
Domain 6 Quiz

  1. You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?
    1. TLS
    2. CPS
    3. OCSP
    4. CRL
    5. thumbprint
    6. PFS
    This is another English prose analysis question. All choices are correct, relevant, and part of the story. I have again made it relatively easy by putting the answer choices in the same order as the sentences:

    "a system that can protect communication by authenticating the server ..." = TLS or Transport Layer Security
    "their rules" = CPS or Certification Practice Statement
    "a protocol ... to check in real time" = OCSP or Online Certificate Status Protocol
    "copy of the currently untrusted (revoked) certificates" = CRL or Certificate Revocation List
    "its hash" = thumbprint (the fingerprint, a hash over the certificate or its public key)
    "a breach today doesn't expose secrets from the past" = PFS or Perfect Forward Secrecy

    "What do you need?" is the actual question. One of the sentences says "You must have", it's a requirement. The others state that the item provides some feature, or describe your plan.

    The requirement is for a local copy of the CRL, which is a relatively uncommon or unneeded step. This makes it a better question from the CompTIA point of view. Less common makes it more challenging.
  2. Abe, a security architect, needs to configure Perfect Forward Secrecy for remote access for employees working from home. What can he use? Select two.
    1. DH
    2. DHE
    3. ECDHE
    4. One-time pads
    5. AES-GCM-256
    Both Diffie-Hellman Ephemeral and Elliptic Curve Diffie-Hellman Ephemeral generate a fresh key pair for every session, so the shared secret, and the symmetric session key derived from it, can't be recovered later from any long-term key. That is what gives you PFS. Plain DH with static, long-term key pairs does not. You might happen to use the resulting session key with AES-GCM-256, but AES is a symmetric cipher and says nothing about how its key was agreed, so AES by itself doesn't mean PFS. One-time pads are the only information-theoretically secure encryption method, but they're totally impractical for this application.
  3. Charlotte is in charge of VPN access to the data analysis facility. She has read that it is helpful to pad a secret with a short text value before encrypting it. What concept is she considering?
    1. Salt
    2. Nonce
    3. Hash
    4. PBKDF2
    This is a bad question, intentionally included to more accurately emulate a CompTIA exam. It is frustrating because the description really fits an IV or Initialization Vector, but that isn't a choice. Salts are used with password hashes and key derivation functions such as PBKDF2, not for encrypting data directly. But the question says "short text value", and CompTIA wants you to say "salt", reserving "nonce" (number used only once) for something described as a number, even though a nonce is just a string of bits, exactly as a text value would be. "Pad with a short text value" means select salt.
  4. International, national, and state/provincial regulations require the protection of personal privacy. This makes confidentiality important, but it is not the only security goal. You need to protect both endpoint authentication and data confidentiality in all data streams. Which ciphers should you choose? Select two.
    1. AES-CBC
    2. AES-CCMP
    3. AES-CFB
    4. AES-GCM
    AES-CCMP is the authenticated-encryption mode used by WPA2 on 802.11 wireless, and AES-GCM is the authenticated-encryption mode used by modern TLS. Both provide confidentiality plus integrity and origin authentication of each record. CBC and CFB are confidentiality-only modes; they need a separate MAC to detect tampering.
  5. Which of these are advantages of WPA/2 Enterprise over WPA/2 PSK? Select two.
    1. PKI
    2. Stronger cipher suite
    3. Higher performance
    4. Integrated Active Directory
    5. RADIUS
    WPA/2 Enterprise authenticates through a RADIUS server using 802.1X/EAP, and the RADIUS server (and, with EAP-TLS, each client) presents a trusted digital certificate, which means integration with your PKI. The two choices use the same cipher suite (AES-CCMP) with identical network performance; they differ only in how the pairwise master key is established. Active Directory may sit behind a RADIUS server as the user database, but it isn't inherent to WPA/2 Enterprise.
  6. Tasha, a network engineer, is designing a wireless solution for her large corporation. She needs to specify the current best encryption, supporting 802.1x with either LEAP or EAP-TLS. What should she use? Select three.
    1. CCMP
    2. AES-GCM-256
    3. WPA/2 PSK
    4. WPA/2 Enterprise
    5. RADIUS
    6. Active Directory
    CompTIA tends to say "CCMP" when they should say "AES-CCMP". It is authenticated encryption. AES-GCM-256 is also authenticated encryption, but it is the mode used with TLS, not with WPA2 wireless. One practitioner's caveat about the question itself: LEAP is a Cisco-proprietary method with known weaknesses (its challenge/response exchange can be attacked offline with a dictionary attack), so EAP-TLS is the one to actually deploy.

    WPA/2 Enterprise uses a RADIUS server and certificates, while WPA/2 PSK uses manually configured pre-shared keys.

    RADIUS is a centralized, trusted third-party authentication service that acts as the authentication server in 802.1x. EAP messages are carried inside RADIUS, so it can support several EAP methods.
  7. Blake has been asked to configure the web server to provide Perfect Forward Secrecy. Which security feature will this provide?
    1. Data sent from the server to the client will always be protected
    2. Data sent from the client to the server will always be protected
    3. A breach today does not expose keys from the past
    4. A breach today does not expose keys in the future
    Yes, the name seems backwards to me, too: "forward" secrecy protects the past. Each session's keys come from an ephemeral exchange, so an attacker who steals the server's long-term private key today still can't decrypt sessions recorded earlier. It's often called just "forward secrecy"; don't confuse it with "perfect secrecy", which is Shannon's term for the one-time pad.
  8. Alice wants to send an encrypted message to Bob. What does she need?
    1. Alice's public key
    2. Alice's private key
    3. Bob's public key
    4. Bob's private key
    Know the fundamentals!
    Goal                  Sender needs                                  Receiver needs
    Encrypted only        Receiver's public key                         Receiver's private key
    Encrypted and signed  Sender's private key, Receiver's public key   Sender's public key, Receiver's private key
    Signed only           Sender's private key                          Sender's public key
    That table answers a lot of questions in the Domain 6 pool.
  9. Alice has obtained a copy of Bob's certificate. Which of these does it contain?
    1. Bob's private key
    2. Bob's public key
    3. The CA's private key
    4. The CA's public key
    Certificates are publicly available, so of course they don't contain private keys! It's Bob's certificate, so it contains his public key, wrapped in a digital certificate signed by the CA. The CA's public key isn't in Bob's certificate either; it's in the CA's own certificate.
  10. Alice has obtained a copy of what claims to be Bob's certificate. Which of these does she need to verify that it really belongs to Bob?
    1. Bob's private key
    2. Bob's public key
    3. The CA's private key
    4. The CA's public key
    Bob's certificate contains his public key, wrapped in a digital certificate signed by the CA. You need the signer's public key to verify a digital signature, and the signer here is the CA, so Alice needs the CA's public key (from the CA's certificate).
  11. Bob has just received a digitally signed, encrypted message from Alice. What does he need? Select three.
    1. Alice's certificate
    2. Bob's certificate
    3. The CA's certificate
    4. Bob's public key
    5. Bob's private key
    To verify Alice's digital signature, he needs Alice's public key. But he needs to be quite certain that it's really her public key, which means he needs it in the form of a certificate, signed by a trusted CA. And that means he needs her CA's certificate containing the CA's public key. Their shared PKI will provide the certificates.

    Then he needs his private key to decrypt the content. (which she encrypted with a copy of his public key, which was in his certificate, etc.)

    I'm sure that I am giving CompTIA far too much credit, implying that they would get this complete and correct. But if you understand the above, you're doing well. Expect this to be simpler, choosing just these two of four:
    1. Alice's public key
    2. Alice's private key
    3. Bob's public key
    4. Bob's private key
  12. Isaac is a cybersecurity architect for a financial services company. He has been tasked with securing key escrow. The escrow storage is extremely sensitive. What should he use to implement trustworthy key escrow?
    1. Asymmetric encryption
    2. M-of-N control
    3. Certificate chaining
    4. Off-site storage
    Split the master key into N shares, give each share to a different person, and any M of them can reconstruct the master key, while fewer than M shares reveal nothing about it. You can pick M and N as appropriate for your situation, e.g. 3 of 5.
  13. Alice must send a message which only Bob can read. What does Alice need?
    1. Alice's private key
    2. Alice's public key
    3. Bob's private key
    4. Bob's public key
  14. Ellen is a webmaster for a major high technology company. She will use virtual hosting to provide six web sites with unique domain names on a single server:
    That is, the same corporation name in three top-level domains, both with and without leading "www.". What would be the most economic way to obtain certificates?
    1. Self-signed certificates
    2. Wildcard certificates
    3. Subject Alternative Names
    4. Six individual certificates
    This would be one certificate with all six names listed in the SAN or Subject Alternative Name extension.

    A wildcard certificate (the "*" label) could cover, e.g., hosts www, www2, ftp, ns1, ns2, mailbox, and so on, but all would have to be in the same second-level domain under the same top-level domain; a wildcard does not span three TLDs.

    Six individual certificates would work, but at significantly higher cost.

    Self-signed certificates wouldn't work at all for external clients, whose browsers would reject them as untrusted.
  15. Which of the following is not needed to enable any user to encrypt a message which only the intended recipient can read?
    1. PKI
    2. Public keys
    3. Private keys
    4. Hashing
  16. Lee is a security analyst at a software development company. Their data is worth far more than the hardware on which it is stored, and confidentiality is protected with strong encryption. However, management is also concerned about availability. Lee has been tasked with providing availability of cleartext versions of encrypted software, even if an employee loses or destroys their decryption key. What should be set up?
    1. Escrow
    2. Secret sharing
    3. Certificate chaining
    4. Key pinning
    5. Key stapling
    Key escrow keeps backup copies of decryption keys in highly trusted storage. Secret sharing splits one secret into shares so that a threshold of holders must cooperate to recover it (the M-of-N control from another question); it's a way to protect an escrowed key, not a substitute for keeping the copy. Certificate chaining is how a client validates a server's certificate back to a trusted root. Pinning (of a certificate or public key) and OCSP stapling are web server certificate concepts, not ways to recover a lost key.

    Notice that another question provides a hint for this one.
  17. Charlize, a data archivist for a government agency, needs to protect the confidentiality of a large data set. A government regulation requires the use of the Advanced Encryption Standard for this category of data. But in which mode should she employ that cipher?
    1. CBC
    2. CCMP
    3. ECB
    4. GCM
    CBC mode is among the appropriate modes for large block (or file-like) data sets. CCMP mode is used with 802.11, GCM with TLS. ECB encrypts every block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data leak straight through; it is only appropriate for some very specific use cases, such as encrypting a single block of random key material.
  18. Gary works for a bank, and is designing a wireless solution for customers to use during their visits to bank branches. Which two technologies should he deploy? Select two.
    1. WPA/2 Enterprise
    2. Captive portal
    3. Open system authentication
    4. Enable an Internet-facing SSID
    It's for customers visiting the bank, so WPA/2 Enterprise with its need to enroll their devices into the bank PKI and install certificates is very impractical. "Internet-facing SSID" doesn't really mean anything.

    A captive portal redirects their attempted browser connections to a small local web server, to a page where they check the box for "Yes, I will follow the rules", before routing them out to the Internet.

    Open system authentication means that no authentication is needed to associate and the wireless traffic is not encrypted.

    This combination is what you find in most US hotels.
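The M-of-N control from question 12, which question 16 refers to as secret sharing, is usually implemented with Shamir's scheme: the secret is the constant term of a random polynomial of degree M-1 over a prime field, each share is one point on the curve, and any M points recover the constant term by Lagrange interpolation. The following is an added example written for this page, not code from the quiz or from any product; the 32-byte "master key" is a constructed placeholder and the Mersenne prime 2^521 - 1 is simply a field large enough to hold a 256-bit key.

```python
"""Shamir secret sharing: an M-of-N scheme over the prime field GF(p).

Added example for this page; uses only the Python standard library.
"""
import secrets

# 2^521 - 1 is a Mersenne prime, so every secret of up to 65 bytes is a field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate a polynomial (constant term first) at x, mod p, by Horner's rule."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def split_secret(secret, m, n, p=PRIME):
    """Split `secret` into n shares such that any m of them reconstruct it.

    Fewer than m shares are consistent with every possible secret, so they
    reveal nothing about it.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element below the prime")
    # Random polynomial of degree m-1 whose constant term f(0) is the secret.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(m - 1)]
    # Share i is the point (i, f(i)). x = 0 is never handed out because f(0) is the secret.
    return [(i, _eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def recover_secret(shares, p=PRIME):
    """Reconstruct f(0) by Lagrange interpolation over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        # Lagrange basis polynomial L_i evaluated at x = 0: prod_{j != i} (0 - x_j) / (x_i - x_j)
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        # pow(den, -1, p) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def demo():
    """3-of-5 escrow of a constructed 32-byte key; returns True if the scheme behaves as claimed."""
    master_key = bytes(range(32))  # constructed placeholder, not a real key
    secret = int.from_bytes(master_key, "big")
    shares = split_secret(secret, m=3, n=5)

    # Any three custodians, in any order, recover the exact key bytes.
    recovered = recover_secret([shares[4], shares[0], shares[2]])
    if recovered.to_bytes(32, "big") != master_key:
        return False
    # Two custodians alone get a value unrelated to the key (equal only with probability 1/p).
    if recover_secret(shares[:2]) == secret:
        return False
    return True


if __name__ == "__main__":
    print("3-of-5 Shamir sharing works:", demo())
```

In practice each share would be given to a different custodian (or stored in a separate HSM slot), and the escrowed key itself is never written down whole; the threshold M is chosen so that no single insider can recover it while the loss of N-M shares is still survivable.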

Passing = 82% of 18 = 14.8

Goal = 91% of 18 = 16.4
