
ST0-401:6 TS Quiz Cryptography


Answer:
L2TP


Explanation:
Layer 2 Tunneling Protocol (L2TP) operates at the Data Link layer, or Layer 2, of the Open Systems Interconnection (OSI) model. L2TP is a tunneling protocol that is used to create virtual private network (VPN) connections, typically through the Internet.

Internet Protocol Security (IPSec) is a suite of protocols designed to protect Internet Protocol (IP) communications by encrypting IP data packets. IPSec can operate in tunnel mode to support VPNs or in transport mode to support typical IP communications. IPSec operates at the Network layer, or Layer 3, of the OSI model.

Intermediate System to Intermediate System (IS-IS) is a Network layer protocol that enables intermediate systems within a routing domain to exchange information regarding the routing topology.

Transmission Control Protocol (TCP) is a protocol in the TCP/IP protocol suite that operates at Layer 4, or the Transport layer, of the OSI model. TCP provides connection-oriented communications for hosts on TCP/IP networks.

You need to understand and be able to comparatively analyze the OSI layer at which the protocols work. The OSI model layers and the protocols that work at each layer are as follows:

Layer 7: Application - FTP, TFTP, DNS, SMTP, SFTP, SNMP, HTTP, Telnet, DHCP, Secure Copy Protocol (SCP)
Layer 6: Presentation - MPEG, JPEG, TIFF
Layer 5: Session - NetBIOS, PPTP, RTP, NFS, Session Control Protocol (SCP)
Layer 4: Transport - TCP, UDP
Layer 3: Network - IP, ICMP, IPSec, IGMP, AppleTalk, OSPF, RIP, ARP, RARP
Layer 2: Data Link - SLIP, PPP, MTU, L2TP, Frame Relay, SDLC
Layer 1: Physical - IEEE 802, USB, Bluetooth, RS-232, DSL

Remember that Secure Copy (SCP) operates at the Application layer, but Session Control Protocol (SCP) operates at the Session layer.

Answer:
message integrity


Explanation:
Message authentication code (MAC), which is also referred to as message integrity code (MIC), ensures integrity of the messages. MAC adds authentication capability to a one-way hashing function.

MAC cannot ensure the availability of the data or the system.

MAC does not ensure message replay. It provides protection against message replay attacks. A message replay can be performed to gain access to information and to reinsert the information back to a legitimate connection through attacks, such as man-in-the-middle attacks.

A one-way hashing function does not use any key and only ensures that the message that is transferred is not tampered with by calculating a checksum value. Messages with one-way hashing can be intercepted and hashing can be reproduced. One-way hashing converts a message of arbitrary length into a value of fixed length. Given the digest value, it should be computationally infeasible to find the corresponding message. It should be impossible or rare to derive the same digest from two different messages. MAC applies a secret key to the message that is known to the authorized recipient only. Block chaining cryptography uses MAC to ensure the authenticity of the message.

There are two basic types of MAC: Hash-MAC (HMAC) and CBC-MAC. In HMAC, a symmetric key is appended to the message that is known only to the authorized recipient. However, HMAC lacks confidentiality. When an HMAC function is used, a symmetric key is combined with the message, and then that result is put through a hashing algorithm. The result is an HMAC value. HMAC provides data origin authentication and data integrity. In CBC-MAC, the message is encrypted with a symmetric block cipher in CBC mode. Some MAC algorithms use stream ciphers as well. HMAC provides integrity and data origin authentication; CBC-MAC uses a block cipher for the process of creating a MAC.

MAC was developed to prevent fraud in electronic fund transfers involved in online transactions.

Answer:
message integrity


Explanation:
Message authentication code (MAC), which is also referred to as message integrity code (MIC), ensures the integrity of messages. MAC adds authentication capability to a one-way hashing function.

MAC does not ensure message replay. It provides protection against message replay attacks. A message replay can be performed to gain access to information and to reinsert the information back to a legitimate connection through attacks, such as man-in-the-middle attacks.

