Cryptography and PKI (5) Flashcards

1
Q

The CIO has instructed you to set up a system where credit card data will be encrypted with the most secure symmetric algorithm with the least amount of CPU usage. Which of the following algorithms would you choose?

AES

SHA-1

MD5

A

AES

AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data with the least amount of CPU usage

2
Q

Which of the following encryption methods is used by RADIUS?

Asymmetric

Symmetric

Elliptic curve

A

Symmetric

RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security

3
Q

When setting up a secure wireless company network, which of the following should you avoid?

WPA

WPA2

EAP-TLS

A

WPA

WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. WPA is less secure than WPA2

4
Q

You want to authenticate and log connections from wireless users connecting with EAP-TLS. Which of the following should be used?

Kerberos

SAML

RADIUS

A

RADIUS

RADIUS is a networking protocol that provides centralized AAA for users connecting and using a network service. EAP-TLS offers a good deal of security with the use of TLS and uses PKI to secure communication to the RADIUS authentication server

5
Q

Which of the following would be used to allow certain traffic to traverse from a wireless network to an internal network?

WPA

Load balancers

802.1x

A

802.1x

802.1x enhances security within a WLAN by providing an authentication framework. Users are authenticated by a central authority before they are allowed within the network
6
Q

You are asked to see if several confidential files have changed, and you decide to use an algorithm to create message digests for the confidential files. Which algorithm would you use?

RC4

Blowfish

SHA-1

A

SHA-1

SHA-1 is a hashing algorithm that creates message digests and is used for integrity

7
Q

Network data needs to be encrypted, and you are required to select a cipher that will encrypt 128 bits at a time before the data are sent across the network. Which of the following would you choose?

Stream cipher

Hash algorithm

Block cipher

A

Block cipher

Block ciphers encrypt data one block, or fixed block, at a time

8
Q

Which of the following are considered cryptographic hash functions? (Choose two.)

AES

MD5

RC4

SHA-256

A

MD5

SHA-256

MD5 and SHA are considered cryptographic hash functions that transform a string of characters into a fixed-length value

9
Q

A company’s database is beginning to grow, and the data-at-rest are becoming a concern with the security administrator. Which of the following is an option to secure the data-at-rest?

SSL certificate

Encryption

Hashing

A

Encryption

Data-at-rest is all inactive data stored in a physical digital form, such as nonvolatile memory. If the device the data is stored on is stolen, the unauthorized person will not be able to read the data because it is encrypted

10
Q

Which of the following hardware devices can store keys? (Choose two.)

USB flash drive

Smartcard

PCI expansion card

Cipher lock

A

USB flash drive

Smartcard

USB flash drives and smartcards can carry a token and store keys for authentication to systems. They are often used in a multifactor authentication situation

11
Q

You are a security manager and have been asked to encrypt database system information that contains employee social security numbers. You are looking for an encryption standard that is fast and secure. Which of the following would you suggest to accomplish the requirements?

SHA-256

AES

RSA

A

AES

AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data that is fast and secure

12
Q

James is a security administrator and wants to ensure the validity of public trusted certificates used by the company’s web server, even if there is an Internet outage. Which of the following should James implement?

Key escrow

OCSP

CSR

A

OCSP

OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. OCSP can prepackage a list of revoked certificates and distribute them through browser updates and can be checked if there is an Internet outage

13
Q

You are a security administrator looking to implement a two-way trust model. Which of the following would you use?

PGP

WPA2

PKI

A

PKI

PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. A trust model is used to set up trust between CAs. A certificate has a subject alternative name (SAN) for machines (fully qualified domain names) or users (user principal name)

14
Q

If a threat actor obtains an SSL private key, what type of attack can be performed? (Choose two.)

Eavesdropping

Man-in-the-middle

Social engineering

Brute force

A

Eavesdropping

Man-in-the-middle

A threat actor can carry out an eavesdropping attack and a man-in-the-middle attack. Eavesdropping with a private key can allow the threat actor to see data in clear text. A man-in-the-middle attack can allow the threat actor to modify the data being transmitted to the server, such as adding malware to the data

15
Q

Most authentication systems make use of a one-way encryption process. Which of the following is an example of a one-way encryption?

Symmetric algorithm

Hashing

PKI

A

Hashing

Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages

16
Q

Which of the following transpires in a PKI environment?

The CA signs the certificate.

The RA signs the certificate.

The CA creates the certificate and the RA signs it.

A

The CA signs the certificate.

A CA (certificate authority) is a trusted entity that creates and digitally signs certificates so the receiver can verify the certificate came from that specific CA

17
Q

Which of the following statements best describes how a digital signature is created?

The sender encrypts a message digest with the receiver’s public key.

