# CISSP (Chapter 7 - Cryptography) Flashcards

1
Q

What is the goal of cryptanalysis?
A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used

A

A. Cryptanalysis is the process of trying to reverse-engineer a cryptosystem, with the possible goal of uncovering the key used. Once this key is uncovered, all other messages encrypted with this key can be accessed. Cryptanalysis is carried out by the white hats to test the strength of the algorithm.

2
Q

The frequency of successful brute force attacks has increased because
A. The use of permutations and transpositions in algorithms has increased.
B. As algorithms get stronger, they get less complex, and thus more susceptible to attacks.
C. Processor speed and power have increased.
D. Key length reduces over time

A

C. A brute force attack is resource-intensive. It tries all values until the correct one is obtained. As computers have more powerful processors added to them, attackers can carry out more powerful brute force attacks.

3
Q

Which of the following is not a property or characteristic of a one-way hash function?
A. It converts a message of arbitrary length into a value of fixed length.
B. Given the digest value, it should be computationally infeasible to find the corresponding message.
C. It should be impossible or rare to derive the same digest from two different messages.
D. It converts a message of fixed length to an arbitrary length value.

A

D. A hashing algorithm will take a string of variable length, the message can be any size, and compute a fixed-length value. The fixed-length value is the message digest. The MD family creates the fixed-length value of 128 bits, and SHA creates one of 160 bits.

4
Q

What would indicate that a message had been modified?
A. The public key has been altered.
B. The private key has been altered.
C. The message digest has been altered.
D. The message has been encrypted properly

A

C. Hashing algorithms generate message digests to detect whether modification has taken place. The sender and receiver independently generate their own digests, and the receiver compares these values. If they differ, the receiver knows the message has been altered.

5
Q
```Which of the following is a U.S. federal government algorithm developed for creating secure message digests?
A. Data Encryption Algorithm
B. Digital Signature Standard
C. Secure Hash Algorithm
D. Data Signature Algorithm```
A

C. SHA was created to generate secure message digests. Digital Signature Standard (DSS) is the standard to create digital signatures, which dictates that SHA must be used. DSS also outlines the digital signature algorithms that can be used with SHA: RSA, DSA, and ECDSA

6
Q

Which of the following best describes the difference between HMAC and CBC-MAC?
A. HMAC creates a message digest and is used for integrity; CBC-MAC is used to encrypt blocks of data for confidentiality.
B. HMAC uses a symmetric key and a hashing algorithm; CBC-MAC uses the first block for the checksum.
C. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.
D. HMAC encrypts a message with a symmetric key and then puts the result through a hashing algorithm; CBC-MAC encrypts the whole message

A

C. In an HMAC operation, a message is concatenated with a symmetric key and the result is put through a hashing algorithm. This provides integrity and system or data authentication. CBC-MAC uses a block cipher to create a MAC, which is the last block of ciphertext

7
Q

What is an advantage of RSA over DSA?
A. It can provide digital signature and encryption functionality.
B. It uses fewer resources and encrypts faster because it uses symmetric keys.
C. It is a block cipher rather than a stream cipher.
D. It employs a one-time encryption pad

A

A. RSA can be used for data encryption, key exchange, and digital signatures. DSA can be used only for digital signatures

8
Q

Many countries restrict the use or exportation of cryptographic systems. What is the reason given when these types of restrictions are put into place?
A. Without standards, there would be many interoperability issues when trying to employ different algorithms in different programs.
B. The systems can be used by some countries against their local people.
C. Criminals could use encryption to avoid detection and prosecution.
D. Laws are way behind, so adding different types of encryption would confuse the laws more.

A

C. The U.S. government has greatly reduced its restrictions on cryptography exportation, but there are still some restrictions in place. Products that use encryption cannot be sold to any country the United States has declared is supporting terrorism. The fear is that the enemies of the country would use encryption to hide their communication, and the government would be unable to break this encryption and spy on their data transfers.

9
Q
```What is used to create a digital signature?
B. The sender’s public key
C. The sender’s private key
A

C. A digital signature is a message digest that has been encrypted with the sender’s private key. A sender, or anyone else, should never have access to the receiver’s private key.

10
Q

Which of the following best describes a digital signature?
A. A method of transferring a handwritten signature to an electronic document
B. A method to encrypt confidential information
C. A method to provide an electronic signature and encryption
D. A method to let the receiver of the message prove the source and integrity of a message

A

D. A digital signature provides authentication (knowing who really sent the message), integrity (because a hashing algorithm is involved), and nonrepudiation (the sender cannot deny sending the message).

