CCT 109: Practice CISSP Questions - Essential Cryptography Algorithms and Concepts (Domain 3.5)

Jan 25, 2024
 

Unlock the mysteries of modern cryptography and quantum computing's future impact on security protocols with your guide, Sean Gerber. Our CISSP Cyber Training Podcast takes you through an intricate journey, ensuring you're armed with the expertise needed to conquer the CISSP exam and remain ahead in the ever-evolving landscape of cybersecurity. We promise to transform your understanding of cryptographic concepts, from the supremacy of AES in symmetric encryption to the vulnerabilities plaguing older algorithms like MD5 and DES. Prepare to grasp the significance of ECC for devices with limited resources, and the pivotal roles of RSA and hashing algorithms in maintaining the integrity and authenticity of digital communications.

Step up your career with the guidance and insight offered in our dedicated mentoring program chapter, a treasure trove for those navigating the complex paths of cybersecurity. Through CISSPcybertraining.com, we celebrate real success stories—like the one who aced the CISSP exam on their first attempt—attributing triumphs to the tailored mentoring and coaching strategies drawn from years of security experience. You'll get exclusive access to comprehensive CISSP training resources and one-on-one conversations with me, all designed to steer you towards a successful and fulfilling cybersecurity career. Embrace this episode as your beacon to a quantum-safe future and a robust understanding of digital security's best practices.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training and I hope you guys are all having a wonderful day today. Today is CISSP Exam Question Thursday. So, yes, today we're going to go over CISSP exam questions from the previous podcast. This is again on Thursday, and the podcast we have on Monday; this is to follow up on the specific content that was there. These are the specific questions that you may see on the CISSP exam. Again, as I've stressed before, multiple times, these are not the questions, word for word, that you will see on the CISSP. These are questions that are similar to what you might see on the exam, but the ultimate goal of these questions is not to teach you the test. It's to teach you the overall concept so that you understand what the question is actually asking of you. They are not designed to give you a "hey, if you know this question, you will pass the exam." No, they are not designed for that at all. They are designed just to give you a good understanding of what you can anticipate and what you might see on the exam. So this is Question Thursday, and we're going to go over 15 various questions that cover the last podcast, which focused on cryptography, but before we get started, we want to talk about an article that I saw as it relates to the actual topic that we're dealing with when it comes to cryptography.
Now, Security Intelligence has a product out there, or a blog post, that's the CISO's Guide to Accelerating Quantum Safe Readiness, and this is a great article around quantum and what you should be doing as a security professional, what you should be looking at. Now, I don't know if you all are aware that there's been a lot of hubbub out there that quantum will both have, obviously, promises and challenges as it relates to the encryption piece of this, and many people feel that there is a public risk to the public key encryption that's out there and available, and they feel that it's the store-for-later kind of concept. I had heard this where, because they don't have the ability to crack the hashing algorithms at this point, they feel that what they can do, bad guys or gals, is steal all the content, store it for later and then be able to use quantum to crack the code and break the encryption that's tied to it. Now they're saying that future cryptography events obviously can, plot terms, might be able to break the public key algorithms such as, as we talked about, Rivest, Shamir, Adleman, the RSA, and also the elliptic curve Diffie-Hellman options that are available out there, and it potentially could leave it open to being decrypted. They have this concept called the harvest now, decrypt later. I, yeah, I just probably butchered that in the beginning, but basically, you take it now, you steal it now, you decrypt it later, and I know the, I shouldn't say know, I'm aware of, the NSA has done this. I believe the other government entities are probably doing this as well, because their goal is that they've been able to get gobs of data from each of the other countries and they've been able to steal it over the years, and so, therefore, it's encrypted, but rather than having to try to brute force that now, they will then turn around and store it for later, with the goal that they'll be able to utilize it.
Once the encryption keys are crackable, they'll be able to go and get access to it. So what a CISO should do, and what a security professional should do, is want to understand what the cryptography is within your environment, observe the cryptography and then transform the cryptography. When they talk about discovering it, you just need to understand where it all resides within your organization, and they talk about having a cryptography bill of materials. This is your CBOM, right, and I know a BOM, I hear people talk about bill of materials a lot. They're talking about understanding the overall cryptography within your environment so that you know where it's at, and this would include the parts that are embedded within your organization, to also include third party products that might be doing that same type of aspect, those that you use to create and validate digital signatures, all of those pieces, how the applications are using crypto, all of that you should be able to try to have some level of understanding on. Then the next part is observing it, and then knowing how it is working within your organization. As we talked about in the last podcast, just putting in an IPsec tunnel that would be between two endpoints, you would need to observe how it is being used. So, one, you would know that you have these IPsec tunnels in place. Two, you'd observe how it's being used and what data is transferring between it. And the ultimate goal, then, is to ensure that you understand it so that now, when they do this harvest now, decrypt later, you know the data that potentially is encrypted and you know what they could be stealing from you. So I've had it happen to me as a CISO where there's been data that's been stolen. In the past, many years ago, I've had data that was stolen from us, and in the case of doing that, you just assume that all that data is encrypted.
But when it's encrypted, the goal is that it will be in a situation where it won't be able to be re-established, right? So, as I said, now this is about, in a previous life with the military, I had seen data that had been stolen, and as that data had been stolen, then you go, okay, now, once they have it, will they be able to decrypt it? And the ultimate goal of this is that they hope they won't. But yeah, we'll see how that plays out in the future. I know that MIT came up with new quantum crypto guidelines on how you should work to make your environment more quantum protected, and I would recommend you go check that out as well, and that would help you understand it. I've just looked at it. I haven't actually dug deep into it myself, but it would help your organization to understand how to ensure that you have some level of quantum safe solutions in place as we go into the future, because it's a matter of time, especially, as we talked about in the last podcast, around some of these older systems like DES, for an example. It's got 56-bit encryption, which already can be cracked now, but now you throw quantum into the mix, and all of those things can be cracked relatively quickly, and I know the key pair that MIT is recommending, I believe, is 2048, versus when we talked about SHA-256. They feel confident that quantum will have the ability to wreak havoc on these lower-bit encryption technologies. So then, transform it, again. Once you transform, you want to build out quantum safe solutions, and it's important that you think about this from a long-term perspective. How would you do that? And you have time right now, but now is the time, as a security professional, to start considering how quantum is gonna play a factor within your organization. All right, so let's go and get into the CISSP questions that we have planned for today. Question one: which symmetric key encryption algorithm is currently considered the gold standard for applications?
A, DES; B, Triple DES; C, Blowfish; or D, AES? Okay, so what is the gold standard: DES, Triple DES, Blowfish or AES? And the answer is D, AES. AES offers the robust security and efficient performance that you're looking for as it relates to various pieces of security, and this was one that would be highly recommended. Question two: which hashing algorithm is considered insecure due to collision vulnerabilities? Okay, which hashing algorithm is considered insecure due to collision vulnerabilities? A, SHA-256; B, MD5; C, both SHA and MD5; or D, neither SHA nor MD5. And the answer is B, MD5. MD5 suffers from weaknesses that allow attackers to create colliding message pairs, thus compromising the integrity of its verification abilities. SHA-256 does remain secure and therefore it is recommended for hashing. Question three: what key size does RSA commonly use for encryption? A, 128 bits; B, 256 bits; C, varies depending upon application; or D, RSA is not typically used for encryption. Which key size does RSA commonly use for encryption? That's the question, and the answer is D, RSA is not typically used for encryption. It employs key sizes up to 2048 or higher for stronger encryption and it is capable of encryption, but technically it's commonly used for key exchange and digital signatures, so it is not typically used for encryption. What type of cryptography algorithm is best suited for securing communications on resource constrained devices such as wearables? Okay, again, if you're looking at a wearable, obviously that's like an IoT device. You'd want something with a low bit or a low key, right? So a low bit, a low amount of bits, a reduced amount of bits. I can't even say it, but you want fewer bits, so you want that if you're dealing with a wearable. A, AES; B, RSA; C, ECC; or D, 3DES. Okay, so AES, RSA, ECC or 3DES.
Again, which algorithm is best suited for securing communications on resource constrained devices such as wearables? And that would be ECC. It offers comparable security to RSA, but with a smaller key size, making it much more efficient for these smaller type devices. Question five: which protocol allows secure key exchange over an insecure channel without pre-shared secrets? So, which protocol allows secure key exchange over an insecure channel without pre-shared secrets? A, AES; B, Diffie-Hellman; C, Digital Signature Algorithm; D, ElGamal. Which protocol allows secure key exchange over an insecure channel without a pre-shared secret? A, AES; B, Diffie-Hellman; C, Digital Signature; or D, ElGamal? And the answer is B. Diffie-Hellman enables two parties to establish a shared secret key even if their communication is intercepted, making it crucial for secure communication protocols such as TLS and SSH. Which advantage does asymmetric cryptography offer over symmetric cryptography? A, faster encryption and decryption speeds; B, non-repudiation and digital signatures; C, smaller key sizes; or D, more readily available hardware acceleration. Okay. Which advantage does asymmetric cryptography have over symmetric? And the answer is B, non-repudiation and digital signatures. Okay. Asymmetric cryptography allows digital signatures, ensuring non-repudiation, obviously proof of ownership, which is not achievable with symmetric algorithms. Question seven: which of the following is a common application used for hashing algorithms? A, password storage; B, software download integrity verification; C, data encryption; or D, blockchain technology. Which of the following is a common application used for hashing algorithms? And the answer is B, software download integrity verification. So when you're doing integrity verification of downloads, a hashing algorithm is typically used. Why? Because you want to ensure that what is downloaded is actually what you're getting.
So you'll see, often when you go to do a download, you'll have the hashing algorithm off to the side, and then you can compare hashes on what you're downloading to ensure that you're getting what you are wanting. Question eight: which algorithm is most vulnerable to brute force attacks due to its small key size? A, AES-256; B, SHA-512; C, ECC; D, DES. Okay, so which algorithm is most vulnerable to brute force attacks due to its small key size? And that is DES. DES uses a 56-bit key, making it susceptible to being cracked by various attackers. So that's why you want to use stronger algorithms, such as AES and SHA. Question 9. Which potential drawback does the key exchange in asymmetric cryptography have compared to symmetric cryptography? A, lower performance due to complex calculations; B, susceptibility to man-in-the-middle attacks; C, increased key management complexity; or D, all of the above? And the answer is D, all of the above. Asymmetric cryptography can be slower than symmetric due to intricate mathematical operations. It also requires careful management of public and private keys, increasing its complexity. Question 10. Why is using a combination of different cryptography algorithms recommended for secure systems? A, to avoid vendor lock-in; B, to leverage the strengths of each algorithm for specific tasks; C, to comply with industry regulations; or D, to make system debugging easier. Why is a combination of different cryptography algorithms recommended in secure systems? And the answer would be B, to leverage the strengths of each algorithm for the specific tasks that are at hand. So, if you're dealing with RSA, you're dealing with AES, you're dealing with SHA-256, each of those will have different uses within your organization and therefore they can be used in a layered approach. Question 11. Which organization publishes recommendations for secure cryptography use in the industry? A, FBI; B, NIST; C, (ISC)², CISSP; or D, NSA?
And the answer is B, NIST. See, the National Institute of Standards and Technology does publish special publications, such as SP857, which provides guidance on cryptography, or cryptographic algorithms, and their potential applications. Question 12. What is the primary purpose of a digital signature in the context of cryptography? A, to encrypt data for secure storage; B, to guarantee data confidentiality; C, to ensure data integrity and non-repudiation; or D, to compress data for efficient transmission. What is the primary purpose of a digital signature in the context of cryptography? And the answer is C, to ensure data integrity and non-repudiation. Digital signatures primarily offer data integrity and non-repudiation. By binding the message to the sender's private key, anyone can verify the message hasn't been tampered with and identify the origin. This is all through the public key infrastructure, PKI. Question 13. When choosing a cryptographic algorithm for an application, what factors should be considered? A, cost of implementation; B, vendor support and availability; C, security strength and maturity of the algorithm. Again, the question is, when choosing a cryptographic algorithm for an application, what factors should be considered? And the answer is D, all of the above. I don't think, I forgot to mention that one. It's all of the above: cost of implementation, vendor support and availability, and security strength and maturity of the algorithm. All of those should be considered as factors. Question 14. What best practice should be followed to secure cryptographic keys in an environment? A, store the keys in plain text for easy access; B, use the same key for multiple purposes; C, implement strong key generation, storage and rotation mechanisms; or D, rely solely on software-based key management. What best practice should be followed to secure cryptographic keys in your environment?
And the answer is C, implement strong key generation, storage and rotation mechanisms. You wanna have all of that in place when you're dealing with keys, and that's really a big factor. As soon as you possibly can, if you have some level of password management and you have keys in your environment, you wanna look at rotating them as much as you possibly can, within practice, right, within what's practical. You wanna make sure that you're not just creating more work for yourself. But key rotation is an important factor in security. Which statement is true regarding forward secrecy in cryptography? What does, so, basically, what does forward secrecy do? A, it guarantees complete protection against decryption, even with compromised keys; B, it ensures past sessions cannot be decrypted if future session keys are compromised; C, it provides perfect security against all cryptographic attacks; or D, it is not relevant for modern, secure communication protocols. So, which statement is true regarding forward secrecy in cryptography, and what is forward secrecy? Well, basically, forward secrecy ensures past sessions cannot be decrypted if future session keys are compromised. That's the ultimate goal, is that it's mitigating damage from key exposure. Now, it's obviously not completely 100% gonna fix everything, but it will allow you to have some level of protection. And again, all of this comes down to layering it, right? We cannot guarantee that one thing is going to fix everything. You have to ensure that you have layers in place to ensure your protection is adequate. Okay, that's all I've got for you today. Again, this was CISSP Question Thursday. Head on over to CISSPcybertraining.com. Check out some of the great products I've got there. I've got some awesome stuff to help you pass the CISSP exam the first time. Had another one come in today. An individual just passed their CISSP and they're on their way to doing what they wanna do. So life is good. Catch out.
I've got a mentoring and coaching program as well. It's available for you. If you don't know what you wanna do with your life as far as cybersecurity and how to make the next step, check out my mentoring program. It is amazing. I say that not because I'm amazing, no, I'm not amazing at all, but I'm saying that because the one thing I struggled with when it came to the CISSP, and even cybersecurity in general, is I didn't know what to do. I didn't know what was my best career. I'll tell you that I've not done it all, but I've done a lot of different things in security and I can give you some guidance and some direction around that. So go check out my mentoring program. It's definitely well worth it. You get all of my CISSP training, plus you get access directly to me and I will set aside time specifically for you and we will have conversations and make sure that we get you on the right path for success. All right, I hope you have a wonderful day and we will catch you on the flip side. See you.
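The download-integrity check described under question seven (and the reason question two steers you to SHA-256 rather than MD5), as an added example that is not part of the podcast or of CISSP Cyber Training's material: the script hashes the received bytes with SHA-256 in chunks, parses a coreutils-style SHA256SUMS listing of the kind vendors publish beside a download, and compares the digests in constant time. The file name, the sample installer bytes and the sums listing are all constructed for this example.

```python
import hashlib
import hmac
import io


def sha256_stream(stream, chunk_size=64 * 1024):
    """Hash a file-like object in fixed-size chunks so a large download
    never has to be loaded into memory in one piece."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_hex(data: bytes) -> str:
    """Convenience wrapper for bytes already held in memory."""
    return sha256_stream(io.BytesIO(data))


def parse_sums_file(text: str) -> dict:
    """Parse a coreutils-style SHA256SUMS listing ("<hex>  <filename>")
    into {filename: hex}. A leading '*' on the filename (binary mode) is
    stripped; blank lines and '#' comments are skipped; a digest that is
    not 64 hex characters is rejected rather than silently accepted."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        sums[name] = digest
    return sums


def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare the digest of what was actually received against the
    published value. hmac.compare_digest is used so the comparison time
    does not depend on how many leading characters happen to match."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


# --- constructed sample data (hypothetical release, not a real product) ---
GENUINE = b"#!/bin/sh\necho 'installing example tool 1.0'\n"
TAMPERED = GENUINE.replace(b"installing", b"installing (modified)")

# The vendor side: the SHA256SUMS text that would sit beside the download.
PUBLISHED_SUMS_TEXT = f"{sha256_hex(GENUINE)}  *install-1.0.sh\n"
PUBLISHED = parse_sums_file(PUBLISHED_SUMS_TEXT)

if __name__ == "__main__":
    expected = PUBLISHED["install-1.0.sh"]
    print("genuine :", verify_download(GENUINE, expected))   # True
    print("tampered:", verify_download(TAMPERED, expected))  # False
```

Two design points worth noting: the published digest only proves the bytes match what the publisher listed, so the SHA256SUMS file itself has to come over an authenticated channel (TLS to the vendor's site, or a detached signature over the sums file) or an attacker who can swap the download can swap the listing too; and `compare_digest` is cheap insurance against timing side channels whenever a secret or integrity value is compared.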

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
