Lesson 5: Summarizing Basic Cryptographic Concepts

1. A hospital must balance the need to keep patient privacy information

secure and the desire to analyze the contents of patient records for a
scientific study. What cryptographic technology can best support the
hospital’s needs?
A. Blockchain
B. Quantum computing
C. Perfect forward security (PFS)
D. Homomorphic encryption
2. What is the trade-off when considering which type of encryption cipher to
use?
A. Asymmetric encryption is the strongest hashing algorithm, which produces
longer and more secure digests than symmetric encryption.
B. Asymmetric encryption involves substantially more computing overhead than
symmetric encryption. Asymmetric encryption is inefficient when encrypting a
large amount of data on a disk or transporting it over a network.
C. Symmetric encryption requires substantially more overhead computing power
than asymmetric encryption. Symmetric encryption is inefficient when
transferring or encrypting large amounts of data.
D. Symmetric encryption is not considered as safe as asymmetric encryption, but
it might be required for compatibility between security products.
3. Which statement best describes a key benefit of symmetric over
asymmetric cryptographic ciphers?
A. Symmetric encryption is primarily used for encrypting large volumes of data
and uses the same key for encryption and decryption.
B. Symmetric encryption uses different keys for encryption and decryption,
similar to asymmetric encryption.
C. Symmetric encryption is primarily used for non-repudiation, similar to
asymmetric encryption.
D. Symmetric encryption is less computationally efficient compared to
asymmetric encryption when encrypting large volumes of data.
4. Examine each statement and determine which most accurately describes
a major limitation of quantum computing technology.
 A. Presently, quantum computers do not have the capacity to run useful
applications.
B. Quantum computing is not yet sufficiently secure to run current cryptographic
ciphers.
C. Quantum computing is not sufficiently agile to update the range of security
products it most frequently uses.
D. Attackers may exploit a crucial vulnerability in quantum computing to
covertly exfiltrate data.
5. Evaluate the differences between stream and block ciphers and select the
true statement.
A. A block cipher is suitable for communication applications.
B. A stream cipher is subjected to complex transposition and substitution
operations, based on the value of the key used.
C. A block cipher is padded to the correct size if there is not enough data in the
plaintext.
D. A stream cipher's plaintext is divided into equal-sized blocks.
6. Which of the following utilizes both symmetric and asymmetric encryption?
A. Digital envelope
B. Digital certificate
C. Digital evidence
D. Digital signature
7. When using a digital envelope to exchange key information, the use of
what key agreement mitigates the risk inherent in the Rivest–Shamir–
Adleman (RSA) algorithm, and by what means?
A. Perfect forward secrecy (PFS) uses Diffie-Hellman (DH) key agreement to
create ephemeral session keys without using the server's private key.
B. The Cipher Block Chaining (CBC) key agreement mode uses an initialization
vector (IV) to create ephemeral session keys without using the server’s private
key.
C. Counter mode in key agreement makes the advanced encryption standard
(AES) algorithm work as a stream cipher, by applying an initialization vector
to issue a security certificate.
D. A certificate authority (CA) validates the public key’s owner and creates an
 initialization vector to protect the exchange from snooping
8. Compare and contrast the modes of operation for block ciphers. Which of
the following statements is true?
A. ECB and CBC modes allow block ciphers to behave like stream ciphers.
B. CTM mode allows block ciphers to behave like stream ciphers.
C. ECB allows block ciphers to behave like stream ciphers.
D. CBC and CTM modes allow block ciphers to behave like stream ciphers.
9. A security team is in the process of selecting a cryptographic suite for their
company. Analyze cryptographic implementations and determine which of
the following performance factors is most critical to this selection process if
users primarily access systems on mobile devices.
A. Speed
B. Latency
C. Computational overhead 企業日常開支的;營運費用的
D. Cost
10. Which statement most accurately describes the mechanisms by which
blockchain ensures information integrity and availability?
A. Blockchain ensures availability by cryptographically linking blocks of
information, and integrity through decentralization.
B. Blockchain ensures availability through decentralization, and integrity through
cryptographic hashing and timestamping.
C. Blockchain ensures availability through cryptographic hashing and
timestamping, and integrity through decentralization.
D. Blockchain ensures both availability and integrity through decentralization and
peer-to-peer (P2P) networking.
11. During a penetration test, an adversary operator sends an encrypted
message embedded in an attached image. Analyze the scenario to
determine what techniques the operator is relying on to hide the
message. (Select all that apply.)
A. Security by obscurity
B. Integrity
C. Prepending
D. Confidentiality
12. A client contacts a server for a data transfer. Instead of requesting TLS1.3
authentication, the client claims legacy systems require the use of SSL.
What type of attack might a data transfer using this protocol facilitate?
A. Credential harvesting
B. Key stretching
C. Phishing
D. Downgrade
13. Which two cryptographic functions can be combined to authenticate a
sender and prove the integrity of a message?
A. Hashing and symmetric encryption
B. Public key cryptography and digital enveloping
C. Hashing and digital enveloping
D. Public key cryptography and hashing
14. An attacker uses a cryptographic technology to create a covert message
channel in transmission control protocol (TCP) packet data fields. What
cryptographic technique does this attack strategy employ?
A. Homomorphic encryption
B. Blockchain
C. Steganography (訊息 隱寫術)
D. Key stretching
15. An employee works on a small team that shares critical information about
the company's network. When sending emails that have this information,
what would be used to provide the identity of the sender and prove that the
information has not been tampered with?
A. Private key
B. Digital signature
C. Public key
D. RSA algorithm
16. A system administrator downloads and installs software from a vendor website.
Soon after installing the software, the administrator’s computer is taken over
remotely. After closer investigation, the software package was modified, probably
while it was downloading. What action could have prevented this incident from
occurring?
 A. Validate the software using a checksum
B. Validate the software using a private certificate
C. Validate the software using a key signing key
D. Validate the software using Kerberos
17. Which statement best illustrates the importance of a strong true random
number generator (TRNG) or pseudo-random number generator (PRNG)
in a cryptographic implementation?
A. A weak number generator leads to many published keys sharing a common
factor.
B. A weak number generator creates numbers that are never reused.
C. A strong number generator creates numbers that are never reused.
D. A strong number generator adds salt to encryption values.

