WGU Introduction-to-Cryptography - WGU Introduction to Cryptography HNO1

IPsec’s initial key exchange is commonly performed using IKE (Internet Key Exchange), which negotiates Security Associations (SAs), authenticates peers, and establishes shared keys for ESP/AH protection. The traditional and default transport for IKEv1 and IKEv2 is UDP port 500. During negotiation, peers exchange proposals (crypto suites), perform Diffie–Hellman to derive key material, and authenticate using pre-shared keys, certificates, or EAP methods. If a firewall blocks UDP 500, the IKE negotiation cannot begin, preventing IPsec tunnels from forming. In many real deployments, NAT traversal is also used; in that case, traffic typically shifts to UDP 4500 (NAT-T) after detection of NAT, but UDP 500 is still required for the initial exchange and NAT detection in many configurations. TCP 500 is not standard for IKE. Port 443 is associated with HTTPS/TLS and some SSL VPNs, not IPsec IKE. Therefore, among the options provided, the firewall must allow UDP 500 for IPsec key exchange to succeed.

Bit-flipping exploits target encryption modes or protocols that do not provide strong integrity, allowing attackers to modify ciphertext so that predictable changes occur in plaintext after decryption. To defend against this, protocols add an integrity mechanism that detects tampering. In WPA (including enterprise deployments), TKIP introduced a Message Integrity Check (MIC) called “Michael.” The MIC is computed over the frame contents (with additional fields) and verified by the receiver; if an attacker flips bits in transit, the MIC verification fails, and the frame is rejected. While AES (used by WPA2’s CCMP) also provides integrity via authenticated encryption, the option presented that directly names the tamper-detection mechanism associated with guarding against bit-flipping is MIC. A pre-shared key is an authentication/keying method (and not enterprise-mode anyway), and a “global encryption key” would be the opposite of what you want—global/static keys worsen security. Therefore, the intended mechanism that mitigates bit-flipping by detecting unauthorized modifications is the Message Integrity Check.

Digital signatures provide integrity, authenticity, and typically non-repudiation by using an asymmetric key pair. The signer uses the private key to create a signature over a message (usually over a hash/digest of the message). Because the private key is kept secret, only the legitimate signer should be able to produce a valid signature. Anyone who has the corresponding public key can then validate the signature: they verify that the signature matches the message digest under the public key and that the signed data has not been altered. This is why the public key can be widely distributed (often inside an X.509 certificate) while the private key must be protected by the signer. If a public key were used to sign, anyone could forge signatures; if a private key were required for validation, only the signer could validate, defeating the purpose of public verifiability. Therefore, the correct key roles are private key for signing and public key for signature validation.

A rainbow table attack uses large, precomputed tables that link hash outputs back to likely original inputs (typically passwords). Instead of storing every password→hash pair directly (which would be huge), rainbow tables store chains created by alternating hash operations with reduction functions, allowing attackers to reconstruct candidate plaintexts that produce a given hash. This makes cracking fast,ifthe target hashes are unsalted and use a known, fast hash function. Salt defeats rainbow tables because the attacker would need separate tables for each salt value, which becomes infeasible when salts are unique and sufficiently large. A dictionary attack is related but typically computes hashes on the fly from a wordlist rather than using precomputed chain structures. A birthday attack targets collisions, not mapping to original data. Brute-force tries all candidates without precomputation. Because the question explicitly describes mapping hashed values back to original data via a precomputed approach, the correct choice is Rainbow table.

The string format $2a$08$... is a well-known identifier for the bcrypt password hashing scheme. In common password-hash notation, the prefix indicates the algorithm and parameters: “$2a$” denotes bcrypt (version 2a), and “08” indicates the cost factor (work factor) controlling how computationally expensive hashing is. bcrypt is designed specifically for password storage: it includes a built-in salt and is intentionally slow and adaptive, making brute-force and GPU attacks far more expensive than fast general-purpose hashes like MD5 or SHA-512. NTLM and MD5 are obsolete for secure password storage due to speed and known weaknesses. SHA-512, while cryptographically strong as a hash, is still too fast for password hashing unless used in a dedicated password-hashing construction (e.g., PBKDF2, scrypt, Argon2) with appropriate parameters and salts. Since the given hash clearly matches bcrypt’s encoding, the correct algorithm is bcrypt, which incorporates salting and cost-based key stretching as part of its design.

802.1X is a port-based network access control framework that enables centralized authentication using an authentication server (commonly RADIUS). EAP (Extensible Authentication Protocol) runs within 802.1X to support many credential types (password-based methods like PEAP, certificate-based methods like EAP-TLS, and others). WPA-Enterprise is the wireless security mode that explicitly uses 802.1X + EAP with an authentication server to perform per-user/per-device authentication and to derive dynamic session keys. By contrast, WPA-PSK uses a pre-shared key without an external authentication server; all users share the same PSK, which is weaker for enterprise identity management. WEP is an older mechanism using static keys and does not provide modern 802.1X/EAP enterprise authentication in the WPA-Enterprise sense. TKIP is an encryption/integrity protocol used under WPA, not the full authentication “standard” involving an authentication server. Therefore, the correct choice is WPA-Enterprise.

A birthday attack targets hash functions by exploiting the birthday paradox: collisions (two different inputs producing the same hash output) can be found much faster than brute-forcing a specific preimage. For an n-bit hash, the expected work to findanycollision is on the order of 2^(n/2), not 2^n. The attack is relevant because many security constructions rely on collision resistance—digital signatures, certificate fingerprints, integrity checks, and some commitment schemes. If an attacker can generate two different documents with the same hash, they may trick a signer into signing one version while later presenting the other as “signed,” depending on the protocol. Linear cryptanalysis and differential cryptanalysis are primarily techniques against block ciphers, analyzing relationships between plaintext/ciphertext differences or linear approximations across rounds. Algebraic attacks treat the cipher as a system of equations. The description “looking for different inputs that generate the same hash” is the hallmark of collision-finding, and the classic framing for that is the birthday attack.

A true random number generator (TRNG) draws randomness from physical phenomena that are inherently unpredictable and not algorithmically reproducible. Because of this, it is nondeterministic: you cannot feed it the same “input” and expect the same output stream. TRNGs are often slower than PRNGs because they depend on collecting entropy from hardware sources and may require conditioning to remove bias. This aligns with option B: slow and nondeterministic, producing different results even under similar or repeated conditions. Option A describes a deterministic PRNG, where identical seeds yield identical sequences. Option C is unrelated; factorization is a hard math problem used in cryptography (e.g., RSA security assumptions), not a randomness generator definition. Option D describes a counter, which is deterministic and not random. In secure systems, TRNG output may seed a cryptographically secure PRNG to provide both unpredictability and high throughput; but the defining characteristic of a TRNG is nondeterminism from physical entropy. Therefore, option B is correct.