ISC SSCP Exam: ISC.SSCP.v2023-01-01.q803 Dumps

Question 11

What is NOT an authentication method within IKE and IPsec?

Correct Answer: A
CHAP is not used within IPSEC or IKE. CHAP is an authentication scheme
used by Point to Point Protocol (PPP) servers to validate the identity of remote clients.
CHAP periodically verifies the identity of the client by using a three-way handshake. This
happens at the time of establishing the initial link (LCP), and may happen again at any time
afterwards. The verification is based on a shared secret (such as the client user's
password).
1. After the completion of the link establishment phase, the authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a one-way hash function on the challenge and the secret combined.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.
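The handshake above, worked through in code. This is an added example written for this page, not code from any of the cited sources; it assumes the MD5 hash and the Identifier || Secret || Challenge input layout that RFC 1994 specifies for CHAP, and the shared secret is a constructed demo value.

```python
import hashlib
import hmac
import os

# Constructed shared secret for this demo; in a real deployment it is
# provisioned out of band and is never sent over the link.
SHARED_SECRET = b"constructed-demo-secret"


def chap_response(identifier, secret, challenge):
    """Peer side: one-way hash over Identifier || Secret || Challenge.

    RFC 1994 specifies MD5 and this concatenation order. Because the hash
    is one-way, an eavesdropper on the link sees the challenge and the
    response but never the secret itself.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server (PPP authenticator) side of the three-way handshake."""

    def __init__(self, secret):
        self._secret = secret      # CHAP needs the plaintext secret here
        self._outstanding = {}     # identifier -> challenge not yet answered
        self._next_id = 0

    def send_challenge(self):
        """Step 1: issue a fresh random challenge with a one-octet identifier."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._outstanding[ident] = challenge
        return ident, challenge

    def verify(self, ident, response):
        """Step 3: recompute the hash locally and compare in constant time.

        A challenge is consumed on first use, so a response replayed against
        a different or already-answered challenge is rejected.
        """
        challenge = self._outstanding.pop(ident, None)
        if challenge is None:
            return False
        expected = chap_response(ident, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(peer_secret):
    """One full handshake; True when the authenticator accepts the peer."""
    auth = Authenticator(SHARED_SECRET)
    ident, challenge = auth.send_challenge()                  # step 1
    response = chap_response(ident, peer_secret, challenge)   # step 2
    return auth.verify(ident, response)                       # step 3


def replay_is_rejected():
    """A captured response does not survive the periodic re-challenge (step 4)."""
    auth = Authenticator(SHARED_SECRET)
    ident, challenge = auth.send_challenge()
    captured = chap_response(ident, SHARED_SECRET, challenge)
    if not auth.verify(ident, captured):       # genuine peer passes first
        return False
    ident2, _ = auth.send_challenge()          # step 4: new random challenge
    return not auth.verify(ident2, captured)   # stale response must fail


if __name__ == "__main__":
    print("correct secret accepted:", run_exchange(SHARED_SECRET))
    print("wrong secret rejected:", not run_exchange(b"guess"))
    print("replayed response rejected:", replay_is_rejected())
```

Two points the prose does not spell out: the authenticator must hold the secret in plaintext (hashed password stores cannot be used for CHAP), and the replay resistance comes entirely from the challenge being fresh and random, which is why `send_challenge` uses `os.urandom` rather than a counter.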
The following were incorrect answers:
Pre Shared Keys
In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from the shared secret, a key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in WiFi encryption such as WEP or WPA, where both the wireless access points (AP) and all clients share the same key.
The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password like 'bret13i', a passphrase like 'Idaho hung gear id gene', or a hexadecimal string like '65E4 E556 8622 EEE1'. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.
Certificate Based Authentication
The most common form of trusted authentication between parties in the wide world of Web commerce is the exchange of certificates. A certificate is a digital document that at a minimum includes a Distinguished Name (DN) and an associated public key.
The certificate is digitally signed by a trusted third party known as the Certificate Authority (CA). The CA vouches for the authenticity of the certificate holder. Each principal in the transaction presents its certificate as its credentials. The recipient then validates the certificate's signature against its cache of known and trusted CA certificates. A "personal certificate" identifies an end user in a transaction; a "server certificate" identifies the service provider.
Generally, certificate formats follow the X.509 Version 3 standard. X.509 is part of the Open Systems Interconnect (OSI) X.500 specification.
Public Key Authentication
Public key authentication is an alternative means of identifying yourself to a login server, instead of typing a password. It is more secure and more flexible, but more difficult to set up.
In conventional password authentication, you prove you are who you claim to be by proving that you know the correct password. The only way to prove you know the password is to tell the server what you think the password is. This means that if the server has been hacked or spoofed, an attacker can learn your password.
Public key authentication solves this problem. You generate a key pair, consisting of a
public key (which everybody is allowed to know) and a private key (which you keep secret
and do not give to anybody). The private key is able to generate signatures. A signature
created using your private key cannot be forged by anybody who does not have a copy of
that private key; but anybody who has your public key can verify that a particular signature
is genuine.
So you generate a key pair on your own computer, and you copy the public key to the
server. Then, when the server asks you to prove who you are, you can generate a
signature using your private key. The server can verify that signature (since it has your
public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker
does not gain your private key or password; they only gain one signature. And signatures
cannot be re-used, so they have gained nothing.
There is a problem with this: if your private key is stored unprotected on your own
computer, then anybody who gains access to your computer will be able to generate
signatures as if they were you. So they will be able to log in to your server under your
account. For this reason, your private key is usually encrypted when it is stored on your
local machine, using a passphrase of your choice. In order to generate a signature, you
must decrypt the key, so you have to type your passphrase.
References:
RFC 2409: The Internet Key Exchange (IKE)
DORASWAMY, Naganand & HARKINS, Dan, IPsec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, 1999, Prentice Hall PTR
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 467
http://en.wikipedia.org/wiki/Pre-shared_key
http://www.home.umk.pl/~mgw/LDAP/RS.C4.JUN.97.pdf
http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.1

Question 12

CORRECT TEXT
Public keys are used for ___________ messages and private keys are used for __________ messages.

Correct Answer:
decrypting

Question 13

A prolonged complete loss of electric power is a:

Correct Answer: B
Explanation/Reference:
A prolonged power outage is a blackout.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 3rd Edition, McGraw-Hill/Osborne, 2005, page 368.

Question 14

Which of the following can best be defined as a cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs?

Correct Answer: A
Section: Cryptography
Explanation/Reference:
RFC2828 (Internet Security Glossary) defines a known-plaintext attack as a cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs (although the analyst may also have other clues, such as knowing the cryptographic algorithm). A chosen-ciphertext attack is defined as a cryptanalysis technique in which the analyst tries to determine the key from knowledge of plaintext that corresponds to ciphertext selected (i.e., dictated) by the analyst. A chosen-plaintext attack is a cryptanalysis technique in which the analyst tries to determine the key from knowledge of ciphertext that corresponds to plaintext selected (i.e., dictated) by the analyst. The other choice is a distracter.
The following are incorrect answers:
A chosen-plaintext attack
The attacker has the plaintext and ciphertext, but can choose the plaintext that gets encrypted to see the corresponding ciphertext. This gives her more power and possibly a deeper understanding of the way the encryption process works so she can gather more information about the key being used. Once the key is discovered, other messages encrypted with that key can be decrypted.
A chosen-ciphertext attack
In chosen-ciphertext attacks, the attacker can choose the ciphertext to be decrypted and has access to the resulting decrypted plaintext. Again, the goal is to figure out the key. This is a harder attack to carry out compared to the previously mentioned attacks, and the attacker may need to have control of the system that contains the cryptosystem.
A known-algorithm attack
Knowing the algorithm does not give you much advantage without knowing the key. This is a bogus distractor.
The algorithm should be public, which is Kerckhoffs's Principle. The only secret should be the key.
Reference(s) used for this question:
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 866). McGraw-Hill. Kindle Edition.
and
Kerckhoffs's Principle

Question 15

Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects is part of:

Correct Answer: D
Section: Risk, Response and Recovery
Explanation/Reference:
These are core functions of the incident response process.
"Incident Evaluation" is incorrect. Evaluation of the extent and cause of the incident is a component of the incident response process.
"Incident Recognition" is incorrect. Recognition that an incident has occurred is the precursor to the initiation of the incident response process.
"Incident Protection" is incorrect. This is an almost-right-sounding nonsense answer to distract the unwary.
References
CBK, pp. 698 - 703