CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 321:

  Ann, a newly hired human resource employee, sent out confidential emails with digital signatures, to an unintended group. Which of the following would prevent her from denying accountability?

  A. Email Encryption

  B. Steganography

  C. Non Repudiation

  D. Access Control

  Correct Answer: C

  Nonrepudiation prevents one party from denying actions they carried out.

  Incorrect Answers:

  A: Email encryption is used to protect privacy.

  B: Steganography is the process of hiding one message in another. Steganography may also be referred to as electronic watermarking.

  C: Access Control is used to govern which users have access to the email.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 248, 262, 414

• Question 322:

  An encrypted message is sent using PKI from Sara, a client, to a customer. Sara claims she never sent the message. Which of the following aspects of PKI BEST ensures the identity of the sender?

  A. CRL

  B. Non-repudiation

  C. Trust models

  D. Recovery agents

  Correct Answer: B

  Nonrepudiation prevents one party from denying actions they carried out. This means that the identity of the email sender will not be repudiated.

  Incorrect Answers:

  A: CRLs are literally a list of certificates that a specific CA stated should no longer be used.

  C: Trust models are used with PKIs. It is not used to ensure the identity of the email sender.

  D: Recovery Agents are used with certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 414

• Question 323:

  An administrator has successfully implemented SSL on srv4.comptia.com using wildcard certificate *.comptia.com, and now wishes to implement SSL on srv5.comptia.com. Which of the following files should be copied from srv4 to accomplish this?

  A. certificate, private key, and intermediate certificate chain

  B. certificate, intermediate certificate chain, and root certificate

  C. certificate, root certificate, and certificate signing request

  D. certificate, public key, and certificate signing request

  Correct Answer: A

  a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. In public-key cryptography, the receiver has a private key known only to them; a public key corresponds to it, which they make known to others. The public key can be sent to all other parties; the private key is never divulged. A symmetric algorithm requires that receivers of the message use the same private key. Thus you should copy the certificate, the private key and the intermediate certificate chain from srv4 to srv5.

  Incorrect Answers:

  B: You will require the same private key to be copied as well since you intend using wildcard certificate.

  C: You intend using wildcard certificates and you cannot omit using the same private key.

  D: With wildcard certificates you require the same private key to be used, thus coping the public key is futile.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 292

• Question 324:

  A certificate used on an ecommerce web server is about to expire. Which of the following will occur if the certificate is allowed to expire?

  A. The certificate will be added to the Certificate Revocation List (CRL).

  B. Clients will be notified that the certificate is invalid.

  C. The ecommerce site will not function until the certificate is renewed.

  D. The ecommerce site will no longer use encryption.

  Correct Answer: B

  A similar process to certificate revocation will occur when a certificate is allowed to expire. Notification will be sent out to clients of the invalid certificate. The process of revoking a certificate begins when the CA is notified that a particular certificate needs to be revoked. This must be done whenever the private key becomes known. The owner of a certificate can request that it be revoked at any time, or the administrator can make the request.

  Incorrect Answers:

  A: Revocation occurs prior to expiration and not vice versa.

  C: Expired certificates are not the same as a site ceasing to function; it is access that is the issue.

  D: No longer using encryption would be impractical for an ecommerce webserver.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 285

• Question 325:

  Digital certificates can be used to ensure which of the following? (Select TWO).

  A. Availability

  B. Confidentiality

  C. Verification

  D. Authorization

  E. Non-repudiation

  Correct Answer: BE

  Digital Signatures is used to validate the integrity of the message and the sender. Digital certificates refer to cryptography which is mainly concerned with Confidentiality, Integrity, Authentication, Nonrepudiation and Access Control. Nonrepudiation prevents one party from denying actions they carried out.

  Incorrect Answers:

  A: Availability is concerned with making data and systems available to authorized users.

  C: Verification is the act of ensuring integrity. And PKI uses verification to check the validity of a certificate.

  D: Authorization is concerned with which users have access.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 291, 414

• Question 326:

  Some customers have reported receiving an untrusted certificate warning when visiting the company's website. The administrator ensures that the certificate is not expired and that customers have trusted the original issuer of the certificate. Which of the following could be causing the problem?

  A. The intermediate CA certificates were not installed on the server.

  B. The certificate is not the correct type for a virtual server.

  C. The encryption key used in the certificate is too short.

  D. The client's browser is trying to negotiate SSL instead of TLS.

  Correct Answer: A

  In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't.

  Incorrect Answers:

  B: Nowhere in the question is mention made of virtual servers.

  C: An untrusted certificate warning is not indicative of too short encryption keys.

