Chapter 32 Quiz: Cryptography Applied¶

B — AES-256-GCM, because GCM provides both confidentiality and authenticated encryption (AEAD), detecting tampering

AES-GCM is an Authenticated Encryption with Associated Data (AEAD) mode — it simultaneously encrypts and produces an authentication tag, protecting against both eavesdropping and tampering/bit-flipping. AES-CBC provides only confidentiality; without a separate MAC, it is vulnerable to padding oracle attacks (POODLE) and undetected modification. GCM is the modern standard for both data at rest and in transit.

B — Ephemeral Diffie-Hellman key exchange (DHE or ECDHE) — session keys are generated fresh for each connection and never transmitted

TLS 1.3 mandates ephemeral Diffie-Hellman (DHE/ECDHE) for all key exchanges, eliminating RSA key transport entirely. ECDHE generates a fresh key pair per session — the session key is derived from both parties' ephemeral keys but never transmitted. Forward secrecy means that compromising the server's long-term private key does not decrypt past sessions (since past session keys were ephemeral and discarded).

A — Only certificates signed by that intermediate become invalid; the Root CA and other intermediates are unaffected

A three-tier PKI hierarchy (Root CA → Intermediate CA → Leaf) provides compartmentalization. When an intermediate CA certificate expires, only the leaf certificates it signed (and those signed by subordinate CAs under it) fail chain validation. The Root CA and certificates signed by other intermediates are unaffected. This is why intermediate CAs are used — to protect the offline Root CA and contain scope of failure.

B — OCSP provides real-time, per-certificate revocation status without downloading a large revocation list

CRL (Certificate Revocation List): a periodically published file listing all revoked certificates — grows large over time and may be hours to days stale. OCSP (Online Certificate Status Protocol): a real-time query to an OCSP responder that returns the status of a specific certificate. OCSP Stapling further improves performance by having the server attach a pre-fetched, signed OCSP response to the TLS handshake.

C — BEAST (Browser Exploit Against SSL/TLS)

BEAST (2011) exploited a weakness in TLS 1.0's CBC mode implementation — the initialization vector (IV) for each record was the last ciphertext block of the previous record (predictable IVs). This allowed a network attacker with JavaScript injection capability to perform adaptive chosen-plaintext attacks and recover HTTPS session cookies. The fix: upgrade to TLS 1.1+, which uses random IVs, or use RC4 (now also deprecated).

B — A memory over-read bug in OpenSSL's heartbeat extension that could expose private keys, session keys, and memory contents

Heartbleed was not a cryptographic algorithm failure — it was an implementation bug. The TLS heartbeat extension in OpenSSL failed to validate that the response payload length matched the actual data sent. An attacker could request up to 64KB of server memory per heartbeat, potentially recovering TLS private keys, session tokens, and credentials. The fix was updating OpenSSL and revoking/reissuing all server certificates.

B — Private keys in an HSM never leave the hardware boundary — cryptographic operations are performed inside the tamper-resistant device

The core security property of an HSM is key non-exportability. The private key is generated inside the HSM, never exported in plaintext, and all cryptographic operations (signing, decryption) are performed within the hardware's tamper-resistant boundary. If the HSM is physically attacked, it self-destructs key material. Software key stores (files, databases) can be exfiltrated; HSM-protected keys cannot.

B — CRYSTALS-Kyber (ML-KEM)

NIST's Post-Quantum Cryptography (PQC) standardization (FIPS 203–205) finalized in 2024 selected: CRYSTALS-Kyber (FIPS 203, renamed ML-KEM) for key encapsulation (replacing RSA/ECDH in TLS key exchange), CRYSTALS-Dilithium (FIPS 204, ML-DSA) for digital signatures, SPHINCS+ (FIPS 205, SLH-DSA) as a hash-based signature backup. FALCON (FN-DSA) is a secondary signature scheme. Kyber is the key exchange replacement.

B — Envelope Encryption (Key Wrapping)

Envelope encryption (also called key wrapping) is a two-tier model: a Data Encryption Key (DEK) encrypts the actual data, and a Key Encryption Key (KEK) encrypts (wraps) the DEK. The KEK is stored in a protected location (HSM or KMS). This allows rotating data encryption without re-encrypting all data (only the DEK wrapper needs re-encryption with a new KEK), and provides centralized key lifecycle control.

B — Disable NULL cipher suites first (they provide no encryption), then disable RC4 and TLS 1.0 with a migration timeline for legacy clients

NULL cipher suites transmit data in plaintext — there is no encryption whatsoever. This is always an immediate critical fix regardless of client compatibility. RC4 is broken (multiple statistical biases, BEAST-variant attacks) and TLS 1.0 has known vulnerabilities (POODLE, BEAST). These should be disabled on a structured migration plan that considers legacy client impact. Certificate pinning (D) does not fix weak cipher suites.