Comptia Network+ Chapter 10: Securing TCP/IP
Studying material based on Mike Meyers' book
19
Computer Networking
Post-Graduate
03/11/2024


Cards

Term

The process of scrambling, mixing up or changing data in a way that makes it unreadable to anyone but the owner or intended recipient. (pg. 354)

 

A. Authentication

B. Nonrepudiation

C. Encryption

D. Ciphering

Definition

C. The encrypted data is scrambled and unscrambled with cryptographic keys.

 

Authentication verifies that the right person is accessing the data.

 

Nonrepudiation traces actions back to specific users.

 

A cipher is a way to encrypt data, but not necessarily the process.

Term

The process that guarantees that the data received is the same as originally sent. (pg. 354)

 

A. Encryption

B. Authentication

C. Algorithm

D. Integrity

Definition

D. Integrity is designed to cover situations in which someone intercepts your data on the fly and makes changes.

 

Encryption makes data unreadable to unintended viewers.

 

An algorithm is the mathematical formula that underlies the cipher.

Term

Not being able to deny having taken a specific action. (pg. 354)

 

A. Event tracking

B. Integrity

C. Activity monitoring

D. Nonrepudiation

Definition

D. Nonrepudiation

 

Integrity guarantees that the data received is the same as originally sent.

 

Event tracking and activity monitoring are concepts that exist, but weren't the specific terms that applied.

Term

When it comes to TCP/IP security, ___ combine encryption, integrity, non-repudiation, authentication and authorization to create complete security solutions in a way that makes sense for their specific purpose. (pg. 354)

 

A. Anti-malware applications

B. Protocols

C. Security suites

D. Policies

Definition

B. Protocols

 

Anti-malware apps and security suites may have features to help secure TCP/IP but are usually designed for an entire OS.

 

Policy is almost a synonym for protocol, but the latter is the more commonly used term.

Term

What is the difference between cleartext, plaintext and ciphertext? (pg. 355)

 

Definition

Cleartext is data that hasn't yet been encrypted. Plaintext is any data that passes through a cipher, even if it has already been encrypted. Running it through a cipher algorithm using a key generates the encrypted ciphertext.

Term

Any encryption that uses the same key for both encryption and decryption is called ___ encryption. Any encryption that uses different keys for encryption and decryption is called ____ encryption. (pg. 358)

 

A. uniform, diverse

B. symmetric, asymmetric

C. unicode, multicode

D. static, dynamic

Definition

B. Symmetric and asymmetric encryption

Term

A method of cryptography that uses two different keys. (pg. 359)

 

A. stream cipher

B. checksum

C. AES

D. public-key

Definition

D. Public-key cryptography uses a public key for encryption and a private key for decryption. This key pair is generated at the same time and is designed to work together.

 

Stream cipher and AES (Advanced Encryption Standard) are both symmetric-key encryption methods.

 

A checksum is an error-detection method that enables the receiver to detect the corruption of network packets.

Term

A mathematical function run on a string of binary digits of any length that results in a value of some fixed length. (pg. 361)

 

A. message digest

B. stream cipher

C. hash

D. checksum

Definition

C. A cryptographic hash function's output will always be the same length no matter how long or short the input, and it is irreversible, meaning the original data can't be recreated from the hash.

 

A message digest and checksum are the same thing: the fixed-length value created after the hash is run.

 

A stream cipher is a form of symmetric encryption in which each bit is encrypted one at a time on the fly.

Term

A digitally signed electronic document issued by a trusted third party attesting to the identity of the holder of a specific cryptographic public key. (pg. 366)

 

A. Key Distribution Center

B. certificate

C. digital signature

D. Access Control List

Definition

B. A certificate includes a public key, some info about the file, and the digital signature of the trusted third party.

 

The other options are either a system in Kerberos (Key Distribution Center), a secure part of a message (digital signature), or a list (Access Control List). Their names hint that they aren't documents.

Term

The system for creating and distributing digital certificates issued by trusted third parties such as Let's Encrypt, Go Daddy, or Sectigo. (pg. 370)

 

A. digital authority

B. DigiCert

C. public-key authority

D. certificate authority

Definition

C. A public-key authority is a hierarchy that consists of a root certificate authority (CA), with intermediate CAs between the root and the issued certificates.

 

DigiCert is a well-known CA that can act as the root and issue certificates.

