CCNA Security FAQ: Introducing Cryptographic Services

Question. Fill in the blanks with the best choice from the list. Cryptography is the art of code __________ and cryptanalysis is the art of code __________.
A. Graphing, analyzing
B. Generation, cracking
C. Making, breaking
D. Breaking, making
E. None of the above

Answer: C. Cryptography is the art of creating and using cryptosystems, whereas cryptanalysis is the process of analyzing a cryptographic algorithm for weaknesses and exploiting them to break the code. They are essentially opponents in the security arena.

Question. Read the following sentence and choose the type of attack that is being described from the list of choices.
Several examples of ciphertext created by the same cryptosystem are statistically analyzed to deduce underlying plaintext by pattern analysis.
A. Known-Plaintext
B. Meet-in-the-Middle
C. Brute Force
D. Ciphertext-Only
E. Chosen-Ciphertext

Answer: The correct answer is D. This kind of attack is not practical with modern ciphers because they use pseudorandom output to resist statistical analysis.

Question. What form of attack are all algorithms susceptible to?
A. Meet-in-the-middle
B. Spoofing
C. Stream cipher
D. Brute-force

Answer: D

Question. Which type of cipher achieves security by rearranging the letters in a string of text?
A. Vigenère cipher
B. Stream cipher
C. Transposition cipher
D. Block cipher

Answer: C

Question. In terms of constructing a good encryption algorithm, what does it mean to create an avalanche effect?
A. Changing only a few bits of a plain-text message causes the ciphertext to be completely different.
B. Altering the key length causes the ciphertext to be completely different.
C. Changing only a few bits of a ciphertext message causes the plain text to be completely different.
D. Altering the key length causes the plain text to be completely different.

Answer: A

Question. Which of the following are techniques used by symmetric encryption cryptography? (Choose all that apply.)
A. Block ciphers
B. Message Authentication Codes (MAC)
C. One-time pad
D. Stream ciphers
E. Vigenère ciphers

Answer: A, B, and D

Question. Which of the following is not a common stream cipher?
A. RC4
B. RSA
C. SEAL
D. DES

Answer: B

Question. Match the following crypto algorithms with the letter corresponding to its key length.

  • AES: ___
  • 3DES: ___
  • DES: ___
  • RC4: ___
  • Blowfish: ___

Your choices are:
A. 1 to 256 bits
B. 112 and 168 bits
C. 56 bits
D. 128, 192, and 256 bits
E. 32 to 448 bits

Answers:

  • AES: D
  • 3DES: B
  • DES: C
  • RC4: A
  • Blowfish: E

Question. True or false. AES is considered a trusted encryption algorithm by virtue of its strong 128-bit encryption keys and its 20+ years of use in crypto systems.

Answer: False. AES has not yet reached the level of trustworthiness of ciphers such as DES and 3DES precisely because it has not been tested in the field nearly as long. Although AES is cryptographically stronger and a simpler algorithm computationally, DES and 3DES have been in use for over 35 years and found not to possess any flaws.

Question. What is the best choice of category of encryption algorithm for situations where large volumes of data are transmitted and speed is important? (Choose one from the list.)
A. Block cipher
B. Stream cipher
C. Symmetric key encryption
D. Asymmetric key encryption
E. DES

Answer: C is correct. Answers A and B are both incorrect because they define categories of ciphers that may be used both for symmetric and asymmetric key encryption. Answer D is incorrect because asymmetric key encryption is best employed for small amounts of data and where speed isn’t as important. Answer E is incorrect since DES is 1) an example of an obsolete symmetric key encryption algorithm, and 2) not a category of encryption algorithm.

Question. Which of the following characteristics accurately describe symmetric encryption algorithms? (Choose all that apply.)
A. They are faster than asymmetric algorithms.
B. They have longer key lengths than asymmetric encryption algorithms.
C. They are stronger than asymmetric algorithms.
D. They are less complex mathematically than asymmetric algorithms.
E. They are slower than asymmetric algorithms.
F. They are weaker than asymmetric algorithms.

