Was :
$81
Today :
$45
Was :
$99
Today :
$55
Was :
$117
Today :
$65
Why Should You Prepare For Your Systems Security Certified Practitioner With MyCertsHub?
At MyCertsHub, we go beyond standard study material. Our platform provides authentic ISC2 SSCP Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Systems Security Certified Practitioner test. Whether you’re targeting ISC2 certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.
Verified SSCP Exam Dumps
Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the SSCP Systems Security Certified Practitioner , you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.
Realistic Test Prep For The SSCP
You can instantly access downloadable PDFs of SSCP practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the ISC2 Exam with confidence.
Smart Learning With Exam Guides
Our structured SSCP exam guide focuses on the Systems Security Certified Practitioner's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content. Pass the SSCP Exam – Guaranteed
We Offer A 100% Money-Back Guarantee On Our Products.
After using MyCertsHub's exam dumps to prepare for the Systems Security Certified Practitioner exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.
Try Before You Buy – Free Demo
Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the SSCP exam dumps.
MyCertsHub – Your Trusted Partner For ISC2 Exams
Whether you’re preparing for Systems Security Certified Practitioner or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your SSCP exam has never been easier thanks to our tried-and-true resources.
ISC2 SSCP Sample Question Answers
Question # 1
Which type of encryption is considered to be unbreakable if the stream is truly random and is aslarge as the plaintext and never reused in whole or part?
A. One Time Pad (OTP) B. One time Cryptopad (OTC) C. Cryptanalysis D. Pretty Good Privacy (PGP)
Answer: A
Explanation:
OTP or One Time Pad is considered unbreakable if the key is truly random and is as large as the
plaintext and never reused in whole or part AND kept secret.
In cryptography, a one-time pad is a system in which a key generated randomly is used only once
to encrypt a message that is then decrypted by the receiver using the matching one-time pad and
key. Messages encrypted with keys based on randomness have the advantage that there is
theoretically no way to "break the code" by analyzing a succession of messages. Each encryption
is unique and bears no relation to the next encryption so that some pattern can be detected.
With a one-time pad, however, the decrypting party must have access to the same key used to
encrypt the message and this raises the problem of how to get the key to the decrypting party
safely or how to keep both keys secure. One-time pads have sometimes been used when the both
parties started out at the same physical location and then separated, each with knowledge of the
keys in the one-time pad. The key used in a one-time pad is called a secret key because if it is
revealed, the messages encrypted with it can easily be deciphered.
One-time pads figured prominently in secret message transmission and espionage before and
during World War II and in the Cold War era. On the Internet, the difficulty of securely controlling
secret keys led to the invention of public key cryptography.
The biggest challenge with OTP was to get the pad security to the person or entity you wanted to
communicate with. It had to be done in person or using a trusted courrier or custodian. It certainly
did not scale up very well and it would not be usable for large quantity of data that needs to be
encrypted as we often time have today.
The following answers are incorrect:
- One time Cryptopad: Almost but this isn't correct. Cryptopad isn't a valid term in cryptography.
- Cryptanalysis: Sorry, incorrect. Cryptanalysis is the process of analyzing information in an effort
to breach the cryptographic security systems.
- PGP - Pretty Good Privacy: PGP, written by Phil Zimmermann is a data encryption and
decryption program that provides cryptographic privacy and authentication for data. Still isn't the
right answer though. Read more here about PGP.
The following reference(s) was used to create this question:
To get more info on this QUESTION NO: s or any QUESTION NO: s of Security+, subscribe to the
Which protocol makes USE of an electronic wallet on a customer's PC and sends encrypted credi card information to merchant's Web server, which digitally signs it and sends it on to its processing bank?
A. SSH ( Secure Shell) B. S/MIME (Secure MIME) C. SET (Secure Electronic Transaction) D. SSL (Secure Sockets Layer)
Answer: C
Explanation:
As protocol was introduced by Visa and Mastercard to allow for more credit card transaction
possibilities. It is comprised of three different pieces of software, running on the customer's PC (an
electronic wallet), on the merchant's Web server and on the payment server of the merchant's
bank. The credit card information is sent by the customer to the merchant's Web server, but it
does not open it and instead digitally signs it and sends it to its bank's payment server for
processing.
The following answers are incorrect because :
SSH (Secure Shell) is incorrect as it functions as a type of tunneling mechanism that provides
terminal like access to remote computers.
S/MIME is incorrect as it is a standard for encrypting and digitally signing electronic mail and for
providing secure data transmissions.
SSL is incorrect as it uses public key encryption and provides data encryption, server
authentication, message integrity, and optional client authentication.
When we encrypt or decrypt data there is a basic operation involving ones and zeros where theyare compared in a process that looks something like this:0101 0001 Plain text0111 0011 Key stream0010 0010 OutputWhat is this cryptographic operation called?
