A one-way hash is a cryptographic function that meets all the criteria described. It takes an input of arbitrary length (a string of characters) and produces a fixed-length string, known as a hash value or message digest. The core properties of a cryptographic hash function are that it is deterministic (the same input always produces the same output), fast to compute, and, crucially, "one-way." This one-way property, also known as preimage resistance, makes it computationally infeasible to determine the original input string from its hash value, meaning the transformation cannot be reversed.

B. DES: This is a symmetric-key encryption algorithm. It is a two-way, reversible process used for confidentiality, not a one-way transformation.

C. Transposition: A classical encryption cipher that rearranges the order of characters. It is reversible and does not produce a fixed-length output.

D. Substitution: A classical encryption cipher that replaces characters with other characters. It is also reversible and does not produce a fixed-length output.

1. National Institute of Standards and Technology (NIST). (2015). FIPS PUB 180-4

Secure Hash Standard (SHS). Section 1

"Introduction

" states

"A hash algorithm is used to compute a condensed representation of a message or a data file... For a given algorithm

the message digests are of a fixed length..."

2. Katz

J.

& Lindell

Y. (2014). Introduction to Modern Cryptography (2nd ed.). CRC Press. In Chapter 5

Section 5.1

a hash function is defined as a function that maps arbitrary-length strings to a fixed-length output. The property of being "one-way" is formally defined as preimage resistance.

3. Stallings

W. (2017). Cryptography and Network Security: Principles and Practice (7th ed.). Pearson. Chapter 11

Section 11.1

"Secure Hash Algorithms

" describes the fundamental requirements for a cryptographic hash function

including the one-way property (preimage resistance) and the production of a fixed-length hash value.

A compromised hypervisor represents a complete failure of the virtualization security boundary, granting the attacker potential control over all hosted virtual machines (VMs) and a powerful pivot point for lateral movement. The most critical immediate step, according to established incident response principles, is containment. Disconnecting the hypervisor from the network immediately severs the attacker's command and control (C2) channel and prevents them from exfiltrating data or attacking other systems on the network. This action isolates the threat, limiting the scope of the damage, which is the primary objective in the initial phase of handling a critical security incident.

A. Increase the monitoring frequency of virtual machine logs.

This is a detective, not a mitigative, action. It does not stop the active attack, and the attacker could potentially alter the logs from the compromised hypervisor.

B. Restart all virtual machines hosted by the hypervisor.

This is ineffective because the compromise is at the hypervisor level. The attacker would retain control of the hypervisor and could simply re-compromise the VMs upon restart.

D. Apply the latest hypervisor patches and updates.

Patching is a preventative and recovery measure, not an immediate containment step for an active breach. It will not eject an attacker who is already in the system.

1. NIST Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide. Section 3.3.2

"Containment

" states that a major decision is "how much to disconnect the affected systems from the network." For a severe compromise

complete disconnection is a primary strategy to prevent the attacker from causing further damage.

2. NIST Special Publication 800-125

Guide to Security for Full Virtualization Technologies. Section 5.3

"Hypervisor

" describes the hypervisor as the most critical component. A compromise at this level is catastrophic

implicitly requiring immediate and decisive containment actions like network isolation to prevent the compromise from spreading.

3. Souppaya

M.

& Scarfone

K. (2011). NIST Special Publication 800-146

Cloud Computing Synopsis and Recommendations. Section 5.2.2

"Network Security

" discusses the risk of a compromised hypervisor allowing an attacker to "gain access to the underlying physical infrastructure and from there to other tenants." This highlights the urgency of preventing lateral movement

which is best achieved by network isolation.

4. Garfinkel

T.

& Rosenblum

M. (2005). When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing. Proceedings of the 10th conference on Hot Topics in Operating Systems

Vol. 10. This foundational academic paper discusses the severe implications of a Virtual Machine Monitor (hypervisor) compromise

noting that it "subverts the security of every guest OS running above it

" reinforcing the need for immediate

drastic containment measures.

