106. b. Critical security parameters (CSP) contain security-related information (for example, secret and private cryptographic keys, and authentication data such as passwords and PINs) whose disclosure or modification can compromise the security of a cryptographic module or the security of the information protected by the module. Public security parameters (PSP) deal with security-related public information (for example, public keys) whose modification can compromise the security of a cryptographic module. Sensitive security parameters (SSP) contain both CSP and PSP. In other words, SSP = CSP + PSP. A trusted channel is generally established to transport the SSPs, data, and other critical information shared by the cryptographic module and the module’s operator.

The other three choices are incorrect. A port is a physical entry or exit point of a cryptographic module that provides access to the module for physical signals represented by logical information flows. Port security parameters and data/program security parameters are not that important to the cryptographic module, and private security parameters do not exist.

107. The U.S. government imposes export controls on strong cryptography. Which of the following is the acceptable encryption key length for use behind the firewall in foreign countries or in networks that include nodes in a foreign country?

a. 40 bits

b. 56 bits

c. 75 bits

d. 90 bits

107. a. Encryption using keys of 40 or fewer bits is only acceptable for use behind the firewall. Leading cryptographers recommend businesses use key lengths of at least 75 bits, with 90 bits being preferable. The Data Encryption Standard (DES) uses 56-bit keys, which is still acceptable for near-term use.

108. Which of the following should be considered during configuration of cryptographic controls in the implementation phase of a system development life cycle (SDLC) as it applies to selecting cryptographic mechanisms?

1. Mathematical soundness of the algorithm

2. Length of the cryptographic keys

3. Key management

4. Mode of operation

a. 2 only

b. 3 only

c. 1, 2, and 3

d. 1, 2, 3, and 4

108. d. In the implementation phase, the focus is on configuring the system for use in the operational environment. This includes configuring the cryptographic controls. After the system has been configured, certification testing is performed to ensure that the system functions as specified and that the security controls are operating effectively. The security provided by a cryptographic control depends on the mathematical soundness of the algorithm, the length of the cryptographic keys, key management, and mode of operation. A weakness in any one of these components may result in a weakness or compromise to the security of the cryptographic control. A weakness may be introduced at any phase of the system life cycle.

109. Audit trails should be considered as part of which of the following security controls during the security design, implementation, and use of a cryptographic module?

a. Physical access controls

b. Logical access controls

c. Integrity controls

d. User authentication

109. c. Cryptography may provide methods that protect security-relevant software, including audit trails, from undetected modification. This is addressed as part of the integrity controls. Physical access controls are incorrect because they deal with prevention, detection, physical replacement or modification of the cryptographic system, and the keys within the system. Logical access controls are incorrect because they may provide a means of isolating the cryptographic software from attacks and modifications. The cryptographic module boundary may consist of the hardware, operating system, and cryptographic software. User authentication is incorrect because it includes use of cryptographic authentication to provide stronger authentication of users.

110. Which of the following is not a rule that guides the cryptography implementation in a system development life cycle (SDLC) as it applies to selecting cryptographic mechanisms?

a. Determine what information must be provided using a cryptographic function.
