Chapter 5. Domain 5.0: Cryptography

Recently, modern cryptography has become increasingly important and ubiquitous. There has been increasing concern about the security of data, which continues to grow rapidly across information systems and to traverse and reside in many different locations. This, combined with more sophisticated attacks and a growing economy around computer-related fraud and data theft, makes the need to protect the data itself even more important than in the past. A public key infrastructure (PKI) makes use of both public and private keys. It also provides the foundation for binding keys to an identity via a certificate authority (CA), thus providing the system for the secure exchange of data over a network through the use of an asymmetric key system. This system for the most part consists of digital certificates and the CAs that issue the certificates. These certificates identify individuals, systems, and organizations that have been verified as authentic and trustworthy. As a prospective security professional, you should also take every opportunity you find to expand your skill base beyond these basic foundational elements. The following list includes the key areas from Domain 5 that you need to master for the exam:

Explain general cryptography concepts.

Explain basic hashing concepts and map various algorithms to appropriate applications.

Explain basic encryption concepts and map various algorithms to appropriate applications.

Explain and implement protocols.

Explain core concepts of public key cryptography.

Implement PKI and certificate management.

Practice Questions

Objective 5.1: Explain general cryptography concepts.

1. Which of the following best describes a cryptography key?

A. Plaintext data converted into an unreadable format

B. Messages hidden from unintended recipients

C. A string of bits used to encrypt and decrypt data

D. Mathematical sequence used to perform encryption and decryption

Quick Answer: 278

Detailed Answer: 281

2. Which of the following best describes steganography?

A. Plaintext data converted into an unreadable format

B. Messages hidden from unintended recipients

C. A string of bits used to encrypt and decrypt data

D. Mathematical sequence used to perform encryption and decryption

Quick Answer: 278

Detailed Answer: 281

3. Which of the following best describes an algorithm?

A. Plaintext data converted into an unreadable format

B. Messages hidden from unintended recipients

C. A string of bits used to encrypt and decrypt data

D. Mathematical sequence used to perform encryption and decryption

Quick Answer: 278

Detailed Answer: 281

4. Which of the following best describes encryption?

A. Plaintext data converted into an unreadable format

B. Messages hidden from unintended recipients

C. A string of bits used to encrypt and decrypt data

D. Mathematical sequence used to perform encryption and decryption

Quick Answer: 278

Detailed Answer: 281

5. Which of the following best describes why cryptography has become increasingly important? (Select all correct answers.)

A. Concerns over the security of data

B. Steganography has become more prevalent

C. Attacks have become more sophisticated

D. Concerns over increasing virus infections

Quick Answer: 278

Detailed Answer: 281

6. Which of the following are fundamental types of encryption algorithms? (Select all correct answers.)

A. Hash function

B. Asymmetric key

C. Trusted platform

D. Symmetric key

Quick Answer: 278

Detailed Answer: 282

7. Which of the following best describes symmetric key cryptography?

A. A hashing algorithm that uses a common shared key between the sender and receiver

B. An encryption system that uses a common shared key between the sender and receiver

C. An encryption system where each user has a pair of keys, one public and one private

D. A hashing algorithm that uses a common shared key between the sender and receiver

Quick Answer: 278

Detailed Answer: 282

8. Which of the following best describes asymmetric key cryptography?

A. A hashing algorithm that uses a common shared key between the sender and receiver

B. An encryption system that uses a common shared key between the sender and receiver

C. An encryption system where each user has a pair of keys, one public and one private

D. A hashing algorithm that uses a common shared key between the sender and receiver

Quick Answer: 278

Detailed Answer: 282

9. Which of the following best describes where the user’s public key is maintained in an asymmetric encryption system?

A. On a centralized server so that anyone can access it

B. Maintained on the host system or application

C. In the cryptographic vault of the organization

D. In the user’s shared network folder for easy access

Quick Answer: 278

Detailed Answer: 282

10. Which of the following best describes where the user’s private key is maintained in an asymmetric encryption system?

A. On a centralized server so that anyone can access it

B. Maintained on the host system or application

C. In the cryptographic vault of the organization

D. In the user’s shared network folder for easy access

Quick Answer: 278

Detailed Answer: 282

11. Which of the following is another name for asymmetric algorithms?

A. Private key algorithms

B. Shared key algorithms

C. Public key algorithms

D. Secret key algorithms

Quick Answer: 278

Detailed Answer: 282

12. Which of the following is another name for symmetric algorithms? (Select all correct answers.)

A. Private key algorithms

B. Shared key algorithms

C. Public key algorithms

D. Secret key algorithms

Quick Answer: 278

Detailed Answer: 282

13. Which of the following best describes how a message encrypted with the private key is decrypted?

A. The public key can never decrypt the message.

B. The public key can always decrypt the message.

C. The public key can sometimes decrypt the message.

D. The public key can decrypt the message only when used by an administrator.

Quick Answer: 278

Detailed Answer: 282

14. Which of the following best describes the function of the public key in asymmetric algorithms?

A. The public key can never decrypt a message that it was used to encrypt with.

B. The public key can always decrypt a message that it was used to encrypt with.

C. The public key can sometimes decrypt a message that it was used to encrypt with.

D. The public key can decrypt a message that it was used to encrypt with only when used by an administrator.

Quick Answer: 278

Detailed Answer: 282

15. Which of the following best describes the difference between steganography and cryptography?

A. Steganography seeks to expose the presence of a hidden message; cryptography transforms a message from a readable form to unreadable form.

B. Cryptography seeks to hide the presence of a message; steganography transforms a message from a readable form to unreadable form.

C. Cryptography seeks to expose the presence of a hidden message; steganography transforms a message from an unreadable form to a readable form.

D. Steganography seeks to hide the presence of a message; cryptography transforms a message from a readable form to unreadable form.

Quick Answer: 278

Detailed Answer: 283

16. Which of the following best describes the coding used by many printers consisting of tiny dots that reveal serial numbers and time stamps?

A. Phishing

B. Steganography

C. Cryptography

D. Hashing

Quick Answer: 278

Detailed Answer: 283

17. Which of the following best describes the main concern of confidentiality?

A. Unauthorized disclosure of sensitive information

B. Unauthorized modification of information or systems

C. Specifying if an identity should be granted access to a resource

D. Maintaining continuous operations without service disruptions

Quick Answer: 278

Detailed Answer: 283

18. Which of the following best describes the main concern of integrity?

A. Unauthorized disclosure of sensitive information

B. Unauthorized modification of information or systems

C. Specifying if an identity should be granted access to a resource

D. Maintaining continuous operations without service disruptions

Quick Answer: 278

Detailed Answer: 283

19. Which of the following best describes the main concern of availability?

A. Unauthorized disclosure of sensitive information

B. Unauthorized modification of information or systems

C. Specifying if an identity should be granted access to a resource

D. Maintaining continuous operations without service disruptions

Quick Answer: 278

Detailed Answer: 283

20. An organization implements PGP. This is an example of which of the following? (Select all correct answers.)

A. Integrity

B. Availability

C. Confidentiality

D. Authorization

Quick Answer: 278

Detailed Answer: 283

21. Which of the following best describes the assurance that data and information can only be modified by those authorized to do so?

A. Integrity

B. Availability

C. Confidentiality

D. Authorization

Quick Answer: 278

Detailed Answer: 283

22. Which of the following best describes limiting the disclosure of private information?

A. Integrity

B. Availability

C. Confidentiality

D. Authorization

Quick Answer: 278

Detailed Answer: 284

23. Which of the following best describes requiring the accessibility of information and information systems?

A. Integrity

B. Availability

C. Confidentiality

D. Authorization

Quick Answer: 278

Detailed Answer: 284

24. Which of the following best describes the main intent of nonrepudiation?

A. To prevent unauthorized modification of information or systems

B. To prevent unauthorized disclosure of sensitive information

C. To specify if an identity should be granted access to a specific resource

D. To provide an irrefutable method of accountability for the source of data

Quick Answer: 278

Detailed Answer: 284

25. Which of the following are key elements that nonrepudiation services provide? (Select all correct answers.)

A. Proof of service

B. Proof of origin

C. Proof of delivery

D. Proof of receipt

Quick Answer: 278

Detailed Answer: 284

26. An organization is implementing a security solution that attempts to guarantee the identity of the person sending the data from one point to another. Which of the following best describes this implementation?

A. Hashing function

B. Steganography

C. Cryptography

D. Digital signature

Quick Answer: 278

Detailed Answer: 284

27. Which of the following would be the best implementation solution for an organization to mitigate the risks associated with lost or stolen laptops and the accompanying disclosure laws?

A. Whole disk encryption

B. Trusted Platform Module

C. Digital signatures

D. Hashing functions

Quick Answer: 278

Detailed Answer: 284

28. Which of the following would an organization implement to secure the storage of keys, passwords, and digital certificates at the hardware level?

A. Whole disk encryption

B. Trusted Platform Module

C. Digital signatures

D. Hashing functions

Quick Answer: 278

Detailed Answer: 284

29. When conducting an online banking transaction, one can be assured they are at the legitimate site by verifying the server-side certificate. Which of the following best describes this type of certificate?

A. Digital signature

B. Hashing function

C. Single sided

D. Dual sided

Quick Answer: 278

Detailed Answer: 285

30. An organization is concerned about back doors and flaws undermining encryption algorithms. Which of the following technologies should the organization choose?

A. An algorithm based on DES

B. An already proven algorithm

C. A proprietary vendor algorithm

D. An in-house-developed algorithm

Quick Answer: 278

Detailed Answer: 285

Objective 5.2: Explain basic hashing concepts and map various algorithms to appropriate applications.

1. Which of the following best describes a hash?

A. Plaintext data converted into an unreadable format

B. A generated summary from a mathematical rule

C. A string of bits used to encrypt and decrypt data

D. Mathematical sequence used to perform encryption and decryption

Quick Answer: 278

Detailed Answer: 285

2. Which of the following best describes how hashing functions work?

A. By taking a string of any length and producing a string the exact same length for output

B. By taking a string of any length and encrypting it bit by bit one at a time

C. By taking a string of any length and producing a fixed-length string for output

D. By taking a string of any length and encrypting it in fixed-length chunks

Quick Answer: 278

Detailed Answer: 285

3. Which of the following is correct about a hash created from a document?

A. The document can be unencrypted using the same hash.

B. The document can be re-created from the hash.

C. The document can be re-created by using the same encryption.

D. The document cannot be re-created from the hash.

Quick Answer: 278

Detailed Answer: 285

4. Which of the following is the correct strength hash that SHA can generate?

A. 160 bits in length

B. 64 bits in length

C. 128 bits in length

D. 256 bits in length

Quick Answer: 278

Detailed Answer: 285

5. Which of the following is the correct strength hash that the MD series can generate?

A. 160 bits in length

B. 64 bits in length

C. 128 bits in length

D. 256 bits in length

Quick Answer: 278

Detailed Answer: 286

6. Which of the following best describes message authentication code?

A. An encryption system that uses a common shared key between the sender and receiver

B. A piece of data derived by applying a message combined with a secret key to a cryptographic algorithm

C. An encryption system where each user has a pair of keys, one public and one private

D. A hash algorithm pioneered by the National Security Agency and widely used in the U.S. government

Quick Answer: 278

Detailed Answer: 286

7. Which of the following are primary weaknesses of the LM hash? (Select all correct answers.)

A. Before being hashed, all lowercase characters in the password are converted to uppercase characters.

B. The authenticity of the public key can easily be forged by an attacker.

C. Passwords longer than seven characters are broken down into two chunks.

D. Management of the keys is often overlooked and they can easily be compromised.

Quick Answer: 278

Detailed Answer: 286

8. An organization wants to select a hashing method that will be able to resist forgery and is not open to man-in-the-middle attacks. Which of the following would be the most appropriate choice for the organization?

A. SHA

B. NTLM

C. MD

D. MAC

Quick Answer: 278

Detailed Answer: 286

9. Which of the following hashing algorithms is the most resource intensive?

A. MD5

B. SHA

C. LM

D. NTLM

Quick Answer: 278

Detailed Answer: 286

10. An organization wants to select the most appropriate hashing method that can be used to secure Windows authentication. Which of the following should the organization choose?

A. MD5

B. SHA

C. LM

D. NTLM

Quick Answer: 278

Detailed Answer: 286

Objective 5.3: Explain basic encryption concepts and map various algorithms to appropriate applications.

1. Which of the following are classifications of symmetric algorithms? (Select all correct answers.)

A. Classical cipher

B. Block cipher

C. Stream cipher

D. Simple cipher

Quick Answer: 279

Detailed Answer: 286

2. DES is which of the following types of cipher?

A. Classical cipher

B. Block cipher

C. Stream cipher

D. Simple cipher

Quick Answer: 279

Detailed Answer: 287

3. Which of the following is the total effective key length of 3DES?

A. 168 bits in length

B. 64 bits in length

C. 128 bits in length

D. 256 bits in length

Quick Answer: 279

Detailed Answer: 287

4. Which of the following is a stream cipher?

A. RC5

B. Blowfish

C. IDEA

D. RC4

Quick Answer: 279

Detailed Answer: 287

5. Which of the following block ciphers can perform encryption with any length key up to 448 bits?

A. RC5

B. Blowfish

C. IDEA

D. RC4

Quick Answer: 279

Detailed Answer: 287

6. An organization wants to be able to export encrypted files to a country that only allows 56-bit encryption. Which of the following would the organization choose?

A. 3DES

B. RC5

C. DES

D. AES

Quick Answer: 279

Detailed Answer: 287

7. An organization wants to use an encryption method that uses a 168-bit key length. Which of the following would the organization choose?

A. 3DES

B. RC5

C. DES

D. AES

Quick Answer: 279

Detailed Answer: 287

8. An organization wants to use an encryption method that uses a 256-bit key length. Which of the following could the organization choose? (Select all correct answers.)

A. 3DES

B. RC5

C. DES

D. AES

Quick Answer: 279

Detailed Answer: 287

9. Which of the following ciphers has earned the mark of being completely unbreakable?

A. RC5

B. OTP

C. IDEA

D. DES

Quick Answer: 279

Detailed Answer: 287

10. In an implementation of Advanced Encryption Standard (AES), which of the following is the correct number of layers that the data passes through?

A. Five

B. Four

C. Three

D. Two

Quick Answer: 279

Detailed Answer: 288

11. An organization wants to use an encryption algorithm that uses little overhead. Which of the following could the organization choose? (Select all correct answers.)

A. ECC

B. RSA

C. RC5

D. DES

Quick Answer: 279

Detailed Answer: 288

12. An organization wants to use a system that incorporates a mixed approach, using both asymmetric and symmetric encryption. Which of the following meets this requirement?

A. OTP

B. PGP

C. DES

D. ECC

Quick Answer: 279

Detailed Answer: 288

13. Which of the following asymmetric algorithms is considered by many to be the standard for encryption and the core technology that secures most business conducted on the Internet?

A. RSA

B. ECC

C. OTP

D. DES

Quick Answer: 279

Detailed Answer: 288

14. An organization wants to use an encryption algorithm that combines a compact design with extreme difficulty to break. Which of the following meets this requirement?

A. RSA

B. ECC

C. OTP

D. DES

Quick Answer: 279

Detailed Answer: 288

15. Which of the following ciphers has the highest storage and transmission costs?

A. RC5

B. OTP

C. IDEA

D. DES

Quick Answer: 279

Detailed Answer: 288

16. For most environments today, which of the following encryption key strengths is considered adequate?

A. 1024 bits in length

B. 56 bits in length

C. 128 bits in length

D. 256 bits in length

Quick Answer: 279

Detailed Answer: 288

17. An organization wants to use a system for the encryption and decryption of email along with digitally signing emails. Which of the following meets this requirement?

A. OTP

B. PGP

C. DES

D. ECC

Quick Answer: 279

Detailed Answer: 289

18. Which of the following AES encryption key strengths is most commonly found today on secure USB sticks?

A. 128 bits in length

B. 192 bits in length

C. 256 bits in length

D. 1024 bits in length

Quick Answer: 279

Detailed Answer: 289

19. Which of the following ciphers does TKIP use?

A. RC5

B. Blowfish

C. IDEA

D. RC4

Quick Answer: 279

Detailed Answer: 289

20. Which of the following ciphers does WEP use?

A. RC5

B. Blowfish

C. IDEA

D. RC4

Quick Answer: 279

Detailed Answer: 289

Objective 5.4: Explain and implement protocols.

1. Which of the following are the most commonly used cryptographic protocols for managing secure communication between a client and server over the Web? (Select all correct answers.)

A. SSL

B. TLS

C. PPTP

D. WEP

Quick Answer: 279

Detailed Answer: 289

2. An organization wants to use an encapsulated tunneling protocol that does not send authentication information in cleartext to support the creation of VPNs. Which of the following meets this requirement?

A. HTTP

B. PPTP

C. MIME

D. L2TP

Quick Answer: 279

Detailed Answer: 289

3. An organization wants to use a network protocol that enables the secure transfer of data from a remote client to a private enterprise server. Which of the following meets this requirement?

A. HTTP

B. PPTP

C. MIME

D. L2TP

Quick Answer: 279

Detailed Answer: 289

4. Which of the following supports on-demand, multiprotocol, and virtual private networking over public networks?

A. HTTP

B. PPTP

C. MIME

D. L2TP

Quick Answer: 279

Detailed Answer: 290

5. Which of the following cryptographic methods is used by SSH?

A. RSA

B. ECC

C. OTP

D. PGP

Quick Answer: 279

Detailed Answer: 290

6. Which of the following algorithms can SSH use for data encryption? (Select all correct answers.)

A. IDEA

B. Blowfish

C. DES

D. Diffie-Hellman

Quick Answer: 279

Detailed Answer: 290

7. Which of the following secure utilities are encapsulated in the SSH suite? (Select all correct answers.)

A. slogin

B. rlogin

C. rsh

D. scp

Quick Answer: 279

Detailed Answer: 290

8. Which of the following protocols does IPsec use to provide authentication services, as well as encapsulation of data?

A. HTTP

B. PPTP

C. IKE

D. PKI

Quick Answer: 279

Detailed Answer: 290

9. An organization wants to use a protocol that has connectionless integrity and data origin authentication for IP packets. Which of the following meets this requirement?

A. IKE

B. SSH

C. IP

D. AH

Quick Answer: 279

Detailed Answer: 290

10. If IPsec is configured to use AH only, which of the following protocol traffic must be permitted to pass through the firewall?

A. Protocol 255

B. Protocol 51

C. Protocol 50

D. Protocol 2

Quick Answer: 279

Detailed Answer: 291

11. If IPsec is configured to use ESP only, which of the following protocol traffic must be permitted to pass through the firewall?

A. Protocol 255

B. Protocol 51

C. Protocol 50

D. Protocol 2

Quick Answer: 279

Detailed Answer: 291

12. If IPsec is configured for nested AH and ESP, IP can be configured to let only which of the following protocols’ traffic pass through the firewall?

A. Protocol 255

B. Protocol 51

C. Protocol 50

D. Protocol 2

Quick Answer: 279

Detailed Answer: 291

13. Which of the following encryption schemes does S/MIME use?

A. RSA

B. ECC

C. OTP

D. PGP

Quick Answer: 279

Detailed Answer: 291

14. Which of the following protocols was developed to support connectivity for banking transactions and other secure web communications, but is not commonly used?

A. HTTP

B. PPTP

C. S-HTTP

D. S/MIME

Quick Answer: 279

Detailed Answer: 291

15. Which of the following is a specification that provides email privacy using encryption and authentication via digital signatures?

A. HTTP

B. PPTP

C. S-HTTP

D. S/MIME

Quick Answer: 279

Detailed Answer: 291

16. Which of the following encrypts and decrypts email messages using asymmetric encryption schemes such as RSA?

A. S/MIME

B. PGP/MIME

C. HTTP

D. PPTP

Quick Answer: 279

Detailed Answer: 292

17. Which of the following TLS protocols allows the client and server to authenticate to one another?

A. Record protocol

B. Alert protocol

C. Application protocol

D. Handshake protocol

Quick Answer: 279

Detailed Answer: 292

18. Which of the following TLS protocols provides connection security?

A. Record protocol

B. Alert protocol

C. Application protocol

D. Handshake protocol

Quick Answer: 279

Detailed Answer: 292

19. An organization is concerned about web-based connections and wants to implement encryption and authentication. Which of the following ports will the organization typically use for secured communication?

A. 8080

B. 80

C. 443

D. 445

Quick Answer: 279

Detailed Answer: 292

20. An organization is concerned about the cleartext communications of a Telnet session. Which of the following will the organization implement to authenticate and encrypt the data stream?

A. SSL

B. TLS

C. WEP

D. SSH

Quick Answer: 279

Detailed Answer: 292

Objective 5.5: Explain core concepts of public key cryptography.

1. Which of the following best describes a public key infrastructure?

A. A de facto standard that defines a framework for authentication services by a directory

B. A collection of varying technologies and policies for the creation and use of digital certificates

C. The de facto cryptographic message standards developed and published by RSA Laboratories

D. The development of Internet standards for X.509-based key infrastructures

Quick Answer: 279

Detailed Answer: 292

2. Which of the following best describes the scenario where all certificates are issued by a third-party certificate authority (CA) and if one party trusts the CA, then it automatically trusts the certificates that CA issues?

A. Certificate trust model

B. Certificate authority

C. Registration authority

D. Certificate practice statement

Quick Answer: 279

Detailed Answer: 293

3. Which of the following best describes the Public Key Cryptography Standards?

A. A de facto standard that defines a framework for authentication services by a directory

B. A collection of varying technologies and policies for the creation and use of digital certificates

C. The de facto cryptographic message standards developed and published by RSA Laboratories

D. The development of Internet standards for X.509-based key infrastructure

Quick Answer: 279

Detailed Answer: 293

4. Which of the following provides authentication to the CA as to the validity of a client’s certificate request?

A. Certificate trust model

B. Certificate authority

C. Registration authority

D. Certificate practice statement

Quick Answer: 279

Detailed Answer: 293

5. Which of the following is true about the validity period of X.509 standard digital certificates?

A. It can be of any duration period.

B. It is renewed on a six-month period.

C. It can only be one year.

D. It cannot be more than three years.

Quick Answer: 279

Detailed Answer: 293

6. Which of the following information is contained in an X.509 standard digital certificate? (Select all correct answers.)

A. User’s private key

B. Signature algorithm identifier

C. User’s public key

D. Serial number

Quick Answer: 279

Detailed Answer: 293

7. Which of the following issues certificates, verifies the holder of a digital certificate, and ensures that the holder of the certificate is who they claim to be?

A. Certificate trust model

B. Certificate authority

C. Registration authority

D. Certificate practice statement

Quick Answer: 279

Detailed Answer: 293

8. Which of the following best describes the X.509 standard?

A. A de facto standard that defines a framework for authentication services by a directory

B. A collection of varying technologies and policies for the creation and use of digital certificates

C. The de facto cryptographic message standards developed and published by RSA Laboratories

D. The development of Internet standards for X.509-based key infrastructures

Quick Answer: 279

Detailed Answer: 294

9. Which of the following is a legal document created and published by a CA for the purpose of conveying information?

A. Certificate trust model

B. Certificate authority

C. Registration authority

D. Certificate practice statement

Quick Answer: 279

Detailed Answer: 294

10. Which of the following best describes PKIX?

A. A de facto standard that defines a framework for authentication services by a directory

B. A collection of varying technologies and policies for the creation and use of digital certificates

C. The de facto cryptographic message standards developed and published by RSA Laboratories

D. The development of Internet standards for X.509-based certificate infrastructures

Quick Answer: 279

Detailed Answer: 294

11. Which of the following are functions of a registration authority? (Select all correct answers.)

A. Serves as an aggregator of information

B. Conveys information in the form of a legal document

C. Ensures that the holder of the certificate is who they claim to be

D. Provides authentication about the validity of a certificate request

Quick Answer: 279

Detailed Answer: 294

12. An organization determines that some clients have fraudulently obtained certificates. Which of the following would be the most likely action the organization will take?

A. Use a recovery agent

B. Revoke the certificates

C. Change the trust model

D. Implement key escrow

Quick Answer: 279

Detailed Answer: 294

13. Which of the following provides the rules indicating the purpose and use of an assigned digital certificate?

A. Registration authority

B. Key escrow

C. Trust model

D. Certificate policy

Quick Answer: 279

Detailed Answer: 294

14. Which of the following is used to describe the situation where a CA or other entity maintains a copy of the private key associated with the public key signed by the CA?

A. Registration authority

B. Key escrow

C. Trust model

D. Certificate policy

Quick Answer: 279

Detailed Answer: 295

15. Which of the following best describes the difference between a certificate policy and a certificate practice statement?

A. The focus of a certificate policy is on the CA; the focus of a CPS is on the certificate.

B. The focus of a certificate policy is on the private key; the focus of a CPS is on the public key.

C. The focus of a certificate policy is on the certificate; the focus of a CPS is on the CA.

D. The focus of a certificate policy is on the public key; the focus of a CPS is on the private key.

Quick Answer: 279

Detailed Answer: 295

16. An organization determines that some clients have fraudulently obtained certificates. Which of the following is used to distribute certificate revocation information?

A. CPS

B. CRL

C. ACL

D. PKI

Quick Answer: 279

Detailed Answer: 295

17. Which of the following CA models is most closely related to a web of trust?

A. Cross-certification model

B. Hierarchical model

C. Bridge model

D. Virtual bridge model

Quick Answer: 279

Detailed Answer: 295

18. An organization requires a process that can be used for restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Which of the following will meet the organizational requirement?

A. Key storage

B. Key revocation

C. Key escrow

D. Key recovery

Quick Answer: 279

Detailed Answer: 295

19. An organization decides to implement a single CA architecture. Which of the following is the greatest potential issue the organization will face in using this model?

A. Sole point of compromise

B. Multiple points of compromise

C. Difficult key management

D. Complex certificate management

Quick Answer: 279

Detailed Answer: 295

20. An organization is implementing a certificate architecture. Which of the following CAs would the organization take offline?

A. Subordinate CA

B. Secondary CA

C. Bridge CA

D. Root CA

Quick Answer: 279

Detailed Answer: 296

Objective 5.6: Implement PKI and certificate management.

1. An organization is formulating policies for the certificate lifecycle. Which of the following documents will the organization include? (Select all correct answers.)

A. Certificate revocation statement

B. Certificate policy

C. Key escrow

D. Certification practice statement

Quick Answer: 279

Detailed Answer: 296

2. An organization decides to implement a centralized key management system. Which of the following are the greatest potential issues the organization will face in implementing this system? (Select all correct answers.)

A. Need for a secure channel to transmit the private key

B. Additional required infrastructure

C. Additional administrative overhead

D. Need for a secure channel to transmit the public key

Quick Answer: 280

Detailed Answer: 296

3. An organization wishes to allow a CA to have access to all the information that is encrypted using the public key from a user’s certificate, as well as create digital signatures on behalf of the user. Which of the following best meets this requirement?

A. Key storage

B. Key revocation

C. Key escrow

D. Key recovery

Quick Answer: 280

Detailed Answer: 296

4. An administrator is tasked with checking the state of several digital certificates. Which of the following will the administrator use to perform this function? (Select all correct answers.)

A. Certificate policy

B. Certificate revocation lists

C. Online Certificate Status Protocol

D. Certification practice statement

Quick Answer: 280

Detailed Answer: 296

5. An organization discovers that some clients may have fraudulently obtained certificates. The organization wants to allow the certificates to stay in place until the validity can be verified. Which of the following is the most appropriate action for the organization?

A. Certificate revocation

B. Certificate suspension

C. Key recovery

D. Key escrow

Quick Answer: 280

Detailed Answer: 296

6. An organization discovers that some clients may have corrupt key pairs but the keys are still considered valid and trusted. Which of the following is the most appropriate action for the organization?

A. Certificate revocation

B. Certificate suspension

C. Key recovery

D. Key escrow

Quick Answer: 280

Detailed Answer: 297

7. An organization chooses to implement a decentralized key management system. For which of the following functions will a user be responsible?

A. Revocation of the digital certificate

B. Creation of the digital certificate

C. Key recovery and archiving

D. Creation of the private and public keys

Quick Answer: 280

Detailed Answer: 297

8. An organization wants to reduce the complexity of using a large cross-certification model. Which of the following will meet this requirement?

A. A subordinate CA model

B. A hierarchical model

C. A bridge CA model

D. A root CA model

Quick Answer: 280

Detailed Answer: 297

9. A reorder associate needs a key pair for signing and sending encrypted messages and a key pair for restricted equipment ordering limited to a specific dollar amount. Which of the following is true about the number of key pairs required in this situation?

A. Only one key pair is needed.

B. Two key pairs are required.

C. Three key pairs are required.

D. Four key pairs are required.

Quick Answer: 280

Detailed Answer: 297

10. The key usage extension of the certificate specifies which of the following?

A. The cryptographic algorithm used

B. How the private key can be used

C. The time frame the key can be used

D. How the public key can be used

Quick Answer: 280

Detailed Answer: 297

11. Which of the following are best practices regarding key destruction if the key pair is used for digital signatures? (Select all correct answers.)

A. The certificate should be added to the CRL.

B. The public key portion should be destroyed first.

C. The private key portion should be destroyed first.

D. The certificate should be added to the CPS.

Quick Answer: 280

Detailed Answer: 297

12. Which of the following are correct functions of the certificate key usage extension? (Select all correct answers.)

A. Peer negotiation

B. Creation of digital signatures

C. Exchange of sensitive information

D. Securing of connections

Quick Answer: 280

Detailed Answer: 298

13. Which of the following is true regarding the encryption and decryption of email using an asymmetric encryption algorithm?

A. The public key is used to either encrypt or decrypt.

B. The private key is used to decrypt data encrypted with the public key.

C. The private key is used to encrypt and the public key is used to decrypt.

D. A secret key is used to perform both encryption and decryption operations.

Quick Answer: 280

Detailed Answer: 298

14. Which of the following best describes what happens when a certificate expires?

A. It gets automatically renewed.

B. It can be extended for another equal period.

C. A new certificate must be issued.

D. A new identity is issued for the current one.

Quick Answer: 280

Detailed Answer: 298

15. Which of the following events comprise the certificate lifecycle? (Select all correct answers.)

A. Creation

B. Preservation

C. Usage

D. Destruction

Quick Answer: 280

Detailed Answer: 298

16. An organization had an incident where a private key was compromised. Which of the following methods can the organization use to notify the community that the certificate is no longer valid? (Select all correct answers.)

A. Certificate policy statement

B. Certificate revocation list

C. Certification practice statement

D. Online Certificate Status Protocol

Quick Answer: 280

Detailed Answer: 298

17. Which of the following best describes the difference between certificate suspension and certificate revocation?

A. In suspension, new credentials are not needed; in revocation, new credentials are issued.

B. In suspension, new credentials are issued; in revocation, new credentials are not needed.

C. In suspension, the key pair is restored from backup; in revocation, the key pair is restored from escrow.

D. In suspension, the key pair is restored from escrow; in revocation, the key pair is restored from backup.

Quick Answer: 280

Detailed Answer: 298

18. The organization wants to implement the backing up of the public and private keys across multiple systems. Which of the following satisfies this requirement?

A. Key escrow

B. M of N control

C. Key recovery

D. Version control

Quick Answer: 280

Detailed Answer: 298

19. Which of the following are basic status levels existing in most PKI solutions? (Select all correct answers.)

A. Active

B. Valid

C. Revoked

D. Suspended

Quick Answer: 280

Detailed Answer: 299

20. Which of the following problems does key escrow enable an organization to overcome?

A. Forgotten passwords

B. Forged signatures

C. Phishing emails

D. Virus infection

Quick Answer: 280

Detailed Answer: 299

Quick-Check Answer Key

Objective 5.1: Explain general cryptography concepts.

1. C

2. B

3. D

4. A

5. A, C

6. B, D

7. B

8. C

9. A

10. B

11. C

12. A, C, D

13. B

14. A

15. D

16. B

17. A

18. B

19. D

20. A, C

21. A

22. C

23. B

24. D

25. B, C, D

26. D

27. A

28. B

29. C

30. B

Objective 5.2: Explain basic hashing concepts and map various algorithms to appropriate applications.

1. B

2. C

3. D

4. A

5. C

6. B

7. A, C

8. D

9. B

10. D

Objective 5.3: Explain basic encryption concepts and map various algorithms to appropriate applications.

1. B, C

2. B

3. A

4. D

5. B

6. C

7. A

8. B, D

9. B

10. C

11. C, D

12. B

13. A

14. B

15. B

16. C

17. B

18. C

19. D

20. D

Objective 5.4: Explain and implement protocols.

1. A, B

2. D

3. B

4. B

5. A

6. A, B, C

7. A, D

8. C

9. D

10. B

11. C

12. B

13. A

14. C

15. D

16. B

17. D

18. A

19. C

20. D

Objective 5.5: Explain core concepts of public key cryptography.

1. B

2. A

3. C

4. C

5. A

6. B, C, D

7. B

8. A

9. D

10. D

11. A, D

12. B

13. D

14. B

15. C

16. B

17. A

18. D

19. A

20. D

Objective 5.6: Implement PKI and certificate management.

1. B, D

2. A, B

3. C

4. B, C

5. B

6. C

7. D

8. C

9. B

10. B

11. A, C

12. B, C

13. B

14. C

15. A, C, D

16. B, D

17. A

18. B

19. B, C, D

20. A

Answers and Explanations

Objective 5.1: Explain general cryptography concepts.

1. Answer: C. A cryptography key describes a string of bits, which are used for encrypting and decrypting data. These keys can also be thought of as a password or table. Answer A is incorrect because it describes encryption. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer B is incorrect because it describes steganography. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer D is incorrect; an algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption.

2. Answer: B. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer A is incorrect because it describes encryption. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer C is incorrect because it describes a cryptography key. A cryptography key is a string of bits, which are used for encrypting and decrypting data. Answer D is incorrect; an algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption.

3. Answer: D. An algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption. Answer A is incorrect because it describes encryption. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer B is incorrect because it describes steganography. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer C is incorrect because it describes a cryptography key. A cryptography key is a string of bits, which are used for encrypting and decrypting data.

4. Answer: A. Encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer B is incorrect because it describes steganography. Steganography is a method for hiding messages so that unintended recipients aren’t even aware of any message. Answer C is incorrect because it describes a cryptography key. A cryptography key is a string of bits, which are used for encrypting and decrypting data. Answer D is incorrect; an algorithm is the mathematical procedure or sequence of steps taken to perform encryption and decryption.

5. Answer: A, C. There have been growing concerns over the security of data, which continues to grow rapidly across information systems and to reside in many different locations. Combined with more sophisticated attacks and a growing economy around computer-related fraud and data theft, this makes the need to protect the data itself even more important than in the past. Answers B and D are incorrect; the increase in virus infections and use of steganography has nothing to do with cryptography.

6. Answer: B, D. There are two fundamental types of encryption algorithms: symmetric key and asymmetric key. Answer A is incorrect. Hashing algorithms are not encryption methods, but offer additional system security via a “signature” for data confirming the original content. Answer C is incorrect; Trusted Platform Module is the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information.

7. Answer: B. Symmetric key cryptography is an encryption system that uses a common shared key between the sender and receiver. Answers A and D are incorrect because hashing is different from encryption. Answer C is incorrect because it describes asymmetric key cryptography.

8. Answer: C. The asymmetric encryption algorithm has two keys: a public one and a private one. Answers A and D are incorrect because hashing is different from encryption. Answer B is incorrect because it describes symmetric key cryptography.

9. Answer: A. The asymmetric encryption algorithm has two keys: a public one and a private one. The public key is made available to whoever is going to encrypt the data sent to the holder of the private key. Often the public encryption key is made available in a number of fashions, such as email or centralized servers that host a pseudo address book of published public encryption keys. Answer B is incorrect because this is where the private key is stored. Answer C is incorrect because a cryptographic vault is used for theft resistance. It is a small crypto file system containing all the secrets in unencrypted form. Answer D is incorrect; the user shared network folder is not used to store the public key.

10. Answer: B. The asymmetric encryption algorithm has two keys: a public one and a private one. The private key is maintained on the host system or application. Answer A is incorrect because this is where the public key is stored. The public encryption key is made available in a number of fashions, such as email or centralized servers that host a pseudo address book of published public encryption keys. Answer C is incorrect because a cryptographic vault is used for theft resistance. It is a small crypto file system containing all the secrets in unencrypted form. Answer D is incorrect; the user shared network folder is not used to store the public key.

11. Answer: C. Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm. Answers A, B, and D are incorrect; symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms.

12. Answer: A, C, D. Symmetric key algorithms are often referred to as secret key algorithms, private key algorithms, and shared secret algorithms. Answer B is incorrect. Asymmetric algorithms are often referred to as public key algorithms because of their use of the public key as the focal point for the algorithm.

13. Answer: B. Some general rules for asymmetric algorithms include the following: the public key can never decrypt a message that it was used to encrypt, the private key should never be determinable from the public key (if the algorithm is designed properly), and each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it; therefore, answers A and C are incorrect. Answer D is incorrect because the public key can never be used to decrypt a message it encrypted, even by an administrator.

14. Answer: A. Some general rules for asymmetric algorithms include the following: the public key can never decrypt a message that it was used to encrypt, the private key should never be determinable from the public key (if the algorithm is designed properly), and each key should be able to decrypt a message made with the other. For instance, if a message is encrypted with the private key, the public key should be able to decrypt it; therefore, answers B and C are incorrect. Answer D is incorrect because the public key can never be used to decrypt a message it encrypted, even by an administrator.
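The three rules stated in the explanations for questions 13 and 14 can be checked directly with textbook RSA. The following Python example is added here and is not from the book; it uses the deliberately tiny constructed primes p = 61 and q = 53 so that every step is visible, which is also why such a public key would not satisfy the "private key cannot be determined from the public key" rule in practice (real keys use primes hundreds of digits long).

```python
from math import gcd

# Constructed tiny parameters so every step is visible. A modulus this small
# can be factored by hand, so the "private key cannot be derived from the
# public key" rule only holds for properly sized keys, never for these.
P, Q = 61, 53
E = 17  # public exponent


def make_keypair(p: int, q: int, e: int) -> tuple:
    """Return ((e, n), (d, n)) for textbook RSA.

    d is the modular inverse of e modulo lcm(p-1, q-1), so that
    (m ** e) ** d == m (mod n) for any message m < n, and equally
    (m ** d) ** e == m (mod n). That symmetry is the "each key can
    decrypt a message made with the other" rule.
    """
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lcm(p-1, q-1)")
    d = pow(e, -1, lam)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value: int, key: tuple) -> int:
    """RSA is the same modular exponentiation whichever key is used; what
    changes is which key is needed to undo the operation."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def rule_checks(message: int) -> dict:
    """Exercise the rules from the explanation on one sample message."""
    public, private = make_keypair(P, Q, E)

    ciphertext = apply_key(message, public)   # encrypt with the public key
    signature = apply_key(message, private)   # "encrypt" (sign) with the private key

    return {
        # Rule: each key decrypts what the other produced.
        "private_decrypts_public": apply_key(ciphertext, private) == message,
        "public_decrypts_private": apply_key(signature, public) == message,
        # Rule: the public key cannot decrypt a message it encrypted itself.
        "public_undoes_itself": apply_key(ciphertext, public) == message,
        # A signature made over a different message does not verify for this one.
        "other_signature_verifies":
            apply_key(apply_key(message + 1, private), public) == message,
    }


if __name__ == "__main__":
    public, private = make_keypair(P, Q, E)
    print("public key (e, n):", public, " private key (d, n):", private)
    for rule, holds in rule_checks(65).items():
        print(f"{rule}: {holds}")
```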

15. Answer: D. Steganography seeks to hide the presence of a message, whereas the purpose of cryptography is to transform a message from readable plaintext into an unreadable form known as ciphertext. Answer A is incorrect because steganography seeks to hide the presence of a message not expose it. Answers B and C are incorrect because the descriptions of each are reversed and cryptography has nothing to do with hiding or exposing hidden messages.

16. Answer: B. Steganography has been used by many printers, using tiny dots that reveal serial numbers and time stamps. Answer A is incorrect; phishing is the fraudulent process of attempting to acquire sensitive information. Answer C is incorrect; cryptography transforms a message from readable plaintext into an unreadable form known as ciphertext. Answer D is incorrect; a hash is a generated summary from a mathematical rule or algorithm.

17. Answer: A. Confidentiality is concerned with the unauthorized disclosure of sensitive information. Answer B is incorrect; integrity pertains to preventing unauthorized modifications of information or systems. Answer C is incorrect; authorization is the function of specifying access rights to resources. Answer D is incorrect; availability is about maintaining continuous operations and preventing service disruptions.

18. Answer: B. Integrity pertains to preventing unauthorized modifications of information or systems. Answer A is incorrect; confidentiality is concerned with the unauthorized disclosure of sensitive information. Answer C is incorrect; authorization is the function of specifying access rights to resources. Answer D is incorrect; availability is about maintaining continuous operations and preventing service disruptions.

19. Answer: D. Availability is about maintaining continuous operations and preventing service disruptions. Answer A is incorrect; confidentiality is concerned with the unauthorized disclosure of sensitive information. Answer B is incorrect; integrity pertains to preventing unauthorized modifications of information or systems. Answer C is incorrect; authorization is the function of specifying access rights to resources.

20. Answer: A, C. Pretty Good Privacy (PGP) is a computer program used for signing, encrypting, and decrypting email messages. PGP is used to send and receive emails in a confidential, secure fashion. Answer B is incorrect. Availability is about maintaining continuous operations and preventing service disruptions. Answer D is incorrect; authorization is the function of specifying access rights to resources.

21. Answer: A. Integrity is the assurance that data and information can only be modified by those authorized to do so. Answer B is incorrect; availability refers to the accessibility of information and information systems, when they are needed. Answer C is incorrect; confidentiality describes the act of limiting disclosure of private information. Answer D is incorrect because authorization is the function of specifying access rights to resources.

22. Answer: C. Confidentiality describes the act of limiting disclosure of private information. Answer A is incorrect; integrity is the assurance that data and information can only be modified by those authorized to do so. Answer B is incorrect; availability refers to the accessibility of information and information systems, when they are needed. Answer D is incorrect because authorization is the function of specifying access rights to resources.

23. Answer: B. Availability refers to the accessibility of information and information systems, when they are needed. Answer A is incorrect; integrity is the assurance that data and information can only be modified by those authorized to do so. Answer C is incorrect; confidentiality describes the act of limiting disclosure of private information. Answer D is incorrect because authorization is the function of specifying access rights to resources.

24. Answer: D. Nonrepudiation is intended to provide, through encryption, a method of accountability in which the source from which data was sent (or arrived) cannot be refuted. Answer A is incorrect because it describes integrity. Answer B is incorrect because it describes confidentiality. Answer C is incorrect because it describes authorization.

25. Answer: B, C, D. The four key elements that nonrepudiation services provide are proof of origin, proof of submission, proof of delivery, and proof of receipt. Answer A is incorrect because proof of service is a court paper filed by a process server as evidence that the witness or party to the lawsuit was served with the court papers as instructed.

26. Answer: D. Digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer A is incorrect; a hash is a generated summary from a mathematical rule or algorithm. Answer B is incorrect; steganography seeks to hide the presence of a message. Answer C is incorrect; cryptography transforms a message from readable plaintext into an unreadable form known as ciphertext.

27. Answer: A. Whole disk encryption helps mitigate the risks associated with lost or stolen laptops and accompanying disclosure laws when the organization is required to report data breaches. Answer B is incorrect; Trusted Platform Module is the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information. Answer C is incorrect; digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer D is incorrect; a hash is a generated summary from a mathematical rule or algorithm.

28. Answer: B. At the most basic level, TPM provides for the secure storage of keys, passwords, and digital certificates, and is hardware based, typically attached to the circuit board of the system. Answer A is incorrect because whole disk encryption helps mitigate the risks associated with lost or stolen laptops and accompanying disclosure laws. Answer C is incorrect; digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer D is incorrect; a hash is a generated summary from a mathematical rule or algorithm.

29. Answer: C. In most cases, the use of SSL and TLS is single sided. Only the server is authenticated as valid with a verifiable certificate. For example, when conducting an online banking transaction, one can be assured of being at the legitimate site by verifying the server-side certificate, whereas the client is verified by a means other than a certificate, such as a username and password. Answer A is incorrect; digital signatures attempt to guarantee the identity of the person sending the data from one point to another. Answer B is incorrect; a hash is a generated summary from a mathematical rule or algorithm. Answer D is incorrect; in a dual-sided scenario, not only is the server authenticated using a certificate, but the client side is as well. This certainly can provide for a more secure environment, but additional overhead is created. Furthermore, a unique client-side certificate now needs to be created and managed for every client rather than just a single server.

30. Answer: B. Because of the sensitive nature behind the uses of cryptography, the use of well-known, proven technologies is crucial. Back doors and flaws, for example, can undermine any encryption algorithm, which is why proven algorithms should always be considered. Although various vendors might have their own encryption solutions, most of these depend upon well-known, time-tested algorithms, and generally speaking one should be skeptical of any vendor using a proprietary nonproven algorithm; therefore, answers C and D are incorrect. Answer A is incorrect; DES is only a 56-bit encryption key algorithm and is considered weak.

Objective 5.2: Explain basic hashing concepts and map various algorithms to appropriate applications.

1. Answer: B. A hash is a generated summary from a mathematical rule or algorithm, and is used commonly as a “digital fingerprint” to verify the integrity of files and messages as well as to ensure message integrity and provide authentication verification. Answer A is incorrect; encryption takes plaintext data and converts it into an unreadable format (ciphertext) by using an algorithm (cipher). Answer C is incorrect because a cryptography key describes a string of bits, which are used for encrypting and decrypting data. Answer D is incorrect. An algorithm is the mathematical procedure or sequence of steps taken to perform a variety of functions. Hashing and encryption are examples of how algorithms can be used.

2. Answer: C. Hash functions work by taking a string (for example, a password or email) of any length, and producing a fixed-length string for output. Based on this information, answers A, B, and D are incorrect.

3. Answer: D. Although you can create a hash from a document, you cannot re-create the document from the hash. Keep in mind that hashing is a one-way function. Based on this information, answers A, B, and C are incorrect.

4. Answer: A. The Secure Hash Algorithms (SHA, SHA-1) are hash algorithms pioneered by the National Security Agency and widely used in the U.S. government. SHA-1 can generate a 160-bit hash from any variable-length string of data, making it very secure but also resource intensive. Based on this information, answers B, C, and D are incorrect.

5. Answer: C. The Message Digest series of algorithms, MD2, MD4, and MD5, is a series of encryption algorithms created by Ronald Rivest (founder of RSA Data Security, Inc.) that are designed to be fast, simple, and secure. The MD series generates a hash of up to 128-bit strength out of any length of data. Based on this information, answers A, B, and D are incorrect.

6. Answer: B. A Message Authentication Code (MAC) is similar to a hash function. The MAC is a small piece of data known as an authentication tag, which is derived by applying a message or file combined with a secret key to a cryptographic algorithm. The resulting MAC value can ensure the integrity of the data as well as its authenticity, because anyone in possession of the secret key can subsequently detect any changes from the original. Answer A is incorrect because it describes symmetric encryption. Answer C is incorrect because it describes asymmetric encryption. Answer D is incorrect because it describes the Secure Hash Algorithm.

7. Answer: A, C. The two primary weaknesses of the LM hash are that, first, all passwords longer than seven characters are broken into two chunks, each of which is hashed separately, and second, before the password is hashed, all lowercase characters are converted to uppercase. Answers B and D are incorrect; LM hashes have nothing to do with encryption keys.

8. Answer: D. A Message Authentication Code (MAC) is similar to a hash function, but is able to resist forgery and is not open to man-in-the-middle attacks. A MAC can be thought of as an encrypted hash, combining an encryption key and a hashing algorithm. Based on this information, answers A, B, and C are incorrect.
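To make the distinction drawn in questions 6 and 8 concrete, the following Python example (added here, not from the book) shows that a bare hash over a message offers no forgery resistance, because anyone who alters the message can simply recompute the hash, whereas an HMAC built from the same hash function plus a secret key cannot be recomputed by a party that lacks the key. The key, message and modified message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not real secrets).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ORIGINAL = b"PAY 100.00 TO ACCOUNT 12345"
TAMPERED = b"PAY 900.00 TO ACCOUNT 12345"


def plain_digest(message: bytes) -> str:
    """Hash only: a digital fingerprint that anyone can recompute."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(message: bytes, key: bytes) -> str:
    """Authentication tag: the message combined with a secret key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, digest: str) -> bool:
    """Integrity check with a bare hash. It accepts any message whose hash
    matches, so a modified message with a recomputed digest passes."""
    return hmac.compare_digest(plain_digest(message), digest)


def verify_mac(message: bytes, key: bytes, tag: str) -> bool:
    """Integrity plus authenticity: only a holder of the key can produce a
    matching tag. compare_digest avoids timing leaks during comparison."""
    return hmac.compare_digest(mac_tag(message, key), tag)


def forgery_demo() -> dict:
    """Simulate an in-transit modification of the message by a party that
    does not know SHARED_KEY, and show what each receiver-side check does."""
    # Sender computes both a bare digest and a keyed tag for the original.
    sent_digest = plain_digest(ORIGINAL)
    sent_tag = mac_tag(ORIGINAL, SHARED_KEY)

    # The modifying party swaps the message and recomputes the unkeyed digest;
    # without the key it can only reuse the old tag or guess a key.
    recomputed_digest = plain_digest(TAMPERED)
    guessed_key_tag = mac_tag(TAMPERED, b"wrong-guessed-key")

    return {
        # A receiver trusting the bare hash accepts the modified message.
        "plain_hash_accepts_modified": verify_plain(TAMPERED, recomputed_digest),
        # A receiver checking the MAC rejects both the reused tag and a guessed key.
        "mac_rejects_reused_tag": not verify_mac(TAMPERED, SHARED_KEY, sent_tag),
        "mac_rejects_guessed_key": not verify_mac(TAMPERED, SHARED_KEY, guessed_key_tag),
        # The legitimate, unmodified message still verifies under both checks.
        "mac_accepts_original": verify_mac(ORIGINAL, SHARED_KEY, sent_tag),
        "plain_accepts_original": verify_plain(ORIGINAL, sent_digest),
    }


if __name__ == "__main__":
    for check, result in forgery_demo().items():
        print(f"{check}: {result}")
```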

9. Answer: B. Both SHA and the MD series are similar in design; however, keep in mind that because of the higher bit strength of the SHA-1 algorithm, it will be in the range of 20% to 30% slower to process than the MD family of algorithms; therefore, answer A is incorrect. Answer C is incorrect; LM hash is based on DES encryption. Answer D is incorrect; NTLM hashing makes use of the MD4 hashing algorithm.

10. Answer: D. NTLM hashing makes use of the MD4 hashing algorithm and is used on more recent versions of the Windows operating system. Answers A and B are incorrect; MD5 and SHA are typically not used in place of NTLM. Answer C is incorrect; the NTLM hash is an improvement over the LM hash. LM hash is based on DES encryption, yet it is not considered to be effective (and is technically not truly a hashing algorithm) due to weaknesses in its design and implementation.

Objective 5.3: Explain basic encryption concepts and map various algorithms to appropriate applications.

1. Answer: B, C. Symmetric algorithms can be classified as either block ciphers or stream ciphers. A stream cipher, as the name implies, encrypts the message bit by bit, one at a time, whereas a block cipher encrypts the message in chunks. Answer A is incorrect; historical pen-and-paper ciphers used in the past are sometimes known as classical ciphers. Answer D is incorrect because simple substitution ciphers and transposition ciphers are considered classical ciphers.

2. Answer: B. DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Based on this information, answers A, C, and D are incorrect.

3. Answer: A. Triple Data Encryption Standard (3DES), also known as Triple-DES, dramatically improves upon the DES by using the DES algorithm three times with three distinct keys. This provides a total effective key length of 168 bits. Based on this information, answers B, C, and D are incorrect.

4. Answer: D. RC4 is a stream cipher that uses a key length of 1 to 2048 bits. Answers A, B, and C are incorrect because they are all block ciphers.

5. Answer: B. The Blowfish encryption algorithm is a block cipher that can encrypt using any size chunk of data. Blowfish can also perform encryption with any encryption key length up to 448 bits, making it a very flexible and secure symmetric encryption algorithm. Answers A and C are incorrect; although they are block ciphers, the maximum key length of RC5 is 256 bits and the maximum key length of the International Data Encryption Algorithm (IDEA) is 128 bits. Answer D is incorrect; RC4 is a stream cipher.

6. Answer: C. Data Encryption Standard (DES) is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Answer A is incorrect; with Triple Data Encryption Standard (3DES), the DES algorithm is used three times with three distinct keys. This provides a total effective key length of 168 bits. Answer B is incorrect; the key length of RC5 is 128 to 256 bits. Answer D is incorrect; the key length of Advanced Encryption Standard (AES) is 128 to 256 bits.

7. Answer: A. Triple Data Encryption Standard (3DES), also known as Triple-DES, dramatically improves upon the Data Encryption Standard (DES) by using the DES algorithm three times with three distinct keys. This provides a total effective key length of 168 bits. Answer B is incorrect; the key length of RC5 is 128 to 256 bits. Answer C is incorrect; DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data. Answer D is incorrect; the key length of Advanced Encryption Standard (AES) is 128 to 256 bits.

8. Answer: B, D. The key length of both RC5 and AES is 128 to 256 bits. Answer A is incorrect; Triple Data Encryption Standard (3DES), also known as Triple-DES, dramatically improves upon the Data Encryption Standard (DES) by using the DES algorithm three times with three distinct keys. This provides a total effective key length of 168 bits. Answer C is incorrect; DES is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data.

9. Answer: B. There is one type of cipher that perhaps has earned the mark as being completely unbreakable: one-time pad (OTP). Unfortunately, the OTP currently has the tradeoff of requiring a key as long as the message, thus having significant storage and transmission costs. Answer A is incorrect; the key length of RC5 is 128 to 256 bits. Answer C is incorrect; the maximum key length of IDEA is 128 bits. Answer D is incorrect; Data Encryption Standard (DES) is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data.

10. Answer: C. Advanced Encryption Standard (AES) is similar to Data Encryption Standard (DES) in that it can create keys from 128 to 256 bits in length and can perform the encryption and decryption of data in chunks of up to 128 bits. Similar to Triple Data Encryption Standard (3DES), the data is passed through three layers, each with a specific task, such as generating random keys based on the data and the bit strength being used. Based on this information, answers A, B, and D are incorrect.

11. Answer: C, D. Because of the additional overhead generated by using one key for encryption and another for decryption, using asymmetric algorithms requires far more resources than symmetric algorithms. Answers A and B are incorrect; both ECC and RSA are asymmetric algorithms.

12. Answer: B. PGP was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails. PGP follows the OpenPGP format using a combination of public key and private key encryption. Answer A is incorrect; one-time pad (OTP) is a type of cipher that perhaps has earned the mark as being completely unbreakable. Answer C is incorrect; Data Encryption Standard (DES) is a symmetric algorithm. Answer D is incorrect; Elliptic Curve Cryptography (ECC) is an asymmetric algorithm.

13. Answer: A. Rivest, Shamir, Adleman (RSA) is a well-known cryptography system used for encryption and digital signatures. In fact, the RSA algorithm is considered by many to be the standard for encryption and core technology that secures most business conducted on the Internet. Answer B is incorrect; Elliptic Curve Cryptography (ECC) is an asymmetric algorithm. Answer C is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer D is incorrect; Data Encryption Standard (DES) is a symmetric algorithm.

14. Answer: B. Elliptic Curve Cryptography (ECC) techniques utilize a method in which elliptic curves could be used to calculate simple, but very difficult to break, encryption keys to use in general purpose encryption. One of the key benefits of ECC encryption algorithms is that they have a very compact design because of the advanced mathematics involved in ECC. Answer A is incorrect. The Rivest, Shamir, Adleman (RSA) algorithm, named after its inventors at MIT, is considered by many to be the standard for encryption and core technology that secures most business conducted on the Internet. Answer C is incorrect; one-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer D is incorrect; Data Encryption Standard (DES) is a symmetric algorithm.

15. Answer: B. There is one type of cipher that perhaps has earned the mark as being completely unbreakable: one-time pad (OTP). Unfortunately, the OTP currently has the tradeoff of requiring a key as long as the message, thus having significant storage and transmission costs. Answer A is incorrect; the key length of RC5 is 128 to 256 bits. Answer C is incorrect; the maximum key length of IDEA is 128 bits. Answer D is incorrect; Data Encryption Standard (DES) is a block cipher that uses a 56-bit key and 8 bits of parity on each 64-bit chunk of data.

16. Answer: C. For most environments today, 128-bit encryption key strength is considered adequate; therefore, symmetric encryption may often suffice. However, if you want to simplify how you distribute keys, asymmetric encryption may be the better choice. Answer A is incorrect because Rivest, Shamir, Adleman (RSA) key generation on smart cards shows that the generation of up to 1024-bit prime numbers is costly both in terms of time and energy. Answer B is incorrect because 56-bit encryption is considered weak. Answer D is incorrect; although many USB drives now come with 256-bit encryption, 128-bit is sufficient for an enterprise organization.

17. Answer: B. Pretty Good Privacy (PGP) was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails. PGP follows the OpenPGP format using a combination of public key and private key encryption. Answer A is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer C is incorrect; Data Encryption Standard (DES) is a symmetric algorithm. Answer D is incorrect; Elliptic Curve Cryptography (ECC) is an asymmetric algorithm.

18. Answer: C. Advanced Encryption Standard (AES) supports key lengths of 128, 192, and 256 bits, and many commercial offerings, to encrypt laptops or USB sticks for example, supply AES at the maximum 256-bit key length. Based on this information, answers A, B, and D are incorrect.

19. Answer: D. TKIP uses the RC4 algorithm and does not require an upgrade to existing hardware. Based on this information, answers A, B, and C are incorrect.

20. Answer: D. Wired Equivalent Privacy (WEP) uses the RC4 cipher for confidentiality; however, the WEP algorithm, although still widely used, is no longer considered secure and has been replaced. Based on this information, answers A, B, and C are incorrect.

Objective 5.4: Explain and implement protocols.

1. Answer: A, B. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols for managing secure communication between a client and server over the Web. Both essentially serve the same purpose, with TLS being the successor to SSL. Answer C is incorrect; Point-to-Point Tunneling Protocol (PPTP) is not cryptographic. Answer D is incorrect because Wired Equivalent Privacy (WEP) is inherently insecure and is not used specifically for client-server connections.

2. Answer: D. Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol often used to support the creation of virtual private networks (VPNs). Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer B is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server. PPTP sends authentication information in cleartext. Answer C is incorrect because Multipurpose Internet Mail Extensions (MIME) is used in email communications.

3. Answer: B. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer C is incorrect because Multipurpose Internet Mail Extensions (MIME) is used in email communications. Answer D is incorrect; Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol, not a network protocol.

4. Answer: B. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, and virtual private networking over public networks, such as the Internet. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer C is incorrect because Multipurpose Internet Mail Extensions (MIME) is used in email communications. Answer D is incorrect. Layer 2 Tunneling Protocol (L2TP) is an encapsulated tunneling protocol, not a network protocol.

5. Answer: A. Secure Shell (SSH) utilizes the asymmetric (public key) Rivest, Shamir, Adleman (RSA) cryptography method to provide both connection and authentication. Answer B is incorrect; Elliptic Curve Cryptography (ECC) techniques utilize a method in which elliptic curves could be used to calculate simple, but very difficult to break, encryption keys to use in general purpose encryption. Answer C is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer D is incorrect; Pretty Good Privacy (PGP) was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails.

6. Answer: A, B, C. Data encryption with SSH is accomplished using one of the following algorithms: International Data Encryption Algorithm (IDEA), Blowfish, or Data Encryption Standard (DES). Answer D is incorrect because Diffie-Hellman is a mathematical algorithm that allows two computers to generate an identical shared secret on both systems, even though those systems may never have communicated with each other before.

7. Answer: A, D. Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a telnet session. The SSH suite encapsulates three secure utilities: slogin, ssh, and scp. Answers B and C are incorrect because rlogin and rsh are earlier nonsecure UNIX utilities.

8. Answer: C. IPsec provides authentication services, as well as encapsulation of data through support of the Internet Key Exchange (IKE) protocol. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for web-based communications. Answer B is incorrect. Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer D is incorrect; a public key infrastructure (PKI) is a vast collection of varying technologies and policies for the creation and use of digital certificates.

9. Answer: D. Authentication Header (AH) provides connectionless integrity and data origin authentication for IP packets. Answer A is incorrect because the Internet Key Exchange (IKE) protocol provides for additional features and ease of configuration. IKE specifically provides authentication for IPsec peers and negotiates IPsec keys and security associations. Answer B is incorrect because Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a telnet session. Answer C is incorrect; Internet Protocol (IP) is part of the TCP/IP suite.

10. Answer: B. If IPsec is configured to do authentication only (AH), you must permit protocol 51 traffic to pass through the stateful firewall or packet filter. Answer A is incorrect; Protocol 255 is an Internet Assigned Numbers Authority (IANA) reserved value. Answer C is incorrect; in an IP header, ESP can be identified as IP protocol number 50. Answer D is incorrect; Protocol 2 is Internet Group Management (IGMP).

11. Answer: C. Encapsulating Security Payload (ESP) provides encryption and limited traffic flow confidentiality, or connectionless integrity, data origin authentication, and an antireplay service. In an IP header, ESP can be identified as IP protocol number 50. Answer A is incorrect; Protocol 255 is an IANA reserved value. Answer B is incorrect; Authentication Header (AH) provides connectionless integrity and data origin authentication for IP packets. In an IP header, AH can be identified as IP protocol number 51. Answer D is incorrect; Protocol 2 is Internet Group Management (IGMP).

12. Answer: B. If IPsec uses nested Authentication Header (AH) and Encapsulating Security Payload (ESP), IP can be configured to let only protocol 51 (AH) traffic pass through the stateful firewall or packet filter. Answer A is incorrect; Protocol 255 is an Internet Assigned Numbers Authority (IANA) reserved value. Answer C is incorrect; IP can be configured to let only protocol 51 (AH) traffic pass. Answer D is incorrect; Protocol 2 is Internet Group Management (IGMP).

13. Answer: A. S/MIME utilizes the Rivest, Shamir, Adleman (RSA) asymmetric encryption scheme to encrypt electronic mail transmissions over public networks. Answer B is incorrect; Elliptic Curve Cryptography (ECC) techniques utilize a method in which elliptic curves could be used to calculate simple, but very difficult to break, encryption keys to use in general purpose encryption. Answer C is incorrect. One-time pad (OTP) is one type of cipher that perhaps has earned the mark as being completely unbreakable. Answer D is incorrect; Pretty Good Privacy (PGP) was originally designed to provide for the encryption/decryption of email, as well as for digitally signing emails.

14. Answer: C. An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications. Answer A is incorrect because HTTP is used for unsecured web-based communications. Answer B is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer D is incorrect. S/MIME is used to encrypt electronic mail transmissions over public networks.

15. Answer: D. S/MIME, which utilizes the Rivest, Shamir, Adleman (RSA) asymmetric encryption scheme, is a specification that provides email privacy using encryption and authentication via digital signatures. Answer A is incorrect because Hypertext Transfer Protocol (HTTP) is used for unsecured web-based communications. Answer B is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. Answer C is incorrect. An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications.

16. Answer: B. PGP/MIME derives from the Pretty Good Privacy application and is an alternative to S/MIME. Basically, it encrypts and decrypts email messages using asymmetric encryption schemes such as RSA. Answer A is incorrect; Multipurpose Internet Mail Extensions (MIME) does not encrypt email. MIME extends the original Simple Mail Transfer Protocol (SMTP) to allow the inclusion of nontextual data within an email message. Answer C is incorrect because Hypertext Transfer Protocol (HTTP) is used for unsecured web-based communications. Answer D is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

17. Answer: D. Transport Layer Security (TLS) consists of two additional protocols: the TLS record protocol and the TLS handshake protocol. The handshake protocol allows the client and server to authenticate to one another, and the record protocol provides connection security. Therefore, answer A is incorrect. Answer B is incorrect; the alert protocol is used to signal errors. Answer C is incorrect; application protocol is a generic term that can be used to describe TLS.

18. Answer: A. Transport Layer Security (TLS) consists of two additional protocols: the TLS record protocol and the TLS handshake protocol. The handshake protocol allows the client and server to authenticate to one another, and the record protocol provides connection security; therefore, answer D is incorrect. Answer B is incorrect; the alert protocol is used to signal errors. Answer C is incorrect; application protocol is a generic term that can be used to describe TLS.

19. Answer: C. Hypertext Transfer Protocol Secure (HTTPS) traffic typically occurs over port 443. Answer A is incorrect; port 8080 is a popular alternative to port 80 for offering web services. Answer B is incorrect; the default port for unencrypted HTTP traffic is port 80. Answer D is incorrect; TCP port 445 is used for Server Message Block (SMB) over TCP.

20. Answer: D. Secure Shell (SSH) provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a Telnet session. Answers A and B are incorrect; Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are best known for protecting Hypertext Transfer Protocol (HTTP) web traffic and transactions, commonly known as Hypertext Transfer Protocol over SSL (HTTPS), which is a secure HTTP connection. Answer C is incorrect; Wired Equivalent Privacy (WEP) uses the RC4 cipher for confidentiality of wireless communications.
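The IPsec firewall rules in answers 10 through 12 above, as an added example (not the book's code): it reads the protocol field of an IPv4 header and decides whether the packet passes under a given IPsec configuration. The packets are constructed for illustration and the policy names (`ah_only`, `esp_only`, `nested`) are this example's own; the `nested` policy assumes AH is the outer header, as answer 12 states.

```python
# Added example (not the book's code): packet-filter check for the IPsec
# protocol numbers cited in answers 10-12. Packets are constructed here.
import struct

# IP protocol numbers cited in the answers.
PROTO_IGMP = 2
PROTO_ESP = 50
PROTO_AH = 51
PROTO_RESERVED = 255
PROTO_NAMES = {PROTO_IGMP: "IGMP", PROTO_ESP: "ESP",
               PROTO_AH: "AH", PROTO_RESERVED: "IANA reserved"}

# Which protocol numbers each configuration needs the firewall to permit.
# ah_only: authentication only (AH).  esp_only: ESP alone.  nested: AH
# wrapped around ESP, so the filter only ever sees the outer AH header
# (assumed here, matching answer 12's "only protocol 51 (AH)").
POLICY_PERMITS = {
    "ah_only": {PROTO_AH},
    "esp_only": {PROTO_ESP},
    "nested": {PROTO_AH},
}


def _ip_bytes(dotted):
    """Convert a dotted-quad string to its 4 network-order bytes."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return bytes(octets)


def build_ipv4_header(protocol, src, dst, payload_len=0):
    """Construct a minimal 20-byte IPv4 header (no options) for test traffic."""
    if not 0 <= protocol <= 255:
        raise ValueError("protocol must fit in one byte")
    version_ihl = (4 << 4) | 5            # IPv4, header length 5 x 32-bit words
    return struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20 + payload_len,  # version/IHL, TOS, total length
        0x1234, 0x4000, 64,               # identification, DF flag, TTL
        protocol, 0,                      # protocol, checksum (left zero here)
        _ip_bytes(src), _ip_bytes(dst),
    )


def parse_protocol(packet):
    """Return the IP protocol number from an IPv4 header (byte offset 9)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("invalid IHL or header shorter than IHL claims")
    return packet[9]


def classify(packet):
    """Name the encapsulated protocol, e.g. 'AH' for protocol 51."""
    proto = parse_protocol(packet)
    return PROTO_NAMES.get(proto, f"protocol {proto}")


def filter_decision(packet, policy):
    """Return 'permit' or 'deny' for the packet under the named IPsec policy."""
    if policy not in POLICY_PERMITS:
        raise ValueError(f"unknown policy {policy!r}")
    return "permit" if parse_protocol(packet) in POLICY_PERMITS[policy] else "deny"


if __name__ == "__main__":
    # Documentation addresses (RFC 5737) used as constructed endpoints.
    for proto in (PROTO_AH, PROTO_ESP, PROTO_IGMP, PROTO_RESERVED):
        pkt = build_ipv4_header(proto, "192.0.2.10", "198.51.100.20")
        verdicts = {p: filter_decision(pkt, p) for p in POLICY_PERMITS}
        print(f"{classify(pkt):14s} {verdicts}")
```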
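The TLS sub-protocols named in answers 17 and 18 above, as an added example (not the book's code): a parser for the record layer that reports whether each record carries handshake, alert, change-cipher-spec or application-data traffic, and reads the handshake and alert headers. The sample byte strings are constructed here; only the plaintext records exchanged before keys are established can be read this way.

```python
# Added example (not the book's code): TLS record-layer parser showing the
# record, handshake, alert and application-data protocols on the wire.
import struct

# Record-layer content types and the sub-protocol headers they carry.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

RECORD_HEADER_LEN = 5
MAX_RECORD_LEN = 2 ** 14 + 2048   # plaintext limit plus permitted ciphertext expansion


def parse_record(data):
    """Parse one record from the front of `data`; return (info, remaining bytes)."""
    if len(data) < RECORD_HEADER_LEN:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_RECORD_LEN:
        raise ValueError(f"record length {length} exceeds maximum")
    body = data[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    info = {"protocol": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
            "length": length}
    if ctype == 22:
        # Handshake header: 1-byte message type, 3-byte message length. A record
        # may carry several handshake messages or a fragment; only the first
        # message header is read here.
        if length < 4:
            raise ValueError("handshake record too short for its header")
        hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
        info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, f"type {hs_type}")
        info["handshake_length"] = hs_len
    elif ctype == 21:
        # Alert: 1-byte level, 1-byte description.
        if length != 2:
            raise ValueError("alert record must be exactly 2 bytes")
        info["alert_level"] = ALERT_LEVELS.get(body[0], f"level {body[0]}")
        info["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], f"description {body[1]}")
    return info, data[RECORD_HEADER_LEN + length:]


def parse_stream(data):
    """Split a byte string into its consecutive records."""
    records = []
    while data:
        info, data = parse_record(data)
        records.append(info)
    return records


def is_well_formed(data):
    """True when every record in `data` parses without error."""
    try:
        parse_stream(data)
        return True
    except ValueError:
        return False


# Constructed sample: a ClientHello record (2-byte body for brevity), a fatal
# handshake_failure alert, and a 3-byte application-data record.
SAMPLE_STREAM = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03])
    + bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])
    + bytes([0x17, 0x03, 0x03, 0x00, 0x03, 0xAA, 0xBB, 0xCC])
)

if __name__ == "__main__":
    for rec in parse_stream(SAMPLE_STREAM):
        print(rec)
```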

Objective 5.5: Explain core concepts of public key cryptography.

1. Answer: B. A public key infrastructure is a vast collection of varying technologies and policies for the creation and use of digital certificates. Answer A is incorrect because it describes the X.509 standard. Answer C is incorrect because it describes Public Key Cryptography Standards (PKCS). Answer D is incorrect because it describes public key infrastructure (X.509) (PKIX).

2. Answer: A. In a certificate trust model, everybody’s certificate is issued by a third party called a certificate authority (CA). If one trusts the CA, he automatically trusts the certificates that CA issues. Answer B is incorrect; certificate authorities (CAs) are trusted entities and are an important concept within PKI. The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be. Answer C is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer D is incorrect; a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

3. Answer: C. The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and published by RSA Laboratories. Answer B is incorrect because it describes a public key infrastructure (PKI). Answer A is incorrect because it describes the X.509 standard. Answer D is incorrect because it describes public key infrastructure (X.509) (PKIX).

4. Answer: C. A registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer A is incorrect because in a certificate trust model, everybody’s certificate is issued by a third party called the certificate authority (CA). If one trusts the CA, then he automatically trusts the certificates that CA issues. Answer B is incorrect; certificate authorities (CAs) are trusted entities and are an important concept within PKI. The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be. Answer D is incorrect; a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

5. Answer: A. The validity period identifies the time frame for which the private key is valid, if the private key has not been compromised. This period is indicated with both a start and an end time, and may be of any duration, but it is often set to one year. Based on this information, answers B, C, and D are incorrect.

6. Answer: B, C, D. Information about the signature algorithm identifier, user’s public key, and serial number of the issuing certificate authority (CA) is all included within a digital certificate. A user’s private key should never be contained within the digital certificate and should remain under tight control; therefore, answer A is incorrect.

7. Answer: B. Certificate authorities (CAs) are trusted entities and are an important concept within public key infrastructure (PKI). The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be. Answer A is incorrect because in a certificate trust model, everybody’s certificate is issued by a third party called a certificate authority (CA). If one trusts the CA, then he automatically trusts the certificates that CA issues. Answer C is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer D is incorrect; a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

8. Answer: A. The X.509 standard defines a framework for authentication services by a directory and the format of required data for digital certificates. Answer B is incorrect because it describes a public key infrastructure (PKI). Answer C is incorrect because it describes Public Key Cryptography Standards (PKCS). Answer D is incorrect because it describes public key infrastructure (X.509) (PKIX).

9. Answer: D. A certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. Answer A is incorrect because in a certificate trust model, everybody’s certificate is issued by a third party called a certificate authority (CA). If one trusts the CA, he automatically trusts the certificates that CA issues. Answer B is incorrect; certificate authorities (CAs) are trusted entities and are an important concept within PKI. The CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be. Answer C is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information.

10. Answer: D. Public key infrastructure (X.509) (PKIX) describes the development of Internet standards for X.509-based public key infrastructure (PKI). Answer B is incorrect because it describes a PKI. Answer A is incorrect because it describes the X.509 standard. Answer C is incorrect because it describes Public Key Cryptography Standards (PKCS).

11. Answer: A, D. A registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer B is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. Answer C is incorrect because the CA’s job is to issue certificates, as well as to verify the holder of a digital certificate, and ensure that the holder of the certificate is who they claim to be.

12. Answer: B. Revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate is no longer considered trustworthy. For example, if a certificate holder’s private key is compromised, the certificate is most likely to be revoked. Answer A is incorrect because recovery is necessary if a certifying key is compromised but the certificate holder is still considered valid and trusted, which is not the case here. Answer C is incorrect because changing the trust model would necessitate unneeded changes. Answer D is incorrect. Key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

13. Answer: D. A certificate policy indicates specific uses applied to a digital certificate, as well as other technical details. Thus, the certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. Answer A is incorrect because a registration authority (RA) provides authentication to the certificate authority (CA) as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer B is incorrect; key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer C is incorrect because a trust model is an architecture within a public key infrastructure (PKI) for certificate authorities.

14. Answer: B. Key escrow occurs when a CA or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer A is incorrect because a registration authority (RA) provides authentication to the CA as to the validity of a client’s certificate request; in addition, the RA serves as an aggregator of information. Answer C is incorrect because a trust model is an architecture within a PKI for certificate authorities. Answer D is incorrect; a certificate policy indicates specific uses applied to a digital certificate, as well as other technical details. Thus, the certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate.

15. Answer: C. The focus of a certificate policy is on the certificate, whereas the focus of a certificate practice statement is on the certificate authority (CA) and the way that the CA issues certificates. Answer A is incorrect because the focus in the given statement is reversed. Answers B and D are incorrect; neither a certificate policy nor a CPS focuses solely on the keys.

16. Answer: B. A component of public key infrastructure (PKI) includes a mechanism for distributing certificate revocation information, called certificate revocation lists (CRLs). A CRL is used when verification of a digital certificate takes place to ensure the validity of the digital certificate. Answer A is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates. Answer C is incorrect because an access control list is used to control object permissions. Answer D is incorrect because a public key infrastructure is a vast collection of varying technologies and policies for the creation and use of digital certificates.

17. Answer: A. An alternative to the hierarchical model is the cross-certification model, often referred to as a Web of Trust. In this model, certificate authorities (CAs) are considered peers to one another. Answer B is incorrect; in a hierarchical CA model, an initial root CA exists at the top of the hierarchy with subordinate CAs below. Answer C is incorrect; a solution to the complexity of a large cross-certification model is to implement what is known as a bridge CA model. By implementing bridging, you can have a single CA, known as the bridge CA, be the central point of trust. Answer D is incorrect; a virtual bridge certificate authority model is used to overcome the bridge certificate authority compromise problem and removes the cross certificates among trust domains.

18. Answer: D. Key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Answer A is incorrect; after the key pairs are generated and a digital certificate has been issued by the CA, both keys must be stored appropriately to ensure their integrity is maintained. However, the key use must still be easy and efficient. Answer B is incorrect; once a certificate is no longer valid, certificate revocation occurs. Answer C is incorrect. Key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

19. Answer: A. In the single certificate authority (CA) architecture, only one CA exists to issue and maintain certificates. Although this model may be beneficial to smaller organizations because of its administrative simplicity, it has the potential to present problems. If the private key of the CA becomes compromised, all the issued certificates from that CA would then be invalid; therefore, answer B is incorrect. Answers C and D are incorrect; a single CA architecture is based on simplicity.

20. Answer: D. A root certificate authority (CA) differs from subordinate CAs in that the root CA is taken offline to reduce the risk of key compromise, and the root CA should be made available only to create and revoke certificates for subordinate CAs. Remember, if the root CA is compromised, then the entire architecture is compromised. If a subordinate CA is compromised, however, the root CA can revoke the subordinate CA. Based on this information, answer A is incorrect. Answer B is incorrect; a secondary CA is treated the same as a subordinate CA. Answer C is incorrect because a bridge CA is a solution to the complexity of a large cross-certification model.

Objective 5.6: Implement PKI and certificate management.

1. Answer: B, D. The certificate lifecycle is typically based on two documents: the certificate policy and the certification practice statement (CPS). Answer A is incorrect because certificate revocation statement is an incorrect term. The correct term is a certificate revocation list (CRL). A CRL is used when verification of a digital certificate takes place to ensure the validity of the digital certificate. Answer C is incorrect because key escrow allows the certificate authority (CA) or escrow agent to have access to all the information that is encrypted using the public key from a user’s certificate, as well as create digital signatures on behalf of the user.

2. Answer: A, B. Although the benefit of central control may be seen as an advantage, a centralized system also has other disadvantages, which include additional required infrastructure, a need to positively authenticate the end entity prior to transmitting the private key, as well as the need for a secure channel to transmit the private key. Answer C is incorrect; additional overhead is reduced with a centralized system. Answer D is incorrect; the public key does not need a secure channel.

3. Answer: C. Key escrow allows the certificate authority (CA) or escrow agent to have access to all the information that is encrypted using the public key from a user’s certificate, as well as create digital signatures on behalf of the user. Answer A is incorrect; after the key pairs are generated and a digital certificate has been issued by the CA, both keys must be stored appropriately to ensure their integrity is maintained. However, the key use must still be easy and efficient. Answer B is incorrect because once a certificate is no longer valid, certificate revocation occurs. Answer D is incorrect; key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys.

4. Answer: B, C. Both Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs) are used to verify the status of a certificate. Answer A is incorrect. The certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. Answer D is incorrect because a certificate practice statement (CPS) is a legal document created and published by a certificate authority (CA) for the purpose of conveying information to those depending on the CA’s issued certificates.

5. Answer: B. Certificate suspension occurs when a certificate is under investigation to determine if it should be revoked. This mechanism allows a certificate to stay in place, but it is not valid for any type of use during the suspension. Answer A is incorrect; revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate is no longer considered trustworthy. Answer C is incorrect; key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer D is incorrect; key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys.

6. Answer: C. Key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Answer A is incorrect; revoking a certificate invalidates a certificate before its expiration date. Revocation typically occurs because the certificate is no longer considered trustworthy. Answer B is incorrect; certificate suspension occurs when a certificate is under investigation to determine if it should be revoked. This mechanism allows a certificate to stay in place, but it is not valid for any type of use during the suspension. Answer D is incorrect; key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA.

7. Answer: D. In a decentralized key system, the end user generates his or her own key pair. The other functions, such as creation of the certificate, the revocation of the certificate, and key recovery and archiving are still handled by the certificate authority; therefore, Answers A, B, and C are incorrect.

8. Answer: C. A solution to the complexity of a large cross-certification model is to implement what is known as a bridge certificate authority (CA) model. Remember that in the cross-certification model, each CA must trust the others; however, by implementing bridging, it is possible to have a single CA, known as the bridge CA, be the central point of trust. Answers A and D are incorrect because these are CA server types, not models. Answer B is incorrect; in the hierarchical CA model, an initial root CA exists at the top of the hierarchy, and subordinate CAs reside beneath the root.

9. Answer: B. In some circumstances, dual or multiple key pairs might be used to support distinct and separate services. For example, a reorder associate may have one key pair to be used for signing and sending encrypted messages, and might have another restricted to ordering equipment worth no more than a specific dollar amount. Multiple key pairs require multiple certificates, because the X.509 certificate format does not support multiple keys; therefore, answers A, C, and D are incorrect.

10. Answer: B. The key usage extension of the certificate specifies how the private key can be used. It is used either to enable the exchange of sensitive information or to create digital signatures. Answer A is incorrect because it describes the signature algorithm identifier. Answer C is incorrect because it describes the validity period. Answer D is incorrect because the public key is not of consequence to the key usage extension.

11. Answer: A, C. If the key pair to be destroyed is used for digital signatures, the private key portion should be destroyed first, to prevent future signing activities with the key. In addition, a digital certificate associated with keys that are no longer valid should be added to the CRL regardless of whether the key is actually destroyed or archived. Answer B is incorrect because the concern is the private key. Answer D is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

12. Answer: B, C. The key usage extension of the certificate specifies how the private key can be used. It is used either to enable the exchange of sensitive information or to create digital signatures. Answer A is incorrect because peer negotiation is associated with SSL/TLS. Answer D is incorrect because securing connections is associated with PPTP.

13. Answer: B. In asymmetric encryption, the private key decrypts data encrypted with the public key. Answer A is incorrect because the public key cannot decrypt the same data it encrypted. Answer C is incorrect because the public key would be used to encrypt and the private key to decrypt. Answer D is incorrect because this describes symmetric encryption.

14. Answer: C. Every certificate is issued with an expiration date. When the certificate expires, a new certificate needs to be reissued. So long as the certificate holder’s needs or identity information has not changed, the process is relatively simple. After the issuing certificate authority (CA) validates the entity’s identity, a new certificate can be generated based on the current public key; therefore, answers A, B, and D are incorrect.

15. Answer: A, C, D. The certificate lifecycle refers to those events required to create, use, and destroy public keys and the digital certificates with which they are associated. The certificate lifecycle is typically based on two documents: the certificate policy and the certification practice statement (CPS). Answer B is incorrect; preservation is not included in the certificate lifecycle.

16. Answer: B, D. Revoking a certificate is just not enough. The community that trusts these certificates must be notified that the certificates are no longer valid. This is accomplished via a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP). Answer A is incorrect; it should read certificate policy. The certificate policy provides the rules that indicate the purpose and use of an assigned digital certificate. Answer C is incorrect because a certificate practice statement (CPS) is a legal document created and published by a CA for the purpose of conveying information to those depending on the CA’s issued certificates.

17. Answer: A. Certificate suspension occurs when a certificate is under investigation to determine whether it should be revoked. Like the status checking that occurs with revoked certificates, users and systems are notified of suspended certificates in the same way. The primary difference is that new credentials will not need to be retrieved; it is only necessary to be notified that current credentials have had a change in status and are temporarily not valid for use. Answer B is incorrect because the proper usage is reversed. Answers C and D are incorrect because both revocation and suspension have to do with credentials, not key pair restoration.

18. Answer: B. M of N control as it relates to public key infrastructure (PKI) refers to the concept of backing up the public and private key across multiple systems. This multiple backup provides a protective measure to ensure that no one individual can re-create his or her key pair from the backup. Answer A is incorrect; key escrow occurs when a certificate authority (CA) or other entity maintains a copy of the private key associated with the public key signed by the CA. Answer C is incorrect; key recovery is the process of restoring a key pair from a backup and re-creating a digital certificate using the recovered keys. Answer D is incorrect; version control is associated with software development.

19. Answer: B, C, D. Three basic status levels exist in most public key infrastructure (PKI) solutions: valid, suspended, and revoked. Answer A is incorrect; active status is a generic term that is not specifically associated with status levels in a PKI.
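Answers 5, 17 and 19 describe the three status levels (valid, suspended, revoked) and say suspended certificates are published the same way as revoked ones. In X.509 CRLs that is done with the RFC 5280 reason code certificateHold (6), which distinguishes a suspension from a permanent revocation such as keyCompromise (1). The following is an added example, not code from the book, that evaluates a certificate against a CRL with that mapping and also refuses to trust a CRL past its nextUpdate time. The certificate and CRL records, serial numbers and dates are all constructed for illustration.

```python
"""Certificate status from a CRL: valid / suspended / revoked (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# RFC 5280 CRLReason values used here.
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6  # temporary suspension, may later be lifted


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CrlEntry:
    revocation_date: datetime
    reason: Optional[int] = None  # None when the CRL carries no reason code


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    entries: Dict[int, CrlEntry]  # keyed by certificate serial number


def in_validity_period(cert: Certificate, now: datetime) -> bool:
    return cert.not_before <= now <= cert.not_after


def crl_is_current(crl: Crl, now: datetime) -> bool:
    """A CRL past nextUpdate may be missing newer revocations; do not rely on it."""
    return crl.this_update <= now <= crl.next_update


def certificate_status(cert: Certificate, crl: Crl, now: datetime) -> str:
    """Map the CRL entry (if any) to one of the three PKI status levels."""
    if not crl_is_current(crl, now):
        raise ValueError("CRL is stale; refresh it before deciding")
    entry = crl.entries.get(cert.serial)
    if entry is None or entry.revocation_date > now:
        return "valid"
    if entry.reason == CERTIFICATE_HOLD:
        return "suspended"
    return "revoked"


def is_usable(cert: Certificate, crl: Crl, now: datetime) -> bool:
    """Fail closed: stale CRL, expired cert, suspension or revocation all block use."""
    try:
        status = certificate_status(cert, crl, now)
    except ValueError:
        return False
    return in_validity_period(cert, now) and status == "valid"


# Constructed sample data (serials and dates are illustrative only).
_UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=_UTC)
STALE_NOW = datetime(2024, 7, 1, tzinfo=_UTC)  # after the CRL's nextUpdate
_IN = datetime(2024, 1, 1, tzinfo=_UTC)
_OUT = datetime(2025, 1, 1, tzinfo=_UTC)

SAMPLE_CERTS = {
    "good": Certificate(1001, _IN, _OUT),
    "held": Certificate(1002, _IN, _OUT),
    "compromised": Certificate(1003, _IN, _OUT),
    "expired": Certificate(1004, datetime(2022, 1, 1, tzinfo=_UTC),
                           datetime(2023, 1, 1, tzinfo=_UTC)),
}
SAMPLE_CRL = Crl(
    this_update=datetime(2024, 5, 30, tzinfo=_UTC),
    next_update=datetime(2024, 6, 6, tzinfo=_UTC),
    entries={
        1002: CrlEntry(datetime(2024, 5, 20, tzinfo=_UTC), CERTIFICATE_HOLD),
        1003: CrlEntry(datetime(2024, 5, 25, tzinfo=_UTC), KEY_COMPROMISE),
    },
)


def demo(now: datetime = NOW):
    """Return {name: (status, usable)} for the constructed sample certificates."""
    return {name: (certificate_status(c, SAMPLE_CRL, now), is_usable(c, SAMPLE_CRL, now))
            for name, c in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} status={result[0]:9s} usable={result[1]}")
```

The "expired" certificate shows why the CRL and the validity period are separate checks: a certificate that has simply passed its notAfter date is not listed on the CRL (its status is still "valid"), yet it must not be accepted, which is the reissue case of answer 14.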

20. Answer: A. Key escrow enables an organization to overcome the large problem of forgotten passwords. Rather than revoke and reissue new keys, an organization can generate a new certificate using the private key stored in escrow. Answers B, C, and D are incorrect; forged signatures, phishing, and virus infections have nothing to do with key escrow.
