Cryptography


23 Terms

1

Your organization plans to implement multiple simultaneous VPN connections over IPSec. Which component provides support for this capability?

A) ESP
B) IPComp
C) SKEME
D) ISAKMP

Answer: D) ISAKMP

  • Rationale: ISAKMP (Internet Security Association and Key Management Protocol) handles key exchange and negotiation for multiple VPNs simultaneously.

  • Why not others:

    • ESP = provides confidentiality and authentication, not VPN setup.

    • IPComp = compression protocol for IP packets.

    • SKEME = key exchange protocol, but not full support for multiple VPN sessions.

  • Exam Tip: If the question emphasizes multiple VPNs or key management, ISAKMP is your cue.

2

Two parties need to exchange a symmetric key over an insecure channel, but neither has pre-shared key pairs. Which method allows secure exchange?

A) RSA
B) Digital envelopes
C) Digital signatures
D) Diffie-Hellman

Answer: D) Diffie-Hellman

  • Rationale: Diffie-Hellman enables secure key agreement without pre-shared secrets by using mathematical properties of modular exponentiation.

  • Why not others:

    • RSA = asymmetric encryption; requires existing key pairs.

    • Digital envelopes = encrypting with recipient’s public key (requires key).

    • Digital signatures = ensures integrity/authenticity, not key exchange.

  • Exam Tip: “No prior key pairs” → think Diffie-Hellman key exchange.

3

Which two stages make up IPsec implementation?

A) Internet Key Exchange (IKE) and ESP
B) ISAKMP and IPComp
C) SKEME and ESP
D) ESP and TPM

Answer: A) IKE and ESP

  • Rationale: IKE negotiates security associations and keys; ESP provides encryption and authentication for data transfer.

  • Exam Tip: Look for “key negotiation + encryption/authentication” → IKE + ESP.

4

An organization wants to implement comprehensive protection for sensitive data. Which types of data benefit most from strong access controls, encryption, awareness training, and DLP? (Choose all that apply.)

A) Trade secrets
B) Intellectual property
C) Legal information
D) Private data

Answer: All of the above

  • Rationale: All listed data types are sensitive and require layered protection to prevent loss, theft, or misuse.

  • Exam Tip: When the question says “sensitive data,” think all types that carry legal, financial, or operational risk.

5

In public key cryptography, which model allows individuals to verify each other’s keys based on mutual trust rather than a centralized authority?

A) Certificate Authority
B) Web of Trust
C) PKI Hierarchy
D) Key Escrow

Answer: B) Web of Trust

  • Rationale: Users vouch for each other’s keys, establishing trust in a decentralized way.

  • Why not others:

    • Certificate Authority = centralized trust model.

    • PKI Hierarchy = hierarchical, not peer-to-peer.

    • Key Escrow = key storage for recovery, not trust verification.

  • Exam Tip: “Decentralized trust among peers” → Web of Trust.

6

Why are initialization vectors commonly used in encryption algorithms?

A) They start the encryption process at a common point.
B) They determine the range of values into which a block can resolve.
C) They set the speed of the encryption process.
D) They increase the chaos in encrypted output

Answer: D) They increase the chaos in encrypted output

  • Rationale: IVs ensure that repeated plaintext blocks encrypt to unique ciphertext, improving security.

  • Exam Tip: Look for “prevent identical ciphertext for identical plaintext” → IV.

7

When creating a digital signature, what is the correct initial step performed by the sender?

A) Encrypt the message with a symmetric key
B) Hash the message, then encrypt the digest with the private key
C) Sign with recipient’s public key
D) Hash message, then encrypt full message with private key

Answer: B) Hash the message, then encrypt the digest with the private key

  • Rationale: Hashing creates a digest; encrypting it ensures integrity and authenticity.

  • Exam Tip: Digital signature = hash → encrypt digest with private key → verification with public key.

8

Which cryptography concept relies on trap-door, one-way functions?

A) Symmetric
B) Hashing
C) Steganography
D) Asymmetric

Answer: D) Asymmetric

  • Rationale: Asymmetric encryption uses functions easy to compute one way but hard to reverse without the private key.