A. Exclusive-OR B. Bit Swapping C. Logical-NOR D. Decryption
Answer: A
Explanation:
When we encrypt data we are basically taking the plaintext information and applying some key
material or keystream and conducting something called an XOR or Exclusive-OR operation.
The symbol used for XOR is the following: This is a type of cipher known as a stream cipher.
The operation looks like this:
0101 0001 Plain text
0111 0011 Key stream
0010 0010 Output (ciphertext)
As you can see, it's not simple addition and the XOR Operation uses something called a truth
table that explains why 0+1=1 and 1+1=0.
The rules are simples, if both bits are the same the result is zero, if both bits are not the same the
result is one.
The following answers are incorrect:
- Bit Swapping: Incorrect. This isn't a known cryptographic operations.
- Logical NOR: Sorry, this isn't correct but is where only 0+0=1. All other combinations of 1+1, 1+0
equals 0. More on NOR here.
- Decryption: Sorry, this is the opposite of the process of encryption or, the process of applying the
keystream to the plaintext to get the resulting encrypted text.
The following reference(s) was used to create this question:
For more details on XOR and all other QUESTION NO: s of cryptography. Subscribe to our holistic
The Diffie-Hellman algorithm is primarily used to provide which of the following?
A. Confidentiality B. Key Agreement C. Integrity D. Non-repudiation
Answer: B
Explanation:
Diffie and Hellman describe a means for two parties to agree upon a shared secret in such a way
that the secret will be unavailable to eavesdroppers. This secret may then be converted into
cryptographic keying material for other (symmetric) algorithms. A large number of minor variants of
this process exist. See RFC 2631 Diffie-Hellman Key Agreement Method for more details.
In 1976, Diffie and Hellman were the first to introduce the notion of public key cryptography,
requiring a system allowing the exchange of secret keys over non-secure channels. The DiffieHellman algorithm is used for key exchange between two parties communicating with each other,
it cannot be used for encrypting and decrypting messages, or digital signature.
Diffie and Hellman sought to address the issue of having to exchange keys via courier and other
unsecure means. Their efforts were the FIRST asymmetric key agreement algorithm. Since the
Diffie-Hellman algorithm cannot be used for encrypting and decrypting it cannot provide
confidentiality nor integrity. This algorithm also does not provide for digital signature functionality
and thus non-repudiation is not a choice.
NOTE: The DH algorithm is susceptible to man-in-the-middle attacks.
KEY AGREEMENT VERSUS KEY EXCHANGE
A key exchange can be done multiple way. It can be done in person, I can generate a key and
then encrypt the key to get it securely to you by encrypting it with your public key. A Key
Agreement protocol is done over a public medium such as the internet using a mathematical
formula to come out with a common value on both sides of the communication link, without the
ennemy being able to know what the common agreement is.
The following answers were incorrect:
All of the other choices were not correct choices
Reference(s) used for this question:
Shon Harris, CISSP All In One (AIO), 6th edition . Chapter 7, Cryptography, Page 812.
You work in a police department forensics lab where you examine computers for evidence ofcrimes. Your work is vital to the success of the prosecution of criminals.One day you receive a laptop and are part of a two man team responsible for examining ittogether. However, it is lunch time and after receiving the laptop you leave it on your desk and youboth head out to lunch.What critical step in forensic evidence have you forgotten?
A. Chain of custody B. Locking the laptop in your desk C. Making a disk image for examination D. Cracking the admin password with chntpw
Answer: A
Explanation:
When evidence from a crime is to be used in the prosecution of a criminal it is critical that you
follow the law when handling that evidence. Part of that process is called chain of custody and is
when you maintain proactive and documented control over ALL evidence involved in a crime.
Failure to do this can lead to the dismissal of charges against a criminal because if the evidence is
compromised because you failed to maintain of chain of custody.
A chain of custody is chronological documentation for evidence in a particular case, and is
especially important with electronic evidence due to the possibility of fraudulent data alteration,
deletion, or creation. A fully detailed chain of custody report is necessary to prove the physical
custody of a piece of evidence and show all parties that had access to said evidence at any given
time.
Evidence must be protected from the time it is collected until the time it is presented in court.
The following answers are incorrect:
- Locking the laptop in your desk: Even this wouldn't assure that the defense team would try to
challenge chain of custody handling. It's usually easy to break into a desk drawer and evidence
should be stored in approved safes or other storage facility.
- Making a disk image for examination: This is a key part of system forensics where we make a
disk image of the evidence system and study that as opposed to studying the real disk drive. That
could lead to loss of evidence. However if the original evidence is not secured than the chain of
custoday has not been maintained properly.
