CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

6.Which one of the following is a cryptographic goal that cannot be achieved by a secret key cryptosystem?

A.Nonrepudiation

B.Confidentiality

C.Availability

D.Integrity

7.When correctly implemented, what is the only cryptosystem known to be unbreakable?

A.Transposition cipher

B.Substitution cipher

C.Advanced Encryption Standard

D.One-time pad

8.What is the output value of the mathematical function 16 mod 3?

A.0

B.1

C.3

D.5

9.In the 1940s, a team of cryptanalysts from the United States successfully broke a Soviet code based upon a one-time pad in a project known as VENONA. What rule did the Soviets break that caused this failure?

A.Key values must be random.

B.Key values must be the same length as the message.

C.Key values must be used only once.

D.Key values must be protected from physical disclosure.

10.Which one of the following cipher types operates on large pieces of a message rather than individual characters or bits of a message?

A.Stream cipher

B.Caesar cipher

C.Block cipher

D.ROT3 cipher

11.What is the minimum number of cryptographic keys required for secure two-way communications in symmetric key cryptography?

A.One

B.Two

C.Three

D.Four

282 Chapter 9 Cryptography and Private Key Algorithms

12.What is the minimum number of cryptographic keys required for secure two-way communications in asymmetric key cryptography?

A.One

B.Two

C.Three

D.Four

13.Which one of the following Data Encryption Standard (DES) operating modes can be used for large messages with the assurance that an error early in the encryption/decryption process won’t spoil results throughout the communication?

A.Cipher Block Chaining (CBC)

B.Electronic Codebook (ECB)

C.Cipher Feedback (CFB)

D.Output Feedback (OFB)

14.What encryption algorithm is used by the Clipper chip, which supports the Escrowed Encryption Standard sponsored by the U.S. government?

A.Data Encryption Standard (DES)

B.Advanced Encryption Standard (AES)

C.Skipjack

D.IDEA

15.What is the minimum number of cryptographic keys required to achieve a higher level of security than DES with the Triple DES algorithm?

A.A,1

B.2

C.3

D.4

16.What approach to key escrow divides the secret key into several pieces that are distributed to independent third parties?

A.Fair Cryptosystems

B.Key Escrow Standard

C.Escrowed Encryption Standard

D.Fair Escrow

17.What kind of attack makes the Caesar cipher virtually unusable?

A.Meet-in-the-middle attack

B.Escrow attack

C.Frequency attack

D.Transposition attack

18.What type of cryptosystem commonly makes use of a passage from a well-known book for the encryption key?

A.Vernam cipher

B.Running key cipher

C.Skipjack cipher

D.Twofish cipher

19.Which AES finalist makes use of prewhitening and postwhitening techniques?

A.Rijndael

B.Twofish

C.Blowfish

D.Skipjack

20.Matthew and Richard wish to communicate using symmetric cryptography but do not have a prearranged secret key. What algorithm might they use to resolve this situation?

A.DES

B.AES

C.Diffie-Hellman

D.Skipjack

284 Chapter 9 Cryptography and Private Key Algorithms

Answers to Review Questions

1.C. The four goals of cryptographic systems are confidentiality, integrity, authentication, and nonrepudiation.

2.A. Nonrepudiation prevents the sender of a message from later denying that they sent it.

3.A. DES uses a 56-bit key. This is considered one of the major weaknesses of this cryptosystem.

4.B. Transposition ciphers use a variety of techniques to reorder the characters within a message.

5.A. The Rijndael cipher allows users to select a key length of 128, 192, or 256 bits depending upon the specific security requirements of the application.

6.A. Nonrepudiation requires the use of a public key cryptosystem to prevent users from falsely denying that they originated a message.

7.D. Assuming that it is used properly, the one-time pad is the only known cryptosystem that is not vulnerable to attacks.

8.B. Option B is correct because 16 divided by 3 equals 5, with a remainder value of 1.

9.A. The cryptanalysts from the United States discovered a pattern in the method the Soviets used to generate their one-time pads. After this pattern was discovered, much of the code was eventually broken.

10.C. Block ciphers operate on message “chunks” rather than on individual characters or bits. The other ciphers mentioned are all types of stream ciphers that operate on individual bits or characters of a message.

11.A. Symmetric key cryptography uses a shared secret key. All communicating parties utilize the same key for communication in any direction.

12.D. In asymmetric (public key) cryptography, each communicating party must have a pair of public and private keys. Therefore, two-way communication between parties requires a total of four cryptographic keys (a public and private key for each user).

13.D. Cipher Block Chaining and Cipher Feedback modes will all carry errors throughout the entire encryption/decryption process. Electronic Codebook (ECB) operation is not suitable for large amounts of data. Output Feedback (OFB) mode does not allow early errors to interfere with future encryption/decryption.

14.C. The Skipjack algorithm implemented the key escrow standard supported by the U.S. government.

15.B. To achieve added security over DES, 3DES must use at least two cryptographic keys.

16.A. The Fair Cryptosystems approach would have independent third parties each store a portion of the secret key and then provide them to the government upon presentation of a valid court order.

