Peer-to-peer architecture, sometimes referred to as mutual authentication protocol, involves the direct communication of authentication information between the communicating entities (e.g., peer-to-peer or client host-to-server).
The architecture for trusted third-party (TTP) authentication uses a third entity, trusted by all entities, to provide authentication information. The amount of trust given to the third entity must be evaluated. Methods to establish and maintain a level of trust in a TTP include a certification practice statement (CPS), which establishes the rules, processes, and procedures that a certificate authority (CA) uses to ensure the integrity of the authentication process, and the use of secure protocols to interface with authentication servers. A TTP may provide authentication information in each instance of authentication, in real-time, or as a precursor to an exchange with a CA.
149. For password management, which of the following ensures password strength?
a. Passwords with maximum keyspace, shorter passphrases, low entropy, and simple passphrases
b. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases
c. Passwords with minimum keyspace, shorter passphrases, high entropy, and simple passphrases
d. Passwords with most likely keyspace, longer passphrases, low entropy, and complex passphrases
149. b. Password strength is determined by a password’s length and its complexity, which is determined by the unpredictability of its characters. Passwords based on predictable patterns may meet password complexity and length requirements, but they significantly reduce the effective keyspace because attackers are aware of these patterns. The ideal keyspace is a balanced one between maximum, most likely, and minimum scenarios. Simple and short passphrases have low entropy because they consist of concatenated dictionary words, which are easy to guess and attack. Therefore, passphrases should be complex and longer to provide high entropy. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases ensure password strength.
150. Regarding password management, which of the following enforces password strength requirements effectively?
a. Educate users on password strength.
b. Run a password cracker program to identify weak passwords.
c. Perform a cracking operation offline.
d. Use a password filter utility program.
150. d. One way to ensure password strength is to add a password filter utility program, which is specifically designed to verify that a password created by a user complies with the password policy. Adding a password filter is a more rigorous and proactive solution, whereas the other three choices are less rigorous and reactive solutions.
The password filter utility program is also referred to as a password complexity enforcement program.
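The points made in questions 149 and 150, as an added example that is not from the book: a small password filter that enforces length and character-class rules and then estimates entropy the way an attacker would, charging a dictionary word or keyboard run as a single pick from a known list rather than as random characters. The word list, keyboard runs, and policy thresholds are constructed for the example and taken from no standard.

```python
import math
import re

# Constructed toy word list and keyboard runs for this example; a production
# filter would load a large dictionary and a corpus of leaked passwords.
DICTIONARY = {"correct", "horse", "battery", "staple", "password", "summer",
              "welcome", "dragon", "letmein", "admin", "monkey"}
KEYBOARD_RUNS = {"qwerty", "asdfgh", "zxcvbn", "12345678", "1234", "abcd"}
KNOWN_PATTERNS = sorted(DICTIONARY | KEYBOARD_RUNS, key=len, reverse=True)  # longest first
# Hypothetical policy thresholds, not taken from any standard.
POLICY = {"min_length": 12, "min_classes": 3, "min_entropy_bits": 40}
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

def keyspace(password: str) -> int:
    """Alphabet size the password draws from (the maximum keyspace)."""
    return sum(size for pattern, size in CLASSES if re.search(pattern, password))

def char_classes(password: str) -> int:
    """Distinct character classes present (the complexity rule)."""
    return sum(1 for pattern, _ in CLASSES if re.search(pattern, password))

def effective_entropy_bits(password: str) -> float:
    """Entropy estimate that charges a dictionary word or keyboard run as one pick
    from a short list an attacker tries first, not as random characters, so
    concatenated dictionary words score low despite their length."""
    if not password:
        return 0.0
    per_char = math.log2(keyspace(password))
    per_pattern = math.log2(len(KNOWN_PATTERNS))
    lowered, bits, i = password.lower(), 0.0, 0
    while i < len(lowered):
        hit = next((p for p in KNOWN_PATTERNS if lowered.startswith(p, i)), None)
        if hit is None:
            bits, i = bits + per_char, i + 1
        else:
            bits, i = bits + per_pattern, i + len(hit)
    return bits

def check_password(password: str) -> list:
    """Return the policy violations; an empty list means the password complies."""
    violations = []
    if len(password) < POLICY["min_length"]:
        violations.append("too short")
    if char_classes(password) < POLICY["min_classes"]:
        violations.append("too few character classes")
    if effective_entropy_bits(password) < POLICY["min_entropy_bits"]:
        violations.append("low entropy")
    return violations
```

Note how "Qwerty1234!!" satisfies the length and complexity rules yet fails on entropy, which is exactly the pattern-based weakness the explanation to question 149 describes.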
151. Which of the following controls over telecommuting use tokens and/or one-time passwords?
a. Firewalls
b. Robust authentication
c. Port protection devices
d. Encryption
151. b. Robust authentication increases security in two significant ways. It can require the user to possess a token in addition to a password or personal identification number (PIN). Tokens, when used with PINs, provide significantly more security than passwords. For a hacker or other would-be impersonator to pretend to be someone else, the impersonator must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination. Robust authentication can also create one-time passwords. Electronic monitoring (eavesdropping or sniffing) or observing a user type in a password is not a threat with one-time passwords because each time a user is authenticated to the computer, a different “password” is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.)
Firewalls are incorrect because a firewall uses a secure gateway or series of gateways to block or filter access between two networks, often between a private network and a larger, more public network such as the Internet or a public-switched network (e.g., the telephone system). A firewall does not use tokens and passwords as much as robust authentication does.
A port protection device (PPD) is incorrect because it is fitted to a communications port of a host computer and authorizes access to the port itself, prior to and independent of the computer’s own access control functions. A PPD can be a separate device in the communications stream or may be incorporated into a communications device (e.g., a modem). PPDs typically require a separate authenticator, such as a password, to access the communications port. One of the most common PPDs is the dial-back modem. A PPD does not use tokens and passwords as much as robust authentication does.
Encryption is incorrect because it is more expensive than robust authentication. It is most useful if highly confidential data needs to be transmitted or if moderately confidential data is transmitted in a high-threat area. Encryption is most widely used to protect the confidentiality of data and its integrity (it detects changes to files). Encryption does not use tokens and passwords as much as robust authentication.
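The token-plus-PIN and one-time-password properties described in the explanation to question 151, as an added example that is not from the book. It models the token with an HMAC-based counter OTP (RFC 4226 HOTP, an assumption; the text names no algorithm) and shows that a code captured by eavesdropping is rejected on replay, and that the token alone, without the PIN, is not enough.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

class Token:
    """The user's hardware or software token: emits a fresh code on each press."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class Verifier:
    """Server side: requires the PIN and a code that has not yet been consumed."""
    def __init__(self, secret: bytes, pin: str, window: int = 3):
        self.secret, self.pin, self.window = secret, pin, window
        self.counter = 0  # lowest counter value still acceptable

    def authenticate(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False  # the token alone is not enough
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # burn this code and any earlier ones
                return True
        return False  # unknown, stale, or replayed code

def replay_demo() -> tuple:
    """Constructed scenario: the RFC 4226 test secret and a made-up PIN."""
    secret = b"12345678901234567890"
    token, verifier = Token(secret), Verifier(secret, pin="4821")
    captured = token.next_code()  # what an eavesdropper on the line would see
    first = verifier.authenticate("4821", captured)            # True: PIN + fresh code
    replay = verifier.authenticate("4821", captured)           # False: code already used
    no_pin = verifier.authenticate("0000", token.next_code())  # False: wrong PIN
    resync = verifier.authenticate("4821", token.next_code())  # True: drift within window
    return first, replay, no_pin, resync
```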
152. Which of the following statements about an access control system is not true?
a. It is typically enforced by a specific application.
b. It indicates what a specific user could have done.
c. It records failed attempts to perform sensitive actions.
d. It records failed attempts to access restricted data.
152. a. Some applications use access control (typically enforced by the operating system) to restrict access to certain types of information or application functions. This can be helpful to determine what a particular application user could have done. Some applications record information related to access control, such as failed attempts to perform sensitive actions or access restricted data.
153. What occurs in a man-in-the-middle (MitM) attack on an electronic authentication protocol?
1. An attacker poses as the verifier to the claimant.
2. An attacker poses as the claimant to the verifier.
3. An attacker poses as the CA to RA.
4. An attacker poses as the RA to CA.
a. 1 only
b. 3 only
c. 4 only
d. 1 and 2
153. d. In a man-in-the-middle (MitM) attack on an authentication protocol, the attacker interposes himself between the claimant and the verifier, posing as the verifier to the claimant and as the claimant to the verifier. The attacker thereby learns the value of the authentication token. The registration authority (RA) and the certification authority (CA) have no role in the MitM attack.
154. Which of the following is not a preventive measure against network intrusion attacks?
a. Firewalls
b. Auditing
c. System configuration
d. Intrusion detection system
154. b. Auditing is a detection activity, not a preventive measure. Examples of preventive measures to mitigate the risks of network intrusion attacks include firewalls, system configuration, and intrusion detection system.