CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 691:

  Which of the following types of trust models is used by a PKI?

  A. Transitive

  B. Open source

  C. Decentralized

  D. Centralized

  Correct Answer: D

  PKI uses a centralized trust model. In a simple PKI a single centralized certification authority (CA). In a hierarchical trust model the root CA is the center of the model, with subordinate CAs lower in the hierarchy.

  Note: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. A trust Model is collection of rules that informs application

  on how to decide the legitimacy of a Digital Certificate.

  Incorrect Answers:

  A: Some of the trust in a PKI trust model are transitive, but the trust model itself is centralized not transitive.

  B: Open Source refers to software and is not a concept that is within a PKI. Open source software is software whose source code is available for modification or enhancement by anyone.

  C: PKI is not use a decentralized trust model.

  Web of trust, an alternative to PKI, use a decentralized trust model.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 285-289

• Question 692:

  In order to use a two-way trust model the security administrator MUST implement which of the following?

  A. DAC

  B. PKI

  C. HTTPS

  D. TPM

  Correct Answer: B

  PKI is a high level concept. Within a PKI you use a trust model to set up trust between Certification Authorities (CAs). A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

  Incorrect Answers:

  A: DAC cannot be used to setup trust models.

  Discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The

  controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)".

  C: HTTPS is just a protocol. You cannot use HTTPS to set up trust models. HTTPS is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.

  D: Trusted Platform Module (TPM) cannot be used to setup trust models. A TPM can be used to assist with hash key generation. TPM is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. TPM can be

  used to protect smart phones and devices other than PCs as well. It can also be used to generate values used with whole disk encryption such as BitLocker.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 150, 151-152, 237, 274, 279-285, 290

• Question 693:

  A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements?

  A. Trust model

  B. Key escrow

  C. OCSP

  D. PKI

  Correct Answer: A

  In this scenario we can put a CA in the local network and use an online CA as root CA in a hierarchical trust model. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree.

  Incorrect Answers:

  B: Key escrow is a database of stored keys that later can be retrieved. Key escrow cannot be used to set up a trust to a CA.

  C: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. OCSP cannot be used to set up a trust to a CA.

  D: PKI is a high level concept. In itself you cannot use a PKI to set up a trust to a CA. Within a PKI you use a trust model for this purpose. A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285, 285-289

• Question 694:

  Which of the following allows lower level domains to access resources in a separate Public Key Infrastructure?

  A. Trust Model

  B. Recovery Agent

  C. Public Key

  D. Private Key

  Correct Answer: A

  In a bridge trust model allows lower level domains to access resources in a separate PKI through the root CA. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. In a bridge trust model, a peer-to-peer relationship exists among the root CAs. The root CAs can communicate with one another, allowing cross certification. This arrangement allows a certification process to be established between organizations or departments. Each intermediate CA trusts only the CAs above and below it, but the CA structure can be expanded without creating additional layers of CAs.

  Incorrect Answers:

  B: A recovery agent cannot be used to bridge trust between PKIs. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.

  C: A public key is available to everyone. A public key cannot be used to bridge trust between PKIs.

  D: A private key is a secret key. It cannot be used to bridge trust between PKIs.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285-289

• Question 695:

  Which of the following is a requirement when implementing PKI if data loss is unacceptable?

  A. Web of trust

  B. Non-repudiation

  C. Key escrow

  D. Certificate revocation list

  Correct Answer: C

  Key escrow is a database of stored keys that later can be retrieved. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  Incorrect Answers:

  A: Web of trust is not used within the PKI domain. It is an alternative approach. A web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such).

  B: Nonrepudiation is a means of ensuring that transferred data is valid. Nonrepudiation is not used to store data.

  D: A certification list is just a database of revoked keys and certificates, and does not store any other information.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-289, 285

• Question 696:

  Which of the following allows an organization to store a sensitive PKI component with a trusted third party?

  A. Trust model

  B. Public Key Infrastructure

  C. Private key

  D. Key escrow

  Correct Answer: D

  Sensitive PKI data, such as private keys, can be put into key escrow data. The key escrow data can be kept at a trusted third party. Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees' private communications, or governments, who may wish to be able to view the contents of encrypted communications.

