Security+ Guide to Network Security Fundamentals, 2e Solutions 9-1
Chapter 9 Review Questions
1. _____ cryptography uses one key to both encrypt and decrypt messages.
d. Dual Key Hashing (DKH)
2. The primary weakness of symmetric cryptography is _________________.
a. key management
b. RAM memory requirements
c. CPU processing speed
d. Hard disk storage space
3. A _____ is a shorter version of the message itself that is created by the contents of
the message and the sender’s private key.
a. hash algorithm
b. certificate authority
c. digital certificate
d. digital signature
4. Revoked digital certificates are listed in a(n) ___________________.
a. Certificate Revocation List (CRL)
b. Certification Authority Revocation Algorithm (CARA)
c. 509.X certificate
d. Public Key Crypto Folder (PKCF)
5. A subordinate certification authority server is known as a _____ server.
a. Registration Authority (RA)
b. CA proxy
c. Certificate Extension Server (CES)
d. Digital CA Directory Access Proxy
6. When using symmetric cryptography it is acceptable to use the same key for
encrypting documents sent to several different users. True or false?
7. Another alternative to a certificate authority (CA) is to provide the information in
a publicly accessible directory called a Certificate Repository (CR). True or
8. A Public Key Infrastructure (PKI) is a system that manages encryption keys and
identity information for the human and mechanical components of a network that
require asymmetric cryptography. True or false?
9. Public Key Cryptography Standards (PKCS) is a numbered set of standards that
are widely accepted in the industry. True or false?
10. A web of trust model uses multiple certification authority (CA) servers. True or
11. The primary disadvantage of _____ cryptography is that it is a computing-
intensive process. public key (asymmetric)
12. _____ defines the format for the digital certificate and is the most widely used
certificate format for PKI. X.509
13. _____ certificates are issued directly to individuals and are typically used to
secure e-mail transmissions through S/MIME and SSL/TLS. Personal
14. Key management can either be centralized or _____. decentralized
15. One way to provide more security than a single set of public and private (single-
dual) keys can offer is to use _____ pairs of dual keys. multiple
16. Explain the difference between a certificate policy (CP) and a certificate practice
A certificate policy (CP) is a published set of rules that govern the operation
of the PKI and may be used by a certificate user to determine the
trustworthiness of a certificate for a particular application. The CP provides
recommended baseline security requirements for the use and operation of
Certificate Authorities (CA), Registration Authorities (RA), and other PKI
components. A Certificate Practice Statement (CPS) is a more technical
document compared to a CP. A CPS describes in detail how the CA uses and
17. What is key escrow? Why is it used?
Keys that are managed by a third-party entity are known as key escrow. There
are a number of organizations that will provide this service, such as a trusted
CA. When using key escrow the private key is actually split, with each half
encrypted. The two halves are sent to the third party, which stores each half
in a separate location. If the private key must be retrieved, the two
halves are combined and then decrypted. Although key escrow
relieves the end user from the worry of losing her private key, having a
copy of the key makes it vulnerable to attacks.
18. Explain M-of-N control and tell how it works.
What happens if an employee is hospitalized for an extended period of time
yet the organization for which she works needs to transact business using her
keys? How can her key be recovered? One technique is known as M-of-N
control. Well before a user is incapacitated her private key is encrypted and
divided into a specific number of parts, for example three. The parts are
distributed to other individuals, with an overlap so that multiple individuals
have the same part. For example, the three parts could be distributed to six
people, with two people each having the same part. This is known as the N
group. If it is necessary to recover the key, a smaller subset of the N group
known as the M group must meet together and agree that the key should be
recovered. If a majority of the M group agree then they can piece back
together the key.
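As an added illustration (not part of the textbook's solutions), the following Python models the M-of-N procedure described above: the already-encrypted key is split into three parts, the parts are handed to an N group of six people so that each part is held by two of them, and recovery succeeds only when a majority of the designated M group agrees and the shares they bring cover every part. The holder names, the byte-slicing split and the sample key blob are constructed for the example.

```python
# Toy model of the M-of-N key recovery described in the answer to question 18.
# Constructed example: byte-slicing gives each holder part of the key, so a
# real deployment would use a threshold scheme (e.g. Shamir's) instead.
from typing import Dict, List, Tuple

Share = Tuple[int, bytes]  # (part index, part contents)


def split_key(encrypted_key: bytes, n_parts: int) -> List[bytes]:
    """Divide the already-encrypted private key into n_parts consecutive slices."""
    size = -(-len(encrypted_key) // n_parts)  # ceiling division
    return [encrypted_key[i * size:(i + 1) * size] for i in range(n_parts)]


def distribute(parts: List[bytes], n_group: List[str]) -> Dict[str, Share]:
    """Hand the parts to the N group round-robin, so every part is held by
    more than one person (the overlap the answer describes)."""
    if len(n_group) < 2 * len(parts):
        raise ValueError("need at least two holders per part for redundancy")
    return {holder: (i % len(parts), parts[i % len(parts)])
            for i, holder in enumerate(n_group)}


def recover_key(n_parts: int, m_group: List[str],
                contributed: Dict[str, Share]) -> bytes:
    """Reassemble the key from shares brought by agreeing M-group members.
    Recovery needs (1) a majority of the M group and (2) every part index
    present among the contributed shares; otherwise it fails closed."""
    voters = [h for h in m_group if h in contributed]
    if len(voters) * 2 <= len(m_group):
        raise PermissionError("a majority of the M group must agree")
    by_index = {contributed[h][0]: contributed[h][1] for h in voters}
    missing = set(range(n_parts)) - by_index.keys()
    if missing:
        raise ValueError(f"agreeing members do not hold part(s) {sorted(missing)}")
    return b"".join(by_index[i] for i in range(n_parts))


def demo() -> bytes:
    # Constructed sample: a stand-in for an encrypted private key blob.
    encrypted_key = b"ENCRYPTED-PRIVATE-KEY-BLOB-0123456789"
    parts = split_key(encrypted_key, 3)
    n_group = ["alice", "bob", "carol", "dave", "erin", "frank"]
    shares = distribute(parts, n_group)  # alice/dave: part 0, bob/erin: 1, carol/frank: 2
    m_group = ["alice", "bob", "carol", "dave"]  # subset designated to authorize recovery
    agreeing = {h: shares[h] for h in ("alice", "bob", "carol")}  # 3 of 4, covers all parts
    return recover_key(3, m_group, agreeing)
```

Changing the agreeing set to alice, bob and dave still gives a majority but leaves part 2 unheld, so recover_key raises instead of returning a partial key.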
19. What is the difference between key destruction and key revocation?
Key destruction removes all private and public keys along with the user’s
identification information in the CA. When a key is revoked or expired the
user’s information remains on the CA.
20. Why should keys not be renewed?
Keys should be allowed to expire because it provides additional security. If
an attacker has unknowingly captured a user’s key she could use that key
indefinitely without the user’s knowledge. If, however, the key is allowed to
expire then a new key must be generated, making the attacker’s stolen key no