40 Cards in this Set

What does hashing ensure?

That data has retained integrity (not been modified)

What is a hash?

A hash is a number derived from performing a calculation on data, such as a message, patch, or updated file.

What are the two common hashing algorithms?

MD5 and Secure Hash Algorithm (SHA). Both MD5 and SHA-1 have practical collision attacks, so new designs should use SHA-2 (for example SHA-256) or SHA-3; MD5 and SHA-1 still turn up in legacy integrity checks.

T/F Confidentiality ensures that data is only viewable by authorized users.

True.

__________________protects the confidentiality of data.

Encryption.

What is the difference between symmetric encryption and asymmetric encryption?

Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption uses two keys (public and private) created as a matched pair.

Anything encrypted with the public key can only be decrypted with the matching ________key

private

How does a stream cipher encrypt data?

One bit (or, in byte-oriented ciphers such as RC4, one byte) at a time, typically by XORing the data with a key-derived keystream.

How do block ciphers encrypt data?

In fixed-size blocks, with the final block padded to the block size: DES, 3DES, and Blowfish use 64-bit blocks; AES and Twofish use 128-bit blocks.

Authentication validates ________________

an identity.

What prevents a party from denying an action?

Non-repudiation

What provide authentication, non-repudiation and integrity?

Digital signatures

What is MD5?

A common hashing algorithm that produces a 128-bit hash. Many applications have used MD5 to verify the integrity of files, including email, files stored on disks, files downloaded from the internet, executable files, and more. MD5 collisions can be generated on commodity hardware, so it only detects accidental corruption; a deliberate attacker can craft a modified file with the same MD5 hash.

What are hexadecimal characters composed of?

Each hexadecimal character represents four bits and is written with the digits 0 through 9 and the letters a through f. A 128-bit MD5 hash is therefore printed as 32 hex characters, and a 256-bit SHA-256 hash as 64.

What is SHA?

A hashing algorithm. There are several variations of SHA grouped into four families: SHA-0, SHA-1, SHA-2, and SHA-3. SHA-2 (SHA-256, SHA-384, SHA-512) and SHA-3 are the families in current use; SHA-1 is deprecated for digital signatures and certificates because collisions have been demonstrated.

T/F SHA-0 is not used.

True.

What is HMAC?

Hash-based Message Authentication Code. An HMAC is a fixed-length string of bits, like the output of a plain hashing algorithm such as MD5 or SHA-1 (giving HMAC-MD5 and HMAC-SHA-1; HMAC-SHA256 is the usual choice today). However, HMAC also mixes a shared secret key into the calculation, so the result depends on the key, and only the sender and receiver know the secret key.

How does HMAC provide both integrity and authenticity of messages?

The hash portion (MD5 in HMAC-MD5) provides integrity just as MD5 does. However, because only the sender and receiver know the secret key, if the receiver can calculate the same HMAC-MD5 value as the sender, it knows that the sender used the same key. If an attacker tried to impersonate the sender, the message wouldn't pass this authenticity check because the attacker wouldn't have the secret key. The receiver should compare the two values with a constant-time comparison so that timing differences don't leak the correct tag byte by byte.
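As an added example (not part of the original card set), the HMAC check the card describes, written with Python's standard library. HMAC-SHA256 is used in place of HMAC-MD5; the shared key and the messages are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample key shared by sender and receiver. In practice it comes
# from a key-management system and is never hardcoded.
SHARED_KEY = b"example-shared-secret-not-for-production"


def hmac_tag(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 of message under key (the keyed 'hash' the card describes)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(message: bytes, received_tag: bytes, key: bytes) -> bool:
    """Receiver recomputes the tag with its copy of the key and compares.

    compare_digest runs in constant time, so the comparison does not leak
    which bytes of the tag matched.
    """
    return hmac.compare_digest(hmac_tag(message, key), received_tag)


def plain_hash(message: bytes) -> bytes:
    """Unkeyed SHA-256: integrity only, and anyone can recompute it."""
    return hashlib.sha256(message).digest()


def demo() -> dict:
    original = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"

    # Sender attaches a tag computed with the shared key.
    tag = hmac_tag(original, SHARED_KEY)

    results = {
        # genuine message and tag: accepted
        "genuine": hmac_verify(original, tag, SHARED_KEY),
        # attacker edits the message but cannot recompute the tag: rejected
        "tampered_same_tag": hmac_verify(tampered, tag, SHARED_KEY),
        # attacker recomputes a tag with a guessed key: rejected
        "forged_with_guessed_key": hmac_verify(
            tampered, hmac_tag(tampered, secrets.token_bytes(32)), SHARED_KEY
        ),
    }

    # With an unkeyed hash, the attacker edits the message and simply
    # recomputes the digest; the receiver's check still passes.
    msg, digest = tampered, plain_hash(tampered)
    results["unkeyed_hash_accepts_tampering"] = plain_hash(msg) == digest
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last result is the point of the card: a bare hash travelling with the message proves nothing about who produced it, because anyone can recompute it; only the keyed tag ties the message to a holder of the secret.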

How are hashes one-way functions?

You can calculate a hash on a file or a message, but you can't use the hash to reproduce the original data. The hashing algorithms always create a fixed-size bit string regardless of the size of the original data.

T/F Passwords are often stored as hashes.

True. When a user creates a new password, the system calculates the hash for the password and then stores the hash. Later, when the user authenticates by entering a username and password, the system calculates the hash of the entered password, and then compares it with the stored hash. If the hashes are the same, it indicates that the user entered the correct password. Because hashes of common passwords can be precomputed, passwords should be stored with a per-user salt and a deliberately slow function such as bcrypt or PBKDF2 rather than a single fast hash (see the rainbow table card later in this set).

Of the following choices, what can you use to verify data integrity?


A. AES


B. DES


C. RC4


D. SHA

Correct Answer: D. Secure Hash Algorithm (SHA) is one of the many available hashing algorithms used to verify data integrity. None of the other options are hashing algorithms. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Rivest Cipher 4 (RC4) are symmetric encryption algorithms.

A security technician runs an automated script every night designed to detect changes in files. Of the following choices, what are the most likely protocols used in this script?


A. PGP and MD5


B. ECC and HMAC


C. AES and Twofish


D. MD5 and HMAC

Correct Answer: D. Hashing algorithms can detect changes in files (or verify the files have not lost integrity), and Message Digest 5 (MD5) and Hash-based Message Authentication Code (HMAC) are both hashing algorithms. Pretty Good Privacy (PGP) is a method used to secure email communication. Elliptic curve cryptography (ECC), Advanced Encryption Standard (AES), and Twofish are all encryption algorithms.

Some encryption algorithms use stream ciphers and some use block ciphers. Which of the following are examples of block ciphers? (select three)


A. AES


B. DES


C. MD5


D. SHA


E. RC4


F. Blowfish

Correct Answer: A, B, F. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Blowfish are all block ciphers. Although it's not listed, Triple DES (3DES) is also a block cipher. Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) are hashing algorithms. Rivest Cipher 4 (RC4) is a stream cipher.

Which of the following algorithms encrypts data in 64-bit blocks?


A. AES


B. DES


C. Twofish


D. RC4

Correct Answer: B. Data Encryption Standard (DES) encrypts data in 64-bit blocks, as do 3DES and Blowfish. Advanced Encryption Standard (AES) and Twofish encrypt data in 128-bit blocks. Rivest Cipher 4 (RC4) is a stream cipher and encrypts data as a continuous stream (one byte at a time) rather than in blocks.

An application developer needs to use an encryption protocol to encrypt credit card data within a database used by the application. Which of the following would be the FASTEST, while also providing strong confidentiality?


A. AES-256


B. DES


C. Blowfish


D. SHA-2



Correct Answer: C. Blowfish would be the fastest in this scenario. Blowfish provides strong encryption so would provide strong confidentiality. Advanced Encryption Standard-256 (AES-256) is a strong encryption algorithm, but Blowfish is faster than AES in some situations, such as software implementations without hardware AES support. Data Encryption Standard (DES) is not secure and is not recommended today. Secure Hash Algorithm version 2 (SHA-2) is a hashing algorithm used for integrity. In practice, on CPUs with AES instructions (AES-NI) AES-256 is usually faster than Blowfish, and Blowfish's 64-bit block size limits how much data can safely be encrypted under one key, so AES is the usual production choice for a database field.

Your organization uses several different types of cryptographic techniques. Which of the following techniques uses a private key and a public key?


A. AES


B. RSA


C. Blowfish


D. MD5

Correct Answer: B. Rivest, Shamir, Adleman (RSA) is an asymmetric algorithm and all asymmetric algorithms use public and private keys. Advanced Encryption Standard (AES) and Blowfish are strong block-based symmetric encryption algorithms. Message Digest 5 (MD5) is a hashing algorithm.

Your network requires a secure method of sharing encryption keys over a public network. Which of the following is the BEST choice?


A. Symmetric encryption


B. Bcrypt


C. Diffie-Hellman


D. Steganography

Correct Answer: C. Diffie-Hellman allows entities to negotiate encryption keys securely over a public network. Once the entities negotiate the keys, they use symmetric encryption, but they can't share keys using symmetric encryption without first using a secure method such as Diffie-Hellman. Diffie-Hellman on its own doesn't authenticate the parties, so it is normally combined with certificates or digital signatures (as in TLS) to stop an attacker in the middle from negotiating separate keys with each side. Bcrypt is a key stretching technique used by some Unix systems to make password cracking more difficult. Steganography hides data within data, but it isn't the best method of sharing encryption keys over a public network.

Your organization plans to issue some employees mobile devices such as smartphones and tablets. These devices don't have a lot of processing power. Which of the following cryptographic methods has the LEAST overhead and will work with these mobile devices?


A. ECC


B. 3DES


C. Bcrypt


D. PBKDF2

Correct Answer: A. Elliptic curve cryptography (ECC) has minimal overhead and is often used with mobile devices for encryption. Triple Data Encryption Standard (3DES) consumes a lot of processing time and isn't as efficient as ECC. Password-Based Key Derivation Function 2 (PBKDF2) and bcrypt are key stretching techniques that salt passwords with additional bits to protect against brute force attempts.

A manager is suspected of leaking trade secrets to a competitor. A security investigator is examining his laptop and notices a large volume of vacation pictures on the hard drive. Data on this laptop automatically uploads to a private cloud owned by the company once a week. The investigator noticed that the hashes of most of the pictures on the hard drive are different from the hashes of the pictures in the cloud location. Which of the following is the MOST likely explanation for this scenario?


A. The manager is leaking data using hashing methods.


B. The manager is leaking data using digital signatures.


C. The manager is leaking data using steganography methods.


D. The manager is not leaking data.

Correct Answer: C. The manager is most likely leaking data using steganography methods by embedding the data into the vacation pictures. If the file is the same, the hash of the file and the hash of a file copy should be the same. Because the hashes are different, it indicates the files are different, and the most likely explanation is that some of the files have other data embedded within them. Hashing and digital signatures are not methods that would support leaking data. The scenario indicates the manager is suspected of leaking data, and the different hashes provide evidence to support this suspicion. A differing hash only proves the two copies are not identical, so a real investigation would also compare file sizes and examine the extra bytes before attributing the change to steganography rather than to editing or resizing.

A heavily used application accesses a financial database on a server within your network. Due to recent data breaches, management wants to ensure transport encryption protects this data. Which of the following algorithms is the BEST choice to meet this goal?


A. SSL


B. SHA


C. TLS


D. CRL

Correct Answer: C. Transport Layer Security (TLS) is a transport encryption protocol that can protect the data while it is in transit. Secure Sockets Layer (SSL) is also a transport encryption protocol, but it is deprecated and TLS is recommended instead. Secure Hash Algorithm (SHA) is a hashing algorithm, not an encryption protocol. Both SSL and TLS use certificates, and revoked certificates are published in a certificate revocation list (CRL), but a CRL is not a transport encryption protocol.

You are planning to encrypt data in transit. Which of the following protocols meets this need and encapsulates IP packets within an additional IP header?


A. TLS


B. SSL


C. HMAC


D. IPsec

Correct Answer: D. Internet Protocol Security (IPsec) can encrypt data in transit, and in tunnel mode it encapsulates the original IP packet inside an additional IP header. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are both transport encryption protocols that can protect the data while it is in transit. Although they both use certificates for security, they do not encapsulate IP packets within an additional IP header. Hash-based Message Authentication Code (HMAC) is often used with IPsec for integrity and authentication, but HMAC does not encrypt data.

Homer wants to send a secure email to Marge so he decides to encrypt it. Homer wants to ensure that Marge can verify that he sent it. Which of the following does Marge need to verify that the certificate Homer used in this process is valid?


A. The CA's private key


B. The CA's public key


C. Marge's public key


D. Marge's private key

Correct Answer: B. Marge would verify Homer's certificate is valid by checking the signature that the Certificate Authority (CA) placed on it, and the CA's public certificate includes the CA's public key needed for that check (she would also check that the certificate hasn't been revoked, via a CRL or OCSP). Homer would use a digital signature to provide verification that he sent the message. Homer would encrypt (sign) the hash of the message with his private key, and Marge would decrypt (verify) the digital signature with Homer's public key. The CA's private key remains private. Marge's keys are not used for Homer's digital signature, but might be used for the encryption of the email.

Bart wants to send a secure email to Lisa so he decides to encrypt it. Bart wants to ensure that Lisa can verify that he sent it. Which of the following does Lisa need to meet this requirement?


A. Bart's public key


B. Bart's private key


C. Lisa's public key


D. Lisa's private key

Correct Answer: A. Lisa would decrypt the digital signature with Bart's public key and verify the public key is valid by querying a Certificate Authority (CA). The digital signature provides verification that Bart sent the message, non-repudiation, and integrity for the message. Bart encrypts the digital signature with his private key, which can only be decrypted with his public key. Lisa's keys are not used for Bart's digital signature, but might be used for the encryption of the email. Although not part of this scenario, Bart would encrypt the email with Lisa's public key, and Lisa would decrypt the email with Lisa's private key.

Users in your organization sign their emails with digital signatures. What provides integrity for these certificates?


A. Hashing


B. Encryption


C. Non-repudiation


D. Private key

Correct Answer: A. Hashing provides integrity for digital signatures and other data. A digital signature is a hash of the message encrypted with the sender's private key, but the encryption doesn't provide integrity. The digital signature provides non-repudiation, but non-repudiation does not provide integrity. The private key and public key are both needed, but the private key does not provide integrity.

An application requires users to log on with passwords. The application developers want to store the passwords in such a way that it will thwart rainbow table attacks. Which of the following is the BEST solution?


A. SHA


B. Blowfish


C. ECC


D. Bcrypt

Correct Answer: D. Bcrypt is a key stretching technique designed to protect against brute force attempts and is the best choice of the given answers. Another alternative is Password-Based Key Derivation Function 2 (PBKDF2). Both salt the password with additional bits and repeat the work many times, so a precomputed rainbow table is useless and each guess is slow. Passwords stored using a plain Secure Hash Algorithm (SHA) hash are easier to crack because the hash is fast and doesn't use a salt. Bcrypt is based on Blowfish, but Blowfish itself isn't commonly used to protect passwords. Elliptic curve cryptography (ECC) is efficient and sometimes used with mobile devices, but not to protect passwords.
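The password-storage card earlier in this set and this rainbow-table question, together as an added example that is not part of the original card set. It contrasts a fast unsalted hash, which a precomputed table breaks for every user at once, with a salted, stretched hash. PBKDF2 from Python's standard library stands in for bcrypt (which needs the third-party `bcrypt` package); the candidate password list and the stored-record format are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample list an attacker might precompute hashes for.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_table(candidates: list) -> dict:
    """Rainbow-table stand-in: digest -> password, computed once and reused
    against every account in a stolen database."""
    return {unsalted_sha256(p): p for p in candidates}


def crack_unsalted(stored_digest: str, table: dict) -> Optional[str]:
    return table.get(stored_digest)


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, stretched hash. A fresh random salt per password defeats
    precomputed tables; the iteration count makes each guess slow."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def demo() -> dict:
    table = precompute_table(COMMON_PASSWORDS)

    # Weak scheme: the stolen digest is looked up directly in the table.
    weak_digest = unsalted_sha256("letmein")
    cracked = crack_unsalted(weak_digest, table)

    # PBKDF2: the same password for two users gives two different records, and
    # neither appears in the attacker's table. The low iteration count is only
    # to keep the demo fast; use the default or higher in production.
    rec1 = pbkdf2_store("letmein", iterations=20_000)
    rec2 = pbkdf2_store("letmein", iterations=20_000)
    return {
        "cracked_unsalted": cracked,
        "salted_records_differ": rec1 != rec2,
        "salted_digest_in_table": rec1.split("$")[-1] in table,
        "correct_password_accepted": pbkdf2_verify("letmein", rec1),
        "wrong_password_rejected": not pbkdf2_verify("letmeout", rec1),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the iteration count inside the record is what lets the cost be raised later: old records keep verifying with their own parameters and can be re-hashed at the user's next login.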

Homer wants to use digital signatures for his emails and realizes he needs a certificate. Which of the following will issue Homer a certificate?


A. CRL


B. CA


C. OCSP


D. Recovery agent

Correct Answer: B. A certificate authority (CA) issues and manages certificates. A certificate revocation list (CRL) is a list of revoked certificates. Online Certificate Status Protocol (OCSP) is an alternative to a CRL and validates certificates with short responses such as good, unknown, or revoked. A recovery agent can retrieve a private key if the original private key is no longer accessible.

You need to submit a CSR to a CA. Which of the following would you do FIRST?


A. Generate a new RSA-based session key


B. Generate a new RSA-based private key


C. Generate the CRL


D. Implement OCSP



Correct Answer: B. You create the RSA-based private key first and then derive the matching public key from it, which you include in the certificate signing request (CSR) that you send to the Certificate Authority (CA). Most tools that create the key pair appear to create both keys at the same time, and the private key file they write contains the public components as well. A session key is a symmetric key, but RSA is an asymmetric algorithm. The CA generates the certificate revocation list (CRL) to identify revoked certificates. Online Certificate Status Protocol (OCSP) is an alternative to using CRLs to validate certificates, but it is not required.

Your organization is planning to implement an internal PKI. What is required to ensure users can validate certificates?


A. An intermediate CA


B. CSR


C. Wildcard certificates


D. CRL

Correct Answer: D. A certificate revocation list (CRL) includes a list of revoked certificates and it allows users to validate certificates. Any CA can issue a CRL, so an intermediate CA is not needed. Users request certificates with a certificate signing request (CSR). Wildcard certificates reduce the administrative burden for certificates, but do not have anything to do with validating certificates.

Your organization requires the use of a PKI and it wants to implement a protocol to validate trust with minimal traffic. Which of the following protocols validates trust by returning short responses, such as "good" or "revoked"?


A. OCSP


B. CRL


C. CA


D. CSR

Correct Answer: A. Online Certificate Status Protocol (OCSP) validates trust with certificates. Clients send the serial number of the certificate to an OCSP responder operated by or for the Certificate Authority (CA) within the Public Key Infrastructure (PKI), and the responder returns short responses such as good, unknown, or revoked. A certificate revocation list (CRL) includes a list of revoked certificates listed by serial number and can become quite large after a while. The CA isn't a protocol. You request certificates with a certificate signing request (CSR).

A user's laptop developed a problem and can no longer boot. Help-desk personnel tried to recover the data on the disk, but the disk is encrypted. Which of the following can be used to retrieve data from the hard drive?


A. A trust relationship


B. Public key


C. Recovery agent


D. CRL

Correct Answer: C. Recovery agents can decrypt data and messages if the user's private key is no longer available. Although Certificate Authorities use trust models, a trust relationship doesn't directly apply here. A user's public key is already publicly available, so it isn't useful here. A certificate revocation list (CRL) is a list of revoked certificates and doesn't apply in this scenario.