[Computer Professional Qualification] CISSP Certification Exam (Cryptography) - Paper 1 with Answers and Explanations (.doc)
CISSP Certification Exam (Cryptography) - Paper 1 with Answers and Explanations (Total score: 60.00, time allowed: 90 minutes)

1. There are several components involved with steganography. Which of the following refers to a file that has hidden information in it? (Score: 2.00)
A. Stego-medium
B. Concealment cipher
C. Carrier
D. Payload

2. Which of the following correctly describes the relationship between SSL and TLS? (Score: 2.00)
A. TLS is the open-community version of SSL.
B. SSL can be modified by developers to expand the protocol's capabilities.
C. TLS is a proprietary protocol, while SSL is an open-community protocol.
D. SSL is more extensible and backward compatible with TLS.

3. Which of the following incorrectly describes steganography? (Score: 2.00)
A. It is a type of security through obscurity.
B. Modifying the most significant bit is the most common method used.
C. Steganography does not draw attention to itself like encryption does.
D. Media files are ideal for steganographic transmission because of their large size.

4. Which of the following correctly describes a drawback of symmetric key systems? (Score: 2.00)
A. Computationally less intensive than asymmetric systems
B. Work much more slowly than asymmetric systems
C. Carry out mathematically intensive tasks
D. Key must be delivered via secure courier

5. Which of the following occurs in a PKI environment? (Score: 2.00)
A. The RA creates the certificate, and the CA signs it.
B. The CA signs the certificate.
C. The RA signs the certificate.
D. The user signs the certificate.

6. Encryption can happen at different layers of an operating system and network stack. Where does PPTP encryption take place? (Score: 2.00)
A. Data link layer
B. Within applications
C. Transport layer
D. Data link and physical layers

7. Which of the following correctly describes the difference between public key cryptography and public key infrastructure? (Score: 2.00)
A. Public key cryptography is the use of an asymmetric algorithm, while public key infrastructure is the use of a symmetric algorithm.
B. Public key cryptography is used to create public/private key pairs, and public key infrastructure is used to perform key exchange and agreement.
C. Public key cryptography provides authentication and nonrepudiation, while public key infrastructure provides confidentiality and integrity.
D. Public key cryptography is another name for asymmetric cryptography, while public key infrastructure consists of public key cryptographic mechanisms.

8. Which of the following best describes Key Derivation Functions (KDFs)? (Score: 2.00)
A. Keys are generated from a master key.
B. Session keys are generated from each other.
C. Asymmetric cryptography is used to encrypt symmetric keys.
D. A master key is generated from a session key.

9. An elliptic curve cryptosystem is an asymmetric algorithm. What sets it apart from other asymmetric algorithms? (Score: 2.00)
A. It provides digital signatures, secure key distribution, and encryption.
B. It computes discrete logarithms in a finite field.
C. It uses a larger percentage of resources to carry out encryption.
D. It is more efficient.

10. If implemented properly, a one-time pad is a perfect encryption scheme. Which of the following incorrectly describes a requirement for implementation? (Score: 2.00)
A. The pad must be securely distributed and protected at its destination.
B. The pad must be made up of truly random values.
C. The pad must always be the same length.
D. The pad must be used only one time.

11. Sally is responsible for key management within her organization. Which of the following incorrectly describes a principle of secure key management? (Score: 2.00)
A. Keys should be backed up or escrowed in case of emergencies.
B. The more a key is used, the shorter its lifetime should be.
C. Less secure data allows for a shorter key lifetime.
D. Keys should be stored and transmitted by secure means.

12. Mandy needs to calculate how many keys must be generated for the 260 employees using the company's PKI asymmetric algorithm. How many keys are required? (Score: 2.00)
A. 33,670
B. 520
C. 67340
D. 260

13. Which of the following works similarly to stream ciphers? (Score: 2.00)
A. One-time pad
B. AES
C. Block
D. RSA

14. There are two main types of symmetric ciphers: stream and block. Which of the following is not an attribute of a good stream cipher? (Score: 2.00)
A. Statistically unbiased keystream
B. Statistically predictable
C. Long periods of no repeating patterns
D. Keystream not linearly related to key

15. Which of the following best describes how a digital signature is created? (Score: 2.00)
A. The sender encrypts a message digest with his private key.
B. The sender encrypts a message digest with his public key.
C. The receiver encrypts a message digest with his private key.
D. The receiver encrypts a message digest with his public key.

16. In cryptography, different steps and algorithms provide different types of security services. Which of the following provides only authentication, nonrepudiation, and integrity? (Score: 2.00)
A. Encryption algorithm
B. Hash algorithm
C. Digital signature
D. Encryption paired with a digital signature

17. Advanced Encryption Standard is an algorithm used for which of the following? (Score: 2.00)
A. Data integrity
B. Bulk data encryption
C. Key recovery
D. Distribution of symmetric keys

18. SSL is a de facto protocol used for securing transactions that occur over untrusted networks. Which of the following best describes what takes place during an SSL connection setup process? (Score: 2.00)
A. The server creates a session key and encrypts it with a public key.
B. The server creates a session key and encrypts it with a private key.
C. The client creates a session key and encrypts it with a private key.
D. The client creates a session key and encrypts it with a public key.

19. The CA is responsible for revoking certificates when necessary. Which of the following correctly describes a CRL and OCSP? (Score: 2.00)
A. The CRL was developed as a more streamlined approach to OCSP.
B. OCSP is a protocol that submits revoked certificates to the CRL.
C. OCSP is a protocol developed specifically to check the CRL during a certificate validation process.
D. CRL carries out real-time validation of a certificate and reports to the OCSP.

20. End-to-end encryption is used by users, and link encryption is used by service providers. Which of the following correctly describes these technologies? (Score: 2.00)
A. Link encryption does not encrypt headers and trailers.
B. Link encryption encrypts everything but data link messaging.
C. End-to-end encryption requires headers to be decrypted at each hop.
D. End-to-end encryption encrypts all headers and trailers.

21. What do the SA values in the graphic of IPSec that follows represent? (Score: 2.00)
A. Security parameter index
B. Security ability
C. Security association
D. Security assistant

22. There are several different types of technologies within cryptography that provide confidentiality. What is represented in the graphic that follows? (Score: 2.00)
A. Running key cipher
B. Concealment cipher
C. Steganography
D. One-time pad

23. There are several different types of important architectures within public key infrastructures. Which architecture does the graphic that follows represent? (Score: 2.00)
A. Cross-certification
B. Cross-revocation list
C. Online Certificate Status Protocol
D. Registration authority

24. There are different ways of providing integrity and authentication within cryptography. What type of technology is shown in the graphic that follows? (Score: 2.00)
A. One-way hash
B. Digital signature
C. Birthday attack
D. Collision

25. There are several different modes that block ciphers can work in. Which mode does the graphic that follows portray? (Score: 2.00)
A. Electronic Code Book Mode
B. Cipher Block Chaining
C. Output Feedback Mode
D. Counter Mode

26. If Marge uses her private key to create a digital signature on a message she is sending to George, but she does not show or share her private key with George, what is it an example of? (Score: 2.00)
A. Key clustering
B. Avoiding a birthday attack
C. Providing data confidentiality
D. Zero-knowledge proof

27. There are two main functions that Trusted Platform Modules (TPMs) carry out within systems today. Which of the following best describes these two functions? (Score: 2.00)
A. Sealing a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Binding is when data pertaining to the system's state are hashed and stored on the TPM.
B. Binding a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Sealing is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated.
C. Sealing a hard disk drive is when whole-disk encryption is enabled through the use of the TPM. Binding is when a digital certificate is sealed within a TPM and the system cannot boot up without this certificate being validated.
D. Binding a hard disk drive is when the decryption key that can be used to decrypt data on the drive is stored on the TPM. Sealing is when data pertaining to the system's state are hashed and stored on the TPM.

The following scenario will be used for questions 28 and 29. Jack has been told that successful attacks have been taking place and data that have been encrypted by his company's software systems have leaked to the company's competitors. Through Jack's investigation he has discovered that the lack of randomness in the seeding values used by the encryption algorithms in the company's software uncovered patterns and allowed for successful reverse engineering. (Score: 4.00)

(1) Which of the following is most likely the item that is the root of the problem when it comes to the necessary randomness explained in the scenario? (Score: 2.00)
A. Asymmetric algorithm
B. Out-of-band communication compromise
C. Number generator
D. Symmetric algorithm

(2) Which of the following best describes the role of the values that is allowing for patterns as described in the scenario? (Score: 2.00)
A. Initialization vector
B. One-time password
C. Master symmetric key
D. Subkey

28. What cryptographic attack type carries out a mathematical analysis by trying to break a math problem from the beginning and the end of the mathematical formula simultaneously? (Score: 2.00)
A. Known plaintext
B. Adaptive ciphertext
C. Known ciphertext
D. Meet-in-the-middle

CISSP Certification Exam (Cryptography) - Paper 1 Answers and Explanations (Total score: 60.00, time allowed: 90 minutes)

1. There are several components involved with steganography. Which of the following refers to a file that has hidden information in it? (Score: 2.00)
A. Stego-medium
B. Concealment cipher
C. Carrier
D. Payload
Answer: C.
Explanation: C is correct. Steganography is a method of hiding data in another type of medium so that the very existence of the data is concealed. Only the sender and receiver should be able to see the message, because it is secretly hidden in a graphic, wave file, document, or other type of medium. The message does not necessarily have to be encrypted, only hidden. An encrypted message draws attention because it announces to the bad guy, "this is sensitive information". A message hidden in a picture does not attract that kind of attention, even if the very same secret message is embedded in the image. Steganography is a type of security through obscurity. Its components are the carrier, the stego-medium, and the payload. The carrier is the signal, data stream, or file that has the hidden information inside it; in other words, the carrier carries the payload. A is incorrect because the stego-medium is the medium in which steganography hides the information. If the message is hidden in a graphic, the stego-medium could be a JPEG or TIFF file. If the message is embedded in a Word document, the stego-medium is the Word document. The stego-medium can be a graphic, wave file, document, or other type of medium. B is incorrect because a concealment cipher, which is placing a message within a message, is one kind of steganographic method. It is a way of hiding a secret message inside something familiar to us. This answer does not name a specific component of steganography, only a specific type of it. D is incorrect because the payload is the information that is hidden and transported through steganography. The payload is the actual information the sender wants to keep secret.

2. Which of the following correctly describes the relationship between SSL and TLS? (Score: 2.00)
A. TLS is the open-community version of SSL.
B. SSL can be modified by developers to expand the protocol's capabilities.
C. TLS is a proprietary protocol, while SSL is an open-community protocol.
D. SSL is more extensible and backward compatible with TLS.
Answer: A.
Explanation: A is correct. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that secure communications by encrypting segments of network connections. Both protocols work at the transport layer. TLS is the open-community version of SSL. Because TLS is an open-community protocol, vendors within that community can modify the TLS specifications to extend what it does and the technologies it works with. SSL is a proprietary protocol, whereas TLS was developed by a standards body and is therefore an open-community protocol. B is incorrect because SSL is a proprietary protocol developed by Netscape. This means the technology community cannot easily extend SSL to interoperate with other products or to expand its original capabilities. If a protocol is proprietary, as SSL is, the technology community cannot directly change its specifications and functionality. TLS was developed to standardize the way data is securely transmitted via the protocol and the way vendors can modify the protocol while still ensuring interoperability. C is incorrect because this answer has it backwards. TLS is not proprietary; it is the open-community version of SSL, which is proprietary. The differences between the latest version of SSL (3.0) and TLS are small, but developers can modify TLS to improve its functionality and its compatibility with other technologies, whereas SSL can only be modified by Netscape. Its code is not open to others. D is incorrect because TLS is actually more extensible than SSL and is not backward compatible with SSL. TLS and SSL provide the same functionality and are very similar, but not similar enough to work directly with each other. If two devices need to communicate securely, they use either TLS or SSL; mixing the two does not work.

3. Which of the following incorrectly describes steganography? (Score: 2.00)
A. It is a type of security through obscurity.
B. Modifying the most significant bit is the most common method used.
C. Steganography does not draw attention to itself like encryption does.
D. Media files are ideal for steganographic transmission because of their large size.
Answer: B.
Explanation: B is correct. Steganography is a method of hiding data in another type of medium so that the very existence of the data is concealed. One of the most common methods of embedding a message into some type of medium is to use the least significant bit (LSB), not the most significant bit. Many types of files have bits that can be modified without affecting the file, and those bits are where secret data can be hidden without noticeably changing the file. With the LSB method, images of very high resolution or audio files with many different kinds of sound (high bit rate) are the places where information is hidden most successfully. There is usually no noticeable distortion, and the change in file size is usually undetectable. In a 24-bit bitmap file, each group of 8 bits represents one of the three color values, red, green, and blue, and these 8-bit groups exist in every pixel. Considering only blue, there are 2^8 different values of blue. The difference in blue intensity between 11111111 and 11111110 is generally impossible to tell apart with the naked eye. A is incorrect because steganography is indeed a form of security through obscurity. Security through obscurity means that instead of relying on a countermeasure to provide security, people rely on secrecy to protect an asset. A network administrator who changes his HTTP port from 80 to 8080 in the hope that nobody will notice is an example of security through obscurity. It means you are trying to confuse a potential attacker and assuming the attacker will not see through your trick. C is incorrect because steganography indeed does not draw attention to itself the way encryption does. An encrypted message draws attention because it tells the bad guy that the encrypted information is sensitive (otherwise it would not have been encrypted), so the attacker may be curious enough to try to break the cipher and learn the information. The goal of steganography is that the attacker does not even know the sensitive information exists, and therefore does not try to obtain it. D is incorrect because larger media files are indeed better suited to steganographic transmission: there are far more bits that can be manipulated, and the chance of drawing attention is smaller. As a simple example, the sender starts with an innocuous image file and adjusts the color of every 100th pixel to correspond to a letter of the alphabet. The change is so subtle that it is not noticed unless someone is specifically looking for it. The larger the file, the greater the obscurity achieved, because there are more bits to work with.

4. Which of the following correctly describes a drawback of symmetric key systems? (Score: 2.00)
A. Computationally less intensive than asymmetric systems
B. Work much more slowly than asymmetric systems
C. Carry out mathematically intensive tasks
D. Key must be delivered via secure courier
Answer: D.
Explanation: D is correct. If two users want to exchange messages encrypted with a symmetric algorithm, they must first work out how to distribute the key. If the key is compromised, every message encrypted with it can be decrypted and read by an intruder. Simply sending the key by e-mail is not secure, because the key is unprotected and can easily be intercepted and used by an attacker. The users must therefore send the key by an out-of-band method. A user can save the key on a USB stick and walk over to put it on the other person's desk, or find a trusted, secure courier to deliver it. This is a drawback of symmetric cryptography, because key distribution is cumbersome, clumsy, and insecure. A is incorrect because this answer describes an advantage of symmetric algorithms. Because symmetric algorithms are less computationally intensive than asymmetric ones, they tend to be much faster. Symmetric algorithms encrypt and decrypt large amounts of data relatively quickly, in a time that is far more acceptable than what an asymmetric algorithm would take for the same data. B is incorrect because asymmetric systems work much more slowly than symmetric systems. The speed of symmetric algorithms is an advantage. Asymmetric algorithms are slower because they use very complex mathematics to carry out their functions, which requires more processing time. However, asymmetric algorithms can provide authentication and nonrepudiation, and symmetric algorithms cannot. Because both users of a symmetric algorithm encrypt and decrypt messages with the same key, a symmetric cryptosystem can provide confidentiality but not authentication or nonrepudiation. If two people use the same key, there is no way to prove which of them sent an encrypted message. C is incorrect because it is asymmetric algorithms that carry out intensive mathematical tasks. Symmetric algorithms perform relatively simple mathematical operations on bits during encryption and decryption: they merely substitute and scramble (transpose) bits, which is neither difficult nor processor intensive. The reason this encryption is hard to break is that the symmetric algorithm performs these functions over and over again, so a set of bits goes through a long series of substitutions and transpositions.

5. Which of the following occurs in a PKI environment? (Score: 2.00)
A. The RA creates the certificate, and the CA signs it.
B. The CA signs the certificate.
C. The RA signs the certificate.
D. The user signs the certificate.
Answer: B.
Explanation: B is correct. A certificate authority (CA) is a trusted organization (or server) that maintains and issues digital certificates. When a person requests a certificate, the registration authority (RA) verifies that person's identity and passes the certificate request on to the CA. The CA creates the certificate, digitally signs it, sends it to the requester, and maintains the certificate throughout its lifetime. The CA signs the certificate so that a recipient can confirm that the certificate came from that specific CA. The CA signs the certificate with its private key, and the recipient verifies the signature with the CA's public key. A is incorrect because the registration authority (RA) does not create certificates; the certificate authority (CA) creates them and signs them. The RA performs the certificate registration duties. It establishes and confirms the identity of the individual requesting a certificate, initiates the certification process with the CA on behalf of the end user, and performs certificate life-cycle management functions. The RA cannot issue certificates, but it can act as a broker between the user and the CA. When users need new certificates, they make their requests to the RA, and the RA verifies all necessary identification information before passing the request to the CA. C is incorrect because the registration authority (RA) does not sign certificates; the certificate authority (CA) does. The RA verifies the user's identity and then sends the certificate request to the CA. D is incorrect because the user does not sign the certificate. In a PKI environment, a user's certificate is created and signed by the certificate authority (CA). The CA is a trusted third party responsible for generating and maintaining user certificates that hold the users' public keys. A digitally signed certificate can prove to others that the certificate was created by that specific CA.

6. Encryption can happen at different layers of an operating sy
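The explanation to question 3 states that flipping the least significant bit of a blue channel value (11111111 versus 11111110) is invisible to the eye, while the most significant bit is not what steganography modifies. The following added example (not part of the exam or its source text) makes that concrete on a constructed 24-bit pixel buffer: it embeds a short payload in the blue LSBs, recovers it, and measures the largest per-channel change produced by LSB embedding against the change produced by flipping the MSB instead. The 16-bit length header, the pixel values and the payload are all constructed for the demonstration.

```python
"""LSB steganography on a constructed 24-bit pixel buffer (added example).

Each pixel is an (r, g, b) tuple of 0..255 values. One payload bit is
written into the least significant bit of each pixel's blue channel.
A 2-byte big-endian length header (an assumption of this example, not a
standard) precedes the payload so the extractor knows where to stop.
"""


def _bits(data):
    """Yield the bits of `data` most-significant-bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels, payload):
    """Return a copy of `pixels` with `payload` hidden in the blue LSBs."""
    framed = len(payload).to_bytes(2, "big") + payload
    bits = list(_bits(framed))
    if len(bits) > len(pixels):
        raise ValueError(
            "carrier too small: need %d pixels, have %d" % (len(bits), len(pixels))
        )
    out = list(pixels)
    for i, bit in enumerate(bits):
        r, g, b = out[i]
        # Clear bit 0 of blue and set it to the payload bit: change is 0 or 1.
        out[i] = (r, g, (b & 0xFE) | bit)
    return out


def extract_lsb(pixels):
    """Read the length header, then that many payload bytes, from blue LSBs."""

    def read_bytes(start, count):
        value = 0
        for i in range(start, start + 8 * count):
            value = (value << 1) | (pixels[i][2] & 1)
        return value.to_bytes(count, "big")

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_channel_delta(original, modified):
    """Largest absolute difference in any single color channel between two buffers."""
    return max(
        abs(x - y)
        for pa, pb in zip(original, modified)
        for x, y in zip(pa, pb)
    )


def flip_msb_blue(pixels):
    """What option B of question 3 would imply: flip bit 7 of blue in every pixel."""
    return [(r, g, b ^ 0x80) for r, g, b in pixels]


def demo():
    """Embed and recover a payload; report how large each kind of change is."""
    # Constructed carrier: 64 near-white "sky" pixels whose blue value alternates 255/254.
    carrier = [(250, 251, 255 - (i % 2)) for i in range(64)]
    secret = b"hi"  # 2 payload bytes + 2 header bytes = 32 bits -> 32 pixels used
    stego = embed_lsb(carrier, secret)
    recovered = extract_lsb(stego)
    lsb_delta = max_channel_delta(carrier, stego)          # 1: the 11111111 vs 11111110 case
    msb_delta = max_channel_delta(carrier, flip_msb_blue(carrier))  # 128: plainly visible
    return recovered, lsb_delta, msb_delta


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(b'hi', 1, 128)`: the payload comes back intact, LSB embedding never moves any channel by more than one of its 256 levels, and flipping the most significant bit moves blue by 128 levels, which is why the MSB is not what steganographic tools modify. Bitmaps are used here because the LSB trick only survives in lossless formats; a lossy re-encoding (JPEG, for instance) would destroy the hidden bits, which is also why such carriers are a poor channel for anyone who needs the payload to survive transit.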

Note: this document ([Computer Professional Qualification] CISSP Certification Exam (Cryptography) - Paper 1 with Answers and Explanations.doc) was uploaded by site member jobexamine331 to 麦多课文档分享 (www.mydoc123.com).