Practice Questions

Question 1

Which of the following are included within a digital certificate? [Choose the three best answers.]

  • A. User's public key

  • B. User's private key

  • C. Information about the user

  • D. Digital signature of the issuing CA

A1:

Answers A, C, and D are correct. The user's public key, information about the user, and the digital signature of the issuing CA are all included within a digital certificate. A user's private key should never be contained within the digital certificate and should remain under tight control; therefore, answer B is incorrect.

Question 2

Which of the following are associated with the secure exchange of email? [Choose the two best answers.]

  • A. S/MIME

  • B. HTTPS

  • C. PGP

  • D. M of N

A2:

Answers A and C are correct. Both S/MIME and PGP are used for the secure transmission of email messages. HTTPS is used on the Web for HTTP over SSL; therefore, answer B is incorrect. M of N describes a mathematical function; therefore, answer D is incorrect.

Question 3

What part of the IPSec protocol provides authentication and integrity but not privacy?

  • A. Encapsulated Security Payload

  • B. Sans-Privacy Protocol

  • C. Authentication Header

  • D. Virtual Private Network

A3:

Answer C is correct. The Authentication Header (AH) provides authentication so the receiver can be confident of the source of the data. It does not utilize encryption to scramble the data, so it cannot provide privacy. Encapsulated Security Payload provides for confidentiality of the data being transmitted and also includes authentication capabilities; therefore, answer A is incorrect. Answer B is incorrect because it does not exist. A Virtual Private Network uses the IPSec protocol and secures communications over public networks; therefore, answer D is incorrect.

Question 4

In a decentralized key-management system, the user is responsible for which one of the following functions?

  • A. Creation of the private and public keys

  • B. Creation of the digital certificate

  • C. Creation of the CRL

  • D. Revocation of the digital certificate

A4:

Answer A is correct. In a decentralized key-management system, the end user will generate his own key pair. The other functions, such as the creation of the certificate and the CRL as well as the revocation of the certificate, are still handled by the Certificate Authority; therefore, answers B, C, and D are incorrect.

Question 5

To check the validity of a digital certificate, which one of the following would be used?

  • A. Corporate security policy

  • B. Certificate policy

  • C. Certificate Revocation List

  • D. Expired domain names

A5:

Answer C is correct. A Certificate Revocation List (CRL) provides a detailed list of certificates that are no longer valid. A corporate security policy would not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy also does not provide information on invalid issued certificates; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.

Question 6

What is the acronym for the de facto cryptographic message standards developed by RSA Laboratories?

  • A. PKIX

  • B. X.509

  • C. PKCS

  • D. Both A and C

A6:

Answer C is correct. The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and maintained by RSA Laboratories, a division of the RSA Security Corporation. PKIX describes the development of Internet standards for X.509-based digital certificates; therefore, answers A, B, and D are incorrect.

Question 7

Which one of the following defines APIs for devices such as smartcards that will contain cryptographic information?

  • A. PKCS #11

  • B. PKCS #13

  • C. PKCS #4

  • D. PKCS #2

A7:

Answer A is correct. PKCS #11, the Cryptographic Token Interface Standard, defines an application programming interface (API) named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography Standard. Both C and D are incorrect because PKCS #2 and PKCS #4 no longer exist and have been integrated into PKCS #1, the RSA Cryptography Standard.

Question 8

What is the Public Key Cryptography Standard for the Diffie-Hellman Key Agreement Standard?

  • A. PKCS #12

  • B. PKCS #5

  • C. PKCS #3

  • D. None of the above

A8:

Answer C is correct. PKCS #3, the Diffie-Hellman Key Agreement Standard, describes a method for using the Diffie-Hellman key agreement. Answer A is incorrect, because PKCS #12 is the Personal Information Exchange Syntax Standard. Answer B is incorrect because PKCS #5 is the Password-Based Cryptography Standard. Because answer C is correct, answer D is incorrect.

Question 9

Which of the fields included within a digital certificate identifies the directory name of the entity signing the certificate?

  • A. Signature Algorithm Identifier

  • B. Issuer

  • C. Subject Name

  • D. Subject Public Key Information

A9:

Answer B is correct. The Issuer field identifies the name of the entity signing the certificate, which is usually a Certificate Authority. The Signature Algorithm Identifier identifies the cryptographic algorithm used by the CA to sign the certificate; therefore, answer A is incorrect. The Subject Name is the name of the end entity identified in the public key associated with the certificate; therefore, answer C is incorrect. The Subject Public Key Information field includes the public key of the entity named in the certificate, including a cryptographic algorithm identifier; therefore, answer D is incorrect.

Question 10

Which version of X.509 supports an optional extension field?

  • A. Version 1

  • B. Version 2

  • C. Version 3

  • D. Answers B and C

A10:

Answer C is correct. Version 3 of X.509, which was introduced in 1996, supports an optional extension field used to provide more informational fields. Version 1 was the most generic version and did not incorporate this feature; therefore, answer A is incorrect. Version 2 introduced the idea of unique identifiers, but not the optional extension field; therefore, answers B and D are incorrect.

Question 11

Which of the following protocols are used to manage secure communication between a client and a server over the Web? [Choose the two best answers.]

  • A. Secure Sockets Layer

  • B. Internet Security Association and Key Management Protocol

  • C. Pretty Good Privacy

  • D. Transport Layer Security

A11:

Answers A and D are correct. Secure Sockets Layer is the most widely used protocol for managing secure communication between clients and servers on the Web. The Transport Layer Security protocol is similar and is considered the successor to SSL. Answer B is incorrect because ISAKMP is a protocol common to Virtual Private Networks. Answer C is incorrect because Pretty Good Privacy is used for the encryption of email.

Question 12

Which of the following are typically associated with Virtual Private Networks (VPNs)? [Choose the two best answers.]

  • A. IPSec

  • B. ISAKMP

  • C. S/MIME

  • D. PGP

A12:

Answers A and B are correct. Both IPSec and ISAKMP are used in the creation of VPNs. IPSec provides for the secure exchange of packets at the IP layer, and ISAKMP defines a common framework for the creation, negotiation, modification, and deletion of security associations in VPNs. S/MIME and PGP are used for secure email transfer; therefore, answers C and D are incorrect.

Question 13

Where is ISO 17799 recognized?

  • A. In the United States only

  • B. In Europe and the United States only

  • C. Internationally

  • D. In Europe and Southwest Asian countries only

A13:

Answer C is correct. ISO 17799 is a detailed and internationally recognized security standard comprising best practices in information security. Because it is internationally recognized, answers A, B, and D are incorrect.

Question 14

Which of the following is not true regarding expiration dates of certificates?

  • A. Certificates may be issued for a week.

  • B. Certificates are only issued at yearly intervals.

  • C. Certificates may be issued for 20 years.

  • D. Certificates must always have an expiration date.

A14:

Answer B is correct. Digital certificates contain a field indicating the date through which the certificate is valid. This date is mandatory and can be for a very short period of time or for a number of years; therefore, answers A, C and D are incorrect.

Question 15

Which of the following are used to verify the status of a certificate? [Choose the two best answers.]

  • A. OCSP

  • B. CRL

  • C. OSPF

  • D. ACL

A15:

Answers A and B are correct. The Online Certificate Status Protocol (OCSP) and the Certificate Revocation List (CRL) are used to verify the status of digital certificates. OSPF is a routing protocol; therefore, answer C is incorrect. An ACL is used to define access control; therefore, answer D is incorrect.



Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
EAN: 2147483647
Year: 2005
Pages: 162