The primary role of a smartcard within a Public Key Infrastructure (PKI) is to provide a secure, hardware-based environment for the user's private key. Smartcards are designed to be tamper-resistant, preventing unauthorized physical or logical access to the key. Critically, the private key is generated on and never leaves the card. All cryptographic operations requiring the private key, such as digital signing or decrypting a session key, are performed by the processor on the card itself. This protects the key from being compromised by malware on the host computer and provides strong non-repudiation, as the user must physically possess the card and typically provide a PIN to authorize its use.

A. Key renewal is a PKI management process; the smartcard is a secure endpoint for this process, not the primary enabler of renewal itself.

B. Public certificates are distributed by Certificate Authorities (CAs) and directories, not primarily by users exchanging smartcards.

C. While smartcards perform cryptographic operations, they are not designed for high-speed bulk data encryption; dedicated Hardware Security Modules (HSMs) serve that role.

1. National Institute of Standards and Technology (NIST) FIPS 201-3

Personal Identity Verification (PIV) of Federal Employees and Contractors

January 2022. Section 6.2

"PIV Cryptographic Keys

" states

"Private keys are generated on the PIV card and are not exportable." This highlights the card's role as a secure

non-exportable container for private keys.

2. National Institute of Standards and Technology (NIST) SP 800-73-4

Interfaces for Personal Identity Verification - Part 1: PIV Card Application Namespace

Data Model

and Representation

January 2015. Section 3.1.1

"PIV Card

" specifies

"The PIV Card is used to store PIV identity credentials and to perform cryptographic computations." This directly supports the role of secure storage and application of keys.

3. Stallings

W.

& Brown

L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. Chapter 22

"Public-Key Cryptography and Message Authentication

" discusses the critical need to protect private keys

stating that hardware tokens like smartcards "provide tamper-resistant storage of private keys."

4. Microsoft Documentation

Smart Card Architecture. The documentation explains that a smart card's Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) ensures that "authentication and other private key operations are performed on the smart card and not on the host computer

" reinforcing the principle of secure application and storage.

The Digital Signature Standard (DSS), specified in FIPS 186-4, defines algorithms for generating and verifying digital signatures. The primary security services provided by a digital signature are authentication (verifying the sender's identity), data integrity (ensuring the message has not been altered), and non-repudiation (preventing the sender from denying the message). DSS is not designed to provide confidentiality. While the underlying algorithms like RSA can be used for encryption, the standard itself is exclusively for creating signatures, not for encrypting data to keep it secret.

B. Integrity: DSS provides integrity by using a secure hash function on the message before signing. Any change to the message results in a different hash, causing signature verification to fail.

C. Digital signature: This is the core function of the standard. DSS explicitly defines the methods and algorithms (DSA, RSA, ECDSA) for creating and verifying digital signatures.

D. Authentication: DSS authenticates the origin of a message. Since the signature is created with the signer's private key, successful verification with the public key proves the message came from the claimed sender.

1. National Institute of Standards and Technology (NIST). (2013

July). FIPS PUB 186-4: Digital Signature Standard (DSS). U.S. Department of Commerce. In Section 1

"Specification

" the document states its purpose is for applications requiring a digital signature to "detect unauthorized modifications to data and to authenticate the identity of the signatory." It makes no mention of providing encryption or confidentiality. (Page 1

Section 1).

2. Purdue University. (n.d.). CS 555: Introduction to Cryptography - Lecture 20: Digital Signatures. "The main goal of digital signatures is to provide authenticity

including data integrity and origin authentication. It also provides non-repudiation... Digital signatures do not provide confidentiality." (Slide 3).

3. Katz

J.

& Lindell

Y. (2014). Introduction to Modern Cryptography (2nd ed.). CRC Press. In Chapter 12

the text clearly distinguishes the security goals of digital signatures (integrity and authentication) from those of encryption schemes (confidentiality). DSS is presented as a standard for the former. (Chapter 12

Section 12.1

"Definition of Secure Signatures").

