202. Which of the following are examples of block cipher algorithms for encryption and decryption?

a. AES and RAS

b. TDEA and DES

c. AES and TDEA

d. MAC and HMAC

202. c. Encryption is used to provide data confidentiality. The data to be protected is called plaintext. Encryption transforms the plaintext data into ciphertext data, and ciphertext can be transformed back into plaintext using decryption. The approved algorithms for encryption and decryption include the advanced encryption standard (AES) and the triple data encryption algorithm (TDEA). Each of these algorithms operates on blocks (chunks) of data during an encryption or decryption operation. For this reason, these algorithms are commonly referred to as block cipher algorithms.

RAS (remote access server) is not a block cipher at all. DES (data encryption standard) is a block cipher, but it is not one of the approved algorithms listed above.

Message authentication code (MAC) is incorrect because a MAC is not a block cipher; it provides an assurance of authenticity and integrity. HMAC is a MAC that uses a cryptographic hash function in combination with a secret key. Both MAC and HMAC are based on hash functions, which are used by (i) keyed-hash message authentication code algorithms, (ii) digital signature algorithms, (iii) key derivation functions for key agreement, and (iv) random number generators. Typically, MACs are used to detect data modifications that occur between the initial generation of the MAC and the verification of the received MAC. They do not detect errors that occur before the MAC is originally generated.
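The detection property stated in the last two sentences above, as an added example that is not from the book: an HMAC-SHA256 tag (Python standard library only) catches a message altered after the tag was computed, but cannot catch corruption that happened before the tag was generated. The key and messages are constructed for illustration.

```python
import hmac
import hashlib

# Constructed key for the example; a real key would come from a key-management system.
KEY = b"example-secret-key-do-not-reuse"


def generate_tag(key: bytes, message: bytes) -> bytes:
    """Keyed-hash MAC (HMAC-SHA256) over the message; 32-byte tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so a mismatch leaks nothing."""
    expected = generate_tag(key, message)
    return hmac.compare_digest(expected, tag)


def tamper_after_mac() -> bool:
    """Modification between MAC generation and verification: the receiver detects it."""
    original = b"transfer 100 to account 42"
    tag = generate_tag(KEY, original)           # sender computes the tag
    modified = b"transfer 900 to account 42"    # message altered in transit
    return verify_tag(KEY, modified, tag)       # False: tamper detected


def corrupt_before_mac() -> bool:
    """Corruption before the MAC is generated: the tag covers the bad data, so it verifies."""
    intended = b"transfer 100 to account 42"
    corrupted = bytearray(intended)
    corrupted[9] = ord("9")                     # bit flip before the sender tags the data
    tag = generate_tag(KEY, bytes(corrupted))   # tag is computed over the already-bad data
    return verify_tag(KEY, bytes(corrupted), tag)  # True: nothing for the MAC to detect


def forged_tag_without_key() -> bool:
    """A tag produced under a different key fails: the MAC also asserts authenticity."""
    message = b"transfer 100 to account 42"
    forged = generate_tag(b"attacker-guess", message)
    return verify_tag(KEY, message, forged)     # False: wrong key
```

The contrast between `tamper_after_mac` (rejected) and `corrupt_before_mac` (accepted) is the point: a MAC protects the data from the moment it is tagged, not before.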

203. Cross-certification is not allowed in which of the following public key infrastructure (PKI) architectures?

a. Hierarchical PKI model

b. Mesh PKI model

c. Bridge PKI model

d. Complex PKI model

203. a. There are four architectures used to link certificate authorities (CAs): hierarchical, mesh, bridge, and complex. In a hierarchical PKI model, authorities are arranged hierarchically under a “root CA” that issues certificates to subordinate CAs. A CA delegates trust when it certifies a subordinate CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. Therefore, cross-certification is not allowed in the hierarchical PKI model.

The mesh (network) PKI model is incorrect because trust is established between any two CAs in peer relationships (cross-certification), thus allowing the possibility of multiple trust paths between any two CAs. Independent CAs cross-certify each other, resulting in a general mesh of trust relationships between peer CAs. The bridge PKI model was designed to connect enterprise PKIs regardless of their architecture; enterprises can link their own PKIs to those of their business partners. The complex PKI model is a combination of the hierarchical and mesh PKI models, because the two are not mutually exclusive.

204. Which of the following should not be archived during the disposition phase of a system development life cycle (SDLC) because it applies to selecting cryptographic mechanisms?

a. Long-term symmetric key

b. Signing keys used by traditional certification authorities (CAs)

c. An individual’s signing keys

d. Signing keys used by non-traditional CAs

204. c. When a system is shut down or transitioned to a new system, one of the primary responsibilities is ensuring that cryptographic keys are properly destroyed or archived. Long-term symmetric keys may need to be archived to ensure that they are available in the future to decrypt data. Signing keys used by traditional and non-traditional CAs may also need to be maintained for signature verification.

An individual’s signing keys should not be archived due to constant changes and employee turnover.

205. Which of the following provides the level of “trust” required for the digital certificates to reliably complete a transaction?

a. Certificate policy

b. Certification practices statement

c. Identity proofing

d. Outsourcing
