Authentication and Encryption 2

Here you will find answers to Authentication and Encryption – Part 2

Question 1

What two statements are true about AES-CCMP? (Choose two)

A. It is an encryption algorithm used in the 802.11i security protocol.
B. It is defined in 802.1X.
C. It is the encryption algorithm used in TKIP implementations.
D. It is required in WPA.
E. It is required in WPA2.

 

Answer: A E

Explanation

Advanced Encryption Standard (AES) is the cipher system used by RSN. It is the equivalent of the RC4 algorithm used by WPA. However the encryption mechanism is much more complex and does not suffer from the problems associated with WEP. AES is a block cipher, operating on blocks of data 128bits long.

CCMP is the security protocol used by AES. It is the equivalent of TKIP in WPA. CCMP computes a Message Integrity Check (MIC) using the well known, and proven, Cipher Block Chaining Message Authentication Code (CBC-MAC) method. Changing even one bit in a message produces a totally different result.

The AES-CCMP encryption algorithm used in the 802.11i (WPA2) security protocol. It uses the AES block cipher, but restricts the key length to 128 bits. AES-CCMP incorporates two sophisticated cryptographic techniques (counter mode and CBC-MAC) and adapts them to Ethernet frames to provide a robust security protocol between the mobile client and the access point.

AES itself is a very strong cipher, but counter mode makes it difficult for an eavesdropper to spot patterns, and the CBC-MAC message integrity method ensures that messages have not been tampered with.

Question 2

One of the advantages of implementing EAP-FAST is that there is no need to implement which item as part of your authentication infrastructure?

A. an access control server
B. a Certificate Authority infrastructure
C. a client that supports EAP-FAST
D. a RADIUS server

 

Answer: B

Explanation

EAP-FAST is a solution for organizations that are too small to run a dedicated PKI Certificate Authority infrastructure as this certificate costs much (around $500/year). Instead, EAP-FAST uses a strong shared secret key called a
Protected Access Credential (PAC) that is unique on every client.

Question 3

What is the Default Local Database size for authenticating local users?

A. 512 entries
B. 1024 entries
C. 2048 entries
D. 4096 entries
E. 8192 entries

 

Answer: A

Question 4

When using the Pre-Shared Key authentication method for WPA or WPA2, the pre-shared key is used for which two functions? (Choose two)

A. to act as the Group Transient Key during the bidirectional handshake
B. to act as the Pairwise Master Key during the bidirectional handshake
C. to derive the nonce at each side of the exchange
D. to derive the Pairwise Transient Key

 

Answer: B D

Explanation

Pre-shared key (PSK) is computed based on a shared secret (pass-phrase) which was previously shared between the two parties using some secure channel before it needs to be used. It is used to identify both peers to each other.

The strength of the PSK depends on the strength of the pass-phrase. The strength of the PSK is important, because WPA-Personal (and WPA2-Personal) use the PSK as the Pairwise Master Key (PMK). The PMK, when combined with two random numbers (nonces) and the MAC addresses of the access point and the client, produces a unique Pairwise Transient Key (PTK) that secures the unicast traffic between the access point and the client. A new PTK is produced each time a client connects to the access point.

Question 5

EAP-FAST was first supported where?

A. CCXv1
B. CCXv2
C. CCXv3
D. CCXv4
E. CCXv5

 

Answer: C

Explanation

The Cisco Compatible Extensions (CCX) program ensures that wireless clients are compatible with Cisco WLAN equipment. The following is a brief list of the features supported by each CCX specification:

CCXv1 – Standard 802.11 features, 802.1X with LEAP
CCXv2 – WPA, 802.1X with PEAP
CCXv3 – WPA2, 802.1X with EAP-FAST
CCXv4 – Network Admission Control (NAC), Call Admission Control for VoIP
CCXv5 – Advanced troubleshooting and client reporting functionality

Question 6

Which authentication method best supports a large enterprise deployment where over the air security is a necessity?

A. Open Authentication with Web Authentication
B. PSK with WEP
C. WPA with PSK
D. WPA2 with EAP-FAST
E. WPA2 with PSK

 

Answer: D

Question 7

Which statement applies to TKIP?

A. is part of the initial key exchange used to derive apairwise temporal key
B. is used to encrypt a WEP authenticated session
C. is used to encrypt the data for WPA sessions
D. is used to secure the initial authentication credential exchange between client and authenticator

 

Answer: C

Explanation

The Temporal Key Integrity Protocol (TKIP) was brought into WPA. TKIP encryption replaces WEP’s small 40-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP is a 128-bit per-packet key, meaning that it dynamically generates a new key for each packet.

Question 8

WEP is a mandatory encryption mechanism. True or false?

A. True
B. false

 

Answer: B

Question 9

WPA uses TKIP and is a subset of the 802.11 i standard. True or false?

A. True
B. false

 

Answer: A