[Computer exams] CISSP Certification Exam (Cryptography) Practice Test 1 with Answers and Explanations

CISSP Certification Exam (Cryptography) Practice Test 1

1. There are several components involved with steganography. Which of the following refers to a file that has hidden information in it?
(A) Stego-medium
(B) Concealment cipher
(C) Carrier
(D) Payload

2. Which of the following correctly describes the relationship between SSL and TLS?
(A) TLS is the open-community version of SSL.
(B) SSL can be modified by developers to expand the protocol's capabilities.
(C) TLS is a proprietary protocol, while SSL is an open-community protocol.
(D) SSL is more extensible and backward compatible with TLS.

3. Which of the following incorrectly describes steganography?
(A) It is a type of security through obscurity.
(B) Modifying the most significant bit is the most common method used.
(C) Steganography does not draw attention to itself like encryption does.
(D) Media files are ideal for steganographic transmission because of their large size.

4. Which of the following correctly describes a drawback of symmetric key systems?
(A) Computationally less intensive than asymmetric systems
(B) Work much more slowly than asymmetric systems
(C) Carry out mathematically intensive tasks
(D) Key must be delivered via secure courier

5. Which of the following occurs in a PKI environment?
(A) The RA creates the certificate, and the CA signs it.
(B) The CA signs the certificate.
(C) The RA signs the certificate.
(D) The user signs the certificate.

6. Encryption can happen at different layers of an operating system and network stack. Where does PPTP encryption take place?
(A) Data link layer
(B) Within applications
(C) Transport layer
(D) Data link and physical layers

7. Which of the following correctly describes the difference between public key cryptography and public key infrastructure?
(A) Public key cryptography is the use of an asymmetric algorithm, while public key infrastructure is the use of a symmetric algorithm.
(B) Public key cryptography is used to create public/private key pairs, and public key infrastructure is used to perform key exchange and agreement.
(C) Public key cryptography provides authentication and nonrepudiation, while public key infrastructure provides confidentiality and integrity.
(D) Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

8. Which of the following best describes Key Derivation Functions (KDFs)?
(A) Keys are generated from a master key.
(B) Session keys are generated from each other.
(C) Asymmetric cryptography is used to encrypt symmetric keys.
(D) A master key is generated from a session key.

9. An elliptic curve cryptosystem is an asymmetric algorithm. What sets it apart from other asymmetric algorithms?
(A) It provides digital signatures, secure key distribution, and encryption.
(B) It computes discrete logarithms in a finite field.
(C) It uses a larger percentage of resources to carry out encryption.
(D) It is more efficient.

10. If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for implementation?
(A) The pad must be securely distributed and protected at its destination.
(B) The pad must be made up of truly random values.
(C) The pad must always be the same length.
(D) The pad must be used only one time.

11. Sally is responsible for key management within her organization. Which of the following incorrectly describes a principle of secure key management?
(A) Keys should be backed up or escrowed in case of emergencies.
(B) The more a key is used, the shorter its lifetime should be.
(C) Less secure data allows for a shorter key lifetime.
(D) Keys should be stored and transmitted by secure means.

12. Mandy needs to calculate how many keys must be generated for the 260 employees using the company's PKI asymmetric algorithm. How many keys are required?
(A) 33,670
(B) 520
(C) 67,340
(D) 260

13. Which of the following works similarly to stream ciphers?
(A) One-time pad
(B) AES
(C) Block
(D) RSA

14. There are two main types of symmetric ciphers: stream and block. Which of the following is not an attribute of a good stream cipher?
(A) Statistically unbiased keystream
(B) Statistically predictable
(C) Long periods of no repeating patterns
(D) Keystream not linearly related to key

15. Which of the following best describes how a digital signature is created?
(A) The sender encrypts a message digest with his private key.
(B) The sender encrypts a message digest with his public key.
(C) The receiver encrypts a message digest with his private key.
(D) The receiver encrypts a message digest with his public key.

16. In cryptography, different steps and algorithms provide different types of security services. Which of the following provides only authentication, nonrepudiation, and integrity?
(A) Encryption algorithm
(B) Hash algorithm
(C) Digital signature
(D) Encryption paired with a digital signature

17. Advanced Encryption Standard is an algorithm used for which of the following?
(A) Data integrity
(B) Bulk data encryption
(C) Key recovery
(D) Distribution of symmetric keys

18. SSL is a de facto protocol used for securing transactions that occur over untrusted networks. Which of the following best describes what takes place during an SSL connection setup process?
(A) The server creates a session key and encrypts it with a public key.
(B) The server creates a session key and encrypts it with a private key.
(C) The client creates a session key and encrypts it with a private key.
(D) The client creates a session key and encrypts it with a public key.

19. The CA is responsible for revoking certificates when necessary. Which of the following correctly describes a CRL and OCSP?
(A) The CRL was developed as a more streamlined approach to OCSP.
(B) OCSP is a protocol that submits revoked certificates to the CRL.
(C) OCSP is a protocol developed specifically to check the CRL during a certificate validation process.
(D) CRL carries out real-time validation of a certificate and reports to the OCSP.

20. End-to-end encryption is used by users, and link encryption is used by service providers. Which of the following correctly describes these technologies?
(A) Link encryption does not encrypt headers and trailers.
(B) Link encryption encrypts everything but data link messaging.
(C) End-to-end encryption requires headers to be decrypted at each hop.
(D) End-to-end encryption encrypts all headers and trailers.

21. What do the SA values in the graphic of IPSec that follows represent?
(A) Security parameter index
(B) Security ability
(C) Security association
(D) Security assistant

22. There are several different types of technologies within cryptography that provide confidentiality. What is represented in the graphic that follows?
(A) Running key cipher
(B) Concealment cipher
(C) Steganography
(D) One-time pad

23. There are several different types of important architectures within public key infrastructures. Which architecture does the graphic that follows represent?
(A) Cross-certification
(B) Cross-revocation list
(C) Online Certificate Status Protocol
(D) Registration authority

24. There are different ways of providing integrity and authentication within cryptography. What type of technology is shown in the graphic that follows?
(A) One-way hash
(B) Digital signature
(C) Birthday attack
(D) Collision

25. There are several different modes that block ciphers can work in. Which mode does the graphic that follows portray?
(A) Electronic Code Book Mode
(B) Cipher Block Chaining
(C) Output Feedback Mode
(D) Counter Mode

26. If Marge uses her private key to create a digital signature on a message she is sending to George, but she does not show or share her private key with George, what is it an example of?
(A) Key clustering
(B) Avoiding a birthday attack
(C) Providing data confidentiality
(D) Zero-knowledge proof

27. There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions?
(A) Sealing a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Binding is when data pertaining to the system's state are hashed and stored on the TPM.
(B) Binding a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Sealing is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated.
(C) Sealing a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Binding is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated.
(D) Binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system's state are hashed and stored on the TPM.

Scenario for questions 28 and 29. Jack has been told that successful attacks have been taking place and data that have been encrypted by his company's software systems have leaked to the company's competitors. Through Jack's investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company's software uncovered patterns and allowed for successful reverse engineering.

28. Which of the following is most likely the item that is the root of the problem when it comes to the necessary randomness explained in the scenario?
(A) Asymmetric algorithm
(B) Out-of-band communication compromise
(C) Number generator
(D) Symmetric algorithm

29. Which of the following best describes the role of the values that are allowing for patterns as described in the scenario?
(A) Initialization vector
(B) One-time password
(C) Master symmetric key
(D) Subkey

30. What cryptographic attack type carries out a mathematical analysis by trying to break a math problem from the beginning and the end of the mathematical formula simultaneously?
(A) Known plaintext
(B) Adaptive ciphertext
(C) Known ciphertext
(D) Meet-in-the-middle

CISSP Certification Exam (Cryptography) Practice Test 1: Answers and Explanations

1. Correct answer: C
Explanation: C is correct. Steganography is a method of hiding data inside another type of media so as to conceal the very existence of the data. Only the sender and the receiver should be able to see the message, because it is hidden within a graphic, a wave file, a document or some other type of media. The message does not have to be encrypted, only hidden. An encrypted message draws an attacker's attention because it announces "this is sensitive information"; a message hidden inside a picture draws no such attention, even when the embedded message is exactly the same secret. Steganography is a form of security through obscurity. Its components are the carrier, the stego-medium and the payload. The carrier is the signal, data stream or file that has the hidden information in it; in other words, the carrier carries the payload.
A is incorrect because the stego-medium is the medium in which the steganographic message is hidden. If the message is hidden in a graphic, the stego-medium may be a JPEG or TIFF file; if it is embedded in a Word document, the stego-medium is that Word document. The stego-medium can be a graphic, a wave file, a document or another type of media.
B is incorrect because a concealment cipher puts a message inside a message; it is one steganographic method, hiding the secret inside something ordinary and familiar. This answer does not name a component of steganography, only a particular type of it.
D is incorrect because the payload is the information that is hidden and transmitted by steganography; it is the actual information the sender wants to keep secret.
Knowledge area: Cryptography

2. Correct answer: A
Explanation: A is correct. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that secure communications by encrypting segments of a network connection; both work at the transport layer. TLS is the open-community version of SSL. Because TLS is an open-community protocol, vendors in that community can modify the TLS specification to extend what it does and which technologies it works with. SSL is a proprietary protocol, whereas TLS was developed by a standards body and is therefore an open-community protocol.
B is incorrect because SSL is a proprietary protocol developed by Netscape, which means the technical community cannot readily extend SSL for interoperability or add functionality to it. When a protocol is proprietary, as SSL is, the community cannot directly modify its specification and features. TLS was developed to standardize how data is transmitted securely through the protocol and how vendors can modify the protocol while still interoperating.
C is incorrect because it states the relationship backwards. TLS is not proprietary; it is the open-community version of the proprietary SSL. The differences between the latest version of SSL (3.0) and TLS are slight, but developers can modify TLS to improve its functionality and its compatibility with other technologies, whereas SSL could be modified only by Netscape; its code was not open to others.
D is incorrect because TLS is in fact more extensible than SSL and is not backward compatible with it. TLS and SSL provide the same functionality and are very similar, but not similar enough to be directly compatible: two devices that need to communicate securely must both use TLS or both use SSL; a mix of the two cannot communicate.
(Historical note: SSL 3.0 was later published as RFC 6101 and deprecated by RFC 7568, and TLS 1.0 and 1.1 were deprecated by RFC 8996; current deployments should negotiate TLS 1.2 or 1.3. The exam's proprietary/open distinction describes the protocols' origins, not their present status.)
Knowledge area: Cryptography

3. Correct answer: B
Explanation: B is correct. Steganography hides data inside another type of media so as to conceal the data's existence. One of the most common methods for embedding information in a media file is to use the least significant bit (LSB), not the most significant bit. Many file types have bits that can be modified without affecting the file; those bits are where secret data can be hidden without visibly changing it. With the LSB method, very high-resolution images and audio files with many different kinds of sound (a high bit rate) are the easiest places to hide information successfully: there is usually no noticeable distortion, and the change in file size is usually undetectable. In a 24-bit bitmap, each pixel holds three 8-bit values, one each for red, green and blue. Considering blue alone, there are 2^8 = 256 possible blue values, and the difference in blue intensity between 11111111 and 11111110 is generally impossible to distinguish with the naked eye.
A is incorrect because steganography is a form of security through obscurity, which means that instead of applying a countermeasure, people rely on secrecy to protect an asset. A network administrator who moves his HTTP service from port 80 to port 8080 hoping that nobody will notice is one example. Security through obscurity means you are trying to confuse a potential attacker and assuming the attacker will not see through the trick.
C is incorrect because steganography indeed does not draw attention the way encryption does. Encrypted information draws attention because it tells the bad guy that the data is sensitive (otherwise it would not be encrypted), so the attacker may be curious enough to try to break the encryption and learn the content. The goal of steganography is that the attacker does not even know the sensitive information exists, so he does not attempt to obtain it.
D is incorrect because larger media files are indeed better suited to steganographic transmission: there are many more bits to manipulate, and the chance of drawing attention is smaller. As a simple example, the sender starts with an innocuous image file and adjusts the colour of every 100th pixel to correspond to a letter of the alphabet. The change is so subtle that it goes unnoticed unless someone is specifically looking for it. The larger the file, the more obscurity is achieved, because more bits are available to manipulate.
Knowledge area: Cryptography

4. Correct answer: D
Explanation: D is correct. If two users want to exchange information encrypted with a symmetric algorithm, they must first work out how to distribute the key. If the key is compromised, every message encrypted with it can be decrypted and read by the intruder. Simply sending the key by e-mail is not secure, because the key is unprotected and can easily be intercepted and used by an attacker. The users must therefore send the key by an out-of-band method: one user can put the key on a USB drive and walk it over to the other person's desk, or have a trusted courier deliver it. This is a drawback of symmetric cryptography, because key distribution is cumbersome, clumsy and insecure.
A is incorrect because it describes an advantage of symmetric algorithms. Because they are not as computationally intensive as asymmetric algorithms, symmetric algorithms tend to be much faster. They encrypt and decrypt large amounts of data relatively quickly, in an amount of time far more acceptable than an asymmetric algorithm would need.
B is incorrect because it is asymmetric systems that work much more slowly than symmetric systems; the speed of symmetric algorithms is an advantage. Asymmetric algorithms are slower because they use very complex mathematics and therefore need more processing time. However, asymmetric algorithms can provide authentication and nonrepudiation, which symmetric algorithms cannot. Because both users of a symmetric algorithm encrypt and decrypt with the same key, a symmetric cryptosystem provides confidentiality but not authentication or nonrepudiation: if two people share the same key, there is no way to prove which of them sent the encrypted message.
C is incorrect because it is asymmetric algorithms that carry out mathematically intensive tasks. Symmetric algorithms perform relatively simple mathematical operations on bits during encryption and decryption: they substitute and transpose (swap) bits, which is neither difficult nor processor-intensive. This kind of encryption is hard to break because the symmetric algorithm performs these functions over and over, so a set of bits goes through a long series of substitutions and transpositions.
Knowledge area: Cryptography

5. Correct answer: B
Explanation: B is correct. A Certificate Authority (CA) is a trusted organization (or server) that maintains and issues digital certificates. When someone requests a certificate, the Registration Authority (RA) verifies that person's identity and passes the certificate request to the CA. The CA creates the certificate, digitally signs it, sends it to the requester and maintains it throughout its lifetime. The CA digitally signs the certificate so that the recipient can confirm that the certificate came from that particular CA: the CA signs with its private key, and the recipient verifies the signature with the CA's public key.
A is incorrect because the RA does not create the certificate; the CA creates and signs it. The RA performs the certificate registration function: it establishes and verifies the identity of the individual requesting a certificate, initiates the certification process with the CA on behalf of the end user, and performs certificate life-cycle management functions. The RA cannot issue certificates, but it acts as a broker between the user and the CA. When users need a new certificate they make their request to the RA, which verifies all the necessary identification information before passing the request to the CA.
C is incorrect because the RA does not sign certificates; the CA does. The RA verifies the user's identity and then sends the certificate request to the CA.
D is incorrect because the user does not sign the certificate. In a PKI environment a user's certificate is created and signed by the CA, a trusted third party that generates and maintains user certificates, which hold the users' public keys.
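The sign-with-the-private-key, verify-with-the-public-key step described above (and the sender-side digest signing of question 15) as a worked example. This is added here and is not code from the exam or its source text: a textbook RSA signature built only from the Python standard library, with its own toy key generator, an unpadded hash-then-modexp construction, and a made-up certificate body, all chosen so the mechanics are visible. Real systems use RSA-PSS, PKCS#1 v1.5 or ECDSA from a vetted library, never this construction.

```python
# Added example for questions 5 and 15 of the practice test; not code from the
# exam or its source text. Assumptions: textbook (unpadded) RSA over SHA-256,
# 1024-bit keys from a Miller-Rabin toy generator, and a constructed string in
# place of a real X.509 to-be-signed structure. For understanding only.
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin: False means composite, True means prime with overwhelming probability."""
    if n < 4:
        return n >= 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)           # witness candidate in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                            # a proves n composite
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return (public_key, private_key) as ((n, e), (n, d)). Toy generator, see header."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    d = pow(e, -1, phi)                             # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def digest(message):
    """What actually gets signed: the SHA-256 digest of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    """Signer side (question 15, option A): the digest is raised to the private exponent."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message, signature):
    """Verifier side: the public exponent recovers the digest, compared with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo():
    """A CA issues a certificate; clients verify it. Returns the checks a verifier relies on."""
    ca_public, ca_private = generate_keypair()
    # Constructed stand-in for the to-be-signed body of a certificate (not real X.509 encoding).
    tbs = b"subject=CN=alice.example,O=Example Corp;serial=4711;notAfter=2026-01-01"
    cert_sig = sign(ca_private, tbs)

    # An impostor CA signing the same body with a key of its own.
    _, rogue_private = generate_keypair()
    rogue_sig = sign(rogue_private, tbs)

    return {
        "genuine_verifies": verify(ca_public, tbs, cert_sig),
        # Integrity: change one field and the signature no longer matches.
        "tampered_rejected": not verify(ca_public, tbs.replace(b"alice", b"mallory"), cert_sig),
        # Authentication: only the holder of the CA private key can produce a verifying signature.
        "rogue_ca_rejected": not verify(ca_public, tbs, rogue_sig),
        # No confidentiality: the signed body still travels as plaintext (questions 16 and 26).
        "body_still_readable": tbs.startswith(b"subject="),
    }


if __name__ == "__main__":
    print(demo())
```

The three negative checks in `demo()` are the ones that matter in practice: a signature proves who signed and that nothing changed, and nothing more. Note also that George in question 26 runs exactly `verify()` and never sees Marge's `d`.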

A digitally signed certificate can prove to others that the certificate was created by that particular CA.
Knowledge area: Cryptography

6. Correct answer: A
Explanation: A is correct. Point-to-Point Tunneling Protocol (PPTP) is a technology for implementing a virtual private network (VPN). It is Microsoft's proprietary VPN protocol and works at the data link layer of the OSI model. PPTP provides only a single connection and can only operate over PPP connections.
B is incorrect because it is end-to-end encryption that happens within applications. End-to-end encryption means that only the data payload is encrypted. When encryption is applied at a lower layer of the OSI model, the headers and trailers added by the layers above it are encrypted as well; because PPTP works at the data link layer, the headers and trailers from the higher layers are encrypted and protected together with the payload.
C is incorrect because SSL, not PPTP, is the example of encryption that works at the transport layer. SSL uses public key cryptography and provides data encryption, server authentication, message integrity and optional client authentication, presenting the secure part of a web site to the user. HTTP running over SSL gives HTTP Secure (HTTPS): HTTP works at the application layer while SSL remains at the transport layer.
D is incorrect because PPTP works at the data link layer, not the physical layer. Physical-layer technology converts the bits coming from the data link layer into some transmission format: over a UTP connection the data becomes voltage levels at the physical layer, over a fibre line it becomes photons. Physical-layer specifications cover the timing of voltage changes, the voltage levels, and the physical connectors for electrical, optical and mechanical transmission.
Knowledge area: Cryptography

7. Correct answer: D
Explanation: D is correct. Public key cryptography is asymmetric cryptography; the two terms are used interchangeably. Public key cryptography is one of the many components of a public key infrastructure (PKI). A PKI is made up of certificate authorities, registration authorities, certificates, keys, programs and users. It contains the pieces that identify users, create and distribute certificates, maintain and revoke certificates, and distribute and maintain encryption keys, and it enables all of these technologies to communicate and work together to provide encrypted communication and authentication.
A is incorrect because a PKI uses a hybrid of symmetric and asymmetric key algorithms and methods. Public key cryptography uses asymmetric algorithms, so asymmetric cryptography and public key cryptography mean the same thing and are interchangeable. Examples of asymmetric algorithms are RSA, Elliptic Curve Cryptosystem (ECC), Diffie-Hellman and El Gamal.
B is incorrect because public key cryptography uses asymmetric algorithms that create public/private key pairs, perform key exchange or agreement, and generate and verify digital signatures, whereas a PKI is not an algorithm, a protocol or an application; it is an infrastructure based on symmetric and asymmetric cryptography.
C is incorrect because a PKI does not directly provide authentication,
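Returning to question 3: the least-significant-bit mechanism its explanation describes, as a worked example. This is added here and is not code from the exam or its source text. It runs on a constructed 64x64 RGB gradient held as raw 8-bit channel bytes (so no image library is needed), uses a 4-byte big-endian length prefix that is this example's own framing convention, and, for contrast, also embeds in the most significant bit to show why option B's method is not used.

```python
# Added example for question 3 of the practice test; not code from the exam or
# its source text. Assumptions: a constructed gradient stands in for image pixel
# data, and the 4-byte length prefix is an invented framing convention.

def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(carrier):
    """Payload bytes one-bit-per-channel embedding can hold after the 4-byte length prefix."""
    return max(len(carrier) // 8 - 4, 0)


def _embed(carrier, payload, bit_index):
    if len(payload) > capacity_bytes(carrier):
        raise ValueError("carrier holds %d payload bytes, got %d"
                         % (capacity_bytes(carrier), len(payload)))
    framed = len(payload).to_bytes(4, "big") + payload
    clear_mask = 0xFF & ~(1 << bit_index)
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & clear_mask) | (bit << bit_index)   # overwrite one bit of one channel
    return bytes(out)


def embed_lsb(carrier, payload):
    """The usual method: each channel value moves by at most 1 (11111111 vs 11111110)."""
    return _embed(carrier, payload, 0)


def embed_msb(carrier, payload):
    """Option B's method, shown only to see why it is not used: a channel can jump by 128."""
    return _embed(carrier, payload, 7)


def extract(stego, bit_index=0):
    """Read the length prefix, then that many payload bytes, from the chosen bit of each channel."""
    def read(n_bytes, offset):
        value = 0
        for i in range(n_bytes * 8):
            value = (value << 1) | ((stego[offset + i] >> bit_index) & 1)
        return value.to_bytes(n_bytes, "big")
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def max_channel_change(carrier, stego):
    """Largest absolute change to any channel value that the embedding introduced."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


# Constructed carrier: 64x64 pixels x 3 channels, a smooth gradient rather than real image data.
CARRIER = bytes((i * 7 + 40) % 256 for i in range(64 * 64 * 3))
PAYLOAD = b"meet at dawn"


def demo():
    lsb = embed_lsb(CARRIER, PAYLOAD)
    msb = embed_msb(CARRIER, PAYLOAD)
    return {
        "capacity_bytes": capacity_bytes(CARRIER),
        "lsb_roundtrip": extract(lsb) == PAYLOAD,
        "lsb_max_change": max_channel_change(CARRIER, lsb),    # 1: invisible to the eye
        "msb_roundtrip": extract(msb, 7) == PAYLOAD,
        "msb_max_change": max_channel_change(CARRIER, msb),    # 128: obvious distortion
        "size_unchanged": len(lsb) == len(CARRIER),
    }


if __name__ == "__main__":
    print(demo())
```

`capacity_bytes()` is the quantitative form of option D's point: capacity grows with carrier size, so a larger file hides a larger payload at the same per-channel change. Note that LSB embedding is invisible, not undetectable; statistical steganalysis of LSB planes is well established, which is why the explanation classes the technique as security through obscurity.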
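The scenario preceding questions 28 and 29, and the one-time-pad requirements of question 10, as a worked example. This is added here and is not code from the exam or its source text. A stream cipher is modelled as plaintext XOR keystream, and two constructed failure modes are shown: the same keystream used for two messages (the key cancels out and p1 XOR p2 leaks), and a keystream seeded from a small, guessable value so that an attacker can regenerate it. The "seconds since midnight" seed range, the sample messages and the crib are all invented for the demo, and `random.Random` stands in for whatever non-cryptographic generator the scenario's software used.

```python
# Added example for questions 10, 28 and 29 of the practice test; not code from
# the exam or its source text. Assumptions: invented fixed-format messages, an
# invented 86,400-value seed space, and random.Random as the weak generator.
import random
import secrets


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def one_time_pad(plaintext):
    """Correct OTP: truly random pad, exactly the message length, never reused."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor(plaintext, pad)


def weak_keystream(seed, length):
    """Keystream from a non-cryptographic PRNG seeded with a small integer (the scenario's flaw)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def leak_from_reuse(c1, c2):
    """Keystream reuse: (p1 ^ ks) ^ (p2 ^ ks) == p1 ^ p2. The key is gone, the pattern remains."""
    return xor(c1, c2)


def recover_other_plaintext(c1, c2, known_p1):
    """With one plaintext known or guessed (a crib), the other follows immediately."""
    return xor(leak_from_reuse(c1, c2), known_p1)


def brute_force_seed(ciphertext, crib, seed_space):
    """Replay every candidate seed until the decryption begins with the expected crib."""
    for seed in seed_space:
        if xor(ciphertext[:len(crib)], weak_keystream(seed, len(crib))) == crib:
            return seed, xor(ciphertext, weak_keystream(seed, len(ciphertext)))
    return None, None


# Constructed sample messages from the same fixed-format application.
P1 = b"WIRE 250000 USD TO ACCT 4471"
P2 = b"WIRE 990000 USD TO ACCT 9130"
SEED = 12_345                        # constructed: a timestamp-like seed (03:25:45 since midnight)


def demo():
    ks = weak_keystream(SEED, len(P1))
    c1, c2 = xor(P1, ks), xor(P2, ks)                 # same keystream for both messages

    # Failure 1: an attacker who knows (or guesses) P1 reads P2 without touching the key.
    recovered_p2 = recover_other_plaintext(c1, c2, P1)

    # Failure 2: an attacker who knows only the message format and the seed range
    # regenerates the keystream outright. This is the "number generator" root cause.
    found_seed, decrypted = brute_force_seed(c1, b"WIRE ", range(86_400))

    # Correct use: independent, truly random pads; c_a ^ c_b is just pad_a ^ pad_b ^ P1 ^ P2,
    # which an attacker cannot separate from noise.
    pad_a, ca = one_time_pad(P1)
    pad_b, cb = one_time_pad(P2)
    return {
        "recovered_p2": recovered_p2,
        "found_seed": found_seed,
        "decrypted_c1": decrypted,
        "otp_roundtrip": xor(ca, pad_a) == P1 and xor(cb, pad_b) == P2,
        "otp_pads_differ": pad_a != pad_b,
        "otp_pad_length_ok": len(pad_a) == len(P1) and len(pad_b) == len(P2),
    }


if __name__ == "__main__":
    print(demo())
```

The two failures map onto the scenario's two answers: the seed that can be enumerated is the generator problem (question 28), and the value that should have been fresh per message but was not plays the role of an initialization vector (question 29). A real fix replaces `random.Random` with an OS-backed CSPRNG (`secrets` / `os.urandom`) for keys and IVs and uses an authenticated mode such as AES-GCM or ChaCha20-Poly1305 through a vetted library.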
