GW- Ch 10-CompTIA Security SYO-501
D. Encrypt it with Anns public key The document is confidential and is to be read by Ann only. Since Ann is the only person who knows her private key, any message or document encrypted with Ann's public key ensures that only be decrypted by Ann. https://www.youtube.com/watch?v=AQDCe585Lnc
137. Joe, a user, wants to send Ann, another user, a confidential document electronically. Which of the following should Joe do to ensure the document is protected from eavesdropping? A. Encrypt it with Joes private key B. Encrypt it with Joes public key C. Encrypt it with Anns private key D. Encrypt it with Anns public key
C. CRL (Certificate Revocation List) CRL - offline check. Download list file to check Online Certificate Status Protocol (OCSP) is used to automate certificate validation, making checking the status of certificates seamless and transparent to the user. Most modern browsers and other applications that use digital certificates can use OCSP to check CRLs automatically for certificate validity. whenever you connect to internet the update CRL gets downloaded to local machine. CRL check can be done without internet. A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.
189. A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable. Which of the following MUST be implemented to support this requirement? A. CSR B. OCSP C. CRL D. SSH
D. CSR ( Certificate Signing Request) You request a certificate with a certificate signing request (CSR). You first create a private/ public key pair and include the public key in the CSR. A certificate revocation list (CRL) is a list of certificates that a Certificate Authority (CA) has revoked. The CA stores a database repository of revoked certificates and issues the CRL to anyone who requests it. The Online Certificate Status Protocol (OCSP) validates trust with certificates, but only returns short responses such as good, unknown, or revoked. A certificate signing request (CSR) is used to request certificates.
235. A security administrator receives notice that a third-party certificate authority has been compromised, and new certificates will need to be issued. Which of the following should the administrator submit to receive a new certificate? A. CRL B. OSCP C. PFX D. CSR E. CA
A. Verify the certificate has not expired on the server. C. Update the root certificate into the client computer certificate store.
30. Users report the following message appears when browsing to the company's secure site: This website cannot be trusted. Which of the following actions should a security analyst take to resolve these messages? (Select two.) A. Verify the certificate has not expired on the server. B. Ensure the certificate has a .pfx extension on the server. C. Update the root certificate into the client computer certificate store. D. Install the updated private key on the web server. E. Have users clear their browsing history and relaunch the session.
C. Symmetric algorithm Stream ciphers encrypt data 1 bit at a time. Block ciphers encrypt data in blocks. Most symmetric algorithms use either a block cipher or a stream cipher. They are both symmetric, so they both use the same key to encrypt or decrypt data.
357. A security analyst is working on a project that requires the implementation of a stream cipher. Which of the following should the analyst use? A. Hash function B. Elliptic curve C. Symmetric algorithm D. Public key cryptography
C. Asymmetric Asymmetric encryption uses two keys (public and private) created as a matched pair.Both SSL and TLS provide certificate-based authentication and they encrypt data with a combination of both symmetric and asymmetric encryption during a session. They use asymmetric encryption for the key exchange (to privately share a session key) and symmetric encryption to encrypt data displayed on the web page and transmitted during the session. TLS uses asymmetric encryption to securely share the symmetric key. • TLS uses symmetric encryption to encrypt the session data.
38. Which of the following encryption methods does PKI typically use to securely protect keys? A. Elliptic curve B. Digital signatures C. Asymmetric D. Obfuscation
*** B. Provide the public key to the internal CA. B. Self signed = internal CA. Internal certificates don't need to be signed by public CA. Your company will be the only one using the certificate. No need to purchase trust for the devices that already trust you. Issue your own certificate signed by your own CA. Request certificates using a certificate signing request (CSR). Create a public and private key pair. The first step is to create the RSA-based private key, which is used to create the public key. You then include the public key in the CSR and the CA will embed the public key in the certificate. The private key is not sent to the CA. The CSR includes the public key, but not the private key.
422. A systems administrator wants to generate a self-signed certificate for an internal website. Which of the following steps should the systems administrator complete prior to installing the certificate on the server? A. Provide the private key to a public CA. B. Provide the public key to the internal CA. C. Provide the public key to a public CA. D. Provide the private key to the internal CA. E. Provide the public/private key pair to the internal CA F. Provide the public/private key pair to a public CA.
