CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 711:

  Which of the following allows a company to maintain access to encrypted resources when employee turnover is high?

  A. Recovery agent

  B. Certificate authority

  C. Trust model

  D. Key escrow

  Correct Answer: A

  If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to

  recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.

  Incorrect Answers:

  B: A certificate authority (CA) is an organization. A CA is responsible for issuing, revoking, and distributing certificates. A CA cannot recovery keys.

  C: A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. A trust model cannot recover keys.

  D: Key escrow is not used to recover old keys.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 285-289

• Question 712:

  Which of the following is true about PKI? (Select TWO).

  A. When encrypting a message with the public key, only the public key can decrypt it.

  B. When encrypting a message with the private key, only the private key can decrypt it.

  C. When encrypting a message with the public key, only the CA can decrypt it.

  D. When encrypting a message with the public key, only the private key can decrypt it.

  E. When encrypting a message with the private key, only the public key can decrypt it.

  Correct Answer: DE

  E: You encrypt data with the private key and decrypt with the public key, though the opposite is much more frequent. Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic protocols based on algorithms

  that require two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked.

  D: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration

  authority (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key.

  A PKI example:

  1.

  You want to send an encrypted message to Jordan, so you request his public key.

  2.

  Jordan responds by sending you that key.

  3.

  You use the public key he sends you to encrypt the message.

  4.

  You send the message to him.

  5.

  Jordan uses his private key to decrypt the message.

  Incorrect Answers:

  A: The private and the public key are mathematically linked and make a key pair. You cannot use two public keys to encrypt and decrypt the data.

  B: The private and the public key are mathematically linked and make a key pair. You cannot use two private keys to encrypt and decrypt the data.

  C: If you encrypt the data with the public key, the data must be decrypted with the private key. The CA would not be able to decrypt the data by itself.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285

• Question 713:

  In PKI, a key pair consists of: (Select TWO).

  A. A key ring

  B. A public key

  C. A private key

  D. Key escrow

  E. A passphrase

  Correct Answer: BC

  In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The key pair consists of these two keys.

  Incorrect Answers:

  A: There is no concept of key ring within a Public-Key Infrastructure.

  D: A key escrow is not included in a PKI key pair.

  Key escrow) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

  E: A PKI key pair contains two keys, and does not include a passhrase. A passphrase is a sequence of words or other text used to control access to a computer system, program or data. Passphrases are particularly applicable to systems

  that use the passphrase as an encryption key.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 140, 262, 279-285 http://en.wikipedia.org/wiki/Keyring_%28cryptography%29

• Question 714:

  Which of the following is the MOST likely cause of users being unable to verify a single user's email signature and that user being unable to decrypt sent messages?

  A. Unmatched key pairs

  B. Corrupt key escrow

  C. Weak public key

  D. Weak private key

  Correct Answer: A

  In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The sender and receiver must have a matching key in order for the receiver to decrypt the data. Incorrect Answers:

  B: Key escrow is not used for verifying signatures or for decrypting data.

  C: Public keys are public and known to all parties. They are weak by nature.

  D: A weak private(secret) key could allow third parties to compromise the security, but would not cause problems verifying signatures or decrypting data.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285

• Question 715:

  A software development company wants to implement a digital rights management solution to protect its intellectual property. Which of the following should the company implement to enforce software digital rights?

  A. Transport encryption

  B. IPsec

  C. Non-repudiation

  D. Public key infrastructure

  Correct Answer: D

  The Public-Key Infrastructure (PKI) is intended to offer a means of providing security to messages and transactions on a grand scale. The need for universal systems to support e- commerce, secure transactions, and information privacy is

  one aspect of the issues being addressed with PKI. A PKI can be used to protect software.

  Incorrect Answers:

  A: Transport encryption would protect data that is sent between two entities. It would not be able to protect use of software.

  B: IPSec protect data that is sent between two entities through encryption. It would not be able to protect use of software.

