Читаем CISSP Practice полностью

17. d. A transport layer security (TLS) session requires server authentication and requests certificates from the client and the server. The RSA key transport method implicitly authenticates the server to the client. In a Diffie-Hellman (DH) key agreement, the server authenticates itself by supplying a signed static DH key in a certificate or by signing an ephemeral key and sending a certificate with its public signing key. Thus, the server will always send a certificate, with either a signing key or a key-establishment key. In a static-to-static DH key agreement, client certificates will not contain a signing key thus are not recommended to use in a TLS session. This is because the server may request a certificate from the client.

18. What is encrypting a symmetric key using another symmetric key called?

a. Key transport

b. Key update

c. Key wrapping

d. Key bundle

18. c. A key used for key wrapping is known as a key encrypting key, which is used to encrypt a symmetric key using another symmetric key. Key wrapping provides both confidentiality and integrity protection using a symmetric key.

The other three choices are not used in key wrapping. Key transport is a key establishment procedure whereby one party (sender) selects and encrypts the keying material and then distributes the material to another party (the receiver). Key update is a function performed on a cryptographic key to compute a new but related key. Key bundle is a set of keys used during one operation, typically a TDEA operation.

19. Which of the following represents the correct order of nodes (from highest to lowest) in a cryptographic key management infrastructure?

1. Client node

2. User entities

3. Key processing facility

4. Service agent

a. 4, 2, 3, and 1

b. 3, 4, 1, and 2

c. 3, 4, 2, and 1

d. 2, 4, 1, and 3

19. b. A key management infrastructure provides a unified and seamless structure for the generation, distribution, and management of cryptographic keys. It starts at the central oversight authority (the highest node, which is not used in the question) and moves down to key processing facility (the next highest node), service agent, client node, and user entities (the lowest node).

20. In a cryptographic key management infrastructure, which of the following supports single point-of-access for other nodes?

a. Key processing facility

b. User entities

c. Client nodes

d. Service agents

20. d. Service agents support an organization’s key management infrastructure as single point-of-access for other nodes, including key processing facility, client nodes, and user entities.

21. A digital signature is implemented using which of the following cryptographic techniques?

a. Public key cryptography

b. Key escrow cryptography

c. Secret key cryptography

d. Hybrid cryptographic systems

21. a. Recent advances in cryptographic technology have lead to the development of public key cryptographic algorithms. These algorithms are referred to as “asymmetric” because they rely on two different keys to perform cryptographic processing of data. These keys are generated and used in pairs consisting of private and public key components.

Public key crypto-systems make possible authentication schemes in which a secret can be verified without the need to share that secret. In public key cryptography, each user independently generates two mathematically related keys. One is typically made public, so it is referred to as the public key. The other is kept private, so it is referred to as the user’s private key. The public key becomes in effect part of the user’s identity and should be made well known as necessary, like a phone number. Conversely, the private key should be known only to the user because it can be used to prove ownership of the public key and thus the user’s identity. It is computationally infeasible to derive a user’s private key from the corresponding public key, so free distribution of the public key poses no threat to the secrecy of the private key.