Читаем CISSP Practice полностью

182. b. An electronic signature is a cryptographic mechanism that performs a similar function to a handwritten signature. It is used to verify the origin and contents of a message. For example, a recipient of data (such as an e-mail message) can verify who signed the data and that the data was not modified after being signed. This also means that the originator (for example, sender of an e-mail message) cannot falsely deny having signed the data. Electronic signatures are difficult to forge; although, written signatures are easily forged. Electronic signatures can use either secret (private) key or public key cryptography; however, public key methods are generally easier to use.

The other three choices are incorrect because they are true statements. In general, electronic signatures have received the same legal status as that of written signatures. Cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures rely on the secrecy of the keys, the link or binding between the owner of the key, and the key itself. If a key is compromised due to social engineering by theft, coercion, or trickery, then the electronic originator of a message may not be the same as the owner of the key. Although the binding of cryptographic keys to actual people is a significant problem, it does not necessarily make electronic signatures less secure than written signatures. Trickery and coercion are problems for written signatures as well.

183. Which of the following security services or statements is not true about the U.S. digital signature standard (DSS)?

a. It generates a digital signature.

b. It does not require a third-party certificate.

c. It assures nonrepudiation of a message.

d. It verifies a digital signature.

183. b. A digital signature provides two distinct services: nonrepudiation and message integrity. The digital signature standard (DSS) specifies a digital signature algorithm (DSA) that should be used when message and data integrity is required. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and the integrity of the data can be verified.

The DSA provides the capability to generate and verify digital signatures. Signature verification makes use of a public key that corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair. It is assumed that the public knows about public keys. Private keys are never shared. Anyone can verify the signature of a user by employing that user’s public key. Only the possessor of the user’s private key can perform signature generation. Because of this, nonrepudiation of a message is achieved. This means that the parties to an electronic communication could not dispute having participated in the communication, or it can prove to a third party that data was actually signed by the generator of the signature.

The DSS can be implemented in hardware, software, and/or firmware and is subject to U.S. Commerce Department export controls. The DSS technique is intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and origin authentication.

A digital signature system requires a means for associating pairs of public and private keys with the corresponding users. A mutually trusted third party such as a certifying authority can bind a user’s identity and his public key. The certifying authority could issue a “certificate” by signing credentials containing a user’s identity and public key. Hence, a third-party certificate is needed.

184. Pretty good privacy (PGP) and privacy enhanced mail (PEM) are electronic-mail security programs. Which of the following statements is not true about PGP and PEM?

a. They both encrypt messages.

b. They both sign messages.

c. They both have the same uses.

d. They are both based on public-key cryptography.