401 SEC+ Exam Guaranteed Pass: Expertly Crafted
Graded Questions & Comprehensive Solutions
Certified for High Academic Standards
A certificate authority takes which of the following actions in PKI?
A. Signs and verifies all infrastructure messages
B. Issues and signs all private keys
C. Publishes key escrow lists to CRLs
D. Issues and signs all root certificates - -correct ans- -Answer: D
Explanation:
A certificate authority can issue multiple certificates in the form of a tree structure. A root
certificate is part of a public key infrastructure (PKI) scheme. The most common commercial
variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a
certificate authority (CA).
Note: In cryptography and computer security, a root certificate is an unsigned public key
certificate (also called self-signed certificate) that identifies the Root Certificate Authority (CA).
Which of the following is used to certify intermediate authorities in a large PKI deployment?
A. Root CA
B. Recovery agent
C. Root user
D. Key escrow - -correct ans- -Answer: A
Explanation:
The root CA certifies other certification authorities to publish and manage certificates within the
organization.
,In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the
information. The intermediate CAs are next in the hierarchy, and they trust only information
provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the
hierarchy and none that aren't. This arrangement allows a high level of control at all levels of
the hierarchical tree. .
Which of the following components MUST be trusted by all parties in PKI?
A. Key escrow
B. CA
C. Private key
D. Recovery key - -correct ans- -Answer: B
Explanation:
A certificate authority (CA) is an organization that is responsible for issuing, revoking, and
distributing certificates. In a simple trust model all parties must trust the CA.
In a more complicated trust model all parties must trust the Root CA.
Which of the following provide the BEST protection against brute forcing stored passwords?
(Select TWO).
A. PBKDF2
B. MD5
C. SHA2
D. Bcrypt
E. AES
F. CHAP - -correct ans- -Answer: A,D
Explanation:
, A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies some
function (like a hash or HMAC) to the password or passphrase along with Salt to produce a
derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over
time, the iteration count can be increased to make it slower, so it remains resistant to brute-
force search attacks even with increasing computation power.
The bcrypt function is the default password hash algorithm for BSD and many other systems.
References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
Deploying a wildcard certificate is one strategy to: A.
Secure the certificate's private key.
B. Increase the certificate's encryption key length.
C. Extend the renewal date of the certificate.
D. Reduce the certificate management burden - -correct ans- -Answer: D
Explanation:
A wildcard certificate is a public key certificate which can be used with multiple subdomains of a
domain. This saves money and reduces the management burden of managing multiple
certificates, one for each subdomain.
A single Wildcard certificate for *.example.com, will secure all these domains:
payment.example.com contact.example.com
login-secure.example.com www.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full
stops), these domains would not be valid for the certificate:
test.login.example.com
Graded Questions & Comprehensive Solutions
Certified for High Academic Standards
A certificate authority takes which of the following actions in PKI?
A. Signs and verifies all infrastructure messages
B. Issues and signs all private keys
C. Publishes key escrow lists to CRLs
D. Issues and signs all root certificates - -correct ans- -Answer: D
Explanation:
A certificate authority can issue multiple certificates in the form of a tree structure. A root
certificate is part of a public key infrastructure (PKI) scheme. The most common commercial
variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a
certificate authority (CA).
Note: In cryptography and computer security, a root certificate is an unsigned public key
certificate (also called self-signed certificate) that identifies the Root Certificate Authority (CA).
Which of the following is used to certify intermediate authorities in a large PKI deployment?
A. Root CA
B. Recovery agent
C. Root user
D. Key escrow - -correct ans- -Answer: A
Explanation:
The root CA certifies other certification authorities to publish and manage certificates within the
organization.
,In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the
information. The intermediate CAs are next in the hierarchy, and they trust only information
provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the
hierarchy and none that aren't. This arrangement allows a high level of control at all levels of
the hierarchical tree. .
Which of the following components MUST be trusted by all parties in PKI?
A. Key escrow
B. CA
C. Private key
D. Recovery key - -correct ans- -Answer: B
Explanation:
A certificate authority (CA) is an organization that is responsible for issuing, revoking, and
distributing certificates. In a simple trust model all parties must trust the CA.
In a more complicated trust model all parties must trust the Root CA.
Which of the following provide the BEST protection against brute forcing stored passwords?
(Select TWO).
A. PBKDF2
B. MD5
C. SHA2
D. Bcrypt
E. AES
F. CHAP - -correct ans- -Answer: A,D
Explanation:
, A: PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5 v. 2.01. It applies some
function (like a hash or HMAC) to the password or passphrase along with Salt to produce a
derived key.
D: bcrypt is a key derivation function for passwords based on the Blowfish cipher. Besides
incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over
time, the iteration count can be increased to make it slower, so it remains resistant to brute-
force search attacks even with increasing computation power.
The bcrypt function is the default password hash algorithm for BSD and many other systems.
References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis, 2014, pp. 109-110, 139, 143, 250, 255-256, 256
Deploying a wildcard certificate is one strategy to: A.
Secure the certificate's private key.
B. Increase the certificate's encryption key length.
C. Extend the renewal date of the certificate.
D. Reduce the certificate management burden - -correct ans- -Answer: D
Explanation:
A wildcard certificate is a public key certificate which can be used with multiple subdomains of a
domain. This saves money and reduces the management burden of managing multiple
certificates, one for each subdomain.
A single Wildcard certificate for *.example.com, will secure all these domains:
payment.example.com contact.example.com
login-secure.example.com www.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full
stops), these domains would not be valid for the certificate:
test.login.example.com
