CISSP PRACTICE QUESTIONS – 20210917

Effective CISSP Questions

Alice wants to send a contract with a digital signature that enforces nonrepudiation to Bob. Which of the following best describes the process of generating the digital signature? (Wentz QOTD)
A. Generate a message authentication code of the contract using SHA
B. Generate the contract digest encrypted by Bob’s public key
C. Encrypt the hash value of the contract using Alice’s private key
D. Produce a ciphertext of the contract digest using a secret key agreed by Diffie-Hellman

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Encrypt the hash value of the contract using Alice’s private key.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Digital Signature

"Encrypting the fingerprint of the code using your private key" and "hashing the code and encrypting the result using your private key" are both rewordings of generating a digital signature.

  • Generating a message authentication code of the contract using SHA ensures authenticity of data origin and integrity, but not non-repudiation: the key is shared, so Bob could have produced the same code himself.
  • The contract digest encrypted by Bob’s public key is not a digital signature of Alice; only Bob can decrypt it, and it proves nothing about who produced it.
  • Producing a ciphertext of the contract digest using a secret key agreed by Diffie-Hellman is a distractor. Diffie-Hellman is used for key agreement/exchange, not for encryption or signing.

A digital signature ensures non-repudiation, data integrity, and authenticity. Technically, a digital signature is nothing more than the hash of an object signed by a subject’s private key.
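As an added example (not code from the original post), the signing process described above in Go: Alice hashes the contract with SHA-256 and signs the digest with her RSA private key (the RSA DSA of FIPS 186-4), Bob verifies it with her public key, and an HMAC under a shared key is placed beside it to make the non-repudiation gap of option A concrete. The contract text, key size and shared key are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignContract hashes the contract with SHA-256 and signs the digest with the
// signer's RSA private key (PKCS#1 v1.5 padding): the textbook
// "encrypt the hash with the private key" step of a digital signature.
func SignContract(priv *rsa.PrivateKey, contract []byte) ([]byte, error) {
	digest := sha256.Sum256(contract)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyContract recomputes the digest and checks the signature against the
// signer's public key. Anyone holding Alice's public key can run this check,
// which is what lets a third party attribute the contract to her.
func VerifyContract(pub *rsa.PublicKey, contract, sig []byte) bool {
	digest := sha256.Sum256(contract)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// MACContract is option A: HMAC-SHA256 over the contract under a key shared
// by Alice and Bob. It proves origin and integrity to Bob, but not to anyone
// else, because Bob can produce the identical tag with the same key.
func MACContract(sharedKey, contract []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(contract)
	return m.Sum(nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair
	contract := []byte("Alice agrees to deliver 100 units to Bob.") // constructed sample
	sig, _ := SignContract(alice, contract)
	fmt.Println("Bob verifies Alice's signature:", VerifyContract(&alice.PublicKey, contract, sig))
	tampered := []byte("Alice agrees to deliver 1000 units to Bob.")
	fmt.Println("Signature still valid after tampering:", VerifyContract(&alice.PublicKey, tampered, sig))

	// Option A: Bob reproduces Alice's tag exactly, so the MAC cannot bind the contract to Alice alone.
	shared := []byte("constructed-shared-key")
	fmt.Println("Bob reproduces Alice's MAC:", hmac.Equal(MACContract(shared, contract), MACContract(shared, contract)))
}
```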

Integrity in FISMA
FISMA CIA

FIPS 186-4 approves three techniques: DSA, RSA DSA, and ECDSA, as the following screenshot shows:

Non-repudiation
  • Non-repudiation has both technical and legal significance. Technical non-repudiation can be realized through a digital signature, while legal non-repudiation requires the signature to be legally binding.
  • A legally binding digital signature is one form of electronic signature. However, not all digital signatures are legally binding.

Alice wants to send Bob a contract with a digital signature that provides non-repudiation. Which of the following best describes the process of generating the digital signature? (Wentz QOTD)
A. Generate a message authentication code (MAC) of the contract using SHA
B. Generate the contract digest encrypted with Bob’s public key
C. Encrypt the hash value of the contract using Alice’s private key
D. Use a key agreed through Diffie-Hellman to produce a ciphertext of the contract digest
