Chapter3

Question 1

RFC 4949 describe user authentication as:

Answer 1

The process of verifying an identity claimed by or for a system entity

Question 2

Authentication Process

Answer 2

• Fundamental building block and primary line of defense

- Basis of access control and user accountability

Question 3

Step of authentication process:

Answer 3

• Identification Step

- Verification Step

Question 4

Identification Step

Answer 4

• Presenting an identifier to the security system

Question 5

Verification Step

Answer 5

• Presenting or generating authentication information that corroborates the binding between the entity and the identifier

Question 6

The four means of authenticating user identity are based on:

Answer 6

• Something the individual knows
• Something the individual possess
• Something the individual is (Static Biometrics)
• Something the individual does (Dynamic Biometrics)

Question 7

3 separated concepts for Risk assessment for user authentication

Answer 7

• Assurance Level
• Potential impact
• Areas of risk

Question 8

Assurance level

Answer 8

Describes n organization’s degree of certainty that a user has presented a credential that refers to his or her identity.

Question 9

Levels of Potential Impact

Answer 9

• low
• moderate
• High

Question 10

Password Authentication

Answer 10

• Widely used line of defense against intruders

Question 11

The User ID:

Answer 11

• Determines that the user is authorized to access the system.
• Determines the user’s privileges
• Is used in discretionary access control

Question 12

Password Vulnerabilities:

Answer 12

• Offline dictionary attack
• Specific account attack
• Password guessing against single user
• Popular password attack
• Workstation Hijacking
• Exploiting user mistakes
• electronic monitoring
• exploiting multiple password use

Question 13

Unix Implementation Original Scheme

Answer 13

• Up to 8 printable characters in length
• 12-bit salt used to modify DES encryption into a one- way hash function
• zero value repeatedly encrypted 25 times
• output translated to 11 character sequence

Question 14

Down side of original unix implementation

Answer 14

• now regarded as inadequate.

Question 15

Improved Unix implementatio

Answer 15

• much stronger hash/salt schemes
• OpenBSD uses Blowfish block cipher based hash algorithm call Bcrypt
• Recommended hash function is based on MD5

Question 16

Password Cracking

Answer 16

• Dictionary attacks
• Rainbow table attacks
• Password crackers exploit the fact that people chooses easily guessable passwords
• John the Ripper

Question 17

Password File Access Control

Answer 17

• Can block offline guessing attacks by denying access to encrypted passwords
• Make available only to privileged users
• Shadows password file

Question 18

Vulnerabilities in Password File Access Control

Answer 18

• Weakness in the OS
• Accident with permissions
• users with same password on other systems
• access from backup media
• sniff passwords in network traffick

Question 19

Password Selection Strategies:

Answer 19

• User Education
• Computer generate passwords
• reactive password checking
• complex password policy

Question 20

Proactive Password Checking

Answer 20

• Password Cracker
• Rule of enforcement
• Bloom Filter