B. OCSP stapling (Online Certificate Status Protocol) OCSP stapling is a method for quickly and safely determining whether or not an SSL certificate is valid. It allows a web server to provide information on the validity of its own certificates rather than having to request the information from the certificate's vendor. OCSP stapling is an enhancement to the standard OCSP protocol that delivers OCSP responses from the server with the certificate, eliminating the need for relying parties (web users) to check OCSP responses with the issuing CA. This has the effect of reducing bandwidth, improving perceived site performance, and increasing security for everyone involved in establishing the secure session. MITM Attack (Man In The Middle)
424. Attackers have been using revoked certificates for MITM attacks to steal credentials from employees of Company.com. Which of the following options should Company.com implement to mitigate these attacks? A. Captive portal B. OCSP stapling C. Object identifiers D. Key escrow E. Extended validation certificate
C. MD5 ( Message Digest 5 ) IT professionals use several hashing algorithms to ensure the integrity of data and source. ...• MD5 • SHA • RIPEMD • HMAC Message Digest 5 (MD5) is a common hashing algorithm that produces a 128-bithash. MD5 has been in use since 1992. Experts discovered significant vulnerabilities in MD5 in 2004 and later years. As processing power of computers increased, it became easier and easier to exploit these vulnerabilities. Security experts now consider it cracked and discourage its use. However, it is still widely used to verify the integrity of files. This includes email, files stored on disks, files downloaded from the Internet, executable files, and more
441. Which of the following is used to validate the integrity of data? A. CBC B. Blowfish C. MD5 D. RSA
A. Trust model To help ensure trust, a PKI relies on a standard trust model that assigns to a third party the responsibility of establishing a trust relationship between any two communicating entities. The model used by a PKI is a strict hierarchical model. At the top is a publicly (or privately) recognized source (authority) that everyone using the PKI recognizes and trusts to validate (authorize and certify) the identities that are part of the PKI. Under this authority might exist subordinate authorities that rely on the top (root) authority as the ultimate source of authorization and certification.
472. User from two organizations, each with its own PKI, need to begin working together on a joint project. Which of the following would allow the users of the separate PKIs to work together without connection errors? A. Trust model B. Stapling C. Intermediate CA D. Key escrow
A. BCRYPT D. PBKDF2 Two commonly used key stretching techniques are bcrypt and Password-Based Key Derivation Function 2 (PBKDF2). They protect passwords against brute force and rainbow table attacks.Both salt the password with additional random bits.
568. Which of the following are used to substantially increase the computation time required to crack a password? (Choose two.) A. BCRYPT B. Substitution cipher C. ECDHE D. PBKDF2 E. Diffie-Hellman
A. .pfx certificate (Personal Information Exchange) CER (Canonical Encoding Rule) is a binary format for certificates and DER ( Distinguished Encoding Rules) is an ASCII format. PEM (Privacy Enhanced Mail) is the most commonly used certificate format and can be used for just about any certificate type. P7B certificates are commonly used to share public keys. P12 and PFX (Personal Information Exchange) certificates are commonly used to hold the private key. It may contain single certificates, certificate chains, or private keys, although in most cases it is used to store public/private key pairs. Fully encrypt all the data in the file and require a password to open them. Essentially it is everything that any server will need to import a certificate and private key from a single file
593. A security analyst is implementing PKI-based functionality to a web application that has the following requirements: - File contains certificate information - Certificate chains - Root authority certificates - Private key All of these components will be part of one file and cryptographically protected with a password. Given this scenario, which of the following certificate types should the analyst implement to BEST meet these requirements? A. .pfx certificate B. .cer certificate C. .der certificate D. .crt certificate
A. AES (Advanced Encryption Standards) AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key. Used in WPA2- powerful wireless encryption. AES has been adopted by the U.S. government and is now used worldwide. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. The encryption of data at rest should only include strong encryption methods such as AES or RSA. The U.S. National Security Agency (NSC) uses it to protect the country's "top secret" information.In fact, AES has never been cracked, and based on current technological trends, is expected to remain secure for years to come. RSA is more computationally intensive than AES, and much slower. It's normally used to encrypt only small amounts of data. RSA is widely used to protect data such as email and other data transmitted over the Internet. It uses both a public key and a private key in a matched pair.
