CompTIA Security Plus Mock Test Q1716

A security administrator is trying to encrypt communication. For which of the following reasons should the administrator take advantage of the Subject Alternative Name (SAN) attribute of a certificate?

A. It can protect multiple domains
B. It provides extended site validation
C. It does not require a trusted certificate authority
D. It protects unlimited subdomains

Correct Answer: B
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1637

The firewall administrator is adding a new certificate for the company’s remote access solution. The solution requires that the uploaded file contain the entire certificate chain for the certificate to load properly. The administrator loads the company certificate and the root CA certificate into the file. The file upload is rejected. Which of the following is required to complete the certificate chain?

A. Certificate revocation list
B. Intermediate authority
C. Recovery agent
D. Root of trust

Correct Answer: B
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1461

Joe, a security technician, is configuring two new firewalls through the web on each. Each time Joe connects, there is a warning message in the browser window about the certificate being untrusted. Which of the following will allow Joe to configure a certificate for the firewall so that firewall administrators are able to connect both firewalls without experiencing the warning message?

A. Apply a permanent override to the certificate warning in the browser
B. Apply a wildcard certificate obtained from the company’s certificate authority
C. Apply a self-signed certificate generated by each of the firewalls
D. Apply a single certificate obtained from a public certificate authority

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1313

A user tries to visit a web site with a revoked certificate. In the background a server from the certificate authority only sends the browser revocation information about the domain the user is visiting. Which of the following is being used by the certificate authority in this exchange?

A. CSR
B. Key escrow
C. OCSP
D. CRL

Correct Answer: D
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1125

A company is concerned that a compromised certificate may result in a man-in-the-middle attack against backend financial servers. In order to minimize the amount of time a compromised certificate would be accepted by other servers, the company decides to add another validation step to SSL/TLS connections. Which of the following technologies provides the FASTEST revocation capability?

A. Online Certificate Status Protocol (OCSP)
B. Public Key Cryptography (PKI)
C. Certificate Revocation Lists (CRL)
D. Intermediate Certificate Authority (CA)

Correct Answer: A
Section: Cryptography

Explanation:
CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates; however, due to limitations with this method it was succeeded by OCSP. The main advantage of OCSP is that the client can query the status of a single certificate instead of having to download and parse an entire list, so there is much less overhead on the client and the network.

Incorrect Answers:
B: PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA).
C: CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates; however, due to limitations with this method it was succeeded by OCSP.
D: An Intermediate Certificate Authority is below the Root CA in a hierarchical trust model. It trusts only information provided by the root CA.

References:
https://www.fir3net.com/Security/Concepts-and-Terminology/certificate-revocation.html
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 278-290

CompTIA Security Plus Mock Test Q1105

The security administrator installed a newly generated SSL certificate onto the company web server. Due to a misconfiguration of the website, a downloadable file containing one of the pieces of the key was available to the public. It was verified that the disclosure did not require a reissue of the certificate. Which of the following was MOST likely compromised?

A. The file containing the recovery agent’s keys.
B. The file containing the public key.
C. The file containing the private key.
D. The file containing the server’s encrypted passwords.

Correct Answer: B
Section: Cryptography

Explanation:
The public key can be made available to everyone. There is no need to reissue the certificate.

Incorrect Answers:
A: The recovery agent has no key.
C: The private key must be secret. If the private key is made available to a third party, then the key must be revoked.
D: Encrypted passwords would not be a security risk. It would be hard to decrypt them.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 279-285

CompTIA Security Plus Mock Test Q1104

Which of the following is synonymous with a server’s certificate?

A. Public key
B. CRL
C. Private key
D. Recovery agent

Correct Answer: A
Section: Cryptography

Explanation:
A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key.

Incorrect Answers:
B: A CRL is not a certificate. It is a database consisting of revoked keys and signatures.
C: A private key is not a certificate. A public key is a certificate.
D: A recovery agent is not a certificate. A recovery agent is used to recover keys.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 279-285, 285

CompTIA Security Plus Mock Test Q1103

The recovery agent is used to recover the:

A. Root certificate
B. Key in escrow
C. Public key
D. Private key

Correct Answer: D
Section: Cryptography

Explanation:
A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key, the recovery agent can decrypt encrypted data.

Incorrect Answers:
A: The key recovery agent recovers the private key, not the root certificate.
B: The key recovery agent recovers the private key, not the key in escrow.
C: The key recovery agent recovers the private key, not the public key.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis

CompTIA Security Plus Mock Test Q1094

In which of the following scenarios is PKI LEAST hardened?

A. The CRL is posted to a publicly accessible location.
B. The recorded time offsets are developed with symmetric keys.
C. A malicious CA certificate is loaded on all the clients.
D. All public keys are accessed by an unauthorized user.

Correct Answer: C
Section: Cryptography

Explanation:
A rogue Certification Authority (CA) certificate allows malicious users to impersonate any Web site on the Internet, including banking and e-commerce sites secured using the HTTPS protocol. A rogue CA certificate would be seen as trusted by Web browsers, and it is harmful because it can appear to be signed by one of the root CAs that browsers trust by default. A rogue Certification Authority (CA) certificate can be created using a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure Web sites.

Incorrect Answers:
A: The CRL should be readily accessible. It should be posted in a publicly accessible location. A CRL is a database of revoked keys and signatures.
B: Incorrect time offsets are much less of a security threat compared to a rogue Certification Authority certificate.
D: Public keys are public and can be accessed by anyone.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 279-285
http://www.webopedia.com/TERM/R/rogue_certification_authority_certificate.html