CISSP 5 Cryptography
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
Answer: RC4
Answer: Availability
Because keys are at risk of being lost, destroyed or corrupted, careful key
management is always required. Backup copies should be available and easily
accessible should the need arise. If the key to encrypted data is accidentally lost,
that information would be lost forever.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, chapter 8: Cryptography (page 557).
Thanks to Christian Vezina for providing details and a reference to this question.
5. Which of the following encryption algorithms does not deal with discrete
logarithms?
Answer: RSA
6. Microsoft and Netscape offer two versions of their Web browsers, export and domestic.
Which of the following differentiates the versions?
Answer: The browser for domestic market uses 128-bit encryption and the
browser for international market uses 40-bit encryption.
Answer: Availability
The primary security concerns relative to LDAP servers are availability and
integrity. For example, denial of service attacks on an LDAP server could prevent
access to the Certificate Revocation List and, thus, permit the use of a revoked
certificate.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001,
Chapter 4: Cryptography (page 165).
The Message Digest or Hash is computed from the original message using one of the
hashing algorithms such as MD5 or SHA. A message is said to be digitally signed
if it is sent with a Message Digest encrypted with the sender's Private Key.
Source: Building E-Commerce Infrastructure, White Paper from Verisign, Page 5
section 5 - Digital Signatures.
Also check out: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001,
Chapter 4: Cryptography (page 160).
Thanks to Jamil Siddique for providing this question and to Brian Kang for
providing an extra reference to this question.
10. What is the name for a mathematical encryption operation that cannot be reversed?
Thanks to Rakesh Sud for providing this question and to Christian Vezina for
improving it.
11. Which of the following is not provided by a public key infrastructure (PKI)?
Answer: Reliability
12. Which of the following can best be defined as a key distribution protocol that
uses hybrid encryption to convey session keys that are used to encrypt data in IP
packets?
Answer: Information stays encrypted from one end of its journey to the other.
When using link encryption, packets have to be decrypted at each hop and
encrypted again. Information staying encrypted from one end of its journey to the
other is a characteristic of end-to-end encryption, not link encryption.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April
2002 (page 6). Available at http://www.cccure.org.
14. What level of assurance for a digital certificate verifies a user's name, address,
social security number, and other information against a credit bureau database?
Answer: Level 2
Users can obtain certificates with various levels of assurance. For example, level
1 certificates verify electronic mail addresses. This is done through the use of a
personal information number that a user would supply when asked to register.
This level of certificate may also provide a name as well as an electronic mail
address; however, it may or may not be a genuine name (i.e., it could be an alias).
Level 2 certificates verify a user's name, address, social security number, and
other information against a credit bureau database. Level 3 certificates are
available to companies. This level of certificate provides photo identification to
accompany the other items of information provided by a level 2 certificate. A
level 4 certificate is not defined yet.
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security
Management Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3,
Secured Connections to External Networks (page 54).
15. What encryption algorithm is best suited for communication with handheld
wireless devices?
Answer: ECC
Elliptic Curve Cryptosystems (ECC) are used as asymmetric algorithms and
can provide signature, key distribution and encryption functionality. The fact that
ECC uses fewer resources makes it appropriate for small handheld devices.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, Chapter 8: Cryptography (page 531).
Strong encryption refers to an encryption process that uses at least a 128-bit key.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, page 100.
Answer: RC4
Ron's Code 4 (RC4) is an algorithm used for encryption and does not provide
hashing functions.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, Chapter 8: Cryptography (page 550).
VeriSign's SSL uses public-key cryptography to secure the session key, while the
session key (a private, secret key) secures the communication between both parties.
19. Which DES mode of operation is best suited for database encryption?
Answer: Electronic Code Book (ECB) mode
Electronic Code Book (ECB), as opposed to other modes, does not depend on the
results of a previous operation. ECB mode works with blocks of data
independently, thus data within the file does not have to be encrypted in a certain
order, making it appropriate for encrypting databases containing different pieces
of data accessed in random order. Choice B (CRC) is not a DES mode.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, Chapter 8: Cryptography (page 527).
Answer: A message that is encrypted with a secret key and accompanied with that
key, encrypted with a public key.
Reference: RFC 2459: Internet X.509 Public Key Infrastructure Certificate and
CRL Profile.
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
22. Which of the following would best describe a Concealment cipher?
Answer: Every X number of words within a text, is a part of the real message.
When a concealment cipher is used, every X number of words within a text
is a part of the real message. A transposition cipher uses permutations. A
substitution cipher replaces bits, characters, or blocks of characters with different
bits, characters or blocks. Steganography refers to hiding the very existence of the
message.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April
2002 (page 1). Available at http://www.cccure.org.
Answer: The authentic distribution of the new root CA certificate to all PKI
participants
The main task here is the authentic distribution of the new root CA certificate, as
the new trust anchor, to all the PKI participants (e.g. the users). In some
rollover scenarios there is no automatic way; often an explicit assignment of trust
by each user is needed, which can be very costly. Other methods make use of
the old root CA certificate for automatic trust establishment (see the PKIX reference),
but these solutions work well only in scenarios with a currently valid root CA
certificate (and not in emergency cases, e.g. compromise of the current root
CA certificate). The rollover of the root CA certificate is a specific and delicate
problem and is therefore often ignored during PKI deployment.
Reference: Camphausen, I.; Petersen, H.; Stark, C.: Konzepte zum Root CA
Zertifikatswechsel, conference Enterprise Security 2002, March 26-27, 2002,
Paderborn; RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and
CRL Profile.
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
26. What is called the substitution cipher that shifts the alphabet by 13 places?
The Caesar cipher is a simple substitution cipher that involves shifting the alphabet
three positions to the right. ROT13 is a substitution cipher that shifts the alphabet
by 13 places. A polyalphabetic cipher refers to using multiple alphabets at a time.
