A security administrator needs to implement a technology that creates a secure key exchange. Neither party involved in the key exchange will have pre-existing knowledge of one another. Which of the following technologies would allow for this?
A security administrator must implement a secure key exchange protocol that will allow company clients to autonomously exchange symmetric encryption keys over an unencrypted channel. Which of the following MUST be implemented?
A. SHA-256 B. AES C. Diffie-Hellman D. 3DES
Correct Answer: C Section: Cryptography
Diffie-Hellman key exchange (D-H) is a means of securely generating symmetric encryption keys across an insecure medium.
A: SHA-256 can be used to detect violations of data integrity. It will not, however, allow company clients to autonomously exchange symmetric encryption keys over an unencrypted
B: AES is a specification for the encryption of electronic data. It will not, however, allow company clients to autonomously exchange symmetric encryption keys over an unencrypted
D: 3DES is a symmetric-key algorithm for the encryption of electronic data. It will not, however, allow company clients to autonomously exchange symmetric encryption keys over an
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 336
A security administrator must implement a system to allow clients to securely negotiate encryption keys with the company’s server over a public unencrypted communication channel. Which of the following implements the required secure key negotiation? (Select TWO).
A. PBKDF2 B. Symmetric encryption C. Steganography D. ECDHE E. Diffie-Hellman
Correct Answer: D,E Section: Cryptography
Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret
over an insecure channel. This shared secret may be directly used as a key, or better yet, to derive another key which can then be used to encrypt subsequent communications using a
symmetric key cipher. It is a variant of the Diffie–Hellman protocol using elliptic curve cryptography.
Note: Adding an ephemeral key to Diffie-Hellman turns it into DHE (which, despite the order of the acronym, stands for Ephemeral Diffie-Hellman).
Adding an ephemeral key to Elliptic Curve Diffie-Hellman turns it into ECDHE (again, overlook the order of the acronym letters; it is called Ephemeral Elliptic Curve Diffie-Hellman). It is
the ephemeral component of each of these that provides the perfect forward secrecy.
A: PBKDF2 is used to strengthen keys, but it would not resolve the problem of key exchange over an insecure channel.
PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies a function (such as a hash or HMAC) to the password or passphrase together with a salt to produce a derived key.
B: Symmetric encryption would not in itself help on an insecure channel.
C: Steganography is the process of hiding one message in another. Steganography is not used for secure key negotiation.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 248, 249-251, 254, 256
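The following Python script is an added worked example, not taken from either study guide cited above, of what both answer explanations describe: two parties with no prior shared secret agree on a symmetric key over a channel an eavesdropper can read, and fresh per-session private values give the "ephemeral" property behind DHE/ECDHE. The group parameters (p = 2039, g = 2) are a constructed toy safe-prime group chosen so the arithmetic is easy to follow; the function names and the HKDF-style key derivation are this example's own choices, not an API from any library.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this demonstration only: p is a safe prime (p = 2q + 1,
# q = 1019) and g = 2 generates the subgroup of prime order q. Real deployments use
# 2048-bit or larger groups (for example the RFC 7919 ffdhe groups) or an elliptic curve.
P = 2039
Q = (P - 1) // 2
G = 2


def group_is_sane():
    """Sanity check on the parameters: p must be odd and g must have order q."""
    return P % 2 == 1 and G > 1 and pow(G, Q, P) == 1


def keygen(private=None):
    """Return (x, g^x mod p). A fresh random x per session is what makes DH 'ephemeral'."""
    x = private if private is not None else 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def valid_public(y):
    """Reject degenerate values (0, 1, p-1) and anything outside the order-q subgroup."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def shared_secret(x, peer_y):
    """g^(x*x') mod p, computed by each side from its own private x and the peer's public y."""
    if not valid_public(peer_y):
        raise ValueError("peer public value failed validation")
    return pow(peer_y, x, P)


def derive_key(z, transcript, length=16):
    """HKDF-style extract-then-expand with HMAC-SHA-256, binding the key to the exchanged messages.

    The raw DH result z is never used directly as a cipher key; it is passed through a KDF.
    """
    ikm = z.to_bytes((P.bit_length() + 7) // 8, "big")
    salt = hashlib.sha256(transcript).digest()
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm = hmac.new(prk, b"toy-dh-demo" + b"\x01", hashlib.sha256).digest()
    return okm[:length]


def session(x_alice=None, x_bob=None):
    """Run one exchange; return what an eavesdropper sees plus each side's derived key."""
    xa, A = keygen(x_alice)
    xb, B = keygen(x_bob)
    # Everything in 'wire' crosses the unencrypted channel; xa and xb never do.
    wire = {"p": P, "g": G, "A": A, "B": B}
    transcript = b"|".join(str(v).encode() for v in (P, G, A, B))
    key_a = derive_key(shared_secret(xa, B), transcript)
    key_b = derive_key(shared_secret(xb, A), transcript)
    return wire, key_a, key_b


if __name__ == "__main__":
    wire, ka, kb = session()
    print("on the wire:", wire)
    print("Alice key:", ka.hex())
    print("Bob   key:", kb.hex())
    print("agree:", ka == kb)
```

Run it twice and the keys differ each time even though p and g are fixed: the per-session private exponents are what make the result ephemeral, so a later compromise of one long-term credential reveals nothing about past session keys. The public-value check in valid_public is the defensive step a practitioner adds to a finite-field DH implementation; with a group this small an eavesdropper could recover x by brute force, which is exactly why real parameters are thousands of bits long.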