4.8 Success Answers
1. The main role of a cryptographic hash function is in the provision of:
A. Message integrity checks and digital signatures
B. Message integrity checks only
C. Digital signatures only
D. Signature algorithm computations
Explanation: The main role of a cryptographic hash function is in the provision of message integrity checks and digital signatures. Since hash functions are generally faster than encryption or digital signature algorithms, it is typical to compute the digital signature or integrity check to some document by applying cryptographic processing to the document's hash value, which is small compared to the document itself.
2. What is used to allow verification of the claim that a specific public key does in fact belong to a specific individual?
B. Key ring
Explanation: Certificates are issued by the certificate authority. Certificates are digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a specific public key does in fact belong to a specific individual. Certificates help prevent someone from using a phony key to impersonate someone else. In some cases it may be necessary to create a chain of certificates, each one certifying the previous one until the parties involved are confident in the identity in question.
A key ring may be used to hold an individual's collection of keys. SAs and tickets are used in distributed cryptosystems but are not specifically involved in authentication.
3. To protect the data while in transit on a network, what is used to identify errors and omissions in the information?
A. Record sequence checking
B. Transmission error correction
C. Retransmission controls
D. Hash total
Explanation: Hash totals identify errors and omissions in the information. A hash algorithm provides a hexadecimal checksum of the data. This checksum is stored in a record prior to transmission and then sent to the remote computer along with the data. The remote system can then compute the checksum itself, and if it agrees with the value that was calculated before transmission, the information arrived intact.
Record sequence checking would verify that records were received in the correct order, but not verify record contents. TCP-level techniques do not protect against alteration of data during transmission, since packets could potentially be inserted with altered information.
4. A digital certificate contains what data? (choose all that apply)
A. A subject name, which identifies the person or object that the certificate represents.
B. The public key belonging to the subject.
C. The identity of a Certificate Authority (CA) that has signed the certificate to certify that the public key and the identity both belong to the subject.
D. The digital signature of the named CA.
E. An expiration date for the Certificate
5. From the list, select the symmetric algorithms
Explanation: AES, Blowfish, CAST5, CAST128, DES, DESede, GOST, IDEA, LOKI91, Mars, RC2, RC4, RC5, RC6, SAFER, Skipjack, SPEED, Square, TEA and Twofish are symmetric algorithms.
PGP and IPSec are asymmetric algorithms.
6. A digitally signed message offers
A. Authentication of Origin
B. Integrity of Data
Explanation: Signing a message does not mean the message IS encrypted. It is possible, but not MANDATORY. Without encryption, confidentiality is not offered. On Diffie-Hellman: "The Diffie-Hellman variant described requires the recipient to have a certificate, but the originator may have a static key pair (with the public key placed in a certificate) or an ephemeral key pair." -- RFC 2631
7. The definition of a Certificate Policy is
A. Found in US Title Code (Federal law)
B. Determined by the CA
C. Both choices are correct
D. No choice is correct
Explanation: "Certificate Policy is defined and maintained in conjunction with related policies in the organization." -- Entrust White Paper. These policies are not specifically determined by law.
8. What does CPS mean?
A. Cycles Per Second
B. Certificate Practice Statements
C. Certificate Policy Statements
D. Certificate Procedure Statements
E. No choice is correct
Explanation: While Cycles per Second would be accurate in an electronics certification test, this is about Security+.
"A Certification Practice Statement (CPS) is a statement of the practices that a CA employs in managing the certificates that it issues." -- Entrust White Paper
9. Certificate Revoking is based on
B. Expiration date
C. Administrator action
D. No choice is correct
E. Some choices are correct
Explanation: Expiration date is one part of policy that is standardized. The real issue addressed here is the policy of compromised keys.
"The certificate revocation policies of your organization include policies for revoking certificates and policies for certificate revocation lists (CRLs).
Policies for Revoking Certificates
Your certificate revocation policy specifies the circumstances that justify revoking a certificate. For example, you can specify that certificates must be revoked when employees are terminated or transferred to other business units. You can also specify that certificates must be revoked if users misuse their security privileges or the private keys are compromised (a lost smart card, for instance). For computer certificates, you can specify that certificates must be revoked if the computer is replaced or permanently removed from service, or if the key is compromised.
Policies for Certificate Revocation Lists
Your CRL policies specify where you will distribute CRLs and the publishing schedule for CRLs. For example, you can specify that certain CRLs will be distributed to commonly used public folders and Web pages, as well as to Active Directory. You can also specify that certain CRLs be published daily instead of using the default weekly publication." -- Microsoft Resource Kit, Planning Your Public Key Infrastructure.
10. Select the protocol that is utilized for management and negotiation of SAs.
Explanation: "The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA)." -- RFC 2048
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.