Domain 5: Authentication Methods

Question 1

• Authentication method
• Testing the subject with some sort of challenge and response where the subject must respond with a knowledgeable answer
• i.e. password or PIN

Answer 1

Type 1 Authentication: Something You Know

Question 2

• Type of Password
• Reusable passwords that may or may not expire
• Typically user-generated

Answer 2

Static Passwords

Question 3

• Type of Password
• Long passwords comprised of words in a phrase or sentence
• i.e. “I will pass the CISSP”

Answer 3

Passphrases

Question 4

• Type of Password

- Authentication that is only valid for one-time use

Answer 4

One-time Passwords

Question 5

• Type of Password
• Authentication that changes at regular intervals
• i.e. RSA security token

Answer 5

Dynamic Passwords

Question 6

• The process of trying to predict a password in order to authenticate while online
• Account lockouts is a prevention

Answer 6

Password guessing

Question 7

Attacker has gained access to the password hashes or database and compares the output to a desired hash hoping to find a match therefore deriving the original password

Answer 7

Password Cracking

Question 8

• Password Attack
• Uses a word list each of which is hashed
• Cracking software matches hash output to the password hash; if a match we‘ve identified the password

Answer 8

Dictionary Attack

Question 9

• Password Attack
• Appends, prepends, or changes characters in words from a dictionary before hashing in order to attempt the fastest crack of complex password

Answer 9

Hybrid Attack

Question 10

• Password Attack

- Attacker calculates the hash outputs for every possible password.

Answer 10

Brute-Force Attacks

Question 11

Database that contains the precomputed hashed output for most of all possible passwords

Answer 11

Rainbow table

Question 12

• Random value added to the plaintext password before hashing
• Adds complexity to hashed password stored in database
• Protects against rainbow attacks

Answer 12

Salt

Question 13

• Authentication method
• Requires that users possess something
• i.e. token

Answer 13

Type 2 Authentication: Something You Have

Question 14

• Time-based and synchronized with an authentication server (AS).
• New password generated periodically (i.e. every 60 secs)
• Does require the token and the server to have accurate time

Answer 14

Synchronous Dynamic Passwords

Question 15

• Creates a dynamic one time password that stays the same until used for authentication
• Hardware token generates passwords based on an algorithm and an incrementing counter
• Does not use a clock

Answer 15

Asynchronous Dynamic Passwords

Question 16

• Authentication method
• Uses a physical characteristics as a means of identification or authentication
• i.e. facial recognition system or fingerprint

Answer 16

Type 3 Authentication: Something You Are

Question 17

The process of registering with the biometric system

Answer 17

Biometric Enrollment

Question 18

• The process of authenticating to a biometric system

- Typically 6-10 secs

Answer 18

Throughput

Question 19

• Occurs when an authorized subject is rejected by the biometric system as unauthorized
• Type I error

Answer 19

False Rejection Rate

Question 20

• Occurs when an unauthorized subject is accepted as valid

- Type II error

Answer 20

False Acceptance Rate

Question 21

• The point where False Rejection Rate and False Acceptance Rate are equal
• Describes the overall accuracy of a biometric system
• AKA Equal Error Rate (EER)

Answer 21

Crossover Error Rate

Question 22

Most widely used biometric control

Answer 22

Fingerprints

Question 23

Includes specific details of fingerprint friction ridges like whorls, ridges and bifurcation

Answer 23

Minutiae

Question 24

• Laser scan of capillaries that feed the back of the eye
• This biometric control raises privacy concerns because conditions such as pregnancy and diabetes can be determined
• Rarely used

Answer 24

Retina scan

Question 25

• Camera takes a picture of the colored portion of the eye and then compares photos within the authentication database
• Scan even works if person is wearing contact lenses or glasses
• This is unique on every person, including twins

Answer 25

Iris scan

Question 26

• Biometric control

- Takes measurements from specific points on a subject’s hand

Answer 26

Hand Geometry

Question 27

• Biometric control

- Refers to how hard a person presses each key and the rhythm in which the keys are pressed.

Answer 27

Keyboard Dynamics

Question 28

• Biometric control

- Measures the process by which someone signs his/her name

Answer 28

Dynamic Signatures

Question 29

• Biometric control

- Measures the subject’s tone of voice while stating a specific sentence or phrase

Answer 29

Voiceprint

Question 30

• Biometric control

- Process of taking a picture of a subjects face and comparing that picture to a list stored in a database

Answer 30

Facial scan

Question 31

• Describes location-based access control using technologies
• i.e. GPS, IP address-based geolocation

Answer 31

Someplace You Are

Question 32

• OASIS standard typically used to define access control policies i.e. attribute-based or role-based
• Most commonly used by software-define-networking systems

Answer 32

Extensible Access Control Markup Language (XACML)

Question 33

• Used for federated identity SSO

- Based on DSML, which is used to present LDAP info in XML format

Answer 33

Security Provisioning Markup Language (SPML)

Question 34

• Large constant value added to the plaintext password before hashing
• Value is stored somewhere outside the database holding the hashed passwords

Answer 34

Pepper

Question 35

What are some algorithms that add a salt to a password and repeat the hashing function many times?

Answer 35

bcrypt

Password-Based Key Derivation Function 2 (PBKDF2)

Question 36

• Type 3 authentication factor

- Behavioral biometrics i.e. signature and keystroke dynamics

Answer 36

Something-you-do

Question 37

• ID or badge that has an integrated circuit chip embedded in it
• Certificate inside microprocessor can be used for authentication, to encrypt data, digitally sign email and etc…

Answer 37

Smartcard

Question 38

Card that holds authentication information for a user

Answer 38

Memory card

Question 39

Authentication method that uses situational info (i.e. identity, geolocation, geofence, time of day, type of device) to determine who can access a network

Answer 39

Context-Aware authentication

Question 40

Virtual perimeter identifying the location of the building and can identify when a user is in the building

Answer 40

Geofence

Question 41

Series of challenge questions about facts or predefined response that only the subject should know

Answer 41

Cognitive Passwords

Question 42

• Worn smartcards by personnel within the US government

- Users wear them while walking around and insert them into card readers at their computer when logging on

Answer 42

Common Access Cards (CACs)

Personal Identity Verification (PIV)

Question 43

• Standard to create one time passwords
• Typically creates values of six to 8 numbers
• Values remain valid until used

Answer 43

HMAC-based One-Time Password (HOTP)

Question 44

• Standard to create one time passwords
• Uses a timestamp and remains valid for a certain timeframe (i.e. 30 secs)
• Password expires if user does not use within timeframe

Answer 44

Time-based One-Time Password

Question 45

• Biometric control

- Use near-infrared light to measure vein patterns in the palm, which are as unique as fingerprints

Answer 45

Palm scanners

Question 46

• Biometric control

- Ensures that a real person is providing the biometric factor

Answer 46

Heart/Pulse Patterns

Question 47

Database where users biometric data is stored

Answer 47

Reference profile