Читаем CISSP Practice полностью

224. b. Side channel attacks result from the physical implementation of a cryptosystem through the leakage of information by monitoring sound from computations to reveal cryptographic key-related information. Side-channel attacks are based on stealing valuable information whereas the other three choices deal with deceiving people.

Social engineering attacks focus on coercing people to divulge passwords and other valuable information. Phishing attack involves tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing is a digital form of social engineering that uses authentic-lookingbut boguse-mails to request information from users or direct them to a fake website that requests valuable personal information. Shoulder surfing attack is similar to social engineering where the attacker uses direct observation techniques such as looking over someone’s shoulder to obtain passwords, PINs, and other valuable codes.

225. A cryptographic key may pass through several states between its generation and its distribution. A cryptographic key may not enter the compromised state from which of the following states?

a. Pre-activation state

b. Destroyed state

c. Active state

d. Deactivated state

225. b. A cryptographic key may pass through several states between its generation and its destruction. Six key-states include pre-activation state, active state, deactivated state, destroyed state, compromised state, and destroyed compromised state. In general, keys are compromised when they are released to or determined by an unauthorized entity. If the integrity or secrecy of the key is suspect, the compromised key is revoked. A cryptographic key may enter the compromised state from all states except the destroyed state and destroyed compromised states. A compromised key is not used to apply cryptographic protection to information. Even though the key no longer exists in the destroyed state, certain key attributes such as key name, key type, and crypto-period may be retained, which is risky.

The other three choices are not risky. In the pre-activation state, the key has been generated but is not yet authorized for use. In this state the key may be used only to perform proof-of-possession or key confirmation. In the active state, a key may be used to cryptographically protect information or to cryptographically process previously protected information (for example, decrypt ciphertext or verify a digital signature) or both. When a key is active, it may be designated to protect only, process only, or both protect and process. In the deactivated state, a key’s crypto-period has expired, but it is still needed to perform cryptographic processing until it is destroyed.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 7.

The ARK Company just discovered that its mail server was used for phishing by an outside attacker. To protect its reputation and reduce future impersonation attacks, the company wants to implement reasonable, cost-effective, public key infrastructure (PKI) tools.

1. Which of the following is required to accept digital certificates from multiple vendor certification authorities?

a. The application must be PKI-enabled.

b. The application must be PKI-aware.

c. The application must use X.509 Version 3.

d. The application must use PKI-vendor plug-ins.

1.c. Using the X.509 Version 3 standard helps application programs in accepting digital certificates from multiple vendor CAs, assuming that the certificates conform to a consistent Certificate Profiles. Application programs either have to be PKI-enabled, PKI-aware, or use PKI vendor plug-ins prior to the use of X.509 Version 3 standard. Version 3 is more interoperable so that an application program can accept digital certificates from multiple vendor certification authorities. Version 3 standard for digital certificates provides specific bits that can be set in a certificate to ensure that the certificate is used only for specific services such as digital signature, authentication, and encryption.

2. Which of the following provides a unique user ID for a digital certificate?

a. Username

b. User organization

c. User e-mail

d. User message digest