CISA Certified Information Systems Auditor – Question2169

How does the digital envelop work? What are the correct steps to follow?

A.
You encrypt the data using a session key and then encrypt session key using private key of a sender
B. You encrypt the data using the session key and then you encrypt the session key using sender's public key
C. You encrypt the data using the session key and then you encrypt the session key using the receiver's public key
D. You encrypt the data using the session key and then you encrypt the session key using the receiver's private key

Correct Answer: C

Explanation:

Explanation:
The process of encrypting bulk data using symmetric key cryptography and then encrypting the session key using public key algorithm is referred as a digital envelope.
A Digital Envelope is used to send encrypted information using symmetric crypto cipher and then key session along with it. It is secure method to send electronic document without compromising the data integrity, authentication and non-repudiation, which were obtained with the use of symmetric keys.
A Digital envelope mechanism works as follows:
The symmetric key used to encrypt the message can be referred to as session key. The bulk of the message would take advantage of the high speed provided by Symmetric Cipher.
The session key must then be communicated to the receiver in a secure way to allow the receiver to decrypt the message.
If the session key is sent to receiver in the plain text, it could be captured in clear text over the network and anyone could access the session key which would lead to confidentiality being compromised.
Therefore it is critical to encrypt the session key with the receiver public key before sending it to the receiver. The receiver’s will use their matching private key to decrypt the session key which then allow them to decrypt the message using the session key.
The encrypted message and the encrypted session key are sent to the receiver who, in turn decrypts the session key with the receiver’s private key. The session key is then applied to the message cipher text to get the plain text.
The following were incorrect answers:
You encrypt the data using a session key and then encrypt session key using private key of a sender – If the session key is encrypted using sender’s private key, it can be decrypted only using sender’s public key. The sender’s public key is known to everyone so anyone can decrypt session key and message.
You encrypt the data using the session key and then you encrypt the session key using sender’s public key – If the session key is encrypted by using sender’s public key then only sender can decrypt the session key using his/her own private key and receiver will not be able to decrypt the same.
You encrypt the data using the session key and then you encrypt the session key using the receiver’s private key – Sender should not have access to receiver’s private key. This is not a valid option.
Reference:
CISA review manual 2014 Page number 350 and 351