11
Q
```How many bits make up the effective length of the DES key?
A. 56
B. 64
C. 32
D. 16```
A

A. DES has a key size of 64 bits, but 8 bits are used for parity, so the true key size is 56 bits. Remember that DEA is the algorithm used for the DES standard, so DEA also has a true key size of 56 bits, because we are actually talking about the same algorithm here. DES is really the standard, and DEA
is the algorithm. We just call it DES in the industry because it is easier

12
Q

Why would a certificate authority revoke a certificate?
A. If the user’s public key has become compromised
B. If the user changed over to using the PEM model that uses a web
of trust
C. If the user’s private key has become compromised
D. If the user moved to a new location

A

C. The reason a certificate is revoked is to warn others who use that person’s public key that they should no longer trust the public key because, for some reason, that public key is no longer bound to that particular individual’s identity. This could be because an employee left the company, or changed his name and needed a new certificate, but most likely it is because the person’s private key was compromised.

13
Q
```What does DES stand for?
A. Data Encryption System
B. Data Encryption Standard
C. Data Encoding Standard
D. Data Encryption Signature```
A

B. Data Encryption Standard was developed by NIST and the NSA to encrypt sensitive but unclassified government data.

14
Q

Which of the following best describes a certificate authority?
A. An organization that issues private keys and the corresponding
algorithms
B. An organization that validates encryption processes
C. An organization that verifies encryption keys
D. An organization that issues certificates

A

D. A registration authority (RA) accepts a person’s request for a certificate and verifies that person’s identity. Then the RA sends this request to a certificate authority (CA), which generates and maintains the certificate.

15
Q
```What does DEA stand for?
A. Data Encoding Algorithm
B. Data Encoding Application
C. Data Encryption Algorithm
D. Digital Encryption Algorithm```
A

C. DEA is the algorithm that fulfilled the DES standard. So DEA has all of the attributes of DES: a symmetric block cipher that uses 64-bit blocks, 16 rounds, and a 56-bit key.

16
Q
```Who was involved in developing the first public key algorithm?
B. Ross Anderson
C. Bruce Schneier
D. Martin Hellman```
A

D. The first released public key cryptography algorithm was developed by Whitfield Diffie and Martin Hellman.

17
Q
```What process usually takes place after creating a DES session key?
A. Key signing
B. Key escrow
C. Key clustering
D. Key exchange```
A

D. After a session key has been created, it must be exchanged securely. In most cryptosystems, an asymmetric key (the receiver’s public key) is used to encrypt this session key, and it is sent to the receiver

18
Q
```DES performs how many rounds of transposition/permutation and substitution?
A. 16
B. 32
C. 64
D. 56```
A

A. DES carries out 16 rounds of mathematical computation on each 64-bit block of data it is responsible for encrypting. A round is a set of mathematical formulas used for encryption and decryption processes.

19
Q

Which of the following is a true statement pertaining to data encryption when it is used to protect data?
A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.

A

B. Data encryption always requires careful key management. Most algorithms are so strong today it is much easier to go after key management rather than to launch a brute force attack. Hashing algorithms are used for data integrity, encryption does require a good amount of resources, and keys do not have to be escrowed for encryption.

20
Q
```If different keys generate the same ciphertext for the same message, what is this called?
A. Collision
B. Secure hashing
C. MAC
D. Key clustering```
A

D. Message A was encrypted with key A and the result is ciphertext Y. If that same message A were encrypted with key B, the result should not be ciphertext Y. The ciphertext should be different since a different key was used. But if the ciphertext is the same, this occurrence is referred to as key clustering.

21
Q

What is the definition of an algorithm’s work factor?
A. The time it takes to encrypt and decrypt the same plaintext
B. The time it takes to break the encryption
C. The time it takes to implement 16 rounds of computation
D. The time it takes to apply substitution functions

A

B. The work factor of a cryptosystem is the amount of time and resources necessary to break the cryptosystem or its encryption process. The goal is to make the work factor so high that an attacker could not be successful in breaking the algorithm or cryptosystem.

22
Q

What is the primary purpose of using one-way hashing on user passwords?
A. It minimizes the amount of primary and secondary storage needed to store passwords.
C. It avoids excessive processing required by an asymmetric algorithm.
D. It prevents replay attacks.

A

B. Passwords are usually run through a one-way hashing algorithm so the actual password is not transmitted across the network or stored on a system
in plaintext. This greatly reduces the risk of an attacker being able to obtain the actual password

23
Q
```Which of the following is based on the fact that it is hard to factor large numbers into two original prime numbers?
A. ECC
B. RSA
C. DES
D. Diffie-Hellman```
A

B. The RSA algorithm’s security is based on the difficulty of factoring large numbers into their original prime numbers. This is a one-way function. It is easier to calculate the product than it is to identify the prime numbers used to generate that product.

