You are developing a client/server-based application in which the client shall communicate with the server through a trusted channel supported by symmetric encryption. Which of the following is least likely employed to exchange or distribute the predefined secret key? (Source: Wentz QOTD)
A. Human brain
B. Diffie-Hellman
C. Public Key Encryption
D. USB flash drive dongle
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Diffie-Hellman.
Out-of-band
When configuring site-to-site VPN with preshared key, the system administrator may choose a simple preshared key, memorize it, and type into all the VPN servers. It is the human brain used to distribute the key.
Another example is the wireless network. When you connect your PCs, laptops, tablets, mobile phones, or other devices to the wireless AP, you must type in the key recalled from your memory without much effort.
The secret key shared between clients, and the server can be configured statically through memorization or USB flash drives. In other words, it can be set or distributed out of the band.
In-band
The secret key can be generated before it is exchanged or negotiated dynamically during the key agreement process.
- The public key encryption means the secret is produced or determined, and then it is encrypted by the recipient’s public key.
- The secret key doesn’t have to be generated in advance. It is determined during the Diffie-Hellman key agreement process. It is produced dynamically and agreed by both parties.
Reference
您正在開發一個主從架構的應用程式,其中客戶端須透過AES加密的可信任通道與伺服器進行通訊。 以下哪項最不可能用來交換或分發事先定義的AES密鑰?
A. 人腦
B. 迪菲·赫爾曼 (Diffie-Hellman)
C. 公開金鑰加密 (Public Key Encryption)
D. USB隨身碟
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
