CNA 210 - Chapter 4
Terms in this set (118)
Which of the following is NOT a method for strengthening a key?
A) Randomness
B) Cryptoperiod
C) Length
D) Variability
D) Variability
Which of the following block ciphers XORs each block of plaintext with the previous block of ciphertext before being encrypted?
A) Electronic Code Book (ECB)
B) Galois/Counter (GCM)
C) Counter (CTR)
D) Cipher Block Chaining (CBC)
D) Cipher Block Chaining (CBC)
What entity calls in crypto modules to perform cryptographic tasks?
A) Certificate Authority (CA)
B) OCSP Chain
C) Intermediate CA
D) Crypto service provider
D) Crypto service provider
______ are symmetric keys to encrypt and decrypt information exchanged during the session and to verify its integrity.
A) Encrypted signatures
B) Session keys
C) Digital certificates
D) Digital digests
B) Session keys
Which of these is considered the strongest cryptographic transport protocol?
A) TLS v1.2
B) TLS v1.0
C) SSL v2.0
D) SSL v2.0
A) TLS v1.2
The strongest technology that would assure Alice that Bob is the sender of a message is a(n) __________.
A) digital signature
B) encrypted signature
C) digest
D) digital certificate
D) digital certificate
A digital certificate associates ________.
A) a user's public key with his private key
B) the user's identity with his public key
C) a user's private key with the public key
D) a private key with a digital signature
B) the user's identity with his public key
Digital certificates can be used for each of these EXCEPT.
A) to verify the authenticity of the Registration Authorizer
B) to encrypt channels to provide secure communication between clients and servers
C) to verify the identity of clients and servers on the Web
D) to encrypt messages for secure email communications
A) to verify the authenticity of the Registration Authorizer
An entity that issues digital certificates is a:
A) certificate signatory (CS)
B) digital signer (DS)
C) certificate authority (CA)
D) signature authority (SA)
C) certificate authority (CA)
A centralized directory of digital certificates is called a(n).
A) Digital Signature Permitted Authorization (DSPA)
B) Digital Signature Approval List (DSAP)
C) Certificate Repository (CR)
D) Authorized Digital Signature (ADS)
C) Certificate Repository (CR)
_______ performs a real-time lookup of a digital certificate's status.
A) Certificate Revocation List (CRL)
B) Real-Time CA Verification (RTCAV)
C) Online Certificate Status Protocol (OCSP)
D) CA Registry Database (CARD)
C) Online Certificate Status Protocol (OCSP)
What is a value that can be used to ensure that hashed plaintext will not consistently result in the same digest?
A) Algorithm
B) Initialization vector (IV)
C) Nonce
D) Salt
D) Salt
Which digital certificate displays the name of the entity behind the website?
A) Online Certificate Status Certificate
B) Extended Validation (EV) Certificate
C) Session Certificate
D) X.509 Certificate
B) Extended Validation (EV) Certificate
Which trust model has multiple CAs, one of which acts as a facilitator?
A) Bridge
B) Hierarchical
C) Distributed
D) Web
A) Bridge
Which statement is NOT true regarding hierarchical trust models?
A) It is designed for use on a large scale.
B) The root signs all digital certificate authorities with a single key.
C) It assigns a single hierarchy with one master CA.
D) The master CA is called the root.
A) It is designed for use on a large scale.
Public key infrastructure (PKI) ___________.
A) generates public/private keys automatically
B) creates private key cryptography
C) is the management of digital certificates
D) requires the use of an RA instead of a CA
C) is the management of digital certificates
A(n)______ is a published set of rules that govern the operation of a PKI.
A) signature resource guide (SRG)
B) enforcement certificate (EF)
C) certificate practice statement (CPS)
D) certificate policy (CP)
D) certificate policy (CP)
Which of these is NOT part of the certificate life cycle?
A) Expiration
B) Revocation
C) Authorization
D) Creation
C) Authorization
_______ refers to a situation in which keys are managed by a third party, such as a trusted CA.
A) Key authorization
B) Key escrow
C) Remote key administration
D) Trusted key authority
B) Key escrow
_________ is a protocol for securely accessing a remote computer.
A) Transport Layer Security (TLS)
B) Secure Shell (SSH)
C) Secure Sockets Layer (SSL)
D) Secure Hypertext Transport Protocol (SHTTP)
B) Secure Shell (SSH)
What is a value that serves as input to an algorithm and then turns plaintext into ciphertext?
cryptographic key
True or False
A key is a random string of bits that serves as an input parameter to symmetric, but not asymmetric, cryptographic algorithms.
