Effective CISSP Questions

  1. A server generates a number randomly, sends it to the client in clear text, and waits for the client to encrypt it using the subject’s private key and send it back. The server then decrypts it using the subject’s public key registered previously. What is the most likely purpose of this process?
    A. Identification
    B. Confidentiality of data in motion
    C. Key agreement
    D. Authentication
  2. A client generates a session key randomly, encrypts it using a server’s public key, and sends it to the server which decrypts the session key using its private key to initiate a secure channel. Which of the following best describes this process?
    A. Diffie-Hellman
    B. Key agreement
    C. Key exchange
    D. Authentication

I designed the second question as an extension of the first question. I’d like to thank Rahul Kamath for reminding me of the public key usage. I was focused on the main idea to be tested in this question and overlooked the basic principle of public key usage. The question has been revised as above. Thanks again, Rahul!

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Authentication for Q1 and C. Key exchange for Q2.

Asymmetric Key Usage

The public key and private key are generated as a key pair. The public key is available publicly while the private key must be highly protected. Ciphertext encrypted by the public key can only be decrypted by the corresponding private key, and a value transformed with the private key can only be undone with the corresponding public key.

Based on the security property stated above, the server authenticates the subject by recovering, with the subject’s previously registered public key, the number the subject transformed with its private key. Authentication succeeds if the recovered number matches the random number the server sent: only the holder of the matching private key could have produced that response, so the server is assured the subject is the one registered previously. Because the challenge is random and fresh for every attempt, a captured response cannot be replayed in a later session. In practice this “encrypt with the private key” step is performed as a digital signature over the challenge (for example RSASSA-PSS or ECDSA) rather than a raw private-key operation, since applying a raw RSA private key to arbitrary values chosen by the other party is unsafe.

Key Exchange

  • Determined (key transport). One party generates the key and simply sends it to the other party; the other party has no influence on the key. e.g. a session key encrypted with the recipient’s public key, as in Q2.
  • Agreed (key agreement). Both parties contribute to the key in such a way that each influences the outcome. e.g. Diffie-Hellman.
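The following is an added example, not code from the original post, that models the three exchanges discussed above: the challenge-response authentication of Q1, the key transport of Q2, and Diffie-Hellman key agreement. It uses only the Python standard library with textbook RSA built from two fixed Mersenne primes and a toy DH modulus; these parameters, and the function names, are my own choices made for readability and show the protocol shape only. Real systems use a library such as `cryptography`, padded schemes (RSASSA-PSS for signing, RSAES-OAEP for key transport) and a standard DH or ECDH group.

```python
"""Added example (not from the original post): the three exchanges in the quiz,
modelled with textbook RSA and Diffie-Hellman using only the standard library.
Toy parameters: fixed Mersenne primes for RSA and a small DH modulus. They show
the protocol shape only, not a secure implementation."""
import hashlib
import secrets


# ---- textbook RSA key pair from two fixed Mersenne primes (toy, not secure) ----
def rsa_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)); pow(e, -1, phi) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


PUBLIC_KEY, PRIVATE_KEY = rsa_keypair(2**61 - 1, 2**89 - 1)        # n is ~150 bits
IMPOSTOR_PRIVATE_KEY = rsa_keypair(2**89 - 1, 2**107 - 1)[1]       # a different, unregistered key


def private_op(m: int, key) -> int:
    """The quiz's 'encrypt with the private key': a raw RSA private-key operation."""
    n, d = key
    if not 0 < m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, d, n)


def public_op(c: int, key) -> int:
    """The quiz's 'decrypt with the public key' (and 'encrypt with the public key')."""
    n, e = key
    return pow(c, e, n)


# ---- Q1: challenge-response authentication ----
def challenge_response_auth(registered_pub, client_priv, challenge=None) -> bool:
    """Server checks that the client holds the private key matching the public key
    registered earlier. A fresh random challenge means a captured response
    cannot be replayed in a later session."""
    if challenge is None:
        challenge = secrets.randbits(128)             # server: random number, sent in clear
    response = private_op(challenge, client_priv)     # client: transform with private key
    return public_op(response, registered_pub) == challenge   # server: undo with public key


# ---- Q2: key exchange by transport ("determined") ----
def client_wrap_session_key(server_pub):
    """Client alone picks the session key and encrypts it to the server's public key."""
    session_key = secrets.randbits(128)
    return session_key, public_op(session_key, server_pub)


def server_unwrap_session_key(server_priv, ciphertext) -> int:
    """Server recovers the session key; it had no influence on its value."""
    return private_op(ciphertext, server_priv)


# ---- key agreement ("agreed"): Diffie-Hellman ----
DH_P = 2**127 - 1   # toy modulus (a Mersenne prime); use RFC 7919 ffdhe2048 or ECDH for real
DH_G = 3


def dh_keypair():
    x = secrets.randbelow(DH_P - 3) + 2               # private exponent in [2, p-2]
    return x, pow(DH_G, x, DH_P)


def dh_shared_key(my_private: int, peer_public: int) -> bytes:
    """Both sides compute g^(xy) mod p; each side's secret influences the result."""
    if not 1 < peer_public < DH_P - 1:                # reject 0, 1 and p-1
        raise ValueError("invalid peer public value")
    shared = pow(peer_public, my_private, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()   # fixed-size session key


if __name__ == "__main__":
    print("Q1 genuine client:", challenge_response_auth(PUBLIC_KEY, PRIVATE_KEY))
    print("Q1 impostor:", challenge_response_auth(PUBLIC_KEY, IMPOSTOR_PRIVATE_KEY))
    k, c = client_wrap_session_key(PUBLIC_KEY)
    print("Q2 server recovered key:", server_unwrap_session_key(PRIVATE_KEY, c) == k)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    print("DH both sides agree:", dh_shared_key(a_priv, b_pub) == dh_shared_key(b_priv, a_pub))
```

Note the difference visible in the two key-exchange functions: in `client_wrap_session_key` the server receives a key it never helped choose, while in `dh_shared_key` neither side can fix the result alone, which is what separates key transport from key agreement.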

Key Management
