Chapter 14 Β· Quiz

Encryption Technologies Quiz

Select your answer, then click Reveal Answer to check immediately β€” or grade all at once at the bottom.

Question 1: A company must comply with PCI-DSS requirements for protecting payment card encryption keys. Which technology satisfies this requirement?

Correct answer: C. PCI-DSS explicitly requires HSM-backed key management for cryptographic keys protecting cardholder data. An HSM provides tamper resistance, access controls, and audit logging at the enterprise scale required for payment processing. A TPM is device-scoped (not enterprise), and a config file (even encrypted) is not a compliant key storage solution.

Question 2: A laptop with BitLocker and TPM is stolen. The attacker removes the hard drive and connects it to their own machine. What will they encounter?

Correct answer: C. BitLocker with TPM seals the drive encryption key to the specific TPM chip on the original laptop, tied to specific PCR measurements. The attacker's machine has a different TPM with no record of the sealed key. The drive is cryptographically unreadable without the original TPM's cooperation or the BitLocker recovery key.

Question 3: What feature allows a TPM to detect if the system's boot process has been tampered with by malware?

Correct answer: C. Measured boot records cryptographic hash measurements of each boot component into the TPM's Platform Configuration Registers (PCRs). Keys can be sealed to specific PCR values. If boot-path malware modifies the bootloader or OS, the measurements change, the sealed PCR values no longer match, and the TPM refuses to release the keys.

Question 4: What is the primary advantage of a Key Management System over applications storing encryption keys in their own configuration?

Correct answer: B. The KMS's value is operational: centralized management, automated rotation without downtime, policy-based access control (only authorized applications can use specific keys), audit logging of all access, and immediate revocation capability. Applications never store raw keys β€” they call the KMS API. This removes a major attack surface (keys in config files) and gives security teams visibility and control over key usage.

Question 5: An iPhone user's device is seized by authorities. Even with Apple's cooperation, the data cannot be decrypted. What explains this?

Correct answer: B. The Secure Enclave derives the device's file system encryption key from a unique identifier (UID) fused into the enclave hardware during manufacturing. Apple does not record this UID during manufacturing. The key exists only inside that specific device's Secure Enclave. Reconstruction is physically impossible without that specific hardware β€” it is a hardware architectural limitation, not a policy choice.

Matching: Hardware Security Technologies

Match each technology to its primary use case.

TECHNOLOGY

TPM
HSM
KMS
Secure Enclave

PRIMARY USE CASE

Motherboard chip for device-level encryption and boot integrity (BitLocker)
Enterprise appliance for CA keys and PCI-DSS payment key protection
Software service for key rotation, audit logging, and lifecycle management
Hardware-isolated coprocessor protecting biometrics and device keys on mobile

Performance Task

A healthcare organization is building a new system to protect patient records. Requirements: (1) database encryption keys must be managed centrally and rotated annually, (2) the CA that issues internal certificates must have its private key hardware-protected with tamper response, (3) employee laptops must be protected if stolen, (4) an audit log of all key access must be maintained. Map each requirement to the correct technology and justify your choices.

Model Answer:

Requirement 1 β€” Database key management (centralized, annual rotation):
β†’ KMS (Key Management System). The KMS manages the database encryption key lifecycle, automates rotation without downtime, controls which applications can access the key, and maintains a full audit log of every access. The database application calls the KMS API rather than storing the key in its configuration.

Requirement 2 β€” CA private key hardware-protected with tamper response:
β†’ HSM. The CA private key should be generated inside the HSM and never exported. All certificate signing operations happen inside the HSM. The HSM detects physical attacks and destroys keys (tamper-responsive). This meets both the hardware protection and tamper response requirements. The KMS can use the HSM as its backend for the CA key specifically.

Requirement 3 β€” Laptop protection if stolen:
β†’ TPM + BitLocker. The TPM seals the BitLocker drive encryption key to the specific laptop hardware and expected boot state. A stolen drive attached to another machine is unreadable. This is the standard and cost-effective solution for laptop fleet protection.

Requirement 4 β€” Audit log of all key access:
β†’ KMS. A properly configured KMS logs every key access request: which application, which key, what operation, at what time. This is one of the core value propositions of a KMS over distributed key storage. The HSM also logs all CA signing operations separately.