18.

1.D

Homomorphic encryption is used to share privacy-sensitive data sets. It

allows a recipient to perform statistical calculations on data fields, while
keeping the data set as a whole encrypted, thus preserving patient privacy.

Blockchain uses cryptography to secure an expanding list of transactional

records. Each record, or block, goes through a hash function. Each block’s
hash value links to the hash value of the previous block.

Quantum computing could serve as a secure foundation for secure

cryptosystems and tamper-evident communication systems that would allow
secure key agreement.
Perfect forward security (PFS) mitigates the risks from RSA key exchanges
through the use of ephemeral session keys to maintain confidentiality.

2.B

While more secure, asymmetric encryption involves substantially more computing

overhead than symmetric encryption, making it inefficient when encrypting large
amounts of data on a disk or transporting it over a network.

Option A is incorrect because it mistakenly suggests that asymmetric encryption is a

hashing algorithm and produces longer and more secure digests than symmetric
encryption, which is not entirely accurate.

Option C is incorrect because it mistakenly suggests that symmetric encryption is

inefficient when transferring or encrypting large amounts of data, which is inaccurate.

Option D is only partially correct in stating that symmetric encryption is not as safe as
asymmetric encryption, but it also mentions compatibility, which isn't a direct trade-
off between the two types of encryption.

3.A

Symmetric encryption is efficient and used when large amounts of data need to be
encrypted. It uses the same key for both encryption and decryption.

This statement describes asymmetric encryption, not symmetric encryption. In

asymmetric encryption, different keys are used for encryption and decryption.

Non-repudiation is not a primary use case for symmetric encryption. Non-repudiation,

which ensures a party cannot deny the authenticity of their signature, is a feature more
associated with asymmetric encryption.

Symmetric encryption is more efficient compared to asymmetric encryption,

particularly when dealing with large amounts of data. Asymmetric encryption is
computationally expensive and generally used for smaller data payloads or for secure
key exchange.

4.A

Presently, the most powerful quantum computers have about 50 qubits. A

quantum computer will need about a million qubits to run useful applications.

Quantum computing could put the strength of current cryptographic ciphers at

risk, but it also has the promise of underpinning more secure cryptosystems in
the future.

