A Linux administrator needs to implement a modern, fast, and secure VPN solution. The administrator chooses WireGuard due to its small codebase and use of state-of-the-art cryptography. Which of the following describes the fundamental method used by WireGuard to authenticate peers and establish a secure tunnel?
A central Certificate Authority (CA) is established to sign and issue client and server certificates for mutual authentication.
The ssh-keygen utility is used to create an authentication key pair that is then loaded into the WireGuard interface.
Each peer generates a private key and exchanges public keys with other peers, which are then added to the configuration files.
The wg-quick tool is used with a pre-shared key (PSK) that is identical on the server and all connecting peers for authentication.
The correct answer is that each peer generates a private key and shares its corresponding public key. WireGuard's authentication model is built on a concept called Cryptokey Routing. Each device (peer) has its own private key and a corresponding public key. To establish a secure connection, peers exchange their public keys through an out-of-band method, similar to how SSH public keys are shared. This public key is then associated with the specific VPN IP addresses allowed for that peer in the configuration file. This approach is simple, avoids the complexity of managing a certificate authority, and leverages modern cryptographic principles.
Creating a central Certificate Authority (CA) and issuing signed certificates is the model used by protocols like OpenVPN and IPsec, not WireGuard. WireGuard was designed to be simpler than these older protocols.
Using the wg-quick tool with a pre-shared key (PSK) alone is incorrect. While WireGuard does support an optional PSK for added post-quantum security, it is an additional layer on top of the primary public/private key authentication, not the fundamental method itself.
The ssh-keygen utility generates SSH keys. While the concept of public/private key pairs is similar, WireGuard uses its own tool, wg genkey, to generate its specific type of keys (Curve25519).
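The public-key-to-address binding described in the explanation above can be modelled in a few lines. This is an added example, not WireGuard's own code: the class, function names, key placeholders and addresses are constructed for illustration, and it models only the table lookup (no cryptography).

```python
import ipaddress

# Constructed placeholders; real WireGuard public keys are base64 strings from `wg pubkey`.
LAPTOP = "LAPTOP_PUBLIC_KEY_PLACEHOLDER"
SITE = "SITE_ROUTER_PUBLIC_KEY_PLACEHOLDER"


class CryptokeyTable:
    """Toy model of one interface's peer table: public key -> AllowedIPs."""

    def __init__(self):
        self._peers = {}

    def add_peer(self, public_key, allowed_ips):
        self._peers[public_key] = [ipaddress.ip_network(n) for n in allowed_ips]

    def peer_for_destination(self, dst):
        """Outbound: choose the peer with the most specific AllowedIPs match."""
        addr = ipaddress.ip_address(dst)
        best_key, best_len = None, -1
        for key, nets in self._peers.items():
            for net in nets:
                if net.version == addr.version and addr in net and net.prefixlen > best_len:
                    best_key, best_len = key, net.prefixlen
        return best_key  # None means no peer owns this address; packet is not sent

    def accept_inbound(self, authenticated_key, inner_src):
        """Inbound: the packet already decrypted under authenticated_key;
        accept it only if its inner source address belongs to that peer."""
        addr = ipaddress.ip_address(inner_src)
        nets = self._peers.get(authenticated_key, [])
        return any(n.version == addr.version and addr in n for n in nets)


def build_example_table():
    """Constructed server-side table with two peers."""
    table = CryptokeyTable()
    table.add_peer(LAPTOP, ["10.0.0.2/32"])
    table.add_peer(SITE, ["10.0.0.3/32", "192.168.50.0/24"])
    return table


if __name__ == "__main__":
    t = build_example_table()
    print(t.peer_for_destination("192.168.50.7"))
    print(t.accept_inbound(LAPTOP, "192.168.50.7"))
```

The inbound check is what makes the key an authenticator for addresses: a peer that holds a valid key still cannot source traffic from a range assigned to a different key.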
CompTIA Linux+ XK0-006 (V8)
Security