
CISA—Certified Information Systems Auditor - Part 117

Mary Smith

Sat, 24 May 2025


1. Which of the following comparisons are used for identification and authentication in a biometric system?

A) One-to-many for identification and authentication
B) One-to-one for identification and authentication
C) One-to-many for identification and one-to-one for authentication
D) One-to-one for identification and one-to-many for authentication



2. The goal of an information system is to achieve integrity, authenticity and non-repudiation of information sent across the network. Which of the following statements correctly describes the steps to address all three?

A) Encrypt the message digest using symmetric key and then send the encrypted digest to receiver along with original message.
B) Encrypt the message digest using receiver's public key and then send the encrypted digest to receiver along with original message. The receiver can decrypt the message digest using his own private key.
C) Encrypt the message digest using sender's public key and then send the encrypted digest to the receiver along with original message. The receiver can decrypt using his own private key.
D) Encrypt message digest using sender's private key and then send the encrypted digest to the receiver along with original message. Receiver can decrypt the same using sender's public key.



3. Which of the following is an advantage of asymmetric crypto system over symmetric key crypto system?

A) Performance and Speed
B) Key Management is built in
C) Adequate for Bulk encryption
D) Number of keys grows very quickly



4. Which key is used by the sender of a message to create a digital signature for the message being sent?

A) Sender's public key
B) Sender's private key
C) Receiver's public key
D) Receiver's private key



5. Which of the following types of cryptography is based on the practical application of the characteristics of the smallest 'grains' of light, the photon, and the physical laws governing their generation, propagation and detection?

A) Quantum Cryptography
B) Elliptical Curve Cryptography (ECC)
C) Symmetric Key Cryptography
D) Asymmetric Key Cryptography



1. Right Answer: C
Explanation: In identification mode the system performs a one-to-many comparison against a biometric database in an attempt to establish the identity of an unknown individual. The system succeeds in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold. Identification mode can be used either for 'positive recognition' (so that the user does not have to provide any information about the template to be used) or for 'negative recognition' of the person, 'where the system establishes whether the person is who she (implicitly or explicitly) denies to be'.

In verification (or authentication) mode the system performs a one-to-one comparison of a captured biometric with a specific template stored in a biometric database in order to verify that the individual is the person they claim to be.

Management of Biometrics: management of biometrics should address effective security for the collection, distribution and processing of biometric data, encompassing:
- Data integrity, authenticity and non-repudiation
- Management of biometric data across its life cycle, comprised of the enrollment, transmission and storage, verification, identification, and termination processes
- Usage of biometric technology, including one-to-one and one-to-many matching, for identification and authentication
- Application of biometric technology for internal and external, as well as logical and physical, access control
- Encapsulation of biometric data
- Security of the physical hardware used throughout the biometric data life cycle
- Techniques for integrity and privacy protection of biometric data

The following were incorrect answers: all other choices presented incorrectly describe the identification and authentication mapping.

The following reference(s) were/was used to create this question: CISA review manual 2014, page 331; http://en.wikipedia.org/wiki/Biometrics

2. Right Answer: D
Explanation: The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender's private key is used to encrypt the message digest of the message. Encrypting the message digest is the act of signing the message. The receiver will use the matching public key of the sender to decrypt the digital signature.

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures cannot be forged by someone who does not possess the private key, and they can also be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real and has not been modified since the day it was issued.

How Digital Signature Works: Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
- You copy-and-paste the contract (it's a short one!) into an e-mail note.
- Using special software, you obtain a message hash (mathematical summary) of the contract.
- You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
- The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
At the other end, your lawyer receives the message.
- To make sure it's intact and from you, your lawyer makes a hash of the received message.
- Your lawyer then uses your public key to decrypt the message hash or summary.
- If the hashes match, the received message is valid.

Below are some common reasons for applying a digital signature to communications:

Authentication: Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. The importance of high assurance in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message was truly sent from an authorized source, acting on such a request could be a serious mistake.

Integrity: In many scenarios, the sender and receiver of a message may need confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as non-malleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after the signature has been applied invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible for most cryptographic hash functions (see collision resistance).

Non-repudiation: Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property, an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key alone does not enable a fraudulent party to fake a valid signature. Note that authentication, non-repudiation, and other properties rely on the secret key not having been revoked prior to its usage. Public revocation of a key pair is a required ability, else leaked secret keys would continue to implicate the claimed owner of the key pair. Checking revocation status requires an 'online' check, e.g. checking a 'Certificate Revocation List' or via the 'Online Certificate Status Protocol'. This is analogous to a vendor who receives credit cards first checking online with the credit-card issuer to find out if a given card has been reported lost or stolen.

Tip for the exam:
- A digital signature does not provide confidentiality. It provides only authenticity and integrity. The sender's private key is used to encrypt the message digest to calculate the digital signature.
- Encryption provides only confidentiality. The receiver's public key or a symmetric key is used for encryption.

The following were incorrect answers:
- Encrypt the message digest using symmetric key and then send the encrypted digest to receiver along with original message: symmetric key encryption does not provide non-repudiation, as the symmetric key is shared between users.
- Encrypt the message digest using receiver's public key and then send the encrypted digest to receiver along with original message. The receiver can decrypt the message digest using his own private key: the receiver's public key is known to everyone. This will not address non-repudiation.
- Encrypt the message digest using sender's public key and then send the encrypted digest to the receiver along with original message. The receiver can decrypt using his own private key: the sender's public key is known to everyone. If the sender's public key is used for encryption, then the sender's private key is required to decrypt the data. The receiver will not be able to decrypt the digest, as the receiver will not have the sender's private key.

The following reference(s) were/was used to create this question: CISA review manual 2014, page 331; http://upload.wikimedia.org/wikipedia/commons/2/2b/Digital_Signature_diagram.svg; http://en.wikipedia.org/wiki/Digital_signature; http://searchsecurity.techtarget.com/definition/digital-signature

3. Right Answer: B
Explanation: Key management is better in asymmetric key encryption as compared to symmetric key encryption. In fact, there is no key management built into symmetric crypto systems: you must use the sneaker net or a trusted courier to exchange the key securely with the person you wish to communicate with. Key management is the major issue and challenge in symmetric key encryption.

In symmetric key encryption, a symmetric key is shared between two users who wish to communicate together. As the number of users grows, the number of keys required also increases very rapidly. For example, if a user wants to communicate with 5 different users, then the total number of different keys required by the user is 10. The formula for calculating the total number of keys required is n(n-1)/2, or the total number of users times the total number of users minus one, divided by 2, where n is the number of users communicating with each other securely.

In asymmetric key encryption, every user has only two keys, also referred to as a key pair:
- Private key: only known to the user who initially generated the key pair
- Public key: known to everyone, can be distributed at large

The following were incorrect answers:
- Performance: symmetric key encryption performance is better than asymmetric key encryption.
- Bulk encryption: as symmetric key encryption gives better performance, symmetric keys should be used for bulk data encryption.
- Number of keys grows very quickly: the number of keys under asymmetric encryption grows very nicely. 1000 users would need a total of only 2000 keys, or a private and a public key for each user. Under symmetric encryption, one thousand users would need 495,000 keys to communicate securely with each other.

The following reference(s) were/was used to create this question: CISA review manual 2014, page 348

4. Right Answer: B
Explanation: The sender's private key is used to calculate the digital signature. The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender's private key is used to encrypt the message digest (signing) of the message, and the receiver needs to decrypt the same using the sender's public key to validate the signature.

A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

How It Works: Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
- You copy-and-paste the contract (it's a short one!) into an e-mail note.
- Using special software, you obtain a message hash (mathematical summary) of the contract.
- You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
- The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
At the other end, your lawyer receives the message:
- To make sure it's intact and from you, your lawyer makes a hash of the received message.
- Your lawyer then uses your public key to decrypt the message hash or summary.
- If the hashes match, the received message is valid.

Below are some common reasons for applying a digital signature to communications:

Authentication: Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message was truly sent from an authorized source, acting on such a request could be a grave mistake.

Integrity: In many scenarios, the sender and receiver of a message may need confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as non-malleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after signature invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible for most cryptographic hash functions (see collision resistance).

Non-repudiation: Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property, an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key alone does not enable a fraudulent party to fake a valid signature. Note that these authentication, non-repudiation and other properties rely on the secret key not having been revoked prior to its usage. Public revocation of a key pair is a required ability, else leaked secret keys would continue to implicate the claimed owner of the key pair. Checking revocation status requires an 'online' check, e.g. checking a 'Certificate Revocation List' or via the 'Online Certificate Status Protocol'. Very roughly, this is analogous to a vendor who receives credit cards first checking online with the credit-card issuer to find out if a given card has been reported lost or stolen. Of course, with stolen key pairs, the theft is often discovered only after the secret key's use, e.g., to sign a bogus certificate for espionage purposes.

Tip for the exam:
- A digital signature does not provide confidentiality. The sender's private key is used for calculating the digital signature.
- Encryption provides only confidentiality. The receiver's public key or a symmetric key is used for encryption.

The following were incorrect answers:
- Sender's public key: this is incorrect, as the receiver would then require the sender's private key to verify the digital signature.
- Receiver's public key: the digital signature provides non-repudiation. The receiver's public key is known to everyone, so it cannot be used for a digital signature. The receiver's public key can be used for encryption.
- Receiver's private key: the sender does not know the receiver's private key, so this option is incorrect.

The following reference(s) were/was used to create this question: CISA review manual 2014, page 348; http://upload.wikimedia.org/wikipedia/commons/2/2b/Digital_Signature_diagram.svg; http://en.wikipedia.org/wiki/Digital_signature; http://searchsecurity.techtarget.com/definition/digital-signature
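The signing and verification steps described in the explanations to questions 2 and 4, as an added example that is not part of the original page, written in Go with only the standard library: the contract is hashed with SHA-256, the digest is signed with the sender's private key (RSA PKCS#1 v1.5 signature padding, which real implementations use instead of raw encryption of the digest), and the receiver verifies with the sender's public key. The contract text, the altered copy and the 2048-bit key pairs are constructed in the code; the checks show that a tampered message, or verification with the receiver's own public key instead of the sender's, fails.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Sign computes the SHA-256 digest of msg and signs it with the sender's
// private key: the "encrypt the message digest with the private key" step
// above, using PKCS#1 v1.5 signature padding rather than raw RSA.
func Sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest of the received message and checks the
// signature against it with the sender's public key. A change to the
// message or use of the wrong public key makes the check fail.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs the contract scenario with freshly generated keys and reports
// whether the original, a tampered copy, and a wrong-key check verify.
func Demo() (originalOK, tamperedOK, wrongKeyOK bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048) // sender's key pair
	if err != nil {
		return
	}
	lawyer, err := rsa.GenerateKey(rand.Reader, 2048) // receiver's own key pair
	if err != nil {
		return
	}
	// Constructed sample contract and a copy altered in transit (one digit).
	contract := []byte("Draft contract: party A pays party B 1,000 EUR on delivery.")
	tampered := []byte("Draft contract: party A pays party B 9,000 EUR on delivery.")

	sig, err := Sign(sender, contract)
	if err != nil {
		return
	}
	originalOK = Verify(&sender.PublicKey, contract, sig) // expected true
	tamperedOK = Verify(&sender.PublicKey, tampered, sig) // expected false
	wrongKeyOK = Verify(&lawyer.PublicKey, contract, sig) // expected false
	return
}

func main() {
	originalOK, tamperedOK, wrongKeyOK, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("original verifies:", originalOK)
	fmt.Println("tampered verifies:", tamperedOK)
	fmt.Println("wrong key verifies:", wrongKeyOK)
}
```

Note that the signature gives no confidentiality: the contract travels in the clear alongside it, exactly as the exam tip says.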

5. Right Answer: A
Explanation: Quantum cryptography is based on a practical application of the characteristics of the smallest 'grain' of light, photons, and on the physical laws governing their generation, propagation and detection. Quantum cryptography is the next generation of cryptography that may solve some of the existing problems associated with current cryptographic systems, specifically the random generation and secure distribution of symmetric cryptographic keys. Initial commercial usage has already started now that the laboratory research phase has been completed.

The following were incorrect answers:
- Elliptic Curve Cryptography (ECC): a variant and more efficient form of public key cryptography (how to get more security out of minimum resources) gaining prominence is ECC. ECC works well on networked computers that require strong cryptography but have some limitations, such as bandwidth and processing power. This is even more important with devices such as smart cards, wireless phones and other mobile devices. It is believed that ECC demands less computational power and therefore offers more security per bit. For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1024-bit key.
- Symmetric encryption: symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key. The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message.
- Asymmetric encryption: there are two related keys, a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

The following reference(s) were/was used to create this question: CISA review manual 2014, pages 349 and 350; http://support.microsoft.com/kb/246071