24
Q

Which of the following describes the difference between the Data Encryption Standard and the Rivest-Shamir-Adleman algorithm?
A. DES is symmetric, while RSA is asymmetric.
B. DES is asymmetric, while RSA is symmetric.
C. They are hashing algorithms, but RSA produces a 160-bit hashing value.
D. DES creates public and private keys, while RSA encrypts messages.

A

A. DES is a symmetric algorithm. RSA is an asymmetric algorithm. DES is used to encrypt data, and RSA is used to create public/private key pairs.

25
Q
```Which of the following uses a symmetric key and a hashing algorithm?
A. HMAC
B. Triple-DES
C. ISAKMP-OAKLEY
D. RSA```
A

A. When an HMAC function is used, a symmetric key is combined with the message, and then that result is put though a hashing algorithm. The result is an HMAC value. HMAC provides data origin authentication and data in

26
Q
```The generation of keys that are made up of random values is referred to as Key Derivation Functions (KDFs). What values are not commonly used in this key generation process?
A. Hashing values
B. Asymmetric values
C. Salts
A

B. Different values can be used independently or together to play the role of random key material. The algorithm is created to use specific hash, passwords, and\or salt values, which will go through a certain number of rounds of mathematical functions dictated by the algorithm.

27
Q

Tim is a new manager for the software development team at his company. There are different types of data that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenChapterticated before being allowed access, and once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection.

```Which of the following symmetric block encryption mode(s) should be enabled in this company’s software? (Choose two.)
A. Electronic Code Book (ECB)
B. Cipher Block Chaining (CBC)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)```
A

A and B. The Electronic Code Book (ECB) mode should be used to encrypt credit card PIN values, and the Cipher Block Chaining (CBC) mode should be used to encrypt documents.

28
Q

Tim is a new manager for the software development team at his company. There are different types of data that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenChapterticated before being allowed access, and once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection.

```Which of the following would be best to implement for this company’s connections?
A. End-to-end encryption
C. Trusted Platform Modules
A

B. Since data is transmitting over dedicated WAN links, link encryptors can be implemented to encrypt the sensitive data as it moves from branch to branch.

29
Q

Tim is a new manager for the software development team at his company. There are different types of data that the company’s software needs to protect. Credit card PIN values are stored within their proprietary retail credit card processing software. The same software also stores documents, which must be properly encrypted and protected. This software is used to transfer sensitive data over dedicated WAN connections between the company’s three branches. Tim also needs to ensure that every user that interacts with the software is properly authenChapterticated before being allowed access, and once the authentication completes successfully, an SSL connection needs to be set up and maintained for each connection.

```Which of the following would be best to implement for this company’s connections?
A. End-to-end encryption
C. Trusted Platform Modules
A

C. The users can be authenticated by providing digital certificates to the software within a PKI environment. This is the best authentication approach, since SSL requires a PKI environment.

30
Q

Sean is a security administrator for a financial company and has an array of security responsibilities. He needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each employee sends is sent from an authenticated individual.

Which of the following best describes the software settings that need to be implemented for internal and external traffic?
A. IPSec with ESP enabled for internal traffic and IPSec with AH enabled for external traffic
B. IPSec with AH enabled for internal traffic and IPSec with ESP enabled for external traffic
C. IPSec with AH enabled for internal traffic and IPSec with AN and ESP enabled for external traffic
D. IPSec with AH and ESP enabled for internal traffic and IPSec with ESP enabled for external traffic

A

B. IPSec can be configured using the AH protocol, which enables system authentication but does not provide encryption capabilities. IPSec can be configured with the ESP protocol, which provides authentication and encryption capabilities.

31
Q

Sean is a security administrator for a financial company and has an array of security responsibilities. He needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each employee sends is sent from an authenticated individual.

When Sean purchases laptops for his company, what does he need to ensure is provided by the laptop vendor?
A. Public key cryptography
B. Cryptography, hashing, and message authentication
D. Trusted Platform Module

A

D. Trusted Platform Module (TPM) is a microchip that is part of the motherboard of newer systems. It provides cryptographic functionality that allows for full disk encryption. The decryption key is wrapped and stored within the TPM chip.

32
Q

Sean is a security administrator for a financial company and has an array of security responsibilities. He needs to ensure that traffic flowing within the internal network can only travel from one authenticated system to another authenticated system. This traffic has to be visible to the company’s IDS sensors, so it cannot be encrypted. The data traffic that flows externally to and from the network must only travel to authenticated systems and must be encrypted. He needs to ensure that each employee laptop has full disk encryption capabilities and that each e-mail message that each employee sends is sent from an authenticated individual.

```What type of e-mail functionality is required for this type of scenario?
A. Digital signature
B. Hashing
C. Cryptography
D. Message authentication code```
A

A. A digital signature is a hash value that has been encrypted with the sender’s private key. A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. When e-mail clients have this type of functionality, each sender is authenticated through digital certificates