M3: User authentication, IAM - C.3 & C.5

Question 1

What is the main purpose of user authentication?

M3: User authentication, IAM - C.3 & C.5

Answer 1

To verify an asserted identity using supporting evidence.

Question 2

What is the difference between authentication and identification?

M3: User authentication, IAM - C.3 & C.5

Answer 2

Authentication verifies an asserted identity, while identification finds an identity from available information.

Question 3

Why are passwords still widely used despite their weaknesses?

M3: User authentication, IAM - C.3 & C.5

Answer 3

They are simple, easy to learn, free, and require no extra hardware.

Question 4

What is a pre-computed dictionary attack?

M3: User authentication, IAM - C.3 & C.5

Answer 4

An attack where an attacker uses a pre-made list of hashed passwords to find matches in a stolen password file.

Question 5

How does storing password hashes improve security?

M3: User authentication, IAM - C.3 & C.5

Answer 5

It prevents direct exposure of passwords if the password file is stolen.

Question 6

What is password salting?

M3: User authentication, IAM - C.3 & C.5

Answer 6

Adding a random value to a password before hashing to make dictionary attacks harder.

Question 7

What is iterated hashing (password stretching)?

M3: User authentication, IAM - C.3 & C.5

Answer 7

Hashing a password multiple times to slow down offline guessing attacks.

Question 8

What is a pepper in password security?

M3: User authentication, IAM - C.3 & C.5

Answer 8

A secret salt not stored with the password, used to further slow down attacks.

Question 9

What are the disadvantages of passwords?

M3: User authentication, IAM - C.3 & C.5

Answer 9

They can be hard to remember, vulnerable to various attacks, and require frequent changes.

Question 10

What is an online password guessing attack?

M3: User authentication, IAM - C.3 & C.5

Answer 10

An attack where guesses are sent to the legitimate server to find the correct password.

Question 11

What is an offline password guessing attack?

M3: User authentication, IAM - C.3 & C.5

Answer 11

An attack where the attacker uses a stolen password hash file to guess passwords without contacting the server.

Question 12

What is a one-time password (OTP)?

M3: User authentication, IAM - C.3 & C.5

Answer 12

A password that is valid for only one use, improving security against replay attacks.

Question 13

How do SIM swap attacks work?

M3: User authentication, IAM - C.3 & C.5

Answer 13

Attackers trick a mobile provider into transferring a victim’s number to a new SIM card to intercept OTPs.

Question 14

What are secret questions used for?

M3: User authentication, IAM - C.3 & C.5

Answer 14

To recover access to accounts when passwords are forgotten.

Question 15

Why are secret questions considered weak for security?

M3: User authentication, IAM - C.3 & C.5

Answer 15

Answers are often easy to guess or find out, making them less secure than passwords.

Question 16

What was the main security concern with early time-sharing systems?

M3: User authentication, IAM - C.3 & C.5

Answer 16

Preventing one process from writing into another’s memory.

Question 17

What is a descriptor register used for in memory protection?

M3: User authentication, IAM - C.3 & C.5

Answer 17

It constrains the addresses a process can access.

Question 18

What does the privileged bit do?

M3: User authentication, IAM - C.3 & C.5

Answer 18

It allows only the supervisor code to load the descriptor register.

Question 19

Why is finer-grained memory control desirable?

M3: User authentication, IAM - C.3 & C.5

Answer 19

To allow separate read, write, and execute permissions for different memory regions.

Question 20

What is a memory segment in the context of access permissions?

M3: User authentication, IAM - C.3 & C.5

Answer 20

A continuous block of words representing a logical unit of information.

Question 21

What is the role of a User ID (UID) in operating systems?

M3: User authentication, IAM - C.3 & C.5

Answer 21

It identifies the principal accountable for a process and grants access privileges.

Question 22

What is the reference monitor concept?

M3: User authentication, IAM - C.3 & C.5

Answer 22

A model ensuring all access requests are validated against a list of authorized types of reference.

Question 23

What is an access matrix?

M3: User authentication, IAM - C.3 & C.5

Answer 23

A model that defines authorized access permissions for each subject-object pair in a system.

Question 24

What are the three requirements for a reference validation mechanism?

M3: User authentication, IAM - C.3 & C.5

Answer 24

It must be
* tamper-proof,
* always invoked
* verifiable.

Question 25

What is a capability list (C-list)?

M3: User authentication, IAM - C.3 & C.5

Answer 25

A list detailing all access privileges a subject holds.

Question 26

What is an access control list (ACL)?

M3: User authentication, IAM - C.3 & C.5

Answer 26

A list specifying permitted access modes on an object by different subjects.

Question 27

What does the setuid bit do for executable files?

M3: User authentication, IAM - C.3 & C.5

Answer 27

It allows a process to run with the file owner’s privileges.

Question 28

What is the difference between real UID and effective UID?

M3: User authentication, IAM - C.3 & C.5

Answer 28

Real UID denotes the process owner, while effective UID determines access privileges.

Question 29

What are the LAT bits for directory permissions?

M3: User authentication, IAM - C.3 & C.5

Answer 29

Permissions for directories.
* List
* Alter
* Traverse

Question 30

What is the purpose of the setgid bit for directory files?

M3: User authentication, IAM - C.3 & C.5

Answer 30

It allows files created within the directory to inherit the directory’s group ID.