- Cracking the admin password with chntpw: This isn't correct. Your first mistake was to
compromise the chain of custody of the laptop. The chntpw program is a Linux utility to (re)set the
password of any user that has a valid (local) account on a Windows system, by modifying the
crypted password in the registry's SAM file. You do not need to know the old password to set a
new one. It works offline which means you must have physical access (i.e., you have to shutdown
your computer and boot off a linux floppy disk). The bootdisk includes stuff to access NTFS
partitions and scripts to glue the whole thing together. This utility works with SYSKEY and includes
the option to turn it off. A bootdisk image is provided on their website at
What is NOT true about a one-way hashing function?
A. It provides authentication of the message B. A hash cannot be reverse to get the message used to create the hash C. The results of a one-way hash is a message digest D. It provides integrity of the message
Answer: A
Explanation:
A one way hashing function can only be use for the integrity of a message and not for
authentication or confidentiality. Because the hash creates just a fingerprint of the message which
cannot be reversed and it is also very difficult to create a second message with the same hash.
A hash by itself does not provide Authentication. It only provides a weak form or integrity. It would
be possible for an attacker to perform a Man-In-The-Middle attack where both the hash and the
digest could be changed without the receiver knowing it.
A hash combined with your session key will produce a Message Authentication Code (MAC) which
will provide you with both authentication of the source and integrity. It is sometimes referred to as
a Keyed Hash.
A hash encrypted with the sender private key produce a Digital Signature which provide
authentication, but not the hash by itself.
Hashing functions by themselves such as MD5, SHA1, SHA2, SHA-3 does not provide
This type of attack is generally most applicable to public-key cryptosystems, what type of attackam I ?
A. Chosen-Ciphertext attack B. Ciphertext-only attack C. Plaintext Only Attack D. Adaptive-Chosen-Plaintext attack
Answer: A
Explanation:
A chosen-ciphertext attack is one in which cryptanalyst may choose a piece of ciphertext and
attempt to obtain the corresponding decrypted plaintext. This type of attack is generally most
applicable to public-key cryptosystems.
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst
gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an
unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts
into the system and obtain the resulting plaintexts. From these pieces of information the adversary
can attempt to recover the hidden secret key used for decryption.
A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For
example, the El Gamal cryptosystem is semantically secure under chosen-plaintext attack, but this
semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA
padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext
attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some
self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart
cards must be particularly cognizant of these attacks, as these devices may be completely under
the control of an adversary, who can issue a large number of chosen-ciphertexts in an attempt to
recover the hidden secret key.
According to RSA:
Cryptanalytic attacks are generally classified into six categories that distinguish the kind of
information the cryptanalyst has available to mount an attack. The categories of attack are listed
here roughly in increasing order of the quality of information available to the cryptanalyst, or,
equivalently, in decreasing order of the level of difficulty to the cryptanalyst. The objective of the
cryptanalyst in all cases is to be able to decrypt new pieces of ciphertext without additional
information. The ideal for a cryptanalyst is to extract the secret key.
A ciphertext-only attack is one in which the cryptanalyst obtains a sample of ciphertext, without the
plaintext associated with it. This data is relatively easy to obtain in many scenarios, but a
successful ciphertext-only attack is generally difficult, and requires a very large ciphertext sample.
Such attack was possible on cipher using Code Book Mode where frequency analysis was being
used and even thou only the ciphertext was available, it was still possible to eventually collect
enough data and decipher it without having the key.
A known-plaintext attack is one in which the cryptanalyst obtains a sample of ciphertext and the
corresponding plaintext as well. The known-plaintext attack (KPA) or crib is an attack model for
cryptanalysis where the attacker has samples of both the plaintext and its encrypted version
(ciphertext), and is at liberty to make use of them to reveal further secret information such as
secret keys and code books.
A chosen-plaintext attack is one in which the cryptanalyst is able to choose a quantity of plaintext
and then obtain the corresponding encrypted ciphertext. A chosen-plaintext attack (CPA) is an
attack model for cryptanalysis which presumes that the attacker has the capability to choose
arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the
attack is to gain some further information which reduces the security of the encryption scheme. In
the worst case, a chosen-plaintext attack could reveal the scheme's secret key.
This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an
attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the
attacker's choosing. Modern cryptography, on the other hand, is implemented in software or
hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext
attack is often very feasible. Chosen-plaintext attacks become extremely important in the context
of public key cryptography, where the encryption key is public and attackers can encrypt any
plaintext they choose.
Any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against
known-plaintext and ciphertext-only attacks; this is a conservative approach to security.
Two forms of chosen-plaintext attack can be distinguished:
Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them
are encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
Adaptive chosen-plaintext attack, is a special case of chosen-plaintext attack in which the
cryptanalyst is able to choose plaintext samples dynamically, and alter his or her choices based on
the results of previous encryptions. The cryptanalyst makes a series of interactive queries,
choosing subsequent plaintexts based on the information from the previous encryptions.