False, it is used for both symmetric and asymmetric
True or False
A key is different from a password.
True
Explain the difference between keys and passwords.
Keys are used by software or hardware that are running cryptographic algorithms
Passwords are for people to input and remember
What is key strength?
Characteristics that determine the resiliency of the key to attacks
The primary characteristics of key strength, listed in this chapter, are: (Choose all that apply)
A) Randomness
B) Cuteness
C) Length
D) Cryptomalleability
E) Cryptoperiod
F) Some of the above
A) Randomness
C) Length
E) Cryptoperiod
True or False
It is recommended to have the same cryptoperiods for different types of keys as long as they are limited.
False, different keys recommend different cryptoperiods
A(n) ________ ________ is an attempt to hide the existence of an algorithm for enhanced security.
secret algorithm
Possible Bonus: Auguste Kerckhoffs published his six design standards for military ciphers in his work called ______ ____.
Kerckhoffs Principles
What specifies how block ciphers should handle blocks?
block cipher mode of operation
The book lists a bunch of fun block cipher modes of operation, identify them.
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Counter (CTR)
Galois/Counter (GCM)
This block cipher mode of operation encrypts the plaintext, feeds each ciphertext block back into the encryption process and moves on to the next plaintext block. Each block of plaintext is XORed with the previous block of ciphertext before being encrypted. What lends to its security is that each ciphertext block depends on the previous ciphertext block, the plaintext and the key.
(CBC) Cipher Block Chaining
This block cipher mode of operation is the most basic: it divides the plaintext into blocks and encrypts each one separately. This mode is considered unsuitable for use because identical blocks of plaintext produce identical ciphertext blocks.
(ECB) Electronic Code Book
This block cipher mode of operation requires that both the sender and receiver have access to a counter that computes a new value each time a ciphertext block is exchanged. Its weakness lies in the fact that the sender and receiver must stay in sync with the same counter.
(CTR) Counter
You better not have missed this, the answer is listed twice in the definition.
This block cipher mode of operation computes a message authentication code (MAC) and encrypts the plaintext in order to authenticate the message sender. The MAC also makes sure the message was not tampered with during transmission. Just like CTR, this mode uses a counter. It also adds a plaintext string called additional authentication data (AAD) that may contain addresses and parameters of a network protocol.
(GCM) Galois/Counter
A __ _________ ___ allows an application to implement an encryption algorithm for execution.
crypto service provider
These modules perform specific tasks directed by crypto service providers.
crypto modules
This process typically implements cryptographic algorithms, generates keys, provides key storage and authenticates users.
crypto service provider
True or False
Applications can manipulate the keys created by crypto service providers and alter the cryptographic algorithm as long as they are directed by a domain level or higher administrator.
False, applications cannot manipulate the keys
In addition to a key, some cryptographic algorithms require that an additional value be input; these may be called _____ __ __.
algorithm input values
A value added to plaintext to ensure that, when hashed, it will not consistently result in the same digest.
salt
This means 'number used once'.
nonce
An input value that must be unique within a specified scope.
nonce
A(n) _____ ________ is a nonce that is selected in a non-predictable way, used for transporting encrypted items.
initialization vector (IV)
True or False
A nonce is not required to be randomized but an IV should be randomized and never repeated.
True
A female name that this chapter calls "he".
Mallory
Electronically signed by a trusted third party, this technology is used to identify a public key.
digital certificate
A _________ ____________ can be thought of as a container for a ___ ___.
digital certificate
public key
This is a user request for a digital certificate.
Certificate Signing Request (CSR)
This entity processes the CSR and certifies the authenticity of the user on behalf of a CA.
intermediate certificate authority
This entity is responsible for digital certificates.
certificate authority (CA)
True or False
The names that identify the connection to a CA network are in-band CA and out-of-band CA.
False, offline and online CA
A ______ __________ is a publicly accessible centralized directory of digital certificates.
certificate repository (CR)
True or False
This directory of digital certificates, which can be used to view the status of a digital certificate, is called a certificate repository. It can also be managed locally by setting it up as a storage area connected to a CA server.
