2. d. The digital certificate contains information about the user’s identity (for example, name, organization, and e-mail), but this information may not necessarily be unique. A one-way (hash) function can be used to construct a fingerprint (message digest) unique to a given certificate using the user’s public key.
3. Which of the following is not included in the digital signature standard (DSS)?
a. Digital signature algorithm (DSA)
b. Data encryption standard (DES)
c. Rivest, Shamir, Adleman algorithm (RSA)
d. Elliptic curve digital signature algorithm (ECDSA)
3. b. DSA, RSA, and ECDSA are included in the DSS that specifies a digital signature used in computing and verifying digital signatures. DES is a symmetric algorithm and is not relevant here. DES is a block cipher and uses a 56-bit key.
4. Digital signatures are not used for which of the following?
a. Authentication
b. Availability
c. Nonrepudiation
d. Integrity
4. b. Digital signatures provide authentication, nonrepudiation, and integrity services. Availability is a system requirement intended to ensure that systems work promptly and that service is not denied to authorized users.
5. What keys are used to create digital signatures?
a. Public-key cryptography
b. Private-key cryptography
c. Hybrid-key cryptography
d. Primary-key cryptography
5. a. Public-key cryptography has been recommended for distribution of secret keys and in support of digital signatures. Private-key cryptography has been recommended for encryption of messages and can be used for message integrity check computations. Hybrid keys combine the best of both public and private keys. Primary keys are used in database design and are not relevant here.
6. Which of the following is not usually seen on a digital certificate?
a. Owner name
b. Public key
c. Effective dates for keys
d. Insurance company name
6. d. The information on the digital certificate includes the owner name, the public key, and start and end dates of its validity. The certificate should not contain any owner information that changes frequently (for example, the insurance company name).
7. What is the major purpose of a digital certificate?
a. To achieve availability goal
b. To maintain more information on the certificate
c. To verify the certificate authority
d. To establish user authentication
7. d. Digital certificates are used as a means of user authentication. Entities can prove their possession of the private key by digitally signing known data or by demonstrating knowledge of a secret exchanged using public-key cryptographic methods.
Sources and References
“Guide to Storage Encryption Technologies for End User Devices (NIST SP800-111),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2007.
“Guidelines on Electronic Mail Security (NIST SP800-45V2),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, February 2007.
“Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (NIST SP800-52),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2005.
“Introduction to Public Key Technology and the Federal PKI Infrastructure (NIST SP800-32),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, February 2001.
“Recommendation for Key Management (NIST SP800-57),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August 2005.
Domain 6
Security Architecture and Design
Traditional Questions, Answers, and Explanations
1. A trusted channel will not allow which of the following attacks?
1. Man-in-the-middle attack
2. Eavesdropping
3. Replay attack
4. Physical and logical tampering
a. 1 and 2
b. 1 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4
1. d. A trusted channel is a mechanism through which a cryptographic module provides a trusted, safe, and discrete communication pathway for sensitive security parameters (SSPs) and communication endpoints. A trusted channel protects against man-in-the-middle (MitM) attacks, eavesdropping, replay attacks, and physical and logical tampering by unwanted operators, entities, processes, devices, both within the module and along the module’s communication link.
