Security+ Guide to Network Security Fundamentals, 2e Solutions 9-1

Chapter 9 Review Questions

1. _____ cryptography uses one key to both encrypt and decrypt messages.
   a. Symmetric
   b. Asymmetric
   c. PIK
   d. Dual Key Hashing (DKH)
   Answer: a. Symmetric

2. The primary weakness of symmetric cryptography is _____.
   a. key management
   b. RAM memory requirements
   c. CPU processing speed
   d. hard disk storage space
   Answer: a. key management (the shared key must be delivered to every party over a channel the attacker cannot read, and a separate key is needed for each pair of parties)

3. A _____ is a shorter version of the message itself that is created from the contents of the message and the sender's private key.
   a. hash algorithm
   b. certificate authority
   c. digital certificate
   d. digital signature
   Answer: d. digital signature (a hash of the message, encrypted with the sender's private key)

4. Revoked digital certificates are listed in a(n) _____.
   a. Certificate Revocation List (CRL)
   b. Certification Authority Revocation Algorithm (CARA)
   c. 509.X certificate
   d. Public Key Crypto Folder (PKCF)
   Answer: a. Certificate Revocation List (CRL)

5. A subordinate certification authority server is known as a _____ server.
   a. Registration Authority (RA)
   b. CA proxy
   c. Certificate Extension Server (CES)
   d. Digital CA Directory Access Proxy
   Answer: a. Registration Authority (RA), as the textbook defines it. In deployed PKIs the RA verifies the identity of certificate applicants but does not sign certificates; a CA that chains up to a root is usually called an intermediate or subordinate CA.

6. When using symmetric cryptography it is acceptable to use the same key for encrypting documents sent to several different users. True or false?
   Answer: False. Any recipient who holds the shared key can read, and forge, the documents meant for the others; each pair of communicating parties needs its own key.

7. Another alternative to a certificate authority (CA) is to provide the information in a publicly accessible directory called a Certificate Repository (CR). True or false?
   Answer: True.

8. A Public Key Infrastructure (PKI) is a system that manages encryption keys and identity information for the human and mechanical components of a network that require asymmetric cryptography. True or false?
   Answer: True.

9. Public Key Cryptography Standards (PKCS) is a numbered set of standards that are widely accepted in the industry. True or false?
   Answer: True.

10. A web of trust model uses multiple certification authority (CA) servers. True or false?
   Answer: False. A web of trust has no CA at all; users vouch for one another by signing each other's public keys directly, as in PGP.

11. The primary disadvantage of _____ cryptography is that it is a computing-intensive process.
   Answer: public key (asymmetric)

12. _____ defines the format for the digital certificate and is the most widely used certificate format for PKI.
   Answer: X.509

13. _____ certificates are issued directly to individuals and are typically used to secure e-mail transmissions through S/MIME and SSL/TLS.
   Answer: Personal

14. Key management can either be centralized or _____.
   Answer: decentralized

15. One way to provide more security than a single set of public and private keys (a single dual-key pair) can offer is to use _____ pairs of dual keys.
   Answer: multiple

16. Explain the difference between a certificate policy (CP) and a certificate practice statement (CPS).
   A certificate policy (CP) is a published set of rules that govern the operation of the PKI and may be used by a certificate user to determine the trustworthiness of a certificate for a particular application. The CP provides recommended baseline security requirements for the use and operation of Certificate Authorities (CAs), Registration Authorities (RAs), and other PKI components. A Certificate Practice Statement (CPS) is a more technical document than a CP: it describes in detail how the CA uses and manages certificates and so how it meets the requirements of the CP.

17. What is key escrow? Why is it used?
   Key escrow means that a user's key is held by a third-party entity, such as a trusted CA, that can release it under defined conditions. In the arrangement the textbook describes, the private key is split into two halves and each half is encrypted. The two halves are sent to the third party, which stores each one in a separate location. If the private key must be retrieved, the two halves are combined and then decrypted. Escrow relieves the end user of the worry of losing her private key, and lets the organization recover data encrypted under it, but the existence of a recoverable copy makes the key an attractive target for attack. Escrow is appropriate only for encryption keys: a signing key that someone other than its owner can recover no longer provides non-repudiation.

18. Explain M-of-N control and tell how it works. What happens if an employee is hospitalized for an extended period of time yet the organization for which she works needs to transact business using her keys? How can her key be recovered?
   One technique is known as M-of-N control. Well before the user is incapacitated, her private key is encrypted and divided into a specific number of parts, for example three. The parts are distributed to other trusted individuals, with overlap so that more than one person holds each part; in the textbook's example the three parts go to six people, two people per part, so that no single absence blocks recovery. The full set of holders is the N group. If it becomes necessary to recover the key, a smaller subset of at least M holders (M < N) must meet, agree that recovery is justified, and combine their parts to reconstruct the key. With a proper threshold scheme such as Shamir's secret sharing, any M of the N shares are enough and any M-1 shares reveal nothing about the key, which is stronger than simply handing out duplicate parts.

19. What is the difference between key destruction and key revocation?
   Key destruction removes the private and public keys, along with the user's identification information, from the CA. When a key is revoked or expires, the user's information remains on the CA; a revoked certificate also stays on the CRL until its original expiration date so that relying parties can continue to reject it.

20. Why should keys not be renewed?
   Keys should be allowed to expire, and be replaced with freshly generated keys, because expiration limits the damage from an undetected compromise. If an attacker has captured a user's key without the user's knowledge, she could use that key indefinitely. If the key is allowed to expire, a new key pair must be generated and the stolen key is no longer valid. Renewing a certificate on the same key pair would keep the exposed key in service, so any renewal should rekey rather than simply extend the validity period.
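The key splitting in question 17 and the M-of-N recovery in question 18 both rest on threshold secret sharing. The following Python program is an added example, not code from the textbook or its solutions manual. It implements Shamir's scheme over a prime field using only the standard library, and its `demo()` function plays out question 18's scenario with six custodians and a threshold of three, using a constructed random 32-byte value as a stand-in for the employee's private key material. The function names (`split_secret`, `recover_int`, `recover_secret`, `demo`) and the choice of field prime are the example's own assumptions.

```python
"""M-of-N (threshold) secret sharing with Shamir's scheme, standard library only.

Added example: a secret is split into N shares so that any M of them
reconstruct it, while M-1 shares reveal nothing about it.
"""
import secrets
from typing import List, Tuple

# 2^521 - 1 is a Mersenne prime; any secret below it (a 256-bit AES key, or an
# encrypted private key cut into chunks of that size) fits in the field.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)) handed to one custodian


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a0 + a1*x + a2*x^2 + ... at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, m: int, n: int) -> List[Share]:
    """Split `secret` into n shares; any m of them recover it (1 < m <= n)."""
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # The secret is the constant term; m-1 random coefficients give a polynomial
    # of degree m-1, which m points determine uniquely and m-1 points do not.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_int(shares: List[Share]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Recover the original secret bytes from at least m shares."""
    return recover_int(shares).to_bytes(secret_len, "big")


def demo() -> bool:
    """Question 18's scenario: six custodians, any three of whom recover the key."""
    # Constructed stand-in for the hospitalized employee's private key material.
    key = secrets.token_bytes(32)
    shares = split_secret(key, m=3, n=6)
    # Any three custodians together reconstruct the key ...
    recovered = recover_secret([shares[0], shares[3], shares[5]], len(key))
    # ... while two acting alone obtain an unrelated field element.
    too_few = recover_int(shares[:2]) != int.from_bytes(key, "big")
    return recovered == key and too_few


if __name__ == "__main__":
    print("M-of-N recovery works as expected:", demo())
```

Run the file directly to exercise the six-custodian case, or import `split_secret` and `recover_secret` into a recovery script. In an operational setting each share would itself be encrypted to its custodian's own key, and the reconstruction would take place inside an HSM or an offline ceremony so the recovered private key never sits in memory on a general-purpose host.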