Answer: A, C, and D

Question. DES typically operates in block mode, where it encrypts data in what size blocks?
A. 56-bit blocks
B. 40-bit blocks
C. 128-bit blocks
D. 64-bit blocks

Answer: D

Question. Stream ciphers operate on which of the following?
A. Fixed-length groups of bits called blocks
B. Individual digits, one at a time, with the transformations varying during the encryption
C. Individual blocks, one at a time, with the transformations varying during the encryption
D. Fixed-length groups of digits called blocks

Answer: B

Question. Which statement accurately describes ECB mode?
A. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.
B. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.
C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.
D. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.

Answer: C

Question. What method does 3DES use to encrypt plain text?
A. 3DES-EDE
B. EDE-3DES
C. 3DES-AES
D. AES-3DES

Answer: A

Question. Figure 6.14 illustrates what type of PKI topology? (Choose the one best answer.)

FIGURE 6.14 What PKI technology is this?

A. Subordinate-Tiered CA
B. Cross-Certified CA
C. Central CA
D. Hierarchical CA
E. Independent-Mesh CA

Answer: D. Answers A and E are incorrect because they are made-up terms.

Question. Figure 6.15 illustrates the part of the enrollment process that occurs after a PKI participant has retrieved and validated the CA’s certificate. What is always contained in the PKCS #7 message that the PKI participant is retrieving from the CA? (Choose all the correct answers.)

FIGURE 6.15 What is contained in the PKCS #7 message?

A. X.509 certificate
B. CA’s private key
C. CA’s public key
D. PKI participant’s signed public key
E. CA’s encryption usage keys
F. None of the above.

Answers: A and D are correct. At this point in the enrollment process, the PKI participant retrieves the certificate that contains its CA-signed public key. Answer B is incorrect because the private key is always retained on the CA and is never transmitted at any time during enrollment. The security of the whole PKI depends on safeguarding the CA’s private key. Answer E is incorrect because this is made-up terminology.

Question. Which of the following protocols are part of NIST’s Digital Signature Standard (DSS)? (Choose all that apply.)
A. DSA
B. Digital Signatures using Reversible Public Key Cryptography
C. SEAL
D. Blowfish
E. ECDSA

Answers: A, B, and E are correct. Answers C and D are incorrect because they are examples of encryption algorithms.

Question. Which of the following is not considered a trustworthy symmetric encryption algorithm?
A. 3DES
B. IDEA
C. EDE
D. AES

Answer: C

Question. In a brute-force attack, generally an attacker has to search through what percentage of the keyspace until he or she finds the key that decrypts the data?
A. Roughly 10 percent
B. Roughly 75 percent
C. Roughly 66 percent
D. Roughly 50 percent

Answer: D

Question. How many weak keys are a part of the overall DES keyspace?
A. Five
B. One
C. Four
D. None

Answer: C

Question. Which of the following is not a component of the key management life cycle?
A. Key verification
B. Key transposition
C. Key generation
D. Key exchange
E. Key storage

Answer: B

Question. Hashing is used to provide which of the following?
A. Data consistency
B. Data binding
C. Data checksums
D. Data integrity

Answer: D

Question. Fill in the blanks in the following sentence with the letter corresponding to the best choice. (Choose three.)
Hashing functions are used to validate a message’s __________ but do not provide for __________ like HMACs. If __________ is required, the use of digital signatures is specified.
A. Confidentiality
B. Integrity
C. Authentication
D. Non-repudiation
E. Origin authentication

Answer: The correct choices, in order, are B, E, and D. Answer A is incorrect since hashes, HMACs, and digital signatures do not encrypt. Answer C is incorrect because HMACs’ strength is that they authenticate the origin of the data in a cryptosystem.

Question. Which one of the following statements best compares MD5 and SHA-1 as hashing algorithms?
A. MD5 theoretically has higher security than SHA-1; however, SHA-1 remains more commonly used.

B. MD5 is not recommended for new cryptosystems because SHA-1 is preferred for its theoretically higher security.

C. SHA-1 is less resistant to a brute force attack than MD5, and its 32-bit longer buffer makes it faster than MD5.

D. SHA-1 and MD5’s security is not based on encryption keys.

E. None of the above.

Answer: B. Answers A and C are exactly the opposite of correct. Answer D is incorrect because the security of a hashing cryptosystem is completely based on the safeguarding of the encryption keys that, together with the hash, create the message digest.

About the author

Scott
