CISSP PRACTICE QUESTIONS – 20210602

Your company sells toys online through a large-scale web-based E-commerce system. To comply with the Payment Card Industry Data Security Standard (PCI DSS), you decide to rotate secret keys on a regular schedule. Which of the following is the primary purpose? (Wentz QOTD)
A. Increase the number of round keys of the key schedule.
B. Increase the entropy of the random number generator and work factor.
C. Decrease the probability of the loss of confidentiality.
D. Decrease the impact of the secret key being cracked.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Decrease the impact of the secret key being cracked.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

If a secret key can be cracked in 60 days using brute force, any keys can be broken in 60 days. So, key rotation doesn’t increase the work factor or decrease the probability of the loss of confidentiality. It primarily decreases the impact if the secret key is cracked. For example, if we rotate keys every 30 days, we lose only 30 days of data once a key is compromised.

Round keys are used in a cipher; the key schedule is the algorithm that produces round keys. It’s not related to the key rotation task.

Key rotation doesn’t change the entropy and alter the work factor to crack a key.

• Entropy is a measure of uncertainty or randomness. Cryptographic keys and a nonce (number only used once, e.g., IV) rely on the randomness to the entropy of the random number generator. A fair six-sided dice has higher entropy than a fair two-sided coin; a fair six-sided dice also produces higher entropy than a biased dice that renders one, two, three only.
• Work factor is the “estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure.” (CNSSI 4009-2015)

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. 增加密鑰表(key schedule)的輪密鑰(round keys)數。
B. 增加亂數產生器的熵(entropy)和工作因子(work factor)。
C. 降低機密性喪失的可能性。
D. 降低秘鑰被破解的影響。