CompTIA SY0-401 - Topic 6, Cryptography


QUESTION NO: 1115 Which of the following allows lower level domains to access resources in a separate Public Key Infrastructure? A. Trust Model B. Recovery Agent C. Public Key D. Private Key

Answer: A Explanation: A bridge trust model allows lower-level domains to access resources in a separate PKI through the root CA. A trust model is a collection of rules that informs an application on how to decide the legitimacy of a digital certificate. In a bridge trust model, a peer-to-peer relationship exists among the root CAs. The root CAs can communicate with one another, allowing cross certification. This arrangement allows a certification process to be established between organizations or departments. Each intermediate CA trusts only the CAs above and below it, but the CA structure can be expanded without creating additional layers of CAs.

QUESTION NO: 1116 A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements? A. Trust model B. Key escrow C. OCSP D. PKI

Answer: A Explanation: In this scenario we can put a CA in the local network and use an online CA as the root CA in a hierarchical trust model. A trust model is a collection of rules that informs an application on how to decide the legitimacy of a digital certificate. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree.

QUESTION NO: 1003 A company uses PGP to ensure that sensitive email is protected. Which of the following types of cryptography is being used here for the key exchange? A. Symmetric B. Session-based C. Hashing D. Asymmetric

Answer: A Explanation: PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.

QUESTION NO: 1040 Which of the following cryptographic algorithms is MOST often used with IPSec? A. Blowfish B. Twofish C. RC4 D. HMAC

Answer: D Explanation: The HMAC-MD5-96 (also known as HMAC-MD5) encryption technique is used by IPSec to make sure that a message has not been altered.

QUESTION NO: 1107 Which of the following explains the difference between a public key and a private key? A. The public key is only used by the client while the private key is available to all. Both keys are mathematically related. B. The private key only decrypts the data while the public key only encrypts the data. Both keys are mathematically related. C. The private key is commonly used in symmetric key decryption while the public key is used in asymmetric key decryption. D. The private key is only used by the client and kept secret while the public key is available to all.

Answer: D Explanation: The private key must be kept secret at all times. The private key is used only by the client. The public key is available to anybody.

QUESTION NO: 1112 Which of the following must be kept secret for a public key infrastructure to remain secure? A. Certificate Authority B. Certificate revocation list C. Public key ring D. Private key

Answer: D Explanation: The private key, which is also called the secret key, must be kept secret.

QUESTION NO: 1109 Which of the following devices is BEST suited for servers that need to store private keys? A. Hardware security module B. Hardened network firewall C. Solid state disk drive D. Hardened host firewall

Answer: A Explanation: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. By adding an HSM to the server and storing the private keys on the HSM, the security of the keys would be improved.

QUESTION NO: 1101 Which of the following is true about the recovery agent? A. It can decrypt messages of users who lost their private key. B. It can recover both the private and public key of federated users. C. It can recover and provide users with their lost or private key. D. It can recover and provide users with their lost public key.

Answer: A Explanation: A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.

QUESTION NO: 1103 Which of the following is synonymous with a server's certificate? A. Public key B. CRL C. Private key D. Recovery agent

Answer: A Explanation: A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key.

QUESTION NO: 1124 A company is concerned that a compromised certificate may result in a man-in-the-middle attack against backend financial servers. In order to minimize the amount of time a compromised certificate would be accepted by other servers, the company decides to add another validation step to SSL/TLS connections. Which of the following technologies provides the FASTEST revocation capability? A. Online Certificate Status Protocol (OCSP) B. Public Key Cryptography (PKI) C. Certificate Revocation Lists (CRL) D. Intermediate Certificate Authority (CA)

Answer: A Explanation: CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates; however, due to limitations with this method it was succeeded by OCSP. The main advantage of OCSP is that because the client is allowed to query the status of a single certificate, instead of having to download and parse an entire list, there is much less overhead on the client and network.

QUESTION NO: 1127 A small company wants to employ PKI. The company wants a cost effective solution that must be simple and trusted. They are considering two options: X.509 and PGP. Which of the following would be the BEST option? A. PGP, because it employs a web-of-trust that is the most trusted form of PKI. B. PGP, because it is simple to incorporate into a small environment. C. X.509, because it uses a hierarchical design that is the most trusted form of PKI. D. X.509, because it is simple to incorporate into a small environment.

Answer: B Explanation: PGP is easier to use and set up than the corporate PKI model, but it is also less robust when it comes to issues like authentication and trust. However, the full benefits of public key cryptography are used.

QUESTION NO: 1117 In order to use a two-way trust model the security administrator MUST implement which of the following? A. DAC B. PKI C. HTTPS D. TPM

Answer: B Explanation: PKI is a high level concept. Within a PKI you use a trust model to set up trust between Certification Authorities (CAs). A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

QUESTION NO: 1106 Public keys are used for which of the following? A. Decrypting wireless messages B. Decrypting the hash of an electronic signature C. Bulk encryption of IP based email traffic D. Encrypting web browser traffic

Answer: B Explanation: The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic.

QUESTION NO: 1129 A new client application developer wants to ensure that the encrypted passwords that are stored in their database are secure from cracking attempts. To implement this, the developer implements a function on the client application that hashes passwords thousands of times prior to being sent to the database. Which of the following did the developer MOST likely implement? A. RIPEMD B. PBKDF2 C. HMAC D. ECDHE

Answer: B Explanation: Password-Based Key Derivation Function 2 (PBKDF2) applies a pseudorandom function (a hashing operation, an encryption cipher function, or an HMAC operation) to the input password, which is combined with a salt, and the operation is repeated thousands of times.

QUESTION NO: 1104 The security administrator installed a newly generated SSL certificate onto the company web server. Due to a misconfiguration of the website, a downloadable file containing one of the pieces of the key was available to the public. It was verified that the disclosure did not require a reissue of the certificate. Which of the following was MOST likely compromised? A. The file containing the recovery agent's keys. B. The file containing the public key. C. The file containing the private key. D. The file containing the server's encrypted passwords.

Answer: B Explanation: The public key can be made available to everyone. There is no need to reissue the certificate.

QUESTION NO: 1111 Which of the following is true about an email that was signed by User A and sent to User B? A. User A signed with User B's private key and User B verified with their own public key. B. User A signed with their own private key and User B verified with User A's public key. C. User A signed with User B's public key and User B verified with their own private key. D. User A signed with their own public key and User B verified with User A's private key.

Answer: B Explanation: The sender uses his private key, in this case User A's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver (User B) uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender—the public key—to decrypt the message.

QUESTION NO: 1128 Which of the following represents a cryptographic solution where the encrypted stream cannot be captured by a sniffer without the integrity of the stream being compromised? A. Elliptic curve cryptography. B. Perfect forward secrecy. C. Steganography. D. Quantum cryptography.

Answer: D Explanation: Quantum cryptography is a cryptosystem that is completely secure against being compromised without knowledge of the sender or the receiver of the messages.

QUESTION NO: 1130 Joe must send Ann a message and provide Ann with assurance that he was the actual sender. Which of the following will Joe need to use to BEST accomplish the objective? A. A pre-shared private key B. His private key C. Ann's public key D. His public key

Answer: B Explanation: To achieve both authentication and confidentiality, Joe should include Ann's name in the message, sign it using his private key, and then encrypt both the message and the signature using Ann's public key.

QUESTION NO: 1132 Protecting the confidentiality of a message is accomplished by encrypting the message with which of the following? A. Sender's private key B. Recipient's public key C. Sender's public key D. Recipient's private key

Answer: B Explanation: To achieve both authentication and confidentiality, the sender should include the recipient's name in the message, sign it using his private key, and then encrypt both the message and the signature using the recipient's public key.

QUESTION NO: 1105 The public key is used to perform which of the following? (Select THREE). A. Validate the CRL B. Validate the identity of an email sender C. Encrypt messages D. Perform key recovery E. Decrypt messages F. Perform key escrow

Answer: B,C,E Explanation: B: The sender uses the private key to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. C: The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message. E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.

QUESTION NO: 1126 When confidentiality is the primary concern, and a secure channel for key exchange is not available, which of the following should be used for transmitting company documents? A. Digital Signature B. Symmetric C. Asymmetric D. Hashing

Answer: C Explanation: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. Asymmetric algorithms do not require a secure channel for the initial exchange of secret keys between the parties.

QUESTION NO: 1120 A security administrator must implement a secure key exchange protocol that will allow company clients to autonomously exchange symmetric encryption keys over an unencrypted channel. Which of the following MUST be implemented? A. SHA-256 B. AES C. Diffie-Hellman D. 3DES

Answer: C Explanation: Diffie-Hellman key exchange (D-H) is a means of securely generating symmetric encryption keys across an insecure medium.

QUESTION NO: 1121 A security administrator at a company which implements key escrow and symmetric encryption only, needs to decrypt an employee's file. The employee refuses to provide the decryption key to the file. Which of the following can the administrator do to decrypt the file? A. Use the employee's private key B. Use the CA private key C. Retrieve the encryption key D. Use the recovery agent

Answer: C Explanation: Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

QUESTION NO: 1114 Which of the following is a requirement when implementing PKI if data loss is unacceptable? A. Web of trust B. Non-repudiation C. Key escrow D. Certificate revocation list

Answer: C Explanation: Key escrow is a database of stored keys that later can be retrieved. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

QUESTION NO: 1119 RC4 is a strong encryption protocol that is generally used with which of the following? A. WPA2 CCMP B. PEAP C. WEP D. EAP-TLS

Answer: C Explanation: Rivest Cipher 4 (RC4) is a 128-bit stream cipher used in WEP and WPA encryption.

QUESTION NO: 1125 A technician wants to verify the authenticity of the system files of a potentially compromised system. Which of the following can the technician use to verify if a system file was compromised? (Select TWO). A. AES B. PGP C. SHA D. MD5 E. ECDHE

Answer: C,D Explanation: Hashing is used to prove the integrity of data to prove that it hasn't been modified. Hashing algorithms are used to derive a key mathematically from a message. The most common hashing standards for cryptographic applications are the SHA and MD algorithms.

QUESTION NO: 1123 Joe, a user, wants to protect sensitive information stored on his hard drive. He uses a program that encrypted the whole hard drive. Once the hard drive is fully encrypted, he uses the same program to create a hidden volume within the encrypted hard drive and stores the sensitive information within the hidden volume. This is an example of which of the following? (Select TWO). A. Multi-pass encryption B. Transport encryption C. Plausible deniability D. Steganography E. Transitive encryption F. Trust models

Answer: C,D Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. In this case, it is a hidden volume within the encrypted hard drive. In cryptography, deniable encryption may be used to describe steganographic techniques, where the very existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that an encrypted message exists. This then provides you with plausible deniability.

QUESTION NO: 1108 Ann wants to send a file to Joe using PKI. Which of the following should Ann use in order to sign the file? A. Joe's public key B. Joe's private key C. Ann's public key D. Ann's private key

Answer: D Explanation: The sender uses her private key, in this case Ann's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender—the public key—to decrypt the message. Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidentally, in transit.

QUESTION NO: 1102 The recovery agent is used to recover the: A. Root certificate B. Key in escrow C. Public key D. Private key

Answer: D Explanation: A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.

QUESTION NO: 1118 Which of the following types of trust models is used by a PKI? A. Transitive B. Open source C. Decentralized D. Centralized

Answer: D Explanation: PKI uses a centralized trust model. In a simple PKI there is a single centralized certification authority (CA). In a hierarchical trust model the root CA is the center of the model, with subordinate CAs lower in the hierarchy. Note: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. A trust model is a collection of rules that informs an application on how to decide the legitimacy of a digital certificate.

QUESTION NO: 1110 Company A sends a PGP encrypted file to company B. If company A used company B's public key to encrypt the file, which of the following should be used to decrypt data at company B? A. Registration B. Public key C. CRLs D. Private key

Answer: D Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him. Jordan uses his private key to decrypt the message.

QUESTION NO: 1113 Which of the following allows an organization to store a sensitive PKI component with a trusted third party? A. Trust model B. Public Key Infrastructure C. Private key D. Key escrow

Answer: D Explanation: Sensitive PKI data, such as private keys, can be placed in key escrow. The escrowed data can be kept at a trusted third party. Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees' private communications, or governments, who may wish to be able to view the contents of encrypted communications.

QUESTION NO: 1131 A system administrator wants to confidentially send a user name and password list to an individual outside the company without the information being detected by security controls. Which of the following would BEST meet this security goal? A. Digital signatures B. Hashing C. Full-disk encryption D. Steganography

Answer: D Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable, will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

QUESTION NO: 1122 A system administrator is setting up a file transfer server. The goal is to encrypt the user authentication and the files the user is sending using only a user ID and a key pair. Which of the following methods would achieve this goal? A. AES B. IPSec C. PGP D. SSH

Answer: D Explanation: With SSH you can use automatically generated public-private key pairs to encrypt a network connection, and then use password authentication to log on. Or you can use a manually generated public-private key pair to perform the authentication, allowing users or programs to log in without having to specify a password.

QUESTION NO: 1045 A security administrator must implement a wireless encryption system to secure mobile devices' communication. Some users have mobile devices which only support 56-bit encryption. Which of the following wireless encryption methods should be implemented? A. RC4 B. AES C. MD5 D. TKIP

Answer: A Explanation: RC4 is popular with wireless and WEP/WPA encryption. It is a streaming cipher that works with key sizes between 40 and 2048 bits, and it is used in SSL and TLS.

QUESTION NO: 1009 A network stream needs to be encrypted. Sara, the network administrator, has selected a cipher which will encrypt 8 bits at a time before sending the data across the network. Which of the following has Sara selected? A. Block cipher B. Stream cipher C. CRC D. Hashing algorithm

Answer: A Explanation: With a block cipher the algorithm works on chunks of data—encrypting one and then moving to the next. Example: Blowfish is an encryption system that performs a 64-bit block cipher at very fast speeds.

QUESTION NO: 1002 Which of the following protocols uses an asymmetric key to open a session and then establishes a symmetric key for the remainder of the session? A. SFTP B. HTTPS C. TFTP D. TLS

Answer: D Explanation: SSL establishes a session using asymmetric encryption and maintains the session using symmetric encryption.

QUESTION NO: 1059 Which of the following cryptographic related browser settings allows an organization to communicate securely? A. SSL 3.0/TLS 1.0 B. 3DES C. Trusted Sites D. HMAC

Answer: A Explanation: Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL in the future. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As of February 2015, the latest versions of all major web browsers support TLS 1.0, 1.1, and 1.2, and have them enabled by default.

QUESTION NO: 1073 Pete, an employee, needs a certificate to encrypt data. Which of the following would issue Pete a certificate? A. Certification authority B. Key escrow C. Certificate revocation list D. Registration authority

Answer: A Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.

QUESTION NO: 1076 A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network? A. A CRL B. Make the RA available C. A verification authority D. A redundant CA

Answer: A Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked.

QUESTION NO: 1033 Which of the following can be implemented with multiple bit strength? A. AES B. DES C. SHA-1 D. MD5 E. MD4

Answer: A Explanation: AES (a symmetric algorithm) uses key sizes of 128, 192, or 256 bits.

QUESTION NO: 1051 Jane, a VPN administrator, was asked to implement an encryption cipher with a MINIMUM effective security of 128-bits. Which of the following should Jane select for the tunnel encryption? A. Blowfish B. DES C. SHA256 D. HMAC

Answer: A Explanation: Blowfish is an encryption system that performs a 64-bit block cipher at very fast speeds. It is a symmetric block cipher that can use variable-length keys (from 32 bits to 448 bits). Among the alternatives listed above, it is the only cipher that can use a 128-bit key and which does provide additional security through a symmetric key.

QUESTION NO: 1084 Which of the following identifies certificates that have been compromised or suspected of being compromised? A. Certificate revocation list B. Access control list C. Key escrow registry D. Certificate authority

Answer: A Explanation: Certificates that have been compromised or are suspected of being compromised are revoked. A CRL is a locally stored record containing revoked certificates and revoked keys.

QUESTION NO: 1098 Which of the following allows a company to maintain access to encrypted resources when employee turnover is high? A. Recovery agent B. Certificate authority C. Trust model D. Key escrow

Answer: A Explanation: If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.

QUESTION NO: 1095 Which of the following is the MOST likely cause of users being unable to verify a single user's email signature and that user being unable to decrypt sent messages? A. Unmatched key pairs B. Corrupt key escrow C. Weak public key D. Weak private key

Answer: A Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The sender and receiver must have a matching key in order for the receiver to decrypt the data.

QUESTION NO: 1090 An administrator needs to renew a certificate for a web server. Which of the following should be submitted to a CA? A. CSR B. Recovery agent C. Private key D. CRL

Answer: A Explanation: In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. When you renew a certificate you send a CSR to the CA to get the certificate resigned.

QUESTION NO: 1047 Which of the following would provide the STRONGEST encryption? A. Random one-time pad B. DES with a 56-bit key C. AES with a 256-bit key D. RSA with a 1024-bit key

Answer: A Explanation: One-time pads are the only truly completely secure cryptographic implementations. They are so secure for two reasons. First, they use a key that is as long as a plaintext message. That means there is no pattern in the key application for an attacker to use. Also, one-time pad keys are used only once and then discarded. So even if you could break a one-time pad cipher, that same key would never be used again, so knowledge of the key would be useless.

QUESTION NO: 1032 Which of the following is used to verify data integrity? A. SHA B. 3DES C. AES D. RSA

Answer: A Explanation: SHA stands for "secure hash algorithm". SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used applications and protocols including TLS and SSL, PGP, SSH, S/MIME, and IPsec. It is used to ensure data integrity. Note: A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they're the same, there is a very high probability that the message was transmitted intact. This is how hashing is used to ensure data integrity.

QUESTION NO: 1064 Which of the following would be used as a secure substitute for Telnet? A. SSH B. SFTP C. SSL D. HTTPS

Answer: A Explanation: Secure Shell (SSH) is a tunneling protocol originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, security-equivalent programs for such Unix standards as Telnet, FTP, and many other communications-oriented applications. SSH is available for use on Windows systems as well. This makes it the preferred method of security for Telnet and other cleartext-oriented programs in the Unix environment.

QUESTION NO: 1087 Which of the following is true about the CRL? A. It should be kept public B. It signs other keys C. It must be kept secret D. It must be encrypted

Answer: A Explanation: The CRL must be public so that it can be known which keys and certificates have been revoked. In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

QUESTION NO: 1042 Which of the following uses both a public and private key? A. RSA B. AES C. MD5 D. SHA

Answer: A Explanation: The RSA algorithm is an early public-key encryption system that uses large integers as the basis for the process. RSA uses both a public key and a secret key. RSA key generation process:
1. Generate two large random primes, p and q, of approximately equal size such that their product, n = pq, is of the required bit length (such as 2048 bits, 4096 bits, and so forth). Let n = pq and let m = (p-1)(q-1).
2. Choose a small number e, co-prime to m (note: two numbers are co-prime if they have no common factors).
3. Find d, such that de % m = 1.
4. Publish e and n as the public key. Keep d and n as the secret key.

QUESTION NO: 1081 The finance department works with a bank which has recently had a number of cyber attacks. The finance department is concerned that the banking website certificates have been compromised. Which of the following can the finance department check to see if any of the bank's certificates are still valid? A. Bank's CRL B. Bank's private key C. Bank's key escrow D. Bank's recovery agent

Answer: A Explanation: The finance department can check whether any of the bank's certificates appear in the CRL. If a certificate is not in the CRL, and is within its validity period, it is still considered valid; the CRL consulted must itself be current, that is, fetched before its stated next-update date, or the check proves nothing. The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

QUESTION NO: 1069 Which of the following is used to certify intermediate authorities in a large PKI deployment? A. Root CA B. Recovery agent C. Root user D. Key escrow

Answer: A Explanation: The root CA certifies other certification authorities to publish and manage certificates within the organization. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree.

QUESTION NO: 1100 After encrypting all laptop hard drives, an executive officer's laptop has trouble booting to the operating system. Now that it is successfully encrypted the helpdesk cannot retrieve the data. Which of the following can be used to decrypt the information for retrieval? A. Recovery agent B. Private key C. Trust models D. Public key

Answer: A Explanation: To access the data the hard drive needs to be decrypted, which requires the proper private key (or the disk key that it protects). The key recovery agent can retrieve the required key. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. For this to work, the recovery agent's key must have been configured before the drives were encrypted; it cannot be added after the fact.

QUESTION NO: 1023 A security technician is attempting to access a wireless network protected with WEP. The technician does not know any information about the network. Which of the following should the technician do to gather information about the configuration of the wireless network? A. Spoof the MAC address of an observed wireless network client B. Ping the access point to discover the SSID of the network C. Perform a dictionary attack on the access point to enumerate the WEP key D. Capture client to access point disassociation packets to replay on the local PC's loopback

Answer: A Explanation: By observing which MAC addresses are already talking to the access point and cloning one of them, the technician appears to the access point as a station it already accepts. This gets around MAC allow/deny lists and lets the technician learn how the network is configured without knowing the WEP key. This is MAC spoofing; it is distinct from ARP spoofing (also known as ARP poisoning), in which a fake MAC-to-IP mapping is injected so that traffic intended for another host is delivered to the attacker, or to launch a DoS attack. In both cases the address being faked is an address of a legitimate user, which is what makes it possible to get around such measures as allow/deny lists. Note: As an example of why WEP is weak, the initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite small and means that IVs are reused with the same key. By examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack.

QUESTION NO: 1008 In order to securely communicate using PGP, the sender of an email must do which of the following when sending an email to a recipient for the first time? A. Import the recipient's public key B. Import the recipient's private key C. Export the sender's private key D. Export the sender's public key

Answer: A Explanation: See step 4 below.
1. When a user encrypts plaintext with PGP, PGP first compresses the plaintext.
2. PGP then creates a session key, which is a one-time-only secret key.
3. This session key works with a very secure, fast conventional (symmetric) encryption algorithm to encrypt the plaintext; the result is ciphertext.
4. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public-key-encrypted session key is transmitted along with the ciphertext to the recipient.
The sender therefore needs the recipient's public key, which must be imported (and its fingerprint verified out of band) before the first message can be sent.
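The following is an added example and not code from the original page or from PGP itself. It implements the four RSA key-generation steps listed under Q1042 as toy RSA, then runs the four PGP steps above with it: compress, draw a one-time session key, encrypt the body, and encrypt the session key to the recipient's public key. Assumptions, all for illustration only: tiny demonstration-sized primes, no OAEP padding, and a SHA-256 counter-mode keystream standing in for PGP's conventional cipher (real PGP uses a block cipher such as AES or CAST5). Python 3.8 or later is needed for pow(e, -1, m).

```python
import hashlib
import math
import os
import random
import zlib


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; plenty for demonstration-sized primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 256, e: int = 65537):
    """Steps 1-4 from the page. Returns (public_key, private_key) as (e, n), (d, n).
    256-bit n is a toy size chosen so the demo runs instantly; real keys are 2048+ bits."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)   # step 1
        if p == q:
            continue
        n, m = p * q, (p - 1) * (q - 1)
        if math.gcd(e, m) == 1:                                    # step 2: e co-prime to m
            break
    d = pow(e, -1, m)                                              # step 3: d*e % m == 1
    return (e, n), (d, n)                                          # step 4: publish (e, n), keep (d, n)


def keystream(session_key: bytes, length: int) -> bytes:
    """Stand-in conventional cipher: SHA-256(key || counter) blocks used as a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pgp_style_encrypt(plaintext: bytes, recipient_public_key):
    """Sender side: needs only the recipient's PUBLIC key (the point of Q1008)."""
    e, n = recipient_public_key
    data = zlib.compress(plaintext)                                 # 1. compress
    session_key = os.urandom(16)                                    # 2. one-time session key
    body = xor_bytes(data, keystream(session_key, len(data)))       # 3. conventional encryption
    k = int.from_bytes(session_key, "big")
    assert k < n, "session key must be smaller than the RSA modulus"
    wrapped_key = pow(k, e, n)                                      # 4. encrypt session key to recipient
    return wrapped_key, body


def pgp_style_decrypt(wrapped_key: int, body: bytes, recipient_private_key) -> bytes:
    """Recipient side: only the holder of d can unwrap the session key."""
    d, n = recipient_private_key
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return zlib.decompress(xor_bytes(body, keystream(session_key, len(body))))


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    wrapped, body = pgp_style_encrypt(b"quarterly numbers attached", pub)
    print(pgp_style_decrypt(wrapped, body, priv))
```

Note what the two halves need: pgp_style_encrypt is called with the recipient's public key only, and pgp_style_decrypt with the recipient's private key only; the sender's own keys never enter the picture unless the message is also signed.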

QUESTION NO: 1052 When using PGP, which of the following should the end user protect from compromise? (Select TWO). A. Private key B. CRL details C. Public key D. Key password E. Key escrow F. Recovery agent

Answer: A,D Explanation: A: In PGP only the private key belonging to the receiver can decrypt the session key. PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key. D: PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key.

QUESTION NO: 1066 A security engineer is asked by the company's development team to recommend the most secure method for password storage. Which of the following provide the BEST protection against brute forcing stored passwords? (Select TWO). A. PBKDF2 B. MD5 C. SHA2 D. Bcrypt E. AES F. CHAP

Answer: A,D Explanation: A: PBKDF2 (Password-Based Key Derivation Function 2) is defined in PKCS #5 v2.0 (RFC 2898, updated as v2.1 in RFC 8018). It applies a pseudorandom function (an HMAC built on a hash such as SHA-256) to the password or passphrase along with a salt, repeated for a configurable number of iterations, to produce a derived key; the iteration count is what makes each guess expensive. D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the cost factor can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. The bcrypt function is the default password hash algorithm for OpenBSD and is available on many other systems. MD5 and SHA-2 on their own are fast, unsalted hashes designed for integrity, not for slowing down guessing, which is why they are poor choices for password storage. References: Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
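An added example, not from the page or the Sybex guide: PBKDF2-HMAC-SHA256 password storage using only the Python standard library, next to the unsalted MD5 that the question rejects. The iteration count, the record format and the sample passwords are assumptions for the demonstration; the count should be tuned by timing a verification on the hardware that will check logins. bcrypt is not shown because it needs a third-party package.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed policy value; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (hex)."""
    salt = os.urandom(16)                                   # unique per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and count, then compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # no early-exit timing leak


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Adaptive cost in practice: when the policy's count rises, records made with
    the old count are rehashed at the user's next successful login."""
    return int(record.split("$")[1]) < iterations


def unsalted_md5(password: str) -> str:
    """The weak alternative: the same password yields the same hash for every user,
    one guess costs one fast hash, and precomputed (rainbow) tables apply directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

The record carries its own salt and iteration count, so the verifier never needs a global setting to check an old record, and needs_rehash lets the cost be raised without forcing password resets.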

QUESTION NO: 1088 A system administrator is notified by a staff member that their laptop has been lost. The laptop contains the user's digital certificate. Which of the following will help resolve the issue? (Select TWO). A. Revoke the digital certificate B. Mark the key as private and import it C. Restore the certificate using a CRL D. Issue a new digital certificate E. Restore the certificate using a recovery agent

Answer: A,D Explanation: The user's certificate must be revoked, because the private key on the lost laptop has to be treated as compromised; revocation ensures that whoever has the laptop cannot use it to reach the resources the user had access to. To restore the user's access, a new key pair and a new certificate must be issued. Restoring the old certificate would put the compromised key back into service, which is exactly what must be avoided.

QUESTION NO: 1049 Which of the following should be used when a business needs a block cipher with minimal key size for internal encryption? A. AES B. Blowfish C. RC5 D. 3DES

Answer: B Explanation: Blowfish, designed by Bruce Schneier, is a symmetric block cipher with a 64-bit block that runs at very fast speeds and accepts variable-length keys from 32 bits to 448 bits, so it offers the smallest minimum key size of the options listed. Note that a 32-bit key is trivially brute-forced, and the 64-bit block size is itself a weakness today (see the SWEET32 attack); AES, with a 128-bit block and a minimum 128-bit key, is the right choice for anything new.

QUESTION NO: 1035 Which of the following provides additional encryption strength by repeating the encryption process with additional keys? A. AES B. 3DES C. TwoFish D. Blowfish

Answer: B Explanation: Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the nominal key length to 168 bits (using three 56-bit DES keys), although meet-in-the-middle attacks reduce the effective strength to about 112 bits, and its 64-bit block size limits how much data can safely be encrypted under one key. NIST has deprecated 3DES and disallows it for new applications.

QUESTION NO: 1037 A bank has a fleet of aging payment terminals used by merchants for transactional processing. The terminals currently support single DES but require an upgrade in order to be compliant with security standards. Which of the following is likely to be the simplest upgrade to the aging terminals which will improve in-transit protection of transactional data? A. AES B. 3DES C. RC4 D. WPA2

Answer: B Explanation: 3DES (Triple DES) is based on DES. In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The electronic payment industry uses Triple DES and continues to develop and promulgate standards based upon it (e.g. EMV). Microsoft OneNote, Microsoft Outlook 2007, and Microsoft System Center Configuration Manager 2012, use Triple DES to password protect user content and system data.

QUESTION NO: 1070 Which of the following components MUST be trusted by all parties in PKI? A. Key escrow B. CA C. Private key D. Recovery key

Answer: B Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. In a simple trust model all parties must trust the CA. In a more complicated trust model all parties must trust the Root CA.

QUESTION NO: 1062 Which of the following protocols encapsulates an IP packet with an additional IP header? A. SFTP B. IPSec C. HTTPS D. SSL

Answer: B Explanation: IPsec in tunnel mode encapsulates the entire original IP packet (header and payload) inside a new IP packet with an additional outer IP header, which is what lets it carry traffic between two gateways across an untrusted network. Authentication Header (AH, IP protocol number 51) and Encapsulating Security Payload (ESP, IP protocol number 50) are the two members of the IPsec protocol suite that operate directly on top of IP; both can be used in tunnel mode, and ESP is the one that provides encryption.

QUESTION NO: 1050 Sara, a security engineer, is testing encryption ciphers for performance. Which of the following ciphers offers strong encryption with the FASTEST speed? A. 3DES B. Blowfish C. Serpent D. AES256

Answer: B Explanation: Blowfish, designed by Bruce Schneier, is a symmetric 64-bit block cipher that runs at very fast speeds in software. Blowfish is fast except when changing keys, because its key schedule is expensive. It can use variable-length keys (from 32 bits to 448 bits). This comparison reflects software-only implementations of its era; on processors with AES hardware instructions (AES-NI), AES is now typically faster than Blowfish and has the safer 128-bit block.

QUESTION NO: 1043 Which of the following ciphers would be BEST used to encrypt streaming video? A. RSA B. RC4 C. SHA1 D. 3DES

Answer: B Explanation: In cryptography, RC4 is the most widely used software stream cipher and was used in popular Internet protocols such as Transport Layer Security (TLS). While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP. Because RC4 is a stream cipher, it is more malleable than common block ciphers. If not used together with a strong message authentication code (MAC), then encryption is vulnerable to a bit-flipping attack. The cipher is also vulnerable to a stream cipher attack if not implemented correctly. Furthermore, inadvertent double encryption of a message with the same key may accidentally output plaintext rather than ciphertext because the involutory nature of the XOR function would result in the second operation reversing the first. It is noteworthy, however, that RC4, being a stream cipher, was for a period of time the only common cipher that was immune to the 2011 BEAST attack on TLS 1.0. The attack exploits a known weakness in the way cipher block chaining mode is used with all of the other ciphers supported by TLS 1.0, which are all block ciphers. RC4 has since been prohibited in TLS (RFC 7465, 2015); for streaming data today an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 is the appropriate choice.

QUESTION NO: 1015 Which of the following concepts is used by digital signatures to ensure integrity of the data? A. Non-repudiation B. Hashing C. Transport encryption D. Key escrow

Answer: B Explanation: Most digital signature implementations hash the message and sign the hash rather than the whole message; checking that hash on receipt verifies that the message has not been altered, intentionally or accidentally, in transit.

QUESTION NO: 1056 Which of the following offers the LEAST secure encryption capabilities? A. TwoFish B. PAP C. NTLM D. CHAP

Answer: B Explanation: PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It is used as a last resort when the remote server does not support a stronger authentication protocol, like CHAP or EAP.

QUESTION NO: 1014 All of the following are valid cryptographic hash functions EXCEPT: A. RIPEMD. B. RC4. C. SHA-512. D. MD4.

Answer: B Explanation: RC4 is not a hash function. RC4 is popular with wireless and WEP/WPA encryption.

QUESTION NO: 1013 Which of the following concepts is enforced by certifying that email communications have been sent by who the message says it has been sent by? A. Key escrow B. Non-repudiation C. Multifactor authentication D. Hashing

Answer: B Explanation: In digital security, non-repudiation means a service that provides proof of the integrity and origin of data, an authentication that can be asserted to be genuine with high assurance. A digital signature created with the sender's private key provides this for email, because only the holder of that private key could have produced the signature, so the sender cannot later deny having sent the message.

QUESTION NO: 1022 Which of the following types of cryptography should be used when minimal overhead is necessary for a mobile device? A. Block cipher B. Elliptical curve cryptography C. Diffie-Hellman algorithm D. Stream cipher

Answer: B Explanation: Regarding the performance of ECC applications on various mobile devices, ECC is the most suitable PKC (public-key cryptography) scheme for use in a constrained environment. Note: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography (with plain Galois fields as a basis) is the same level of security provided by keys of smaller size; a 256-bit ECC key is comparable to a 3072-bit RSA key. Smaller keys mean less computation, bandwidth, and storage, which is what matters on a battery-powered device.

QUESTION NO: 1058 Which of the following protocols is the security administrator observing in this packet capture? 12:33:43, SRC 192.168.4.3:3389, DST 10.67.33.20:8080, SYN/ACK A. HTTPS B. RDP C. HTTP D. SFTP

Answer: B Explanation: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP servers listen on TCP port 3389. The capture shows a SYN/ACK, which is the server's reply in the TCP handshake, with 3389 as the source port; the 8080 on the other side is simply the client's ephemeral port, not an HTTP service. Example of RDP tracing output: No. Time Delta Source Destination Protocol Length Info 5782, 2013-01-06 09:52:15.407, 0.000, SRC 10.7.3.187, DST 10.0.107.58, TCP, 62, 3389 > 59193 [SYN, ACK]

QUESTION NO: 1065 Which of the following protocols provides transport security for virtual terminal emulation? A. TLS B. SSH C. SCP D. S/MIME

Answer: B Explanation: Secure Shell (SSH) is a tunneling protocol originally designed for Unix systems. It uses encryption to establish a secure connection between two systems. SSH also provides alternative, security-equivalent programs for such Unix standards as Telnet, FTP, and many other communications-oriented applications. SSH is available for use on Windows systems as well. This makes it the preferred method of security for Telnet and other cleartext-oriented programs in the Unix environment.

QUESTION NO: 1019 Which of the following must a user implement if they want to send a secret message to a coworker by embedding it within an image? A. Transport encryption B. Steganography C. Hashing D. Digital signature

Answer: B Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

QUESTION NO: 1026 Which of the following provides the strongest authentication security on a wireless network? A. MAC filter B. WPA2 C. WEP D. Disable SSID broadcast

Answer: B Explanation: The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication protocols were designed to address the core, easy-to-crack problems of WEP. WPA2 uses AES-CCMP for encryption and, in enterprise mode, 802.1X/EAP for per-user authentication. MAC filtering and disabling the SSID broadcast are not authentication at all: both are bypassed by anyone who can sniff the air and copy an observed MAC address or network name.

QUESTION NO: 1027 Which of the following is a concern when encrypting wireless data with WEP? A. WEP displays the plain text entire key when wireless packet captures are reassembled B. WEP implements weak initialization vectors for key transmission C. WEP uses a very weak encryption algorithm D. WEP allows for only four pre-shared keys to be configured

Answer: B Explanation: The initialization vector (IV) that WEP uses for encryption is 24-bit, which is quite weak and means that IVs are reused with the same key. By examining the repeating result, it was easy for attackers to crack the WEP secret key. This is known as an IV attack.
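An added example, not code from the page: a minimal RC4 and a WEP-style frame, used to show the two failure modes this section describes, keystream reuse when the 24-bit IV repeats (this question) and the bit-flipping attack on an unauthenticated stream cipher (mentioned under Q1043). The shared key, the IV and the packet contents are constructed for the demonstration; the frame layout (3-byte IV in the clear, RC4 over plaintext plus CRC-32 ICV) follows WEP but omits the 802.11 headers.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


WEP_KEY = bytes.fromhex("0123456789")      # constructed 40-bit shared secret


def crc32_le(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame: IV sent in clear, then RC4(IV || key) over plaintext || CRC-32 ICV."""
    return iv + rc4(iv + WEP_KEY, plaintext + crc32_le(plaintext))


def wep_decrypt(frame: bytes):
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + WEP_KEY, body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, crc32_le(plaintext) == icv


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 xor C2 == P1 xor P2:
    an eavesdropper learns the relationship between plaintexts without the key."""
    assert frame1[:3] == frame2[:3], "demo expects a repeated IV"
    n = min(len(frame1), len(frame2)) - 3
    return xor_bytes(frame1[3:3 + n], frame2[3:3 + n])


def expected_frames_before_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound: randomly chosen IVs start repeating after about sqrt(pi/2 * 2^bits)
    frames, a few thousand packets for WEP, i.e. seconds on a busy network."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def flip_bits(frame: bytes, offset: int, delta: int) -> bytes:
    """Bit-flipping without the key: XOR `delta` into one ciphertext byte and patch
    the encrypted ICV using CRC-32 linearity (crc(a^b) = crc(a)^crc(b)^crc(0)),
    so the forged frame still passes the integrity check."""
    iv, body = frame[:3], bytearray(frame[3:])
    plen = len(body) - 4
    delta_vec = bytes(delta if i == offset else 0 for i in range(plen))
    body[offset] ^= delta
    icv_delta = zlib.crc32(delta_vec) ^ zlib.crc32(bytes(plen))
    for k, b in enumerate(struct.pack("<I", icv_delta & 0xFFFFFFFF)):
        body[plen + k] ^= b
    return iv + bytes(body)
```

The CRC-32 patch is the part worth studying: a checksum is linear, so an attacker can predict how it changes under a known plaintext change; a keyed MAC (as in WPA2's CCMP) has no such property, which is why the page's advice to pair a stream cipher with a strong MAC matters.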

QUESTION NO: 1060 Recent data loss on financial servers due to security breaches forced the system administrator to harden their systems. Which of the following algorithms with transport encryption would be implemented to provide the MOST secure web connections to manage and access these servers? A. SSL B. TLS C. HTTP D. FTP

Answer: B Explanation: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. TLS is the security protocol that expanded upon and replaced SSL. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0; SSL 3.0 itself was formally deprecated by RFC 7568 in 2015 and should be disabled. As of February 2015, the latest versions of all major web browsers supported TLS 1.0, 1.1, and 1.2 and had them enabled by default. For administrative access to hardened servers, TLS 1.2 or later is what should be offered.

QUESTION NO: 1010 The concept of rendering data passing between two points over an IP based network impervious to all but the most sophisticated advanced persistent threats is BEST categorized as which of the following? A. Stream ciphers B. Transport encryption C. Key escrow D. Block ciphers

Answer: B Explanation: Transport encryption is the process of encrypting data ready to be transmitted over an insecure network. A common example of this would be online banking or online purchases where sensitive information such as account numbers or credit card numbers is transmitted. Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

QUESTION NO: 1055 Connections using point-to-point protocol authenticate using which of the following? (Select TWO). A. RIPEMD B. PAP C. CHAP D. RC4 E. Kerberos

Answer: B,C Explanation: B: A password authentication protocol (PAP) is an authentication protocol that uses a password. PAP is used by Point to Point Protocol to validate users before allowing them access to server resources; it sends the password in the clear. C: CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake, and never sends the password itself, only a hash of the challenge combined with the secret.

QUESTION NO: 1046 Which of the following can use RC4 for encryption? (Select TWO). A. CHAP B. SSL C. WEP D. AES E. 3DES

Answer: B,C Explanation: B: In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is the most widely used software stream cipher and was used in popular Internet protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) until it was prohibited in TLS by RFC 7465. C: WEP also uses RC4; however, WEP is insecure regardless, because of how it derives per-packet keys from a 24-bit IV. AES and 3DES are block ciphers in their own right and CHAP is an authentication protocol, so none of them "use" RC4.

QUESTION NO: 1012 Which of the following ports should be opened on a firewall to allow for NetBIOS communication? (Select TWO). A. 110 B. 137 C. 139 D. 143 E. 161 F. 443

Answer: B,C Explanation: NetBIOS over TCP/IP provides three services on four ports: Name service for name registration and resolution (137/udp and 137/tcp); Datagram distribution service for connectionless communication (138/udp); Session service for connection-oriented communication (139/tcp). Ports 137 and 139 are the two that appear among the choices. Exposing these ports to untrusted networks is a well-known risk; open them only toward the networks that need them.

QUESTION NO: 1057 Which of the following algorithms has well documented collisions? (Select TWO). A. AES B. MD5 C. SHA D. SHA-256 E. RSA

Answer: B,C Explanation: B: MD5's biggest weakness is that it does not have strong collision resistance, and thus it is no longer recommended for use. C: SHA-1 (also known as SHA) is being retired from most government uses; the U.S. National Institute of Standards and Technology said, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010", though that deadline was later relaxed. A practical SHA-1 collision was published in 2017. Note: The hashing algorithm must have few or no collisions. This means that hashing two different inputs does not give the same output. Cryptographic hash functions are usually designed to be collision resistant. But many hash functions that were once thought to be collision resistant were later broken. MD5 and SHA-1 in particular both have published techniques more efficient than brute force for finding collisions; SHA-256 has none.

QUESTION NO: 1096 In PKI, a key pair consists of: (Select TWO). A. A key ring B. A public key C. A private key D. Key escrow E. A passphrase

Answer: B,C Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The key pair consists of these two keys.

QUESTION NO: 1048 Which of the following symmetric key algorithms are examples of block ciphers? (Select THREE). A. RC4 B. 3DES C. AES D. MD5 E. PGP F. Blowfish

Answer: B,C,F Explanation: B: Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each 64-bit data block. C: Advanced Encryption Standard (AES) is a 128-bit block cipher that has replaced DES as the current standard, and it uses the Rijndael algorithm. It was developed by Joan Daemen and Vincent Rijmen. AES is the current product used by U.S. governmental agencies. F: Blowfish, designed by Bruce Schneier, is a 64-bit block cipher that runs at very fast speeds. RC4 is a stream cipher, MD5 is a hash, and PGP is an application rather than an algorithm.

QUESTION NO: 1099 Pete, an employee, is terminated from the company and the legal department needs documents from his encrypted hard drive. Which of the following should be used to accomplish this task? (Select TWO). A. Private hash B. Recovery agent C. Public key D. Key escrow E. CRL

Answer: B,D Explanation: B: If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys. D: If a key needs to be recovered for legal purposes the key escrow can be used. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

QUESTION NO: 1036 Which of the following are restricted to 64-bit block sizes? (Select TWO). A. PGP B. DES C. AES256 D. RSA E. 3DES F. AES

Answer: B,E Explanation: B: The Data Encryption Standard (DES) has been used since the mid-1970s. It was the primary standard used in government and industry until it was replaced by AES. It operates on 64-bit blocks, is based on a 56-bit key, and has several modes that offer security and integrity. It is now considered insecure because of the small key size. E: Triple-DES (3DES) is a technological upgrade of DES that keeps the 64-bit block. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the nominal key length to 168 bits (using three 56-bit DES keys). The 64-bit block shared by DES and 3DES is itself a weakness: after roughly 2^32 blocks under one key, block collisions become likely (the SWEET32 attack), which is one reason AES, with its 128-bit block, replaced them.

QUESTION NO: 1030 Joe, an employee, was escorted from the company premises due to suspicion of revealing trade secrets to a competitor. Joe had already been working for two hours before leaving the premises. A security technician was asked to prepare a report of files that had changed since last night's integrity scan. Which of the following could the technician use to prepare the report? (Select TWO). A. PGP B. MD5 C. ECC D. AES E. Blowfish F. HMAC

Answer: B,F Explanation: B: MD5 can be used to locate the data which has changed. The Message Digest Algorithm (MD) creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2. F: A common method of verifying integrity involves adding a message authentication code (MAC) to the message. HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. For a change report against a trusted baseline, either detects modification, but the keyed HMAC is preferable: a plain MD5 or SHA list can be recomputed by an intruder who can also edit the baseline file, whereas HMAC tags cannot be forged without the key. MD5 should not be relied on where an adversary can choose both versions of a file, because MD5 collisions are practical; SHA-256 is the modern choice for the plain-hash case.
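An added example (not the page's code) for this question and for the hash-based integrity check described in the first explanation of this section: an integrity baseline built with HMAC-SHA256, the comparison that produces the "changed since last night" report, and a seal over the baseline itself so that a tampered baseline file is also detected. The two "file systems" are constructed dicts of path to content standing in for last night's scan and this morning's state; the key and paths are invented for the demonstration.

```python
import hashlib
import hmac
import json

SCAN_KEY = b"constructed-demo-key-keep-this-off-the-scanned-host"

LAST_NIGHT = {                                   # constructed: state at the overnight scan
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/srv/rnd/formula.txt": b"ratio 3:1, cure 40min\n",
    "/home/joe/notes.txt": b"todo: expense report\n",
}

THIS_MORNING = {                                 # constructed: state after Joe's two hours
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/srv/rnd/formula.txt": b"ratio 3:1, cure 40min\n-- copied to usb --\n",
    "/home/joe/exfil.zip": b"PK\x03\x04...",
}


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Plain hash of one file (MD5 or SHA-2): enough to spot a change, but an intruder
    who can edit files can recompute it unless the baseline itself is protected."""
    return hashlib.new(algorithm, data).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """path -> HMAC-SHA256 tag. Without the key, a matching tag cannot be forged."""
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}


def compare_to_baseline(files: dict, baseline: dict, key: bytes) -> dict:
    """The report the technician was asked for: changed, added and removed paths."""
    current = build_baseline(files, key)
    return {
        "changed": sorted(p for p in files if p in baseline
                          and not hmac.compare_digest(current[p], baseline[p])),
        "added": sorted(p for p in files if p not in baseline),
        "removed": sorted(p for p in baseline if p not in files),
    }


def seal_baseline(baseline: dict, key: bytes) -> str:
    """One HMAC over the canonical baseline so a rewritten baseline file is itself caught."""
    canonical = json.dumps(baseline, sort_keys=True).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_sealed(baseline: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_baseline(baseline, key), seal)
```

The key must live somewhere the monitored host cannot read, for instance on the system that runs the scan, otherwise it buys nothing over the plain hashes.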

QUESTION NO: 1020 Digital Signatures provide which of the following? A. Confidentiality B. Authorization C. Integrity D. Authentication E. Availability

Answer: C Explanation: A digital signature is similar in function to a standard signature on a document. It validates the integrity of the message and the identity of the sender. Integrity is the property the exam expects here, but a signature also provides authentication of the signer and non-repudiation. It does not provide confidentiality: signing does not encrypt the message.

QUESTION NO: 1085 When employees that use certificates leave the company they should be added to which of the following? A. PKI B. CA C. CRL D. TKIP

Answer: C Explanation: The certificates of the leaving employees must be made unusable. This is done by revoking them. The revoked certificates end up in the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

QUESTION NO: 1063 A new MPLS network link has been established between a company and its business partner. The link provides logical isolation in order to prevent access from other business partners. Which of the following should be applied in order to achieve confidentiality and integrity of all data across the link? A. MPLS should be run in IPVPN mode. B. SSL/TLS for all application flows. C. IPSec VPN tunnels on top of the MPLS link. D. HTTPS and SSH for all application flows.

Answer: C Explanation: IPSec can very well be used with MPLS, providing VPN tunnels on top of the MPLS link. MPLS itself only labels and isolates traffic; it does not encrypt, so confidentiality and integrity require a cryptographic layer. IPSec in tunnel mode wraps each original packet, headers included, inside a new IP packet. It is oriented primarily toward LAN-to-LAN (gateway-to-gateway) connections, but it can also be used for remote-access connections. IPSec provides authentication, integrity and encryption of data and, in tunnel mode, of the original headers; this makes it a good choice for protecting all traffic across the link, whereas SSL/TLS or HTTPS and SSH protect only the individual application flows that use them.

QUESTION NO: 1074 When reviewing a digital certificate for accuracy, which of the following would Matt, a security administrator, focus on to determine who affirms the identity of the certificate owner? A. Trust models B. CRL C. CA D. Recovery agent

Answer: C Explanation: A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. The CA affirms the identity of the certificate owner.

QUESTION NO: 1092 In which of the following scenarios is PKI LEAST hardened? A. The CRL is posted to a publicly accessible location. B. The recorded time offsets are developed with symmetric keys. C. A malicious CA certificate is loaded on all the clients. D. All public keys are accessed by an unauthorized user.

Answer: C Explanation: A rogue Certification Authority (CA) certificate allows malicious users to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate would be seen as trusted by Web browsers, and it is harmful because it can appear to be signed by one of the root CAs that browsers trust by default. A rogue Certification Authority (CA) certificate can be created using a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure Web sites.

QUESTION NO: 1078 Which of the following MUST be updated immediately when an employee is terminated to prevent unauthorized access? A. Registration B. CA C. CRL D. Recovery agent

Answer: C Explanation: Certificates or keys for the terminated employee should be revoked, which places them in the CRL. A certificate revocation list (CRL) is created and signed by the issuing CA and published so that every relying party can check whether a particular certificate has been revoked. Because CRLs are distributed on a schedule, a relying party may not see the revocation until it fetches the next CRL; publishing an updated CRL immediately, or answering via OCSP, closes that window.

QUESTION NO: 1021 Matt, a security analyst, needs to select an asymmetric encryption method that allows for the same level of encryption strength with a lower key length than is typically necessary. Which of the following encryption methods offers this capability? A. Twofish B. Diffie-Hellman C. ECC D. RSA

Answer: C Explanation: Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits in comparison with non-ECC cryptography (with plain Galois fields as a basis) is the same level of security provided by keys of smaller size.

QUESTION NO: 1072 A company's security administrator wants to manage PKI for internal systems to help reduce costs. Which of the following is the FIRST step the security administrator should take? A. Install a registration server. B. Generate shared public and private keys. C. Install a CA D. Establish a key escrow policy.

Answer: C Explanation: PKI is a two-key, asymmetric system with four main components: a certificate authority (CA), a registration authority (RA), an asymmetric algorithm such as RSA or ECC, and digital certificates. When you implement a PKI you should start by installing a CA, because its key signs everything that follows; the RA, the end-entity key pairs and any escrow policy all depend on a CA being in place.

QUESTION NO: 1016 A security administrator discovers an image file that has several plain text documents hidden in the file. Which of the following security goals is met by camouflaging data inside of other files? A. Integrity B. Confidentiality C. Steganography D. Availability

Answer: C Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

QUESTION NO: 1017 A security analyst discovered data such as images and word documents hidden within different types of files. Which of the following cryptographic concepts describes what was discovered? A. Symmetric encryption B. Non-repudiation C. Steganography D. Hashing

Answer: C Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.
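An added example, not the page's code, for this question and for Q1016 and Q1019: least-significant-bit (LSB) steganography, the common way of camouflaging a message inside an image. The cover is a constructed 8-bit greyscale "image" represented as a bytes object of pixel values; a real image would be decoded with an imaging library and its pixel bytes fed to the same functions. The message and the 4-byte length header are conventions chosen for this demonstration.

```python
import struct


def capacity_bytes(cover: bytes) -> int:
    """One message bit per pixel, minus the 4-byte length header."""
    return len(cover) // 8 - 4


def embed(cover: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of each pixel with the next payload bit. Every pixel
    value changes by at most 1, which is invisible to the eye."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("cover too small: %d bytes needed, %d available"
                         % (len(message), capacity_bytes(cover)))
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(stego: bytes, start: int, count: int):
    """Reassemble `count` bytes from the LSBs starting at pixel `start`."""
    result = bytearray()
    pos = start
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | (stego[pos] & 1)
            pos += 1
        result.append(value)
    return bytes(result), pos


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes. An implausible length is the
    usual sign that the file carries no LSB payload, or not one in this format."""
    if len(stego) < 32:
        raise ValueError("no room for a header")
    header, pos = _read_bytes(stego, 0, 4)
    length = struct.unpack(">I", header)[0]
    if pos + length * 8 > len(stego):
        raise ValueError("no valid payload: header claims %d bytes" % length)
    body, _ = _read_bytes(stego, pos, length)
    return body


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How far any pixel moved; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))
```

Two practical notes follow from the code: the stego image must be saved losslessly (PNG or BMP), since JPEG compression destroys the low bits; and an analyst who suspects LSB hiding can run extract against a file and judge whether the decoded header is plausible, which is the simplest form of the detection described in Q1016/Q1017.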

QUESTION NO: 1007 Users need to exchange a shared secret to begin communicating securely. Which of the following is another name for this symmetric key? A. Session Key B. Public Key C. Private Key D. Digital Signature

Answer: C Explanation: Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn't disclosed to people who aren't authorized to use the encryption system.

QUESTION NO: 1079 Which of the following provides a static record of all certificates that are no longer valid? A. Private key B. Recovery agent C. CRLs D. CA

Answer: C Explanation: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.

QUESTION NO: 1089 Which of the following protocols is used to validate whether trust is in place and accurate by returning responses of either "good", "unknown", or "revoked"? A. CRL B. PKI C. OCSP D. RA

Answer: C Explanation: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

QUESTION NO: 1028 Which of the following provides the HIGHEST level of confidentiality on a wireless network? A. Disabling SSID broadcast B. MAC filtering C. WPA2 D. Packet switching

Answer: C Explanation: The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) authentication protocols were designed to address the core, easy-to-crack problems of WEP.

QUESTION NO: 1071 Company employees are required to have workstation client certificates to access a bank website. These certificates were backed up as a precautionary step before the new computer upgrade. After the upgrade and restoration, users state they can access the bank's website, but not log in. Which of the following is MOST likely the issue? A. The IP addresses of the clients have changed B. The client certificate passwords have expired on the server C. The certificates have not been installed on the workstations D. The certificates have been installed on the CA

Answer: C Explanation: The computer certificates must be installed on the upgraded client computers.

QUESTION NO: 1086 Which of the following should a security technician implement to identify untrusted certificates? A. CA B. PKI C. CRL D. Recovery agent

Answer: C Explanation: Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included.

QUESTION NO: 1029 While setting up a secure wireless corporate network, which of the following should Pete, an administrator, avoid implementing? A. EAP-TLS B. PEAP C. WEP D. WPA

Answer: C Explanation: WEP is one of the more vulnerable security protocols. The only time to use WEP is when you must have compatibility with older devices that do not support new encryption.

QUESTION NO: 1044 Due to hardware limitations, a technician must implement a wireless encryption algorithm that uses the RC4 protocol. Which of the following is a wireless encryption solution that the technician should implement while ensuring the STRONGEST level of security? A. WPA2-AES B. 802.11ac C. WPA-TKIP D. WEP

Answer: C Explanation: WPA-TKIP uses the RC4 cipher. TKIP and the related WPA standard implement three new security features to address security problems encountered in WEP-protected networks. First, TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization. WEP, in comparison, merely concatenated the initialization vector to the root key and passed this value to the RC4 routine. This permitted the vast majority of the RC4-based WEP related-key attacks. Second, WPA implements a sequence counter to protect against replay attacks. Packets received out of order will be rejected by the access point. Finally, TKIP implements a 64-bit Message Integrity Check (MIC). To be able to run on legacy WEP hardware with minor upgrades, TKIP uses RC4 as its cipher. TKIP also provides a rekeying mechanism. TKIP ensures that every data packet is sent with a unique encryption key.

QUESTION NO: 1061 A security administrator has been tasked with setting up a new internal wireless network that must use end to end TLS. Which of the following may be used to meet this objective? A. WPA B. HTTPS C. WEP D. WPA 2

Answer: D Explanation: Wi-Fi Protected Access 2 (WPA2) was intended to provide security that's equivalent to that on a wired network, and it implements elements of the 802.11i standard. In April 2010, the Wi-Fi Alliance announced the inclusion of additional Extensible Authentication Protocol (EAP) types in its WPA- and WPA2-Enterprise certification programs. EAP-TLS is included in this certification program. Note: Although WPA mandates the use of TKIP, WPA2 requires Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses 128-bit AES encryption with a 48-bit initialization vector. The larger initialization vector increases the difficulty of cracking and minimizes the risk of a replay attack.

QUESTION NO: 1038 Which of the following would Matt, a security administrator, use to encrypt transmissions from an internal database to an internal server, keeping in mind that the encryption process must add as little latency to the process as possible? A. ECC B. RSA C. SHA D. 3DES

Answer: D Explanation: 3DES would be less secure compared to ECC, but 3DES would require less computational power. Triple-DES (3DES) is a technological upgrade of DES. 3DES is still used, even though AES is the preferred choice for government applications. 3DES is considerably harder to break than many other systems, and it's more secure than DES. It increases the key length to 168 bits (using three 56-bit DES keys).

QUESTION NO: 1082 A security administrator needs a locally stored record to remove the certificates of a terminated employee. Which of the following describes a service that could meet these requirements? A. OCSP B. PKI C. CA D. CRL

Answer: D Explanation: A CRL is a locally stored record containing revoked certificates and revoked keys.

QUESTION NO: 1083 Public key certificates and keys that are compromised or were issued fraudulently are listed on which of the following? A. PKI B. ACL C. CA D. CRL

Answer: D Explanation: A CRL is a locally stored record containing revoked certificates and revoked keys.

QUESTION NO: 1068 A certificate authority takes which of the following actions in PKI? A. Signs and verifies all infrastructure messages B. Issues and signs all private keys C. Publishes key escrow lists to CRLs D. Issues and signs all root certificates

Answer: D Explanation: A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is part of a public key infrastructure (PKI) scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA). Note: In cryptography and computer security, a root certificate is an unsigned public key certificate (also called self-signed certificate) that identifies the Root Certificate Authority (CA).

QUESTION NO: 1075 Joe, a user, reports to the system administrator that he is receiving an error stating his certificate has been revoked. Which of the following is the name of the database repository for these certificates? A. CSR B. OCSP C. CA D. CRL

Answer: D Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key.

QUESTION NO: 1077 A CRL is comprised of: A. Malicious IP addresses. B. Trusted CAs. C. Untrusted private keys. D. Public keys.

Answer: D Explanation: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked. The certificates for which a CRL should be maintained are often X.509/public key certificates, as this format is commonly used by PKI schemes.

QUESTION NO: 1067 Deploying a wildcard certificate is one strategy to: A. Secure the certificate's private key. B. Increase the certificate's encryption key length. C. Extend the renewal date of the certificate. D. Reduce the certificate management burden.

Answer: D Explanation: A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. This saves money and reduces the burden of managing multiple certificates, one for each subdomain. A single wildcard certificate for *.example.com will secure all of these domains: payment.example.com, contact.example.com, login-secure.example.com, www.example.com. Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops), a domain such as test.login.example.com would not be valid for the certificate.

QUESTION NO: 1034 To ensure compatibility with their flagship product, the security engineer is tasked to recommend an encryption cipher that will be compatible with the majority of third party software and hardware vendors. Which of the following should be recommended? A. SHA B. MD5 C. Blowfish D. AES

Answer: D Explanation: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is used to encrypt data, not to verify data integrity.

QUESTION NO: 1004 Which of the following is true about asymmetric encryption? A. A message encrypted with the private key can be decrypted by the same key B. A message encrypted with the public key can be decrypted with a shared key. C. A message encrypted with a shared key, can be decrypted by the same key. D. A message encrypted with the public key can be decrypted with the private key.

Answer: D Explanation: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes.

QUESTION NO: 1018 Which of the following can hide confidential or malicious data in the whitespace of other files (e.g. JPEGs)? A. Hashing B. Transport encryption C. Digital signatures D. Steganography

Answer: D Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable, will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

QUESTION NO: 1091 An administrator needs to submit a new CSR to a CA. Which of the following is a valid FIRST step? A. Generate a new private key based on AES. B. Generate a new public key based on RSA. C. Generate a new public key based on AES. D. Generate a new private key based on RSA.

Answer: D Explanation: Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The private key is needed to produce the CSR, but it is not part of it. The private key is an RSA key; it is the private encryption key that will be used to protect sensitive information. Note: A CSR or Certificate Signing Request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

QUESTION NO: 1054 An administrator has two servers and wants them to communicate with each other using a secure algorithm. Which of the following should the administrator choose to provide both CRC integrity checks and RCA encryption? A. NTLM B. RSA C. CHAP D. ECDHE

Answer: D Explanation: ECDHE provides both CRC integrity checks and RCA encryption. Adding an ephemeral key to Elliptic Curve Diffie-Hellman turns it into ECDHE. It is the ephemeral component of each of these that provides the perfect forward secrecy. Forward secrecy is a property of any key exchange system, which ensures that if one key is compromised, subsequent keys will not also be compromised. Perfect forward secrecy occurs when this process is unbreakable.

QUESTION NO: 1039 Which of the following MUST Matt, a security administrator, implement to verify both the integrity and authenticity of a message while requiring a shared secret? A. RIPEMD B. MD5 C. SHA D. HMAC

Answer: D Explanation: HMAC (Hash-Based Message Authentication Code) uses a hashing algorithm along with a symmetric key. The hashing function provides data integrity, while the symmetric key provides authenticity.

QUESTION NO: 1011 Which of the following transportation encryption protocols should be used to ensure maximum security between a web browser and a web server? A. SSLv2 B. SSHv1 C. RSA D. TLS

Answer: D Explanation: HTTP Secure (HTTPS) is the protocol used for "secure" web pages that users should see when they must enter personal information such as credit card numbers, passwords, and other identifiers. It combines HTTP with SSL/TLS to provide encrypted communication. Transport Layer Security (TLS) is a security protocol that expands upon SSL. Many industry analysts predict that TLS will replace SSL, and it is also referred to as SSL 3.1.

QUESTION NO: 1025 Joe, the systems administrator, is setting up a wireless network for his team's laptops only and needs to prevent other employees from accessing it. Which of the following would BEST address this? A. Disable default SSID broadcasting. B. Use WPA instead of WEP encryption. C. Lower the access point's power settings. D. Implement MAC filtering on the access point.

Answer: D Explanation: If MAC filtering is turned off, any wireless client that knows the values looked for (MAC addresses) can join the network. When MAC filtering is used, the administrator compiles a list of the MAC addresses associated with users' computers and enters those addresses. When a client attempts to connect and other values have been correctly entered, an additional check of the MAC address is done. If the address appears in the list, the client is allowed to join; otherwise, it is forbidden from doing so.

QUESTION NO: 1080 A CA is compromised and attackers start distributing maliciously signed software updates. Which of the following can be used to warn users about the malicious activity? A. Key escrow B. Private key verification C. Public key verification D. Certificate revocation list

Answer: D Explanation: If we put the root certificate of the compromised CA in the CRL, users will know that this CA (and the certificates that it has issued) can no longer be trusted. The CRL (Certificate Revocation List) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

QUESTION NO: 1093 Which of the following BEST describes part of the PKI process? A. User1 decrypts data with User2's private key B. User1 hashes data with User2's public key C. User1 hashes data with User2's private key D. User1 encrypts data with User2's public key

Answer: D Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him.

QUESTION NO: 1031 Users report that after downloading several applications, their systems' performance has noticeably decreased. Which of the following would be used to validate programs prior to installing them? A. Whole disk encryption B. SSH C. Telnet D. MD5

Answer: D Explanation: MD5 can be used to locate the data which has changed. The Message Digest Algorithm (MD) creates a hash value and uses a one-way hash. The hash value is used to help maintain integrity. There are several versions of MD; the most common are MD5, MD4, and MD2.

QUESTION NO: 1024 The IT department has installed new wireless access points but discovers that the signal extends far into the parking lot. Which of the following actions should be taken to correct this? A. Disable the SSID broadcasting B. Configure the access points so that MAC filtering is not used C. Implement WEP encryption on the access points D. Lower the power for office coverage only

Answer: D Explanation: On the chance that the signal is actually traveling too far, some access points include power level controls, which allow you to reduce the amount of output provided.

QUESTION NO: 1041 When creating a public / private key pair, for which of the following ciphers would a user need to specify the key strength? A. SHA B. AES C. DES D. RSA

Answer: D Explanation: RSA (an asymmetric algorithm) uses keys of a minimum length of 2048 bits.

QUESTION NO: 1006 Symmetric encryption utilizes ____, while asymmetric encryption utilizes ____. A. Public keys, one time B. Shared keys, private keys C. Private keys, session keys D. Private keys, public keys

Answer: D Explanation: Symmetrical systems require the key to be private between the two parties. With asymmetric systems, each circuit has one key. In more detail: * Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected. A symmetric key, sometimes referred to as a secret key or private key, is a key that isn't disclosed to people who aren't authorized to use the encryption system. * Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes.

QUESTION NO: 1094 A software development company wants to implement a digital rights management solution to protect its intellectual property. Which of the following should the company implement to enforce software digital rights? A. Transport encryption B. IPsec C. Non-repudiation D. Public key infrastructure

Answer: D Explanation: The Public-Key Infrastructure (PKI) is intended to offer a means of providing security to messages and transactions on a grand scale. The need for universal systems to support e-commerce, secure transactions, and information privacy is one aspect of the issues being addressed with PKI. A PKI can be used to protect software.

QUESTION NO: 1005 Encryption used by RADIUS is BEST described as: A. Quantum B. Elliptical curve C. Asymmetric D. Symmetric

Answer: D Explanation: The RADIUS server uses a symmetric encryption method. Note: Symmetric algorithms require both ends of an encrypted message to have the same key and processing algorithms. Symmetric algorithms generate a secret key that must be protected.

QUESTION NO: 1097 Which of the following is true about PKI? (Select TWO). A. When encrypting a message with the public key, only the public key can decrypt it. B. When encrypting a message with the private key, only the private key can decrypt it. C. When encrypting a message with the public key, only the CA can decrypt it. D. When encrypting a message with the public key, only the private key can decrypt it. E. When encrypting a message with the private key, only the public key can decrypt it.

Answer: D,E Explanation: E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. D: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key. A PKI example: You want to send an encrypted message to Jordan, so you request his public key. Jordan responds by sending you that key. You use the public key he sends you to encrypt the message. You send the message to him.

QUESTION NO: 1053 A security administrator must implement a system to allow clients to securely negotiate encryption keys with the company's server over a public unencrypted communication channel. Which of the following implements the required secure key negotiation? (Select TWO). A. PBKDF2 B. Symmetric encryption C. Steganography D. ECDHE E. Diffie-Hellman

Answer: D,E Explanation: Elliptic curve Diffie-Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or better yet, to derive another key which can then be used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie-Hellman protocol using elliptic curve cryptography. Note: Adding an ephemeral key to Diffie-Hellman turns it into DHE (which, despite the order of the acronym, stands for Ephemeral Diffie-Hellman). Adding an ephemeral key to Elliptic Curve Diffie-Hellman turns it into ECDHE (again, overlook the order of the acronym letters; it is called Ephemeral Elliptic Curve Diffie-Hellman). It is the ephemeral component of each of these that provides the perfect forward secrecy.
