Cryptographic Implementation Resilience - Exam CAS-003: CompTIA CASP+

Improve Resilience to Attacks on Cryptographic Implementation

Question

An enterprise with global sites processes and exchanges highly sensitive information that is protected under several countries' arms trafficking laws.

There is new information that malicious nation-state-sponsored activities are targeting the use of encryption between the geographically disparate sites.

The organization currently employs ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites.

Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation?

Answers

Explanations

C.

This scenario involves an enterprise that processes and exchanges highly sensitive information across geographically disparate sites. The information is protected under several countries' arms trafficking laws. There is evidence of malicious nation-state-sponsored activities targeting the organization's use of encryption. The enterprise currently uses ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites.

The question is asking which of the following techniques would most likely improve the resilience of the enterprise to attacks on cryptographic implementation. Let's examine each answer choice:

A. Add a second-layer VPN from a different vendor between sites. This option would add another layer of VPN protection, but it would not necessarily address the issue of attacks on cryptographic implementation. It might also increase the complexity of the system and introduce potential compatibility issues without necessarily improving the enterprise's resilience to attacks on encryption.

B. Upgrade the cipher suite to use an authenticated AES mode of operation. This option would enhance the enterprise's encryption by using a more secure AES mode of operation. The authenticated mode would ensure that the encryption is not compromised during transit. This option would likely improve the enterprise's resilience to attacks on cryptographic implementation.

C. Use a stronger elliptic curve cryptography algorithm. This option would involve replacing the current elliptic curve cryptography algorithm with a stronger one. However, it is unlikely to improve the enterprise's resilience to attacks on cryptographic implementation since the current algorithm (P-384) is already considered strong.

D. Implement an IDS with sensors inside (clear-text) and outside (cipher-text) of each tunnel between sites. This option would involve implementing an intrusion detection system (IDS) with sensors inside and outside of each VPN tunnel. This would help detect any attempts to compromise the encryption, whether they occur inside or outside the VPN tunnel. This option would likely improve the enterprise's resilience to attacks on cryptographic implementation.

E. Ensure cryptography modules are kept up to date from the vendor supplying them. This option would involve ensuring that the enterprise's cryptography modules are kept up to date. While keeping the modules up to date is important, it is unlikely to improve the enterprise's resilience to attacks on cryptographic implementation directly.

In conclusion, the answer that would most likely improve the resilience of the enterprise to attacks on cryptographic implementation is either B or D. Upgrading the cipher suite to use an authenticated AES mode of operation would enhance the enterprise's encryption, while implementing an IDS with sensors inside and outside of each VPN tunnel would help detect attempts to compromise the encryption.