CompTIA Security+ Question F-56

Which of the following provides a static record of all certificates that are no longer valid?

A. Private key
B. Recovery agent
C. CRLs
D. CA

Answer: C

Explanation:
The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user.

CompTIA Security+ Question F-48

One of the senior managers at a company called the help desk to report a problem. The manager could no longer access data on a laptop equipped with FDE. The manager requested that the FDE be removed and the laptop restored from a backup. The help desk informed the manager that the recommended solution was to decrypt the hard drive prior to reinstallation and recovery. The senior manager did not have a copy of the private key associated with the FDE on the laptop. Which of the following tools or techniques did the help desk use to avoid losing the data on the laptop?

A. Public key
B. Recovery agent
C. Registration details
D. Trust Model

Answer: B

CompTIA Security+ Question F-34

Which of the following allows a company to maintain access to encrypted resources when employee turnover is high?

A. Recovery agent
B. Certificate authority
C. Trust model
D. Key escrow

Answer: A

Explanation:
If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent to retrieve his decryption key. We can use this recovered key to access the data. A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext messages as needed. As opposed to escrow, recovery agents are typically used to access information that is encrypted with older keys.

CompTIA Security+ Question F-2

When using PGP, which of the following should the end user protect from compromise? (Select TWO).

A. Private key
B. CRL details
C. Public key
D. Key password
E. Key escrow
F. Recovery agent

Answer: A,D

Explanation:
A: In PGP only the private key belonging to the receiver can decrypt the session key. PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key.

D: PGP uses a passphrase to encrypt your private key on your machine. Your private key is encrypted on your disk using a hash of your passphrase as the secret key. You use the passphrase to decrypt and use your private key.

CompTIA Security+ Question E-51

The recovery agent is used to recover the:

A. Root certificate
B. Key in escrow
C. Public key
D. Private key

Answer: D

Explanation:
A key recovery agent is an entity that has the ability to recover a private key, key components, or plaintext messages as needed. Using the recovered key the recovery agent can decrypt encrypted data.

CompTIA Security+ Question D-99

Which of the following is synonymous with a server’s certificate?

A. Public key
B. CRL
C. Private key
D. Recovery agent

Answer: A

Explanation:
A public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key.

CompTIA Security+ Question D-94

Which of the following should a security technician implement to identify untrusted certificates?

A. CA
B. PKI
C. CRL
D. Recovery agent

Answer: C

Explanation:
Untrusted certificates and keys are revoked and put into the CRL. Note: The CRL (Certificate revocation list) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included.

CompTIA Security+ Question D-49

An administrator needs to renew a certificate for a web server. Which of the following should be submitted to a CA?

A. CSR
B. Recovery agent
C. Private key
D. CRL

Answer: A

Explanation:
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. When you renew a certificate, you send a CSR to the CA to get the certificate re-signed.

CompTIA Security+ Question C-58

The security administrator installed a newly generated SSL certificate onto the company web server. Due to a misconfiguration of the website, a downloadable file containing one of the pieces of the key was available to the public. It was verified that the disclosure did not require a reissue of the certificate. Which of the following was MOST likely compromised?

A. The file containing the recovery agent’s keys.
B. The file containing the public key.
C. The file containing the private key.
D. The file containing the server’s encrypted passwords.

Answer: B

Explanation:
The public key can be made available to everyone. There is no need to reissue the certificate.

CompTIA Security+ Question C-33

A system administrator is notified by a staff member that their laptop has been lost. The laptop contains the user’s digital certificate. Which of the following will help resolve the issue? (Select TWO).

A. Revoke the digital certificate
B. Mark the key as private and import it
C. Restore the certificate using a CRL
D. Issue a new digital certificate
E. Restore the certificate using a recovery agent

Answer: A,D

Explanation:
The user’s certificate must be revoked to ensure that the stolen computer cannot access resources the user has had access to. To grant the user access to the resources he must be issued a new certificate.