Non-randomized (deterministic) public key encryption algorithms are vulnerable to simple
"dictionary"-type attacks, where the attacker builds a table of likely messages and their
corresponding ciphertexts. To find the decryption of some observed ciphertext, the attacker simply
looks the ciphertext up in the table. As a result, public-key definitions of security under chosenplaintext attack require probabilistic encryption (i.e., randomized encryption). Conventional
symmetric ciphers, in which the same key is used to encrypt and decrypt a text, may also be
vulnerable to other forms of chosen-plaintext attack, for example, differential cryptanalysis of block
ciphers.
An adaptive-chosen-ciphertext is the adaptive version of the above attack. A cryptanalyst can
mount an attack of this type in a scenario in which he has free use of a piece of decryption
hardware, but is unable to extract the decryption key from it.
An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosenciphertext attack in which an attacker sends a number of ciphertexts to be decrypted, then uses
the results of these decryptions to select subsequent ciphertexts. It is to be distinguished from an
indifferent chosen-ciphertext attack (CCA1).
The goal of this attack is to gradually reveal information about an encrypted message, or about the
decryption key itself. For public-key systems, adaptive-chosen-ciphertexts are generally applicable
only when they have the property of ciphertext malleability — that is, a ciphertext can be modified
in specific ways that will have a predictable effect on the decryption of that message.
A Plaintext Only Attack is simply a bogus detractor. If you have the plaintext only then there is no
need to perform any attack.
References:
RSA Laboratories FAQs about today's cryptography: What are some of the basic types of
Which of the following concerning the Rijndael block cipher algorithm is false?
A. The design of Rijndael was strongly influenced by the design of the block cipher Square. B. A total of 25 combinations of key length and block length are possible C. Both block size and key length can be extended to multiples of 64 bits. D. The cipher has a variable block length and key length.
Answer: C
Explanation:
The answer above is the correct answer because it is FALSE. Rijndael does not support multiples
of 64 bits but multiples of 32 bits in the range of 128 bits to 256 bits. Key length could be 128, 160,
192, 224, and 256.
Both block length and key length can be extended very easily to multiples of 32 bits. For a total
combination of 25 different block and key size that are possible.
The Rijndael Cipher
Rijndael is a block cipher, designed by Joan Daemen and Vincent Rijmen as a candidate
algorithm for the Advanced Encryption Standard (AES) in the United States of America. The cipher
has a variable block length and key length.
Rijndael can be implemented very efficiently on a wide range of processors and in hardware.
The design of Rijndael was strongly influenced by the design of the block cipher Square.
The Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) keys are defined to be either 128, 192, or 256 bits in
accordance with the requirements of the AES.
The number of rounds, or iterations of the main algorithm, can vary from 10 to 14 within the
Advanced Encryption Standard (AES) and is dependent on the block size and key length. 128 bits
keys uses 10 rounds or encryptions, 192 bits keys uses 12 rounds of encryption, and 256 bits keys
uses 14 rounds of encryption.
The low number of rounds has been one of the main criticisms of Rijndael, but if this ever
becomes a problem the number of rounds can easily be increased at little extra cost performance
wise by increasing the block size and key length.
Range of key and block lengths in Rijndael and AES
Rijndael and AES differ only in the range of supported values for the block length and cipher key
length.
For Rijndael, the block length and the key length can be independently specified to any multiple of
32 bits, with a minimum of 128 bits, and a maximum of 256 bits. The support for block and key
lengths 160 and 224 bits was introduced in Joan Daemen and Vincent Rijmen, AES submission
document on Rijndael, Version 2, September 1999 available at
FIPS PUB 197, Advanced Encryption Standard (AES), National Institute of Standards and
Technology, U.S. Department of Commerce, November 2001.
Question # 11
What is the name of a one way transformation of a string of characters into a usually shorter fixedlength value or key that represents the original string? Such a transformation cannot be reversed?
A. One-way hash B. DES C. Transposition D. Substitution
Answer: A
Explanation:
A cryptographic hash function is a transformation that takes an input (or 'message') and returns a
fixed-size string, which is called the hash value (sometimes termed a message digest, a digital
fingerprint, a digest or a checksum).
The ideal hash function has three main properties - it is extremely easy to calculate a hash for any
given data, it is extremely difficult or almost impossible in a practical sense to calculate a text that
has a given hash, and it is extremely unlikely that two different messages, however close, will
have the same hash.
Functions with these properties are used as hash functions for a variety of purposes, both within
and outside cryptography. Practical applications include message integrity checks, digital
signatures, authentication, and various information security applications. A hash can also act as a
concise representation of the message or document from which it was computed, and allows easy
indexing of duplicate or unique data files.
