Exam CAS-004, Question 374

A security assessor identified an internet-facing web service API provider that was deemed vulnerable. Execution of testssl provided the following insight:

Which of the following configuration changes would BEST mitigate chosen ciphertext attacks?

    Correct Answer: C

    To best mitigate chosen ciphertext attacks, enabling Perfect Forward Secrecy (PFS) ciphers is the optimal configuration change. PFS ensures that even if the server's long-term keys are compromised, the session keys remain secure, effectively protecting past communication data from chosen ciphertext attacks. Each session gets its own ephemeral session key, independent of every other session key, so knowledge of one session key makes it no easier for an attacker to decrypt past or future sessions.

Discussion
ElDirec (Option: D)

The BEST configuration change to mitigate chosen ciphertext attacks would be D. Enable AEAD (Authenticated Encryption with Associated Data). AEAD is a form of encryption which simultaneously provides confidentiality, integrity, and authenticity assurances on the data. This means that the data is not only encrypted, but the system can also verify who created the data and whether or not it has been tampered with. This can help protect against chosen ciphertext attacks, which involve an attacker attempting to decrypt a ciphertext by exploiting the properties of the encryption scheme. While the other options (Enable 3DES ciphers IDEA, Enable export ciphers, Enable PFS ciphers) can provide some level of security, they do not directly address the issue of chosen ciphertext attacks.

OdinAtlasSteel (Option: C)

C. Enable PFS ciphers. Perfect Forward Secrecy (PFS) ensures that even if a long-term secret key is compromised, past communications remain secure because the session keys are ephemeral and are not derived from the compromised key. Enabling PFS ciphers enhances the security of the encrypted connections and provides better protection against various cryptographic attacks, including chosen ciphertext attacks. Options A (3DES ciphers IDEA) and B (export ciphers) are not recommended due to the weaknesses and vulnerabilities associated with these cipher suites. Option D (AEAD) is also beneficial for security but is not directly related to mitigating chosen ciphertext attacks in this context.

041ba31 (Option: D)

The best configuration change to mitigate chosen ciphertext attacks is: D. Enable AEAD (Authenticated Encryption with Associated Data). Enabling AEAD ciphers, such as AES-GCM or ChaCha20-Poly1305, provides both encryption and authentication, which helps protect against chosen ciphertext attacks by ensuring data integrity and confidentiality.

saucehozz (Option: C)

The BEST answer is PFS

Anarckii (Option: C)

Which of the following configuration changes would BEST mitigate chosen ciphertext attacks?

    start 2021-02-02 18:24:24 --> 192.168.44.61:443
    rDNS (192.168.44.61): wsapi.ext.coomptia.org
    Service Detected: HTTP

    Testing Cipher Categories
    NULL ciphers                                 not offered
    Anonymous NULL ciphers                       not offered
    Export Ciphers (w/o export)                  not offered
    LOW: 64 bit + DES, RC[2,4] (w/o export)      not offered
    Triple DES ciphers / IDEA                    not offered
    Obsoleted CBC Ciphers (AES, ARIA etc.)       not offered
    AEAD ciphers                                 not offered
    (P)FS ciphers                                not offered
    ...
    Has server cipher order?                     no
    Negotiated cipher                            AES256-SHA (limited sense as client will pick)
    Negotiated cipher per proto                  (limited sense as client will pick)
    ...

C. Enable PFS (Perfect Forward Secrecy) ciphers.

weaponxcel (Option: D)

D. Enable AEAD: AEAD (Authenticated Encryption with Associated Data) ciphers provide both encryption and authentication in a single step. This makes them more resistant to chosen ciphertext attacks than other types of ciphers. AEAD ciphers, like AES-GCM and ChaCha20-Poly1305, provide strong encryption and authentication.

23169fd (Option: D)

Given the focus on mitigating chosen ciphertext attacks, the primary concern is to ensure that the data is not only encrypted but also authenticated to prevent such attacks. AEAD specifically addresses this by providing encryption and authentication.

HappyG (Option: C)

In the context of mitigating chosen ciphertext attacks, both PFS and AEAD can be effective measures. However, since the question specifically mentions mitigating chosen ciphertext attacks, PFS directly addresses this concern by preventing the compromise of long-term keys from compromising past session keys. Therefore, enabling PFS ciphers would likely be the better choice for mitigating chosen ciphertext attacks based on the provided information.
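Added example, not from the question, the answer explanation or any commenter: a Python check that reads the testssl categories transcribed in the discussion, flags the two findings the thread argues over (no AEAD suites, no PFS suites), classifies the negotiated AES256-SHA suite by its OpenSSL name, and verifies that a replacement cipher string offers only ECDHE key exchange with AEAD bulk ciphers. The sample output is constructed from the transcription, the name heuristics are my own (they also cover TLS 1.3 suite names), and the replacement list is an assumption, not the assessed server's configuration.

```python
import re

# Constructed sample: the testssl categories transcribed in the discussion above, reflowed.
TESTSSL_SAMPLE = """\
AEAD ciphers                   not offered
(P)FS ciphers                  not offered
Negotiated cipher              AES256-SHA (limited sense as client will pick)
"""

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")
PFS_KEX = ("ECDHE", "DHE", "EDH")  # ephemeral (EC)DH key-exchange prefixes

def classify_cipher(name):
    """Key-exchange and bulk-cipher class of an OpenSSL-style suite name (TLS 1.3 names too)."""
    upper = name.upper()
    if upper.startswith("TLS_"):  # TLS 1.3 suites: always ephemeral DH plus an AEAD
        return {"name": name, "pfs": True, "aead": True}
    return {"name": name,
            "pfs": upper.split("-")[0] in PFS_KEX,  # e.g. ECDHE-RSA-AES128-GCM-SHA256
            "aead": any(m in upper for m in AEAD_MARKERS)}

def parse_testssl(text):
    """Map 'label   value' lines to a dict (label and value separated by 2+ spaces)."""
    pairs = (re.match(r"^(.*?\S)\s{2,}(.+)$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def assess(text):
    """Findings a defender should fix, chosen-ciphertext exposure first."""
    f, issues = parse_testssl(text), []
    if f.get("AEAD ciphers", "").startswith("not offered"):
        issues.append("no AEAD suites: CBC+HMAC suites leave padding/MAC oracles (chosen-ciphertext class)")
    if f.get("(P)FS ciphers", "").startswith("not offered"):
        issues.append("no forward secrecy: RSA key transport, one private key decrypts recorded sessions")
    negotiated = f.get("Negotiated cipher", "").split()
    if negotiated:
        c = classify_cipher(negotiated[0])
        if not (c["pfs"] and c["aead"]):
            issues.append(f"negotiated {c['name']}: pfs={c['pfs']} aead={c['aead']}")
    return issues

def weak_suites(cipher_string):
    """Suites in an OpenSSL cipher string (nginx ssl_ciphers style) lacking PFS or AEAD."""
    return [s for s in cipher_string.split(":")
            if not all(classify_cipher(s)[k] for k in ("pfs", "aead"))]

# Assumed replacement list: ECDHE key exchange only, AEAD bulk ciphers only.
HARDENED = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
            "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
```

Running `assess(TESTSSL_SAMPLE)` reports both missing categories and the negotiated AES256-SHA suite as RSA key transport with a CBC+HMAC bulk cipher, while `weak_suites(HARDENED)` comes back empty.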