CompTIA Security Plus Mock Test Q1052

When using PGP, which of the following should the end user protect from compromise? (Select TWO).

A. Private key
B. CRL details
C. Public key
D. Key password
E. Key escrow
F. Recovery agent


Correct Answer: A,D
Section: Cryptography

Explanation:
A: In PGP only the private key belonging to the receiver can decrypt the session key.
PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.
D: PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key.

Incorrect Answers:
B: A certificate revocation list (CRL) is a list of certificates that have been revoked. An end user of PGP does not have to be concerned with the CRL.
C: The public key is available for everyone. It does not need protection.
E: Key escrow is not related to PGP. Key escrow is the process of storing keys or certificates for use by law enforcement.
F: The recovery agent does not need to be protected by the end user.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 272-273, 285