Cryptography and PKI (2) Flashcards

1
Q

Which of the following EAP types use a three-phase operation?

EAP-FAST

EAP-TLS

EAP-TTLS

A

EAP-FAST

EAP-FAST is for situations where a strong password policy cannot be enforced and certificates are not used. EAP-FAST consists of three phases: EAP-FAST authentication, establishment of a secure tunnel, and client authentication.

2
Q

Which of the following is an encryption standard that uses a single 56-bit symmetric key?

DES

3DES

AES

A

DES

DES is a symmetric encryption standard that uses a key length of 56 bits.

3
Q

Which of the following cryptography concepts converts output data into a fixed-length value and cannot be reversed?

Steganography

Hashing

Collision

A

Hashing

Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.

4
Q

SSL is a protocol used for securing transactions transmitting over an untrusted network such as the Internet. Which of the following best describes the action that occurs during the SSL connection setup process?

The client creates a session key and encrypts it with the server’s private key.

The client creates a session key and encrypts it with the server’s public key.

The server creates a session key and encrypts it with the client’s private key.

A

The client creates a session key and encrypts it with the server’s public key.

SSL (Secure Sockets Layer) uses public key encryption. When a client accesses a secured website, it generates a session key and encrypts it with the server’s public key. The server decrypts the session key with its private key, and the session key is then used to encrypt and decrypt the data sent back and forth.

5
Q

Which of the following EAP types requires both server and client certificates?

EAP-FAST

PEAP

EAP-TLS

A

EAP-TLS

EAP-TLS requires both the client and the server to have certificates. The authentication is mutual: the server authenticates to the client and the client authenticates to the server.

6
Q

You are the network administrator for a small office of 35 users and need to utilize mail encryption that will allow specific users to encrypt outgoing email messages. You are looking for an inexpensive onsite encryption server. Which of the following would you implement?

PGP/GPG

WPA2

CRL

A

PGP/GPG

PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) provides a low-cost or open-source solution that allows users to encrypt their outgoing emails.

7
Q

You have been promoted to security administrator for your company and you need to be aware of all types of hashing algorithms for integrity checks. Which algorithm offers a 160-bit digest?

MD5

RC4

SHA-1

A

SHA-1

SHA-1 is a hashing algorithm that produces a 160-bit digest.

8
Q

You are the security manager for your company, and a system administrator wants to know if there is a way to reduce the cost of certificates by purchasing a certificate to cover all domains and subdomains for the company. Which of the following solutions would you offer?

Wildcards

Object identifiers

Key escrow

A

Wildcards

Wildcard certificates allow the company to secure an unlimited number of subdomains under a domain name with a single certificate purchased from a third party.

9
Q

Which of the following are authentication protocols? (Choose two.)

WPS

EAP

IPSec

IEEE 802.1x

A

EAP

IEEE 802.1x

EAP and IEEE 802.1x are authentication protocols that transfer authentication data between two devices.

10
Q

Your company is looking to accept electronic orders from a vendor and wants to ensure nonauthorized people cannot send orders. Your manager wants a solution that provides nonrepudiation. Which of the following options would meet the requirements?

Digital signatures

Hashes

Steganography

A

Digital signatures

Digital signatures are created using the user’s or computer’s private key, which is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot deny having done something.

11
Q

You are tasked to implement a solution to ensure data that are stored on a removable USB drive hasn’t been tampered with. Which of the following would you implement?

File backup

File encryption

File hashing

A

File hashing

Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.

12
Q

Which of the following is mainly used for remote access into a network?

XTACACS

Kerberos

RADIUS

A

RADIUS

RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security.

13
Q

A security manager has asked you to explain why encryption is important and what symmetric encryption offers. Which of the following is the best explanation?

Confidentiality

Nonrepudiation

Steganography

A

Confidentiality

Encryption provides confidentiality because the data is scrambled and cannot be read by an unauthorized user. Symmetric encryption uses a single key to both encrypt and decrypt data, and it is considered fast.

14
Q

You are a security administrator and have discovered one of the employees has been encoding confidential information into graphic files. Your employee is sharing these pictures on their social media account. What concept was the employee using?

Hashing

Steganography

Symmetric algorithm

A

Steganography

Steganography is the process of hiding data within other data. The technique can be applied to images, video files, or audio files.

15
Q

Your company’s branch offices connect to the main office through a VPN. You recently discovered the key used on the VPN has been compromised. What should you do to ensure the key isn’t compromised in the future?

Enable perfect forward secrecy at the main office and branch office ends of the VPN.

Enable perfect forward secrecy at the branch office end of the VPN.

Disable perfect forward secrecy at the main office and branch office ends of the VPN.

A

Enable perfect forward secrecy at the main office and branch office ends of the VPN.

Enable perfect forward secrecy (PFS) at both the main office and branch office ends of the VPN. Perfect forward secrecy is a way to ensure the safety of session keys from future abuse by threat actors.

16
Q

You are configuring your friend’s new wireless SOHO router and discover a PIN on the back of the router. Which of the following best describes the purpose of the PIN?

This is a WEP PIN.

This is a WPS PIN.

This is a WPA PIN.

A

This is a WPS PIN.

