An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES modes of operation would meet this integrity-only requirement?
A new MPLS network link has been established between a company and its business partner. The link provides logical isolation in order to prevent access from other business partners. Which of the following should be applied in order to achieve confidentiality and integrity of all data across the link?
A. MPLS should be run in IPVPN mode. B. SSL/TLS for all application flows. C. IPSec VPN tunnels on top of the MPLS link. D. HTTPS and SSH for all application flows.
Correct Answer: C Section: Cryptography
IPsec runs perfectly well over MPLS: an IPsec VPN tunnel (ESP in tunnel mode) built on top of the MPLS link encrypts and authenticates every packet that crosses it, whatever application produced it.
IPsec operates at the network layer. In transport mode it protects only the payload of each packet; in tunnel mode it encapsulates the whole original packet inside a new IP header, which is how site-to-site (LAN-to-LAN) VPNs are built, and it can also serve remote-access clients. ESP provides encryption of the data and, with its integrity option, authentication of the packet; AH provides authentication and integrity of the packet including its headers. That combination of confidentiality and integrity, applied to all traffic on the link, is exactly what the question asks for.
A: An MPLS IP VPN (IPVPN) separates one customer's traffic from another's by label, which is the logical isolation the link already provides; MPLS itself applies no encryption or integrity check, so anyone with access to the provider's network could read or alter the traffic.
B: SSL/TLS protects only the application flows configured to use it; other traffic on the link (protocols without TLS support, DNS, management traffic) would cross in the clear, so it does not cover all data.
D: HTTPS and SSH likewise secure individual application sessions, not every packet on the link. Protecting all data requires a network-layer tunnel.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 91, 103-105, 268, 271, 274, 274-275
Which of the following protocols encapsulates an IP packet with an additional IP header?
A. SFTP B. IPSec C. HTTPS D. SSL
Correct Answer: B Section: Cryptography
IPsec in tunnel mode takes the entire original IP packet, header and payload, and prepends a new outer IP header addressed to the tunnel endpoints (typically two VPN gateways). The outer header's protocol field is 51 for Authentication Header (AH) or 50 for Encapsulating Security Payload (ESP), and the AH/ESP "next header" field records that an IPv4 packet (protocol number 4) follows. In transport mode, by contrast, the original IP header is kept and only the payload is protected.
A: The SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) does not encapsulate IP packets with an additional IP header.
SFTP is a network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream.
C: HTTPS does not add an extra IP header to IP packets.
Technically, HTTPS is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL or TLS protocol, thus adding the
security capabilities of SSL/TLS to standard HTTP communications.
D: SSL does not encapsulate IP packets with an additional IP header.
Secure Sockets Layer (SSL) is used to establish a secure communication connection between two TCP-based machines.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 75, 76, 268-269, 274, 274-275
Which of the following cryptographic algorithms is MOST often used with IPSec?
A. Blowfish B. Twofish C. RC4 D. HMAC
Correct Answer: D Section: Cryptography
HMAC-MD5-96 (also written HMAC-MD5) and HMAC-SHA1-96 are the keyed-hash message authentication codes that IPsec AH and ESP use as the integrity check value (ICV); the "96" means the full HMAC output is truncated to its first 96 bits (12 bytes). HMAC is not an encryption technique: it lets the receiver verify that a packet has not been altered and that it came from a peer holding the shared key, which is why nearly every IPsec security association uses it.
A: Blowfish is a symmetric block cipher that some IPsec implementations support as an ESP encryption algorithm, but it is not required by the standards and is used far less often than HMAC.
B: Twofish, the successor to Blowfish (not a variant of it), is likewise only an optional ESP cipher in some implementations.
C: RC4 is a stream cipher known from wireless security (WEP and WPA/TKIP); it is not used by IPsec. IPsec uses HMAC-MD5 or HMAC-SHA1 for data integrity.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 139, 250, 251, 255-256, 260
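The two preceding questions (the extra IP header that tunnel mode adds, and HMAC-MD5-96 as the integrity check) are easier to see in bytes. The following is an added example written for this page, not code from the study guide or from any IPsec implementation: it builds an IPv4 packet, wraps it in an outer IPv4 header plus an AH (tunnel mode, protocol 51), computes the 96-bit ICV with HMAC-MD5 over the packet with the mutable header fields zeroed (RFC 4302), and verifies it. The addresses, SPI and key are constructed sample values, and the packet is never put on the wire.

```python
import hashlib
import hmac
import struct

# IANA protocol numbers
IPPROTO_IPIP = 4     # IPv4-in-IPv4: the AH "next header" value in tunnel mode
IPPROTO_UDP = 17
IPPROTO_AH = 51      # Authentication Header (ESP would be 50)

AH_LEN = 24                       # 12 fixed bytes + 12-byte (96-bit) ICV
AH_PAYLOAD_LEN = AH_LEN // 4 - 2  # AH "Payload Len" field: 32-bit words minus 2


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(hdr: bytes) -> bytes:
    """Zero the IPv4 fields AH excludes from the ICV because routers legitimately
    change them in transit: TOS, flags/fragment offset, TTL and header checksum."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 truncated to its first 96 bits, as used for the AH/ESP ICV (RFC 2403)."""
    return hmac.new(key, data, hashlib.md5).digest()[:12]


def ah_tunnel_encapsulate(inner: bytes, outer_src: bytes, outer_dst: bytes,
                          spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: prepend a new outer IP header and an AH to the whole inner packet.
    The inner packet, including its original IP header, travels unchanged and in the clear."""
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_AH, AH_LEN + len(inner))
    ah_fixed = struct.pack("!BBHII", IPPROTO_IPIP, AH_PAYLOAD_LEN, 0, spi, seq)
    authenticated = zero_mutable_fields(outer) + ah_fixed + b"\x00" * 12 + inner
    return outer + ah_fixed + hmac_md5_96(key, authenticated) + inner


def ah_tunnel_verify(pkt: bytes, key: bytes):
    """Recompute the ICV; return the inner packet if it matches, else None."""
    outer, ah, inner = pkt[:20], pkt[20:20 + AH_LEN], pkt[20 + AH_LEN:]
    if outer[9] != IPPROTO_AH or ah[0] != IPPROTO_IPIP or ah[1] != AH_PAYLOAD_LEN:
        return None
    expected = hmac_md5_96(key, zero_mutable_fields(outer) + ah[:12] + b"\x00" * 12 + inner)
    return inner if hmac.compare_digest(ah[12:], expected) else None


# Constructed sample: a private-network UDP packet, then the tunnel that carries it.
KEY = b"constructed demo key, not a real SA key"
INNER = ipv4_header(bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]), IPPROTO_UDP, 8 + 5) \
    + struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"
TUNNELED = ah_tunnel_encapsulate(INNER, bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1]),
                                 spi=0x1000, seq=1, key=KEY)


def demo():
    """Show what AH does and does not protect."""
    ok = ah_tunnel_verify(TUNNELED, KEY) == INNER
    hop = bytearray(TUNNELED)
    hop[8] -= 1                                  # a router decremented the outer TTL: still valid
    ttl_change_ok = ah_tunnel_verify(bytes(hop), KEY) == INNER
    tampered = bytearray(TUNNELED)
    tampered[-1] ^= 0x01                         # an attacker flipped a payload bit: rejected
    tamper_detected = ah_tunnel_verify(bytes(tampered), KEY) is None
    payload_readable = b"hello" in TUNNELED      # AH gives integrity, not confidentiality
    return ok, ttl_change_ok, tamper_detected, payload_readable


if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is the point of the "integrity without confidentiality" question at the top of the page: the inner packet is authenticated but fully readable, so ESP (protocol 50) is needed when the data must also be encrypted.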
Which of the following is used to verify data integrity?
A. SHA B. 3DES C. AES D. RSA
Correct Answer: A Section: Cryptography
SHA stands for "secure hash algorithm". SHA-1 was for many years the most widely deployed SHA hash function, employed in TLS and SSL, PGP, SSH, S/MIME, and IPsec; since practical collisions were demonstrated in 2017 it has been deprecated in favour of the SHA-2 family (SHA-256, SHA-512),
which fills the same role. A hash function is used to ensure data integrity.
A hash value (or simply hash), also called a message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a
formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with. A bare hash sent alongside the message is not enough on its own, because an attacker who alters the message can simply recompute it; the hash must be bound to a secret,
either by encrypting or signing it (a digital signature is a hash encrypted with the sender's private key) or by computing it with a shared key (HMAC). The sender generates the hash of the message, protects it in one of those ways, and sends it with the message. The recipient recovers the sender's hash, produces another hash from the received message, and compares the two
hashes. If they're the same, there is a very high probability that the message was transmitted intact. This is how hashing is used to ensure data integrity.
B: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data
Encryption Standard (DES) cipher algorithm three times to each data block. 3DES is used to encrypt data, not to verify data integrity.
C: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES) which was
published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is used to encrypt
data, not to verify data integrity.
D: RSA is an asymmetric (public-key) algorithm used to encrypt data in transit and to create digital signatures. RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages;
messages encrypted with the public key can only be decrypted in a reasonable amount of time using the private key. RSA is an encryption and signature primitive, not a hash; on its own it does not verify data integrity (an RSA signature hashes the message first, typically with SHA).
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 250, 251, 255-256
An administrator needs to secure RADIUS traffic between two servers. Which of the following is the BEST solution?
A. Require IPSec with AH between the servers B. Require the message-authenticator attribute for each message C. Use MSCHAPv2 with MPPE instead of PAP D. Require a long and complex shared secret for the servers
Correct Answer: A Section: Network Security
IPsec is used for a secure point-to-point connection traversing an insecure network such as the Internet. Authentication Header (AH) is one of the two IPsec protocols; it authenticates the sender and protects the integrity of the entire IP packet, including the IP header, so neither the RADIUS payload nor the headers can be modified in transit without detection. Note that AH does not encrypt; where the RADIUS attributes must also be kept confidential, ESP is used instead of, or together with, AH.
B: The Message-Authenticator attribute (RFC 2869) is an HMAC-MD5 computed with the shared secret over the whole RADIUS packet; it lets the receiver detect altered or forged packets, but it does not encrypt anything, and it covers only the RADIUS message rather than the IP packet
carrying it. The question asks for the BEST method to secure RADIUS traffic between two servers, and IPsec with AH is the better option.
C: MSCHAPv2 with MPPE provides mutual (two-way) authentication that verifies the identity of both sides of the connection, and data security for the PPTP connection between the
VPN client and the VPN server. It protects that PPP link, not the RADIUS exchange between two servers, so it is not the BEST method to secure RADIUS traffic
between two servers.
D: The shared secret is always in play: it keys the Message-Authenticator HMAC, the MD5-based Response Authenticator, and the MD5 hiding of the User-Password attribute. A long, complex secret makes it harder to guess, but it does nothing for the other attributes (User-Name, Framed-IP-Address and so on), which are sent in the clear, and it does not by itself protect an Access-Request against modification unless Message-Authenticator is present.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 41
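To make concrete what options B and D actually provide, here is an added example written for this page (not code from the review guide or from any RADIUS server): it builds an Access-Request with User-Name, a User-Password hidden with the RFC 2865 MD5 scheme, and a Message-Authenticator computed as HMAC-MD5 over the packet with that attribute zeroed (RFC 2869), then shows that the HMAC detects tampering while the user name stays readable and the password is recoverable by anyone holding the shared secret. The secret, Request Authenticator and credentials are constructed sample values; a real client generates the Request Authenticator at random.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (including these 2 bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def iter_attrs(pkt: bytes):
    """Yield (offset, type, value) for every attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield off, atype, pkt[off + 2:off + alen]
        off += alen


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. This is obfuscation, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; anyone who knows the shared secret can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, req_auth: bytes, secret: bytes,
                         username: bytes, password: bytes) -> bytes:
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, entire packet
    with the Message-Authenticator value set to zeros), per RFC 2869 section 5.14."""
    attrs = attr(ATTR_USER_NAME, username) + \
        attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    placeholder = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(placeholder)) + req_auth
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Recompute the HMAC over the packet with the received MAC zeroed and compare."""
    for off, atype, value in iter_attrs(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return False  # no Message-Authenticator: nothing in the request is integrity-protected


# Constructed sample values.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
PACKET = build_access_request(7, REQ_AUTH, SECRET, b"alice", b"correct horse battery staple")


def demo():
    intact = verify_message_authenticator(PACKET, SECRET)
    forged = bytearray(PACKET)
    forged[22] ^= 0x20                    # flip the case of the first User-Name byte
    forged_detected = not verify_message_authenticator(bytes(forged), SECRET)
    name_in_clear = b"alice" in PACKET    # the shared secret hides only User-Password
    hidden = next(v for _, t, v in iter_attrs(PACKET) if t == ATTR_USER_PASSWORD)
    recovered = reveal_password(hidden, SECRET, REQ_AUTH)
    return intact, forged_detected, name_in_clear, recovered


if __name__ == "__main__":
    print(demo())
```

Everything here lives inside the UDP payload, which is why the page's answer prefers IPsec: the MD5-based shared-secret mechanisms protect one attribute and (only when Message-Authenticator is present) the message body, whereas AH authenticates the whole IP packet and ESP can additionally encrypt it.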
A security administrator wishes to change their wireless network so that IPSec is built into the protocol and NAT is no longer required for address range extension. Which of the following protocols should be used in this scenario?
A. WPA2 B. WPA C. IPv6 D. IPv4
Correct Answer: C Section: Network Security
IPsec is part of the IPv6 protocol family: AH and ESP are carried as IPv6 extension headers, and the original IPv6 node requirements (RFC 4294) mandated IPsec support (RFC 6434 later relaxed this to a SHOULD). IPv6's 128-bit addresses also remove the address shortage that makes NAT necessary for address range extension in IPv4.
A: WPA2 uses AES-CCMP for link-layer encryption on the wireless network; it does not build IPsec into the protocol and has no bearing on addressing.
B: WPA uses the RC4 encryption algorithm with TKIP; likewise a link-layer protection only.
D: IPsec is an optional add-on to IPv4, and IPv4's limited address space is what drives the use of NAT.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 145, 172
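"Built into IPv6" means that AH and ESP sit in the IPv6 Next Header chain like any other extension header. The following is an added example written for this page (not code from the study guide): it walks the extension header chain of constructed IPv6 packets, steps over Hop-by-Hop, Routing, Destination Options, Fragment and AH headers using each header's own length encoding, stops at ESP (whose next-header field is inside the encrypted trailer), and rejects a header that claims to extend past the packet. The addresses are documentation prefixes and the AH ICV is a zero placeholder, not a computed value.

```python
import struct

# IPv6 Next Header values (IANA)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ESP, AH = 50, 51
TCP, UDP, ICMPV6 = 6, 17, 58
EXTENSION_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, ESP)


def ipv6_header(src: bytes, dst: bytes, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 base header (version 6, no checksum) followed by the payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit, src, dst) + payload


def walk_headers(pkt: bytes):
    """Follow the Next Header chain. Returns (extension headers seen, upper-layer protocol),
    with the protocol reported as None when ESP hides it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack("!H", pkt[4:6])[0]
    nh, off, chain = pkt[6], 40, []
    while nh in EXTENSION_HEADERS:
        if nh == ESP:
            return chain + [nh], None
        if off + 2 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            length = 8                          # fixed-size header
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4     # Payload Len: 32-bit words minus 2 (RFC 4302)
        else:
            length = (pkt[off + 1] + 1) * 8     # Hdr Ext Len: 8-octet units not counting the first 8
        chain.append(nh)
        nh, off = pkt[off], off + length
        if off > end:
            raise ValueError("extension header runs past the packet")
    return chain, nh


def ipsec_protection(pkt: bytes) -> str:
    """Report whether the packet carries ESP, only AH, or no IPsec header at all."""
    chain, _ = walk_headers(pkt)
    if ESP in chain:
        return "esp"
    if AH in chain:
        return "ah"
    return "none"


def rejects(pkt: bytes) -> bool:
    """True if walk_headers refuses the packet as malformed."""
    try:
        walk_headers(pkt)
        return False
    except ValueError:
        return True


# Constructed samples using the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
UDP_SEG = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"   # checksum left at 0 for the sample

PLAIN = ipv6_header(SRC, DST, UDP, UDP_SEG)
# Hop-by-Hop (8 bytes: next header AH, ext len 0, PadN option) -> AH (24 bytes) -> UDP
HBH = bytes([AH, 0, 1, 4, 0, 0, 0, 0])
AH_HDR = struct.pack("!BBHII", UDP, 24 // 4 - 2, 0, 0x1000, 1) + b"\x00" * 12  # placeholder ICV
AH_PROTECTED = ipv6_header(SRC, DST, HOP_BY_HOP, HBH + AH_HDR + UDP_SEG)
# ESP: SPI + sequence number, then opaque ciphertext; the inner next-header is unreadable
ESP_PROTECTED = ipv6_header(SRC, DST, ESP, struct.pack("!II", 0x2000, 1) + b"\x13\x37" * 12)
# Hop-by-Hop claiming 88 bytes inside an 8-byte payload
TRUNCATED = ipv6_header(SRC, DST, HOP_BY_HOP, bytes([UDP, 10]) + b"\x00" * 6)


def demo():
    return (ipsec_protection(PLAIN), walk_headers(PLAIN)[1],
            ipsec_protection(AH_PROTECTED), walk_headers(AH_PROTECTED),
            ipsec_protection(ESP_PROTECTED), rejects(TRUNCATED))


if __name__ == "__main__":
    print(demo())
```

The bounds checks are not decoration: a filter that walks extension headers trusting the length fields can be pushed past the packet or into an infinite loop, and a filter that stops at the first unknown header can be made to miss the transport protocol entirely, so "IPsec built in" still has to be parsed defensively.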