CISA Examination Question Analysis - Encryption
In preparing for the CISA exam, one important area of review which many auditors and exam takers find challenging is encryption. While no one knows exactly the concentration or the number of questions in any exam that may be dedicated to this subject, one can be very certain that questions on encryption, given the topic’s role in security and internal control, will be on the exam in some form.
It is essential in reviewing encryption as a topic for examination that the test taker has a complete and confident understanding and working knowledge not only of the basics of encryption, i.e., the theory or concepts and the terminology of the various component pieces of an encryption process, but also of “HOW” encryption works.
The questions that focus on the “HOW” are usually the most challenging and yes, tricky. These questions tend to stump the CISA candidate because a correct answer requires a thorough understanding of how all of the various elements of encryption work and fit together to accomplish encryption’s mission of protecting data at rest or in transit.
Given the various “elements” of an encryption scheme/process, it is very easy to write an exam question that combines many of these elements, in varying sequences, with obviously only one correct combination and thus only one correct answer.
In an attempt to demonstrate the breadth of information a CISA candidate should be familiar with when reviewing and studying encryption as a topic covered on the CISA exam, we will examine a question which addresses developing a hardened encryption scheme to solve a real world problem.
Understandably, the questions that you will face on the actual CISA examination will be shorter and typically address only one aspect of the concept or methodology being tested, unlike the question below. However, this question brings together all of the essential elements one would expect to encounter in the area of encryption and asks the test candidate to think through the problem, to select and apply encryption techniques effectively, to solve an actual end-user request.
Although the answer to this “test” question is provided, I challenge you to hold off rushing to the answer and to instead, write out your response, then compare your response to the answer which is provided.
Again, while the CISA exam will require only an answer of “A,” “B,” “C,” OR “D,” getting there will require you to work through the question presented and the answer options by truly understanding how encryption works and how the parts and pieces of the encryption process work together to accomplish encryption’s overall objective.
I am attempting to achieve the perfect storm in data and transactional security.
I want to ensure that four security “components” will be achieved in any message that I send from my location at point “A” to an intended recipient, as well as any message sent to me, from any sender, across a communications medium.
My communications MUST achieve the following:
Provide a recommended solution identifying all necessary elements, in their proper order/sequence/relationship that will allow me to achieve my objective.
While this is an extensive user request, it is certainly not exceptional nor out of the ordinary; it is a pretty straightforward request, especially in today’s hyper-exposed security environment.
In order to successfully answer this question, the CISA candidate must understand the basic components of encryption and their function. Let’s take a quick definition review of the basic components found in encryption. It should be noted that there are many more components and their related definitions to be found in the field and study of encryption.
The definitions presented here are of the concepts associated with encryption that an exam taker will most typically encounter when preparing for the CISA exam.
- Certificate Authority
- Digital Certificate
- Digital Signature
- Hashing (or Hash)
- Private Key
- Public Key
- Registration Authority
Authentication - Assuring that a message has not been modified in transit or while stored on a computer. It is one of the objectives of cryptography. (This is referred to as message authentication or message integrity.)
Certificate - A certificate is a data file that identifies an individual, organization, or business. Certificates are obtained from specialized certificate-issuing companies and can be used to encrypt data and/or confirm the certificate owner's identity.
Certificate authority (CA) - is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. Depending on the public key infrastructure implementation, the certificate includes the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.
Confidentiality - assurance that only owners of a shared secret key can decrypt a computer file that has been encrypted with the shared secret key.
Digital Certificate - a specialized document signed by a trusted third party, which is the preferred way to securely deliver public keys. The top part of a digital certificate contains plaintext identifying the issuer (signer), the subject (whose public key is attached), the subject's public key and the expiration date of the certificate. The bottom part of a digital certificate contains the issuer's signed hash of the top part.
Digital Signature - a small piece of code that is used to authenticate the sender of data. Digital signatures are created with encryption software for verification purposes. A private key is used to create a digital signature, and a corresponding public key can be used to verify that the signature was really generated by the holder of the private key.
Hashing - is used to encrypt and decrypt digital signatures. The digital signature is transformed with the hash function and then both the hashed value (known as a message-digest) and the signature are sent in separate transmissions to the receiver. Using the same hash function as the sender, the receiver derives a message-digest from the signature and compares it with the message-digest it also received. (They should be the same.)
Integrity - assurance that a file was not changed during transit; also called message authentication.
Key - is simply a special piece of data used for encryption and/or decryption. Keys are not human readable and typically look like alphanumeric gibberish.
Non-repudiation - assurance that the sender cannot deny a file was sent. This cannot be done with secret key alone.
Private Key – a concealed key held by only one person in public key cryptography. It is never shared.
Public Key - used in asymmetric cryptography. One of its primary purposes is to enable someone to encrypt messages intended for the owner of the public key. Public keys are meant for distribution, so anyone who wants to send an encrypted message to the owner of the public key can do so, but only the owner of the corresponding private key can decrypt the message.
Registration authority (RA) - is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely. The digital certificate contains a public key that is used to encrypt and decrypt messages and digital signatures.
Well, that should cover most of the necessary encryption component definitions required for the CISA exam. Knowledge of definitions alone is not sufficient for getting encryption exam questions correct; you must also know how to apply the concepts to achieve specific encryption and control objectives.
What follows is the suggested answer to the question of achieving the perfect storm in data and transactional security, that being Confidentiality, Integrity, Authentication, and Non-repudiation in transmitted messages.
To properly answer this question, you must consider several essential elements of encryption, as described above, specifically:
- Digital signatures
- Private and public keys
In order to achieve my objective of communications Confidentiality, Integrity, Authentication, and Non-repudiation, I would need to:
Outbound message…(my side)
- Create an initial message.
- Calculate a hash value for the message.
- Encrypt the hash with my private key.
- Attach the hash to the message.
- Sign the message with my digital signature.
- Encrypt the message with the recipient’s public key.
- Send the message to the recipient.
Inbound message…(recipient’s side, once message is received)
- Opens the message by decrypting the message using recipient’s private key.
- Calculates a new hash value.
- Decrypts my hash using my public key.
- Compares the hashes (any discrepancies in the hash values and recipient cannot rely upon the message’s integrity).
- Has my digital signature attached to the message, thus “binding” me as the sender of the message.
- Has assurance that the message came from me, as my signature is on the file.
To reverse the “sending sequence” one would simply need to reverse the steps taken by the receiver and sender.
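The sequence above, worked through in code as an added example (not part of the original post): the hash encrypted with the sender's private key is the digital signature, the message is then encrypted with the recipient's public key, and the recipient reverses the steps and compares the two hash values. It uses SHA-256 and a self-contained, textbook RSA with small keys and no padding purely to make the ordering of the steps visible; a production system would use padded RSA (OAEP/PSS) or a symmetric session key wrapped with the recipient's public key.

```python
import hashlib
import random


def is_probable_prime(n, rounds=20):
    # Miller-Rabin test; adequate for generating a demonstration key pair.
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=256, e=65537):
    # Toy textbook RSA: returns (public, private), each as (exponent, modulus).
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(c) and (c - 1) % e:
                return c
    p, q = prime(), prime()
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)


def send(message, sender_priv, recipient_pub):
    # Sender: hash the message, encrypt the hash with own private key (the signature),
    # then encrypt the message with the recipient's public key.
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signature = pow(digest, *sender_priv)
    m = int.from_bytes(message, "big")
    assert 0 < m < recipient_pub[1], "toy RSA: message must be shorter than the modulus"
    return pow(m, *recipient_pub), signature


def receive(ciphertext, signature, recipient_priv, sender_pub):
    # Recipient: decrypt with own private key, recompute the hash, recover the sender's
    # hash with the sender's public key, and compare the two (integrity + authenticity).
    m = pow(ciphertext, *recipient_priv)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    fresh = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return message, pow(signature, *sender_pub) == fresh
```

A mismatch in the final comparison means either the message changed in transit or the signature was not produced with the sender's private key, so the recipient cannot rely on the message.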
OK, for those readers who have made it this far and are wishing for a more traditional exam question and exam question format, here are five “typical” questions on encryption (read: multiple choice format; NOT that these questions are on the CISA exam). The correct answers can be found at the end of this post.
1. Which of the following encrypt/decrypt steps provides the greatest assurance of achieving confidentiality, message integrity and non-repudiation by either the sender or recipient?
   A. The recipient uses their private key to decrypt the secret key.
   B. The encrypted prehash code and the message are encrypted using a secret key.
   C. The encrypted prehash code is derived mathematically from the message to be sent.
   D. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the prehash code.
2. To ensure confidentiality, authentication, and integrity of a message, the sender should encrypt the hash of the message with the sender's:
   A. Public key and then encrypt the message with the receiver's private key.
   B. Private key and then encrypt the message with the receiver's public key.
   C. Public key and then encrypt the message with the receiver's public key.
   D. Private key and then encrypt the message with the receiver's private key.
3. Which of the following provides the greatest assurance of message authenticity?
   A. The prehash code is derived mathematically from the message being sent.
   B. The prehash code is encrypted using the sender's private key.
   C. The prehash code and the message are encrypted using the secret key.
   D. The sender attains the recipient's public key and verifies the authenticity of its digital certificate with a certificate authority.
4. To ensure message integrity, confidentiality and non-repudiation between two parties, the most effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
   A. The entire message, encrypting the message hash using the sender's private key, encrypting the message using the receiver's public key.
   B. Any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key.
   C. The entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key.
   D. The entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
5. Which of the following ensures a sender's authenticity and an e-mail's confidentiality?
   A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key.
   B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key.
   C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key.
   D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key.
To learn more about encryption and the application of these concepts in preparation for the CISA exam, schedule a CISA examination Boot Camp course for your company or Chapter exam candidates. Encryption, along with the full complement of security, audit, and internal control concepts, is covered during our five-day boot camp course.
For further information on scheduling a Boot Camp, please contact:
Al Marcella, Ph.D., CISA, CISM
Multiple choice answers: 1. D 2. B 3. B 4. A 5. C
Encryption definitions that were used in preparing this CISA exam question analysis came from the following sources:
“Guide to Using Encryption Software,” NetAction, www.netaction.org/encrypt/terms.html.
Mel, H. X., and Baker, D. Cryptography Decrypted, 2000.
NIST, Special Publication 800-111, Guide to Storage Encryption, Technologies for End User Devices, http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf.
“Overcoming the Two Big Obstacles to Deploying Email Encryption: Cost and Complexity,” WatchGuard Technologies, www.techdata.ca/%28S%28omsw2l55boujw4455rjmsbjc%29%29/watchguard/files/W....