MAC cannot ensure the availability of the data or the system.

A one-way hashing function does not use any key and only ensures that the message that is transferred is not tampered with by calculating a checksum value. Messages with one-way hashing can be intercepted, and hashing can be reproduced. MAC applies a secret key to the message that is known to the authorized recipient only. Block chaining cryptography uses MAC to ensure the authenticity of the message.

MAC was developed to prevent fraud in electronic fund transfers involved in online transactions. There are two basic types of MAC: Hash-MAC (HMAC) and CBC-MAC. In HMAC, a symmetric key is appended to the message that is known only to the authorized recipient. However, HMAC lacks confidentiality. In CBC-MAC, the message is encrypted with a symmetric block cipher in CBC mode. Some MAC algorithms use stream ciphers as well.

You need to understand the difference between block and stream ciphers. A block cipher uses an algorithm that conducts operations on fixed-length groupings of bits, or blocks. A stream cipher takes plain text characters or digits and combines them with a pseudo-random cipher digit stream, or key stream.

Answer:
ECC requires fewer resources.


Explanation:
The advantage of Elliptic Curve Cryptography (ECC) over the Rivest, Shamir, and Adleman (RSA) algorithm is its improved efficiency and requirement of fewer resources than RSA. ECC has a higher strength per bit than RSA.

ECC is a method used to implement public-key (asymmetric) cryptography. ECC serves as an alternative to the RSA algorithm and provides similar functionalities. The functions of ECC are digital signature generation, secure key distribution, and encryption and decryption of data.

Wireless devices, handheld computers, smart cards, and cellular telephones have limited processing power, storage, power, memory, and bandwidth compared to other systems. To ensure efficient use of resources, ECC provides encryption by using shorter key lengths. Shorter key lengths do not imply less secure systems. Therefore, ECC provides the same level of security as RSA by using a shorter key that enables easier processing by the resource-constrained devices. For example, a 224-bit ECC key provides the same level of security as the 2048-bit keys used by legacy schemes. A 3072-bit legacy key and a 256-bit ECC key provide equivalent security. This is an obvious advantage when the future lies in smaller devices and increased security.

Also keep in mind that you need to understand ephemeral keys and perfect forward secrecy. An ephemeral key is used when a key is generated for each execution of a key establishment process. In some cases ephemeral keys are used more than once within a single session when the sender generates only one ephemeral key pair per message and the private key is combined separately with each recipient's public key.

Perfect forward secrecy (PFS) ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. For PFS to exist, the key used to protect transmission of data must NOT be used to derive any additional keys. If the key used to protect data transmission was derived from some other keying material, that material must NOT be used to derive any more keys.

Answer:
the establishment of a web of trust between the users


Explanation:
Pretty Good Privacy (PGP) establishes a web of trust between the users. A web of trust implies that the users generate and distribute their public keys. These keys are signed by users for each other, establishing a community of users who trust each other for communication. Every user has a collection of signed public keys stored in a file known as a key ring. A level of trust and validity are associated with each key in that list. For example, if A trusts B more than C, there will be a higher level of trust for B compared to C.

PGP is a public key encryption standard that is used to protect e-mail and files that are transmitted over the network. PGP encrypts data using symmetric encryption. PGP provides the following functionalities:
confidentiality through the International Data Encryption Algorithm (IDEA)
integrity through the Message Digest 5 (MD5) hashing algorithm
authentication through public key certificates
non-repudiation through encrypted signed messages

PGP does not use either certification authorities (CA) servers or formal trust certificates. The users trust each other instead of trusting only the CA server before initiating the communication.

The drawback of PGP is that unlike the centralized CA server, it is hard to achieve standardized functionality using PGP. After the loss of a private key by a user, the user should inform all of the other users in the user's web of trust to avoid unauthorized communication.

PGP deploys a web of trust and does not use trust domains between the servers and the clients.