  D: Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines. This protocol uses the handshake method of establishing a session, TLS is based on SSL and the browser would

  not issue an untrusted certificate warning.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 75, 286

• Question 327:

  Certificates are used for: (Select TWO).

  A. Client authentication.

  B. WEP encryption.

  C. Access control lists.

  D. Code signing.

  E. Password hashing.

  Correct Answer: AD

  Certificates are used in PKI to digitally sign data, information, files, email, code, etc. Certificates are also used in PKI for client authentication.

  Incorrect Answers:

  B: Wired Equivalent Privacy (WEP) encryption is used with TKIP which placed a 128-bit wrapper around the WEP encryption and is based on the MAC address of the host device and the serial number of the packet.

  C: Access control lists are used to allow individual and highly controllable access to resources in a network.

  E: Hashing refers to the hash algorithms used in cryptography. It is used to derive a key mathematically from a message.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 156, 278, 281

• Question 328:

  Which of the following could cause a browser to display the message below?

  "The security certificate presented by this website was issued for a different website's address."

  A. The website certificate was issued by a different CA than what the browser recognizes in its trusted CAs.

  B. The website is using a wildcard certificate issued for the company's domain.

  C. HTTPS://127.0.01 was used instead of HTTPS://localhost.

  D. The website is using an expired self signed certificate.

  Correct Answer: C

  PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher- ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme. Localhost is a hostname that means this computer and may be used to access the computer's own network services via its loopback network interface. Using the loopback interface bypasses local network interface hardware. In this case the HTTPS://127.0.01 was used and not HTTPS//localhost Incorrect Answers:

  A: This is not a case where the certificate was issued by a different CA.

  B: A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. This option will not yield an error message

  D: A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 280-281

• Question 329:

  A user was reissued a smart card after the previous smart card had expired. The user is able to log into the domain but is now unable to send digitally signed or encrypted email. Which of the following would the user need to perform?

  A. Remove all previous smart card certificates from the local certificate store.

  B. Publish the new certificates to the global address list.

  C. Make the certificates available to the operating system.

  D. Recover the previous smart card certificates.

  Correct Answer: B

  CAs can be either private or public, with VeriSign being one of the best known of the public variety. Many operating system providers allow their systems to be configured as CA systems. These CA systems can be used to generate internal certificates that are used within a business or in large external settings. The process provides certificates to the users. Since the user in question has been re-issued a smart card, the user must receive a new certificate by the CA to allow the user to send digitally signed email. This is achieved by publishing the new certificates to the global address list.

  Incorrect Answers:

  A: Removing all previous smart card certificates from the local certificate store will affect all the other users as well and then no one will be able to log in and send digitally signed email.

  C: Making certificates available to the operating system will not allow the user to send digitally signed email. The other users all have access to this service because of the CA having published their certificates on the global address list, which means that the re-issued smart card's certificate should also be published on the global address list.

  D: The previous smart card certificates are no longer valid.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-280

• Question 330:

  Joe, a user, wants to send an encrypted email to Ann. Which of the following will Ann need to use to verify the validity's of Joe's certificate? (Select TWO).

  A. The CA's public key

  B. Joe's private key

  C. Ann's public key

  D. The CA's private key

  E. Joe's public key

  F. Ann's private key

  Correct Answer: AE

  Joe wants to send a message to Ann. It's important that this message not be altered. Joe will use the private key to create a digital signature. The message is, in effect, signed with the private key. Joe then sends the message to Ann. Ann will use the public key attached to the message to validate the digital signature. If the values match, Ann knows the message is authentic and came from Joe. Ann will use a key provided by Joe--the public key--to decrypt the message. Most

  digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidently, in transit. Thus Ann would compare the signature area referred to as a message in the message with the calculated

  value digest (her private key in this case). If the values match, the message hasn't been tampered with and the originator is verified as the person they claim to be. This process provides message integrity, nonrepudiation, and authentication.

  A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. A certificate is nothing more than a mechanism that associates the public key with an individual.

  If Joe wants to send Ann an encrypted e-mail, there should be a mechanism to verify to Ann that the message received from Mike is really from Joe. If a third party (the CA) vouches for Joe and Ann trusts that third party, Ann can assume that

  the message is authentic because the third party says so.

  Incorrect Answers:

  B: Ann would require Joe's public key and not his private key.

  C: Ann is the recipient and her public key is not required to verify e-mail sent by Joe.

  D: The CA's private key is not used to decrypt messages, rather a recipient must make use of the CA's public key to process a request for a digital certificate.

  F: The certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. Ann's private key is thus not an issue here because she must use the DC's public key to process a request for a digital signature.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 261, 279 http://searchsecurity.techtarget.com/definition/digital-signature http://email.about.com/cs/pgp/a/public_key_enc.htm