Module 17

Question 1

are a mathematical technique used to provide authenticity, integrity, and nonrepudiation.

Answer 1

Digital signatures

Question 2

The following are characteristics of digital signatures:

Answer 2

• Authentic
• Unalterable
• Not reusable
• Non-repudiated

Question 3

• The signature cannot be forged and provides proof that the signer, and no one else, signed the document.

Answer 3

• Authentic

Question 4

• After a document is signed, it cannot be altered.

Answer 4

• Unalterable

Question 5

• The document signature cannot be transferred to another document.

Answer 5

• Not reusable

Question 6

• The signed document is considered to be the same as a physical document.

Answer 6

• Non-repudiated

Question 7

Digital signatures are commonly used in the following two situations:

Answer 7

code signing and
digital certificates.

Question 8

There are three Digital Signature Standard (DSS) algorithms that are used for generating and
verifying digital signatures:

Answer 8

• Digital Signature Algorithm (DSA)
• Rivest-Shamir Adelman Algorithm (RSA)
• Elliptic Curve Digital Signature Algorithm (ECDSA)

Question 9

• DSA is the original standard for generating public and private key pairs, and for generating and verifying digital signatures.

Answer 9

• Digital Signature Algorithm (DSA)

Question 10

• RSA is an asymmetric algorithm that is commonly used for generating and verifying digital signatures.

Answer 10

• Rivest-Shamir Adelman Algorithm (RSA)

Question 11

• ECDSA is a newer variant of DSA and
  provides digital signature authentication and non-repudiation with the added benefits of computational efficiency, small signature sizes, and minimal bandwidth.

Answer 11

• Elliptic Curve Digital Signature Algorithm (ECDSA)

Question 12

Digitally signing code provides several assurances about the code.

Answer 12

• The code is authentic and is actually sourced by the publisher.
• The code has not been modified since it left the software publisher.
• The publisher undeniably published the code. This provides nonrepudiation of the
  act of publishing.

Question 13

A ____ is used to authenticate and verify
that a user who is sending a message is who they claim to be. ___ can also be used to provide confidentiality for the receiver with the means to encrypt a reply.

Answer 13

digital certificate

Question 14

When establishing an asymmetric connection between two hosts, the hosts will exchange their
public key information.

Answer 14

True

Question 15

An __is a digital certificate that confirms the identity of a website domain.

Answer 15

SSL certificate

Question 16

Some examples of Certificate Authorities (CAs) are

Answer 16

IdenTrust, DigiCert, Sectigo, GlobalSign, and
GoDaddy.

These CAs charge for their services.

Let’s Encrypt is a non-profit CA that offers
certificates free of charge.

Question 17

is needed to support large-scale distribution and identification of public encryption keys.

Answer 17

Public key infrastructure (PKI)

Question 18

CAs, especially those that are outsourced, issue certificates based on classes which determine
how trusted a certificate is.

The class number is determined by how rigorous
the procedure was that verified the identity of the holder when the certificate was issued.

The higher the class number, the more trusted the certificate.

Answer 18

0 Used for testing in situations in which no checks have been performed.

1 Used by individuals who require verification of email.

2 Used by organizations for which proof of identity is required.

3 Used for servers and software signing. Independent verification and checking of identity and authority is done by the certificate authority.

4 Used for online business transactions between companies.

5 Used for private organizations or government security.

Question 19

PKI Trust System

Answer 19

PKIs can form different topologies of trust.
The simplest is the single-root PKI
topology.

On larger networks, PKI CAs may be linked using two basic architectures:

• Cross-certified CA topologies
• Hierarchical CA topologies

Question 20

Interoperability between a PKI and its
supporting services, such as Lightweight
Directory Access Protocol (LDAP) and
X.500 directories, is a concern because
many CA vendors have proposed and
implemented proprietary solutions instead
of waiting for standards to develop.

To address this interoperability concern,
the IETF published the ____

Answer 20

Internet X.509

Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527).

Question 21

The ___standard defines the format of a digital certificate.

Answer 21

X.509 version 3 (X.509 v3)

Question 22

Certificate Enrollment, Authentication, and Revocation

Answer 22

• All systems that leverage the PKI must have the CA’s public key, which is called the self-signed
  certificate. The CA public key verifies all the certificates issued by the CA and is vital for the proper operation of the PKI.
• For many systems such as web browsers, the distribution of CA certificates is handled automatically.
• The certificate enrollment process is used by a host system to enroll with a PKI. To do so, CA
  certificates are retrieved in-band over a network, and the authentication is done out-of-band (OOB)
  using the telephone.
• Authentication no longer requires the presence of the CA server, and each user exchanges their
  certificates containing public keys.
• Certificates must sometimes be revoked. The two of the most common methods of revocation are
  Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP).

