Cryptography for SSCP

This page covers the Cryptography domain of the SSCP certification. Master Cybersecurity offers 185 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Which of the following is true about Kerberos?
    A. It utilizes public key cryptography.
    B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
    C. It depends upon symmetric ciphers.
    D. It is a second party authentication system.
    Explanation

    The correct answer is: C. It depends upon symmetric ciphers.

    Kerberos depends upon symmetric ciphers — each principal (user, service, KDC) shares a secret key with the Key Distribution Center, and tickets and session keys are encrypted using these symmetric keys. The symmetric design is what gives Kerberos its speed but also its key-management challenges. Saying Kerberos uses public-key cryptography is wrong for the core protocol (extensions such as PKINIT add public-key features, but the base protocol is purely symmetric). Saying Kerberos encrypts data only after a ticket is granted while passwords are exchanged in plaintext is wrong; the password is hashed into the user's secret key on the client and never sent over the wire as plaintext. Saying Kerberos is second-party authentication is wrong; Kerberos is third-party authentication where the KDC stands as the trusted third party between client and service. Treat Kerberos as a symmetric-key, third-party, mutually-authenticating ticket-granting system.

  2. Question 2

    Controls to keep password sniffing attacks from compromising computer systems include which of the following?
    A. static and recurring passwords.
    B. encryption and recurring passwords.
    C. one-time passwords and encryption.
    D. static and one-time passwords.
    Explanation

    The correct answer is: C. one-time passwords and encryption.

    Controls that defeat password sniffing combine one-time passwords (which lose value the moment they are used and so cannot be replayed even if captured) with encryption (which prevents the password from being read in transit at all). The pairing covers both prevention and resilience. Static passwords plus recurring passwords would still expose authentication credentials on the wire and to attackers between rotations. Encryption plus recurring passwords improves transit security but allows replay if the encryption is broken or bypassed and the password is still valid. Static plus one-time passwords is internally contradictory; you cannot have both at once for the same credential. Modern access systems pair one-time codes (TOTP, push approval) with end-to-end encrypted channels (TLS) for the strongest sniffing resistance.
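    The replay property the explanation relies on can be made concrete. The following is an added example, not code from the page or its publisher: an RFC 4226 HOTP generator (the counter-based relative of TOTP) and a server-side verifier that records the last accepted counter, so a code that has already been used, whether by its owner or by someone who sniffed it, is refused. The shared secret is the RFC 4226 test-vector secret, the look-ahead window of five codes is an assumed value, and the encrypted transport (TLS) the explanation pairs with OTP is outside this snippet.

```python
# Added example (not part of the original page): HOTP one-time codes
# (RFC 4226) plus a verifier that refuses to accept any code twice, which is
# the property that makes a sniffed OTP worthless to whoever captured it.
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % 10 ** digits:0{digits}d}"


class OtpVerifier:
    """Server-side state for one user: the shared secret and the last accepted counter."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few codes the user skipped (assumed window)
        self.last_counter = -1         # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly after the last accepted one are candidates,
        # so a previously used code (legitimately or replayed) can never match.
        for counter in range(self.last_counter + 1,
                             self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # burn this counter and all earlier ones
                return True
        return False


def replay_demo() -> tuple:
    """Constructed scenario: one legitimate use of a code, then the same code again."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, constructed enrolment
    server = OtpVerifier(secret)
    code = hotp(secret, 0)             # what the user's token displays
    first = server.verify(code)        # legitimate login: accepted
    replay = server.verify(code)       # identical code presented again: rejected
    return first, replay


if __name__ == "__main__":
    print(replay_demo())
```

Contrast this with a static password: the same captured string would be accepted on every later attempt until the password is changed, which is why the explanation's "recurring passwords" options still leave a window of exposure between rotations. A production verifier would also persist `last_counter` atomically and rate-limit failed attempts; both are outside this snippet.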

  3. Question 3

    The Computer Security Policy Model the Orange Book is based on is which of the following?
    A. Bell-LaPadula
    B. Data Encryption Standard
    C. Kerberos
    D. Tempest
    Explanation

    The correct answer is: A. Bell-LaPadula.

    The Orange Book (US DoD TCSEC) is based on the Bell-LaPadula computer security policy model, which formalises mandatory access control over confidentiality using two main rules: no read up (simple security property) and no write down (* property). Bell-LaPadula was the foundational confidentiality model for the multilevel-secure systems the Orange Book sought to evaluate. Data Encryption Standard is a symmetric block cipher, not a security policy model. Kerberos is a network authentication protocol, again not a security policy model. Tempest is a US programme addressing emanations security (compromising radio-frequency leakage from electronic devices), unrelated to access control models. Pair Bell-LaPadula for confidentiality with Biba for integrity to cover both dimensions in formal MAC modelling.
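    The two rules named above are short enough to implement as a small reference monitor. This is an added example, not code from the page or its publisher: labels carry a sensitivity level and a set of need-to-know categories (the usual lattice form of Bell-LaPadula), `can_read` enforces the simple security property and `can_write` enforces the *-property. The level names and the sample subjects and objects are constructed.

```python
# Added example (not part of the original page): a minimal Bell-LaPadula
# reference monitor enforcing "no read up" and "no write down".
from dataclasses import dataclass, field

# Constructed linear ordering of sensitivity levels, lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus need-to-know categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of categories.
        return (RANK[self.level] >= RANK[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property ("no read up"): the subject's clearance
    # must dominate the object's classification.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property ("no write down"): the object's classification must dominate
    # the subject's clearance, so a SECRET subject cannot copy SECRET data
    # into a CONFIDENTIAL file.
    return obj.dominates(subject)


def reference_monitor(subject: Label, obj: Label, mode: str) -> bool:
    """Mediates every access request; unknown modes are denied (fail closed)."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    return False


if __name__ == "__main__":
    # Constructed sample: a SECRET analyst cleared for the CRYPTO category.
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    memo = Label("CONFIDENTIAL")
    report = Label("TOP_SECRET", frozenset({"CRYPTO"}))
    for name, target in (("memo", memo), ("report", report)):
        for mode in ("read", "write"):
            verdict = "allow" if reference_monitor(analyst, target, mode) else "deny"
            print(f"{mode:5} {name:6} -> {verdict}")
```

Running it shows the asymmetry the rules create: the analyst may read the memo but not write to it, and may write to the TOP_SECRET report (a "blind write up") but not read it. Pure Bell-LaPadula says nothing about integrity, which is why the explanation pairs it with Biba; many real implementations also tighten the *-property to "write at the same level only" so that a low-clearance process cannot corrupt high-classification data it cannot see.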

  4. Question 4

    The primary service provided by Kerberos is which of the following?
    A. non-repudiation
    B. confidentiality
    C. authentication
    D. authorization
    Explanation

    The correct answer is: C. authentication.

    The primary service provided by Kerberos is authentication — verifying the identities of clients and services within a trusted realm and issuing tickets that can be presented to access protected services without sending passwords across the network. The third-party model with the KDC is what makes the authentication scalable. Non-repudiation is not a Kerberos service because Kerberos relies on symmetric (shared) keys, which cannot uniquely bind an action to a single party. Confidentiality is a useful byproduct of the session keys Kerberos issues, but the primary purpose is authentication, not confidentiality itself. Authorization is typically performed by the service after Kerberos has authenticated the user; Kerberos delivers identity, the service decides what that identity may do. Treat Kerberos as the authentication primitive in a broader identity stack.
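    Questions 1 and 4 both turn on the same structure: every ticket and session key is protected with a symmetric key shared between exactly one principal and the KDC, the password itself never leaves the client, and what the service finally obtains is an authenticated identity, not an authorization decision. The following is an added example that walks a single client through the AS, TGS and service exchanges; it is not code from the page or any Kerberos implementation. The `seal`/`unseal` routine is a toy HMAC-based authenticated encryption standing in for a real Kerberos enctype, `string_to_key` uses PBKDF2 as an assumed stand-in for the real string-to-key function, and the realm (principal `alice`, service `host/fileserver`, 600-second lifetime) is constructed.

```python
# Added example (not part of the original page): a toy Kerberos-style exchange.
# Every message is sealed under a symmetric key shared by one principal and the
# KDC; no public-key material and no plaintext password ever cross the wire.
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 600  # seconds; constructed value


def string_to_key(password: str, salt: str) -> bytes:
    # Assumed stand-in for Kerberos string-to-key (AES enctypes use PBKDF2 with
    # a realm/principal salt). Runs on the client; the password stays there.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag). It is NOT
    # a Kerberos enctype; it only models "encrypted under key K".
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds one long-term symmetric key per principal; it never sees a password."""

    def __init__(self, principal_keys: dict):
        self.keys = dict(principal_keys)
        self.keys["krbtgt"] = os.urandom(32)  # the ticket-granting service's own key

    def as_exchange(self, client: str) -> bytes:
        # AS-REP: fresh session key + TGT. The TGT is sealed under the krbtgt key,
        # so the client can carry it but can neither read nor forge it.
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"],
                   {"client": client, "sk": sk, "exp": time.time() + TICKET_LIFETIME})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str) -> bytes:
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        if tgt["exp"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(tgt["sk"]), authenticator)  # proves holder knows sk
        if auth["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": tgt["client"], "sk": ssk, "exp": time.time() + TICKET_LIFETIME})
        return seal(bytes.fromhex(tgt["sk"]), {"sk": ssk, "ticket": ticket.hex()})


def client_get_credentials(kdc: KDC, name: str, password: str, service: str):
    key = string_to_key(password, name)              # derived locally, never transmitted
    rep = unseal(key, kdc.as_exchange(name))         # wrong password -> ValueError here
    sk = bytes.fromhex(rep["sk"])
    authenticator = seal(sk, {"client": name, "ts": time.time()})
    tgs_rep = unseal(sk, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), authenticator, service))
    ssk = bytes.fromhex(tgs_rep["sk"])
    return bytes.fromhex(tgs_rep["ticket"]), seal(ssk, {"client": name, "ts": time.time()})


def service_accept(service_key: bytes, ticket_blob: bytes, authenticator: bytes) -> str:
    # The service needs only its own long-term key; it does not contact the KDC.
    ticket = unseal(service_key, ticket_blob)
    if ticket["exp"] < time.time():
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(ticket["sk"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    return ticket["client"]  # authenticated identity; what it may do is the service's decision


def authenticate(enrolled_password: str, typed_password: str):
    """Constructed realm ('alice', 'host/fileserver'): returns the identity the
    service accepts, or None when any step fails, e.g. a wrong password."""
    service_key = os.urandom(32)
    kdc = KDC({"alice": string_to_key(enrolled_password, "alice"),
               "host/fileserver": service_key})
    try:
        ticket, auth = client_get_credentials(kdc, "alice", typed_password, "host/fileserver")
        return service_accept(service_key, ticket, auth)
    except ValueError:
        return None


if __name__ == "__main__":
    print(authenticate("correct horse", "correct horse"))  # alice
    print(authenticate("correct horse", "wrong guess"))    # None
```

Two things to notice when reading it against the answer explanations. A wrong password fails on the client's own `unseal` of the AS-REP, without the password having been sent anywhere, which is why option B of Question 1 is wrong. And because the KDC, the client and the service all share keys, any of them could have produced a given sealed message, so nothing here binds an action to one party the way a signature would; that is the reason non-repudiation is not a Kerberos service (Question 4). Real Kerberos adds pre-authentication, replay caches for authenticators and clock-skew checks, all omitted here.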

  5. Question 5

    There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?
    A. public keys
    B. private keys
    C. public-key certificates
    D. private-key certificates
    Explanation

    The correct answer is: C. public-key certificates.

    Kerberos tickets correspond most closely to public-key certificates in a side-by-side comparison of trust models. Both are credentials issued by a trusted third party (KDC for Kerberos, CA for PKI) that prove identity to a relying party. Both have validity periods, contain bound identifiers, and are presented by the bearer to access services. Public keys themselves are bare cryptographic material, not credentials; a public key alone does not establish identity. Private keys are also raw cryptographic material that the holder keeps secret; they are not credentials presented to others. "Private-key certificates" is not a recognised PKI term. The Kerberos ticket = X.509 certificate analogy is useful for thinking about how the two ecosystems express trust through credentials and bearer presentation.