True
What is the name of the list that shows certificate serial numbers that have been revoked?
Certificate Revocation List (CRL)
If somebody wants to look up a certificate's status, which protocol would they use?
Online Certificate Status Protocol (OCSP)
What is it called when a web browser cannot reach the OCSP Responder server?
soft-fail
When a server requires every user's certificate be signed in real time, it is performing ________ ______.
OCSP stapling
Linking several certificates together is called: Choose the best answer.
A) certificate chaining
B) certificate linking
C) linking certificates
D) certificate grouping
E) the buddy system
A) certificate chaining
This is where a certificate chain ends.
user digital certificate
This is where a certificate chain begins.
root digital certificate
If a signed digital certificate does not require a higher-level authority for authentication, then it is called _______-____.
self-signed
This type of certificate is between a root and user digital certificate.
intermediate certificate
What is hard-coding a digital certificate within a program that uses certificates called?
pinning
Identify the two primary functions of web server digital certificates.
They ensure the authenticity of the web server to the client.
They can ensure the authenticity of the cryptographic connection to the web server.
What is the handshake, with keys, called between the web browser and web server?
key exchange
What are the steps of a key exchange?
1) ClientHello
2) ServerHello
3) ClientKeyExchange
During step three of the key exchange, the browser generates a random value called the ______-______ _______, encrypts it with the server's public key and sends it back to the server.
pre-master secret
When the browser and server have the same pre-master secret they can create this, which is used to create session keys.
master secret
These are symmetric keys used to encrypt and decrypt information exchanged during the session and to verify its integrity.
session keys
The book lists four domain digital certificates, name three of them. Or else.
domain validation digital certificates
extended validation digital certificates (EV)
wildcard digital certificates
subject alternative names digital certificates
Which certificate verifies the identity of the entity that has control over the domain name?
domain validation digital certificate
This certificate requires more extensive verification of the legitimacy of the business than a domain validation digital certificate.
extended validation digital certificates (EV)
This certificate validates, not on the main domain, but all its subdomains.
wildcard digital certificate
This digital certificate, which is also known as a Unified Communications Certificate, is primarily used for Microsoft Exchange servers or unified communications.
Subject Alternative Name (SAN) digital certificate
This certificate allows multiple server or domain names to use the same secure certificate by allowing different values to be associated with the certificate.
Subject Alternative Name (SAN) digital certificate
A ______ _________ ________ verifies the identity of a device in a network transaction.
machine digital certificate
True or False
It is possible for network devices to create their own self-signed machine digital certificates.
True
These digital certificates are used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and no unauthorized third party has altered or compromised it. Choose all that apply.
A) code signing digital certificates
B) machine digital certificates
C) wildcard digital certificates
D) email digital certificates
E) None of the above
A) code signing digital certificates
A user wanting to digitally sign and encrypt mail message would use which certificate?
email digital certificate
Is it possible to digitally sign a Word document or PDF with a digital certificate to create a digital signature?
Yesh, tis. Say it exactly how it's written. It's fun.
What is the standard that the ITU endorses?
X.509
What are the three encoding formats that follow X.509 via the ITU-T X.690 standard?
BER, Basic Encoding Rules
CER, Canonical Encoding Rules
DER, Distinguished Encoding Rules
What are the three X.509 file formats?
.pem
.pfx
.p12
Which X.509 file format is designed to provide confidentiality and integrity to emails using DER coding and can have multiple certificates?
.pem (Privacy Enhancement Mail)
Which X.509 file format is the preferred file format for creating certificates to authenticate applications or websites? It is password-protected because it contains both private and public keys.
.pfx (Personal Information Exchange)
Which X.509 file format is a single instance of a numbered set of 15 standards defined by the RSA Corporation? This file format is based on the RSA public key algorithm and uses both public and private keys.
.p12 (PKCS#12)
__________ _____ ___ is a framework for all entities involved in digital certificates for digital certificate management to create, store, distribute, and revoke digital certificates.
Public Key Infrastructure (PKI)
This trust model, which is less secure, uses no CA and is based on direct trust where a user signs their digital certificate then exchanges certificates with all other users.
web of trust
More like web of lies am I right?
