CISSP PRACTICE QUESTIONS – 20200827

Posted on by

Effective CISSP Questions

According to ISO/IEC 29192-1:2012, a side-channel attack is an “attack based on information gained from the physical implementation of a cryptosystem.” Which of the following is not one of the information sources exploited to initiate side-channel attacks?
A. Timing information
B. Power consumption
C. Electromagnetic and acoustic emissions
D. Theoretical weaknesses of ciphers


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Theoretical weaknesses of ciphers.

Side-Channel Monitoring

Side-channel attacks are attacks to physical cryptosystems by collecting and exploiting physical-level information, such as:

However, attacks based on brute force or theoretical weaknesses in the underlying algorithms don’t belong to side-channel attacks.

Timing Information

In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms.

Source: Wikipedia

Electromagnetic Emissions

Electromagnetic noise emitted from running computer displays modulates information about the picture frames being displayed on screen. Attacks have been demonstrated on eavesdropping computer displays by utilising these emissions as a side-channel vector.

Spectrograms-of-AM-demodulated-EM-emissions-acquired-from-an-Arduino-device-that-were

Source: Accuracy Enhancement of Electromagnetic Side-Channel Attacks on Computer Monitors

Fault Injection

The following video, made by the Center for Information Technology Policy (CITP) at Princeton University, “describes the attacks that result from the remanence of encryption keys in DRAM after power loss.”

TEMPEST and EMSEC

TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) is a U.S. National Security Agency specification and a NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC).

While much of TEMPEST is about leaking electromagnetic emanations, it also encompasses sounds and mechanical vibrations. For example, it is possible to log a user’s keystrokes using the motion sensor inside smartphones.

Compromising emissions are defined as unintentional intelligence-bearing signals which, if intercepted and analyzed (side-channel attack), may disclose the information transmitted, received, handled, or otherwise processed by any information-processing equipment.

Source: Wikipedia

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

根據ISO/IEC 29192-1:2012的定義,側通道(side-channel)攻擊是“從實體加密系統的實作中獲取信息所發起的攻擊”。 以下哪個不是被用來發起側通道攻擊的信息來源之一?
A.時序(timing)信息
B.耗電量
C.電磁和聲波的訊號溢出
D.密碼學的理論弱點

1 thought on “CISSP PRACTICE QUESTIONS – 20200827

  1. Pingback: Side-Channel Attack by Wentz Wu, CISSP-ISSMP,ISSAP,ISSEP/CCSP/CSSLP/CISM/CISA/CEH/PMP/CBAPWentz Wu

Leave a Reply