Chapter 13 - PKI and Encryption Protocols Flashcards

1
Q

Which of the following does not apply to an X.509 certificate?

A. Certificate version

B. The Issuer of the certificate

C. Public key information

D. Owner’s symmetric key

A

D. An X.509 certificate binds a subject to a public key; it never contains a symmetric key (or any other secret key) belonging to the owner. Certificate version, issuer, and public key information are all standard X.509 fields.

2
Q

What two items are included in a digital certificate? (Select the two best answers.)

A. User’s private key

B. Certificate Authority’s digital signature

C. The user’s public key

D. Certificate Authority’s IP address

A

B and C. A digital certificate contains the subject's (user's) public key and is digitally signed by the issuing Certificate Authority (CA); that signature is what lets a relying party confirm who issued the certificate and that it has not been altered. The user's private key must stay with its owner and is never placed in the certificate. A CA's IP address is not a certificate field either; a certificate may carry URLs for the CA's revocation services, but not a network address of the CA.

3
Q

Rick has a local computer that uses software to generate and store key pairs. What type of PKI implementation is this?

A. Distributed key

B. Centralized

C. Hub and spoke

D. Decentralized

A

D. PKI key pairs can be generated in one of two ways. Centralized generation creates the keys on a central server (or HSM) and distributes them to hosts. Decentralized generation, which is what Rick's computer does, creates and stores the key pair on the local system that will use it, so the private key never has to leave that system.

4
Q

Which of the following is usually used with L2TP?

A. IPsec

B. SSH

C. PHP

D. SHA

A

A. IPsec is usually used with L2TP: L2TP builds the tunnel and IPsec (ESP) encrypts and authenticates the traffic inside it. SSH is a secure remote-login protocol, PHP is a scripting language commonly used on the web, and SHA is a family of hashing algorithms.

5
Q

What ensures that a CRL is authentic and has not been modified?

A. The CRL can be accessed by anyone

B. The CRL is digitally signed by the CA

C. The CRL is always authentic

D. The CRL is encrypted by the CA.

A

B. A certificate revocation list (CRL) is digitally signed by the issuing certificate authority, so a relying party can verify that the list really came from the CA and was not modified in transit. Anyone can read a CRL, so access control is not what protects it, and it is signed rather than encrypted because its contents are public. When a certificate is compromised it is revoked and its serial number is added to the CRL, and the CA publishes an updated, freshly signed CRL periodically.

6
Q

Which of the following encryption concepts is PKI based on?

A. Asymmetric

B. Symmetric

C. Elliptical curve

D. Quantum

A

A. The public key infrastructure (PKI) is built on asymmetric (public key) cryptography: each subject holds a private key and a certified public key. Symmetric encryption uses a single shared key and is not what PKI is based on, although PKI is routinely used to establish symmetric session keys. Elliptic curve cryptography is itself a family of asymmetric algorithms (ECDSA and ECDH keys are common in certificates), so for this question "asymmetric" is the broader, correct concept. Quantum cryptography is unrelated to PKI.

7
Q

You are in charge of PKI certificates. What should you implement so that stolen certificates cannot be used?

A. CRL

B. CAD

C. CA

D. CRT

A

A. You should implement a certificate revocation list (CRL) so that stolen, compromised, or otherwise revoked or held certificates are rejected by relying parties. Note that this only works if clients actually fetch and check the CRL (or query the CA's online status service). The CA is the authority that issues and revokes certificates; CAD and CRT are distractors (.crt is merely a common file extension for certificates).

8
Q

Which of the following are certificate-based authentication mapping schemes? (Select the two best answers.)

A. One-to-many mapping

B. One-to-one mapping

C. Many-to-many mapping

D. Many-to-one mapping

A

B and D. Certificate-based authentication maps a presented certificate to an account in one of two ways: one-to-one mapping, where a specific certificate maps to exactly one account, and many-to-one mapping, where any certificate matching a rule (for example, all certificates issued by a particular CA or with a particular subject pattern) maps to a single account.

9
Q

Which of the following network protocols sends data between two computers while using a secure channel?

A. SSH

B. SMTP

C. SNMP

D. P2P

A

A. SSH, the Secure Shell, lets two computers exchange data over an encrypted, authenticated channel. SMTP is the Simple Mail Transfer Protocol, which deals with e-mail. SNMP is the Simple Network Management Protocol, which enables the monitoring of remote systems. P2P is short for peer-to-peer networking.

10
Q

Which of the following protocols uses port 443?

A. SFTP

B. HTTPS

C. SSHTP

D. SSLP

A

B. Port 443 is the registered port for HTTPS, which is HTTP protected by TLS (formerly SSL). SFTP is the SSH File Transfer Protocol and runs over SSH on port 22. There are no protocols named SSHTP or SSLP.

11
Q

Which of the following protocols creates an unencrypted tunnel?

A. L2TP

B. PPTP

C. IPsec

D. VPN

A

A. In a Virtual Private Network (VPN), the Layer Two Tunneling Protocol (L2TP) creates a tunnel between two IP endpoints but provides no encryption of its own, which is why it is almost always paired with IPsec (L2TP/IPsec) to encrypt the data transfer. PPTP, the Point-to-Point Tunneling Protocol, includes its own encryption (MPPE), although its authentication and encryption are considered weak by today's standards. IPsec encrypts, and "VPN" is the overall service rather than a tunneling protocol.

12
Q

In a public key infrastructure setup, which of the following should be used to encrypt the signature of an e-mail?

A. Private key

B. Public key

C. Shared key

D. Hash

A

A. A digital signature is produced with the sender's private key: the message is hashed and the hash is signed (in RSA terms, encrypted) with the private key, and any recipient can verify it with the sender's public key. A public key cannot produce a signature, since anyone holding it could forge one, and a shared (symmetric) key gives no non-repudiation because the verifier could have created the same value. The hash alone provides only integrity; it is the private-key operation over the hash that makes it a signature.

13
Q

Two computers are attempting to communicate with the SSL protocol. Which two types of keys will be used? (Select the two best answers.)

A. Recovery key

B. Session key

C. Public key

D. Key card

A

B and C. In an SSL/TLS session the server's public key (from its certificate) is used during the handshake to authenticate the server and to agree on a symmetric session key; the session key then encrypts the bulk data, because symmetric encryption is far faster than asymmetric. A recovery key belongs to key escrow and is not needed unless a key has been lost. A key card is a physical device used to gain access to a building or server room.

14
Q

Which layer of the OSI model does IPsec operate at?

A. Data Link

B. Network

C. Transport

D. Application

A

B. IPsec is an end-to-end security scheme with two modes (transport and tunnel) that operates at Layer 3, the Network layer of the OSI model, also known as the Internet layer within the Internet Protocol Suite. Because it protects IP packets themselves, any higher-layer protocol can ride over it; it is often combined with L2TP for VPN tunneling.

15
Q

Which layer of the OSI model is where SSL provides encryption?

A. Network

B. Transport

C. Session

D. Application

A

C. SSL, the Secure Sockets Layer, and its successor Transport Layer Security (TLS) sit above TCP (Layer 4, Transport) and below the application protocol they protect (HTTP, SMTP, and so on). Exam material, including this card, places the encryption itself at the Session layer (Layer 5); in practice TLS is often described as spanning the Session and Presentation layers, and in the TCP/IP model it is simply treated as an application-layer protocol.

16
Q

Which of the following details one of the primary benefits of using S/MIME?

A. S/MIME expedites the delivery of e-mail messages

B. S/MIME enables users to send e-mail messages with a return receipt

C. S/MIME enables users to send both encrypted and digitally signed e-mail messages

D. S/MIME enables users to send anonymous e-mail messages.

A

C. S/MIME lets users send e-mail that is encrypted (confidentiality), digitally signed (integrity, sender authentication, and non-repudiation), or both, giving a higher level of e-mail security. It does not make delivery any faster and has nothing to do with return receipts, which are a mail-client and mail-server feature. Anonymous e-mail is the opposite of what S/MIME provides, since a signed message identifies its sender; it is also something a security administrator wants less of, not more.

17
Q

What should you do to make sure that a compromised PKI key cannot be used again?

A. Renew the key

B. Reconfigure the key

C. Revoke the key

D. Create a new key.

A

C. Revoking the key (more precisely, the certificate that certifies it) is the proper response to a compromised PKI key. The revoked certificate is then listed in the CRL (Certificate Revocation List) so that relying parties reject it. Renewing or creating a new key does nothing to stop an attacker from using the compromised one until it has been revoked.

18
Q

Which of the following statements is correct about IPsec authentication headers?

A. The authentication information is a keyed hash based on half of the bytes in the packet

B. The authentication information is a keyed hash based on all the bytes in the packet

C. The authentication information hash will remain the same even if the bytes change on transfer

D. The authentication header cannot be used in combination with the IP Encapsulating Security Payload.

A

B. The only true statement is that the authentication information is a keyed hash (an HMAC) computed over all the bytes of the packet, with the one refinement that fields a router legitimately changes in transit (such as TTL and the header checksum) are set to zero before hashing. If any other byte changes on the way, the hash the receiver recomputes will no longer match the value carried in the authentication header (AH) and the packet is discarded; the hash does not simply stay the same. AH can be used in combination with the Encapsulating Security Payload (ESP) when both integrity over the outer header and confidentiality are wanted.
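The following added example (not part of the flashcards) shows what "a keyed hash over all the bytes of the packet" means in practice for an AH integrity check value. It is deliberately simplified: a hand-built 20-byte IPv4 header with no AH header in between, HMAC-SHA256 instead of the truncated HMAC IPsec actually uses, and a fixed key instead of one negotiated by IKE; the addresses, key, and payload are all made up. It assumes an openssl binary, awk, cut, and a POSIX printf.

```shell
#!/bin/sh
# Added example, not part of the flashcards: AH-style integrity check value.
# The sender HMACs the IP header plus payload with the fields a router
# legitimately changes in transit (TTL, header checksum) set to zero, so the
# ICV survives a hop but not a modification of anything else.
set -eu

KEY=000102030405060708090a0b0c0d0e0f   # hex; stands in for the SA's key (made up)

# Packet as a hex string: 20-byte IPv4 header (ver/IHL, TOS, total length, id,
# flags/fragment, TTL, proto 51 = AH, checksum, src 10.0.0.1, dst 10.0.0.2)
# followed by the payload.  $1 = TTL (decimal), $2 = payload hex
build_packet() {
    printf '4500002800010000%02x330000' "$1"
    printf '0a0000010a000002%s' "$2"
}

# Zero the mutable fields: TTL (byte 9, hex chars 17-18) and header checksum
# (bytes 11-12, hex chars 21-24). Everything else is authenticated as-is.
zero_mutable() {
    printf '%s00%s0000%s' "$(printf '%s' "$1" | cut -c1-16)" \
        "$(printf '%s' "$1" | cut -c19-20)" "$(printf '%s' "$1" | cut -c25-)"
}

# What a router does on the way: decrement TTL and rewrite the header checksum
# (a stand-in value here rather than a real recomputation).
router_hop() {
    ttl=$(printf '%s' "$1" | cut -c17-18)
    printf '%s%02x%sffff%s' "$(printf '%s' "$1" | cut -c1-16)" $((0x$ttl - 1)) \
        "$(printf '%s' "$1" | cut -c19-20)" "$(printf '%s' "$1" | cut -c25-)"
}

# hex on stdin -> raw bytes on stdout, via octal escapes that POSIX printf
# understands (no xxd needed)
hex_to_bytes() {
    fmt=$(awk 'BEGIN { h = "0123456789abcdef" }
        { s = tolower($0)
          for (i = 1; i <= length(s); i += 2)
              printf "\\%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1 }')
    printf "$fmt"
}

# ICV = HMAC-SHA256(key, packet with mutable fields zeroed), as hex.
ah_icv() {   # $1 = key hex, $2 = packet hex
    zero_mutable "$2" | hex_to_bytes \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{ print $NF }'
}

# Receiver side: recompute and compare. Exit 0 only if the packet is intact.
ah_verify() { [ "$(ah_icv "$1" "$2")" = "$3" ]; }   # $1 key, $2 packet, $3 received ICV

PAYLOAD=68656c6c6f                      # "hello", constructed sample payload
sent=$(build_packet 64 "$PAYLOAD")
icv=$(ah_icv "$KEY" "$sent")
arrived=$(router_hop "$sent")           # TTL 64 -> 63, checksum rewritten
echo "sent    : $sent"
echo "arrived : $arrived"
ah_verify "$KEY" "$arrived" "$icv" && echo "ICV still valid after a hop"
ah_verify "$KEY" "$(build_packet 63 68656c6c70)" "$icv" || echo "ICV rejects a changed payload"
```

The receiver never trusts the ICV it was sent; it recomputes the HMAC over the same zeroed image and compares. A changed payload, address, or protocol field fails the comparison, and so does a packet authenticated under a different key, while the TTL decrement and checksum rewrite of a normal hop do not.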

19
Q

Which of the following protocols is not used to create a VPN tunnel and not used to encrypt VPN tunnels?

A. PPTP

B. L2TP

C. PPP

D. IPsec

A

C. PPP, the Point-to-Point Protocol, provides no security and does not itself create or encrypt a VPN tunnel; it is the link-layer protocol of dial-up connections. L2TP and PPTP both carry PPP frames inside their tunnels, which is why PPP shows up in VPN setups, and IPsec is the protocol that encrypts those tunnels (for example in L2TP/IPsec).

20
Q

Which of the following answers are not part of IPsec? (Select the two best answers.)

A. TKIP

B. Key exchange

C. AES

D. Authentication header

A

A and C. IPsec consists of a key exchange (the Internet Key Exchange, IKE, or the far less common Kerberized Internet Negotiation of Keys, KINK), the Authentication Header (AH), the Encapsulating Security Payload (ESP), and security associations, among other components. TKIP is a wireless (WPA) encryption protocol with no role in IPsec. AES is a general-purpose block cipher rather than an IPsec component, although it is one of the ciphers ESP can use; the exam's point is that AES is an algorithm IPsec may employ, not a part of IPsec itself.

21
Q

What should you publish a compromised certificate to?

A. CRL

B. CA

C. PKI

D. AES

A

A. A compromised certificate is revoked and published on the certificate revocation list (CRL). The CA is the certificate authority that issues and signs the CRL. PKI stands for public key infrastructure, the entire system of which CAs and CRLs are just components. AES is a symmetric block cipher and has nothing to do with revocation.
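The following added example (not part of the flashcards) walks through revocation end to end with the openssl command line: a certificate is revoked, the CA publishes a CRL signed with its private key (card 5), a relying party that checks the CRL rejects the revoked certificate but still accepts a valid one (cards 7 and 21), and a CRL issued under the CA's name but a different key is rejected because its signature does not verify. It assumes an openssl 1.1 or 3.x binary with its "ca" subcommand; every name and the temporary directory are made up.

```shell
#!/bin/sh
# Added example, not part of the flashcards: revoke, publish a CA-signed CRL,
# and check certificates against it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A CA directory: key, self-signed cert, and the minimal database that
# "openssl ca" needs for -revoke and -gencrl.  $1 = directory, $2 = CA name
ca_setup() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    : > "$1/index.txt"          # certificate database (empty to start)
    echo 01 > "$1/crlnumber"    # next CRL number
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database         = $1/index.txt
crlnumber        = $1/crlnumber
certificate      = $1/ca.crt
private_key      = $1/ca.key
default_md       = sha256
default_crl_days = 1
EOF
}

# Issue an end-entity certificate from the CA in $1 for CN $2, files $WORK/$3.*
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -days 1 -sha256 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -out "$WORK/$3.crt" 2>/dev/null
}

# Mark certificate $2 as revoked in CA $1's database. The certificate file is
# unchanged; only the CA's published list says it is no longer trusted.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null; }

# Publish the CRL: the revoked serial numbers, signed with the CA's private key.
publish_crl() { openssl ca -config "$1/ca.cnf" -gencrl -crldays 1 -out "$1/ca.crl" 2>/dev/null; }

# Relying-party check: chain validation plus CRL check. Prints openssl's
# verdict; exit status is 0 only when the certificate is valid and unrevoked.
check_cert() { openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1; }

ca_setup "$WORK/ca" "Example Root CA"
issue_leaf "$WORK/ca" alice.example.test alice
issue_leaf "$WORK/ca" bob.example.test   bob
revoke_cert "$WORK/ca" "$WORK/alice.crt"
publish_crl "$WORK/ca"

# An impostor with the SAME name but a different key publishes its own CRL;
# the CA's signature is what lets a relying party tell the two apart.
ca_setup "$WORK/impostor" "Example Root CA"
publish_crl "$WORK/impostor"

echo "alice (revoked)     : $(check_cert "$WORK/ca/ca.crt" "$WORK/ca/ca.crl" "$WORK/alice.crt" || true)"
echo "bob (valid)         : $(check_cert "$WORK/ca/ca.crt" "$WORK/ca/ca.crl" "$WORK/bob.crt" || true)"
echo "bob, impostor's CRL : $(check_cert "$WORK/ca/ca.crt" "$WORK/impostor/ca.crl" "$WORK/bob.crt" || true)"
```

Two things worth noticing: revocation never touches the certificate itself, so a client that skips the CRL check (no -crl_check here, or no revocation checking in a real application) will keep accepting alice.crt; and the impostor's CRL is well-formed and carries the right issuer name, so only the signature check against the trusted CA's public key tells it apart from the genuine list.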

22
Q

You have been asked to set up authentication through PKI, and encryption of a database using a different cryptographic process to decrease latency. What encryption types should you use?

A. Public key encryption to authenticate users and public keys to encrypt the database

B. Public key encryption to authenticate users and private keys to encrypt the database

C. Private key encryption to authenticate users and private keys to encrypt the database

D. Private key encryption to authenticate users and public keys to encrypt the database

A

B. In this question's wording, "public key encryption" means asymmetric (PKI) cryptography and "private key encryption" means symmetric, shared-secret encryption. PKI authenticates users with their public keys and certificates. Symmetric encryption is far faster than asymmetric, so it is the right choice where latency matters, such as encrypting bulk data in a database. So the PKI system uses public keys to authenticate the users, and the database is encrypted with a symmetric (private, shared) key.

23
Q

Which of the following statements are true about PKI? (Select the two best answers.)

A. When encrypting a message with the public key, only the private key can decrypt it.

B. When encrypting a message with the public key, only the public key can decrypt it.

C. When encrypting a message with the public key, only the CA can decrypt it.

D. When encrypting a message with the private key, only the public key can decrypt it.

E. When encrypting a message with the private key, only the private key can decrypt it.

A

A and D. A message encrypted with a public key can only be decrypted with the matching private key, and vice versa: something encrypted (signed) with a private key can only be decrypted (verified) with the matching public key. The same key is never used on both ends, because PKI is an asymmetric system. The CA does not encrypt or decrypt messages; it issues and manages certificates.
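The following added example (not part of the flashcards) performs both directions described above with the openssl command line: signing with the sender's private key and verifying with the public key (cards 12 and 23, option D), and encrypting to the recipient's public key so that only the matching private key can decrypt (card 23, option A). Because RSA is slow and can only wrap a few hundred bytes, the bulk data (the database of card 22, or the application data of an SSL session in card 13) is encrypted with a random symmetric key and only that key is wrapped with RSA. It assumes an openssl 1.1 or 3.x binary; the names, the sample message, and the file layout are all made up.

```shell
#!/bin/sh
# Added example, not part of the flashcards: sign/verify and hybrid
# public-key encryption with the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# RSA key pair for $1: $1.key (private, keep secret) and $1.pub (public, share)
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Signature = SHA-256(message in $2) signed with $1's private key; written to $3.
sign_message()     { openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"; }
# Verify signature $3 over $2 with $1's public key; exit 0 only if key and message match.
verify_signature() { openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1; }

# Hybrid encryption of file $2 for recipient $1 into directory $3: a fresh
# AES-256 key and IV, AES-CBC over the data, RSA-OAEP over the key material.
# (CBC gives confidentiality only; pair it with the signature above or use an
# AEAD mode when integrity matters.)
encrypt_for() {
    mkdir -p "$3"
    openssl rand -hex 32 >  "$3/session.key"   # line 1: 256-bit AES key
    openssl rand -hex 16 >> "$3/session.key"   # line 2: 128-bit IV
    openssl enc -aes-256-cbc -K "$(sed -n 1p "$3/session.key")" \
        -iv "$(sed -n 2p "$3/session.key")" -in "$2" -out "$3/data.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$1.pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$3/session.key" -out "$3/session.key.enc"
    rm "$3/session.key"                        # only the wrapped copy is sent
}

# Unwrap with $1's private key, then decrypt bundle $2 to $3. Fails (non-zero)
# when $1 is not the recipient: the wrong private key cannot unwrap the key.
decrypt_with() {
    openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$2/session.key.enc" -out "$2/session.$1.key" 2>/dev/null || return 1
    openssl enc -d -aes-256-cbc -K "$(sed -n 1p "$2/session.$1.key")" \
        -iv "$(sed -n 2p "$2/session.$1.key")" -in "$2/data.enc" -out "$3" 2>/dev/null
}

demo() {
    gen_keypair alice; gen_keypair bob; gen_keypair mallory
    printf 'Approve transfer of 100 units to account 42\n' > "$WORK/msg.txt"   # constructed sample

    sign_message alice "$WORK/msg.txt" "$WORK/msg.sig"
    verify_signature alice "$WORK/msg.txt" "$WORK/msg.sig" && echo "alice.pub verifies alice's signature"
    verify_signature bob   "$WORK/msg.txt" "$WORK/msg.sig" || echo "bob.pub does not (wrong signer)"
    sed 's/100/900/' "$WORK/msg.txt" > "$WORK/tampered.txt"
    verify_signature alice "$WORK/tampered.txt" "$WORK/msg.sig" || echo "tampered message does not verify"

    encrypt_for bob "$WORK/msg.txt" "$WORK/to_bob"
    decrypt_with bob "$WORK/to_bob" "$WORK/bob_read.txt" && echo "bob decrypts: $(cat "$WORK/bob_read.txt")"
    decrypt_with mallory "$WORK/to_bob" "$WORK/mallory_read.txt" || echo "mallory's private key cannot unwrap the session key"
}
demo
```

The asymmetric operations touch only a hash (signing) or a short key blob (wrapping); everything large goes through AES with the throwaway session key, which is the same division of labour a TLS handshake and record layer use.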

24
Q

Which of the following describes key escrow?

A. Maintains a secured copy of the user’s private key for the purpose of recovering the CRL

B. Maintains a secured copy of the user’s private key for the purpose of recovering the key if it is lost

C. Maintains a secured copy of the user’s public key for the purpose of recovering messages if the key is lost

D. Maintains a secured copy of the user’s public key for the purpose of increasing network performance

A

B. Key escrow keeps a secured copy of the user’s private key so that the key (and the data encrypted to it) can be recovered if the key is lost. Public keys need no escrow because they are already public, and escrow has nothing to do with the CRL.

25
Q

When a user’s web browser communicates with a CA, what PKI element does the CA require from the browser?

A. Public key

B. Private key

C. Symmetric key

D. Secret key

A

A. When a browser requests a certificate, it sends the CA its public key inside a certificate signing request, which it signs with the matching private key as proof of possession; the CA then signs the resulting certificate with the CA’s own private key. The browser’s private key never leaves the client. Symmetric and secret keys are synonyms for each other, not for a private key, and they play no part in certificate enrollment.
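The following added example (not part of the flashcards) builds a minimal PKI with the openssl command line and then checks the claims of cards 1, 2, and 25 against the issued certificate: the subject generates its own key pair and sends the CA only a request carrying the public key, the CA signs with its private key, and the resulting certificate carries a version, an issuer, the subject's public key, and the CA's signature, but no private or symmetric key. It assumes an openssl 1.1 or 3.x binary; every name is made up.

```shell
#!/bin/sh
# Added example, not part of the flashcards: issue an X.509 certificate and
# check what it does and does not contain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the CA's own key pair and self-signed certificate. ca.key is the
# CA's private signing key and must never be published.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: the subject generates its key pair locally (decentralized
# generation, card 3) and builds a certificate signing request (CSR). The CSR
# carries the subject name and the PUBLIC key and is self-signed with the
# private key as proof of possession; the private key itself stays in rick.key.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=rick.example.test" \
        -keyout "$WORK/rick.key" -out "$WORK/rick.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR with the CA's private key. The extensions make
# it a v3 end-entity certificate (CA:FALSE) with a SAN, as a real CA would.
issue_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rick.example.test\n' \
        > "$WORK/rick.ext"
    openssl x509 -req -in "$WORK/rick.csr" -days 1 -sha256 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/rick.ext" -out "$WORK/rick.crt" 2>/dev/null
}

build_pki() { make_ca; make_csr; issue_cert; }

# Facts about the issued certificate, each as a function so they can be
# asserted on rather than eyeballed.
cert_version()         { openssl x509 -in "$WORK/rick.crt" -noout -text | grep -q 'Version: 3'; }
cert_issuer_hash()     { openssl x509 -in "$WORK/rick.crt" -noout -issuer_hash; }
ca_subject_hash()      { openssl x509 -in "$WORK/ca.crt"   -noout -subject_hash; }
cert_pubkey()          { openssl x509 -in "$WORK/rick.crt" -noout -pubkey; }   # public key as carried in the cert
rick_pubkey()          { openssl pkey -in "$WORK/rick.key" -pubout; }          # public half of the local key pair
csr_has_private_key()  { grep -q 'PRIVATE KEY' "$WORK/rick.csr"; }
cert_has_private_key() { grep -q 'PRIVATE KEY' "$WORK/rick.crt"; }
# The CA's signature is what a relying party checks: chain rick.crt to ca.crt.
chain_verifies()       { openssl verify -CAfile "$WORK/ca.crt" "$WORK/rick.crt" >/dev/null 2>&1; }

build_pki
echo "issuer hash of rick.crt : $(cert_issuer_hash)"
echo "subject hash of ca.crt  : $(ca_subject_hash)"
openssl x509 -in "$WORK/rick.crt" -noout -subject -issuer -dates
chain_verifies && echo "chain verifies against ca.crt"
```

Run it and then inspect rick.crt with `openssl x509 -in rick.crt -noout -text` to see the fields the cards list: the version, the issuer (the CA's subject), the subject public key, and, at the end, the CA's signature over all of it.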