Welcome to download the newest Pass4itsure hp0-m52 VCE dumps: http://www.pass4itsure.com/hp0-m52.html
ATTENTION : The following Cisco 642-825 exam questions and answers were updated in recent days with the change of new Cisco 642-825 exam, more new added questions are available at Flydumps. Please visit Flydumps and get valid Cisco 642-825 PDF and VCE exam dumps with free new version VCE player.
QUESTION 81
Jason the security administrator at Certkiller Inc. is working on IKE. His assignment is to find out which three things the Cisco VPN 3000 Concentrator checks during the IKE negotiations, when an identity certificate is received from an IKE peer. (Choose three)
A. Has the CA expired?
B. Is the certificate still valid?
C. Has the CA been revoked?
D. Is the certificate signed by a trusted CA?
E. Is the certificate in the CRL?
F. Is the certificate FQDN valid?
Correct Answer: BDE Section: (none) Explanation
Explanation/Reference:
Explanation: When an identity certificate arrives from an IKE peer, the VPN Concentrator checks three things before it trusts the peer: that the certificate is within its validity period (not expired), that its signature verifies under a CA certificate already installed and trusted on the Concentrator, and, if CRL checking is enabled, that its serial number is not listed on that CA's CRL. A and C ask about the CA rather than the received identity certificate, and F is not one of the three mandatory checks: matching the FQDN is part of the optional IKE peer identity validation described next. During IKE tunnel establishment, the peer provides its identity: either an IP address, a fully qualified domain name (FQDN), or a distinguished name (DN). It also presents a certificate, which contains none, some, or all of these fields. If IKE peer identity validation is enabled, the VPN Concentrator compares the peer's identity to the like field in the certificate to see if the information matches. If the information matches, then the peer's identity is validated and the VPN Concentrator establishes the tunnel. If the information does not match, the VPN Concentrator drops the tunnel. This feature provides an additional level of security. Reference: VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf
QUESTION 82
Jason the security administrator for Certkiller Inc. was given the assignment to find out what the two purposes of the X.509 Certificate Serial Number are. (Choose two)
A. The purpose is it specifies the subject’s public key and hashing algorithm.
B. The purpose is it specifies the start and expiration dates for the certificate.
C. The purpose is a unique certificate numerical identifier in the CA domain.
D. The purpose is the certificate number that is listed on the CRL when the certificate is revoked.
E. The purpose is it identifies the CA’s public key and hashing algorithm.
F. The purpose is Private Key.
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to such things as a name change, a change of association between the subject and the CA, or a security compromise, the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically issuing a signed CRL, where each revoked certificate is identified by its serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to ensure that the certificate being verified has not been revoked. The serial number is therefore the unique identifier of a certificate within the issuing CA's domain (C) and the value by which a revoked certificate is listed on the CRL (D); the algorithms and validity dates in A, B and E are separate certificate fields.
QUESTION 83
Kathy the security administrator at Certkiller Inc. is working on certificates. She needs to know which information is included in the PKCS#10 request message. (Choose two)
A. PKCS#10 request message contains the encryption algorithm
B. PKCS#10 request message contains the validity dates
C. PKCS#10 request message contains the user information
D. PKCS#10 request message contains the key size
E. PKCS#10 request message contains the private key
F. PKCS#10 request message contains the authentication algorithm
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
The PKCS#10 request carries the subject (user) information you enter on the enrollment screen and the public key, whose size you choose when generating the request. It does not carry validity dates (the CA sets those when it issues the certificate), and it never carries the private key.
Note: An enrollment request for an identity certificate consists of a base 64 encoded PKCS#10 file that the VPN Concentrator generates based on information you provide in the steps that follow. You have generated a base 64 encoded PKCS#10 file (PKCS#10 is the certification request syntax from the Public-Key Cryptography Standards), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the browser (pkcsNNNN.txt). In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN Concentrator in encrypted form.
QUESTION 84
Which of the following features will permit automatic certificate enrollment with the CA?
A. Mode Configuration
B. Quick Configuration
C. VRRP
D. SCEP
E. RRI
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Simple Certificate Enrollment Protocol (SCEP), developed by Cisco together with Verisign, Entrust, Microsoft, Netscape and Sun, provides a way of managing certificate enrollment. SCEP lets the VPN Concentrator request and install its CA and identity certificates automatically, without the manual exchange of request and certificate files with the CA.
QUESTION 85
What are the two types of certificate enrollment for the Cisco VPN Concentrator? Select two.
A. PKCS#15 enrollment process
B. PKCS#7 enrollment process
C. SCEP
D. certified enrollment process
E. CERTC enrollment process
F. File-based enrollment process
Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
Configuring Digital Certificates: SCEP and Manual Methods
To use digital certificates for authentication, you first enroll with a Certificate Authority (CA), and obtain and install a CA certificate on the VPN Concentrator. Then you enroll and install an identity certificate from the same CA.
You can enroll and install digital certificates on the VPN Concentrator in either of two ways:
* Using Cisco's Simple Certificate Enrollment Protocol (SCEP). SCEP is a secure messaging protocol that requires minimal user intervention. SCEP is the quicker method, and it lets you enroll and install certificates using only the VPN Concentrator Manager. To use SCEP, you must enroll with a CA that supports SCEP, and you must enroll via the Internet.
* Manually, exchanging information with the CA directly. The manual method involves more steps. You can do some of the steps using the Manager. Other steps require that you exchange information with the CA directly. You deliver your enrollment request and receive the certificate from the CA via the Internet, email, or a floppy disk.
Ref 2: Enrollment Method
Choose an enrollment method:
* PKCS10 Request (Manual) = Enroll using the manual process.
* Certificate Name via SCEP = Enroll automatically using this SCEP CA.
Note: If you install a CA certificate using the manual method, you must also use the manual method to request identity or SSL certificates from that CA. Conversely, to request identity and SSL certificates using SCEP, you must first use SCEP to obtain the CA certificate.
Tasks Summary
Whether you use SCEP or the manual method, you perform the following tasks to obtain and install certificates:
1. Obtain and install one or more CA certificate(s).
2. Create an enrollment request for one or more identity certificates.
3. Request an identity certificate from the same CA that issued the CA certificate(s).
4. Install the identity certificate on the VPN Concentrator.
5. Enable CRL checking and caching.
6. Enable certificates.
Ref 3: Types of certificate enrollment on the Cisco VPN Concentrator
You can enroll and install digital certificates on the VPN 3002 automatically or manually. The automatic method is a new feature that uses the Simple Certificate Enrollment Protocol (SCEP) to streamline enrollment and installation. SCEP is a secure messaging protocol that requires minimal user intervention. This method is quicker than enrolling and installing digital certificates manually, but it is available only if you are both enrolling with a CA that supports SCEP and enrolling via the web. If your CA does not support SCEP, or if you enroll with digital certificates by a means other than the web (such as through email or by a diskette), then you cannot use the automatic method; you must use the manual method. An enrollment request for an identity certificate consists of a base 64 encoded PKCS#10 file that the VPN Concentrator generates based on information you provide.
QUESTION 86
Which of the following will suffice as reasons for revoking a certificate? Choose two.
A. invalid time
B. Invalid date
C. change of association
D. compromised security
E. Invalid signature
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation: A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to a name change, change of association between the subject and the CA, security compromise, etc., the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically issuing a signed certificate revocation list (CRL), where each revoked certificate is identified by its serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate for authentication, it also checks the CRL to ensure that the certificate being verified has not been revoked. CAs use LDAP/HTTP databases to store and distribute CRLs. They might also use other means, but the VPN Concentrator relies on LDAP/HTTP access.
QUESTION 87
Which of the following statements regarding the digital signature process is valid?
A. The hash is encrypted with the public key and decrypted with the private key.
B. The hash is encrypted and decrypted with a shared secret key.
C. The hash is encrypted and decrypted with a symmetric key.
D. The hash is encrypted with the private key and decrypted with the public key.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: A digital signature is produced by computing a hash of the message (typically MD5 or SHA-1) and encrypting that hash with the sender's private key. The receiver decrypts the signature with the sender's public key, which anyone may hold, and compares the result with a hash it computes itself over the received message. Because the private key is known only to the owner of the key pair, as long as it is kept secret a signature that verifies proves that the message is unaltered and that it came from the holder of the private key (non-repudiation). A describes public-key encryption for confidentiality, and B and C describe symmetric-key operations, which cannot provide non-repudiation because both parties hold the same key.
QUESTION 88
What are the functions that a CA has to fulfill? (Select three options.)
A. The CA is responsible for revoking valid certificates
B. The CA is responsible for creating certificates
C. The CA is responsible for decrypting digital certificate
D. The CA is responsible for administering certificates
E. The CA is responsible for issues equipment certificates
F. The CA is responsible for revoking invalid certificates
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation:
The CA creates, administers, and revokes invalid certificates.
Reference: Ciscopress CCSP Self Study, CSVPN Second edition Page: 142
QUESTION 89
The Certkiller CEO wants your opinion regarding the best PKI model for a large enterprise. What can you tell her?
A. Central
B. Flat
C. Hub and Spoke
D. Hierarchical
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Going beyond the single-root CA, more complex topologies can be devised that involve multiple CAs within the same organization. One such topology is the hierarchical CA system, in which CAs no longer issue certificates to end users only, but also to subordinate CAs, who in turn issue their certificates to end-users and/or other CAs. In a hierarchical CA system, a tree of CAs and end users is built for which every CA can issue certificates to entities on the next lower level.
QUESTION 90
Which of the following causes a certificate issued from a CA to become invalid? Choose all that apply.
A. certificate reaches expiration date
B. certificate listed on CRL
C. certificate not enrolled via SCEP
D. certificate requested via PKCS # 10
Correct Answer: AB Section: (none) Explanation
Explanation/Reference:
Explanation: A certificate becomes invalid when it reaches its built-in expiration date, after which it will no longer be accepted, or when the issuing CA lists its serial number on its Certificate Revocation List (CRL), in which case it should be considered invalid and not used. How the certificate was enrolled (via SCEP or via a PKCS#10 request) has no bearing on whether it is valid.
QUESTION 91
Which of the following protocols automates the installation process of a digital certificate?
A. FTP
B. SCEP
C. VRRP
D. AH
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
You can automate the certificate request and installation process on your Concentrator by using Simple
Certificate Enrollment Protocol (SCEP) with a CA.
QUESTION 92
John the security administrator at Certkiller Inc. is working on installing certificates on the Cisco VPN 3000 Concentrator. Which two certificates does John need to install in the Cisco VPN 3000 Concentrator? (Choose two)
A. Root certificate needs to be installed
B. SSL certificate needs to be installed
C. Public certificate needs to be installed
D. Private certificate needs to be installed
E. Identity certificate needs to be installed
F. Trusted certificate needs to be installed
Correct Answer: AE Section: (none) Explanation
Explanation/Reference:
Explanation: Concentrator Certificate Manual Loading Process
Step 1: Generate the certificate request and upload it to the CA.
Step 2: The CA generates the identity and root certificates. Each is downloaded to a PC.
Step 3: The certificates are loaded onto the Concentrator.
Reference: VPN 3000 Concentrator Ref Volume 1. Configuration 4.0.pdf
QUESTION 93
Which pieces of information does the CA supply when it issues a digital certificate? Choose three.
A. user name
B. validity dates
C. User’s private key information
D. private key
E. Issuer’s name
F. CA signature algorithm
Correct Answer: BEF Section: (none) Explanation
Explanation/Reference:
Explanation:
The CA supplies the validity dates, its own (issuer) name and the algorithm it used to sign the certificate. The subject's name comes from the enrollment request, and the private key is never part of a certificate and never leaves the requester.
Certificate Fields
A certificate contains some or all of the following fields:
Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
Issuer: The CA or other entity (jurisdiction) that issued the certificate.
Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology, and they echo the fields on the Administration | Certificate Management | Enrollment screen.
CN (Common Name): the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN Concentrator self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated. SSL compares this CN with the address you use to connect to the VPN Concentrator via HTTPS, as part of its validation.
OU (Organizational Unit): the subgroup within the organization (O).
O (Organization): the name of the company, institution, agency, association, or other entity.
L (Locality): the city or town where the organization is located.
SP (State/Province): the state or province where the organization is located.
C (Country): the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Serial Number: The serial number of the certificate. Each certificate issued by a CA must be unique among all certificates issued by that CA. CRL checking uses this serial number.
Signing Algorithm: The cryptographic algorithm that the CA or other issuer used to sign this certificate.
Public Key Type: The algorithm and size of the certified public key.
Certificate Usage: The purpose of the key contained in the certificate, for example: digital signature, certificate signing, nonrepudiation, key or data encipherment, etc.
MD5 Thumbprint: A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a root certificate's authenticity, you can check this value with the issuer.
SHA1 Thumbprint: A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate's authenticity, you can check this value with the issuer.
Validity: The time period during which this certificate is valid. Format is MM/DD/YYYY at HH:MM:SS to MM/DD/YYYY at HH:MM:SS. Time uses 24-hour notation, and is local system time. The Manager checks the validity against the VPN Concentrator system clock, and it flags expired certificates by issuing event log entries.
Subject Alternative Name (Fully Qualified Domain Name): The fully qualified domain name for this VPN Concentrator that identifies it in this PKI. The alternative name is an optional additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.
CRL Distribution Point: All CRL distribution points from the issuer of this certificate.
QUESTION 94
Which of the following are the steps that are used when enrolling the file-based certificate? (Select three options.)
A. The identity certificate is loaded into the Cisco VPN Concentrator first.
B. The CA generates the root and identity certificates.
C. The root certificate is loaded into the Cisco VPN Concentrator second.
D. The root certificate is loaded into the Cisco VPN Concentrator first.
E. The Cisco VPN Concentrator generates a PKCS#7.
F. The Cisco VPN Concentrator generates a PKCS#10.
Correct Answer: BDF Section: (none) Explanation
Explanation/Reference:
Explanation: In the file-based (manual) process the VPN Concentrator generates a PKCS#10 request (F), the CA returns the root and identity certificates (B), and the root certificate is loaded into the Concentrator before the identity certificate (D), because an identity certificate can only be validated against a CA certificate that is already installed (see the Note and the Tasks Summary under QUESTION 85, which install the CA certificate first and the identity certificate afterwards). C reverses that order, and E is wrong because the Concentrator generates a PKCS#10 request, not a PKCS#7 message.
QUESTION 95
James the security administrator at Certkiller Inc. is working on IKE certificates.
What are three steps in the IKE certificate authentication process? (Choose three)
A. The identity certificate validity period is verified against the system clock of the Cisco VPN Concentrator.
B. The root certificate is not in the Cisco VPN Concentrator.
C. If enabled, the Cisco VPN Concentrator locates the CRL and validates the identity certificate.
D. Identity certificates are exchanged during IPSec negotiations.
E. The identity certificate signature is validated using the stored root certificate.
F. The signature is validated using the stored identity certificate.
Correct Answer: ACE Section: (none) Explanation
Explanation/Reference:
Explanation: Validating certificates:
1. Signed by a CA that is trusted: the signature is checked against the stored root certificate (E).
2. Not expired: the validity period is checked against the Concentrator's system clock (A).
3. Not revoked: if CRL checking is enabled, the CRL is located and the identity certificate is checked against it (C).
Reference: Cisco Secure Virtual Private Networks (Ciscopress) page 236
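The three checks in this explanation, together with the hash-sign-verify sequence from QUESTION 87, as an added example that is not part of the original exam dump or of Cisco's software. It uses textbook RSA over two fixed Mersenne primes and a constructed two-certificate PKI (a root and an identity certificate with made-up names and serial numbers) so that it runs stand-alone; real implementations use PKCS#1 padding and ASN.1-encoded certificates, which this toy omits.

```python
"""Added example (not from the exam dump or from Cisco): the three IKE
certificate checks from QUESTION 81 / QUESTION 95 and the signature
process from QUESTION 87, in plain Python. Textbook RSA over two fixed
Mersenne primes stands in for a real key pair so the script runs without
third-party libraries; it is a teaching toy, not production cryptography."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed toy CA key pair. 2**107-1 and 2**127-1 are known primes, so
# n is about 234 bits, comfortably larger than a 160-bit SHA-1 digest.
CA_P = 2**107 - 1
CA_Q = 2**127 - 1
CA_N = CA_P * CA_Q
CA_E = 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # private exponent
# Constructed peer key pair: carried as data only, never exercised below.
PEER_KEY = (65537, (2**89 - 1) * (2**61 - 1))


def sign(data: bytes, d: int, n: int) -> int:
    """Digital signature: hash the data, then 'encrypt' the hash with the private key."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return pow(digest, d, n)


def verify(data: bytes, signature: int, e: int, n: int) -> bool:
    """'Decrypt' the signature with the public key and compare it to a fresh hash."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return pow(signature, e, n) == digest


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    public_key: tuple      # (e, n) of the subject
    signature: int = 0     # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The 'to be signed' fields: everything the issuer vouches for."""
        return "|".join([self.subject, self.issuer, str(self.serial),
                         self.not_before.isoformat(), self.not_after.isoformat(),
                         str(self.public_key)]).encode()


def issue(cert: Cert, ca_d: int, ca_n: int) -> Cert:
    """The CA creates the certificate by signing its fields (QUESTION 88)."""
    cert.signature = sign(cert.tbs(), ca_d, ca_n)
    return cert


def validate(cert: Cert, trusted_roots: dict, crl: set, now: datetime, peer_id=None) -> list:
    """Return the failed checks; an empty list means the peer's certificate is accepted.
    trusted_roots maps an issuer name to the root Cert installed on the Concentrator;
    crl is the set of (issuer, serial) pairs currently revoked."""
    failures = []
    root = trusted_roots.get(cert.issuer)
    if root is None or not verify(cert.tbs(), cert.signature, *root.public_key):
        failures.append("not signed by a trusted CA")          # QUESTION 81 option D
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("outside validity period")             # option B
    if (cert.issuer, cert.serial) in crl:
        failures.append("serial number listed on CRL")         # option E
    if peer_id is not None and cert.subject != peer_id:
        failures.append("IKE identity does not match certificate")  # optional peer identity validation
    return failures


# Constructed sample PKI: a self-signed root and one identity certificate.
UTC = timezone.utc
ROOT = issue(Cert("Certkiller Root CA", "Certkiller Root CA", 1,
                  datetime(2003, 1, 1, tzinfo=UTC), datetime(2013, 1, 1, tzinfo=UTC),
                  (CA_E, CA_N)), CA_D, CA_N)
TRUSTED = {ROOT.subject: ROOT}
VPN_CERT = issue(Cert("vpn1.certkiller.com", "Certkiller Root CA", 4242,
                      datetime(2004, 1, 1, tzinfo=UTC), datetime(2005, 1, 1, tzinfo=UTC),
                      PEER_KEY), CA_D, CA_N)


def demo() -> dict:
    """Run the checks against a good certificate, a tampered copy, an expired
    clock, a CRL listing the certificate's serial, and a mismatched IKE identity."""
    now = datetime(2004, 6, 1, tzinfo=UTC)
    tampered = Cert("attacker.example", VPN_CERT.issuer, VPN_CERT.serial,
                    VPN_CERT.not_before, VPN_CERT.not_after, VPN_CERT.public_key,
                    VPN_CERT.signature)   # CA's signature reused over a different subject
    return {
        "good": validate(VPN_CERT, TRUSTED, set(), now),
        "tampered": validate(tampered, TRUSTED, set(), now),
        "expired": validate(VPN_CERT, TRUSTED, set(), datetime(2006, 1, 1, tzinfo=UTC)),
        "revoked": validate(VPN_CERT, TRUSTED, {("Certkiller Root CA", 4242)}, now),
        "wrong_peer": validate(VPN_CERT, TRUSTED, set(), now, peer_id="vpn2.certkiller.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result or 'accepted'}")
```

Each scenario prints either accepted or its failed checks. The signature check uses the root certificate stored on the Concentrator, not anything carried by the peer: a peer can present any certificate it likes, but only the CA's private key could have produced a signature that verifies under the installed root, which is why the tampered copy fails even though its signature bytes are genuine.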
QUESTION 96
Janice the Certkiller Inc. security administrator is working on the CRL configuration. Which three statements about CRL configuration are true? (Choose three)
A. CRL checking is disabled by default.
B. The Cisco VPN Concentrator relies on LDAP access to retrieve the CRL.
C. CRL checking is enabled by default.
D. The Cisco VPN Concentrator relies on HTTP access to retrieve the CRL.
E. If the CRL distribution point is available in the certificate, you do not have to fill in most of the CRL configuration fields.
F. If the CRL distribution point is available in the certificate, you still have to fill in most of the CRL configuration fields.
Correct Answer: ABE Section: (none) Explanation
Explanation/Reference:
Explanation:
F is incorrect, because you do not have to specify the CRL distribution point configuration fields if the CRL distribution point URI comes with the certificate (so E is the better choice).
Note 1: CAs use LDAP databases to store and distribute CRLs. They might also use other means, but the VPN Concentrator relies on LDAP access.
Step 1 On the Administration | Certificate Management screen, in the Certificate Authorities table, click Configure next to the CA certificate for which you want to enable CRL checking. The Manager displays the Administration | Certificate Management | Configure CA Certificate screen. For information on these fields, see the "Administration | Certificate Management | Configure CA Certificate" section or online Help.
Step 2 CRL checking is disabled by default. Choose the method to use to retrieve the CRL. If you choose to use CRL distribution points specified in the certificate being checked, be sure to specify the distribution point protocols for retrieving CRLs. If you choose the LDAP protocol, be sure to specify the LDAP distribution point defaults. If you choose to use static CRL distribution points, be sure to enter them under Static CRL Distribution Points further down.
Step 3 To enable CRL caching, check the Enabled check box. In the Refresh Time field, specify a time period for updating the CRL.
Step 4 Check the appropriate check boxes to indicate whether you want to accept Subordinate CA Certificates or accept Identity Certificates signed by this issuer.
Step 5 Click Apply. The Manager displays the Administration | Certificate Management screen.
Note 2: D is also true, because the Concentrator can retrieve CRLs over both LDAP and HTTP (see the explanation for QUESTION 86 and QUESTION 99); the question simply allows only three selections.
QUESTION 97
Which of the following represents a correctly defined static CRL distribution point?
A. TFTP://10.0.1.21/CertEnroll/Certkiller.crl
B. FTP://10.0.1.21/CertEnroll/Certkiller.crl
C. HTTP://10.0.1.21/CertEnroll/Certkiller.crl
D. HTTPS://10.0.1.21/CertEnroll/Certkiller.crl
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Static CRL Distribution Points
Enter HTTP or LDAP URLs that identify CRLs located on external servers. If you chose a CRL Retrieval Policy that uses static distribution points, you must enter at least one (and not more than five) valid URLs. Enter each URL on a single line. (Scroll right to enter longer values.) Examples of valid URLs are:
HTTP URL: http://1.1.1.2/CertEnroll/TestCA6-8.crl
LDAP URL: ldap://100.199.7.6:389/CN=TestCA6-8,CN=2KPDC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=qa2000,DC=com?certificateRevocationList?base?objectclass=
TFTP and FTP (A, B) are not CRL retrieval protocols on the Concentrator, and an HTTPS URL (D) is not one of the accepted forms either; only HTTP and LDAP URLs are.
QUESTION 98
The VPN Concentrator retrieves and examines CRLs when CRL checking is enabled. CRLs can be cached locally to mitigate potential timeout problems due to network congestion and delay. In which location are CRLs cached?
A. on a pre-defined TFTP server on the local private network
B. on a pre-defined FTP server on the local private network
C. in the VPN Concentrator’s volatile memory
D. in the VPN Concentrator’s non volatile memory
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Since the system has to retrieve and examine the CRL from a network distribution point, enabling CRL checking might slow system response times. Also, if the network is slow or congested, CRL checking might fail. To mitigate these potential problems, you can enable CRL caching. This stores the retrieved CRLs in local volatile memory, thus allowing the VPN Concentrator to verify the revocation status of certificates more quickly.
QUESTION 99
Which of the following protocols can be utilized by VPN Concentrator in an attempt to retrieve Certificate Revocation Lists? (Select two options.)
A. SSL
B. SSH
C. LDAP
D. HTTP
E. FTP
F. TFTP
Correct Answer: CD Section: (none) Explanation
Explanation/Reference:
Explanation:
Reference: Cisco Press CCSP Cisco Secure VPN (Roland, Newcomb) p.237
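The retrieval policy, caching and protocol rules spread across QUESTIONS 96 to 99, as an added example that is not part of the original exam dump or of Cisco's software. The fetcher, the URLs and the serial numbers are constructed stand-ins for a CA's distribution points; the point is that a CRL is taken from the certificate's own distribution points or from a static list, that only HTTP and LDAP URLs are tried, that a retrieved CRL is reused from memory until the refresh time passes, and that a certificate whose CRL cannot be retrieved at all is reported as unknown rather than as good.

```python
"""Added example (not from the exam dump or from Cisco): CRL retrieval
policy, distribution-point filtering and in-memory caching as described
for the VPN Concentrator in QUESTIONS 96-99. Network access is replaced by
a constructed fetch function so the script runs offline."""
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "ldap"}   # the Concentrator relies on LDAP/HTTP access only


def valid_distribution_point(url: str) -> bool:
    """A usable CRL distribution point is an HTTP or LDAP URL with a host (QUESTION 97)."""
    parts = urlparse(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


class CRLCache:
    """Keeps each retrieved CRL in volatile memory until the refresh time
    elapses (QUESTION 98), so repeated IKE negotiations do not hit the CDP."""

    def __init__(self, fetch, refresh_seconds: int):
        self._fetch = fetch            # fetch(url) -> set of revoked serials; raises OSError on failure
        self._refresh = refresh_seconds
        self._entries = {}             # url -> (fetched_at, revoked_serials)

    def get(self, url: str, now: int) -> set:
        entry = self._entries.get(url)
        if entry is not None and now - entry[0] < self._refresh:
            return entry[1]            # cache hit, no network access
        revoked = self._fetch(url)     # may raise; an entry past its refresh time is not reused
        self._entries[url] = (now, revoked)
        return revoked


def revocation_status(serial: int, cert_dps: list, static_dps: list,
                      policy: str, cache: CRLCache, now: int):
    """policy is 'cert', 'static' or 'cert_then_static', mirroring the CRL
    retrieval policy choices. Returns ('revoked' | 'good' | 'unknown', url)."""
    if policy == "cert":
        candidates = list(cert_dps)
    elif policy == "static":
        candidates = list(static_dps)
    elif policy == "cert_then_static":
        candidates = list(cert_dps) + list(static_dps)
    else:
        raise ValueError("unknown CRL retrieval policy: " + policy)
    for url in candidates:
        if not valid_distribution_point(url):
            continue                   # e.g. a TFTP or FTP URL is never tried
        try:
            revoked = cache.get(url, now)
        except OSError:
            continue                   # timeout or congestion: try the next distribution point
        return ("revoked" if serial in revoked else "good"), url
    return "unknown", None             # CRL checking could not be performed; the caller must reject


# Constructed stand-in for the network: one reachable HTTP CDP; every other URL times out.
FAKE_CRLS = {"http://10.0.1.21/CertEnroll/Certkiller.crl": {4242, 4243}}
FETCH_COUNT = {"n": 0}                 # counts real retrievals to show the cache working


def fake_fetch(url: str) -> set:
    FETCH_COUNT["n"] += 1
    if url not in FAKE_CRLS:
        raise OSError("timeout retrieving " + url)
    return set(FAKE_CRLS[url])


def demo() -> dict:
    """Walk through the policies with a 3600-second refresh time."""
    cache = CRLCache(fake_fetch, refresh_seconds=3600)
    static = ["http://10.0.1.21/CertEnroll/Certkiller.crl"]
    in_cert = ["ldap://10.0.1.22:389/CN=Certkiller,CN=CDP?certificateRevocationList"]
    results = {
        "good_serial": revocation_status(7, [], static, "static", cache, now=0),
        "revoked_serial": revocation_status(4242, [], static, "static", cache, now=60),
        "fetches_after_two_checks": FETCH_COUNT["n"],
        "fallback_to_static": revocation_status(4243, in_cert, static, "cert_then_static", cache, now=120),
        "cert_dp_only_unreachable": revocation_status(4243, in_cert, [], "cert", cache, now=120),
        "tftp_rejected": valid_distribution_point("tftp://10.0.1.21/CertEnroll/Certkiller.crl"),
    }
    revocation_status(7, [], static, "static", cache, now=3600)   # refresh time reached: refetch
    results["fetches_after_refresh"] = FETCH_COUNT["n"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value}")
```

The unreachable LDAP distribution point is the failure mode the page warns about: with the certificate-only policy the status comes back unknown, and a Concentrator that has CRL checking enabled must then refuse the certificate rather than fall through to accepting it.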