Question 23

Where can PKI be used by an enterprise? The following provides a short list of common
uses of PKIs:

Answer 23

• SSL/TLS certificate-based peer authentication
• Secure network traffic using IPsec VPNs
• HTTPS Web traffic
• Control access to the network using 802.1x authentication
• Secure email using the S/MIME protocol
• Secure instant messaging
• Approve and authorize applications with Code Signing
• Protect user data with the Encryption File System (EFS)
• Implement two-factor authentication with smart cards
• Securing USB storage devices

Question 24

PKI-related issues that are
associated with security warnings include:

Answer 24

• Validity date range - The X.509v3 certificates specify “not before” and “not after” dates. If
  the current date is outside the range, the web browser displays a message. Expired
  certificates may simply be the result of administrator oversight, but they may also reflect
  more serious conditions.
• Signature validation error - If a browser cannot validate the signature on the certificate,
  there is no assurance that the public key in the certificate is authentic. Signature validation
  will fail if the root certificate of the CA hierarchy is not available in the browser’s certificate
  store.

Question 25

Here is a list of some of the things that a security analyst could do:

Answer 25

* Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and nonHTTPS SSL traffic. * Enhance security through server certificate validation using CRLs and OCSP. * Implement antimalware protection and URL filtering of HTTPS content. * Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention system (IPS)

Question 26

are a mathematical technique used to provide three basic security services: authenticity, integrity, and nonrepudiation.

Answer 26

Digital signatures

Question 27

Digital signatures are a mathematical technique used to provide three basic security services:

Answer 27

authenticity, integrity, and nonrepudiation.

Question 28

Properties of digital signature are that they are They are commonly used for code signing and digital certificates.

Answer 28

authentic, unalterable, not reusable, and non-repudiated.

Question 29

There are three DSS algorithms that are used for generating and verifying digital signatures:

Answer 29

DSA, RSA and ECDSA.

Question 30

A __is used to authenticate and verify that a user who is sending a message is who they claim to be.

Answer 30

digital certificate

Question 31

The PKI consists of ____ that are used to create, manage, distribute, use, store, and revoke digital certificates.

Answer 31

specifications, systems, and tools

Question 32

PKI-related issues that are associated with security warnings include ___. Some of these issues can be avoided with features of the SSL/TSL protocols.

Answer 32

validity date range and signature validation

Question 33

The key components of the cipher suite are

Answer 33

the MAC, the encryption algorithm, the key exchange algorithm, and the authentication algorithm.

Question 34

can be used to hide malware command and control traffic between infected hosts and the command and control servers.

Answer 34

Encryption

Question 35

What are the two important components of a public key infrastructure (PKI) used in network security? (Choose two.)

Answer 35

digital certificates certificate authority A public key infrastructure uses digital certificates and certificate authorities to manage asymmetric key distribution. PKI certificates are public information. The PKI certificate authority (CA) is a trusted third-party that issues the certificate. The CA has its own certificate (self-signed certificate) that contains the public key of the CA.

Question 36

What is the purpose of code signing?

Answer 36

integrity of source .EXE files Code signing is used to verify the integrity of executable files downloaded from a vendor website. Code signing uses digital certificates to authenticate and verify the identity of a website.

Question 37

Which statement describes the use of certificate classes in the PKI?

Answer 37

a class 5 certificate is more trustworthy than a class 4 certificate The higher the certificate number, the more trustworthy the certificate. Class 1 certificates are for individuals, with a focus on email verification. An enterprise can act as its own CA and implement PKI for internal use. In that situation, the vendor can issue certificates as needed for various purposes.​

Question 38

What role does an RA play in PKI?

Answer 38

a subordinate CA A registration authority (RA) is a subordinate CA. It is certified by a root CA to issue certificates for specific uses.

Question 39

Which protocol uses X.509 certificates to support mail protection performed by mail agents?

Answer 39

S/MIME Many applications use the X.509 standard format of digital certificates to authenticate websites, public key distribution, and end devices connected to switch ports. User email agents use the S/MIME protocol to support email protection. S/MIME uses X.509 certificates.

Question 40

What protocol is used to query the revocation status of an X.509 certificate?

Answer 40

OCSP Online Certificate Status Protocol (OCSP) is an internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate.

Question 41

In which way does the use of HTTPS increase the security monitoring challenges within enterprise networks?

Answer 41

HTTPS traffic enables end to end encryption HTTPS enables end-to-end encrypted network communication, which adds further challenges for network administrators to monitor the content of packets to catch malicious attacks.

Question 42

Which technology is used to provide assurance of the authenticity and integrity of software code?

Answer 42

digital signatures Digital signatures are commonly used to provide assurance of the authenticity and integrity of software code. Executable files are wrapped in a digitally signed envelope, which allows the end user to verify the signature before installing the software.

Question 43

Which CA class of digital certificates would be used by individuals to perform email verification?

Answer 43

1 The CA class number determines how rigorous the procedure was that verified the identity of the holder when the certificate was issued. The higher the class number, the more trusted the certificate. Class numbers range from 0 to 5. A class 5 certificate is the most trusted, and class 0 the least trusted. Class 1 is used by individuals for verification of email.

Question 44

What is a purpose of a digital certificate?

Answer 44

to authenticate and verify that a user who is sending a message is who they claim to be A digital certificate works like a physical certificate. A digital certificate can be used to authenticate and verify that a user who is sending a message is who they claim to be.

Question 45

What is an appropriate use for class 5 digital certificates?

Answer 45

used for private organizations or government security