
You are configuring the cipher suites of a web server to support secure transmission. Which of the following best enforces confidentiality? (Wentz QOTD)
A. Secure Hash Algorithm-384 (SHA-384)
B. Rivest-Shamir-Adleman (RSA) key exchange
C. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
D. Elliptic Curve Digital Signature Algorithm (ECDSA)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE).

A cipher suite is a set of cryptographic algorithms, e.g., SHA, ECDSA, RSA, ECDHE, etc., that help secure a network connection.
- Secure Hash Algorithm-384 (SHA-384) enforces data integrity, while Elliptic Curve Digital Signature Algorithm (ECDSA) enforces non-repudiation.
- Both Rivest-Shamir-Adleman (RSA) key exchange and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) are key exchange/agreement algorithms to support encryption and enforce confidentiality.
DH Key Agreement vs RSA Key Exchange

The Diffie-Hellman (DH) key agreement method is an alternative to the traditional, RSA-based way of negotiating encryption keys during the SSL handshake. RSA key exchange uses long-term keys (e.g., the public key in a certificate is typically valid for around one year) to encrypt the session key used in secure transmission, so an attacker can decrypt a recorded session if the server’s private key is compromised.
The main advantage of the DH key agreement over the RSA key exchange is that a session key is never sent over the network, providing “perfect forward secrecy” (PFS). PFS ensures that an attacker cannot decrypt a recorded SSL session even if the server’s private key is compromised.
In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key.
Source: Wikipedia
Variants of Diffie-Hellman

The following description about variants of Diffie-Hellman is an excerpt from IBM:
- Anonymous mode
  Anonymous mode does not use authentication and is therefore vulnerable to man-in-the-middle attacks. You should not use anonymous Diffie-Hellman.
- Static mode
  Static Diffie-Hellman reuses at least one of the two DH private keys unchanged for all connections. If both DH private keys are reused, the term “static-static” is used. If only one side uses the same key, the term is “ephemeral-static”. In some implementations, it might make sense to have one static DH private key, especially on the server side, for performance reasons.
- Ephemeral mode
  Ephemeral Diffie-Hellman generates a new temporary DH private key for every connection, which enables PFS. When both sides always create new DH private keys for new connections, this is called “ephemeral-ephemeral”.
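As an added example (not from the original post or from IBM), this Python code splits IANA-style TLS 1.2 cipher suite names into the components discussed above and flags configured suites whose key exchange is anonymous or not ephemeral. The function names and the sample suite list are constructed for illustration; names without a `_WITH_` part, such as TLS 1.3 suites, are rejected rather than guessed at.

```python
# Key-exchange token of an IANA TLS 1.2 suite name -> (description, ephemeral?)
KEY_EXCHANGE = {
    "RSA":   ("RSA key exchange with the long-term certificate key", False),
    "DH":    ("static Diffie-Hellman", False),
    "ECDH":  ("static elliptic-curve Diffie-Hellman", False),
    "DHE":   ("ephemeral Diffie-Hellman", True),
    "ECDHE": ("ephemeral elliptic-curve Diffie-Hellman", True),
}

def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and hash."""
    head, sep, tail = name.partition("_WITH_")
    kx, _, auth = head[len("TLS_"):].partition("_")
    if not sep or not head.startswith("TLS_") or kx not in KEY_EXCHANGE:
        raise ValueError(f"unsupported suite name: {name}")
    description, ephemeral = KEY_EXCHANGE[kx]
    cipher, _, digest = tail.rpartition("_")
    if auth == "anon":
        # Anonymous suites are flagged for lack of authentication, so
        # forward secrecy is not assessed for them.
        description, ephemeral = "anonymous Diffie-Hellman", None
    return {"name": name, "key_exchange": description,
            "auth": auth or kx,  # TLS_RSA_WITH_...: the RSA key also authenticates
            "cipher": cipher, "hash": digest, "forward_secrecy": ephemeral}

def audit(suites):
    """Return (name, reason) for suites that are anonymous or lack forward secrecy."""
    findings = []
    for s in map(parse_suite, suites):
        if s["auth"] == "anon":
            findings.append((s["name"], "anonymous key exchange: no authentication"))
        elif not s["forward_secrecy"]:
            findings.append((s["name"], "no forward secrecy: " + s["key_exchange"]))
    return findings

# Constructed sample of a server's configured suites (not taken from the page).
CONFIGURED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for name, reason in audit(CONFIGURED):
        print(f"{name}: {reason}")
```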
Reference
- Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
- Elliptic-curve Diffie–Hellman
- Elliptic Curve Digital Signature Algorithm
- TLS & Perfect Forward Secrecy
- Cipher suite
- RSA (cryptosystem)
- Secure Hash Algorithms
- A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography
- Elliptic Curve Diffie Hellman Cryptography
- What are the important patents in cryptography?
- Forward secrecy
- Diffie-Hellmann Overview (IBM)
- Enabling Perfect Forward Secrecy
- How RSA public key encryption works
- A multi-level framework to identify HTTPS services
- Flexible key exchange negotiation for wireless sensor networks