  • Exam Tip: “One-way mathematical function” = asymmetric encryption.

9

What term describes the range of values that control the symmetric encryption function converting plaintext into ciphertext?

A) Block size
B) Rounds
C) Key length
D) Key space

Answer: C) Key length

  • Rationale: Key length determines how many possible keys can be used to encrypt/decrypt; longer keys = stronger security.

  • Why not others:

    • Block size = size of data blocks processed.

    • Rounds = number of iterations in algorithm.

    • Key space = total number of possible keys (related but not the controlling parameter).

  • Exam Tip: “Range of values controlling encryption” = key length.

10

Protocol within IPSec that supports multiple simultaneous VPNs by handling key exchange and negotiation. Like a traffic controller coordinating multiple highways simultaneously. Keywords: “VPN key management,” “multiple sessions,” “security associations.”

ISAKMP

11

A method for securely exchanging symmetric keys over an insecure channel when neither party has pre-shared keys. Like two people agreeing on a secret handshake through a public window without anyone else seeing it. Keywords: “key agreement,” “no prior key pairs,” “secure exchange.”

Diffie-Hellman

12

Protocol that provides IP packet compression in IPSec to improve efficiency. Like packing a suitcase tighter to carry more items. Keywords: “packet compression,” “network efficiency,” “reduces overhead.”

IPComp

13

IPSec component providing encryption and authentication for transmitted data. Like a sealed and signed envelope ensuring both privacy and integrity. Keywords: “encryption,” “authentication,” “data protection.”

ESP (Encapsulating Security Payload)

14

Protocol used in IPSec to negotiate security associations and keys. Like two diplomats agreeing on a secret code before exchanging messages. Keywords: “key negotiation,” “security associations,” “phase one/phase two in IPSec.”

Internet Key Exchange (IKE)

15

Any information requiring protection via access controls, encryption, training, and DLP, including trade secrets, intellectual property, legal info, and private data. Like valuables stored in a safe with guards and alarms. Keywords: “data protection,” “high-risk info,” “layered security.”

Sensitive Data

16

A decentralized trust model in public key cryptography where users verify each other’s keys instead of relying on a central authority. Like a community where neighbors vouch for each other’s identities. Keywords: “peer verification,” “decentralized,” “key authenticity.”

Web of Trust

17

Simple network authentication protocol that transmits passwords in plaintext. Like showing your ID to a receptionist without any verification. Keywords: “network login,” “plaintext password,” “basic authentication.”

PAP (Password Authentication Protocol)

18

Hardware-based root of trust providing secure key storage and cryptographic functions. Like a secure safe inside a building that stores all keys and valuables. Keywords: “hardware security,” “root of trust,” “encryption support.”

TPM (Trusted Platform Module)

19

Tools for encrypting emails/files using public/private key pairs and digital signatures. Like sending a locked box with a unique key only the recipient can open. Keywords: “secure communication,” “digital signatures,” “asymmetric encryption.”

PGP/GPG

20

Random value used in encryption to ensure identical plaintexts encrypt to different ciphertexts, increasing randomness/chaos. Like shuffling a deck before dealing cards to prevent predictable outcomes. Keywords: “randomization,” “prevents identical ciphertext,” “encryption security.”

Initialization Vector (IV)

21

Process where the sender hashes a message and encrypts the digest with a private key to guarantee integrity and authenticity. Like signing a letter with your unique signature to prove authorship. Keywords: “message digest,” “private key encryption,” “verification by recipient.”

Digital Signature

22

Encryption method based on trap-door, one-way functions using public/private key pairs. Like a mailbox where anyone can drop mail (public key) but only the owner can open it (private key). Keywords: “one-way function,” “key pair,” “public/private encryption.”

Asymmetric Cryptography

23

The range of possible values used to control symmetric encryption functions converting plaintext into ciphertext. Longer keys = stronger security. Like using a longer combination on a lock for increased protection. Keywords: “encryption strength,” “control parameter,” “symmetric encryption.”

Key Length
