
CCIE Sec Encryption Ipsec

Subjects : cisco, it-skills, ccie
Instructions:
  • Match each statement with the correct term.
1. is a more secure version of MD5, and hash-based message authentication codes (HMAC) provide further security with the inclusion of a key-based hash.






2. A 56-bit encryption algorithm, meaning the number of possible keys






3. Is a two-phase protocol: The first phase establishes a secure authenticated channel and the second phase is where SAs are negotiated on behalf of the IPsec services.






4. This mode does not support identity protection or protection against clogging attacks and spoofing.






5. can be achieved using one of three methods: preshared keys, encrypted nonces, or digital signatures.






6. defines the mode of communication, creation, and management of security associations.






7. Negotiation of the ISAKMP policy by offering and acceptance of protection suites






8. has a Next Protocol field which identifies the next Layer 4 transport protocol in use, TCP or UDP






9. Has a trailer which identifies IPsec information and ESP integrity-check information.






10. Invented by Ron Rivest of RSA Security (RFC 1321).






11. including Internet Security Association and Key Management Protocol (ISAKMP), Secure Key Exchange Mechanism for the Internet (SKEME), and Oakley.






12. Common key size is 1024 bits.






13. group 2 identifies a 1024-bit key, group 2 is more secure, but slower to execute.






14. Origin authentication validates the origin of a message upon receipt; this process is done during initial communications.






15. Provide authentication in Internet Key Exchange (IKE) Phase 2.






16. Integrity checks are done


17. You check it by hashing data and appending the hash value to the data as you send it across the network to a peer.






18. Negotiation of a shared secret key for encryption of the IKE session using the D-H algorithm


19. Hybrid protocol that defines the mechanism to derive authenticated keying material and negotiation of security associations (SA).






20. often called public-key algorithms, do not rely on a randomly generated shared encryption key; instead, they create two static keys. These static keys are completely different, but mathematically bound to each other; what one key encrypts, the o






21. The sending device decrypts the data with the second key, which is also 56 bits in length.






22. Verify whether the data has been altered.






23. The DES algorithm that performs 3 times sequentially.






24. ID exchange and authentication of D-H key by using the reply to the received nonce or string of bits


25. RFC 2631 on the workings of the key generation/exchange process.






26. IPSEC Encryption is performed by


27. Digital signatures. Peer X encrypts a hash value with his private key and then sends the data to Peer Y. Peer Y obtains Peer X






28. Can be implemented efficiently on a wide range of processors and in hardware.






29. Used in IPsec for two discrete purposes:






30. Main mode establishes ISAKMP security association in six messages and performs authenticated D-H exchange.






31. A






32. is defined in RFC 3174. has as output a 160-bit value,






33. in most cases, this mode is preferred with certificates.






34. IPSec SAs are negotiated and protected by the existing IPsec SA.






35. A variable block-length and key-length cipher.






36. key lengths are 128, 192, or 256 bits to encrypt blocks of equal length.






37. Uses protocol number 50.






38. One of the most popular tunneling protocols is






39. establishes ISAKMP SA in three messages, because it negotiates an ISAKMP policy and a D-H nonce exchange together.






40. DoS attacks are more probable with this mode.






41. The receiving device then encrypts the data with the second key.






42. No additional Layer 3 header is created. The original Layer 3 header is used.






43. More CPU intensive






44. You use this encryption method by keeping one key private and giving the other key to anyone in the public Internet. It does not matter who has your public key; it is useless without the private key.






45. Used in government installs and was created to work with the SHA-1 hash algorithm.






46. It is not used for encryption or digital signatures; it is used to obtain a shared secret






47. Uses IKE for key exchange.






48. IPSEC performs this function by using a sequence field in the IPsec header combined with integrity checks.






49. MACs with hash algorithms,






50. Encryption, where Peer X uses Peer Y