Effective CISSP Questions

You are evaluating cryptographic algorithms to secure your order processing. Three block-ciphers, RC6, Rijndael, and Twofish, are on the final list after the first round of evaluation. Which of the following terminologies is least likely used in the evaluation process? (Source: Wentz QOTD)
B. Salt
C. Nonce
D. Entropy

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Salt.



In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user’s password against being read from the system. A salt is one of those methods.

Source: Wikipedia

Nonce (Number used ONCE)

In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication.

Source: Wikipedia

IV (Initialization Vector)

An IV is a unique fixed-size value used in cryptography to avoid repeating patterns. The property of uniqueness means that no IV may be reused under the same key.

An IV should be random (unpredictable) to avoid an attacker to infer relationships between segments of the encrypted message. If an IV is predictable, it is a nonce.

In cipher-block chaining mode (CBC mode), the IV must, in addition to being unique, be unpredictable at encryption time. In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the BEAST attack.

Source: Wikipedia


In cryptanalysis, entropy is often roughly used as a measure of the unpredictability of a cryptographic key, though its real uncertainty is unmeasurable. For example, a 128-bit key that is uniformly and randomly generated has 128 bits of entropy. It also takes (on average) {\displaystyle 2^{128-1}}2^{128-1} guesses to break by brute force. Entropy fails to capture the number of guesses required if the possible keys are not chosen uniformly.[12][13] Instead, a measure called guesswork can be used to measure the effort required for a brute force attack.

Source: Wikipedia



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.


Leave a Reply