This trust model assigns a single hierarchy with one master CA called the root and signs all digital certificate authorities with a single key. Choose the best answer.
A) direct trust
B) third-party trust
C) house-party trust
D) hierarchical trust model
E) distributed trust model
F) bridge trust model
D) hierarchical trust model
This trust model has multiple CAs that sign digital certificates.
A) direct trust
B) third-party trust
C) house-party trust
D) hierarchical trust model
E) distributed trust model
F) bridge trust model
E) distributed trust model
This trust model has multiple CAs that sign digital certificates but there is one CA that acts as a facilitator.
A) direct trust
B) third-party trust
C) house-party trust
D) hierarchical trust model
E) distributed trust model
F) bridge trust model
F) bridge trust model
This is the published set of rules that govern the operation of a PKI.
certificate policy (CP)
These documents are more technical than a CP and include information such as how end users register for a digital certificate, how to issue digital certificates, when to revoke digital certificates, how to save a life (just kidding, that's a The Fray song that sucks), procedural controls, key pair generation/installation, and private key protection.
certificate practice statements (CPS)
According to the chapter, 8.6.753.0980085 is an example of what?
an object identifier (OID)
This name of an object or entity corresponds to a node in a hierarchy tree structure and contains numbers separated by dots.
object identifier (OID)
The life cycle of a certificate, in this chapter, is divided into four parts. Identify them.
Creation
Suspension
Revocation
Expiration
_______ _______ can be stored by embedding them within digital certificates, while _______ ______________ can be stored on the user's local system.
Public keys
private keys
This chapter lists seven procedures that can help ensure that keys are properly handled. Identify them.
Escrow
Expiration
Renewal
Revocation
Recovery
Suspension
Destruction
This type of recovery is when a user's private key is encrypted and divided into a specific number of parts and distributed to others with overlap.
M-of-N control
This cryptographic transport algorithm, developed by Netscape in 1994, is based on AES and is currently in version 3.0.
SSL (Secure Sockets Layer)
According to the book (which is not real world accurate), this cryptographic transport algorithm's latest version is 1.2. It is based on SSL 3.0 and is more secure than SSL.
TLS (Transport Layer Security)
A ____ __ is a combination of encryption, authentication, and message authentication code (MAC) used with SSL and TLS.
cipher suite
True or False
Keys of less than 2048 bits are considered weak, keys of 2048 bits are also weak, keys of 4096 are considered strong.
False, keys of 2048 are considered good.
This is an encrypted alternative to Telnet.
Secure Shell (SSH)
The book lists SSH commands, identify the command with the description:
Log on to a remote computer
Copy files between remote computers
Executing a command on a remote host without logging on
slogin - Log on to a remote computer
scp - Copy files between remote computers
ssh - Executing a command on a remote host without logging on
Which ports are used by HTTP, HTTPS, SSH, Telnet, and DNS, even though DNS is not in this course? It's just good to know about DNS.
HTTP - 80
HTTPS - 443
SSH - 22
Telnet - 23
DNS - 53
What is used by ports 22, 80, 23, and 443?
22 - SSH
80 - HTTP
23 - Telnet
443 - HTTPS
Digitally signed and secured email messages can use this protocol which is mentioned in the chapter.
S/MIME
The chapter mentions this as a standard for how an electronic message will be organized.
MIME
Typically used in VoIP, this is a secure extension which was first published in 2004.
SRTP (Secure Real-time Transport Protocol)
Without requiring a program to be modified in order to run, this protocol suite aims to secure IP communications.
IPSec (Internet Protocol Security)
IPsec is considered _____________ to entities such as applications, users, and software.
transparent
There are three areas of protection that correspond to three IPsec protocols, identify them.
Confidentiality
Authentication
Key management
___________ mode protects the entire packet and is used in network-to-network communication, while ________ mode is used when a device must see the source and destination addresses to route the packet.
Tunnel
transport
Which protocol identifies the header of the packet in IPsec?
Authentication Header (AH)
Confidentiality is ensured by IPsec when it uses this protocol.
Encapsulating Security Payload (ESP)
Key management is accomplished in IPsec by this annoying initialism.
ISAKMP/Oakley (Internet Security Association and Key Management Protocol/Oakley)