In order to securely communicate using PGP, the sender of an email must do which of the following when sending an email to a recipient for the first time?
A. Import the recipient’s public key B. Import the recipient’s private key C. Export the sender’s private key D. Export the sender’s public key
Answer: A
Explanation: See step 4 below.
1. When a user encrypts plaintext with PGP, PGP first compresses the plaintext.
2. PGP then creates a session key, which is a one-time-only secret key.
3. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext.
4. Once the data is encrypted, the session key is then encrypted to the recipient’s public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.
Peter, a user, in a coffee shop is checking his email over a wireless network. An attacker records the temporary credentials being passed to Peter’s browser. The attacker later uses the credentials to impersonate Peter and creates SPAM messages. Which of the following attacks allows for this impersonation?
A. XML injection B. Directory traversal C. Header manipulation D. Session hijacking
Answer: D
Explanation: In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer.
A company uses PGP to ensure that sensitive email is protected. Which of the following types of cryptography is being used here for the key exchange?
A. Symmetric B. Session-based C. Hashing D. Asymmetric
Answer: A
Explanation: PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.
When using PGP, which of the following should the end user protect from compromise? (Select TWO).
A. Private key B. CRL details C. Public key D. Key password E. Key escrow F. Recovery agent
Answer: A,D
Explanation: A: In PGP only the private key belonging to the receiver can decrypt the session key. PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.
D: PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key.
In Kerberos, the Ticket Granting Ticket (TGT) is used for which of the following?
A. Identification B. Authorization C. Authentication D. Multifactor authentication
Answer: C
Explanation: An authentication ticket, also known as a ticket-granting ticket (TGT), is a small amount of encrypted data that is issued by a server in the Kerberos authentication model to begin the authentication process. When the client receives an authentication ticket, the client sends the ticket back to the server along with additional information verifying the client’s identity. The server then issues a service ticket and a session key (which includes a form of password), completing the authorization process for that session. In the Kerberos model, all tickets are time-stamped and have limited lifetimes. This minimizes the danger that hackers will be able to steal or crack the encrypted data and use it to compromise the system. Ideally, no authentication ticket remains valid for longer than the time an expert hacker would need to crack the encryption. Authentication tickets are session-specific, further improving the security of the system by ensuring that no authentication ticket remains valid after a given session is complete.
Symmetric encryption utilizes __________, while asymmetric encryption utilizes _________.
A. Public keys, one time B. Shared keys, private keys C. Private keys, session keys D. Private keys, public keys
Answer: D
Explanation: Symmetrical systems require the key to be private between the two parties. With asymmetric systems, each circuit has one key. In more detail:
* Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn’t disclosed to people who aren’t authorized to use the encryption system.
* Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes.
During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO).
A. SSL 1.0 B. RC4 C. SSL 3.0 D. AES E. DES F. TLS 1.0
Answer: A,E
Explanation: TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and, as a by-product, message authentication. Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws which ultimately led to the design of SSL version 3.0”. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security. TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
Users need to exchange a shared secret to begin communicating securely. Which of the following is another name for this symmetric key?
A. Session Key B. Public Key C. Private Key D. Digital Signature
Answer: C
Explanation: Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn’t disclosed to people who aren’t authorized to use the encryption system.