  Incorrect Answers:

  A: A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. A trust model cannot store sensitive information.

  B: A PKI cannot store sensitive information.

  The Public-Key Infrastructure (PKI) is intended to offer a means of providing security to messages and transactions on a grand scale. The need for universal systems to support e- commerce, secure transactions, and information privacy is

  one aspect of the issues being addressed with PKI.

  C: A private key is a secret key. It is not used to stored sensitive information through a third party.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285-289

• Question 697:

  Which of the following must be kept secret for a public key infrastructure to remain secure?

  A. Certificate Authority

  B. Certificate revocation list

  C. Public key ring

  D. Private key

  Correct Answer: D

  The private key, which is also called the secret key, must be kept secret.

  Incorrect Answers:

  A: The CA must be accessible. It should not be kept secret. A certificate authority (CA) is an organization. A CA is responsible for issuing, revoking, and distributing certificates.

  B: The CRL should be readily accessible. It should be posted on a publically accessible location.

  A CRL is a database of revoked keys and signatures.

  C: A public key ring must be available for all.

  A public key ring is often implemented as a file with public keys in it. The traditional PGP Key Ring is a sequential file with a sequential list of keys in it. Slightly more advanced key rings, such as those used in Key Servers actually use a

  database.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-280, 279-285, 285

• Question 698:

  Which of the following is true about an email that was signed by User A and sent to User B?

  A. User A signed with User B's private key and User B verified with their own public key.

  B. User A signed with their own private key and User B verified with User A's public key.

  C. User A signed with User B's public key and User B verified with their own private key.

  D. User A signed with their own public key and User B verified with User A's private key.

  Correct Answer: B

  The sender uses his private key, in this case User A's private key, to create a digital signature. The message is, in effect, signed with the private key. The sender then sends the message to the receiver. The receiver (User B) uses the public key attached to the message to validate the digital signature. If the values match, the receiver knows the message is authentic. The receiver uses a key provided by the sender--the public key--to decrypt the message.

  Incorrect Answers:

  A: User A must sign with his own private key, not with User B's private key.

  C: User A must sign with his own private key, not with User B's public key.

  D: User A must sign with his own private key, not with his public key. User B's cannot use the private (secret) key of User A.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285

• Question 699:

  Company A sends a PGP encrypted file to company B. If company A used company B's public key to encrypt the file, which of the following should be used to decrypt data at company B?

  A. Registration

  B. Public key

  C. CRLs D. Private key

  Correct Answer: D

  In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority

  (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key.

  A PKI example:

  1.

  You want to send an encrypted message to Jordan, so you request his public key.

  2.

  Jordan responds by sending you that key.

  3.

  You use the public key he sends you to encrypt the message.

  4.

  You send the message to him.

  5.

  Jordan uses his private key to decrypt the message.

  Incorrect Answers:

  A: Registration is not used to decrypt files. Key registration is the process of providing certificates to users

  B: If the public key is used to encrypt the file, then we cannot use this public key to decrypt the file. We need the private key. The private and the public key are mathematically linked and make a key pair. You cannot use two public keys to

  encrypt and decrypt the data.

  C: CRLs are not used to decrypt files. A CRL is a database of revoked keys and certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285, 280-281, 285

• Question 700:

  Which of the following devices is BEST suited for servers that need to store private keys?

  A. Hardware security module

  B. Hardened network firewall

  C. Solid state disk drive

  D. Hardened host firewall

  Correct Answer: A

  A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. By adding a HSM to the server and storing the private keys on HSM, the security of the keys would be improved.

  Incorrect Answers:

  B: A firewall protects from threats in the incoming traffic. A firewall would not be of much help in securing keys stored on a server.

  C: A solid state drive does not provide any extra security, it is just faster than most regular hard drives.

  D: A firewall protects from threats in the incoming traffic. A firewall would not be of much help in securing keys stored on a server.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 96-97, 222, 238, 290, 386