PGP does not use private keys for authentication and encryption, but instead uses public and private keys to deploy public key cryptography for authentication and encryption.

Answer:
Wi-Fi Protected Access (WPA)


Explanation:
You should implement WPA. WPA was created to fix core problems with WEP. WPA is designed to work with older wireless clients while implementing the 802.11i standard.

WAP is the default protocol used by most wireless networks and devices. However, because WAP can access Web pages and scripts, there is great opportunity for malicious code to damage a system. WAP does not provide maximum security. It is considered the weakest wireless protocol.

WEP is the security standard for wireless networks and devices that uses encryption to protect data. However, WEP does have weaknesses and is not as secure as WPA or WPA2.

WPA2 implements the 802.11i standard completely. Therefore, it does not support the use of older wireless cards. Identification and WPA2 are considered the best combination for securing a wireless network.

There are two versions of WPA: WPA and WPA2. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. WPA2 uses CCM Mode Protocol (CCMP) for encryption. Both WPA and WPA2 can operate in two modes: Personal and Enterprise. Because CCMP uses AES, TKIP is considered weaker than CCMP.

The Personal mode uses a 256-bit key and is referred to as WPA-Personal or WPA-Preshared Key (WPA-PSK) and WPA2-Personal or WPA2-PSK, depending on which version of WPA you implement.

The Enterprise mode is designed for enterprise networks and uses Extensible Authentication Protocol (EAP) for authentication. This mode is referred to as WPA-Enterprise or WPA-802.1x and WPA2-Enterprise or WPA2-802.1x, depending on which version of WPA you implement.

WPA-Enterprise is more secure than WPA2-PSK.

If you need to implement a secure wireless authentication method that uses a remote RADIUS server for authentication, you should implement Lightweight Extensible Authentication Protocol (LEAP) or Protected Extensible Authentication Protocol (PEAP). Of these two protocols, PEAP is considered the most secure.

When deploying a WPA2-Enterprise wireless network, you will need to install a digital certificate on the authentication server.

Answer:
PPTP
L2TP


Explanation:
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can use the Internet as their WAN link. This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect, PPTP creates a secure WAN connection using dial-up access.

PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server.

Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP and can also be used to create a VPN. L2TP is a combination of PPTP and Cisco's Layer 2 Forwarding (L2F) tunneling protocols and operates at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model. L2TP uses User Datagram Protocol (UDP) for sending packets as well as for maintaining the connection. Internet Protocol Security (IPSec) is used in conjunction with L2TP for encryption of the data.

PPP is a protocol used to establish dial-up network connections.

Secure Sockets Layer (SSL) is a security protocol that uses both encryption and authentication to protect data sent in network communications.

Remote Access Service (RAS) is a service provided by the network operating system that allows remote access to the network via a dial-up connection.

L2TP can be combined with Internet Protocol Security (IPSec) to provide enhanced security. Both PPTP and L2TP create a single point-to-point, client-to-server communication link.

Answer:
Class 2 assurance for a digital certificate only verifies a user's name and e-mail address.


Explanation:
Class 2 assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database.

X.509 is a digital certificate standard that defines the certificate formats and fields for public keys. X.509 defines the manner in which a certification authority creates a digital certificate. X.509 defines the various fields present in digital certificates, such as distinguished names of the subject, user's public key, serial number, version number, lifetime dates, digital signature identifier, and the signature of the issuing authority. It does not contain any private keys. There have been several versions of X.509 since its inception. The current version is X.509v4. The X.509 standard is used in many security protocols, such as the Secure Sockets Layer (SSL) protocol.

Class 1 assurance for a digital certificate only requires an e-mail address.

Digital certification provides authentication before securely sending information to a Web server.

Certificates act as safeguards for Internet transactions in which a user makes an online transaction with a Web server by providing services, such as non-repudiation, authentication, and encryption and decryption of data.

When a certificate is created, the user's public key and the validity period are combined with the certificate issuer and the digital signature algorithm identifier before computing the digital signature.