35. The owner of a cryptographic key pair demonstrates proof-of-possession by using:
a. Private key
b. Public key
c. Ephemeral key
d. Encrypted key

35. a.
The proof-of-possession is a verification process whereby it is proven that the owner of a key pair actually has the private key associated with the public key. The owner demonstrates the possession by using the private key in its intended manner. Without the assurance of possession, it would be possible for the certificate authority to bind the public key to the wrong entity. The other three choices do not demonstrate proof-of-possession.

36. Which of the following can be specified in bits?
1. Security strength of a cryptographic algorithm
2. Entropy
3. Hash function
4. Internet Protocol (IP) address identifier
a. 1 and 4
b. 2 and 3
c. 1, 3, and 4
d. 1, 2, 3, and 4

36. d.
The security strength of a cryptographic algorithm as well as entropy, hash function, and the Internet Protocol (IP) address identifier are specified in bits.

37. Which of the following is often distributed as a self-signed certificate?
a. Trust anchors
b. Root certificate store
c. Trust list
d. Trust keys

37. a.
Certificate authorities (CAs) generally issue a self-signed certificate (called root certificate), which is also called a trust anchor. CAs that a relying party trusts directly are called trust anchors. When multiple trust anchors are recognized, the set of trust anchors is referred to as the trust list. CA certificates play a key role in many protocols and applications and are generally kept in what is often called a root certificate store. Trust keys are used in trust anchors. Root certificate store is used in validating certificate path.

38. Which of the following does not require cryptographic keys?
a. Symmetric key algorithms
b. Asymmetric key algorithms
c. Cryptographic hash algorithms
d. Secret key algorithms

38. c.
Cryptographic hash algorithms (hash functions) do not require keys. The hash functions generate a relatively small digest (hash value) from a large input that is difficult to reverse. However, in some instances such as in the generation of hashed message authentication codes (HMAC), keyed hash functions are used.
Symmetric key algorithms (known as secret/private) transform data that is difficult to undo without knowledge of a secret key. Asymmetric key algorithms (known as public) use two related keys to perform their functions (i.e., a public key and a private key forming a key pair).

39. Which of the following is a noncryptographic technique that provides message integrity and creates insecurity?
a. Message authentication code
b. Error detection codes
c. Cryptographic checksum
d. Block cipher algorithms

39. b.
Although message integrity is often provided using noncryptographic techniques known as error detection codes, these codes can be altered by an attacker for his benefit and hence create insecurity. Use of message authentication code (MAC) can alleviate this problem as it is based on block cipher algorithm. The cryptographic checksum is an algorithm that uses the bits in the transmission to create a checksum value and hence is secure. A noncryptographic technique does not use a cryptographic key.

40. Key wrapping provides which of the following services to the wrapped material?
a. Confidentiality and integrity
b. Authentication and integrity
c. Accountability and availability
d. Assurance and reliability

40. a.
Key wrapping is the encryption of a key by a key encrypting key using a symmetric algorithm. Key wrapping provides both confidentiality and integrity services to the wrapped material and does not provide services listed in the other three choices.

41. Countermeasures against man-in-the-middle attacks include which of the following?
1. Implement digital signatures
2. Use split knowledge procedures
3. Use faster hardware
4. Use packet filters
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1 and 4

41. a.
The man-in-the-middle (MitM) attack takes advantage of the store-and-forward mechanism used by insecure networks such as the Internet. Digital signatures and split knowledge procedures are effective against such attacks. Faster hardware and packet filters are effective against denial-of-service (DoS) attacks.

42. Digital signatures cannot provide which of the following security services?
a. Confidentiality
b. Authentication