In various standards and applications, the two most commonly used hash functions are MD5 and
SHA-1. In 2005, security flaws were identified in both of these, namely that a possible
mathematical weakness might exist, indicating that a stronger hash function would be desirable. In
2007 the National Institute of Standards and Technology announced a contest to design a hash
function which will be given the name SHA-3 and be the subject of a FIPS standard.
A hash function takes a string of any length as input and produces a fixed length string which acts
as a kind of "signature" for the data provided. In this way, a person knowing the hash is unable to
work out the original message, but someone knowing the original message can prove the hash is
created from that message, and none other. A cryptographic hash function should behave as
much as possible like a random function while still being deterministic and efficiently computable.
A cryptographic hash function is considered "insecure" from a cryptographic point of view, if either
of the following is computationally feasible:
finding a (previously unseen) message that matches a given digest
finding "collisions", wherein two different messages have the same message digest.
An attacker who can do either of these things might, for example, use them to substitute an
authorized message with an unauthorized one.
Ideally, it should not even be feasible to find two messages whose digests are substantially
similar; nor would one want an attacker to be able to learn anything useful about a message given
only its digest. Of course the attacker learns at least one piece of information, the digest itself,
which for instance gives the attacker the ability to recognise the same message should it occur
again.
REFERENCES:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Pages 40-41.
What kind of Encryption technology does SSL utilize?
A. Secret or Symmetric key B. Hybrid (both Symmetric and Asymmetric) C. Public Key D. Private key
Answer: B
Explanation:
SSL use public-key cryptography to secure session key, while the session key (secret key) is used
to secure the whole session taking place between both parties communicating with each other.
The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released;
version 2.0 was released in February 1995 but "contained a number of security flaws which
ultimately led to the design of SSL version 3.0." SSL version 3.0, released in 1996, was a
complete redesign of the protocol produced by Paul Kocher working with Netscape engineers Phil
Karlton and Alan Freier.
All of the other answers are incorrect
Question # 13
The computations involved in selecting keys and in enciphering data are complex, and are notpractical for manual use. However, using mathematical properties of modular arithmetic and amethod known as "_________________," RSA is quite feasible for computer use.
A. computing in Galois fields B. computing in Gladden fields C. computing in Gallipoli fields D. computing in Galbraith fields
Answer: A
Explanation:
The computations involved in selecting keys and in enciphering data are complex, and are not
practical for manual use. However, using mathematical properties of modular arithmetic and a
method known as computing in Galois fields, RSA is quite feasible for computer use.
Source: FITES, Philip E., KRATZ, Martin P., Information Systems Security: A Practitioner's
Reference, 1993, Van Nostrand Reinhold, page 44.
Question # 14
Which of the following is true about digital certificate?
A. It is the same as digital signature proving Integrity and Authenticity of the data B. Electronic credential proving that the person the certificate was issued to is who they claim to be C. You can only get digital certificate from Verisign, RSA if you wish to prove the key belong to a specific user. D. Can't contain geography data such as country for example.
Answer: B
Explanation:
Digital certificate helps others verify that the public keys presented by users are genuine and valid.
It is a form of Electronic credential proving that the person the certificate was issued to is who they
claim to be.
The certificate is used to identify the certificate holder when conducting electronic transactions.
It is issued by a certification authority (CA). It contains the name of an organization or individual,
the business address, a serial number, expiration dates, a copy of the certificate holder's public
key (used for encrypting messages), and the digital signature of the certificate-issuing authority so
that a recipient can verify that the certificate is real. Some digital certificates conform to a
standard, X.509. Digital certificates can be kept in registries so that authenticating users can look
up other users' public keys.
Digital certificates are key to the PKI process. The digital certificate serves two roles. First, it
ensures the integrity of the public key and makes sure that the key remains unchanged and in a
valid state. Second, it validates that the public key is tied to the stated owner and that all
associated information is true and correct. The information needed to accomplish these goals is
added into the digital certificate.
A Certificate Authority (CA) is an entity trusted by one or more users as an authority in a network
that issues, revokes, and manages digital certificates.
A Registration Authority (RA) performs certificate registration services on behalf of a CA. The RA,
a single purpose server, is responsible for the accuracy of the information contained in a certificate
request. The RA is also expected to perform user validation before issuing a certificate request.
A Digital Certificate is not like same as a digital signature, they are two different things, a digital
Signature is created by using your Private key to encrypt a message digest and a Digital
Certificate is issued by a trusted third party who vouch for your identity.
There are many other third parties which are providing Digital Certifictes and not just Verisign,
RSA.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
Which of the following statements is most accurate regarding a digital signature?
