After receiving the bill, Adam insists a hacker logged into an online jewelry store with his credentials and bought a ring using his credit card without his consent. He denied the transaction and refused to pay. Which of the following is the best strategy for the online store to prevent this situation from recurring? (Wentz QOTD)
A. Implement the Digital Signature Algorithm (DSA)
B. Encrypt the hash of the transaction using Adam’s private key
C. Establish a trustworthy enterprise-wide trusted root certification authority
D. Protect Adam’s credentials using hash-based message authentication code (HMAC)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Implement the Digital Signature Algorithm (DSA).
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.
The Digital Signature Algorithm, approved in FIPS 186-4, produces a digital signature that enforces non-repudiation. A digital signature can be implemented to enforce non-repudiation by encrypting a message digest (hash) with the sender’s private key. Encrypting the hash of the transaction with Adam’s private key is a common implementation of a digital signature. However, that general implementation may not be as specific and sufficient to be legally binding as the algorithms approved in FIPS 186-4.
The public key infrastructure (PKI) is one of the most common and foundational implementations used to enforce non-repudiation. However, well-known trusted CAs play a crucial role. A proprietary enterprise-wide implementation of the PKI is technically feasible, but establishing a trustworthy enterprise-wide trusted root certification authority is cumbersome because the root CA certificate has to be distributed to every relying party. Moreover, certificates are issued for various purposes. Implementations of non-repudiation should be technically strong and legally binding; the PKI is technically strong and reliable but may not be legally binding. In other words, implementing the Digital Signature Algorithm (DSA) typically involves the PKI, but a PKI by itself may not implement a legitimate digital signature.
Integrity: Authenticity and Non-repudiation
Data integrity and data origin authentication are not equal to non-repudiation. Data integrity means the recipient believes that the received data has not been modified. Data origin authentication means the recipient believes the identity of the sender who delivered the data is genuine. A hash-based message authentication code (HMAC) relies on a hash function and a shared key to calculate the message authentication code used to validate authenticity. Protecting Adam’s credentials typically entails encryption and may involve using a hash-based message authentication code (HMAC).
- Non-repudiation is the “protection against an individual falsely denying having performed a particular action.” (NIST SP 800-53 R4) In a context of communication, the individual refers to either the sender or the recipient.
- Non-repudiation also refers to the “assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.” (NIST SP 800-60 Vol. 1 R1)
The Digital Signature Algorithm (DSA) is a legitimate digital signature algorithm approved by FIPS 186-4, which means it is technically strong and legally binding. FIPS 186-4 approves three techniques, DSA, RSA, and ECDSA, as shown in FIPS PUB 186-4 (referenced below):
- FIPS PUB 186-4
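To make the contrast between option A and option D concrete, the following is an added example (not from the post and not FIPS 186-4 reference code) of the DSA flow in plain Python: hash the transaction, sign it with Adam's private key, and verify it using only his public key. The group sizes are toy values far below what FIPS 186-4 approves, chosen only so the code runs quickly, and the TRANSACTION record is a constructed sample; an HMAC over the same record would be verified with the shared key, which the store also holds, so it could not prove that Adam consented.

```python
import hashlib
import secrets

TRANSACTION = b"order=ring-42;amount=2500;card=****1234"  # constructed sample order
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test for n >= 5."""
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random witness a**d mod n
        if x == 1:
            continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True
def generate_params():
    """Toy domain parameters (p, q, g): 64-bit prime q, 256-bit prime p, q | p-1."""
    while True:
        q = secrets.randbits(64) | (1 << 63) | 1
        m = secrets.randbits(192) & ~1 | (1 << 191)  # even cofactor, p = q*m + 1
        p = q * m + 1
        if is_probable_prime(q) and is_probable_prime(p) and pow(2, m, p) > 1:
            return p, q, pow(2, m, p)  # g = 2**((p-1)/q) has order q
def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1  # private key, held only by the signer (Adam)
    return x, pow(g, x, p)  # (private x, public y)
def hash_to_int(msg: bytes, q: int) -> int:
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return z >> max(0, 256 - q.bit_length())  # FIPS 186-4: keep q's bit length
def sign(params, x: int, msg: bytes):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh per-signature secret, never reused
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
        if r and s:
            return r, s
def verify(params, y: int, msg: bytes, r: int, s: int) -> bool:
    p, q, g = params  # only the public key y is needed; no private material
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r
```

Because verification needs only y, the store can check the signature but cannot produce one, which is exactly the property that lets it hold Adam to the transaction.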
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.
After receiving the bill, Adam insists that a hacker logged into an online jewelry store with his account and password and, without his consent, used his credit card to buy a ring. He denied the transaction and refused to pay. Which of the following is the best strategy for the online store to prevent this situation from recurring? (Wentz QOTD)
A. Implement the Digital Signature Algorithm (DSA)
B. Encrypt the hash of the transaction using Adam’s private key
C. Establish a trustworthy enterprise-wide trusted root certification authority (Trusted Root CA)
D. Protect Adam’s account and password using a hash-based message authentication code (HMAC)