Exam CISSP topic 1 question 42 discussion

Every employee will have a digital certificate. That means every of the them will have a private key stored in his device. The private keys will be stored in the TPM of the users' devices. PKI is a framework and irrelevant to storing the keys.

Trusted Platform Module (TPM): A TPM is a hardware-based security module that is typically embedded on the motherboard of a computer system. It provides secure storage for cryptographic keys and other sensitive data. TPMs are designed to be tamper-resistant and can be used to protect against various attacks, including cold boot attacks and physical tampering.

A Trusted Platform Module (TPM) is a dedicated hardware chip designed to securely store cryptographic keys, including private keys. It provides hardware-based security by protecting the keys from unauthorized access and tampering. TPMs are widely recognized as one of the most secure options for storing private keys, especially within an internal certification authority (CA) environment, where the security of private keys is critical.

B: The key word is, "Store..."

For key storage its pretty much always going to be a TPM or HSM. Ima go with A as I think a Physically secure storage device is just another name for HSM

The question states nothing to do with the devices being laptops. VMs dont have TPMs neither do desktops, so how could it be TPM.

If you issue certs from AD CS to Windows devices the private user key is not stored on the TPM of the laptop. This would have to be PKI IMO.

B - from CISSP Official Study Guide (Sybex) - Trusted Platform Module Modern computers often include a specialized cryptographic component known as a Trusted Platform Module (TPM). The TPM is a chip that resides on the motherboard of the device. The TPM serves a number of purposes, including the storage and management of keys used for full-disk encryption (FDE) solutions. The TPM provides the operating system with access to the keys only if the user successfully authenticates. This prevents someone from removing the drive from one device and inserting it into another device to access the drive's data. Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 286). Wiley. Kindle Edition.

The best answer is B. Trusted Platform Module (TPM) because TPMs provide hardware-based security that is more resilient to external software attacks than software-based encryption solutions. They are designed to protect and store cryptographic keys securely within the hardware, making it a suitable option for securing the private keys of a certification authority.

A Trusted Platform Module (TPM) is a cryptographic processor embedded into a computer. It provides authentication and full-disk encryption.

TPM is correct.

B is the correct answer! A Trusted Platform Module (TPM) is a specialized chip on a laptop or desktop computer that is designed to secure hardware with integrated cryptographic keys. A TPM helps prove a user's identity and authenticates their device. In this case, the employees each own a TPM compliant device.

I think should be A vs B. the question asking internal certification <- so i choose B

designing and implementing an "internal" certification authority

I vote B as well

TPM and HSM are the best options to store crypto keys

Public key infrastructure (PKI) The certificate is signed by a central and respected certificate authority (CA) to vouch for its authenticity. A large organization might manage a private CA for internal communications, while several third-party public CAs offer internet-based certificate services. If a certificate is compromised, the CA can revoke it and issue a new one. X.509 certificates use it by default. PKI itself encompasses multiple trust models.