Most Asked API Security Interview Questions & Answers (All About Testing, Tue, 17 Nov 2020)

The post Most Asked API Security Interview Questions & Answers first appeared on All About Testing.

In this blog, we list out the most asked API security interview questions and answers.

Q1. List out Critical API Security Risks.

Ans: The ten most critical risks, as listed in the OWASP API Security Top 10 (2019 edition):

  1. Broken Object Level Authorization
  2. Broken User Authentication
  3. Excessive Data Exposure
  4. Lack of Resources & Rate Limiting
  5. Broken Function Level Authorization
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging & Monitoring

Q2. What types of security issues come under the category of Injection?

Ans: All types of web injection flaws, such as SQL, NoSQL, and OS command injection, fall under the Injection category for APIs. As with web applications, the attacker supplies untrusted data that the interpreter executes as part of a command or query, giving access to unauthorized data or functionality.

Q3. What are the methods available to prevent Injection flaws of API?

Ans: Methods to mitigate the risk of injection flaws while implementing an API:

  • Validate all client-supplied input against a strict definition (type, length, format, range) and accept only permissible values.
  • Prefer a safe API that avoids the interpreter entirely or provides a parameterized interface (prepared statements, ORM bindings).
  • Escape user-provided special characters using the syntax of the target interpreter when they cannot be avoided.
  • Limit the number of records a query may return, so a successful injection cannot mass-dump data.
  • Rate-limit and monitor requests so that automated injection probing is slowed down and detected.
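
To make the first two points concrete, here is an added example (not code from the original post) that contrasts a string-built SQL query with a parameterised one against an in-memory SQLite table. The table, its rows and the attack payload are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table standing in for an API's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the interpreter never sees user input as SQL syntax."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(value, max_len=32):
    """Allow-list validation applied before the data layer is ever reached."""
    return isinstance(value, str) and 0 < len(value) <= max_len and value.isalnum()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # closes the literal and appends a tautology
    print(lookup_vulnerable(db, payload))   # every row comes back
    print(lookup_safe(db, payload))         # no row matches the literal string
    print(is_valid_username(payload))       # False: rejected before reaching SQL
```

The parameterised form is the fix; the validation function is the defence-in-depth layer the first bullet describes, and it also gives you a clean place to log rejected input for the monitoring controls discussed later.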

Q4. What types of security issues come under the category of Broken User Authentication?

Ans: Authentication mechanisms that are implemented incorrectly or insecurely fall under Broken User Authentication. Examples: allowing weak passwords; accepting unsigned or weakly signed JWTs (for example a token with alg=none, or one signed with a guessable HMAC secret); using weak encryption or signing keys; no technique to mitigate brute-force attacks (lockout, rate limiting, CAPTCHA); and passing auth tokens or passwords in the URL, where they end up in server logs, browser history and Referer headers.
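
As an added example of the unsigned/weakly signed JWT point (this is not code from the original post; it assumes a server that issues HS256 tokens under a server-side secret), the verifier below pins the expected algorithm server-side and therefore rejects the alg=none forgery that a lenient library would accept, as well as any token whose body was swapped or whose signature was made with another key.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """What the issuing server does: sign header.body with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if the token carries a valid HS256 signature.

    The algorithm is pinned here, never read from the header as something to
    trust: alg=none and every other algorithm are rejected outright.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + body_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # compare_digest is constant-time; an empty signature simply fails to match
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def forge_alg_none(token: str) -> str:
    """What an attacker sends: same claims, header alg=none, empty signature."""
    _, body_b64, _ = token.split(".")
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + body_b64 + "."
```

In an interview the follow-up is usually "what else would you check": expiry (exp), issuer/audience claims, and that the secret is long and random rather than a dictionary word that hashcat can recover from a single captured token.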


Q5. What is Mass Assignment security risk?

Ans: Mass assignment occurs when an API binds client-supplied input directly onto internal object properties without filtering, so a user can modify fields the application never intended to expose. For example, an e-commerce API lets a customer change their delivery address; if the same update call also accepts a wallet_balance or is_admin field from the request body, an attacker can change values that only an administrator should be able to set.

Q6. List out mitigation techniques of Mass Assignment.

Ans: Mitigation follows least privilege: define an explicit allow list of the properties a given user may update (schema-based validation), never bind request bodies directly onto internal objects, use the framework's built-in features to block sensitive properties, and enforce the check server-side rather than relying on what the client form shows.
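
The allow-list approach, as an added example (not from the original post). The user record and the attacker's payload are constructed; the function names are ours.

```python
# Constructed user record standing in for an e-commerce account document.
SAMPLE_USER = {
    "id": 42,
    "email": "alice@example.com",
    "shipping_address": "1 Main St",
    "wallet_balance": 10.0,
    "is_admin": False,
}

# Server-side allow list: the only fields a regular user may change about themselves.
USER_EDITABLE = frozenset({"email", "shipping_address"})


def update_vulnerable(user: dict, payload: dict) -> dict:
    """Binds every client-supplied key straight onto the record (mass assignment)."""
    updated = dict(user)
    updated.update(payload)
    return updated


def update_safe(user: dict, payload: dict, allowed=USER_EDITABLE):
    """Copies only allow-listed fields and reports the rest so they can be logged.

    Returns (updated_record, rejected_field_names).
    """
    updated = dict(user)
    rejected = sorted(k for k in payload if k not in allowed)
    for key in payload:
        if key in allowed:
            updated[key] = payload[key]
    return updated, rejected


if __name__ == "__main__":
    attack = {"shipping_address": "2 Elm St", "wallet_balance": 1e6, "is_admin": True}
    print(update_vulnerable(SAMPLE_USER, attack))   # attacker is now a rich admin
    print(update_safe(SAMPLE_USER, attack))         # only the address changes
```

Logging the rejected field names is worth doing: a request that tries to set is_admin is a strong signal for the monitoring controls discussed in Q8 and Q10.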

Q7. What type of security issues comes under security misconfigurations?

Ans: This category is similar to security misconfiguration in web applications. Possible issues that fall under it:

  • Transport Layer Security (TLS) not implemented, or implemented with obsolete versions or weak ciphers
  • Missing security headers
  • Missing or overly permissive Cross-Origin Resource Sharing (CORS) policy
  • Latest security patches not applied
  • Error messages that disclose excessive information (stack traces, internal paths, framework versions)
  • Lack of security hardening (unnecessary HTTP methods enabled, default accounts, debug features left on)

Q8. List out security issues related to Insufficient Logging & Monitoring.

Ans:

  • Log integrity is not protected, so an attacker can alter or delete the evidence of an intrusion
  • Logs are not monitored continuously or reviewed periodically
  • Logs are not available at all, or lack the detail needed to reconstruct an incident
  • The API-related infrastructure is not monitored


Q9. What is Improper Assets Management?

Ans: This category addresses APIs that are not inventoried and managed over their lifecycle: old versions (for example /v1 still reachable beside /v2) left running unpatched, undocumented or debug endpoints, and missing documentation of which hosts, versions and environments are exposed in production.

Q10. How can we mitigate the risks of Insufficient Logging & Monitoring?

Ans: The following logging and monitoring controls must be in place:

  • Log all failed authentication attempts, denied access requests and input validation failures.
  • Use a consistent, structured log format with enough detail (timestamp, source IP, user, endpoint, result) to identify the attacker; never log secrets or tokens.
  • Ship logs to a central log server so they survive compromise of the API host.
  • Back up logs periodically and retain them long enough for investigation.
  • Treat logs as sensitive data and protect their integrity.
  • Continuously monitor the infrastructure, network and API functioning, with alerting on suspicious activity.
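
As an added example of what monitoring those logs looks like in practice (not from the original post; the log format and every entry below are constructed for the demonstration), this script parses authentication log lines and raises an alert when one source IP accumulates five or more failed logins inside a sliding 60-second window, reporting how many distinct accounts it tried. Many accounts from one IP is the credential-stuffing pattern; the same account many times is plain brute force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an API gateway auth log (not from any real system).
SAMPLE_LOG = """\
2020-11-17T19:04:01Z status=401 user=alice ip=203.0.113.5 path=/v1/login
2020-11-17T19:04:03Z status=401 user=bob ip=203.0.113.5 path=/v1/login
2020-11-17T19:04:05Z status=401 user=carol ip=203.0.113.5 path=/v1/login
2020-11-17T19:04:07Z status=401 user=dave ip=203.0.113.5 path=/v1/login
2020-11-17T19:04:09Z status=401 user=erin ip=203.0.113.5 path=/v1/login
2020-11-17T19:04:30Z status=200 user=alice ip=198.51.100.7 path=/v1/login
2020-11-17T19:10:00Z status=401 user=alice ip=198.51.100.7 path=/v1/login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) status=(?P<status>\d{3}) user=(?P<user>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (count those in production)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def detect_auth_abuse(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (ip, failures_in_window, distinct_users) for each
    source IP that reaches `threshold` failed logins within `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["status"] == 401:
            failures[ev["ip"]].append(ev)

    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {e["user"] for e in events[start:end + 1]}
                alerts.append((ip, end - start + 1, len(users)))
                break  # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for ip, n, users in detect_auth_abuse(SAMPLE_LOG):
        print("ALERT %s: %d failed logins across %d accounts" % (ip, n, users))
```

In a real deployment this logic lives in the SIEM or log pipeline rather than a script, but the detection rule (failures per source over a window, plus distinct-account fan-out) is the same.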

Q11. What tools are required to test the security of a web API?

Ans: Postman (for crafting requests and building collections) and Fiddler (for intercepting and modifying traffic) are both used to check web API vulnerabilities. An intercepting proxy such as Burp Suite or OWASP ZAP fills the same role and adds active scanning.

IoT Security Interview Questions & Answers (All About Testing, Tue, 10 Nov 2020)

The post IoT Security Interview Questions & Answers first appeared on All About Testing.

This blog lists some interview questions on the security of the Internet of Things (IoT). Currently, many standards are available to assess and test IoT devices.

Q. List out the OWASP IoT Top 10 (2018) vulnerabilities.

Ans: Below is the OWASP IoT Top 10 list:

  1. Weak, Guessable, or Hardcoded Passwords
  2. Insecure Network Services
  3. Insecure Ecosystem Interfaces
  4. Lack of Secure Update Mechanism
  5. Use of Insecure or Outdated Components
  6. Insufficient Privacy Protection
  7. Insecure Data Transfer and Storage
  8. Lack of Device Management
  9. Insecure Default Settings
  10. Lack of Physical Hardening

Q. How is the most prevalent vulnerability, weak, guessable, or hardcoded passwords, found and exploited?

Ans: While configuring IoT devices, administrators and users tend not to change the default or easily guessable password, for convenience. Many IoT devices also ship with hardcoded or undocumented root accounts that act as backdoors.

Most attacks happen because the default password was never changed; published lists of vendor default credentials make this trivial to try at scale.

If no account lockout or rate limiting is implemented, attackers can also easily brute force the password of the IoT device.

Q. What type of issues comes under Insecure Ecosystem Interfaces?

Ans: Any vulnerable web, mobile, cloud or API interface in the ecosystem around the device falls under insecure ecosystem interfaces. Issues found under this category include:

  • Missing or weak authentication when accessing sensitive data
  • Server certificates not validated by the device (enabling man-in-the-middle attacks)
  • Security updates not installed on the backend components
  • Leaked API keys

Q. What are the possible test cases of the secure update mechanism of IoT devices?

Ans: Possible test cases for the update mechanism of IoT devices:

  • Check that the device validates the firmware (signature check) before installing it
  • Check for an anti-rollback mechanism that prevents downgrading to an older, vulnerable version
  • Check whether the firmware is delivered over an encrypted channel
  • Check the updated firmware itself for vulnerabilities
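
The first two test cases, as an added example that is not from the original post. The image layout (4-byte version, payload, 32-byte tag) is an assumption made for the demonstration, not any vendor's format, and the authentication tag is an HMAC under a device-provisioned key only so the example runs with the standard library; a real device verifies an asymmetric signature, so the signing key never exists on the device. The test cases map onto the two checks in verify_image: authenticity first, then version against the installed one.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Assemble an update image: version || payload || tag(version || payload)."""
    body = struct.pack(">I", version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, key: bytes, installed_version: int):
    """Return (ok, reason, version).

    Authenticity is checked before the version field is even parsed, so an
    attacker cannot influence the rollback decision with an unauthenticated
    header. The version check then refuses anything not newer than installed.
    """
    if len(image) < 4 + TAG_LEN:
        return False, "truncated image", None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed", None
    version = struct.unpack(">I", body[:4])[0]
    if version <= installed_version:
        return False, "rollback to %d refused (installed %d)" % (version, installed_version), version
    return True, "ok", version


if __name__ == "__main__":
    key = b"device-provisioned-key"          # constructed for the demo
    installed = 4
    for label, img in [
        ("newer", build_image(5, b"firmware v5", key)),
        ("older", build_image(3, b"firmware v3", key)),
        ("tampered", build_image(5, b"firmware v5", key)[:6] + b"X" + build_image(5, b"firmware v5", key)[7:]),
    ]:
        print(label, verify_image(img, key, installed))
```

When testing a real device, the tampered case is the one that most often passes: the firmware is checked with a CRC or a hash with no key behind it, which detects corruption but not a deliberate modification.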

Q. What are the possible attacks on IoT devices?

Ans: Possible attacks on IoT devices:

Physical attacks: possible only after the physical security of the device is compromised. Attackers tamper with the device and extract components, data and code residing on it (for example by dumping flash memory or using exposed debug ports).

Network attacks: Distributed Denial of Service (DDoS) is one type of network attack. It starves the device of resources; compromised IoT devices are also commonly recruited into botnets that launch DDoS attacks against other targets.

Cloning: the attacker clones the device (for example via RFID attacks, possible because of poor authentication) and substitutes the clone for the genuine device.

Encryption attacks: the attacker uses side-channel attacks (timing, power or electromagnetic analysis) to extract the keys of the cryptographic algorithms.

Q. What are the activities involved in the security testing of IoT products?

Ans: List of activities involved in security testing of IoT products:

  • Threat modeling of IoT product
  • Firmware security
  • Review of encryption used in IoT product
  • Code review
  • Privacy review
  • Protocol fuzzing
  • Network traffic analysis
  • API Testing
  • Penetration testing

Q. List out some tools used for IoT security.

Ans: Tools used for IoT security, grouped by purpose:

  • Wired and wireless testing: multimeter, Wireshark, flash dumper, network bridging, Ubertooth, split-port adapters, BLE sniffer, HackRF, JTAGulator
  • Firmware testing: Binwalk, IDA Pro, Binary Ninja, firmware emulators (QEMU)
  • Network-related vulnerabilities: Wireshark, Bettercap, tshark
  • Network and web application testing: Nmap, Masscan, Nessus, Metasploit, IBM AppScan, Netsparker, Burp Suite, ZAP Proxy, SQLMap

Q. Is API Testing required in the testing of IoT devices?

Ans: APIs (Application Programming Interfaces) are used to interconnect IoT devices with each other and with their backend services. Like any other technology, APIs have vulnerabilities, so if APIs are used in the IoT ecosystem a security assessment is very much required.

As per OWASP, the API Security Top 10 (2019) is:

  • Broken Object Level Authorization
  • Broken User Authentication
  • Excessive Data Exposure
  • Lack of Resources & Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection
  • Improper Assets Management
  • Insufficient Logging & Monitoring

Advanced Cryptography Interview Questions (All About Testing, Fri, 16 Feb 2018)

The post Advanced Cryptography Interview Questions first appeared on All About Testing.

Cryptography plays a critical role in securing assets in the digital space. This blog lists interview questions and answers that may be asked when interviewing for a cyber security role.

Q. What is Blowfish in the field of cryptography?

Ans: Blowfish is a symmetric-key block cipher with a 64-bit block size and a key length from 32 to 448 bits. It was designed in 1993 by Bruce Schneier as a drop-in replacement for DES. No practical break of the cipher itself is known, but its 64-bit block size makes it vulnerable to birthday attacks (SWEET32) once roughly 32 GB of data has been encrypted under one key, so AES or Twofish is preferred for new designs.

Q. What is Skipjack in the field of cryptography?

Ans: Skipjack is a block cipher designed by the NSA (originally for the Clipper chip) that uses an 80-bit key to encrypt or decrypt 64-bit blocks.

Q. What is Twofish in the field of cryptography?

Ans: Twofish is a symmetric-key block cipher with a 128-bit block size and key lengths of 128, 192 or 256 bits. It was designed by Bruce Schneier's team as the successor to Blowfish and was one of the five AES finalists.

Q. What is the Diffie-Hellman Algorithm?

Ans: The Diffie-Hellman key exchange lets two parties agree on a shared secret over a public channel without ever transmitting the secret itself. Classic Diffie-Hellman relies on the difficulty of the discrete logarithm problem in a finite field (modular exponentiation with a large prime); Elliptic Curve Diffie-Hellman (ECDH) is the variant that uses elliptic curves over finite fields and achieves the same security with much shorter keys. On its own the exchange is unauthenticated, so it must be combined with signatures or certificates to resist man-in-the-middle attacks.
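
The finite-field exchange, as an added example that is not from the original post. The group parameters here are a toy chosen so the example is self-contained: p = 2^127 - 1 (a Mersenne prime) and g = 3; production code uses a standardised group from RFC 3526 or RFC 7919 with p of at least 2048 bits. The derived key is a hash of the shared element rather than the element itself, and degenerate peer values (0, 1, p-1) are rejected.

```python
import hashlib
import secrets

# Toy group for illustration only (see lead-in); not for production use.
P = 2**127 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Private exponent in [1, p-2] and the public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared_key(their_public: int, my_private: int, p=P) -> bytes:
    """Derive a 32-byte key from the peer's public value and our private exponent."""
    if not 1 < their_public < p - 1:
        # 0, 1 and p-1 force the shared secret into a tiny set of values
        raise ValueError("invalid peer public value")
    shared = pow(their_public, my_private, p)
    # Never use the raw group element as a key: hash it to a fixed-size key.
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()


def dh_exchange(p=P, g=G):
    """Run one complete exchange and return both sides' derived keys."""
    a, A = dh_keypair(p, g)   # Alice keeps a, sends A
    b, B = dh_keypair(p, g)   # Bob keeps b, sends B
    return dh_shared_key(B, a, p), dh_shared_key(A, b, p)


if __name__ == "__main__":
    k_alice, k_bob = dh_exchange()
    print(k_alice.hex())
    print("agree:", k_alice == k_bob)
```

Note what the example does not do: nothing ties A or B to Alice or Bob, so an attacker in the middle can run two exchanges, one with each party, and read everything. That is why TLS signs the exchange with the server's certificate key.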

Q. What are Public and Private keys in the field of Cryptography?

Ans: A public key and a private key form a key pair generated by an asymmetric algorithm. The public key can be shared with anyone and is used to encrypt data or verify signatures; the private key is kept secret by its owner and is used to decrypt data or create signatures. The two are mathematically linked, but the private key cannot feasibly be derived from the public key.

Q. What is the importance of the Key Length of Encryption Algorithm?

Ans: Key length determines the size of the key space an attacker must search by brute force; each extra bit doubles the work. It is only one factor, though: strength also depends on the algorithm's design, and the same nominal length means different things for different algorithms (a 256-bit elliptic-curve key offers security comparable to a 3072-bit RSA key).

Q. What key lengths are used for RSA, DSA, and Elliptic Curve Cryptography?

Ans:

  • RSA: 2048 bits is the common minimum today; 3072 and 4096 bits are widely used. The algorithm itself has no hard maximum, 4096 is simply the largest size in everyday use.
  • DSA: FIPS 186-4 specifies 1024, 2048 and 3072-bit keys; 1024 is no longer acceptable.
  • Elliptic Curve Cryptography: 256 bits (P-256) is the most common; 384 (P-384) and 521 (P-521) are the larger NIST curves.

Q. Explain the concept of Hash Functions.

Ans: A hash function maps data of arbitrary length to a fixed-size value (the hash value or digest). A cryptographic hash must be one-way (preimage resistant) and collision resistant, and any change to the input produces an unpredictably different digest; this is what makes hashes useful for checking the integrity of data, for digital signatures and for password storage.

Q. What is Public Key Infrastructure (PKI)?

Ans: A Public Key Infrastructure (PKI) is the set of roles, policies and systems for generating, issuing, distributing, storing and revoking digital certificates (including Digital Signature Certificates). It binds public keys to the identities of their owners through a trusted Certificate Authority (CA).

Q. List out some Cryptographic Attacks.

Ans: Some cryptographic attacks:

  • Birthday attack (finding hash collisions in roughly 2^(n/2) work for an n-bit hash)
  • Collision and preimage attacks on hash functions (practical collisions exist for MD5 and SHA-1)
  • Rainbow table attacks on unsalted password hashes
  • Side-channel attacks (timing, power analysis, cache behaviour)


Q. What are the common applications of cryptography to secure networking?

Ans:

  • Secure communication
  • Authentication of identity
  • Password storage
  • Integrity of transmitted data (detecting tampering in transit)

Q. What is WPA encryption?

Ans: Wi-Fi Protected Access (WPA) is a security standard introduced in 2003 to secure wireless networks. WPA replaced Wired Equivalent Privacy (WEP), offering better user authentication and key management. WPA uses the Temporal Key Integrity Protocol (TKIP) to secure wireless traffic. WPA is now obsolete: WPA2 provides stronger encryption (AES-CCMP), and WPA3 is the current standard.

Additional Questions

  1. How are digital signatures generated and verified?
  2. What is SAFER in the field of cryptography?
  3. What is a One-time Pad?
  4. What is a Birthday Attack?
  5. What is the Secure Hash Algorithm?
  6. What are Message Authentication Codes (MACs)?
  7. How do digital timestamps support digital signatures?
  8. Is using private key encryption to verify identity a weakness?
  9. Can hash length extension attacks be avoided by changing the data structure?
  10. Is it possible to send encrypted data over an unencrypted network while hiding the fact that it is encrypted?
  11. How does password-based encryption work?
  12. Is SHA-256 + salt still safe for password storage?
  13. What are the privacy advantages of a DNS encryption service such as DNSCrypt?
  14. Why can't hashes be reversed?
  15. How can you encrypt email messages?
  16. Can I slow down a brute force attack by encoding password input data?
  17. How does a Digital Signature Certificate (DSC) work?
  18. What are the different classes of Digital Signature Certificates?
  19. What is an electronic document?

Cryptography Interview Questions & Answers (All About Testing, Tue, 14 Nov 2017)

The post Cryptography Interview Questions & Answers first appeared on All About Testing.

Cryptography is a hot topic for security professionals nowadays. It is what secures digital data from adversaries. Here we discuss interview questions and answers on cryptography that may be asked in your job interview.

Q1. What is Cryptography?

Ans: Cryptography is the practice of protecting information while it is transmitted, stored and processed, using mathematical algorithms and keys so that only authorized parties can read or modify it.

Q2. What is the goal of Cryptography?

Ans: The goals of cryptography are confidentiality, integrity, authentication and non-repudiation of sensitive data flowing through and stored in an IT system. (Availability, the third leg of the CIA triad, is not provided by cryptography itself.)

Q3. What is the importance of Cryptography?

Ans: As we move towards the digital economy, cryptography plays a crucial role in securing your digital assets from hackers by encrypting them.

Q4. What are Ciphers?

Ans: A cipher is an algorithm for encrypting and decrypting data: under a key it transforms readable plaintext into unreadable ciphertext, and back again.

Q5. What are the different types of Ciphers?

Ans: I am listing some ciphers below:

  • Mono-alphabetic Ciphers
  • Polyalphabetic Ciphers
  • Transpositions and Grills
  • Steganography
  • Codes
  • Voice Scramblers
  • Modern Ciphers

Q6. What is RSA in the field of Cryptography?

Ans: RSA (Rivest–Shamir–Adleman) is an asymmetric cryptographic algorithm whose security rests on the difficulty of factoring large integers. It uses a key pair: the private key is held only by its owner, and the corresponding public key is distributed to everyone else. Data encrypted with the public key can be decrypted only with the private key (encryption), and a value produced with the private key can be verified by anyone holding the public key (digital signatures).

Q7. How fast is RSA?

Ans: RSA is asymmetric, so it is much slower than symmetric ciphers such as DES or AES. In software, DES is roughly 100 times faster than RSA, which is why RSA is normally used only to exchange or wrap a symmetric key while the bulk data is encrypted symmetrically (hybrid encryption).

Q8. What is the major difference between the Symmetric and Asymmetric Key Algorithm?

Ans: A symmetric-key algorithm uses the same secret key for encryption and decryption, so both parties must share it beforehand; an asymmetric-key algorithm uses a key pair (public and private), so the encryption key can be published and only the private key must stay secret.

Q9. What are Transposition Ciphers?

Ans: A transposition cipher rearranges the letters of the original message according to a key, producing unreadable text without changing the letters themselves (a substitution cipher, by contrast, replaces the letters).

Q10. What are the advantages of the Symmetric Key Algorithm?

Ans: The main advantage of symmetric-key algorithms is speed compared with asymmetric algorithms; they also need much shorter keys for the same security level. Their security rests entirely on the secrecy of the shared key, so their main drawback is key distribution: the key must reach every party over a secure channel.

Q11. What is a Running Key Cipher?

Ans: A running key cipher is also called a book cipher. The key is a passage of text as long as the message, taken from a book or other document that both sender and receiver have agreed on (same edition, chapter and page), and it is used to encrypt and decrypt the message.

Q12. What is Block Cipher?

Ans: A block cipher encrypts data in fixed-size blocks (for example 64 or 128 bits) rather than one bit or byte at a time, transforming each block under the key. AES, DES, 3DES, Blowfish and Twofish are block ciphers. A mode of operation (CBC, CTR, GCM, etc.) is needed to handle messages longer than one block.

Q13. What is Stream Cipher?

Ans: A stream cipher encrypts or decrypts a message one bit or byte at a time by combining it (usually with XOR) with a pseudorandom keystream generated from the key. RC4 (now broken) and ChaCha20 are examples.

Q14. List out different types of encryption algorithms.

Ans: Many cryptographic algorithms are available to secure data. Some encryption algorithms:

  • DES/3DES
  • Blowfish
  • Twofish
  • AES
  • RSA

(MD5 is often listed alongside these, but it is a hash function, not an encryption algorithm.)

Q15. List down some Hashing Algorithms.

Ans: Hashing algorithms convert data of any length into fixed-size hash values. Some hash algorithm families:

  • Message Digest (MD5; broken, do not use for security)
  • Secure Hash Algorithm (SHA-1, now deprecated; SHA-2 and SHA-3)
  • RIPEMD
  • Whirlpool

Q16. What is the Data Encryption Standard (DES)?

Ans: DES (Data Encryption Standard) is a symmetric-key block cipher that encrypts 64-bit blocks with a 56-bit key (64 bits including parity bits), using the same key to encrypt and decrypt. Its key is short enough to brute force, so DES is obsolete.

Q17. What is Triple DES (3DES)?

Ans: Triple DES applies DES three times with three 56-bit keys (168 bits nominal; about 112 bits of effective security because of meet-in-the-middle attacks). It is stronger than DES but slow and, like DES, limited to 64-bit blocks; NIST has deprecated it in favour of AES.

Q18. What is the International Data Encryption Algorithm (IDEA)?

Ans: International Data Encryption Algorithm (IDEA) algorithm is a symmetric-key block cipher that operates on 64-bit blocks using a 128-bit key.

Q19. What is the Cryptographic Life Cycle?

Ans: The cryptographic life cycle is the idea that every algorithm and key length has a finite useful lifespan. As computing power grows and cryptanalysis improves, keys that were once safe become brute-forceable and algorithms are broken. Security professionals track these lifecycles and plan migrations (for example DES to AES, SHA-1 to SHA-2) before an organization is exposed.

Q20. What is the Advanced Encryption Standard (AES)?

Ans: Advanced Encryption Standard (AES) is a symmetric-key block cipher standardized by NIST (FIPS 197) in 2001. It encrypts 128-bit blocks with 128, 192 or 256-bit keys and is the default choice for symmetric encryption today.

Q21. Which boolean logical operator plays a critical role in cryptography?

Ans: XOR (exclusive OR). Applying the same key twice cancels out (a XOR k XOR k = a), which is why XOR combines plaintext with the keystream in stream ciphers and one-time pads and appears inside block ciphers and hash functions. It is also used to generate parity bits for error checking and fault tolerance.

Q22. What is a One-Time Pad?

Ans: The One-Time Pad encrypts a message by XORing it with a truly random secret key exactly as long as the message. Provided the key is random, kept secret and used only once, the scheme is provably unbreakable; reusing the pad destroys its security completely.
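
An added example covering both Q21 and Q22 (not code from the original post): XOR as the pad operation, and what goes wrong when the pad is reused. The two messages are constructed for the demonstration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(length: int) -> bytes:
    """A pad must come from a cryptographic RNG and be used once."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)   # decryption is the same operation


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 == m1 XOR m2: the key cancels."""
    return xor_bytes(ct1, ct2)


def recover_second_message(ct1: bytes, ct2: bytes, known_m1: bytes) -> bytes:
    """Knowing (or guessing) one plaintext then reveals the other outright."""
    return xor_bytes(two_time_pad_leak(ct1, ct2), known_m1)


# Constructed demo messages, equal length so one pad fits both.
M1 = b"attack at dawn!!"
M2 = b"retreat at dusk!"

if __name__ == "__main__":
    pad = fresh_pad(len(M1))
    c1 = otp_encrypt(M1, pad)
    c2 = otp_encrypt(M2, pad)          # the mistake: same pad twice
    print(otp_encrypt(c1, pad))        # b'attack at dawn!!'
    print(recover_second_message(c1, c2, M1))   # b'retreat at dusk!' with no key at all
```

The same failure applies to any stream cipher whose key and nonce are reused, which is why nonce management, not the XOR itself, is where real implementations go wrong.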

Q23. What is ECB mode?

Ans: ECB stands for Electronic Codebook. It is the simplest mode of operation of a block cipher: each plaintext block is encrypted independently to produce one ciphertext block. Because identical plaintext blocks always produce identical ciphertext blocks, ECB leaks the structure of the data and should not be used; an authenticated mode such as AES-GCM is the usual replacement.
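
That identical-block property is also how a tester recognises ECB from ciphertext alone. As an added example (not from the original post), the detector below counts repeated 16-byte blocks; the two ciphertext samples are constructed stand-ins, one with a repeated block as an ECB-encrypted image with a uniform region would show, one without.

```python
from collections import Counter


def count_repeated_blocks(ciphertext: bytes, block_size: int = 16) -> int:
    """Number of block positions whose value has already appeared earlier.

    Under ECB, identical plaintext blocks yield identical ciphertext blocks, so
    any repeat is a strong ECB indicator; under a sound mode with a unique
    IV/nonce, a repeated 128-bit block is vanishingly unlikely.
    """
    blocks = [ciphertext[i:i + block_size] for i in range(0, len(ciphertext), block_size)]
    counts = Counter(blocks)
    return sum(c - 1 for c in counts.values() if c > 1)


def looks_like_ecb(ciphertext: bytes, block_size: int = 16) -> bool:
    return count_repeated_blocks(ciphertext, block_size) > 0


def most_likely_ecb(candidates, block_size: int = 16) -> int:
    """Index of the candidate with the most repeated blocks (classic CTF task)."""
    scores = [count_repeated_blocks(c, block_size) for c in candidates]
    return max(range(len(candidates)), key=scores.__getitem__)


# Constructed samples: ECB_LIKE repeats one block three times; RANDOM_LIKE has four distinct blocks.
ECB_LIKE = (bytes.fromhex("00112233445566778899aabbccddeeff") * 3
            + bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"))
RANDOM_LIKE = bytes(range(64))

if __name__ == "__main__":
    print(count_repeated_blocks(ECB_LIKE), looks_like_ecb(RANDOM_LIKE))
    print(most_likely_ecb([RANDOM_LIKE, ECB_LIKE]))
```

To use it against a real application, submit a plaintext that is at least three blocks of the same byte (for example 48 bytes of "A") and check whether the returned ciphertext contains repeats.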

Q24. What are MACs?

Ans: MAC stands for Message Authentication Code. A MAC is a short tag computed over a message with a shared secret key; the receiver recomputes it to verify both that the data is intact and that it came from a holder of the key. HMAC is the common hash-based construction.

Q25. How do passwords store securely on the server?

Ans: Passwords should never be stored in plaintext or as a fast, unsalted hash. Use a slow, salted password-hashing function such as bcrypt (or scrypt, Argon2, or PBKDF2 with a high iteration count), so that every guess is expensive and identical passwords produce different stored values. MD5 is strongly discouraged for password storage: it is fast and rainbow-table friendly.

Interview Questions & Answers | Information Security (All About Testing, Tue, 07 Nov 2017)

The post Interview Questions & Answers | Information Security first appeared on All About Testing.

Information Security is one of the fastest-growing fields in the IT sector, and the skills it demands keep expanding. In this article, we list the interview questions and answers generally asked for an information security role.

Q1. Explain what is the role of an information security analyst.

Ans: As an information security analyst, you perform many tasks to secure an organization against cyber attacks. Some of them:

  • Conducting regular Vulnerability Assessment (VA) and Penetration Testing (PT) of the IT infrastructure
  • Preparing the plan to secure the organization's assets
  • Keeping deployed software patched and updated
  • Implementing IDS/IPS in the network to monitor traffic
  • Recommending purchases of security infrastructure such as firewalls, load balancers, antivirus, etc.
  • Analyzing the root cause of past security breaches
  • Conducting security awareness training sessions for employees
  • Suggesting tools and techniques to enhance the organization's security
  • Conducting security audits
  • Creating security policies for the organization
  • Planning and implementing recovery of organization data in case of a disaster

Q2. Mention what is data leakage. What are the factors that can cause data leakage?

Ans: In simple terms, data leakage is the availability of confidential data to unauthorized persons. It can have many causes: a breach by an attacker, security misconfiguration of servers, backups stored in a less secure place, a logic flaw in a web application that exposes data, or an insider sending data out by email or removable media.

Q3. List out the steps to successful data loss prevention controls.

Ans: Some data loss prevention controls. The list is not exhaustive, but it gives a clear idea of the possible steps:

  • Create an information risk profile for every class of data stored in the data center
  • Create an impact severity and response chart that helps the organization categorize data
  • Based on severity, prioritize how breach incidents are handled
  • Assign and document the roles and responsibilities of the network administrator, incident analyst, auditor, and forensic investigator
  • Implement the data loss prevention controls (content inspection at endpoints, email and web gateways)
  • Monitor and review the results of the deployed controls weekly or monthly, based on criticality

Q4. Explain what is the 80/20 rule of networking.

Ans: The 80/20 rule is a traditional guideline for designing IP networks: about 80% of traffic should stay within the local segment and only about 20% should be routed to a remote network. It applies mostly to small and medium-sized network environments; with cloud and centralized services the ratio is often reversed today.

Q5. What personal measures should you take to protect data?

Ans: To protect data on your personal computer:

  • Always use genuine software
  • Install antivirus/anti-spyware
  • Never share your password with anyone
  • If possible, always encrypt your personal data
  • Ensure the operating system is updated with security patches
  • Back up your data regularly

Q6. What is WEP cracking? 

Ans: WEP (Wired Equivalent Privacy) is an early security algorithm for wireless networks. WEP cracking is the recovery of the WEP key by exploiting its design weaknesses: it uses RC4 with a 24-bit initialization vector that repeats quickly, so an attacker who captures enough frames can statistically recover the key (the FMS and PTW attacks, automated by tools such as aircrack-ng) and then read or inject traffic on the network.

Q7. Explain what is phishing. How can it be prevented?

Ans: Phishing is a technique to trick users into submitting confidential information, such as passwords and credit card numbers, on fake web pages that imitate legitimate ones, usually reached through a deceptive email or message.

Prevention:

  • Check the URL and certificate and interact only with the legitimate site; be wary of links in unsolicited messages
  • Never open an attachment from an unknown sender
  • Never email your financial information
  • Use multi-factor authentication, so a phished password alone is not enough

Q8. Mention what are web server vulnerabilities.

Ans: Common web server vulnerabilities:

  • Default settings
  • Default username and password
  • Security patches not installed regularly
  • Misconfiguration
  • Vulnerabilities in the operating system

Q9. List the techniques used to prevent web server attacks.

Ans: Techniques used to prevent web server attacks:

  • Secure installation and configuration of the OS
  • Secure installation and configuration of the web server software
  • Regular vulnerability scanning of the system
  • Disabling remote administration
  • Removing unused and default accounts
  • Changing default ports and settings to custom ones
  • Anti-virus and firewalls

Q10. Which certifications are useful for security analysts?

Ans:

GIAC Security Essentials (GSEC): good for systems security administration.

GIAC Security Leadership (GSLC): enhances knowledge of how to lead a security team.

CISSP: good for mid-level management in information security.

GIAC Certified Forensic Analyst (GCFA): builds skills to collect and analyze data from Windows and Linux computer systems.

GIAC Certified Firewall Analyst (GCFW): builds skills in configuring routers, firewalls, and perimeter defense systems.

Offensive Security Certified Professional (OSCP): concentrates on the deep technical knowledge required for penetration testing.

Q11. What is the goal of information security within an organization?

Ans: The goal of Information Security is to address the CIA triad. CIA stands for Confidentiality, Integrity, and Availability.
Confidentiality: It limits access to information. It is implemented by Encryption, Access control, and other security measures.
Integrity: It is the assurance that the information is not altered. It is implemented by using Hashing, Digital signatures, Certificates, and Non-repudiation.
Availability: It is a guarantee of reliable access to information by authorized people. It is implemented by creating redundancy (like a DR site) and fault tolerance.

Q12. How would you harden user authentication?

Ans: By using multi-factor authentication. Two-factor authentication combines "something you have" (a hardware token or authenticator app) with "something you know" (a password), so a stolen password alone is not enough. Alongside it, enforce a strong password policy, lock out or rate-limit repeated failed attempts, and handle sessions securely.

Q13. What are the steps to secure a server?

Ans: Steps to secure a server:

  1. Use SSH key-based authentication and disable password login.
  2. Apply patches and run regular vulnerability assessments on servers, routers, firewalls, and other network devices.
  3. Implement VPNs and private networking to create secure connections between remote computers and servers.
  4. Use Public Key Infrastructure and SSL/TLS encryption for services exposed on the network.
  5. Service auditing: know which services are running, which ports they listen on, and which protocols they accept, so the firewall can be configured to allow only what is needed.
  6. File auditing and Intrusion Detection Systems: file auditing compares the current system against a known-good record of its files to detect tampering, and an Intrusion Detection System (IDS) monitors a system or network for unauthorized activity.

Q14. List out some important encryption techniques.

Ans: Encryption techniques are:

  1. Triple DES
  2. RSA
  3. Blowfish
  4. Twofish
  5. AES

Q15. How do you determine a vulnerability’s severity?

Ans: Link severity to business risk. If a vulnerability is not actually exploitable but fixing it takes little effort, fix it anyway. Otherwise assess the risk to the business: if exploitation could hurt the business (data loss, downtime, regulatory impact), severity is high, and vice versa. A scoring framework such as CVSS gives a consistent technical baseline to start from.

Q16. How do you find security flaws in source code – manual analysis, automated tools, or both? 

Ans: It is very difficult to analyze thousands of lines of source code without automated tools, but tools miss logic flaws and produce false positives. Security analysts therefore generally use both: automated static analysis to cover the whole code base, followed by manual review of the findings and of the security-critical areas (authentication, authorization, input handling, cryptography).

Q17. List the top 10 Web security vulnerabilities as per OWASP.

Ans: OWASP Top 10:2021 List

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server Side Request Forgery (SSRF)

Q18. What is DDoS and what tools are used for DDoS attacks?

Ans: DDoS stands for Distributed Denial of Service. It is a form of DoS attack in which many compromised systems (a botnet) flood the servers hosting an application until their resources are exhausted. Tools used for DDoS include LOIC, Hyenae, HULK, etc.

Q19. What’s more secure, SSL, or TLS?

Ans: SSL and TLS are both cryptographic protocols that provide authentication and data encryption between servers, machines, and applications operating over a network. TLS is the successor of SSL; all SSL versions and TLS 1.0/1.1 are now deprecated, so TLS is the more secure of the two.

SSL v3.0: exploited by the POODLE attack and now obsolete. Must not be used.

TLS v1.3: the newest TLS version and the most secure. It removes legacy ciphers and only allows AEAD cipher suites, uses only forward-secret key exchange, and encrypts more of the handshake.

Q20. What is DNS monitoring?

Ans: DNS monitoring uses network monitoring tools to test connectivity between your authoritative name servers and local recursive servers.
DNS monitoring allows you to test that:

  • Your DNS server correctly resolves the hostname (URL) you have provided to the expected IPs.
  • The hostname you have provided is correctly resolved to the expected IPs by the common DNS server you specified.
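The two checks listed above, written as an added Go example that is not part of the original post: a resolver abstraction (system resolver or one specific server), and a comparison of the observed answer set against the expected addresses that reports extra and missing records. The hostname, addresses and the fake resolver in `main` are constructed sample values.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sort"
	"time"
)

// Resolver abstracts name resolution so the same check can run against the
// system resolver, one specific DNS server, or a fake in tests.
type Resolver func(host string) ([]string, error)

// SystemResolver queries whatever resolver the host is configured to use,
// with a timeout so a hung DNS server cannot hang the monitor.
func SystemResolver(timeout time.Duration) Resolver {
	return func(host string) ([]string, error) {
		ctx, cancel := context.WithTimeout(context.Background(), timeout)
		defer cancel()
		return net.DefaultResolver.LookupHost(ctx, host)
	}
}

// ServerResolver sends queries to one specific server (for example an
// authoritative server or a local recursive server, given as "ip:port").
func ServerResolver(server string, timeout time.Duration) Resolver {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: timeout}
			return d.DialContext(ctx, network, server)
		},
	}
	return func(host string) ([]string, error) {
		ctx, cancel := context.WithTimeout(context.Background(), timeout)
		defer cancel()
		return r.LookupHost(ctx, host)
	}
}

// Result describes one monitoring check.
type Result struct {
	Host       string
	Expected   []string
	Observed   []string
	Match      bool     // observed set equals expected set
	Unexpected []string // answers not on the expected list (stale zone or tampering)
	Missing    []string // expected answers the server did not return
}

// CheckResolution resolves host with the given resolver and compares the
// answer set with the expected addresses, ignoring order.
func CheckResolution(host string, expected []string, resolve Resolver) (Result, error) {
	observed, err := resolve(host)
	if err != nil {
		return Result{Host: host, Expected: expected}, fmt.Errorf("resolving %s: %w", host, err)
	}
	want := make(map[string]bool, len(expected))
	for _, ip := range expected {
		want[ip] = true
	}
	got := make(map[string]bool, len(observed))
	res := Result{Host: host, Expected: expected, Observed: observed}
	for _, ip := range observed {
		got[ip] = true
		if !want[ip] {
			res.Unexpected = append(res.Unexpected, ip)
		}
	}
	for _, ip := range expected {
		if !got[ip] {
			res.Missing = append(res.Missing, ip)
		}
	}
	sort.Strings(res.Unexpected)
	sort.Strings(res.Missing)
	res.Match = len(res.Unexpected) == 0 && len(res.Missing) == 0
	return res, nil
}

func main() {
	// Constructed sample: a fake resolver standing in for a live server.
	fake := func(host string) ([]string, error) {
		return []string{"203.0.113.10", "203.0.113.99"}, nil
	}
	res, err := CheckResolution("www.example.test", []string{"203.0.113.10", "203.0.113.11"}, fake)
	fmt.Printf("%+v err=%v\n", res, err)
	// Against a real server: replace fake with ServerResolver("<ns-ip>:53", 3*time.Second)
	// or SystemResolver(3*time.Second).
}
```

Running the same check once through `SystemResolver` and once through `ServerResolver` pointed at each authoritative server gives exactly the two comparisons the answer describes; a non-empty `Unexpected` list is the signal worth alerting on.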

The post Interview Questions & Answers | Information Security first appeared on All About Testing.

Interview Questions: Digital Signature Certificate (DSC) | PKI (All About Testing, Tue, 07 Nov 2017) https://allabouttesting.org/interview-questions-digital-certificate-pki/

Nowadays, digital signature certificates serve as the safeguard of authentication and integrity over an untrusted network. Here, we will discuss interview questions and answers on digital signature concepts.

Q1. What is a Digital Signature Certificate (DSC)?

Ans: A Digital Signature Certificate (DSC) is the electronic equivalent of a physical signature. It proves your identity, much like an ID card, and authenticates you. It is also used to access information or services on the internet. In other words, a DSC is a method to validate the authenticity and integrity of electronic messages or data.

Q2. How does a Digital Signature Certificate (DSC) work?

Ans: We can understand this with the help of an example. Assume Tom wants to send an electronic document to Eric digitally. Both Tom and Eric have acquired digital signatures. A digital signature has two attributes related to the subscriber: a public key and a private key. First, both share their public keys with each other. Now, Tom encrypts the message with his private key and sends it to Eric. On receiving it, Eric uses Tom's shared public key to decrypt the message, which assures him of the integrity of the message. In this way, Tom is able to exchange messages securely by using a DSC.

Q3. What is an electronic document?

Ans: An electronic document is any data that needs a computer to access, interpret, and process it. It can be an image, a drawing, or any other message that needs a computing system.

Q4. What is the difference between Electronic Signature and a Digital Signature?

Ans: An electronic signature is similar to your physical signature in digitized form, produced by attaching a sound or symbol to the document. A digital signature is the more secure form, which assures confidentiality, integrity, authentication, and non-repudiation.

Q5. What are the different classes of Digital Signature Certificates?

Ans: Different classes of Digital Signature Certificates:

Class 1 Certificate: These certificates are issued to individuals or private subscribers. The Certifying Authority assures that the subscriber's user name (or alias) and e-mail address are consistent with consumer databases.

Class 2 Certificate: These certificates are issued for both business personnel and private individuals' use. The Certifying Authority assures that the information in the application provided by the subscriber is consistent with the information in consumer databases.

Class 3 Certificate: This certificate is issued to individuals as well as organizations. As these are high-assurance certificates, the Certifying Authority issues them only after the subscriber appears physically before it, and assures that the information in the application provided by the subscriber is consistent with the information in consumer databases.

Q6. How is Digital Signature Validated and Secured?

Ans: A digital signature is mainly used to assure the authentication and integrity of received data. If data is encrypted using the public key, it can be decrypted using the private key, and vice versa. In this way, the digital signature is validated, and it ensures authentication, confidentiality, integrity, and non-repudiation.
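The Tom and Eric exchange from Q2 and the validation described in Q6, carried out with real signature primitives, as an added Go example that is not part of the original post. In practice the private key signs a hash of the document rather than encrypting the document itself, and the recipient verifies that signature with the sender's public key; the example uses ECDSA over P-256 with SHA-256 (a scheme chosen for the example, not one the post names), and the contract text in `main` is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateSignerKeys creates a subscriber's key pair. The private key never
// leaves its owner; only the public key is shared with the other party.
func GenerateSignerKeys() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the document with SHA-256 and signs the digest with the private
// key. The document itself is not encrypted: it travels in the clear together
// with the signature.
func Sign(priv *ecdsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest of the document as received and checks the
// signature with the sender's public key. True means the document was signed
// by the holder of the matching private key (authentication) and has not been
// changed since (integrity).
func Verify(pub *ecdsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], signature)
}

// Exchange plays out the Tom/Eric scenario: Tom signs document, and Eric
// verifies whatever arrived (received) against Tom's public key.
func Exchange(tom *ecdsa.PrivateKey, document, received []byte) (bool, error) {
	signature, err := Sign(tom, document)
	if err != nil {
		return false, err
	}
	return Verify(&tom.PublicKey, received, signature), nil
}

func main() {
	tom, err := GenerateSignerKeys()
	if err != nil {
		panic(err)
	}
	doc := []byte("Contract v1: Tom agrees to deliver 10 units") // constructed sample
	ok, _ := Exchange(tom, doc, doc)
	altered, _ := Exchange(tom, doc, []byte("Contract v1: Tom agrees to deliver 100 units"))
	fmt.Println("unmodified document verifies:", ok)   // true
	fmt.Println("altered document verifies:", altered) // false
}
```

Because verification needs only the public key, anyone holding it can check the signature, which is what lets a signature support non-repudiation: only the private-key holder could have produced it. A signature from a different key pair fails verification just as a modified document does.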

Q7. What is the Certificate Revocation List (CRL)?

Ans: A Certificate Revocation List (CRL) is a list, issued by a Certifying Authority (CA), of the digital certificates it has revoked before their scheduled expiry date. Certificates that appear in this list should no longer be trusted.

Q8. What does X.509 refer to as it relates to digital certificates?

Ans: X.509 is a standard that defines the format of public key certificates. TLS/SSL uses the same standard for its certificates.

Q9. How are Certifying Authorities susceptible to attack?

Ans: Although it is very difficult to attack Certifying Authorities, there are still some ways, as mentioned below:

  • Finding out the private keys of CAs by reverse engineering the device
  • If CAs use short-length keys, they are susceptible to attack.

Q10. Can a digital signature be forged?

Ans: It is very difficult to forge a digital signature. Highly complex algorithms are implemented, which makes it nearly impossible to forge the signature.

Q11. What is a one-time signature scheme?

Ans: In cryptography, a one-time signature scheme is a method for creating a digital signature. This type of signature can be built from any cryptographically secure one-way function and is generally used to sign a single message.
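A concrete one-time signature scheme built from a one-way function, as an added Go example that is not part of the original post: the Lamport construction, with SHA-256 as the one-way function. The private key is 256 pairs of random secrets, the public key is their hashes, and a signature reveals one secret per bit of the message digest; the `OneTimeSigner` wrapper enforces the single-use rule the answer mentions. The message in `main` is a constructed sample.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const bits = 256 // one secret pair per bit of the SHA-256 message digest

// LamportPrivateKey holds 256 pairs of random 32-byte secrets; pair i is used
// for bit i of the digest, element 0 for a 0 bit and element 1 for a 1 bit.
type LamportPrivateKey [bits][2][32]byte

// LamportPublicKey holds the SHA-256 hash (the one-way function) of each secret.
type LamportPublicKey [bits][2][32]byte

// LamportSignature reveals exactly one secret per digest bit.
type LamportSignature [bits][32]byte

// GenerateLamport draws the secrets and publishes their hashes.
func GenerateLamport() (*LamportPrivateKey, *LamportPublicKey, error) {
	priv, pub := new(LamportPrivateKey), new(LamportPublicKey)
	for i := 0; i < bits; i++ {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(priv[i][b][:]); err != nil {
				return nil, nil, err
			}
			pub[i][b] = sha256.Sum256(priv[i][b][:])
		}
	}
	return priv, pub, nil
}

// digestBit returns bit i (most significant bit first) of a 32-byte digest.
func digestBit(d [32]byte, i int) int {
	return int(d[i/8]>>(7-uint(i%8))) & 1
}

// VerifyLamport hashes each revealed secret and compares it with the public
// key entry selected by the corresponding digest bit.
func VerifyLamport(pub *LamportPublicKey, msg []byte, sig *LamportSignature) bool {
	d := sha256.Sum256(msg)
	ok := 1
	for i := 0; i < bits; i++ {
		h := sha256.Sum256(sig[i][:])
		ok &= subtle.ConstantTimeCompare(h[:], pub[i][digestBit(d, i)][:])
	}
	return ok == 1
}

// OneTimeSigner wraps a private key and enforces the single-use rule: every
// signature reveals half of the secrets, so the key must sign only once.
type OneTimeSigner struct {
	priv *LamportPrivateKey
	used bool
}

func NewOneTimeSigner(priv *LamportPrivateKey) *OneTimeSigner {
	return &OneTimeSigner{priv: priv}
}

// Sign signs one message, then wipes the key so it cannot be reused.
func (s *OneTimeSigner) Sign(msg []byte) (*LamportSignature, error) {
	if s.used {
		return nil, errors.New("one-time key already used; generate a fresh key pair")
	}
	s.used = true
	d := sha256.Sum256(msg)
	sig := new(LamportSignature)
	for i := 0; i < bits; i++ {
		sig[i] = s.priv[i][digestBit(d, i)]
	}
	*s.priv = LamportPrivateKey{} // wipe the secrets
	return sig, nil
}

func main() {
	priv, pub, err := GenerateLamport()
	if err != nil {
		panic(err)
	}
	signer := NewOneTimeSigner(priv)
	msg := []byte("constructed sample message")
	sig, _ := signer.Sign(msg)
	fmt.Println("valid:", VerifyLamport(pub, msg, sig))                   // true
	fmt.Println("tampered:", VerifyLamport(pub, []byte("tampered"), sig)) // false
	_, err = signer.Sign([]byte("another message"))
	fmt.Println("second use:", err)
}
```

Keys and signatures are large (16 KiB public key, 8 KiB signature), which is why such schemes are used to sign a single message or as the leaves of a hash-tree construction rather than as general-purpose signatures.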

Q12. What is an Undeniable Signature Scheme?

Ans: Undeniable signature schemes, also called non-self-authenticating signature schemes, are schemes in which signatures can only be verified with the consent of the signer.

Q13. What are the types of Certificates issued by CAs?

Ans: As per X.509 Certificate Policy PKI published by the Controller of Certifying Authorities, there are five types of certificates:

  • Signature Certificate
  • Encryption Certificate
  • SSL Server Certificate
  • Code Signing Certificate
  • Document Signer Certificate

The post Interview Questions: Digital Signature Certificate (DSC) | PKI first appeared on All About Testing.
