryption system (FES) is the least expensive solution?

a. Public key cryptography standard

b. Key encryption key

c. Hardware token

d. Asymmetric user owned private key

7. a. The file encryption system (FES) uses a single symmetric key to encrypt every file on the system. This single key is generated using the public key cryptography standard (PKCS) from a user’s password; hence it is the least expensive solution. The key encryption key is a relatively new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner’s asymmetric private key. It requires either a user password or a user token.