A. It is a method used to encrypt confidential data. B. It is the art of transferring handwritten signature to electronic media. C. It allows the recipient of data to prove the source and integrity of data. D. It can be used as a signature system and a cryptosystem.
Answer: C
Explanation:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Question # 16
The Data Encryption Algorithm performs how many rounds of substitution and permutation?
A. 4 B. 16 C. 54 D. 64
Answer: B
Explanation:
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Question # 17
Which of the following is NOT a property of a one-way hash function?
A. It converts a message of a fixed length into a message digest of arbitrary length. B. It is computationally infeasible to construct two different messages with the same digest. C. It converts a message of arbitrary length into a message digest of a fixed length. D. Given a digest value, it is computationally infeasible to find the corresponding message.
Answer: A
Explanation:
An algorithm that turns messages or text into a fixed string of digits, usually for security or data
management purposes. The "one way" means that it's nearly impossible to derive the original text
from the string.
A one-way hash function is used to create digital signatures, which in turn identify and
authenticate the sender and message of a digitally distributed message.
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data and
returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional
change to the data will change the hash value. The data to be encoded is often called the
"message," and the hash value is sometimes called the message digest or simply digest.
The ideal cryptographic hash function has four main or significant properties:
it is easy (but not necessarily quick) to compute the hash value for any given message
it is infeasible to generate a message that has a given hash
it is infeasible to modify a message without changing the hash
it is infeasible to find two different messages with the same hash
Cryptographic hash functions have many information security applications, notably in digital
signatures, message authentication codes (MACs), and other forms of authentication. They can
also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect
duplicate data or uniquely identify files, and as checksums to detect accidental data corruption.
Indeed, in information security contexts, cryptographic hash values are sometimes called (digital)
fingerprints, checksums, or just hash values, even though all these terms stand for functions with
rather different properties and purposes.
Source:
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Which of the following can best be defined as a cryptanalysis technique in which the analyst triesto determine the key from knowledge of some plaintext-ciphertext pairs?
A. A known-plaintext attack B. A known-algorithm attack C. A chosen-ciphertext attack D. A chosen-plaintext attack
Answer: A
Explanation:
RFC2828 (Internet Security Glossary) defines a known-plaintext attack as a cryptanalysis
technique in which the analyst tries to determine the key from knowledge of some plaintextciphertext pairs (although the analyst may also have other clues, such as the knowing the
cryptographic algorithm). A chosen-ciphertext attack is defined as a cryptanalysis technique in
which the analyst tries to determine the key from knowledge of plaintext that corresponds to
ciphertext selected (i.e., dictated) by the analyst. A chosen-plaintext attack is a cryptanalysis
technique in which the analyst tries to determine the key from knowledge of ciphertext that
corresponds to plaintext selected (i.e., dictated) by the analyst. The other choice is a distracter.
The following are incorrect answers:
A chosen-plaintext attacks
The attacker has the plaintext and ciphertext, but can choose the plaintext that gets encrypted to
see the corresponding ciphertext. This gives her more power and possibly a deeper understanding
of the way the encryption process works so she can gather more information about the key being
used. Once the key is discovered, other messages encrypted with that key can be decrypted.
A chosen-ciphertext attack
In chosen-ciphertext attacks, the attacker can choose the ciphertext to be decrypted and has
access to the resulting decrypted plaintext. Again, the goal is to figure out the key. This is a harder
attack to carry out compared to the previously mentioned attacks, and the attacker may need to
have control of the system that contains the cryptosystem.
A known-algorithm attack
Knowing the algorithm does not give you much advantage without knowing the key. This is a
bogus detractor. The algorithm should be public, which is the Kerckhoffs's Principle . The only
secret should be the key.
Reference(s) used for this question:
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Which of the following can best be defined as a key distribution protocol that uses hybridencryption to convey session keys. This protocol establishes a long-term key once, and thenrequires no prior communication in order to establish or exchange keys on a session-by-sessionbasis?
A. Internet Security Association and Key Management Protocol (ISAKMP) B. Simple Key-management for Internet Protocols (SKIP) C. Diffie-Hellman Key Distribution Protocol D. IPsec Key exchange (IKE)
Answer: B
Explanation:
RFC 2828 (Internet Security Glossary) defines Simple Key Management for Internet Protocols
(SKIP) as:
A key distribution protocol that uses hybrid encryption to convey session keys that are used to
encrypt data in IP packets.
SKIP is an hybrid Key distribution protocol similar to SSL, except that it establishes a long-term
key once, and then requires no prior communication in order to establish or exchange keys on a
session-by-session basis. Therefore, no connection setup overhead exists and new keys values
are not continually generated. SKIP uses the knowledge of its own secret key or private
component and the destination's public component to calculate a unique key that can only be used
between them.
IKE stand for Internet Key Exchange, it makes use of ISAKMP and OAKLEY internally.
