401 SEC+ Exam Guaranteed Pass: Expertly Crafted
Graded Questions & Comprehensive Solutions
Certified for High Academic Standards
Which of the following provide the BEST protection against brute forcing stored passwords?
(Select TWO).
A. PBKDF2
B. MD5
C. SHA2
D. Bcrypt
E. AES
F. CHAP - -correct ans- -Answer: A,D
Explanation:
A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies
some function (like a hash or HMAC) to the password or passphrase along with Salt to
produce a derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function:
over time, the iteration count can be increased to make it slower, so it remains resistant to
brute-force search attacks even with increasing computation power.
The bcrypt function is the default password hash algorithm for BSD and many other
systems.
References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
Deploying a wildcard certificate is one strategy to:
A. Secure the certificate's private key.
,B. Increase the certificate's encryption key length.
C. Extend the renewal date of the certificate.
D. Reduce the certificate management burden - -correct ans- -Answer: D
Explanation:
A wildcard certificate is a public key certificate which can be used with multiple
subdomains of a domain. This saves money and reduces the management burden of
managing multiple certificates, one for each subdomain.
A single Wildcard certificate for *.example.com, will secure all these domains:
payment.example.com
contact.example.com
login-secure.example.com
www.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full
stops), these domains would not be valid for the certificate:
test.login.example.com
A certificate authority takes which of the following actions in PKI?
A. Signs and verifies all infrastructure messages
B. Issues and signs all private keys
C. Publishes key escrow lists to CRLs
D. Issues and signs all root certificates - -correct ans- -Answer: D
Explanation:
A certificate authority can issue multiple certificates in the form of a tree structure. A root
certificate is part of a public key infrastructure (PKI) scheme. The most common
commercial variety is based on the ITU-T X.509 standard, which normally includes a digital
signature from a certificate authority (CA).
, Note: In cryptography and computer security, a root certificate is an unsigned public key
certificate (also called self-signed certificate) that identifies the Root Certificate Authority
(CA).
Which of the following is used to certify intermediate authorities in a large PKI deployment?
A. Root CA
B. Recovery agent
C. Root user
D. Key escrow - -correct ans- -Answer: A
Explanation:
The root CA certifies other certification authorities to publish and manage certificates
within the organization.
In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the
information. The intermediate CAs are next in the hierarchy, and they trust only information
provided by the root CA. The root CA also trusts intermediate CAs that are in their level in
the hierarchy and none that aren't. This arrangement allows a high level of control at all
levels of the hierarchical tree. .
Which of the following components MUST be trusted by all parties in PKI?
A. Key escrow
B. CA
C. Private key
D. Recovery key - -correct ans- -Answer: B
Explanation:
A certificate authority (CA) is an organization that is responsible for issuing, revoking, and
distributing certificates. In a simple trust model all parties must trust the CA.
Graded Questions & Comprehensive Solutions
Certified for High Academic Standards
Which of the following provide the BEST protection against brute forcing stored passwords?
(Select TWO).
A. PBKDF2
B. MD5
C. SHA2
D. Bcrypt
E. AES
F. CHAP - -correct ans- -Answer: A,D
Explanation:
A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies
some function (like a hash or HMAC) to the password or passphrase along with Salt to
produce a derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function:
over time, the iteration count can be increased to make it slower, so it remains resistant to
brute-force search attacks even with increasing computation power.
The bcrypt function is the default password hash algorithm for BSD and many other
systems.
References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
Deploying a wildcard certificate is one strategy to:
A. Secure the certificate's private key.
,B. Increase the certificate's encryption key length.
C. Extend the renewal date of the certificate.
D. Reduce the certificate management burden - -correct ans- -Answer: D
Explanation:
A wildcard certificate is a public key certificate which can be used with multiple
subdomains of a domain. This saves money and reduces the management burden of
managing multiple certificates, one for each subdomain.
A single Wildcard certificate for *.example.com, will secure all these domains:
payment.example.com
contact.example.com
login-secure.example.com
www.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full
stops), these domains would not be valid for the certificate:
test.login.example.com
A certificate authority takes which of the following actions in PKI?
A. Signs and verifies all infrastructure messages
B. Issues and signs all private keys
C. Publishes key escrow lists to CRLs
D. Issues and signs all root certificates - -correct ans- -Answer: D
Explanation:
A certificate authority can issue multiple certificates in the form of a tree structure. A root
certificate is part of a public key infrastructure (PKI) scheme. The most common
commercial variety is based on the ITU-T X.509 standard, which normally includes a digital
signature from a certificate authority (CA).
, Note: In cryptography and computer security, a root certificate is an unsigned public key
certificate (also called self-signed certificate) that identifies the Root Certificate Authority
(CA).
Which of the following is used to certify intermediate authorities in a large PKI deployment?
A. Root CA
B. Recovery agent
C. Root user
D. Key escrow - -correct ans- -Answer: A
Explanation:
The root CA certifies other certification authorities to publish and manage certificates
within the organization.
In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the
information. The intermediate CAs are next in the hierarchy, and they trust only information
provided by the root CA. The root CA also trusts intermediate CAs that are in their level in
the hierarchy and none that aren't. This arrangement allows a high level of control at all
levels of the hierarchical tree. .
Which of the following components MUST be trusted by all parties in PKI?
A. Key escrow
B. CA
C. Private key
D. Recovery key - -correct ans- -Answer: B
Explanation:
A certificate authority (CA) is an organization that is responsible for issuing, revoking, and
distributing certificates. In a simple trust model all parties must trust the CA.
