Module 6: Secure Coding Practices for Cryptography

 





1. Which of the following constitutes the .NET Framework?

A. ASP.NET Applications
B. CLR
C. Framework Class Library
D. Windows Services

The Common Language Runtime (CLR) is the virtual machine component of Microsoft's .NET framework and is responsible for managing the execution of .NET programs. 

It provides a language-neutral development and execution environment, allowing developers to write code using any supported .NET language and have it execute in the same manner. 

The CLR also provides services such as memory management, type safety, exception handling, garbage collection, security, and thread management.


2. Which encryption algorithm should we use in the decryption attribute of the settings to enhance the level of security?

A. DES
B. 3DES
C. AES
D. None of them

Option A is INCORRECT because DES (Data Encryption Standard) is an older encryption algorithm that has known vulnerabilities and has been deemed not secure for most applications.

Option B is INCORRECT because 3DES (Triple Data Encryption Standard), while stronger than DES, is still considered outdated and relatively less secure compared to modern encryption algorithms.

Option C is CORRECT because AES (Advanced Encryption Standard) is currently the most widely used and accepted symmetric encryption standard and is considered very secure for protecting sensitive data.

3. Which object is not part of the symmetric algorithms?

A. DSA
B. AES
C. DES
D. Rijndael

Option A is CORRECT because DSA stands for Digital Signature Algorithm. It is not a symmetric encryption algorithm; it is an asymmetric-key algorithm used for digital signatures.





4. Which cipher mode creates the ciphertext by breaking the plaintext into blocks of the same size and encrypting each block independently?

A. ECB
B. CBC
C. OFB
D. CFB


It is recommended to use CBC instead of ECB: with ECB the same plaintext block always produces the same ciphertext block, so the output is predictable and deterministic.
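The following is an added example (not from the original notes) that makes the ECB problem visible in .NET's System.Security.Cryptography: a constructed plaintext of four identical 16-byte blocks is encrypted under AES in ECB and in CBC mode, and the number of distinct ciphertext blocks is counted. The key and IV are generated randomly for the demo; only the block-mode behaviour matters.

```csharp
// Added example: identical plaintext blocks stay identical under ECB, but not under CBC.
using System;
using System.Linq;
using System.Security.Cryptography;

static class EcbVsCbcDemo
{
    // Encrypts the plaintext with AES in the given mode and returns the ciphertext.
    static byte[] Encrypt(byte[] key, byte[] iv, byte[] plaintext, CipherMode mode)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.IV = iv;                      // ignored by ECB, required by CBC
        aes.Mode = mode;
        aes.Padding = PaddingMode.PKCS7;  // adds a full padding block to a 64-byte input
        using var encryptor = aes.CreateEncryptor();
        return encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Splits the ciphertext into 16-byte blocks and counts how many are distinct.
    static int DistinctBlocks(byte[] ciphertext)
    {
        return Enumerable.Range(0, ciphertext.Length / 16)
            .Select(i => Convert.ToHexString(ciphertext, i * 16, 16))
            .Distinct()
            .Count();
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256 key (random for the demo)
        byte[] iv  = RandomNumberGenerator.GetBytes(16);

        // Constructed plaintext: the same 16-byte block repeated four times (64 bytes).
        byte[] block = System.Text.Encoding.ASCII.GetBytes("SAME-16-BYTE-BLK");
        byte[] plaintext = Enumerable.Repeat(block, 4).SelectMany(b => b).ToArray();

        byte[] ecb = Encrypt(key, iv, plaintext, CipherMode.ECB);
        byte[] cbc = Encrypt(key, iv, plaintext, CipherMode.CBC);

        // ECB: the four repeated blocks encrypt to one repeated ciphertext block,
        // plus one different block for the PKCS#7 padding -> 2 distinct of 5.
        Console.WriteLine($"ECB distinct blocks: {DistinctBlocks(ecb)} of {ecb.Length / 16}");
        // CBC: every block is chained to the previous ciphertext block -> 5 distinct of 5.
        Console.WriteLine($"CBC distinct blocks: {DistinctBlocks(cbc)} of {cbc.Length / 16}");
    }
}
```

The repeated ciphertext block under ECB is exactly the pattern an observer can use to recognise repeated content without knowing the key, which is why CBC (with a random IV) or an authenticated mode is preferred.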





5. Which is the most reliable model of padding?

A. Zero Padding
B. PKCS#7 Padding
C. ISO10126 Padding
D. ANSIX923 Padding

PKCS#7 padding is a padding scheme used with symmetric block ciphers to add extra bytes to a message before it is encrypted. It is a secure form of padding that is resistant to attacks such as chosen-plaintext attacks.

It is also known as "block cipher padding" because it pads a block of data out to a specific length before it is encrypted.

PKCS#7 padding is the most reliable model of padding because it is the most secure and resistant to attack. It is also the most widely used form of padding, making it the most reliable choice for encryption.










6. Which class provides keyless symmetric encryption?

A. Rijndael
B. AES
C. 3DES
D. DPAPI

Option D is CORRECT because DPAPI (Data Protection API) is a set of cryptography services provided by Windows. It provides keyless encryption, as the keys are automatically generated, managed and disposed of by the operating system.







7. Which of the following statements is correct about Managed Code?

A. Managed code is the code that runs on top of Windows.
B. Managed code is the code that is written to target the services of the CLR.
C. Managed code is the code where resources are Garbage Collected.
D. Managed code is the code that is compiled by the JIT compilers.

Option A is INCORRECT because managed code does not run on top of Windows. It runs inside the framework provided by Common Language Runtime (CLR), which is a component of the .NET ecosystem irrespective of the operating system.

Option B is CORRECT because managed code is indeed code written to target the services of the CLR. This code is directly managed by the CLR via .NET Framework library and can take advantage of services like security, memory management, and exception handling.

Option C is INCORRECT because while it's true that resources used by managed code are garbage collected, this is just one of the features provided by CLR and does not wholly define what managed code is.

Option D is INCORRECT because while managed code is indeed compiled by JIT (Just-In-Time) compilers, it's not the only defining characteristic of managed code. The fundamental aspect is that it targets the CLR.

8. Which scenario is most appropriate for using asymmetric encryption?

A. Encrypting all user passwords in a database
B. Securely exchanging keys over an unsecured network
C. Bulk encryption of large files for data at rest
D. Performing quick encryption of data in transit for a real-time application

B. The most typical use of asymmetric encryption (such as RSA) is securely exchanging keys over an insecure network, for example when an SSL/TLS session is being established.

A. User passwords are normally hashed rather than encrypted; if they are encrypted at all, symmetric encryption is used, not asymmetric.
C. Bulk file encryption normally uses symmetric encryption (such as AES), because asymmetric encryption is slow and unsuitable for large amounts of data.
D. Real-time transmission needs to be fast, so symmetric encryption is normally used (for example, HTTPS switches to symmetric encryption for the data transfer once the key exchange is complete).

9. What role do digital certificates play in network security?

A. They indicate the memory capacity required to store cryptographic keys.
B. They are used exclusively to encrypt data at rest.
C. They establish a secure channel for transferring symmetric keys.
D. They authenticate the identity of parties and enable secure data exchanges.


D. The main function of a digital certificate (such as an SSL/TLS certificate) is to authenticate the identity of both parties and to establish a secure channel for data exchange.

A. Certificates have nothing to do with memory capacity; the purpose of a digital certificate is identity authentication and secure communication, not calculating memory size.
B. The main use of a certificate is authentication and establishing a secure connection, not simply encrypting data at rest. Data at rest is normally encrypted with symmetric encryption.
C. Partly correct but incomplete. A certificate is used to verify identity; only then can its public key be used to set up an encrypted connection and exchange a symmetric key. The emphasis of the certificate itself is authenticating identity, not just key exchange.


The main uses of a digital certificate are:
✅ Authenticating identity (proving you are who you say you are)
✅ Establishing a secure connection (such as HTTPS)
✅ Protecting data transmission (a key is exchanged under encryption, then symmetric encryption is used for high-speed transfer)
Certificates are normally issued by a Certificate Authority (CA), which vouches for the certificate's legitimacy.

"The certificate verifies identity, then the data travels securely."
"Authenticate first (Certificate), then encrypt the transmission (Secure Channel)."

10. What should be considered when implementing encryption in an application?

A. Encryption should only be used for non-sensitive data
B. The choice of encryption algorithm and key size should be appropriate for the data sensitivity
C. Using a single encryption key for all data and applications
D. Avoiding encryption to improve performance







11. What role does encryption play in securing applications?

A. Slowing down the application to deter attackers
B. Preventing users from accessing the application
C. Securing data in transit and at rest from unauthorized access
D. Reducing the functionality of the application for security


12. What is the purpose of a digital signature in cryptography?

A. To ensure that a message or document is not altered in transit
B. To increase the speed of encrypted data transmission
C. To provide a symmetric key for data encryption
D. To encrypt data in a way that only the sender can decrypt it

B. A digital signature is not meant to improve transmission speed; speed has nothing to do with signing.
C. A symmetric key is used to encrypt and decrypt data; that is not the function of a digital signature.
D. Encrypting data provides confidentiality, whereas a signature mainly ensures integrity and verifies the origin; it does not encrypt or decrypt anything.

"A signature guards against tampering; it is not for encryption."
"It verifies the source of the data (proves it really came from a particular person or system)."
"Sign with the private key, verify with the public key."

13. Which of the following is true about cryptographic hash functions?

A. They are reversible
B. They can be used for secure password storage
C. They ensure data integrity and non-repudiation only
D. They can encrypt user data in a way that allows decryption



B. Hashes are commonly used to store passwords securely, for example SHA-256 combined with a salt.
A. Hashes are irreversible: the original data cannot be recovered from the output.
C. Hashes mainly ensure integrity; they do not directly provide non-repudiation, which is the job of digital signatures.
D. Hashes are irreversible and cannot be decrypted.

14. What are the primary characteristics of a secure hashing function? (Select two)

A. It produces the same output length regardless of the input size.
B. It allows the original input to be easily derived from the hash output.
C. It is computationally infeasible to find two different inputs that produce the same output.
D. It enables the hash to be decrypted back to the original message when necessary.

A. The output length is fixed regardless of the input size (for example, SHA-256 always produces 256 bits).
C. Collision resistance is an essential property of a secure hash.



15. What is a characteristic of symmetric encryption?

A. It uses different keys for encryption and decryption.
B. It is generally slower than asymmetric encryption for the same key size.
C. It requires the sharing of a secret key between the sender and receiver.
D. It is primarily used for establishing secure communication channels, not for encryption of data at rest.

C. Symmetric encryption shares a single secret key, which must be delivered securely.
A. Symmetric encryption uses the same key for encryption and decryption.
B. Symmetric encryption is usually much faster than asymmetric encryption.
D. Symmetric encryption is very commonly used to encrypt data at rest.

16. When using asymmetric encryption, what is a key security practice?

A. Distributing the private key widely to ensure it can be accessed when needed
B. Using the public key for decryption and the private key for encryption
C. Protecting the private key with strong access controls and not exposing it unnecessarily
D. Encrypting all data, regardless of sensitivity, with the public key to ensure confidentiality

C. Protecting the private key is the core of asymmetric encryption.

A. The private key must be strictly protected and must never be handed out casually.
B. Normally the public key encrypts and the private key decrypts; for digital signatures it is the reverse.
D. Not all data needs asymmetric encryption, because it is inefficient and resource-intensive.


17. Which are considered best practices when implementing symmetric encryption? (Select two)

A. Reusing encryption keys across different applications to reduce complexity
B. Encrypting data at rest using industry-standard algorithms like AES
C. Storing encryption keys hard-coded within the application's source code
D. Regularly rotating encryption keys and using secure key management systems

B. Encrypting data at rest with industry-standard algorithms such as AES is the correct practice.
D. Rotating keys regularly and using a secure key management system (KMS) is a standard security policy.




18. Which namespace in .NET provides cryptographic services?

A. System.Security.Cryptography
B. System.Cryptography
C. System.Security.Encryption
D. System.Encryption





19. Which practice is recommended for securing cryptographic keys?

A. Storing keys openly in the database
B. Hardcoding keys into the application code
C. Using a secure key vault or hardware security module
D. Sharing keys via email with team members

20. Which method enhances security in storing user credentials?

A. Storing passwords in unencrypted format
B. Using salted hashes for storing passwords
C. Implementing a single sign-on with no additional security
D. Using common passwords for all users