Statistical multiplexing, also known as statistical time-division multiplexing (STDM), is a communication channel sharing method that allocates bandwidth dynamically. Unlike traditional time-division multiplexing (TDM) which uses fixed time slots, statistical multiplexing allocates time slots on an as-needed basis to users who have data to transmit. This approach is highly efficient for bursty data traffic from variable bit-rate sources, as it leverages the statistical probability that not all users will transmit simultaneously, thereby accommodating more users on a shared channel. This directly matches the question's description of dynamic allocation for an arbitrary number of variable bit-rate streams.

A. Time-division multiplexing: This method allocates a fixed, pre-determined time slot to each channel in a round-robin fashion, regardless of whether the channel has data to send. It is a static, not dynamic, allocation method.

B. Asynchronous time-division multiplexing: While often used synonymously with statistical multiplexing, "statistical multiplexing" is the more precise and fundamental term describing the method based on traffic statistics. ATDM is a specific implementation of this principle.

D. Frequency division multiplexing: This method divides the channel's bandwidth into distinct, non-overlapping frequency bands, with each channel assigned a dedicated band. This allocation is static and based on frequency, not time.

1. Kurose

J. F.

& Ross

K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson.

Page 33

Section 1.3.2: "Packet switching also makes use of statistical multiplexing... In a TDM link

each host gets a dedicated rate of R/N bps during every time frame... With statistical multiplexing... there is no a priori reservation of a link’s capacity." This source distinguishes statistical multiplexing's dynamic

on-demand nature from TDM's fixed allocation.

2. Tanenbaum

A. S.

& Wetherall

D. J. (2011). Computer Networks (5th ed.). Prentice Hall.

Page 135

Section 2.5.2: "A variation of TDM is statistical TDM

in which slots are allocated to lines dynamically... The statistical TDM scans the input lines and collects data until a frame is full

and then it sends the frame." This directly describes the dynamic allocation method for channels with data.

3. Stallings

W. (2014). Data and Computer Communications (10th ed.). Pearson.

Page 243

Section 8.2: "In statistical time-division multiplexing

time slots are allocated dynamically on the basis of need... The statistical multiplexer can absorb peak rates of a number of the attached devices

providing a better response time than a synchronous TDM system." This confirms the dynamic

on-demand allocation for variable traffic.

Reverse Address Resolution Protocol (RARP) is a network protocol used by a client device on a Local Area Network (LAN) to request its Internet Protocol (IP) address from a server. The client broadcasts a RARP request packet, which contains its own unique Media Access Control (MAC) address. A designated RARP server on the network receives this request, looks up the MAC address in its configuration table, and replies with the corresponding IP address. This mechanism was historically used by diskless workstations or other devices at boot time to discover their IP address when they only knew their hardware address.

B. Address resolution protocol (ARP): ARP performs the opposite function; it resolves a known IP address to an unknown MAC address (IP -> MAC).

C. Data link layer: This is Layer 2 of the OSI model. It is a conceptual layer, not a specific protocol that resolves a MAC address to an IP address.

D. Network address translation (NAT): NAT is a method for remapping IP addresses, typically between a private LAN and a public network (like the Internet), not for local address discovery.

1. Finlayson

R.

Mann

T.

Mogul

J.

& Theimer

M. (1984). RFC 903: A Reverse Address Resolution Protocol. IETF. The abstract states

"This RFC describes a protocol for allowing a host to discover its Internet address when it knows only its hardware address."

2. Comer

D. E. (2018). Internetworking with TCP/IP Volume 1: Principles

Protocols

and Architecture (6th ed.). Pearson. In Chapter 6

"Mapping Internet Addresses To Physical Addresses (ARP)

" the text contrasts ARP with RARP

explicitly stating RARP's purpose: "A host uses RARP to find its IP address when it knows its hardware address" (Section 6.10

RARP).

