A security analyst must ensure that the company’s web server will not negotiate weak ciphers with
connecting web browsers. Which of the following supported list of ciphers MUST the security
analyst disable? (Select THREE)
A.
SHA
B.
AES
C.
RIPMED
D.
NULL
E.
DES
F.
MD5
G.
TWOFISH
I am skeptical about the three answers of this question are all correct.
A. SHA is definitely need disable.
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
B. AES is what our government is currently using. It means it is safe and enabled.
C. The RACE Integrity Primitives Evaluation Message Digest (RIPEMD) algorithm was based on MD4. There were questions regarding its security, and it has been replaced by RIPEMD-160, which uses 160 bits. The original RIPEMD was structured as a variation on MD4; actually two MD4 instances in parallel, exchanging data elements at some places. RIPEMD was somewhat less efficient than MD5. Also, since it is based on MD4, there were some concerns that it shared some of the weaknesses of MD4.
I think it must be one of the disabled option. At least, it is weaker than MD5.
D. NULL
https://en.wikipedia.org/wiki/Null_cipher
E. DES, Data Encryption Standard is based on a 56-bit key and has several modes that offer security and integrity. It is now considered insecure because of the small key size. It must be disabled.
F. MD5 is a hash function not a block cipher. It is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. It biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use.
Although it is not recommend to use, it is still considered better than RIPEMD.
G. TWOFISH is quite similar as Blowfish and works on 128-bit blocks.
The BEST answers are disable SHA, RIPEMD, and DES (A, C, E), not SHA, DES, and MD5 (A, E, F) because MD5 is more safe than RIPEMD.
https://en.wikipedia.org/wiki/Comparison_of_cryptographic_hash_functions
0
0
Buddy. RIPEMD is kind of replacement for SHA but for European countries. Because they never trust something that NSA invented that’s why they created their own and it’s same as secure as SHA. Not to mention that we have RIPEMD 128, 160 256 AND 320
1
0
It’s funny if you choose A, C, E, because SHA is better than MD5.
1
0
A, E, F works if you assume they are referring to SHA-0 or SHA-1. Question is a bit too vague.
0
0
How about D,E,F. because their is something called “null cipher”
“In modern cryptology, null cipher (or NONE cipher) is also defined as choosing not to use encryption in a system where various encryption options are offered, such as for testing/debugging, or authentication-only communication.”
http://cryptography.wikia.com/wiki/Null_cipher
0
0
I agree with DEF unless RIPMED is not a typo. If it is RIPMED which does not exist, then CDE is a better set of answers.
0
0
OK. The question says disable “supported list of ciphers”, so we can rule out RIPEMD and TWOFISH. Again for me, final answer is D,E,F.
correct me if I’m wrong.
1
0
I agree.
0
0
I think it is A, D, E
0
0