593. Which of the following encryption algorithms is used primarily to secure data at rest? A. AES B. SSL C. TLS D. RSA
B. 3DES 3DES. Data Encryption Standard (DES), Triple DES - Triple Digital Encryption Standard. A symmetric algorithm used to encrypt data and provide confidentiality. It is a block cipher that encrypts data in 64-bit blocks. No longer used- superseded by AES. RSA = Asymmetric Algorithm DSA = Asymmetric Algorithm SHA-2 = Hashing Algorithm
623. If two employees are encrypting traffic between them using a single encryption key, which of the following algorithms are they using? A. RSA B. 3DES C. DSA D. SHA-2
B. AES (Advanced Encryption Standards) AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits for the key. Used in WPA2- powerful wireless encryption. MD5, SHA: Hashing algorithms DHA- Diffie-Hellman Algorithm is a key exchange algorithm used to privately share a symmetric key between two parties. DH itself does not encrypt or authenticate.
634. Which of the following is used to encrypt web application data? A. MD5 B. AES C. SHA D. DHA
A. AES (Advanced Encryption Standards) A. AES is one of the the most advanced encryption protocols available - good for encrypting large amounts of data. Not B. SHA-2 is a hashing algorithm. Not C. SSL is deprecated. Not D.RSA is widely used to protect data such as email and other data transmitted over the Internet. It uses both a public key and a private key in a matched pair.
638. A user needs to transmit confidential information to a third party. Which of the following should be used to encrypt the message? A. AES B. SHA-2 C. SSL D. RSA
B. Configure server-based PKI certificates. Hardening systems increases their basic configuration to prevent incidents. Server-base PKI certificates perform encryption on data-in-transit to assure data confidentiality.
667. A security administrator is creating a risk assessment with regard to how to harden internal communications in transit between servers. Which of the following should the administrator recommend in the report? A. Configure IPSec in transport mode. B. Configure server-based PKI certificates. C. Configure the GRE tunnel. D. Configure a site-to-site tunnel.
A. S/MIME-uses PKI - digital signature: Secure/Multipurpose Internet Mail Extensions(S/MIME) is one of the most popular standards used to digitally sign and encrypt email. Most email applications that support encryption and digital signatures use S/MIME. S/MIME uses RSA for asymmetric encryption and AES for symmetric encryption. It can encrypt email at rest (stored on a drive) and in transit (data sent over the network). Because S/MIME uses RSA for asymmetric encryption, it requires a PKI to distribute and manage certificates. . B. TLS : Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that have been commonly used to encrypt data-in-transit. It is common to encrypt HTTPS with either SSL or TLS to ensure confidentiality of data transmitted over the Internet. Both SSL and TLS provide certificate-based authentication and they encrypt data with a combination of both symmetric and asymmetric encryption during a session. They use asymmetric encryption for the key exchange (to privately share a session key) and symmetric encryption to encrypt data displayed on the web page and transmitted during the session. The next section shows this process. They can also be used to encrypt other transmissions such as File Transfer Protocol Secure (FTPS). C. SFTP SSH Secure File Transfer Protocol.
668. A company is executing a strategy to encrypt and sign all proprietary data in transit. The company recently deployed PKI services to support this strategy. Which of the following protocols supports the strategy and employs certificates generated by the PKI? (Choose three.) A. S/MIME B. TLS C. SFTP D. SAML E. SIP F. IPSec G. Kerberos
D. SAN Subject Alternative Name (SAN) is used for multiple domains that have different names, but are owned by the same organization. For example, Google uses SANs of *.google.com, *.android.com, *.cloud.google.com, and more. It is most commonly used for systems with the same base domain names, but different top-level domains. For example, if Google used names such as google.com and google.net, it could use a single SAN certificate for both domain names. Similarly, a SAN certificate can be used for google.com We're often asked if an IP address can be used in an SSL certificate in place of a fully qualified domain name . The short answer is yes, but we don't recommend it. If your IP address changes your SSL certificate can become useless. You would just add the hostname or FQDN to the SAN field and you should be good. Browser can use with the CN field or the SAN field to verify
669. A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site . Which of the following would BEST resolve the issue? A. OCSP B. OID C. PEM D. SAN