3. Tanenbaum

A. S.

& Wetherall

D. J. (2011). Computer Networks (5th ed.). Prentice Hall. In Chapter 5

"The Network Layer

" Section 5.6.3

the text describes ARP and its inverse

RARP

noting that RARP allows a host to broadcast its Ethernet address and ask for someone to tell it the corresponding IP address.

The foundational step in any information classification program is to establish the framework upon which all other activities will be based. This involves specifying the criteria that define the classification levels (e.g., Public, Internal, Confidential, Restricted). These criteria determine how data is categorized based on its sensitivity, criticality, and impact if disclosed. All subsequent steps, such as assigning security controls, appointing custodians, and establishing review procedures, are dependent on this initial, fundamental definition. Without clear criteria, the classification process would be arbitrary, inconsistent, and ultimately ineffective.

A. Establishing review procedures is a governance and maintenance step that occurs after the initial classification program has been defined and implemented.

B. Specifying security controls for each level can only be done logically after the classification levels and their corresponding criteria have been established.

C. Identifying a data custodian is an operational step to assign responsibility, which follows the creation of the classification framework that the custodian will manage.

---

1. Official (ISC)² Guide to the SSCP CBK

5th Edition. Chapter 2

"Security Operations and Administration

" in the section "Implement and Support Data-Labeling Policies

" explains that the creation of a data classification policy begins with defining the objectives and criteria for classification before assigning roles or controls.

2. NIST Special Publication 800-60 Vol. 1 Rev. 1

Guide for Mapping Types of Information and Information Systems to Security Categories. Section 2.1

"The Security Categorization Process

" outlines the initial step as identifying the types of information to be protected. This act of identification and understanding is integral to defining the criteria for how they will be classified based on impact.

3. University of California

Berkeley

Data Classification Standard. This official university document exemplifies the correct process. The standard begins by defining the "Protection Levels" (PLs) and "Availability Levels" (ALs)

which constitute the criteria for classification

before it proceeds to detail any roles

responsibilities

or specific controls. (See Section III

"UC Berkeley Data Classification

" and Section IV

"UC Berkeley Data Availability Classification").

A full mesh topology offers the highest availability and fault tolerance. In this configuration, every node is directly connected to every other node in the network. This design creates the maximum number of redundant paths for data to travel between any two points. If a link or a node fails, traffic can be immediately rerouted through numerous alternative paths, ensuring that network communication remains uninterrupted. While costly and complex to implement, its inherent redundancy makes it the most resilient and available LAN topology.

A. Bus topology: This topology has a single point of failure; a break in the shared central cable will cause the entire network to fail.

B. Tree topology: A failure of a central hub or the main backbone cable can disconnect entire segments or all of the network.

D. Partial mesh topology: It provides redundancy but less than a full mesh, as not all nodes are connected to each other, creating fewer alternative paths.

1. Stallings

W. (2016). Data and Computer Communications (10th ed.). Pearson. In Chapter 11.2

"Topologies

" it is stated

"In a mesh topology

each station is connected to every other station... The primary advantage of the mesh topology is that it is very reliable or robust." The text implicitly supports that a full mesh is more reliable than a partial mesh.

2. Kurose

J. F.

& Ross

K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. Chapter 1

Section 1.3

"The Network Edge

" discusses various access network types. The principles described illustrate that direct

multiple paths (a characteristic of full mesh) increase fault tolerance

a key component of availability.

3. Tanenbaum

A. S.

& Wetherall

D. J. (2011). Computer Networks (5th ed.). Prentice Hall. Chapter 1

Section 1.3.2

"Local Area Networks

" describes mesh networks as having high reliability due to the existence of multiple paths between nodes. It notes

"If one link becomes unusable

the network can often find a second path and work around it."

