8. Which of the following storage methods for file encryption system (FES) is less secure?
a. Public key cryptography standard
b. Key encryption key
c. Hardware token
d. Asymmetric user owned private key
8. a. The public key cryptography standard (PKCS) is less secure because the security is dependent only on the strength of the password used. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner’s asymmetric private key. It requires either a user password or a user token.
9. Which of the following storage methods for file encryption system (FES) is more expensive?
a. Public key cryptography standard
b. Key encryption key
c. Hardware token
d. Asymmetric user owned private key
9. c. The file encryption system (FES) uses per-file encryption keys that are split into two components that will be an Exclusive-Or operation (XORed) to re-create the key, with one key component stored on hardware token and the other key component derived from a password using the public key cryptography standard (PKCS) to derive the key. Because of the key split, hardware tokens are more expensive.
The public key cryptography standard (PKCS) generates a single key from a user’s password. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner’s asymmetric private key. It requires either a user password or a user token.
10. Which of the following storage methods for file encryption system (FES) is highly secure?
a. Public key cryptography standard
b. Key encryption key
c. Hardware token
d. Asymmetric user owned private key
10. c. Because of the key split, hardware tokens are highly secure if implemented correctly. The other three choices are not highly secure. The public key cryptography standard (PKCS) generates a single key from a user’s password. Key encryption key is relatively a new technology where keys are stored on the same computer as the file. It utilizes per-file encryption keys, which are stored on the hard disk, encrypted by a key encryption key. The asymmetric user owned private key utilizes per-file encryption keys, which are encrypted under the file owner’s asymmetric private key. It requires either a user password or a user token.
11. Which of the following can limit the number of network access points to an information system that enables monitoring of inbound and outbound network traffic?
a. Trusted path
b. Trusted computer system
c. Trusted computing base
d. Trusted Internet connection
11. d. The trusted Internet connection (TIC) initiative is an example of limiting the number of managed network access points. The other three choices do not limit the number of network access points.
12. The IT architecture and system security design should focus first on which of the following?
a. Information availability
b. Hardware availability
c. Software availability
d. System availability
12. d. System availability, which includes hardware availability and software availability, should be the first focus, and information availability should be the next focus because a system contains information, not the other way around.
13. Regarding cryptographic modules, which of the following refers to verifying the design between a formal model and functional specifications?
a. Proof-of-wholeness
b. Proof-of-origin
c. Proof-of-correspondence
d. Proof-of-correctness
13. c. The proof-of-correspondence deals with verifying the design between a formal model and the functional specifications. A proof-of-wholeness is having all of an object’s parts or components include both the sense of unimpaired condition (i.e., soundness) and being complete and undivided (i.e., completeness). It applies to preserving the integrity of objects in that different layers of abstraction for objects cannot be penetrated, and their internal mechanisms cannot be modified or destroyed. A proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proof-of-origin. A proof-of-correctness applies mathematical proofs-of-correctness to demonstrate that a computer program conforms exactly to its specifications and to prove that the functions of the computer programs are correct.
14. Regarding cryptographic modules, the implementation of a trusted channel protects which of the following?
1. Plaintext critical security parameters
2. Cryptographic module software
3. Use of untrusted software
4. Spoofing by a remote system
a. 1 and 2
b. 1 and 3
c. 3 and 4
d. 1, 2, 3, and 4
14. d. The implementation of a trusted channel protects plaintext critical security parameters (CSPs) and the software of the cryptographic module from other untrusted software that may be executing on the system. The trusted channel also protects from spoofing by a remote system.
15. For cryptographic modules, additional life-cycle assurance is provided through which of the following?
1. Automated configuration management
2. Detailed design
3. Low-level testing
4. Operator authentication
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
15. d. For cryptographic modules, additional life-cycle assurance is provided through automated configuration management, detailed design, low-level testing, and operator authentication using vendor-provided authentication information.
16. From a security risk viewpoint, which of the following situations is not acceptable?
a. Fail in a known state
b. Return to an operational state
c. Fail in a safe but unknown state
d. Restore to a secure state
16. c. It is not good to assume that an unknown state is safe until proven because it is risky. The other three choices are examples of acceptable situations because of little or no risk.