CompTIA Security+ Question L-78

A security administrator at a company which implements key escrow and symmetric encryption only, needs to decrypt an employee’s file. The employee refuses to provide the decryption key to the file. Which of the following can the administrator do to decrypt the file?

A. Use the employee’s private key
B. Use the CA private key
C. Retrieve the encryption key
D. Use the recovery agent

Answer: C

Explanation:
Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee’s private messages have been called into question.

CompTIA Security+ Question L-76

Which of the following identifies certificates that have been compromised or suspected of being compromised?

A. Certificate revocation list
B. Access control list
C. Key escrow registry
D. Certificate authority

Answer: A

Explanation:
Certificates that have been compromised or are suspected of being compromised are revoked. A CRL is a locally stored record containing revoked certificates and revoked keys.

CompTIA Security+ Question L-51

A certificate authority takes which of the following actions in PKI?

A. Signs and verifies all infrastructure messages
B. Issues and signs all private keys
C. Publishes key escrow lists to CRLs
D. Issues and signs all root certificates

Answer: D

Explanation:
A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is part of a public key infrastructure (PKI) scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA). Note: In cryptography and computer security, a root certificate is an unsigned public key certificate (also called self-signed certificate) that identifies the Root Certificate Authority (CA).

CompTIA Security+ Question L-28

A new mobile banking application is being developed and uses SSL / TLS certificates but penetration tests show that it is still vulnerable to man-in-the-middle attacks, such as DNS hijacking. Which of the following would mitigate this attack?

A. Certificate revocation
B. Key escrow
C. Public key infrastructure
D. Certificate pinning

Answer: D

CompTIA Security+ Question K-70

Which of the following is a requirement when implementing PKI if data loss is unacceptable?

A. Web of trust
B. Non-repudiation
C. Key escrow
D. Certificate revocation list

Answer: C

Explanation:
Key escrow is a database of stored keys that later can be retrieved. Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as it relates to home mortgages) and made available if that third party requests them. The third party in question is generally the government, but it could also be an employer if an employee’s private messages have been called into question.

CompTIA Security+ Question K-64

Which of the following allows an organization to store a sensitive PKI component with a trusted third party?

A. Trust model
B. Public Key Infrastructure
C. Private key
D. Key escrow

Answer: D

Explanation:
Sensitive PKI data, such as private keys, can be put into key escrow data. The key escrow data can be kept at a trusted third party. Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees’ private communications, or governments, who may wish to be able to view the contents of encrypted communications.

CompTIA Security+ Question K-31

A CA is compromised and attacks start distributing maliciously signed software updates. Which of the following can be used to warn users about the malicious activity?

A. Key escrow
B. Private key verification
C. Public key verification
D. Certificate revocation list

Answer: D

Explanation:
If we put the root certificate of the comprised CA in the CRL, users will know that this CA (and the certificates that it has issued) no longer can be trusted. The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.

CompTIA Security+ Question K-30

Which of the following concepts is used by digital signatures to ensure integrity of the data?

A. Non-repudiation
B. Hashing
C. Transport encryption
D. Key escrow

Answer: B

Explanation:
Most digital signature implementations also use a hash to verify that the message has not been altered, intentionally or accidently, in transit.

CompTIA Security+ Question K-10

Which of the following components MUST be trusted by all parties in PKI?

A. Key escrow
B. CA
C. Private key
D. Recovery key

Answer: B

Explanation:
A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates. In a simple trust model all parties must trust the CA. In a more complicated trust model all parties must trust the Root CA.

CompTIA Security+ Question K-2

Peter, an employee, needs a certificate to encrypt data. Which of the following would issue Peter a certificate?

A. Certification authority
B. Key escrow
C. Certificate revocation list
D. Registration authority

Answer: A

Explanation:
A certificate authority (CA) is an organization that is responsible for issuing, revoking, and distributing certificates.