Effective CISSP Questions

Your company develops web conferencing products. You are the head of the research and development department. You plan to provide end-to-end protection over user sessions based on the symmetric cipher. An open design, work factor of cryptanalysis, and user acceptance are major evaluation criteria. Which of the following is the least appropriate cipher?
A. Rijndael
B. Skipjack
D. Serpent

Wentz’s Book, The Effective CISSP: Security and Risk Management

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Skipjack.


Open Design

Kerckhoffs’s principle states, “a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” (Wikipedia) Cryptographers widely embrace this concept. In contrast, sole reliance on “security through obscurity” and proprietary or in-house algorithms without open review don’t meet the principle.

The selection process of the Advanced Encryption Standard (AES), lasting from 1997 to 2000, is open to public review and held to replace the Data Encryption Standard (DES).

According to Wikipedia, fifteen different designs were created and submitted from several different countries. They were, in alphabetical order: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish. Five out of the fifteen were selected as the finalists:

  1. Rijndael: 86 positive, 10 negative
  2. Serpent: 59 positive, 7 negative
  3. Twofish: 31 positive, 21 negative
  4. RC6: 23 positive, 37 negative
  5. MARS: 13 positive, 84 negative

Rijndael finally became the Advanced Encryption Standard (AES).

Work Factor

Work Factor is defined as the amount of effort (usually measured in units of time) needed to break a cryptosystem.

The Work Factor of a cryptosystem is related to its key-length and the working mechanism used (encryption and decryption algorithms). For example, if the brute force attack method is used to break the system (trying all possible combinations of the key), then the work factor is directly proportional to the length of the key. For every addition of one bit to the key length, the time needed (work factor) is doubled.

Source: BestInternetSecurity

Work Factor vs Time Factor

Work factor is a more appropriate description because time factor is relative to processing power. Time factor, time complexity, computational complexity, and work factor, are used to describe the same thing. When someone says time complexity, they are probably not talking about actual time, but rather computation.

Work factor would be something like “200 trillion iterations of the block cipher”, which is constant.

Time factor would be something like “20 years”, but if you double the compute power, that is now 10 years. Therefore, time factor is only a good comparison with a fixed level of compute or when you can accurately estimate the amount of computation over a given length of time. Time is easier to explain to someone, and compute power raises at a fairly consistent rate, so using time is acceptable, and thus you can give an expiration date to things like public keys.

That being said, “time complexity” is probably the more common term used to describe computational complexity.

Source: StackExchange


Cryptanalysis (from the Greek kryptós, “hidden”, and analýein, “to loosen” or “to untie”) is the study of analyzing information systems in order to study the hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

Source: Wikipedia

User Acceptance

Clipper chip

The Clipper chip used a data encryption algorithm called Skipjack to transmit information and the Diffie–Hellman key exchange-algorithm to distribute the cryptokeys between the peers. Skipjack was invented by the National Security Agency of the U.S. Government; this algorithm was initially classified SECRET, which prevented it from being subjected to peer review from the encryption research community. The government did state that it used an 80-bit key, that the algorithm was symmetric, and that it was similar to the DES algorithm.

Lack of adoption

The Clipper chip was not embraced by consumers or manufacturers and the chip itself was no longer relevant by 1996; the only significant purchaser of phones with the chip was the United States Department of Justice.[11] The U.S. government continued to press for key escrow by offering incentives to manufacturers, allowing more relaxed export controls if key escrow were part of cryptographic software that was exported. These attempts were largely made moot by the widespread use of strong cryptographic technologies, such as PGP, which were not under the control of the U.S. government.

Source: Wikipedia


The acronym RSA is the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman. It may refer to the RSA cryptosystem publicly described in 1977 or the company, RSA Security, founded in 1982.

RSA RC6 here refers to RC6 is a proprietary algorithm owned by RSA.


In cryptography, RC6 (Rivest cipher 6) is a symmetric key block cipher derived from RC5. It was designed by Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin to meet the requirements of the Advanced Encryption Standard (AES) competition. The algorithm was one of the five finalists, and also was submitted to the NESSIE and CRYPTREC projects. It was a proprietary algorithm, patented by RSA Security.

Source: Wikipedia



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

Leave a Reply