  C: Nonrepudiation is a means of ensuring that transferred data is valid. Nonrepudiation is not a way to protect software. Nonrepudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 249, 262, 274-275, 279-285

• Question 716:

  Which of the following BEST describes part of the PKI process?

  A. User1 decrypts data with User2's private key

  B. User1 hashes data with User2's public key

  C. User1 hashes data with User2's private key

  D. User1 encrypts data with User2's public key

  Correct Answer: D

  In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority

  (RA), RSA (the encryption algorithm), and digital certificates. Messages are encrypted with a public key and decrypted with a private key.

  A PKI example:

  1.

  You want to send an encrypted message to Jordan, so you request his public key.

  2.

  Jordan responds by sending you that key.

  3.

  You use the public key he sends you to encrypt the message.

  4.

  You send the message to him.

  5.

  Jordan uses his private key to decrypt the message.

  Incorrect Answers:

  A: You must use your own private key to decrypt data.

  B: In a PKI data is encrypted and decrypted. Data is not hashed.

  C: In a PKI data is encrypted and decrypted. Data is not hashed.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285

• Question 717:

  In which of the following scenarios is PKI LEAST hardened?

  A. The CRL is posted to a publicly accessible location.

  B. The recorded time offsets are developed with symmetric keys.

  C. A malicious CA certificate is loaded on all the clients.

  D. All public keys are accessed by an unauthorized user.

  Correct Answer: C

  A rogue Certification Authority (CA) certificate allows malicious users to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate would be seen as trusted by Web browsers, and it is harmful because it can appear to be signed by one of the root CAs that browsers trust by default. A rogue Certification Authority (CA) certificate can be created using a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure Web sites.

  Incorrect Answers:

  A: The CRL should be readily accessible. It should be posted on a publically accessible location. A CRL is a database of revoked keys and signatures.

  B: Incorrect time offsets is much less of a security threat compared to a rogue Certification Authority certificate.

  D: Public keys are public and can be accessed by anyone.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285 http://www.webopedia.com/TERM/R/rogue_certification_authority_certificate.html

• Question 718:

  An administrator needs to submit a new CSR to a CA. Which of the following is a valid FIRST step?

  A. Generate a new private key based on AES.

  B. Generate a new public key based on RSA.

  C. Generate a new public key based on AES.

  D. Generate a new private key based on RSA.

  Correct Answer: D

  Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The private key is needed to produce, but it is not part of, the CSR. The private key is an RSA key. The private encryption key that will be used to protect sensitive information. Note: A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR.

  Incorrect Answers:

  A: The private key that is generated is an RSA key, not an AES key.

  B: The produce the CSR you need a private key, not a public key.

  C: The produce the CSR you need a private key, not a public key.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-280 http://en.wikipedia.org/wiki/Certificate_signing_request

• Question 719:

  An administrator needs to renew a certificate for a web server. Which of the following should be submitted to a CA?

  A. CSR

  B. Recovery agent

  C. Private key

  D. CRL

  Correct Answer: A

  In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. When you renew a certificate you send a CSR to the CA to get the certificate resigned.

  Incorrect Answers:

  B: You cannot use a Recovery agent to renew a certificate. A recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. A recovery is not affected when a user is terminated.

  C: You cannot submit a private key to the CA.

  A private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages.

  D: A CRL cannot be submitted to a CA.

  A CRL is a database of revoked keys and signatures.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 285 http://en.wikipedia.org/wiki/Certificate_signing_request

• Question 720:

  Which of the following protocols is used to validate whether trust is in place and accurate by returning responses of either "good", "unknown", or "revoked"?

  A. CRL

  B. PKI

  C. OCSP

  D. RA

  Correct Answer: C

  The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

  Incorrect Answers:

  A: CRL is not a protocol. CRL is a database which contains revoked certificates and keys.

  B: A PKI is not a protocol.

  A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

  D: A registration authority (RA) is not a protocol.

  An RA offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept registrations for the CA, and validate identities.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285 http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol