CompTIA Security Plus Mock Test Q1118

In order to use a two-way trust model the security administrator MUST implement which of the following?

A. DAC
B. PKI
C. HTTPS
D. TPM


Correct Answer: B
Section: Cryptography

Explanation:
PKI is a high-level concept. Within a PKI you use a trust model to set up trust between Certification Authorities (CAs).
A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Incorrect Answers:
A: DAC cannot be used to set up trust models.
Discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria “as a means of restricting access to objects based on the
identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission
(perhaps indirectly) on to any other subject (unless restrained by mandatory access control)”.
C: HTTPS is just a protocol. You cannot use HTTPS to set up trust models.
HTTPS is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.
D: Trusted Platform Module (TPM) cannot be used to set up trust models.
A TPM can be used to assist with hash key generation. TPM is the name assigned to a chip that can store cryptographic keys, passwords, or certificates. A TPM can be used to protect smart phones and devices other than PCs as well. It can also be used to generate values used with whole-disk encryption such as BitLocker.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 150, 151-152, 237, 274, 279-285, 290

CompTIA Security Plus Mock Test Q1119

Which of the following types of trust models is used by a PKI?

A. Transitive
B. Open source
C. Decentralized
D. Centralized

Correct Answer: D
Section: Cryptography

Explanation:
PKI uses a centralized trust model. In a simple PKI there is a single centralized certification authority (CA). In a hierarchical trust model the root CA is the center of the model, with subordinate CAs lower in the hierarchy.
Note: A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
A trust model is a collection of rules that informs an application how to decide the legitimacy of a digital certificate.

Incorrect Answers:
A: Some of the trust relationships in a PKI trust model are transitive, but the trust model itself is centralized, not transitive.
B: Open source refers to software and is not a concept within a PKI.
Open source software is software whose source code is available for modification or enhancement by anyone.
C: PKI does not use a decentralized trust model.
Web of trust, an alternative to PKI, uses a decentralized trust model.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 285-289

CompTIA Security Plus Mock Test Q1116

Which of the following allows lower level domains to access resources in a separate Public Key Infrastructure?

A. Trust Model
B. Recovery Agent
C. Public Key
D. Private Key


Correct Answer: A
Section: Cryptography

Explanation:
A bridge trust model allows lower-level domains to access resources in a separate PKI through the root CA.
A trust model is a collection of rules that informs an application how to decide the legitimacy of a digital certificate.
In a bridge trust model, a peer-to-peer relationship exists among the root CAs. The root CAs can communicate with one another, allowing cross certification. This arrangement allows a
certification process to be established between organizations or departments.
Each intermediate CA trusts only the CAs above and below it, but the CA structure can be expanded without creating additional layers of CAs.

Incorrect Answers:
B: A recovery agent cannot be used to bridge trust between PKIs.
A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to
access information that is encrypted with older keys.
C: A public key is available to everyone. A public key cannot be used to bridge trust between PKIs.
D: A private key is a secret key. It cannot be used to bridge trust between PKIs.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 279-285, 285-289

CompTIA Security Plus Mock Test Q1113

Which of the following must be kept secret for a public key infrastructure to remain secure?

A. Certificate Authority
B. Certificate revocation list
C. Public key ring
D. Private key

Correct Answer: D
Section: Cryptography

Explanation:
The private key, which is also called the secret key, must be kept secret.

Incorrect Answers:
A: The CA must be accessible. It should not be kept secret.
A certificate authority (CA) is an organization. A CA is responsible for issuing, revoking, and distributing certificates.
B: The CRL should be readily accessible. It should be posted in a publicly accessible location.
A CRL is a database of revoked keys and signatures.
C: A public key ring must be available for all.
A public key ring is often implemented as a file with public keys in it.
The traditional PGP Key Ring is a sequential file with a sequential list of keys in it.
Slightly more advanced key rings, such as those used in Key Servers actually use a database.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 279-280, 279-285, 285

CompTIA Security Plus Mock Test Q1096

A software development company wants to implement a digital rights management solution to protect its intellectual property. Which of the following should the company implement to enforce software digital rights?

A. Transport encryption
B. IPsec
C. Non-repudiation
D. Public key infrastructure

Correct Answer: D
Section: Cryptography

Explanation:
The Public-Key Infrastructure (PKI) is intended to offer a means of providing security to messages and transactions on a grand scale. The need for universal systems to support e-commerce, secure transactions, and information privacy is one aspect of the issues being addressed with PKI. A PKI can be used to protect software.

Incorrect Answers:
A: Transport encryption would protect data that is sent between two entities. It would not be able to protect the use of software.
B: IPsec protects data that is sent between two entities through encryption. It would not be able to protect the use of software.
C: Nonrepudiation is a means of ensuring that transferred data is valid. Nonrepudiation is not a way to protect software.
Nonrepudiation means ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 249, 262, 274-275, 279-285

CompTIA Security Plus Mock Test Q1092

An administrator needs to renew a certificate for a web server. Which of the following should be submitted to a CA?

A. CSR
B. Recovery agent
C. Private key
D. CRL


Correct Answer: A
Section: Cryptography

Explanation:
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.
When you renew a certificate you send a CSR to the CA to get the certificate re-signed.

Incorrect Answers:
B: You cannot use a recovery agent to renew a certificate.
A recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. Recovery is not affected when a user is terminated.
C: You cannot submit a private key to the CA.
A private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages.
D: A CRL cannot be submitted to a CA.
A CRL is a database of revoked keys and signatures.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 279-280, 285
http://en.wikipedia.org/wiki/Certificate_signing_request