CompTIA Security Plus Mock Test Q153

A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network. Which of the following should the administrator implement?

A. WPA2 over EAP-TTLS
B. WPA-PSK
C. WPA2 with WPS
D. WEP over EAP-PEAP

Correct Answer: D
Section: Network Security

Explanation:
D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn’t considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/WPA2 standard are EAP-TLS, EAP-PSK, EAP-MD5, as well as LEAP and PEAP. PEAP is similar in design to EAP-TTLS: it requires only a server-side PKI certificate to create a secure TLS tunnel that protects user authentication, and it uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted, and user credentials are safe from eavesdropping.

Incorrect Answers:
A: WPA2 is a more recent version of WEP. Although many consider PEAP and EAP-TTLS to be similar options, PEAP is more secure because it establishes an encrypted channel between the server and the client. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. With EAP-TTLS the client can, but does not have to, be authenticated via a CA-signed PKI certificate to the server.
B: WPA is basically a version of WEP. EAP-PSK, defined in RFC 4764, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.
C: WPA2 is a more recent version of WEP but does not ensure encryption of user credentials when they enter their usernames and passwords to authenticate to the network.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 171, 181