CISSP Domain 3 questions – Scenario Based

Scenario for Questions 1-4: Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

Question 1: If Alice wishes to send Bob an encrypted message, what key does she use to encrypt the message?
Bob’s public key
This is Correct. To provide confidentiality in an asymmetric cryptosystem, the sender of a message encrypts it using the recipient’s public key, so that only the holder of the matching private key can decrypt it.
Bob’s private key
This is Incorrect.
Alice’s private key
This is Incorrect.
Alice’s public key
This is Incorrect.
Question 2: When Bob receives the encrypted message from Alice, what key does he use to decrypt the message?
Bob’s private key
This is Correct. When Bob receives the message, he uses his own private key to decrypt it. Since he is the only one with his private key, he is the only one who should be able to decrypt it, thus preserving confidentiality.
Bob’s public key
This is Incorrect.
Alice’s private key
This is Incorrect.
Alice’s public key
This is Incorrect.
Question 3: Which one of the following keys would Bob not possess in this scenario?
Alice’s private key
This is Correct. Private keys are never shared: Bob holds his own private key and, from the exchanged certificates, both public keys, but Alice’s private key stays with Alice alone.
Alice’s public key
This is Incorrect.
Bob’s private key
This is Incorrect.
Bob’s public key
This is Incorrect.
Question 4: Alice would also like to digitally sign the message that she sends to Bob. What key should she use to create the digital signature?
Alice’s private key
This is Correct. Alice creates the digital signature using her own private key. Then Bob, or any other user, can verify the digital signature using Alice’s public key.
Alice’s public key
This is Incorrect.
Bob’s private key
This is Incorrect.
Bob’s public key
This is Incorrect.
Question 5: Alison is examining a digital certificate presented to her by her bank’s website. Which one of the following requirements is not necessary for her to trust the digital certificate?
She knows that the server belongs to the bank.
This is Correct. The point of the digital certificate is to prove to Alison that the server belongs to the bank, so she does not need to have this trust in advance. To trust the certificate, she must verify the CA’s digital signature on the certificate, trust the CA, verify that the certificate is not listed on a CRL, and verify that the certificate contains the name of the bank.
She trusts the certificate authority.
This is Incorrect.
She verifies that the certificate is not listed on a CRL.
This is Incorrect.
She verifies the digital signature on the certificate.
This is Incorrect.
Question 6: During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?
Request a new certificate using a new key
This is Correct. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list. Because the exposed key must be treated as compromised, the old certificate should also be revoked so that it appears on the CA’s CRL; simply removing the key from the bucket does nothing about copies that may already have been taken.
Notify all customers that their data may have been exposed
This is Incorrect.
Remove the key from the bucket
This is Incorrect.
Nothing, because the private key should be accessible for validation
This is Incorrect.
Question 7: Alex’s employer creates most of their work output as PDF files. Alex is concerned about limiting the audience for the PDF files to those individuals who have paid for them. What technology can he use to most effectively control the access to and distribution of these files?
DRM
This is Correct. Alex can use digital rights management technology to limit use of the PDFs to paying customers. While DRM is rarely a perfect solution, in this case it may fit his organization’s needs. EDM is electronic dance music, which his customers may appreciate but which won’t solve the problem. Encryption and digital signatures can help to keep the files secure and to prove who they came from, but they won’t solve the rights management issue Alex is tackling.
EDM
This is Incorrect.
Digital Signature
This is Incorrect.
Encryption
This is Incorrect.
Question 8: Howard is choosing a cryptographic algorithm for his organization, and he would like to choose an algorithm that supports the creation of digital signatures. Which one of the following algorithms would meet his requirement?
RSA
This is Correct. Digital signatures are possible only when using an asymmetric encryption algorithm. Of the algorithms listed, only RSA is asymmetric and supports digital signature capabilities.
AES
This is Incorrect.
Blowfish
This is Incorrect.
DES
This is Incorrect.
Question 9: Raj is selecting an encryption algorithm for use in his organization and would like to be able to vary the strength of the encryption with the sensitivity of the information. Which one of the following algorithms allows the use of different key strengths?
Blowfish
This is Correct. Blowfish allows the user to select any key length between 32 and 448 bits.
Skipjack
This is Incorrect.
DES
This is Incorrect.
IDEA
This is Incorrect.
Question 10: Sherry conducted an inventory of the cryptographic technologies in use within her organization and found the following algorithms and protocols in use. Which one of these technologies should she replace because it is no longer considered secure?
MD5
This is Correct. The MD5 hash algorithm has known collisions and, as of 2005, is no longer considered secure for use in modern environments.
3DES
This is Incorrect.
PGP
This is Incorrect.
WPA2
This is Incorrect.
Question 11: Gary intercepts a communication between two individuals and suspects that they are exchanging secret messages. The content of the communication appears to be the image shown here. What type of technique may the individuals use to hide messages inside this image?
Steganography
This is Correct. Steganography is the art of embedding secret messages within other content, such as an image, so that the very existence of the message is concealed (the hidden message may additionally be encrypted). Some steganographic algorithms work by making alterations to the least significant bits of the many bits that make up image files, changes that are imperceptible to a viewer.
Cryptographic hashing
This is Incorrect.
Transport layer security
This is Incorrect.
Visual cryptography
This is Incorrect.