CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 731:

  Which of the following MUST be updated immediately when an employee is terminated to prevent unauthorized access?

  A. Registration

  B. CA

  C. CRL

  D. Recovery agent

  Correct Answer: C

  Certificates or keys for the terminated employee should be put in the CRL. A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked.

  Incorrect Answers:

  A: The registration of any certificates or keys for the terminated employee should be revoked. These keys and certificates should be put in the CRL.

  B: More specifically, it is not the CA that need to be updated, just the CRL.

  D: A recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. A recovery is not affected when a user is terminated.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 280-281, 285

• Question 732:

  A CRL is comprised of.

  A. Malicious IP addresses.

  B. Trusted CA's.

  C. Untrusted private keys.

  D. Public keys.

  Correct Answer: D

  A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked. The certificates for which a CRL should be maintained are

  often X.509/public key certificates, as this format is commonly used by PKI schemes.

  Incorrect Answers:

  A: The CRL contains certificates and keys, not IP addresses.

  B: Trusted CAs are not listed in the CRL.

  C: Public keys, not private keys, might be included in the CRL.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 278-285, 279-280, 285

• Question 733:

  A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network?

  A. A CRL

  B. Make the RA available

  C. A verification authority

  D. A redundant CA

  Correct Answer: A

  A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. By checking the CRL you can check if a particular certificate has been revoked.

  Incorrect Answers:

  B: Access to a registration authority (RA) is not required to check for bad certificates. A CRL will do fine. A registration authority (RA) offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept registrations for the CA, and validate identities.

  C: A verification authority is used to check the uniqueness of a certificate, not primarily to check for bad certificates. The user identity must be unique within each CA domain. The third-party validation authority (VA)/verification authority can provide this information on behalf of the CA. The binding is established through the registration and issuance process.

  D: A redundant CA is not required to check for bad certificates. A CRL will do fine.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 285

• Question 734:

  Joe, a user, reports to the system administrator that he is receiving an error stating his certificate has been revoked. Which of the following is the name of the database repository for these certificates?

  A. CSR

  B. OCSP

  C. CA

  D. CRL

  Correct Answer: D

  A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key.

  Incorrect Answers:

  A: A CSR is a request to a CA, not a database of revoked certificates. One of the first steps in getting a certificate is to submit a certificate-signing request (CSR). This is a request formatted for the CA. This request will have the public key you

  wish to use and your fully distinguished name (often a domain name). The CA will then use this to process your request for a digital certificate.

  B: OCSP is a protocol, not a database.

  The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

  C: A CA is not a database for revoked certificates, though the CRL is stored on the CA. A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 285

• Question 735:

  When reviewing a digital certificate for accuracy, which of the following would Matt, a security administrator, focus on to determine who affirms the identity of the certificate owner?

  A. Trust models

  B. CRL

  C. CA

  D. Recovery agent

  Correct Answer: C

  A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. The CA affirms the identity of the certificate owner.

  Incorrect Answers:

  A: A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. A trust model in itself would not help matt to affirm the identity of the certificate owner.

  B: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. A CRL is not used to issue certificates or affirm the identity of owner of a certificate.

  D: A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. A key recovery agent could not affirm the identity of owner of a certificate.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 279-280, 285, 285-289

• Question 736:

  Pete, an employee, needs a certificate to encrypt data. Which of the following would issue Pete a certificate?

  A. Certification authority

  B. Key escrow

  C. Certificate revocation list

  D. Registration authority

  Correct Answer: A

  A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.

  Incorrect Answers:

  B: Key escrow is not related to issuing certificates.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  C: A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key. A CRL is not used to issue certificates.

  D: A registration authority (RA) offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept registrations for the CA, and validate identities. However, the RA doesn't issue

  certificates; that responsibility remains with the CA.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 278-290

• Question 737:

  A company's security administrator wants to manage PKI for internal systems to help reduce costs. Which of the following is the FIRST step the security administrator should take?

  A. Install a registration server.

  B. Generate shared public and private keys.

  C. Install a CA

  D. Establish a key escrow policy.

  Correct Answer: C

  PKI is a two-key, asymmetric system with four main components: certificate authority (CA), registration authority (RA), RSA (the encryption algorithm), and digital certificates. When you implement a PKI you should start by installing a CA.

  Incorrect Answers:

  A: When you implement a PKI you are not required to install a registration server. You can rely on a public registration authority server.

  B: To generate shared public and private keys you would need a CA.

  D: A key escrow policy is not required for a PKI.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 278-290

• Question 738:

  Company employees are required to have workstation client certificates to access a bank website. These certificates were backed up as a precautionary step before the new computer upgrade. After the upgrade and restoration, users state

  they can access the bank's website, but not login.

  Which is the following is MOST likely the issue?

  A. The IP addresses of the clients have change

  B. The client certificate passwords have expired on the server

  C. The certificates have not been installed on the workstations

  D. The certificates have been installed on the CA

  Correct Answer: C

  The computer certificates must be installed on the upgraded client computers.

  Incorrect Answers:

  A: Changing the IP address of a client would not affect the certificate.

  B: It is not likely that the certificates expired at the time that the clients were upgraded.

  D: It is not likely that the client certificates were installed on the CA at the time that the clients were upgraded.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 281-284

• Question 739:

  Which of the following components MUST be trusted by all parties in PKI?

  A. Key escrow

  B. CA

  C. Private key

  D. Recovery key

  Correct Answer: B

  A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. In a simple trust model all parties must trust the CA. In a more complicated trust model all parties must trust the Root CA.

  Incorrect Answers:

  A: Key escrow is nothing that needs to be trusted.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  C: A private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages.

  D: A recovery key has no specific function within a PKI.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 278-290

• Question 740:

  Which of the following is used to certify intermediate authorities in a large PKI deployment?

  A. Root CA

  B. Recovery agent

  C. Root user

  D. Key escrow

  Correct Answer: A

  The root CA certifies other certification authorities to publish and manage certificates within the organization. In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren't. This arrangement allows a high level of control at all levels of the hierarchical tree. .

  Incorrect Answers:

  B: A recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. A recovery agent does not certify entities.

  C: The root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. The root user does not certify entities.

  D: Key escrow is not related to certifying authorities.

  Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages)

  and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee's private messages have been called into question.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 278-290