The RSA (Rivest-Shamir-Adleman) algorithm is a widely used asymmetric cryptosystem. Its security is fundamentally based on the computational difficulty of the integer factorization problem. The public key consists of a modulus n (the product of two large, secret prime numbers) and a public exponent e. To derive the corresponding private key, an attacker would need to determine the original prime factors of n. For sufficiently large numbers, factoring n is computationally infeasible with current technology, which ensures the security of the private key.

A. El Gamal: Its security is based on the difficulty of solving the Discrete Logarithm Problem (DLP) over a finite field.

B. Elliptic Curve Cryptosystems (ECCs): Security relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP), a more complex variant of the DLP.

D. International Data Encryption Algorithm (IDEA): This is a symmetric-key block cipher and does not use the principles of asymmetric cryptography like factoring or discrete logarithms.

1. Paar

C.

& Pelzl

J. (2010). Understanding Cryptography: A Textbook for Students and Practitioners. Springer. In Chapter 6

Section 6.2

"The RSA Cryptosystem

" it is stated: "The security of RSA relies on the fact that it is difficult to factor large integers." (p. 161).

2. Katz

J.

& Lindell

Y. (2014). Introduction to Modern Cryptography (2nd ed.). CRC Press. Chapter 11

Section 11.3

"The RSA Assumption

" directly connects the security of the RSA cryptosystem to the hardness of the factoring problem. (p. 378).

3. National Institute of Standards and Technology (NIST). (2013). FIPS PUB 186-4: Digital Signature Standard (DSS). Section 5.1.1

"RSA Key Pair Generation

" details the process where the modulus n is the product of two secret primes

p and q

establishing that the security relies on the secrecy of these factors. (DOI: https://doi.org/10.6028/NIST.FIPS.186-4).

4. Boneh

D. (1999). Twenty Years of Attacks on the RSA Cryptosystem. Notices of the American Mathematical Society

46(2)

203-213. The paper's introduction states

"The security of the RSA system is based on the assumption that factoring a large number is difficult." (p. 203).

The Data Encryption Standard (DES) algorithm specifies a key of 64 bits in length. However, within this 64-bit block, every eighth bit (bits 8, 16, 24, 32, 40, 48, 56, and 64) is designated as a parity bit for error detection. These parity bits are discarded before the key-scheduling process begins. Consequently, only 56 of the 64 bits are actually used to generate the subkeys for the encryption rounds. This makes the effective key size 56 bits, which defines the algorithm's cryptographic strength against brute-force attacks.

B. 64 bits: This is the nominal key size, including the 8 parity bits, not the effective key size used in the cryptographic operations.

C. 128 bits: This is a common key size for modern symmetric algorithms like the Advanced Encryption Standard (AES), not for the legacy DES algorithm.

D. 1024 bits: This key length is characteristic of asymmetric cryptographic algorithms, such as RSA, not symmetric block ciphers like DES.

1. National Institute of Standards and Technology (NIST). (1999). FIPS PUB 46-3

Data Encryption Standard (DES). U.S. Department of Commerce. In Section 3

"THE ALGORITHM

" it states

"The 64 bits of the key are denoted by K1

K2

...

K64. The bits K8

K16

...

K64 are for error detection... The 56 bits used in the algorithm are selected from the 64-bit key." (Page 4).

2. Boneh

D. (n.d.). CS255 Introduction to Cryptography

Lecture 5: DES. Stanford University. The lecture notes state

"DES uses a 64-bit key

but 8 of these bits are parity bits. So the effective key length is 56 bits." (Slide 10

"DES: The Data Encryption Standard").

3. Katz

J.

& Lindell

Y. (2014). Introduction to Modern Cryptography (2nd ed.). CRC Press. In Chapter 6

"The Data Encryption Standard (DES)

" Section 6.2

"A High-Level Description of DES

" it is explained that the initial 64-bit key is subjected to a permutation (PC-1) that discards the parity bits

resulting in a 56-bit key for the key-scheduling algorithm. (Page 178).