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in
the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509
certificates for authentication and a Diffie–Hellman key exchange to set up a shared session
secret from which cryptographic keys are derived.
The following are incorrect answers:
ISAKMP is an Internet IPsec protocol to negotiate, establish, modify, and delete security
associations, and to exchange key generation and authentication data, independent of the details
of any specific key generation technique, key establishment protocol, encryption algorithm, or
authentication mechanism.
IKE is an Internet, IPsec, key-establishment protocol (partly based on OAKLEY) that is intended
for putting in place authenticated keying material for use with ISAKMP and for other security
associations, such as in AH and ESP.
IPsec Key exchange (IKE) is only a detracto.
Reference(s) used for this question:
SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Which of the following can best define the "revocation request grace period"?
A. The period of time allotted within which the user must make a revocation request upon a revocation reason B. Minimum response time for performing a revocation by the CA C. Maximum response time for performing a revocation by the CA D. Time period between the arrival of a revocation request and the publication of the revocation information
Answer: D
Explanation:
The length of time between the Issuer’s receipt of a revocation request and the time the Issuer is
required to revoke the certificate should bear a reasonable relationship to the amount of risk the
participants are willing to assume that someone may rely on a certificate for which a proper
evocation request has been given but has not yet been acted upon.
How quickly revocation requests need to be processed (and CRLs or certificate status databases
need to be updated) depends upon the specific application for which the Policy Authority is rafting
the Certificate Policy.
A Policy Authority should recognize that there may be risk and lost tradeoffs with respect to grace
periods for revocation notices.
If the Policy Authority determines that its PKI participants are willing to accept a grace period of a
few hours in exchange for a lower implementation cost, the Certificate Policy may reflect that
decision.
Question # 22
Which of the following is defined as an Internet, IPsec, key-establishment protocol, partly based onOAKLEY, that is intended for putting in place authenticated keying material for use with ISAKMPand for other security associations?
A. Internet Key exchange (IKE) B. Security Association Authentication Protocol (SAAP) C. Simple Key-management for Internet Protocols (SKIP) D. Key Exchange Algorithm (KEA)
Answer: A
Explanation:
RFC 2828 (Internet Security Glossary) defines IKE as an Internet, IPsec, key-establishment
protocol (partly based on OAKLEY) that is intended for putting in place authenticated keying
material for use with ISAKMP and for other security associations, such as in AH and ESP.
The following are incorrect answers:
SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are
used to encrypt data in IP packets.
The Key Exchange Algorithm (KEA) is defined as a key agreement algorithm that is similar to the
Diffie-Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly
classified at the secret level by the NSA.
Security Association Authentication Protocol (SAAP) is a distracter.
Reference(s) used for this question:
SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Question # 23
Which of the following is defined as a key establishment protocol based on the Diffie-Hellmanalgorithm proposed for IPsec but superseded by IKE?
A. Diffie-Hellman Key Exchange Protocol B. Internet Security Association and Key Management Protocol (ISAKMP) C. Simple Key-management for Internet Protocols (SKIP) D. OAKLEY
Answer: D
Explanation:
RFC 2828 (Internet Security Glossary) defines OAKLEY as a key establishment protocol
(proposed for IPsec but superseded by IKE) based on the Diffie-Hellman algorithm and designed
to be a compatible component of ISAKMP.
ISAKMP is an Internet IPsec protocol to negotiate, establish, modify, and delete security
associations, and to exchange key generation and authentication data, independent of the details
of any specific key generation technique, key establishment protocol, encryption algorithm, or
authentication mechanism.
SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are
used to encrypt data in IP packets.
ISAKMP provides a framework for authentication and key exchange but does not define them.
ISAKMP is designed to be key exchange independant; that is, it is designed to support many
different key exchanges.
Oakley and SKEME each define a method to establish an authenticated key exchange. This
includes payloads construction, the information payloads carry, the order in which they are
processed and how they are used.
Oakley describes a series of key exchanges-- called modes and details the services provided by
each (e.g. perfect forward secrecy for keys, identity protection, and authentication).
SKEME describes a versatile key exchange technique which provides anonymity, repudiability,
and quick key refreshment.
RFC 2049 describes the IKE protocol using part of Oakley and part of SKEME in conjunction with
ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security
associations such as AH and ESP for the IETF IPsec DOI.
While Oakley defines "modes", ISAKMP defines "phases". The relationship between the two is
very straightforward and IKE presents different exchanges as modes which operate in one of two
phases.
Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to
communicate. This is called the ISAKMP Security Association (SA). "Main Mode" and "Aggressive
Mode" each accomplish a phase 1 exchange. "Main Mode" and "Aggressive Mode" MUST ONLY
be used in phase 1.