The sender encrypts a message digest with the receiver’s private key.

The sender encrypts a message digest with his or her private key.

A

The sender encrypts a message digest with his or her private key.

A digital signature is a hash value (message digest) that is encrypted with the sender’s private key. The receiver performs a hashing function on the message and decrypts the sent hash value with the sender’s public key and compares the two hash values. If the hash values are the same, the message actually came from the sender. This is performed by DSA (digital signature algorithm) and allows traceability to the person signing the message through the use of their private key

18
Q

AES is an algorithm used for which of the following?

Encrypting a large amount of data

Encrypting a small amount of data

Key recovery

A

Encrypting a large amount of data

AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt large amounts of data (bulk)

19
Q

PEAP protects authentication transfers by implementing which of the following?

TLS tunnels

SSL tunnels

AES

A

TLS tunnels

PEAP is a protocol that encapsulates the EAP within a TLS tunnel

20
Q

AES-CCMP uses a 128-bit temporal key and encrypts data in what block size?

256

192

128

A

128

The AES-CCMP encryption algorithm used in the 802.11i security protocol uses the AES block cipher and limits the key length to 128 bits. AES-CCMP makes it difficult for an eavesdropper to spot patterns

21
Q

Which of the following implement Message Integrity Code (MIC)? (Choose two.)

AES

DES

CCMP

TKIP

A

CCMP

TKIP

Message Integrity Code (MIC) is a security improvement for WEP encryption within wireless networks. TKIP and CCMP use MIC, which provides an integrity check on the data packet

22
Q

James, a WLAN security engineer, recommends to management that WPA-Personal security should not be deployed within the company’s WLAN for their vendors. Which of the following statements best describe James’s recommendation? (Choose two.)

Static preshared passphrases are susceptible to social engineering attacks.

WPA-Personal uses public key encryption.

WPA-Personal uses a weak TKIP encryption.

WPA-Personal uses a RADIUS authentication server.

A

Static preshared passphrases are susceptible to social engineering attacks.

WPA-Personal uses a weak TKIP encryption.

Preshared passphrases can be obtained by a threat actor through social engineering and then used to connect to the AP. WPA-Personal uses TKIP encryption, which is considered a weak option

23
Q

Which of the following is correct regarding root certificates?

Root certificates never expire.

A root certificate contains the public key of the CA.

A root certificate contains information about the user.

A

A root certificate contains the public key of the CA.

A root certificate is a public key certificate that identifies the root CA (certificate authority). Digital certificates are verified using a chain of trust (certificate chaining) and the trust anchor for the certificate is the root certificate authority (CA)

24
Q

Which of the following statements are correct about public and private key pairs? (Choose two.)

Public and private keys work in isolation of each other.

Public and private keys work in conjunction with each other as a team.

If the public key encrypts the data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.

If the private key encrypts the data using an asymmetric encryption algorithm, the receiver uses the same private key to decrypt the data.

A

Public and private keys work in conjunction with each other as a team.

If the public key encrypts the data using an asymmetric encryption algorithm, the corresponding private key is used to decrypt the data.

Public and private keys work with each other to encrypt and decrypt data. If the data is encrypted with the receiver’s public key, the receiver decrypts the data with their private key

25
Q

Your company has discovered that several confidential messages have been intercepted. You decide to implement a web of trust to encrypt the files. Which of the following are used in a web of trust concept? (Choose two.)

RC4

AES

PGP

GPG

A

PGP

GPG

PGP and GPG use a web of trust to establish the authenticity of the binding between a public key and its owner

26
Q

Which of the following algorithms is typically used to encrypt data-at-rest?

Symmetric

Asymmetric

Stream

A

Symmetric

A symmetric algorithm, sometimes called a secret key algorithm, uses the same key to encrypt and decrypt data and is typically used to encrypt data-at-rest

27
Q

Which of the following can assist in the workload of the CA by performing identification and authentication of users requesting certificates?

Intermediate CA

Registered authority

OSCP

A

Registered authority

A registered authority (RA) verifies requests for certificates and forwards responses to the CA

28
Q

You recently upgraded your wireless network so that your devices will use the 802.11n protocol. You want to ensure all communication on the wireless network is secure with the strongest encryption. Which of the following is the best choice?

WEP

WPA

WPA2

A

WPA2

WPA2 is a security standard that secures computers connected to the 802.11n WiFi network. It provides the strongest available encryption for wireless networks

29
Q

A college wants to move data to a USB flash drive and has asked you to suggest a way to secure the data in a quick manner. Which of the following would you suggest?

3DES

SHA-256

AES-256

A

AES-256

AES-256 can encrypt data quickly and securely on a USB flash drive