Term

The ACL access model where every resource is assigned a label that defines its security level. (pg. 372)

 

A. MAC

B. TCAC

C. DAC

D. RBAC

Definition

A. If the user lacks the security level in a mandatory access control (MAC) security model, he or she does not get access.

 

DAC and RBAC are also ACL access models, but TCAC is not.

Term

The ACL access model that defines a user's access to a resource based on the roles the user plays in the network environment. (pg. 372)

 

A. Mandatory Access Control (MAC)

B. User account control (UAC)

C. Discretionary access control (DAC)

D. Role-based access control (RBAC)

Definition

D. RBAC leads to the idea of placing user accounts into various security groups that have clearly defined access to different resources on a network.

 

MAC and DAC are also ACL models, but UAC is specifically a Windows security feature used within a specific device.

Term

___ protocol enables two devices to connect, authenticate with a username and password, and negotiate the network protocol the devices will use. (pg. 373)

 

A. Point-to-Point (PPP)

B. Peer-to-Peer (P2P)

C. Ad-hoc

D. Challenge Handshake Authentication (CHAP)

Definition

A. PPP handles authentication for point-to-point connections.

 

P2P is a networking architecture that distributes tasks or workloads between different nodes on a network, made popular in file sharing sites and services.

 

An ad hoc network is a temporary LAN.

 

CHAP is a protocol that PPP uses to securely establish a connection between two devices.

Term

The AAA philosophy is designed around the idea of port authentication - the concept of allowing remote users to authenticate to a port on another network. What are the three As? (pg. 376-377)

 

A. Authorization

B. Authentication

C. Access

D. Accounting

Definition

A., B. and D.

 

Authentication - a computer trying to connect to the network must present some form of credential for access to the network.

 

Authorization - once authenticated, the computer determines what it can or can't do on the network.

 

Accounting - the authenticating server should log events, such as logins, session action, and so on.

Term

The AAA standard that was created to support ISPs with hundreds if not thousands of modems in hundreds of computers to connect to a single central database. (pg. 377)

 

A. TACACS+

B. NAS

C. RADIUS

D. Kerberos

Definition

C. RADIUS (Remote Authentication Dial-In User Service) consists of three devices: the RADIUS server, a number of network access servers (NASs), and a group of systems that connect to the network in some way.

 

TACACS+ is an AAA protocol developed to support a network with many routers and switches.

 

Kerberos is an authentication protocol for TCP/IP networks with many clients all connected to a single authentication server.

Term

The protocol developed by Cisco to support AAA in a network with many routers and switches. (pg. 378)

 

A. RADIUS

B. KDC

C. NAS

D. TACACS+

Definition

D. Terminal Access Controller Access Control System Plus (TACACS+) is very similar to RADIUS in function, but uses TCP port 49 by default and separates authorization, authentication and accounting into different parts.

 

TACACS+ uses PPP hashes like RADIUS, but can also use Kerberos as part of the authentication scheme.

Term

An authentication protocol for TCP/IP networks with many clients all connected to a single authenticating server. (pg. 378)

 

A. TACACS+

B. RADIUS

C. Kerberos

D. PPP

Definition

C. Kerberos has no connection to PPP; whereas the latter is about connecting two devices, the former is about having many clients all connected to a single authenticating server.

 

RADIUS and TACACS+ are protocols that PPP uses.

Term

The Kerberos ___ service supplies both session tickets and session keys in an Active Directory domain. (pg. 379)

 

A. Ticket-Granting Ticket (TGT)

B. Key Distribution Center (KDC)

C. Ticket-Granting Service (TGS)

D. Authentication Server (AS)

Definition

B. The AS, TGT and TGS are components that the KDC relies on. The KDC is installed on the domain controller in Windows Server environments.

Term

When a client logs onto the domain, it sends a request that includes a hash of the username and password to the (1)___. The (2)___ compares the results of that hash to its own hash, and should they match, sends a (3)___ and a timestamp. The client is now authenticated but not yet authorized.

 

The client then sends the timestamped (4)___ to the (5)___ for authorization. The (6)___ sends a timestamped service ticket back to the client. This token is the key that the client uses to access any single resource on the entire domain. (pg. 379)

 

A. Ticket-Granting Ticket

B. Ticket-Granting Service

C. Authentication Server

D. Key Distribution Center

Definition

(1) and (2) = Authentication Server

(3) and (4) = Ticket-Granting Ticket

(5) and (6) = Ticket-Granting Service