B. Salt Salt—A random set of data added to a password when creating the hash.
689. Which of the following is a random value appended to a credential that makes the credential less susceptible to compromise when hashed? A. Nonce B. Salt C. OTP D. Block cipher E. IV
D. Data in transit
701. Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented? A. Perfect forward secrecy B. Ephemeral keys C. Domain validation D. Data in transit
D. SHA-1 3DES and AES are block ciphers for encrypting data, where MD5 and SHA-1 are hashing functions. MD5 and SHA-1 aren't considered secure anymore, but SHA-1 is the stronger of the two. The only way to protect against brute force attacks is to use a slow hashing algorithm
723. A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks? A. MD5 B. 3DES C. AES D. SHA-1
A. Encrypt and sign the email using S/MIME.
730. A security analyst is emailing PII in a spreadsheet file to an audit validator for after-action related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements: ✑ Ensure confidentiality at rest. ✑ Ensure the integrity of the original email message. Which of the following controls would ensure these data security requirements are carried out? A. Encrypt and sign the email using S/MIME. B. Encrypt the email and send it using TLS. C. Hash the email using SHA-1. D. Sign the email using MD5.
B. Collision D. Hashing same has number for two different value
749. Given the information below: MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883 MD5HASH image.jpg 049eab40fd36caadlfab10b3cdf4a883 Which of the following concepts are described above? (Choose two.) A. Salting B. Collision C. Steganography D. Hashing E. Key stretching
E. OCSP D. CRL Most probably the certificate has expired. B2B--> Business to Business. Thus, the solution has to be (OCSP) Online Certificate Status Protocol of which is a browser protocol that checks the validity of an SSL certificate with the help of a whitelist and (CRL) Certificate Revocation List which assist in terms of checking whether certificate has been revoked or still valid from Certificate Authority.
752. A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption? (Choose two.) A. PEM B. CER C. SCEP D. CRL E. OCSP F. PFX
C. DHE DHE. Diffie-Hellman Ephemeral (DHE) uses ephemeral keys, generating different keys for each session. PFS (Perfect Forward Secrecy) characteristic of encryption keys ensuring that keys are random. Perfect forward secrecy methods do not use deterministic algorithms. Anytime a CompTIA question asks about ensuring PFS look for any of the used abbreviations of Diffie Hellman
754. Which of the following provides PFS? A. AES B. RC4 C. DHE D. HMAC
C. It performs bit-level encryption. Stream ciphers encrypt data 1 bit or 1 byte at a time. They are more efficient than block ciphers when encrypting data of an unknown size or when sent in a continuous stream. RC4 is a commonly used stream cipher.
763. Which of the following is unique to a stream cipher? A. It encrypt 128 bytes at a time. B. It uses AES encryption. C. It performs bit-level encryption. D. It is used in HTTPS.
C. Purchase a wildcard certificate and implement it on every server. A wildcard certificate starts with an asterisk (*) and can be used for multiple domains, but each domain name must have the same root domain. For example, Google uses a wildcard certificate issued to *.google.com. This same certificate can be used for other Google domains, such as accounts.google.com and support.google.com. Wildcard certificates can reduce the administrative burden associated with managing multiple certificates. Purchase a wildcard cert install on all server is "cost effective" compare to purchasing cert for each server. Installing a self-signed cert on a public access server is useless as the public user browser will still popup untrust certificate.
768. A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective? A. Create and install a self-signed certificate on each of the servers in the domain. B. Purchase a load balancer and install a single certificate on the load balancer. C. Purchase a wildcard certificate and implement it on every server. D. Purchase individual certificates and apply them to the individual servers. Hide Answer
D. Install a CRL. The client then checks the serial number of the certificate against the list of serial numbers in the CRL. If the certificate is revoked for any reason, the application gives an error message to the user. Stapling is using OCSP. Key escrow is the process of placing a copy of a private key in a safe environment.''
775. The Chief Information Officer (CIO) has determined the company's new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented? A. Build an online intermediate CA. B. Implement a key escrow. C. Implement stapling. D. Install a CRL.
B. The recipient's private key If encrypted by the recipient's public key then can only be decrypted by the recipient's private key
809. An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message? A. The sender's private key B. The recipient's private key C. The recipient's public key D. The CA's root certificate E. The sender's public key F. An updated CRL