Phase 2 is where Security Associations are negotiated on behalf of services such as IPsec or any
other service which needs key material and/or parameter negotiation. "Quick Mode" accomplishes
a phase 2 exchange. "Quick Mode" MUST ONLY be used in phase 2.
References:
CISSP: Certified Information Systems Security Professional Study Guide By James Michael
SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
The All-in-one CISSP Exam Guide, 3rd Edition, by Shon Harris, page 674
The CISSP and CAP Prep Guide, Platinum Edition, by Krutz and Vines
Question # 24
Which of the following is an Internet IPsec protocol to negotiate, establish, modify, and deletesecurity associations, and to exchange key generation and authentication data, independent of thedetails of any specific key generation technique, key establishment protocol, encryption algorithm,or authentication mechanism?
A. OAKLEY B. Internet Security Association and Key Management Protocol (ISAKMP) C. Simple Key-management for Internet Protocols (SKIP) D. IPsec Key exchange (IKE)
Answer: B
Explanation:
RFC 2828 (Internet Security Glossary) defines the Internet Security Association and Key
Management Protocol (ISAKMP) as an Internet IPsec protocol to negotiate, establish, modify, and
delete security associations, and to exchange key generation and authentication data,
independent of the details of any specific key generation technique, key establishment protocol,
encryption algorithm, or authentication mechanism.
Let's clear up some confusion here first. Internet Key Exchange (IKE) is a hybrid protocol, it
consists of 3 "protocols"
ISAKMP: It's not a key exchange protocol per se, it's a framework on which key exchange
protocols operate. ISAKMP is part of IKE. IKE establishs the shared security policy and
authenticated keys. ISAKMP is the protocol that specifies the mechanics of the key exchange.
Oakley: Describes the "modes" of key exchange (e.g. perfect forward secrecy for keys, identity
protection, and authentication). Oakley describes a series of key exchanges and services.
SKEME: Provides support for public-key-based key exchange, key distribution centres, and
manual installation, it also outlines methods of secure and fast key refreshment.
So yes, IPSec does use IKE, but ISAKMP is part of IKE.
The questions did not ask for the actual key negotiation being done but only for the "exchange of
key generation and authentication data" being done. Under Oakly it would be Diffie Hellman (DH)
that would be used for the actual key nogotiation.
The following are incorrect answers:
Simple Key-management for Internet Protocols (SKIP) is a key distribution protocol that uses
hybrid encryption to convey session keys that are used to encrypt data in IP packets.
OAKLEY is a key establishment protocol (proposed for IPsec but superseded by IKE) based on
the Diffie-Hellman algorithm and designed to be a compatible component of ISAKMP.
IPsec Key Exchange (IKE) is an Internet, IPsec, key-establishment protocol [R2409] (partly based
on OAKLEY) that is intended for putting in place authenticated keying material for use with
ISAKMP and for other security associations, such as in AH and ESP.
Reference used for this question:
SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Question # 25
Which of the following can be best defined as computing techniques for inseparably embeddingunobtrusive marks or labels as bits in digital data and for detecting or extracting the marks later?
A. Steganography B. Digital watermarking C. Digital enveloping D. Digital signature
Answer: B
Explanation:
RFC 2828 (Internet Security Glossary) defines digital watermarking as computing techniques for
inseparably embedding unobtrusive marks or labels as bits in digital data-text, graphics, images,
video, or audio#and for detecting or extracting the marks later. The set of embedded bits (the
digital watermark) is sometimes hidden, usually imperceptible, and always intended to be
unobtrusive. It is used as a measure to protect intellectual property rights. Steganography involves
hiding the very existence of a message. A digital signature is a value computed with a
cryptographic algorithm and appended to a data object in such a way that any recipient of the data
can use the signature to verify the data's origin and integrity. A digital envelope is a combination of
encrypted data and its encryption key in an encrypted form that has been prepared for use of the
recipient.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Feedback That Matters: Reviews of Our ISC2 SSCP Dumps
Brantley JohnstonApr 19, 2026
I recently passed the ISC2 SSCP and what helped me most was drilling into the core security operations topics instead of memorizing everything. Once I understood access control models, incident response, and risk management in depth, the exam questions started making sense instead of feeling confusing.
Grayson DavisApr 18, 2026
For anyone preparing for SSCP, my advice is to focus heavily on real-world examples rather than definitions. I built small notes from my daily work experience—logging, authentication, and network security—and that alignment with practical scenarios turned out to be exactly what the exam demanded.
Preet SomanApr 18, 2026
Just cleared SSCP and couldn’t be happier with the prep approach I followed. I simulated timed practice sessions to build speed and accuracy, especially on cryptography and systems hardening. That training paid off on exam day because I didn’t get stuck overthinking questions.
Brantley Johnston
Grayson Davis
Preet Soman