CISSP PRACTICE QUESTIONS – 20190903

Effective CISSP Questions

Alice generated a public/private key pair for asymmetric cryptography. She sent to Bob a document with a message digest encrypted by her private key. Bob then validated the document by computing a new message digest from the document and comparing it with the decrypted message digest. If the comparison matches, Bob can assure that the document comes from Alice while she can not deny it. Which of the following best describes the process or security property when taking technical and legal aspects into account?
A. Electronic Signature
B. Authenticity
C. Digital signature
D. Non-repudiation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Digital signature.

Summary

  • Non-repudiation has both technical and legal significance. Technical non-repudiation can be realized through digital signature, while legal non-repudiation is legally binding.
  • Digital signature with the legal binding is one form of Electronic Signature. However, not all digital signatures are legally binding.
  • Alice implemented digital signature (technical non-repudiation) without legal binding (legal non-repudiation).

Non-repudiation

Authenticity

  • The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See Authentication.
  • The property that data originated from its purported source.
  • Source: NIST SP 800-137

Non-repudiation

  • Assurance
    • that the sender is provided with proof of delivery and
    • that the recipient is provided with proof of the sender’s identity
    • so that neither can later deny having processed the data.
  • Technical non-repudiation refers to the assurance a Relying Party has that if a public key is used to validate a digital signature, that signature had to have been made by the corresponding private signature key. (Digital signature)
  • Legal non-repudiation refers to how well possession or control of the private signature key can be established. (Electronic Signature)
  • Source: NIST SP 800-32

Digital Signature

  • A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).
  • An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature.
  • Digital signatures provide authenticity protection, integrity protection, and non-repudiation.

Electronic Signature

  • Electronic signatures have legal significance.
  • Digital signatures are often used to implement electronic signatures, which includes any electronic data that carries the intent of a signature, but not all electronic signatures use digital signatures.
  • Source: Wikipedia

Are Electronic Signatures Legal?

An electronic signature, or e-signature, refers to accepting an agreement or contract in digital form. This type of digital signature provides the same legal standing as a handwritten signature as long as it adheres to the necessary requirements.

In the United States, there are a number of laws that inform the requirements that make e-signatures legally binding:

  • The Electronic Signatures in Global and National Commerce (E-SIGN) Act (15 U.S.C. §§7001-7031)
  • The Uniform Electronic Transactions Act (UETA) (7A Pt. 1 U.LA. 211, 211-99 (2002))
  • Additionally many states have adopted some form of the UETA
  • PactSafe’s Signature Acceleration Platform has been designed with compliance of electronic signature law in mind.

Use this checklist to ensure your e-signatures are ironclad.

  • Intent to Sign – The signer must show clear intention to sign the document. This intent is shown through the action of somehow drawing their signatures electronically, typing their name or clicking an accept box.
  • Consent to Do Business Electronically Clause – Some portion of the agreement must include a clause that indicates all parties involved are consenting to have the transaction occur electronically.
  • Opt-out Clause – The signer must always have the option to decline signing electronically. If the signer declines to sign electronically, a physical copy to sign and return must be provided.
  • Associated Record Retention – The agreement must remain accessible to both parties for reference and must be retained in the form in which it was signed.
  • Signed Copies – Both parties should receive a copy of the signed document for their personal records. A digital file sent via email is acceptable.

References

 

 

One thought on “CISSP PRACTICE QUESTIONS – 20190903

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s