CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 721:

  A system administrator is notified by a staff member that their laptop has been lost. The laptop contains the user's digital certificate. Which of the following will help resolve the issue? (Select TWO).

  A. Revoke the digital certificate

  B. Mark the key as private and import it

  C. Restore the certificate using a CRL

  D. Issue a new digital certificate

  E. Restore the certificate using a recovery agent

  Correct Answer: AD

  The user's certificate must be revoked to ensure that the stolen computer cannot access resources the user has had access to. To grant the user access to the resources he must be issued a new certificate.

  Incorrect Answers:

  B: Within a PKI there is no meaningful procedure that marks and import a key.

  C: The certificate needs to be revoked, not to be restored. CRLs are used to store revoked certificates and signatures. CRLs are not used to restore certificates.

  E: Restore the certificate using a recovery agent

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285

• Question 722:

  Which of the following is true about the CRL?

  A. It should be kept public

  B. It signs other keys

  C. It must be kept secret

  D. It must be encrypted

  Correct Answer: A

  The CRL must be public so that it can be known which keys and certificates have been revoked. In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

  Incorrect Answers:

  B: A CRL is a database of revoked keys and signatures. It does not sign other keys.

  C: Keeping the CRL secret would be against the purpose of the CRL, which is to provide information regarding revoked keys and certificates.

  D: The CRL must be readily available so it should not be encrypted.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-285, 285

• Question 723:

  Which of the following should a security technician implement to identify untrusted certificates?

  A. CA

  B. PKI

  C. CRL

  D. Recovery agent

  Correct Answer: C

  Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included.

  Incorrect Answers:

  A: A certificate authority (CA) is an organization, not a static record containing certificates. A CA is responsible for issuing, revoking, and distributing certificates.

  B: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Within a PKI you can use CRL to meet the requirements in this question.

  D: A recovery agent cannot be used to check if certificates are still valid. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 279-285, 285

• Question 724:

  When employees that use certificates leave the company they should be added to which of the following?

  A. PKI

  B. CA

  C. CRL

  D. TKIP

  Correct Answer: C

  The certificates of the leaving employees must be made unusable. This is done by revoking them. The revoke certificates end up in the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

  Incorrect Answers:

  A: You can't add revoked certificates to a PKI.

  A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

  B: You can't add revoked certificates to a CA.

  D: TKIP is a wireless protocol and cannot manage certificates. Temporal Key Integrity Protocol or TKIP was a stopgap security protocol used in the IEEE 802.11 wireless networking standard. TKIP was designed by the IEEE 802.11i task

  group and the Wi-Fi Alliance as an interim solution to replace WEP without requiring the replacement of legacy hardware.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 171, 279-280, 279-285, 285

• Question 725:

  Which of the following identifies certificates that have been compromised or suspected of being compromised?

  A. Certificate revocation list

  B. Access control list

  C. Key escrow registry

  D. Certificate authority

  Correct Answer: A

  Certificates that have been compromised or are suspected of being compromised are revoked. A CRL is a locally stored record containing revoked certificates and revoked keys.

  Incorrect Answers:

  B: Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them access to certain network capabilities. ACLs cannot be used for certificates or keys.

  C: Key escrow is not related to revoked certificates.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  D: In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. You don't use a CA to store revoked certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 156-157, 262, 279-280, 285

• Question 726:

  Public key certificates and keys that are compromised or were issued fraudulently are listed on which of the following?

  A. PKI

  B. ACL

  C. CA

  D. CRL

  Correct Answer: D

  A CRL is a locally stored record containing revoked certificates and revoked keys.

  Incorrect Answers:

  A: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Within a PKI you can use CRL to meet the requirements in this question.

  B: Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them access to certain network capabilities. ACLs cannot be used for certificates or keys.

  C: In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. You don't use a CA to store revoked certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 156-157, 279-280, 279-285, 285

• Question 727:

  A security administrator needs a locally stored record to remove the certificates of a terminated employee. Which of the following describes a service that could meet these requirements?

  A. OCSP

  B. PKI

  C. CA

  D. CRL

  Correct Answer: D

  A CRL is a locally stored record containing revoked certificates and revoked keys.

  Incorrect Answers:

  A: OCSP is a protocol, not a database.

  The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

  B: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Within a PKI you can use CRL to meet the requirements in

  this question.

  C: In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. You don't use a CA to store revoked certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 279-285, 285

• Question 728:

  The finance department works with a bank which has recently had a number of cyber attacks. The finance department is concerned that the banking website certificates have been compromised. Which of the following can the finance department check to see if any of the bank's certificates are still valid?

  A. Bank's CRL

  B. Bank's private key

  C. Bank's key escrow

  D. Bank's recovery agent

  Correct Answer: A

  The finance department can check if any of the bank's certificates are in the CRL or not. If a certificate is not in the CRL then it is still valid. The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

  Incorrect Answers:

  B: Within PKI there are only two methods to verify certificates or keys still are valid. One is using a CRL and the other is using the OCSP protocol. Private key verification cannot be used to a comprised CA.

  C: Key escrow cannot be used to check if a certification is revoked or not. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  D: A recovery agent cannot be used to check if certificates are still valid. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285

• Question 729:

  A CA is compromised and attacks start distributing maliciously signed software updates. Which of the following can be used to warn users about the malicious activity?

  A. Key escrow

  B. Private key verification

  C. Public key verification

  D. Certificate revocation list

  Correct Answer: D

  If we put the root certificate of the comprised CA in the CRL, users will know that this CA (and the certificates that it has issued) no longer can be trusted. The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

  Incorrect Answers:

  A: Key escrow is not related to revoked certificates.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  B: Within PKI there are only two methods to verify certificates or keys still are valid. One is using a CRL and the other is using the OCSP protocol. Private key verification cannot be used to check if a CA is comprised.

  C: Public key verification cannot be used to a comprised CA. Within PKI there are only two methods to verify certificates or keys still are valid. One is using a CRL and the other is using the OCSP protocol.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-285, 285

• Question 730:

  Which of the following provides a static record of all certificates that are no longer valid?

  A. Private key

  B. Recovery agent

  C. CRLs

  D. CA

  Correct Answer: C

  The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.

  Incorrect Answers:

  A: A private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages. A private key cannot provide a list of invalid certificates.

  B: A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. A recovery agent does not provide a list of invalid certificates.

  D: A certificate authority (CA) is an organization, not a static record containing certificates. A CA is responsible for issuing, revoking, and distributing certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 271-285, 285