1. If you are using corporate e-mail for external communications that contain confidential information, what other security countermeasures can you employ to maximize the confidentiality of e-mail transmissions through the Internet? Encrypt email, email policy, security software, content checking tool, anti-spam tool, and secure firewall configurations. 2. Explain the role of a Certificate Authority and its obligations in authenticating the person or organization and issuing digital certificates. Certificate Authority or Certification Authority (CA) is an entity, which is core to many PKI (Public Key Infrastructure) schemes, whose purpose is to issue digital certificates to use by other parties. It exemplifies a trusted third party. 3. What would a successful Subversion Attack of a CA result in? An attacker can create a certificate for any domain. This certificate will appear to be signed by a trusted CA. Thus, you will see that the site's cert is trusted and you will never get any notification to the contrary. Normally, a trusted CA will issue and sign a certificate and then if the browser trusts the signing CA, you will see a padlock in the GUI and you will often times see a message that lets you know that the certificate of the web site is trusted. If the CA is not trusted, you are shown a message that the certificate is not signed by a trusted party and you are given the option to leave or continue. This is PKI in a nutshell. The entire system relies on trust of the CAs and the CAs in turn provides reputable and responsible operation. This works very well, until you can subvert that trust. 4. What encryption mechanisms are built into Microsoft Windows XP Professional? EFS. 5. Could you add user’s access to view your EFS encrypted files and folders? Yes. If so how? Once a file has been initially encrypted, file sharing is enabled through a new button in the user interface (UI). A file must be encrypted first and then saved before additional users may be added. After selecting the Advanced Properties of an encrypted file, a user may be added by selecting the Details button. Individual users may add other users (not groups) from the local machine or from the Active Directory, provided the user has a valid certificate for EFS. 6. What would be needed by any Law Enforcement agency to decrypt encrypted messages easily? DES Data Encryption Standard. 7. What is SHA1, and what is it used for? The Secure Hash Algorithm 1 (SHA-1) is a well-known and currently secure cryptographic hash function designed by the NSA. Is it used similarly to TripleDES or are they different? They are the same, they both use algorithms. 8. Provide and explanation for the difference between symmetric keys and asymmetric keys in a PKI? symmetric-key: It only needs one key to encrypt the message. And both user only need the same key to decode the message. And the in order to create the key is by moving the bit. asymmetric-key: It needs two different keys- public key and private key. Everyone can see the public key and only the person who has private key can decode the message. 9. What is a common drawback to Encrypting using enterprise level tools such as PGP? Complexity, cost, lack of scalability, and lack of interoperability with VoIP systems. So even though implementing encryption is appealing, many businesses may balk at the potential obstacles. 10. What is the difference between PGB and GPG? “PGP” stands for “Pretty Good Privacy.” It was developed by Phil Zimmermann. At first it was written as copyrighted freeware under the Gnu Public License. Later, PGP was upgraded and made into a propriety program. The rights for this program are traded around. The reason for this upgrade was legal defense costs and royalty issues related to the export laws of the USA. Now the PGP program is owned by PGP Corporation. Only the command line version is not owned by PGP Corporation which is also not for sale. PGP uses the RSA algorithm and the IDEA encryption algorithm. The PGP is considered to have Windows interface which is more polished.
“GPG” stands for “Gnu Privacy Guard.” GPG is a re-write or upgrade of PGP. It does not use the IDEA encryption algorithm. This is to make it completely free. It uses the NIST AES, Advanced Encryption Standard. All the algorithm data is stored and documented publicly by OpenPGP Alliance. The main reason for this change is that AES costs less than IDEA and is considered more secure. Moreover, it is royalty free because it is not patented. GPG is more compatible than the original PGP with OpenPGP. GPG is also based on a command line. Windows frontends are also available for GPG other than the command line.