CAS-005 · Question #196
CAS-005 Question #196: Real Exam Question with Answer & Explanation
The correct answer is B: Removing support for CBC-based key exchange and signing AIgorithms. Removing support for CBC-based key exchange and signing algorithms: Cipher suites using CBC (Cipher Block Chaining) are vulnerable to attacks like BEAST. Removing these weak cipher suites eliminates this potential for on-path decryption attacks. Adding TLS_ECDHE_ECDSA_WITH_AES_25
Question
A vulnerability scan on a web server identified the following: Which of the following actions would most likely eliminate on-path decryption attacks? (Choose two.)
Options
- ADisallowing cipher suites that use ephemeral modes of operation for key agreement
- BRemoving support for CBC-based key exchange and signing AIgorithms
- CAdding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256
- DImplementing HIPS rules to identify and block BEAST attack attempts
- ERestricting cipher suites to only allow TLS_RSA_WITH_AES_128_CBC_SHA
- FIncreasing the key length to 256 for TLS_RSA_WITH_AES_128_CBC_SHA
Explanation
Removing support for CBC-based key exchange and signing algorithms: Cipher suites using CBC (Cipher Block Chaining) are vulnerable to attacks like BEAST. Removing these weak cipher suites eliminates this potential for on-path decryption attacks. Adding TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA256: This cipher suite uses ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for key exchange, providing forward secrecy and better protection against on-path decryption attacks compared to static RSA-based cipher suites.
Community Discussion
No community discussion yet for this question.