Printed from www.StudyDroid.com

CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition, Chapter 9
0x4b4d

Front Back

1. PKI (Public Key Infrastructure) is an asymmetric-key system utilizing how many keys?
A. One
B. Two
C. Three
D. Four


1. B. PKI (Public Key Infrastructure) is an asymmetric system utilizing two keys: a public key and a private key.


2. A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing:
A. Tokens
B. Licenses
C. Certificates
D. Tickets


2. C. A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.


3. A registration authority (RA) can do all the following except:
A. Distribute keys
B. Accept registrations for the CA
C. Validate identities
D. Give recommendations


3. D. A registration authority (RA) can distribute keys, accept registrations for the CA, and validate identities. It cannot give recommendations.


4. The primary difference between an RA and _____ is that the latter can be used to identify or establish the identity of an individual.
A. MLA
B. STR
C. BSO
D. LRA


4. D. The primary difference between an RA and LRA is that the LRA can be used to identify or establish the identity of an individual.


5. The most popular certificate used is version 3 of:
A. X.509
B. B.102
C. C.409
D. Z.602


5. A. The most popular certificate used is version 3 of X.509.


6. The process of requiring interoperability is called:
A. Cross examination
B. Cross certification
C. Cross scoping
D. Cross marking


6. B. Cross certification is the process of establishing interoperability between CAs: each CA certifies the other, so certificates issued under one are trusted under the other.


7. A Certificate Practice Statement (CPS) is a detailed statement the CA uses to issue certificates and ______ of the CA.
A. Implement policies
B. Control processes
C. Regulate actions
D. Complete processes


7. A. A Certificate Practice Statement (CPS) is a detailed statement the CA uses to issue certificates and implement policies of the CA.


8. Certificate revocation is the process of revoking a certificate before it:
A. Is renewed
B. Becomes public
C. Reuses a value
D. Expires


8. D. Certificate revocation is the process of revoking a certificate before it expires.


9. Which of the following is not one of the four main types of trust models used with PKI?
A. Hierarchical
B. Bridge
C. Custom
D. Mesh
E. Hybrid


9. C. The four main types of trust models used with PKI are hierarchical, bridge, mesh, and hybrid. Custom is not one of the main PKI trust models.


10. Which of the following refers to the ability to manage individual resources in the CA network?
A. Regulation
B. Granularity
C. Management
D. Restricting


10. B. Granularity refers to the ability to manage individual resources in the CA network.


11. A hierarchical trust model is also known as a:
A. Bush
B. Branch
C. Tree
D. Limb


11. C. A hierarchical trust model is also known as a tree.


12. In a bridge trust model, a ______ to ______ relationship exists between the root CAs.
A. Parent, child
B. Peer, peer
C. Father, daughter
D. Sister, parent


12. B. In a bridge trust model, a peer-to-peer relationship exists between the root CAs.


13. The mesh trust model is also known as what?
A. Web structure
B. Car model
C. Web redemption
D. Corrupt system


13. A. The mesh trust model is also known as a web structure.


14. Key management includes all of the following stages/areas except:
A. Centralized versus decentralized key generation
B. Key storage and distribution
C. Key locking
D. Key escrow
E. Key expiration


14. C. Key management includes centralized versus decentralized key generation, key storage and distribution, key escrow, and key expiration. Key locking is not a part of key management.


15. Key destruction is the process of destroying keys that have become:
A. Invalid
B. Expired
C. Ruined
D. Outdated


15. A. Key destruction is the process of destroying keys that have become invalid.


16. Public Key Infrastructure (PKI) is a first attempt to provide all the aspects of security to messages and transactions that have been previously discussed. It contains four components:
A. Certificate Authority (CA), Registration Authority (RA), RSA, and digital certificates
B. Certificate Authority (CA), RSA, Document Authority (DA), and digital certificates
C. Document Authority (DA), Certificate Authority (CA), and RSA
D. Registration Authority (RA), RSA, and digital certificates


16. A. Public Key Infrastructure (PKI) contains four components: certificate authority (CA), registration authority (RA), RSA, and digital certificates.


17. Which of the following is responsible for issuing certificates?
A. Registration authority (RA)
B. Certificate authority (CA)
C. Document authority (DA)
D. Local registration authority (LRA)


17. B. The certificate authority (CA) is responsible for issuing certificates.


18. In a bridge trust model, each intermediate CA trusts only those CAs that are:
A. Above and below it
B. Above it
C. Below it
D. On the same level


18. A. In a bridge trust model, each intermediate CA trusts those CAs that are above and below it.


19. Which of the following is an attack against the algorithm?
A. Birthday attack
B. Weak key attack
C. Mathematical attack
D. Registration attack


19. C. A mathematical attack is an attack against the algorithm.


20. One disadvantage of decentralized key generation is:
A. It depends on key escrow.
B. It is more vulnerable to single point attacks.
C. There are more risks of attacks.
D. It creates a storage and management issue.


20. D. A disadvantage of decentralized key generation is the storage and management issue it creates.


Public Key Infrastructure (PKI)


Two-key (asymmetric) security system: each party holds a public key and a private key
Four parts:
Certificate Authority (CA)
Registration Authority (RA)
RSA encryption algorithm (the asymmetric algorithm the guide names; other asymmetric algorithms such as ECDSA fill the same role in practice)
Digital Certificates


Certificate Authority (CA)


Organization responsible for issuing, revoking, and distributing certificates


Registration Authority (RA)


Takes load off the Certificate Authority: accepts registrations, validates identities, and distributes keys
Performs the front-end functions of the CA but does NOT issue certificates (only the CA signs and issues them)


Local Registration Authority (LRA)


Performs the functions of an RA and can additionally identify or establish the identity of the individual requesting a certificate


X.509


ITU-T standard that describes the structure of a digital certificate (subject, issuer, validity period, public key, signature). Current version is 3, which added extensions such as key usage and subject alternative name


Certificate Policies


Define what a certificate may be used for (identification, digital signature, encryption, etc.)


Certificate Practice Statement (CPS)


CA statement detailing issuance of certificates and implementation of policies


Certificate Revocation


Revoking a certificate before it expires. Examples: private key loss, theft or compromise, or an employee leaving the organization


Certificate Revocation List (CRL)


List of revoked certificate serial numbers, signed by the CA
Published on a regular schedule; each CRL carries thisUpdate and nextUpdate times, and clients typically cache it until nextUpdate
There may be a lag between a certificate's revocation and the next CRL publication, during which a cached CRL still reports the certificate as good


Online Certificate Status Protocol (OCSP)


Used to overcome the lag in CRL updates: the client queries an OCSP responder for the status of a single certificate (by serial number) and receives a signed good, revoked, or unknown answer reflecting the CA's current records. The trade-off is a dependency on the responder being reachable
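To make the CRL lag concrete, the following is an added simulation (not code from the study guide) of a relying party that caches a CRL until its nextUpdate time, compared with one that asks an OCSP responder. The CA, the serial number and the timings are constructed; the thisUpdate/nextUpdate window and the good/revoked/unknown answers follow the shape of real CRLs and OCSP responses, but no X.509 objects are parsed, nothing is signed, and no network request is made.

```python
"""Constructed simulation of CRL caching lag versus OCSP.

Added example, not code from the study guide. The CA, serial number and
timings are made up; nothing here parses real X.509 objects or signs anything.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional


class ToyCA:
    """A CA that records revocations immediately but publishes a CRL only on a schedule."""

    def __init__(self, crl_interval: timedelta):
        self.crl_interval = crl_interval
        self.revocations = {}      # serial -> datetime at which the CA revoked it
        self.current_crl = None    # most recently published CRL

    def revoke(self, serial: int, when: datetime) -> None:
        self.revocations[serial] = when

    def publish_crl(self, now: datetime) -> dict:
        """Snapshot of every revocation known at publish time, with the
        thisUpdate/nextUpdate window that a real CRL carries."""
        self.current_crl = {
            "this_update": now,
            "next_update": now + self.crl_interval,
            "serials": frozenset(s for s, t in self.revocations.items() if t <= now),
        }
        return self.current_crl

    def ocsp_status(self, serial: int, now: datetime) -> str:
        """An OCSP responder answering from the CA's live revocation ledger."""
        revoked_at = self.revocations.get(serial)
        if revoked_at is not None and revoked_at <= now:
            return "revoked"
        return "good"


def crl_status(crl: Optional[dict], serial: int, now: datetime) -> str:
    """Relying party that keeps using a cached CRL until its nextUpdate passes.

    Between thisUpdate and nextUpdate the CRL is fresh by its own terms, so a
    certificate revoked after thisUpdate is still reported as good: that is the lag.
    """
    if crl is None or now >= crl["next_update"]:
        return "unknown"   # stale or missing CRL: fetch a new one before deciding
    return "revoked" if serial in crl["serials"] else "good"


def simulate() -> dict:
    """Walk one revocation through both checking methods and return the verdicts."""
    serial = 0x1A2B                                  # constructed serial number
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    ca = ToyCA(crl_interval=timedelta(hours=24))

    crl = ca.publish_crl(t0)                         # daily CRL published at t0
    ca.revoke(serial, t0 + timedelta(hours=1))       # key compromise reported an hour later
    check_time = t0 + timedelta(hours=2)

    verdicts = {
        "crl_during_lag": crl_status(crl, serial, check_time),
        "ocsp_during_lag": ca.ocsp_status(serial, check_time),
    }

    # Next scheduled CRL: the revocation finally appears.
    next_crl = ca.publish_crl(t0 + timedelta(hours=24))
    verdicts["crl_after_refresh"] = crl_status(next_crl, serial, t0 + timedelta(hours=25))

    # A relying party still holding the first CRL past its nextUpdate must not trust it.
    verdicts["stale_crl"] = crl_status(crl, serial, t0 + timedelta(hours=25))
    return verdicts


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:18s} {verdict}")
```

OCSP removes the publication lag but adds a dependency on the responder: a client that soft-fails when the responder times out gets no benefit from it, which is why TLS servers commonly staple a recent signed OCSP response to the handshake so the client never has to contact the responder itself.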


Trust Models


Hierarchical (tree) - Root CA issues to intermediate CAs, which issue to "leaf" CAs or end entities. Trust flows only down the tree
Bridge - Peer-to-peer relationship between root CAs, each cross-certified with a bridge CA. CAs trust only those in their own tree and reach the other tree through their root and the bridge
Mesh - AKA web. Multiple root CAs cross-certify and trust each other directly
Hybrid - Mixture of the capabilities of the other models
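The difference between the trust models shows up in whether a chain of certificates can be built from an end entity to a root the relying party trusts. The following is an added example (not code from the study guide, and not a real path validator) that reduces each certificate to a (subject, issuer) pair with constructed CA names and searches for such a chain under each model, including the cross-certificates that Q6 calls cross certification. Real path validation (RFC 5280) also verifies signatures, validity periods, name and policy constraints, and revocation status, none of which is modelled.

```python
"""Trust-path discovery under the hierarchical, bridge and mesh trust models.

Added example, not code from the study guide. A "certificate" is reduced to a
(subject, issuer) pair and every CA name is constructed.
"""
from collections import deque
from typing import Iterable, List, Optional, Set, Tuple

Cert = Tuple[str, str]   # (subject, issuer)

# Hierarchical (tree): one root, one issuing CA, one end-entity certificate.
HIERARCHICAL: List[Cert] = [
    ("alice", "acme-issuing"),
    ("acme-issuing", "acme-root"),
    ("acme-root", "acme-root"),          # self-signed root
]

# Bridge: two independent trees whose roots are each cross-certified with a
# bridge CA. Neither root certifies the other directly.
BRIDGE: List[Cert] = HIERARCHICAL + [
    ("acme-root", "bridge"),             # bridge CA issues a cross-certificate to acme-root
    ("bridge", "acme-root"),             # acme-root issues one to the bridge CA
    ("bridge", "globex-root"),
    ("globex-root", "bridge"),
    ("globex-root", "globex-root"),
]

# Mesh (web): the roots cross-certify each other directly.
MESH: List[Cert] = HIERARCHICAL + [
    ("acme-root", "globex-root"),
    ("globex-root", "acme-root"),
    ("globex-root", "globex-root"),
]


def find_trust_path(leaf: str, certs: Iterable[Cert], anchors: Set[str],
                    max_depth: int = 8) -> Optional[List[str]]:
    """Breadth-first search from the leaf toward any trust anchor.

    Returns the names along the shortest path, leaf first and anchor last, or
    None when no chain of certificates links the leaf to a root the relying
    party trusts. The visited set and depth limit keep the search from looping
    through the cycles that cross-certification creates.
    """
    issuers = {}
    for subject, issuer in certs:
        issuers.setdefault(subject, set()).add(issuer)

    queue = deque([[leaf]])
    visited = {leaf}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if current in anchors:
            return path
        if len(path) > max_depth:
            continue
        for issuer in sorted(issuers.get(current, ())):
            if issuer == current or issuer in visited:   # skip self-signatures and loops
                continue
            visited.add(issuer)
            queue.append(path + [issuer])
    return None


if __name__ == "__main__":
    cases = [
        ("hierarchical, own root", HIERARCHICAL, {"acme-root"}),
        ("hierarchical, foreign root", HIERARCHICAL, {"globex-root"}),
        ("bridge, foreign root", BRIDGE, {"globex-root"}),
        ("mesh, foreign root", MESH, {"globex-root"}),
    ]
    for label, certs, anchors in cases:
        print(f"{label:28s} {find_trust_path('alice', certs, anchors)}")
```

A relying party in the Globex tree cannot validate alice's certificate under the hierarchical model at all, needs a five-certificate chain through the bridge under the bridge model, and a four-certificate chain under the mesh model. The general problem of finding such chains in a graph of cross-certificates is the subject of RFC 4158 (certification path building).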



Attacking the Key


Attempts to discover the value of the key itself
Brute force, dictionary attacks, rainbow tables, etc.


Attacking the algorithm


Seeking mathematical errors or backdoors


Intercepting the Transmission


Looking for patterns over time or waiting for a user to make a mistake


Birthday Attack


Exploits the probability that two different inputs produce the same hash value (a collision). For an n-bit hash a collision is expected after roughly 2^(n/2) inputs, far fewer than the 2^n needed to find a preimage
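The following is an added example (not from the study guide) that runs a birthday search against SHA-256 truncated to 24 bits, so that the collision appears after a few thousand hashes instead of 2^128, and computes the general birthday-bound figures for any hash width. The truncation is only there to make the search finish quickly; the formulas are the standard ones and apply unchanged to full-width hashes. Collision resistance matters to PKI specifically because a CA signs a hash of the certificate, so an attacker who can produce two certificates with the same hash can transfer a signature from a harmless one to a malicious one.

```python
"""Birthday attack on a truncated hash.

Added example, not code from the study guide. SHA-256 is truncated to a small
number of bits purely so the collision search finishes in well under a second;
the probability formulas are the general ones for any n-bit hash.
"""
import hashlib
import itertools
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), standing in for an n-bit hash function."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Generate distinct messages until two of them share a truncated hash.

    Returns (message_a, message_b, hashes_computed). Messages are a constructed
    counter sequence, so every candidate is distinct by construction.
    """
    seen = {}   # truncated hash -> first message that produced it
    for i in itertools.count():
        message = prefix + str(i).encode()
        h = truncated_hash(message, bits)
        if h in seen:
            return seen[h], message, i + 1
        seen[h] = message


def collision_probability(samples: int, bits: int) -> float:
    """P(at least one collision) among `samples` uniformly random n-bit values:
    1 - exp(-k(k-1) / 2N), with N = 2**bits."""
    return 1.0 - math.exp(-samples * (samples - 1) / (2 * 2 ** bits))


def expected_birthday_trials(bits: int) -> float:
    """Expected samples before the first collision: sqrt(pi/2 * 2**bits),
    i.e. about 2**(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    bits = 24
    a, b, n = find_collision(bits)
    print(f"collision after {n} hashes (expected about {expected_birthday_trials(bits):.0f}):")
    print(f"  {a!r} -> {truncated_hash(a, bits):06x}")
    print(f"  {b!r} -> {truncated_hash(b, bits):06x}")
    print(f"probability of a collision by then: {collision_probability(n, bits):.2f}")
    print(f"a second preimage for one fixed target would cost about {2 ** bits} hashes")
```

For the 24-bit case the search is expected to succeed after about 5,100 hashes versus 16.7 million for a preimage; for a 128-bit hash the same ratio is 2^64 versus 2^128, which is why digest width, not just the absence of known weaknesses, sets the security level of a signature scheme.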


Weak Key Attack


Attacks short or simple keys and passwords, which can be guessed or brute-forced quickly


Mathematical Attack


Focused on the algorithm. Breaking the encryption method rather than the key or message


Key lifecycle


Key (certificate) process from generation to end-of-life or destruction


Key Generation


Centralized generation requires significant system resources on the central server and creates key distribution problems
Decentralized generation spreads the load and the risk, but creates storage and management issues


Key distribution


How keys are stored and delivered
Key Distribution Center in Kerberos
Key Exchange Algorithm in PKI


Key Escrow


A third party holds a copy of the keys so they can be recovered later (e.g., for law enforcement, or for the organization when a key holder leaves or a key is lost)


Key expiration


Each key has an expiration date beyond which it cannot be used


Key revocation


Key is permanently revoked and listed on the CRL
Reasons: loss, theft, compromise, transfer, etc.


Key Suspension


Temporarily deactivating a key. Unlike revocation, a suspension can be lifted (in an X.509 CRL this is the certificateHold reason code, later cleared with removeFromCRL)
Examples: leave of absence or numerous failed logon attempts


Key Archiving/Recovery


Old keys are retained (archived) so that information encrypted under them can still be accessed or recovered


Key Renewal


A key's expiration date can be extended


Key destruction


Destroy the key so that it cannot be reused
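The lifecycle stages above (generation, distribution, expiration, revocation, suspension, archiving, renewal, destruction) are easiest to reason about as a state machine in which only some transitions are legal: a suspension can be reversed, a revocation cannot, an archived key can still decrypt but never sign, and a destroyed key does nothing. The following is an added example (not code from the study guide) that encodes those rules; the key identifier, dates and the exact usage policy are constructed, and the reason-code names in the comments are the RFC 5280 CRL reason codes for suspension, reinstatement and compromise.

```python
"""Key lifecycle state machine.

Added example, not code from the study guide. The key name, dates and usage
policy are constructed; the CRL reason codes named in comments are from RFC 5280.
"""
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Tuple


class State(Enum):
    GENERATED = "generated"
    ACTIVE = "active"
    SUSPENDED = "suspended"   # temporary: CRL entry with reason certificateHold
    REVOKED = "revoked"       # permanent: e.g. reason keyCompromise
    EXPIRED = "expired"
    ARCHIVED = "archived"     # kept only to recover data encrypted under it
    DESTROYED = "destroyed"


# (current state, event) -> next state. Anything not listed is an illegal transition.
TRANSITIONS: Dict[Tuple[State, str], State] = {
    (State.GENERATED, "distribute"): State.ACTIVE,
    (State.ACTIVE, "suspend"): State.SUSPENDED,
    (State.SUSPENDED, "reinstate"): State.ACTIVE,     # removeFromCRL
    (State.ACTIVE, "revoke"): State.REVOKED,
    (State.SUSPENDED, "revoke"): State.REVOKED,
    (State.ACTIVE, "expire"): State.EXPIRED,
    (State.SUSPENDED, "expire"): State.EXPIRED,
    (State.EXPIRED, "archive"): State.ARCHIVED,
    (State.REVOKED, "archive"): State.ARCHIVED,
    (State.EXPIRED, "destroy"): State.DESTROYED,
    (State.REVOKED, "destroy"): State.DESTROYED,
    (State.ARCHIVED, "destroy"): State.DESTROYED,
}


class ManagedKey:
    def __init__(self, key_id: str, not_before: datetime, lifetime: timedelta):
        self.key_id = key_id
        self.not_before = not_before
        self.not_after = not_before + lifetime
        self.state = State.GENERATED
        self.history = [(not_before, "generate", self.state)]

    def apply(self, event: str, when: datetime) -> State:
        """Move to the next state, or raise if the lifecycle does not allow it."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise ValueError(f"{self.key_id}: cannot '{event}' while {self.state.value}")
        self.state = nxt
        self.history.append((when, event, nxt))
        return nxt

    def renew(self, when: datetime, extension: timedelta) -> datetime:
        """Renewal extends the expiration date of a key that has not yet expired."""
        if self.state not in (State.ACTIVE, State.SUSPENDED):
            raise ValueError(f"{self.key_id}: cannot renew while {self.state.value}")
        self.not_after += extension
        self.history.append((when, "renew", self.state))
        return self.not_after

    def refresh(self, now: datetime) -> State:
        """Expire the key automatically once its validity period has passed."""
        if self.state in (State.ACTIVE, State.SUSPENDED) and now >= self.not_after:
            self.apply("expire", now)
        return self.state

    def may_sign(self, now: datetime) -> bool:
        """Only an active key inside its validity period may create new signatures."""
        return self.refresh(now) == State.ACTIVE and self.not_before <= now

    def may_decrypt(self, now: datetime) -> bool:
        """Policy used here: active keys and archived keys may decrypt; nothing else."""
        return self.refresh(now) in (State.ACTIVE, State.ARCHIVED)


def walkthrough() -> dict:
    """Constructed timeline: distribute, suspend, reinstate, renew, expire, archive, destroy."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = ManagedKey("signing-key-01", t0, timedelta(days=365))
    key.apply("distribute", t0)
    key.apply("suspend", t0 + timedelta(days=30))          # certificateHold (leave of absence)
    result = {"signs_while_suspended": key.may_sign(t0 + timedelta(days=31))}
    key.apply("reinstate", t0 + timedelta(days=60))        # removeFromCRL
    key.renew(t0 + timedelta(days=300), timedelta(days=90))
    result["active_after_renewal"] = key.refresh(t0 + timedelta(days=400)) == State.ACTIVE
    result["expired_state"] = key.refresh(t0 + timedelta(days=456))
    key.apply("archive", t0 + timedelta(days=456))
    result["decrypts_from_archive"] = key.may_decrypt(t0 + timedelta(days=500))
    try:
        key.apply("reinstate", t0 + timedelta(days=500))   # illegal: archive is not a hold
        result["reinstate_from_archive_blocked"] = False
    except ValueError:
        result["reinstate_from_archive_blocked"] = True
    key.apply("destroy", t0 + timedelta(days=730))
    result["final_state"] = key.state
    result["events"] = [event for _, event, _ in key.history]
    return result


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name:32s} {value}")
```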