PrepAway - Latest Free Exam Questions & Answers

Which of the following implements the required secure key negotiation?

A security administrator must implement a system to allow clients to securely negotiate encryption keys
with the company’s server over a public unencrypted communication channel. Which of the following implements the required secure key negotiation? (Select TWO).

A. PBKDF2

B. Symmetric encryption

C. Steganography

D. ECDHE

E. Diffie-Hellman

Explanation:
Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties,
each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel.
This shared secret may be directly used as a key, or better yet, to derive another key which can then be
used to encrypt subsequent communications using a symmetric key cipher. It is a variant of the Diffie–
Hellman protocol using elliptic curve cryptography.
Note: Adding an ephemeral key to Diffie-Hellman turns it into DHE (which, despite the order of the
acronym, stands for Ephemeral Diffie-Hellman).
Adding an ephemeral key to Elliptic Curve Diffie-Hellman turns it into ECDHE (again, overlook the order of
the acronym letters; it is called Ephemeral Elliptic Curve Diffie-Hellman). It is the ephemeral component
of each of these that provides the perfect forward secrecy.
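
An added example, not part of the original explanation: an ephemeral Diffie-Hellman exchange using only Python's standard library, with both sides deriving the same session key from public values alone. The modulus `P`, generator `G` and all function names are assumptions chosen for brevity; ECDHE has the same shape with curve points in place of modular exponentiation.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: 2**521 - 1 is prime, but it is not a
# standardized DH group. Real servers use RFC 7919 groups or a curve (ECDHE).
P = 2**521 - 1
G = 3
NBYTES = 66  # 521 bits rounded up to whole bytes


def ephemeral_keypair():
    """Fresh private exponent and public value, generated for one session only."""
    priv = secrets.randbelow(P - 3) + 2  # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)


def shared_secret(my_priv, peer_pub):
    """Check the peer's public value, then compute G^(a*b) mod P."""
    if not 2 <= peer_pub <= P - 2:  # 0, 1 and P-1 force a predictable secret
        raise ValueError("invalid peer public value")
    return pow(peer_pub, my_priv, P).to_bytes(NBYTES, "big")


def derive_key(secret, transcript):
    """HKDF-SHA256 (RFC 5869), single 32-byte block, bound to both public values."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def negotiate():
    """Run one session; only c_pub and s_pub ever cross the public channel."""
    c_priv, c_pub = ephemeral_keypair()  # client side
    s_priv, s_pub = ephemeral_keypair()  # server side
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    client_key = derive_key(shared_secret(c_priv, s_pub), transcript)
    server_key = derive_key(shared_secret(s_priv, c_pub), transcript)
    # The private exponents go out of scope here and are never stored: that is
    # the "ephemeral" part, so no long-lived secret can later recover this key.
    return client_key, server_key, (c_pub, s_pub)


if __name__ == "__main__":
    for session in (1, 2):
        ck, sk, _ = negotiate()
        print(session, ck == sk, ck.hex()[:16])
```

Each call to `negotiate()` yields a different key, which is the forward secrecy property described above. Because the exchange is anonymous, protocols such as TLS also sign the public values to authenticate the server.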
Incorrect Answers:
A: PBKDF2 is used to strengthen keys, but it would not resolve the problem with the key exchange on an
unsecure channel.
PBKDF2 (Password-Based Key Derivation Function 2) is part of PKCS #5
v. 2.01. It applies some function (like a hash or HMAC) to the password or passphrase along with a salt to
produce a derived key.
B: Symmetric encryption would not in itself help on an unsecure channel.
C: Steganography is the process of hiding one message in another. Steganography is not used for secure
key negotiation.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 248, 249-251, 254, 256
