Need to change wording on Question #2 for Sec+ exam
ucanbbreached (Member, 30 posts)
in Security+
Your answer for Q#2 states that the encryption of the message with the private key is the actual signing of the message.
This can be true, but it is not used, because asymmetric encryption is not used for large messages and there is no way (currently) for the encryption algorithm to distinguish a large message from a small message. If it did exist, then the encryption algorithm would have to change from asymmetric to symmetric to adjust for the large data load.
Rather, an authenticator (a small block of bits that is a function of the message; p. 72, Network Security Essentials, William Stallings [great book]) is used. This is a secure hash method.
This authenticator is then encrypted to provide a secure hash, usually MD5 or SHA-1. This encrypted hash provides a way to verify the signature with the signer's public key. No, this does not provide data confidentiality, but it is the way a digital signature is processed in the industry.
The answer your test gives provides both confidentiality and signature verification, but then it isn't really confidential, because anyone can access the public key and decrypt the message. The secure hash provides a small block of data to use with the asymmetric algorithm, providing verification and integrity while not worrying about confidentiality. This is why we don't use private keys for encryption. We use the public key, and only the private key holder can open it.
This isn't the only way, but it is the most practical.
So overall, the answer to Sec+ Q#2 should be "the encryption of the hash value with someone's private key" -- again because we are looking at verification and not confidentiality.
Thanks,
James
bohlingj@saic.com
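A worked illustration of the sign-the-hash process James describes, added here and not part of the original thread. It uses textbook RSA with a constructed toy key (small primes, no padding, digest truncated so it fits below the tiny modulus), and also shows why the "encrypt the whole message with the private key" reading stops working as soon as the message is larger than the modulus.

```python
import hashlib

# Constructed toy RSA key pair for illustration only: real keys are 2048+ bits
# and real signatures add padding (e.g. PSS). Primes chosen for this example.
P, Q = 104729, 1299709
N = P * Q                           # public modulus, about 37 bits
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def message_hash(message: bytes) -> int:
    """The 'authenticator': a fixed-size digest of the message.
    SHA-256 here (the thread mentions MD5/SHA-1, both now deprecated), truncated
    to 32 bits only so it fits under the toy N; a real N dwarfs any digest."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:4], "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signing = the private-key operation on the HASH, not on the message."""
    return pow(message_hash(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone with the public key recovers the hash and compares it with a
    fresh hash of what they received: integrity and origin, no confidentiality."""
    return pow(signature, e, n) == message_hash(message)


def private_key_roundtrip_ok(message: bytes, d: int = D, e: int = E, n: int = N) -> bool:
    """The naive 'encrypt the whole message with the private key' idea.
    RSA only ever recovers m mod N, so it works only while m < N."""
    m = int.from_bytes(message, "big")
    recovered = pow(pow(m, d, n), e, n)
    return recovered == m


if __name__ == "__main__":
    msg = b"Pay James 100 dollars"        # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                          # True
    print(verify(b"Pay James 1000 dollars", sig))    # False: message altered
    print(private_key_roundtrip_ok(b"hi"))           # True: 2 bytes fit under N
    print(private_key_roundtrip_ok(msg))             # False: 21 bytes exceed N
```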
Comments
ucanbbreached (Member, 30 posts): Your test was superb, though. The question had great content, and the front end is so much better than any of the other online practice tests. Better yet, it is free.
RussS (Member, 2,068 posts): Thank you for your comments.
I will look at that question and review it as necessary and pass the results on to Webmaster so he can alter the online test. These questions were written while I was doing my initial study, were written to assist with the lack of quizzers available at the time, and were based on the very limited resources available. Given all that, I am very pleased with the many favourable comments I have received and may extend the question pool as time permits.
I agree with you about the test engine - far superior to many I have seen.
www.supercross.com
FIM website of the year 2007
RussS (Member, 2,068 posts): Hey James
After reviewing the question I am happy enough to let it stand as is.
A quick skim through my study material shows a similar train of thought:
Digital Signatures
Digitally sign your emails to prove that you are not an imposter. Digital signatures are based on a secret passkey which only you know. They cannot be faked.
Now in the question we are asking ... What is the signing part of the process? The answer is correct in that context.
A visit to .... http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211953,00.html should clear this up for you
However, if you think there is cause to review the question again I would be more than happy to do so.
Russ
ucanbbreached (Member, 30 posts): RussS,
Thanks for the research. However, if you use your link you will find what I explained and concluded in my statement.
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211953,00.html
Take a look at the first set of bullets: #3 under "How it works" on the page
3. You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash
You are encrypting a hash, not the message, with a private key.
RussS, how do I get my email listed on my profile? I don't receive updates to the message board because my email is not listed or input or something.
Thanks for your time,
James
RussS (Member, 2,068 posts): Hi James
We have to go back to the question - What is the signing part of the process?
The answer is correct in that context. One must remember that we are talking in simple terms here and looking at this in the context of how the various authors write and how CompTIA would ask a question.
I overstudied in areas that I believed CompTIA would be heavy on and unfortunately missed first time around, mainly being blown away by questions I should have answered but couldn't decipher what they required as the answer.
As far as your email and notices - you can put your email in the signature box and can check to receive the updates newsletter by editing your profile..... webmaster can correct me if I am wrong.
Webmaster (Admin, 10,292 posts):
RussS wrote: As far as your email and notices - you can put your email in the signature box and can check to receive the updates newsletter by editing your profile..... webmaster can correct me if I am wrong.
Personally, I wouldn't post my email address in the signature. There are always people looking for addresses on webpages so they can add them to another spam list...
If you want to get notifications of new posts to a certain topic you can watch it by clicking the link just below the New and Reply button on the bottom of each topic. If it's your own post you can enable the option "Notify me when a reply is posted" when you post the post
Important: If you get notified and click the link in the message that will take you to the new reply, be sure you login, otherwise when another new reply is posted you won't get notified (again).
If you want to receive site updates once or twice a month (new stuff at TechExams.Net) you can join our newsletter by updating your forum profile here: www.techexams.net/forums/profile.php?mode=editprofile
Johan
POPdevil (Member, 3 posts): This is why we are scared to take the test. It doesn't seem like it's a clear-cut KNOW IT, PASS IT... it's know what I think it is.
RussS (Member, 2,068 posts): That does seem to sum it up nicely ... lol. I guess because I am a little older I have a different way of looking at things, but in my past experience in many other fields, when one takes an official exam you have the right to expect sensible, on-topic questions with correct answers.
There really should not be any place for subjective or considered questions in an exam that is supposed to be a worldwide certification.
Personally, I have huge issues with CompTIA, and if I was based in the States they would be hearing from my lawyer - it seems they are the only people who can get a straight answer from CompTIA ... lol
The Security+ certification is something that I am very passionate about, as there is so much subject matter that should be compulsory for a Network Administrator. Consider for a moment .... if every Network Admin had studied for this and knew the importance of hardening their mail servers, we would not have the problem with spam that we have. A secondary email account I have has had a minimum of 30 spam emails every day for the past month or so. Stopping email servers from being open SMTP relays would just about stop this completely.