WPS is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases. Users enter a PIN to allow the device to connect after pressing the WPS button on the SOHO router.

17
Q

Which of the following benefits do digital signatures provide? (Choose two.)

Nonrepudiation

Authentication

Encryption

Key exchange

A

Nonrepudiation

Authentication

Digital signatures provide three core benefits: authentication, integrity, and nonrepudiation.

18
Q

Your company has asked you to recommend a secure method for password storage. Which of the following would provide the best protection against brute-force attacks? (Choose two.)

ROT13

MD5

PBKDF2

BCRYPT

A

PBKDF2

BCRYPT

PBKDF2 applies a pseudo-random function such as an HMAC to the password along with a salt value and produces a derived key. PBKDF2 is designed to protect against brute-force attacks. BCRYPT is a password-hashing function derived from the Blowfish cipher. It adds a salt value to protect against rainbow table attacks.

19
Q

Your IT support center is receiving a high number of calls stating that users trying to access the company’s website are receiving certificate errors within their browsers. Which of the following statements best describes what the issue is?

The website certificate has expired.

Users have forgotten their usernames or passwords.

The domain name has expired.

A

The website certificate has expired.

Users are receiving the error because the website certificate has expired. The user can continue accessing the website, but the error will state that the user could be accessing an untrusted site.

20
Q

In asymmetric encryption, what is used to decrypt an encrypted file?

Private key

Public key

Message digest

A

Private key

In asymmetric encryption, sometimes referred to as public key encryption, the private key is used to decrypt an encrypted file.

21
Q

You are performing a vulnerability assessment on a company’s LAN and determine they are using 802.1x for secure access. Which of the following attacks can a threat actor use to bypass the network security?

MAC spoofing

ARP poisoning

Ping of death

A

MAC spoofing

A threat actor can spoof a device’s MAC address and bypass 802.1x authentication. Using 802.1x with client certificates or tunneled authentication can help prevent this attack.

22
Q

Your security manager is looking to implement a one-time pad scheme for the company’s salespeople to use when traveling. Which of the following best describes a requirement for this implementation? (Choose three.)

The pad must be distributed securely and protected at its destination.

The pad must always be the same length.

The pad must be used only one time.

The pad must be made up of truly random values.

A

The pad must be distributed securely and protected at its destination.

The pad must be used only one time.

The pad must be made up of truly random values.

A one-time pad must be delivered by a secure method and properly guarded at each destination. The pad must be used one time only to avoid introducing patterns, and it must be made up of truly random values. Today’s computer systems have pseudo-random-number generators, which are seeded by an initial value from some component within the computer system.

23
Q

A threat actor has created a man-in-the-middle attack and captured encrypted communication between two users. The threat actor was unable to decrypt the messages. Which of the following is the reason the threat actor is unable to decrypt the messages?

Hashing

Symmetric encryption

Asymmetric encryption

A

Asymmetric encryption

In asymmetric encryption, sometimes referred to as public key encryption, the private key is used to decrypt an encrypted file.

24
Q

You have implemented a PKI to send signed and encrypted data. The user sending data must have which of the following? (Choose two.)

The receiver’s private key

The sender’s private key

The sender’s public key

The receiver’s public key

A

The sender’s private key

The receiver’s public key

To sign the data for nonrepudiation purposes, the sender uses their own private key; to encrypt the data, the sender uses the receiver’s public key.

25
Q

Which of the following best describes the drawback of symmetric key systems?

You must use different keys for encryption and decryption.

The algorithm is more complex.

The key must be delivered in a secure manner.

A

The key must be delivered in a secure manner.

Symmetric encryption uses the same key to encrypt and decrypt data, so the key must be sent to the receiver in a secure manner. If a person were to obtain the key somewhere in the middle, they would be able to decrypt the information and read the data or inject it with malware.

26
Q

Your company is looking for a secure backup mechanism for key storage in a PKI. Which of the following would you recommend?

CSR

Key escrow

CA

A

Key escrow

Key escrow is a security measure in which cryptographic keys are held in escrow by a third party. Under normal circumstances, the key should not be released to anyone other than the sender or receiver without proper authorization.

27
Q

Which cryptography concept uses points on a curve to define public and private key pairs?

Obfuscation

ECC

Stream cipher

A

ECC

ECC (elliptic curve cryptography) is based on elliptic curve theory and uses points on a curve to define more efficient public and private keys.

28
Q

You are a security administrator and have been given instructions to update the access points to provide a more secure connection. The access points are currently set to use WPA TKIP for encryption. Which of the following would you configure to accomplish the task of providing a more secure connection?

WEP

WPA2 CCMP

Enable MAC filtering

A

WPA2 CCMP

WPA2 CCMP replaced TKIP and is a more advanced encryption standard. CCMP provides data confidentiality and authentication.

29
Q

Which of the following is an example of a stream cipher?

AES

3DES

RC4

A

RC4

RC4 is an example of a stream cipher that encrypts data one bit at a time.

30
Q

Which of the following are negotiation protocols commonly used by TLS? (Choose two.)

DHE

ECDHE

RSA

SHA

A

DHE

ECDHE

DHE (Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) are commonly used with TLS to provide perfect forward secrecy.