Exam CAS-004 topic 1 question 178 discussion

Actual exam question from CompTIA's CAS-004
Question #: 178
Topic #: 1

A security analyst sees that a hacker has discovered some keys and they are being made available on a public website. The security analyst is then able to successfully decrypt that data using the keys from the website. Which of the following should the security analyst recommend to protect the affected data?

  • A. Key rotation
  • B. Key revocation
  • C. Key escrow
  • D. Zeroization
  • E. Cryptographic obfuscation
Suggested Answer: B

Comments

Bright07
6 days, 20 hours ago
Selected Answer: B
After extensive research, I have changed my answer to B. Key Revocation. This is a great question — and this is a classic scenario in security. Let’s break it down quickly:
Situation Summary: Keys were leaked publicly. Data was decrypted using those keys. So now, anyone can decrypt that data if they have the keys. The main issue? Compromised keys.
B. Key revocation (Best Choice): Revokes the current keys — marks them as untrusted/invalid. This is what you do when keys are compromised or exposed. It ensures no one should use them anymore.
BUT A. Key rotation: Means replacing old keys with new ones periodically. Good practice, but doesn’t directly respond to already-compromised keys. It's a future-facing action.
Final Answer: B. Key revocation
upvoted 1 times
...
iganinja5
1 week, 2 days ago
Selected Answer: B
What good is it to rotate your keys if you don't revoke your old ones?
upvoted 2 times
...
Steel16
1 month, 3 weeks ago
Selected Answer: B
"Key rotation" refers to the practice of periodically replacing an old cryptographic key with a new one at a planned interval, while "key revocation" means immediately invalidating a key, typically done when there is a suspicion of compromise, meaning it should no longer be used even if it's still within its normal lifespan; essentially, rotation is a proactive measure, whereas revocation is a reactive response to a potential security breach.
upvoted 2 times
...
mansamusa
4 months, 1 week ago
Selected Answer: A
Key rotation involves replacing old keys with new ones ensuring continued security of encrypted data. Revocation alone does not protect historical data; it merely prevents the key from being used in the future. Any data already encrypted with that compromised key can still be decrypted by anyone who has access to the key.
upvoted 2 times
...
deeden
4 months, 2 weeks ago
Selected Answer: A
Key rotation involves replacing old keys with new ones ensuring continued security of encrypted data. Revocation alone does not protect historical data; it merely prevents the key from being used in the future. Any data already encrypted with that compromised key can still be decrypted by anyone who has access to the key.
upvoted 2 times
...
Bright07
4 months, 4 weeks ago
Ans A. Key rotation. The security analyst has discovered that the keys have been compromised and are being made publicly available. Since these keys can now be used by unauthorized parties to decrypt the affected data, the first and most effective action would be to rotate the keys. Key rotation involves generating new keys to replace the compromised ones, which ensures that the attacker can no longer use the old keys to decrypt the data. Key rotation is a standard security practice to maintain confidentiality and protect data when keys have been exposed or compromised. While key revocation refers to the process of invalidating a key, usually through a public key infrastructure (PKI) or certificate authority, revocation alone does not necessarily prevent the use of previously compromised keys. It is often used in conjunction with key rotation, but it is not sufficient by itself to secure the data.
upvoted 2 times
...
Pupa3
7 months ago
Key rotation is generally considered a best practice, while key revocation is typically only done if a key is suspected to be compromised. The key has been compromised. Therefore, key revocation is warranted.
upvoted 2 times
...
HereToStudy
7 months, 1 week ago
Selected Answer: A
Key rotation involves revoking the old key after creating a new one.
upvoted 2 times
...
ServerBrain
8 months, 2 weeks ago
Selected Answer: B
Key rotation gets people to accept and use a new key; key revocation gets them to not accept the old one. Of course if you revoke the current key you generally want people to rotate into using a new one, but you can want people to rotate into a new key without any particular revocation of the old one.
upvoted 3 times
...
PluDou_111
8 months, 3 weeks ago
Selected Answer: A
This is also a repeat of 201 which does not have key revocation as a possible answer.
upvoted 4 times
...
hb0011
1 year, 3 months ago
Selected Answer: B
I agree with everyone saying there is no way it's E, as the data is already obfuscated, but I'm not clear on why to choose key revocation over key rotation. Wouldn't they both accomplish the same thing?
upvoted 2 times
...
Ariel235788
1 year, 6 months ago
Selected Answer: B
Discovered your key was compromised? Better revoke and THEN distribute a new key. First step is always to revoke keys.
upvoted 4 times
...
SmokinJoe
1 year, 6 months ago
A hacker has a key stored on a public website, most likely the private key, because who cares about the public key; it's shared. Said analyst uses the key to decrypt data on the website. Most likely his website, so the private key has been stolen and is able to decrypt the data encrypted with the public key of the website. Time for new keys. A.
upvoted 1 times
Ariel235788
1 year, 6 months ago
You've gotta revoke the key first before you can distribute a new one
upvoted 1 times
...
...
CXSSP
1 year, 7 months ago
Selected Answer: B
In this specific scenario, "Cryptographic obfuscation" (option E) might not be the most effective solution. Cryptographic obfuscation typically involves adding complexity to cryptographic algorithms to make them more resistant to attacks. However, in this case, the keys themselves have already been compromised and are available on a public website. This means that the attacker can still use the keys to decrypt the data, regardless of how complex the algorithm is. The best course of action is to invalidate the compromised keys through key revocation (option B), which prevents the attacker from using them to decrypt sensitive data. This is a more direct and effective response to the situation at hand.
upvoted 2 times
...
imather
1 year, 8 months ago
Selected Answer: A
Going against the grain and saying key rotation. The question is how to protect the data that has an exposed key. Obviously, C and D are non-applicable. Cryptographic obfuscation is also not applicable. The data is already encrypted, i.e., cryptographically obfuscated. Key revocation is defined as "a process whereby a notice is made available to affected entities that the key should be removed from operational use prior to the end of the established cryptoperiod of that key." In other words, revocation is a notice that this key is no longer valid, not removing the ability for a key to decrypt something it encrypted. A key rotation, on the other hand, would re-encrypt the data on the website with new keys, protecting it and preventing the use of the old keys. This is also a repeat of 201 which does not have key revocation as a possible answer.
https://csrc.nist.gov/glossary/term/key_revocation
https://www.gnupg.org/gph/en/manual/c14.html
https://cpl.thalesgroup.com/blog/data-protection/encryption-key-rotation-data-security
upvoted 4 times
...
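The mechanics argued over in this thread, as an added example that is not part of any comment or of the exam material: it shows what revoking a key and what rotating it (with re-encryption of stored data) each change for a holder of the leaked key. `KeyStore`, `seal` and `unseal` are hypothetical names, and the cipher is a toy HMAC-SHA256 construction used only so the block runs on the standard library; it stands in for a real AEAD.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):     # toy HMAC-SHA256 keystream, stand-in for an AEAD
    ks = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):              # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):                 # what anyone holding the raw key bytes can do
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None                    # wrong key or tampered blob
    return _xor_stream(key, nonce, ct)

class KeyStore:                        # hypothetical key-management service
    def __init__(self):
        self.keys, self.revoked, self.active = {}, set(), None
        self.new_key()
    def new_key(self):
        self.active = f"k{len(self.keys) + 1}"
        self.keys[self.active] = secrets.token_bytes(32)
    def encrypt(self, plaintext):
        return self.active, seal(self.keys[self.active], plaintext)
    def decrypt(self, record):         # the service honours the revocation list
        kid, blob = record
        return None if kid in self.revoked else unseal(self.keys[kid], blob)
    def revoke(self, kid):             # status change only; stored ciphertext is untouched
        self.revoked.add(kid)
    def rotate(self, records):         # new key, then re-encrypt every stored record
        plain = [unseal(self.keys[k], b) for k, b in records]
        self.new_key()
        return [self.encrypt(p) for p in plain]

def demo():
    store = KeyStore()
    old_id = store.active
    leaked = store.keys[old_id]        # constructed: the key copy posted publicly
    record = store.encrypt(b"constructed sample record")
    store.revoke(old_id)
    after_revoke = (store.decrypt(record), unseal(leaked, record[1]))
    (new_record,) = store.rotate([record])
    after_rotate = (store.decrypt(new_record), unseal(leaked, new_record[1]),
                    unseal(leaked, record[1]))
    return after_revoke, after_rotate
```

`demo()` returns `(None, plaintext)` after revocation and `(plaintext, None, plaintext)` after rotation. The last element is a copy of the old ciphertext taken before re-encryption, which the leaked key still opens.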
BiteSize
1 year, 9 months ago
Selected Answer: E
Going with E. DATA is the question. rest is fluff. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)
upvoted 1 times
Ariel235788
1 year, 6 months ago
There is no security in obfuscation. Also, you commonly put your source as comparing to ChatGPT. I JUST ran it through... In the scenario where a hacker has discovered some keys and made them available on a public website, and the security analyst was able to successfully decrypt data using those keys, the recommended action to protect the affected data is: B. Key revocation. Key revocation is the process of invalidating compromised or unauthorized keys to prevent their use for decrypting sensitive data. By revoking the compromised keys, the organization ensures that the keys are no longer valid for decrypting data, even if they are in the possession of unauthorized individuals.
upvoted 5 times
...
...
Geofab
2 years ago
Selected Answer: B
Yea; it's a special question. I am going with B, but yes, it could be E as well.
upvoted 3 times
...