Correct Answer: D

D: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the five EAP types adopted by the WPA/ WPA2 standard are EAP-TLS, EAP- PSK, EAP-MD5, as well as LEAP and PEAP. PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server- side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.

Incorrect Answers:

A: WPA2 is a more recent version of WEP. Although many consider PEAP and EAP-TTLS to be similar options, PEAP is more secure because it establishes an encrypted channel between the server and the client. EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. With EAP TTLS the client can, but does not have to be authenticated via a CA-signed PKI certificate to the server.

B: WPA is basically a version of WEP. EAP-PSK, defined in RFC 4764, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.

C: WPA2 is a more recent version of WEP but does not ensure encryption of user credentials when they enter their usernames and passwords to authenticate to the network.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 171, 181.

Correct Answer: B

Correct Answer: D

Authentication generally requires one or more of the following:

?Something you know: a password, code, PIN, combination, or secret phrase.

?Something you have: a smart card, token device, or key.

?Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter.

?Somewhere you are: a physical or logical location.

?Something you do: typing rhythm, a secret handshake, or a private knock.

Incorrect Answers:

A: Single sign-on is when a user is authenticated into the realm, they need not re-authenticate to access resources on any realm entity. Authentication has not occurred in this instance.

B: Authorization occurs after authentication, and ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity. Authorization indicates who is trusted to perform specific

operations.

C: Access Control is defined as the control and management of users and their privileges and activities in a secure environment.

References:

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp 275- 284.

Correct Answer: A

Enticement is the process of luring someone into your plan or trap.

Incorrect Answers:

B: Entrapment is the process in which a law enforcement officer or a government agent encourages or induces a person to commit a crime when the potential criminal expresses a desire not to go ahead. Entrapment is a valid legal defense in a criminal prosecution.

C: Deceit is an act to propagate beliefs of things that are not true.

D: According to Wikipedia a sting is a deceptive operation designed to catch a person committing a crime. Almost akin to setting a honey trap.

References:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 65 http://en.wikipedia.org/wiki/Sting_operation

Correct Answer: A

Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic with an embedded microchip. The second is as a USB token. It contains a built in processor and has the ability to securely store and process information. A "contact" smart card communicates with a PC using a smart card reader whereas a "contactless" card sends encrypted information via radio waves to the PC. Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail decryption and remote access authentication. However, smart cards are programmable and can contain programs and data for many different applications. For example smart cards may be used to store medical histories for use in emergencies, to make electronic cash payments or to verify the identity of a customer to an e-retailer. Microsoft provides two device independent APIs to insulate application developers from differences between current and future implementations: CryptoAPI and Microsoft Win32?SCard APIs. The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). There are many different cryptographic algorithms and even when implementing the same algorithm there are many choices to make about key sizes and padding for example. For this reason, CSPs are grouped into types, in which each supported CryptoAPI function, by default, performs in a way particular to that type. For example, CSPs in the PROV_DSS provider type support DSS Signatures and MD5 and SHA hashing.

Incorrect Answers:

B: A time-based one-time password (TOTP) is a temporary code, generated by an algorithm, for use in authenticating access to computer systems. The algorithm that generates each password uses the current time of day as one of its factors, ensuring that each password is unique. Time- based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers. In two-factor authentication scenarios, a user must enter a traditional, static password and a TOTP to gain access. In this question, the company currently stores passwords as SHA hashes. This suggests that the passwords are not temporary passwords. Therefore this answer is incorrect.

C: In cryptography, key stretching refers to techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking. Key stretching makes such attacks more difficult. Key stretching is used to make passwords stronger. One method is to apply a hash to the password. In this question, the passwords are already hashed. Therefore this answer is incorrect.

D: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes. Asymmetric keys are not used to further secure hashed passwords. Therefore this answer is incorrect.

References: https://msdn.microsoft.com/en-us/library/ms953432.aspx http://searchconsumerization.techtarget.com/definition/time-based-one-time-password-TOTP http://en.wikipedia.org/wiki/Key_stretching