
A salt is a nonsecret value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.

A seed is a starting value used to generate initialization vectors. A nonce is an identifier, a value, or a number used only once. Using a nonce as a challenge is a different requirement from using a random challenge, because a nonce is predictable.

A shim is a layer of host-based intrusion detection and prevention code placed between existing layers of code on a host that intercepts data and analyzes it.

19. In electronic authentication, using one token to gain access to a second token is called a:

a. Single-token, multifactor scheme

b. Single-token, single-factor scheme

c. Multitoken, multifactor scheme

d. Multistage authentication scheme

19. b. Using one token to gain access to a second token is considered a single token and a single factor scheme because all that is needed to gain access is the initial token. Therefore, when this scheme is used, the compound solution is only as strong as the token with the lowest assurance level. The other choices are incorrect because they are not applicable to the situation here.

20. As a part of centralized password management solutions, which of the following statements are true about password synchronization?

1. No centralized directory

2. No authentication server

3. Easier to implement than single sign-on technology

4. Less expensive than single sign-on technology

a. 1 and 3

b. 2 and 4

c. 3 and 4

d. 1, 2, 3, and 4

20. d. A password synchronization solution takes a password from a user and changes the passwords on other resources to be the same as that password. The user then authenticates directly to each resource using that password. There is no centralized directory and no authentication server performing authentication on behalf of the resources. The primary benefit of password synchronization is that it reduces the number of passwords that users need to remember; this may permit users to select stronger passwords and remember them more easily. Unlike single sign-on (SSO) technology, password synchronization does not reduce the number of times that users need to authenticate. Password synchronization solutions are typically easier, less expensive, and less secure to implement than SSO technologies.

21. As a part of centralized password management solutions, password synchronization becomes a single point-of-failure due to which of the following?

a. It uses the same password for many resources.

b. It can enable an attacker to compromise a low-security resource to gain access to a high-security resource.

c. It uses the lowest common denominator approach to password strength.

d. It can lead passwords to become unsynchronized.

21. a. All four choices are problems with a password synchronization solution. Because the same password is used for many resources, the compromise of any one instance of the password compromises all the instances, thereby becoming a single point-of-failure. Password synchronization forces the use of the lowest common denominator approach to password strength, resulting in weaker passwords due to character and length constraints. Passwords can become unsynchronized when a user changes a resource password directly with that resource instead of going through the password synchronization user interface. A password could also be changed due to a resource failure that requires restoration of a backup.

22. RuBAC is rule-based access control; RAdAC is risk adaptive access control; UDAC is user-directed access control; MAC is mandatory access control; ABAC is attribute-based access control; RBAC is role-based access control; IBAC is identity-based access control; and PBAC is policy-based access control. From an access control viewpoint, separation of domains is achieved through which of the following?

a. RuBAC or RAdAC

b. UDAC or MAC

c. ABAC or RBAC

d. IBAC or PBAC

22. c. Access control policy may benefit from separating Web services into various domains or compartments. This separation can be implemented in ABAC using resource attributes or through additional roles defined in RBAC. The other three choices cannot handle separation of domains.

23. Regarding local administrator password selection, which of the following can become a single point-of-failure?

a. Using the same local root account password across systems

b. Using built-in root accounts

c. Storing local passwords on the local system

d. Authenticating local passwords on the local system

23. a. Having a common password shared among all local administrator or root accounts on all machines within a network simplifies system maintenance, but it is a widespread security weakness, becoming a single point-of-failure. If a single machine is compromised, an attacker may recover the password and use it to gain access to all other machines that use the shared password. Therefore, it is good to avoid using the same local administrator or root account passwords across many systems. The other three choices, although risky in their own way, do not yield a single point-of-failure.

24. In electronic authentication, which of the following statements is not true about a multistage token scheme?

a. An additional token is used for electronic transaction receipt.

b. Multistage scheme assurance is higher than the multitoken scheme assurance using the same set of tokens.

c. An additional token is used as a confirmation mechanism.

d. Two tokens are used in two stages to raise the assurance level.

24. b. In a multistage token scheme, two tokens are used in two stages, and additional tokens are used as a transaction receipt and as a confirmation mechanism to achieve the required assurance level. The level of assurance of the combination of the two stages can be no higher than that possible through a multitoken authentication scheme using the same set of tokens.

25. Online guessing is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the online guessing threat?

a. Use tokens that generate high entropy authenticators.

b. Use hardware cryptographic tokens.

c. Use tokens with dynamic authenticators.

d. Use multifactor tokens.

25. a. Entropy is the uncertainty of a random variable. Tokens that generate high entropy authenticators prevent online guessing of secret tokens registered to a legitimate claimant and offline cracking of tokens. The other three choices cannot prevent online guessing of tokens or passwords.
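The entropy point above, as an added example that is not part of the original text: a small Python script (function names and the PIN frequency table are constructed for illustration) contrasting a uniformly random authenticator with a user-chosen one against an attacker limited to a few online guesses before lockout.

```python
import math

def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of an authenticator drawn uniformly from alphabet_size**length values."""
    return length * math.log2(alphabet_size)

def min_entropy_bits(freqs: dict) -> float:
    """Min-entropy of a skewed distribution: set by the single most likely value,
    which is exactly the value an online guesser tries first."""
    total = sum(freqs.values())
    return -math.log2(max(freqs.values()) / total)

def uniform_online_guess_success(alphabet_size: int, length: int, attempts: int) -> float:
    """Probability that `attempts` online guesses hit a uniformly random authenticator."""
    return min(1.0, attempts / alphabet_size ** length)

def skewed_online_guess_success(freqs: dict, attempts: int) -> float:
    """Best an attacker can do with `attempts` guesses: try the most common values first."""
    total = sum(freqs.values())
    top = sorted(freqs.values(), reverse=True)[:attempts]
    return sum(top) / total

# Constructed (hypothetical) frequency table of user-chosen 4-digit PINs: three popular
# values dominate and twenty others appear once each, 100 observations in total.
USER_CHOSEN_PINS = {"1234": 50, "0000": 20, "1111": 10}
USER_CHOSEN_PINS.update({f"{n:04d}": 1 for n in range(2000, 2020)})

if __name__ == "__main__":
    attempts = 3  # e.g. account lockout after three failed attempts
    print(f"uniform 4-digit PIN:  {uniform_entropy_bits(10, 4):.1f} bits, "
          f"p(success in {attempts} guesses) = {uniform_online_guess_success(10, 4, attempts):.4f}")
    print(f"user-chosen PINs:     {min_entropy_bits(USER_CHOSEN_PINS):.1f} bits min-entropy, "
          f"p(success in {attempts} guesses) = {skewed_online_guess_success(USER_CHOSEN_PINS, attempts):.2f}")
    print(f"20-byte random token: {uniform_entropy_bits(256, 20):.0f} bits, "
          f"p(success in {attempts} guesses) = {uniform_online_guess_success(256, 20, attempts):.2e}")
```

The same nominal length gives an 80 percent hit rate in three guesses for the skewed table but 0.03 percent for a uniformly generated PIN, which is why a token that generates high-entropy authenticators, rather than a user-chosen secret, is the countermeasure to online guessing.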

26. Token duplication is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the token duplication threat?

a. Use tokens that generate high entropy authenticators.