
The flow of the authentication process involving Claimant, Authentication Protocol, and Verifier: The authentication process establishes the identity of the claimant to the verifier with a certain degree of assurance. It is implemented through an authentication protocol message exchange, as well as management mechanisms at each end that further constrain or secure the authentication activity. One or more of the messages of the authentication protocol may need to be carried on a protected channel.

The flow of tokens and credentials involving Claimant, Authenticator, and Verifier: Tokens generally are something the claimant possesses and controls that may be used to authenticate the claimant's identity. In E-authentication, the claimant authenticates to a system or application over a network by proving that he has possession of a token. The token produces an output called an authenticator, and this output is used in the authentication process to prove that the claimant possesses and controls the token.

The flow of assertions involving Verifier, Claimant, and Relying Party: Assertions are statements from a verifier to a relying party that contain information about a subscriber (claimant). Assertions are used when the relying party and the verifier are not collocated (e.g., they are connected through a shared network). The relying party uses the information in the assertion to identify the claimant and make authorization decisions about his access to resources controlled by the relying party.

125. Which of the following authentication techniques is appropriate for accessing nonsensitive IT assets with multiple uses of the same authentication factor?

a. Single-factor authentication

b. Two-factor authentication

c. Three-factor authentication

d. Multifactor authentication

125. a. Multiple uses of the same authentication factor (e.g., using the same password more than once) are appropriate for accessing nonsensitive IT assets; this is known as single-factor authentication. The other three choices are not needed for authentication of low-security-risk and nonsensitive assets.

126. From an access control effectiveness viewpoint, which of the following represents biometric verification when a user submits a combination of a personal identification number (PIN) first and biometric sample next for authentication?

a. One-to-one matching

b. One-to-many matching

c. Many-to-one matching

d. Many-to-many matching

126. a. This combination of authentication represents something that you know (PIN) and something that you are (biometric). At the authentication system prompt, the user enters the PIN and then submits a biometric live-captured sample. The system compares the biometric sample to the biometric reference data associated with the PIN entered, which is a one-to-one matching of biometric verification. The other three choices are incorrect because the correct answer is based on its definition.

127. From an access control effectiveness viewpoint, which of the following represents biometric identification when a user submits a combination of a biometric sample first and a personal identification number (PIN) next for authentication?

a. One-to-one matching

b. One-to-many matching

c. Many-to-one matching

d. Many-to-many matching

127. b. This combination of authentication represents something that you know (PIN) and something that you are (biometric). The user presents a biometric sample first to the sensor, and the system conducts a one-to-many matching of biometric identification. The user is then prompted to supply a PIN, which provides the biometric reference data. The other three choices are incorrect because the correct answer is based on its definition.

128. During biometric identification, which of the following can result in slow system response times and increased expense?

a. One-to-one matching

b. One-to-many matching

c. Many-to-one matching

d. Many-to-many matching

128. b. The biometric identification with one-to-many matching can result in slow system response times and can be more expensive depending on the size of the biometric database. That is, the larger the database size, the slower the system response time. A personal identification number (PIN) is entered as a second authentication factor, and the matching is slow.

129. During biometric verification, which of the following can result in faster system response times and can be less expensive?

a. One-to-one matching

b. One-to-many matching

c. Many-to-one matching

d. Many-to-many matching

129. a. The biometric verification with one-to-one matching can result in faster system response times and can be less expensive because the personal identification number (PIN) is entered as a first authenticator and the matching is quick.
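The response-time argument in questions 126 through 129 comes down to how many template comparisons each mode performs. The following added example (not from the book) models both modes over a constructed enrolment database of toy feature vectors; the PIN-to-template mapping, the distance metric, and the match threshold are assumptions, not a real biometric matcher.

```python
"""Biometric verification (one-to-one) versus identification (one-to-many).

Added example with constructed data. Templates are small feature vectors;
real matchers use far richer representations, but the comparison counts
behave the same way.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Template = Tuple[float, ...]

# Constructed enrolment database: PIN -> reference template.
ENROLLED: Dict[str, Template] = {
    "1001": (0.10, 0.20, 0.30),
    "1002": (0.40, 0.10, 0.80),
    "1003": (0.90, 0.70, 0.20),
    "1004": (0.25, 0.65, 0.45),
}

MATCH_THRESHOLD = 0.15  # assumed max distance still treated as a match


def distance(a: Template, b: Template) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


@dataclass
class MatchResult:
    matched_pin: Optional[str]  # PIN whose reference matched, or None
    comparisons: int            # how many templates were compared


def verify(pin: str, sample: Template, db=ENROLLED, threshold=MATCH_THRESHOLD) -> MatchResult:
    """One-to-one: the PIN selects a single reference, so exactly one comparison."""
    reference = db.get(pin)
    if reference is None:
        return MatchResult(None, 0)
    ok = distance(sample, reference) <= threshold
    return MatchResult(pin if ok else None, 1)


def identify(sample: Template, db=ENROLLED, threshold=MATCH_THRESHOLD) -> MatchResult:
    """One-to-many: every reference is compared, so cost grows with database size."""
    best_pin, best_dist, comparisons = None, None, 0
    for pin, reference in db.items():
        comparisons += 1
        d = distance(sample, reference)
        if d <= threshold and (best_dist is None or d < best_dist):
            best_pin, best_dist = pin, d
    return MatchResult(best_pin, comparisons)
```

Running `identify` against a database of N templates always costs N comparisons, whereas `verify` costs one regardless of N, which is the scaling difference the answers describe.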

130. From an access control effectiveness viewpoint, which of the following is represented when a user submits a combination of hardware token and a personal identification number (PIN) for authentication?

1. A weak form of two-factor authentication

2. A strong form of two-factor authentication

3. Supports physical access

4. Supports logical access

a. 1 only

b. 2 only

c. 1 and 3

d. 2 and 4

130. c. This combination represents something that you have (i.e., hardware token) and something that you know (i.e., PIN). The hardware token can be lost or stolen. Therefore, this is a weak form of two-factor authentication that can be used to support unattended access controls for physical access only. Logical access controls are software-based and as such do not support a hardware token.

131. From an access control effectiveness viewpoint, which of the following is represented when a user submits a combination of public key infrastructure (PKI) keys and a personal identification number (PIN) for authentication?

1. A weak form of two-factor authentication

2. A strong form of two-factor authentication

3. Supports physical access

4. Supports logical access

a. 1 only

b. 2 only

c. 1 and 3

d. 2 and 4

131. d. This combination represents something that you have (i.e., PKI keys) and something that you know (i.e., PIN). There is no hardware token to lose or steal. Therefore, this is a strong form of two-factor authentication that can be used to support logical access.

132. RuBAC is rule-based access control, ACL is access control list, IBAC is identity-based access control, DAC is discretionary access control, and MAC is mandatory access control. For identity management, which of the following equates the access control policies and decisions between the U.S. terminology and the international standards?

1. RuBAC = ACL

2. IBAC = ACL

3. IBAC = DAC

4. RuBAC = MAC

a. 1 only

b. 2 only