A transposition cipher is a different type of cipher.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001,
Chapter 4: Cryptography (page 136).
Answer: Plain text is encrypted with a public key and decrypted with a private
key.
Block ciphers do not use public-key cryptography (private and public keys). A block
cipher is a type of symmetric-key encryption algorithm that transforms a fixed-
size block of plaintext (unencrypted text) data into a block of ciphertext
(encrypted text) data of the same length. They are appropriate for software
implementations and can be operated as a stream cipher.
Source: DUPUIS, Clément, CISSP Open Study Guide on domain 5,
cryptography, April 1999. Available at http://www.cccure.org.
28. Which of the following is not a known type of Message Authentication Code
(MAC)?
29. In a SSL session between a client and a server, who is responsible for generating
the master secret that will be used as a seed to generate the symmetric keys that
will be used during the session?
Once the merchant server has been authenticated by the browser client, the
browser generates a master secret that is to be shared only between the server and
client. This secret serves as a seed to generate the session (private) keys. The
master secret is then encrypted with the merchant's public key and sent to the
server. The fact that the master secret is generated by the client's browser provides
the client assurance that the server is not reusing keys that would have been used
in a previous session with another client.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6:
Cryptography (page 112).
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
31. Windows 98 includes the ability to check the digitally signed hardware drivers.
Which of the following are true?
Answer: Drivers are the only files supplied with W98 that can be checked for
digital signatures and all drivers included with W98 have been digitally signed
32. Which of the following is best defined as a cryptographic key that is used to
encipher application data?
34. An X.509 public key certificate with the key usage attribute "non repudiation" can
be used for which of the following?
References: RFC 2459 : Internet X.509 Public Key Infrastructure Certificate and
CRL Profile; GUTMANN, P., X.509 style guide.
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
35. Which of the following layers is not used by the Rijndael algorithm?
The Rijndael algorithm was chosen by NIST as a replacement standard for DES.
It is a block cipher with a variable block length and key length. It employs a
round transformation that is comprised of three layers of distinct and invertible
transformations: The non-linear layer, the linear mixing layer and the key addition
layer. It is suited for high speed chips with no area restrictions or a compact co-
processor on a smart card.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April
2002 (page 3). Available at http://www.cccure.org.
A stream cipher treats the message as a stream of bits or bytes and performs
mathematical functions on them individually. The key is a random value input
into the stream cipher, which it uses to ensure the randomness of the keystream
data. Stream ciphers are more suitable for hardware implementations, because they encrypt
and decrypt one bit at a time. They are intensive because each bit must be
manipulated, which works better at the silicon level. Block ciphers operate at the
block level, dividing the message into blocks of bits. Cipher Block Chaining
(CBC) and Electronic Code Book (ECB) are operation modes of DES, a block
encryption algorithm.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April
2002 (page 2). Available at http://www.cccure.org.
37. Which protocol makes use of an electronic wallet on a customer's PC and sends
encrypted credit card information to merchant's Web server, which digitally signs
it and sends it on to its processing bank?
Answer: SET
The Secure Electronic Transaction (SET) protocol was introduced by Visa and
Mastercard to allow for more credit card transaction possibilities. It is comprised
of three different pieces of software, running on the customer's PC (an electronic
wallet), on the merchant's Web server and on the payment server of the merchant's
bank. The credit card information is sent by the customer to the merchant's Web
server, which does not open it but instead digitally signs it and sends it to its
bank's payment server for processing.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, Chapter 8: Cryptography (page 571).
Reference: SET Specification.
38. In the mid-1970's, what encryption method was chosen as a national standard to
be incorporated into software-based encryption products?
There is no standard. The NSA chose DES as a national standard for hardware-
based encryption, but no corresponding method was chosen as a standard for
software-based encryption.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics,
O'Reilly, 1991, pg. 182.
The CISSP Prep Guide states, "Because there are more calculations associated
with public key cryptography, it is 1,000 to 10,000 times slower than secret key
cryptography."
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001,
page 156.
40. Which of the following cryptographic attacks describes when the attacker has a
copy of the plaintext corresponding to the ciphertext?
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, page 163.
Answer: Confidentiality
When using symmetric cryptography, both parties use the same key for
encryption and decryption. Symmetric cryptography is generally fast and can be
hard to break, but it offers limited overall security in that it can only
provide confidentiality.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April
2002 (page 2). Available at http://www.cccure.org.
Answer: This mode does not provide protection if the nodes along the
transmission path can be compromised.
Thanks to Christian Vezina for providing this question and to Don Murdoch for
providing an extra reference.
43. What is NOT true of pre-shared key authentication within the IKE / IPsec protocol?
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
Answer: 16
DES is a block encryption algorithm using 56-bit keys and 64-bit blocks that are
divided in half and each character is encrypted one at a time. The characters are
put through 16 rounds of transposition and substitution functions. Triple DES uses
48 rounds.
Source: WALLHOFF, John, CBK#5 Cryptography (CISSP Study Guide), April
2002 (page 3). Available at http://www.cccure.org.
48. Which of the following can best be defined as a cryptanalysis technique in which
the analyst tries to determine the key from knowledge of some plaintext-
ciphertext pairs?
49. What does the directive of the European Union on Electronic Signatures deal
with?
Reference: FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce:
Building the Infrastructure for Digital Signatures and Encryption (2nd Edition),
2000, Prentice Hall PTR, Page 589; Directive 1999/93/EC of 13 December 1999
on a Community framework for electronic signatures.
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.
Answer: Tamperproof, mobile storage and application of private keys of the users
A very special thanks to Claus Stark and his wife Shubhangi for submitting this
question.