ExamGecko
Question list
Search
Search

List of questions

Search

Related questions











Question 280 - CAS-004 discussion

Report
Export

An organization is looking to establish more robust security measures by implementing PKI. Which of the following should the security analyst implement when considering mutual authentication?

A.
Perfect forward secrecy on both endpoints
Answers
A.
Perfect forward secrecy on both endpoints
B.
Shared secret for both endpoints
Answers
B.
Shared secret for both endpoints
C.
Public keys on both endpoints
Answers
C.
Public keys on both endpoints
D.
A common public key on each endpoint
Answers
D.
A common public key on each endpoint
E.
A common private key on each endpoint
Answers
E.
A common private key on each endpoint
Suggested answer: C

Explanation:


A) Perfect forward secrecy on both endpoints is not required for implementing PKI-based mutual authentication. Perfect forward secrecy (PFS) is a property of encryption protocols that ensures that the compromise of a long-term secret key (such as a private key) does not affect the security of past or future session keys (such as symmetric keys). PFS can enhance the security and privacy of encrypted communications, but it does not provide authentication by itself.

B) Shared secret for both endpoints is not required for implementing PKI-based mutual authentication. Shared secret is a method of authentication that relies on a pre-shared piece of information (such as a password or a passphrase) that is known only to both parties. Shared secret can provide simple and fast authentication, but it does not provide non-repudiation or identity verification.

D) A common public key on each endpoint is not required for implementing PKI-based mutual authentication. A common public key on each endpoint would imply that both parties share the same certificate and private key, which would defeat the purpose of PKI-based mutual authentication. Each party should have its own unique certificate and private key that proves its identity and authenticity.

E) A common private key on each endpoint is not required for implementing PKI-based mutual authentication. A common private key on each endpoint would imply that both parties share the same certificate and public key, which would defeat the purpose of PKI-based mutual authentication. Each party should have its own unique certificate and private key that proves its identity and authenticity.


Public keys on both endpoints are required for implementing PKI-based mutual authentication. PKI stands for Public Key Infrastructure, which is a system that manages the creation, distribution, and verification of certificates. Certificates are digital documents that contain public keys and identity information of their owners. Certificates are issued by trusted authorities called Certificate Authorities (CAs), and can be used to prove the identity and authenticity of the certificate holders. Mutual authentication is a process in which two parties authenticate each other at the same time using certificates. Mutual authentication can provide stronger security and privacy than one-way authentication, where only one party is authenticated. In PKI-based mutual authentication, each party has a certificate that contains its public key and identity information, and a private key that corresponds to its public key. The private key is kept secret and never shared with anyone, while the public key is shared and used to verify the identity and signature of the certificate holder. The basic steps of PKI-based mutual authentication are as follows:

Party A sends its certificate to Party B.

Party B verifies Party A's certificate by checking its validity, signature, and trust chain. If the certificate is valid and trusted, Party B extracts Party A's public key from the certificate.

Party B generates a random challenge (such as a nonce or a timestamp) and encrypts it with Party A's public key. Party B sends the encrypted challenge to Party A.

Party A decrypts the challenge with its private key and sends it back to Party B.

Party B compares the received challenge with the original one. If they match, Party B confirms that Party A is the legitimate owner of the certificate and has possession of the private key.

The same steps are repeated in reverse, with Party A verifying Party B's certificate and sending a challenge encrypted with Party B's public key.

asked 02/10/2024
Sam Krupesh
38 questions
User
Your answer:
0 comments
Sorted by

Leave a comment first