Cryptographic agility refers to an organization's ability to update the specific

algorithms used in security products without affecting the business workflows
that those products support. Quantum computing could pose a threat to
cryptographic agility.

Steganography obscures the presence of a message and can be used for

data exfiltration. The quantum computing properties of entanglement,
superposition, and collapse suit the design of a tamper-evident
communication system that would allow secure key agreement.

5.C

In a block cipher, if there is not enough data in the plaintext, it's padded to the
correct size. Padding is not an issue with streaming, where each byte or bit of
data in the plaintext is encrypted one at a time, but it is problematic in dealing
with block size.

A block cipher is not suitable to communications, but a stream cipher is, since
each byte or bit of data in the plaintext is encrypted one at a time.

Based on the value of the key used, a stream cipher is not subjected to
complex transposition and substitution operations.

In a stream cipher, the plaintext is not divided into equal-size blocks.

6.A

A digital envelope is a type of key exchange system that utilizes symmetric

encryption for speed and asymmetric encryption for convenience and security.
A digital certificate is an electronic document that associates credentials with
a public key. This only involves asymmetric encryption.

Digital evidence or Electronically Stored Information (ESI) is evidence that

cannot be seen with the naked eye; rather, it must be interpreted using a
machine or process. There is no encryption involved.

A digital signature is a message digest encrypted with a user's private key. It

uses only asymmetric encryption to prove the identity of the sender of a
message and to show a message has not been tampered with.

7.A

Perfect forward secrecy (PFS) mitigates the risk from RSA key exchange,
using Diffie-Hellman (D-H) key agreement to create ephemeral session keys
without using the server's private key.

Modes of operation refer to AES use in a cipher suite. Cipher Block Chaining
(CBC) mode applies an initialization vector (IV) to a chain of plaintext data
and uses padding to fill out blocks of data.

Counter mode makes the AES algorithm work as a stream cipher. Each block
of data can be processed individually and in parallel, improving performance.

A certificate authority (CA), validates the owner of a public key, issuing a

signed certificate. The process of issuing and verifying certificates is called
public key infrastructure (PKI).

8.B

Counter Mode (CTM) combines each block with a counter value, allowing each block
to be processed individually and in parallel, improving performance. This parallel
processing is similar to how stream ciphers operate.

While ECB and CBC modes are both modes of operation for block ciphers, they do
not allow block ciphers to behave like stream ciphers.

ECB mode does not allow block ciphers to behave like stream ciphers. As mentioned
earlier, ECB mode applies the same key to each plaintext block, resulting in identical
plaintext blocks producing identical ciphertexts, which is not how a stream cipher
operates.

While CTM mode does allow block ciphers to behave like stream ciphers, CBC mode
does not. As mentioned earlier, CBC mode applies an Initialization Vector (IV) to the
first plaintext block to ensure that the key produces a unique ciphertext from any
given plaintext, which is not how a stream cipher behaves.

9.C

Some technologies or ciphers configured with longer keys require more

processing cycles and memory space, which makes them slower and
consume more power. This makes them unsuitable for handheld devices and
embedded systems that work on battery power.

Speed is most impactful when processing large amounts of data.

For some use cases, the time required to obtain a result is more important
than a data rate. Latency issues may negatively affect performance when an
operation or application times out before the authentication handshake.

Cost issues may arise in any decision-making process, but for mobile device
cryptography, computing overhead is a primary limiting factor.

10.B

The blockchain ledger is decentralized and distributed across a peer-to-peer

(P2P) network to mitigate the risks of a single point of failure or compromise.
Each block in a blockchain validates the hash of the previous block, all the
way through to the beginning of the chain, ensuring that each historical
transaction has not been tampered with.

Blockchain is open. It may ensure the integrity and transparency of financial

transactions, among other potential applications.

Each block typically includes a timestamp of transactions, as well as the data

involved in the transactions themselves, helping ensure data integrity.
One of the most important characteristics of a blockchain is decentralization.
Being distributed across a peer-to-peer (P2P) network ensures availability, but
integrity is achieved through cryptographic hashing and timestamping.

11.AD

When used to conceal information, steganography amounts to "security by

obscurity," which is usually deprecated.

A message can be encrypted by some mechanism before embedding it in a

covertext, providing confidentiality.