17.C. The Caesar cipher (and other simple substitution ciphers) are vulnerable to frequency attacks that analyze the rate at which specific letters appear in the ciphertext.

18.B. Running key (or “book”) ciphers often use a passage from a commonly available book as the encryption key.

19.B. The Twofish algorithm, developed by Bruce Schneier, uses prewhitening and postwhitening.

20.C. The Diffie-Hellman algorithm allows for the secure exchange of symmetric keys over an insecure medium.

286 Chapter 9 Cryptography and Private Key Algorithms

Answers to Written Lab

Following are answers to the questions in this chapter’s written lab:

1.The major obstacle to the widespread adoption of one-time pad cryptosystems is the difficulty in creating and distributing the very lengthy keys that the algorithm depends on.

2.The first step in encrypting this message requires the assignment of numeric column values to the letters of the secret keyword:

S E C U R E 5 2 1 6 4 3

Next, the letters of the message are written in order underneath the letters of the keyword:

S E C U R E 5 2 1 6 4 3 I W I L L P A S S T H E C I S S P E X A M A N D B E C O M E C E R T I F I E D N E X T M O N T H

Finally, the sender enciphers the message by reading down each column; the order in which the columns are read correspond to the numbers assigned in the first step. This produces the following ciphertext:

I S S M C R D O W S I A E E E M P E E D E F X H L H P N M I E T I A C X B C I T L T S A O T N N

3.This message is decrypted by using the following function:

P = (C - 3) mod 26

C: F R Q J U D W X O D W L R Q V B R X J R W L W

P: C O N G R A T U L A T I O N S Y O U G O T I T

And the hidden message is “Congratulations You Got It.” Congratulations, you got it!

In Chapter 9, we introduced basic cryptography concepts and explored a variety of private key cryptosystems. These symmetric cryptosystems offer fast, secure communication but introduce the

substantial challenge of key exchange between previously unrelated parties. This chapter explores the world of asymmetric (or public key) cryptography and the public key infrastructure (PKI) that supports worldwide secure communication between parties that don’t necessarily know each other prior to the communication. We’ll also explore several practical applications of cryptography: securing electronic mail, web communications, electronic commerce, and networking. This chapter concludes with an examination of a variety of attacks malicious individuals might use to compromise weak cryptosystems.

Asymmetric Cryptography

The section “Modern Cryptography” in Chapter 9 introduced the basic principles behind both private (symmetric) and public (asymmetric) key cryptography. You learned that symmetric key cryptosystems require both communicating parties to have the same shared secret key, creating the problem of secure key distribution. You also learned that asymmetric cryptosystems avoid this hurdle by using pairs of public and private keys to facilitate secure communication without the overhead of complex key distribution systems. The security of these systems relies upon the difficulty of reversing a one-way function.

In the following sections, we’ll explore the concepts of public key cryptography in greater detail and look at three of the more common public key cryptosystems in use today: RSA, El Gamal, and the Elliptic Curve Cryptosystem.

Public and Private Keys

Recall from Chapter 9 that public key cryptosystems rely on pairs of keys assigned to each user of the cryptosystem. Every user maintains both a public key and a private key. As the names imply, public key cryptosystem users make their public keys freely available to anyone with whom they want to communicate. The mere possession of the public key by third parties does not introduce any weaknesses into the cryptosystem. The private key, on the other hand, is reserved for the sole use of the individual. It is never shared with any other cryptosystem user.

Normal communication between public key cryptosystem users is quite straightforward. The general process is shown in Figure 10.1.

290 Chapter 10 PKI and Cryptographic Applications

4.Find a number, d, such that (ed – 1) mod (p – 1)(q – 1) = 0.

5.Distribute e and n as the public key to all cryptosystem users. Keep d secret as the private key.

If Alice wants to send an encrypted message to Bob, she generates the ciphertext (C) from the plaintext (P) using the following formula (where e is Bob’s public key and n is the product of p and q created during the key generation process):

C = Pe mod n

When Bob receives the message, he performs the following calculation to retrieve the plaintext message:

P = Cd mod n

Importance of Key Length

The length of the cryptographic key is perhaps the most important security parameter that can be set at the discretion of the security administrator. It’s important to understand the capabilities of your encryption algorithm and choose a key length that provides an appropriate level of protection. This judgment can be made by weighing the difficulty of defeating a given key length (measured in the amount of processing time required to defeat the cryptosystem) against the importance of the data.

Generally speaking, the more critical your data, the stronger the key you use to protect it should be. Timeliness of the data is also an important consideration. You must take into account the rapid growth of computing power—the famous Moore’s Law states that computing power doubles approximately every 18 months. If it takes current computers one year of processing time to break your code, it will take only three months if the attempt is made with contemporary technology three years down the road. If you expect that your data will still be sensitive at that time, you should choose a much longer cryptographic key that will remain secure well into the future.

The strengths of various key lengths also vary greatly according to the cryptosystem you’re using. According to a white paper published by Certicom, a provider of wireless security solutions, the key lengths shown in the following table for three asymmetric cryptosystems all provide equal protection: