CISSP PRACTICE QUESTIONS – 20200228

Effective CISSP Questions

Your company sells toys online and ships globally. The cryptographic implementation of the shopping website follows FIPS (Federal Information Processing Standards). The customer service representatives (CSR) report a serious workload issue: customer complaints flood in from all service channels about the inconvenience of the website's password reset procedure. If retrieving passwords is technically impossible, which of the following cryptographic algorithms is most likely to cause this problem?
A. DES (Data Encryption Standard)
B. SHA (Secure Hash Algorithms)
C. MD5 (Message Digest)
D. Advanced Encryption Standard (AES)


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. SHA (Secure Hash Algorithms).

Case Study for Cryptography

How to persist user passwords is a significant design decision when developing a software solution: the passwords at rest are either encrypted or hashed.

  • Encrypting passwords at rest supports the software feature "retrieve password." Users can "retrieve" or query the original password if they forget it. Why support password retrieval at all? Because resetting a password is more cumbersome and costly than retrieving it. If your target users are not tech-savvy, a reset flow can be a nightmare for them, and the resulting reset requests may overwhelm your customer support team. The cost is that the password is recoverable by anyone with access to the ciphertext and the key: DBAs have access to the stored credentials and may be "technically" capable of decrypting them even if they are not authorized to do so, and so is an attacker who steals the database together with the key.
  • Hashing passwords at rest requires the feature "reset password." A hash is a one-way function: what is stored is the password's digest, not the password, so the original cannot be "decrypted" or "retrieved." The only way to verify a login is to hash the candidate password again and compare the digests, and the only recovery path for a forgotten password is to replace the record with a new one.

Since retrieving passwords is technically impossible, the passwords at rest must be hashed rather than encrypted, which rules out the two reversible ciphers: DES (FIPS 46-3, withdrawn in 2005) and AES (FIPS 197). That leaves MD5 or SHA. MD5, however, is not a FIPS-approved hash function; the SHA family (FIPS 180-4, and SHA-3 in FIPS 202) is. A FIPS-compliant site that cannot return passwords is therefore most likely hashing them with SHA. In practice a bare SHA digest is still not an adequate password store: it should be salted and iterated through a password-based key derivation function such as PBKDF2 (NIST SP 800-132), which uses HMAC-SHA as its building block and remains FIPS-approved.
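The following is an added example, not code from the original post, that shows what "hash at rest" looks like in practice and why it forces a reset flow. It stores a salted PBKDF2-HMAC-SHA-256 digest (the FIPS-approved construction from NIST SP 800-132), verifies a login by recomputing the digest, and implements "forgot password" as a replacement of the record rather than a retrieval. The record layout, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumptions for this example: PBKDF2 with HMAC-SHA-256 as the PRF
# (NIST SP 800-132). The iteration count is a tuning parameter; pick the
# largest value your login latency budget tolerates.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST = "sha256"


@dataclass(frozen=True)
class PasswordRecord:
    """What the database holds: a one-way digest, never the password itself."""
    salt: bytes
    iterations: int
    digest: bytes


def store_password(password: str) -> PasswordRecord:
    """Hash-at-rest: derive a salted, iterated digest from the password.

    A fresh random salt per record means two users with the same password
    get different digests, so a leaked table cannot be attacked with a
    single precomputed lookup.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        DIGEST, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return PasswordRecord(salt=salt, iterations=PBKDF2_ITERATIONS, digest=digest)


def verify_password(record: PasswordRecord, candidate: str) -> bool:
    """The only operation a hash supports: recompute and compare.

    The stored salt and iteration count are reused so the derivation is
    repeatable; hmac.compare_digest keeps the comparison constant-time.
    """
    candidate_digest = hashlib.pbkdf2_hmac(
        DIGEST, candidate.encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(candidate_digest, record.digest)


def reset_password(record: PasswordRecord, new_password: str) -> PasswordRecord:
    """"Forgot password" with hashed storage: the old record is discarded.

    Nothing in `record` lets the service compute the old password, so a
    "retrieve password" feature cannot be built on top of it; replacing the
    record is the only recovery path, which is the support-desk cost the
    question describes.
    """
    del record  # the old digest carries no recoverable information
    return store_password(new_password)


def same_password_differs(password: str) -> bool:
    """Show that salting makes two records of one password unequal."""
    first, second = store_password(password), store_password(password)
    return first.salt != second.salt and first.digest != second.digest


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    record = store_password("correct horse battery staple")
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong pw:", verify_password(record, "Tr0ub4dor&3"))
    record = reset_password(record, "a brand new passphrase")
    print("old pw after reset:", verify_password(record, "correct horse battery staple"))
    print("salted records differ:", same_password_differs("duplicate"))
```

Note that the verification side never "decrypts" anything; if a product requirement says "show the user their current password," this design cannot satisfy it, and that is exactly the trade-off the case study describes.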

Your company sells toys online and ships globally. The implementation of the shopping website follows FIPS (Federal Information Processing Standards). The customer service representatives (CSR) report a serious workload issue, mainly that customers are flooding in from all service channels to complain that the website's password reset procedure is very inconvenient. If retrieving passwords is technically impossible, which of the following cryptographic algorithms is most likely to cause this problem?
A. DES (Data Encryption Standard)
B. SHA (Secure Hash Algorithms)
C. MD5 (Message Digest)
D. Advanced Encryption Standard (AES)