Integrity allows two parties to derive the same checksum and show that a
message or data is unaltered. However, since an adversary is using the
image with a hidden message, it can be assumed that its purpose is not
integrity between the two parties.

A phishing or hoax email can be made more convincing by using prepending.

In an offensive sense, prepending means adding text that appears legitimate
and to have been generated by the mail system such as
"MAILSAFE:PASSED."

12.D

A downgrade attack can be used to facilitate a man-in-the-middle attack by

requesting that the server use a lower specification protocol with weaker
ciphers and key lengths, making it easier for a malicious actor to forge the
trusted certificate authority’s signature.

Credential harvesting is a campaign specifically designed to steal account

credentials.

Key stretching takes a key that is generated from a user password and
repeatedly converts it to a longer and more random key, adding extra layers
of processing to a potential attacker’s task.

Phishing is a combination of social engineering and spoofing. It persuades or

tricks the target into interacting with a malicious resource disguised as a
trusted one, traditionally using email as the vector.
13.D

Public key cryptography (public and private keys) can be used to authenticate
a sender. Combine this with a hash output of the message and a secret (or
private) key to create a message authentication code (MAC) to validate the
integrity of the message.

A key exchange system known as a digital envelope or hybrid encryption

combines the bulk encryption capabilities of symmetric encryption with the
authentication capability of public key cryptography.

Asymmetric encryption is also called public key cryptography. A digital

envelope allows the sender and recipient to exchange a symmetric encryption
key securely by using public key cryptography.

Hashing proves integrity by computing a unique checksum from input. Digital

envelope is another term for the hybrid encryption that combines public key
encryption and symmetric encryption.

14.C

Steganography obscures the presence of a message and can be used to

encode messages within TCP packet data fields to create a covert message
channel for data exfiltration.

Homomorphic encryption is used to share privacy-sensitive data sets. It

allows a recipient to perform statistical calculations on data fields while
keeping the data set as a whole encrypted.

Blockchain uses cryptography to secure an expanding list of transactional

records. Each record, or block, goes through a hash function. Each block’s
hash value links to the hash value of the previous block.

Key stretching takes a key that is generated from a user password and
repeatedly converts it to a longer and more random key, through thousands of
rounds of hashing.

15.B
A digital signature proves the identity of the sender of a message and to show
that a message has not been tampered with since the sender posted it. This
provides authentication, integrity, and non-repudiation.

A private key will encrypt the message. Encrypting the message will scramble
the data to protect it during transmission.

The public key is what the recipient will use to decrypt the message. The
decryption will allow the recipient to read the data upon receipt.

An RSA Algorithm is what many of the public key cryptography products are
based on.

16.A

The administrator should have validated the software with a checksum, which
uses a cryptographic algorithm to generate a unique hash value based on the
file contents. If the file is changed, the checksum of the modified file will not
match the original.

A private certificate does not validate software.

A key signing key is associated with Domain Name System Security

Extensions (DNSSEC), which validates DNS responses to help mitigate
spoofing and poisoning attacks. It does not apply to software.

Kerberos is an authentication service based on a time-sensitive ticket-granting

system. It is used to validate users, not software.

17.A

A cryptanalyst(密碼破解者) can test for the presence of common factors and

derive the whole key much more easily. The TRNG or PRNG module in the
cryptographic implementation is critical to its strength.

Predictability is a weakness in either the cipher operation or within particular

key values that make a ciphertext more vulnerable to cryptanalysis. Reuse of
the same key within the same session can cause this weakness.
The principal characteristic of a nonce is that it is never reused ("number used
once") within the same key value. A nonce can be a random, pseudo-random,
or counter value.

Salt is a random or pseudo-random number or string. The term salt is used

specifically in conjunction with hashing password values.

18.C

Security through obscurity involves keeping something a secret by hiding it,

but not necessarily encrypting it. While this can fool the unwitting observer, it
is easily detectable by those involved in cybersecurity and their tools.

Non-repudiation is when the sender cannot deny sending the message. If the
message has been encrypted in a way known only to the sender, logic follows
the sender must have composed it.

Obfuscation is the art of making a message difficult to understand.

Cryptography is a very effective way of obfuscating a message by encrypting
it.

Resiliency occurs when the compromise of a small part of the system is

prevented from allowing compromise of the whole system. Cryptography
ensures the authentication and integrity of messages delivered over the
control system.