M3: User authentication, IAM - C.3 & C.5 Flashcards
What is the main purpose of user authentication?
To verify an asserted identity using supporting evidence.
What is the difference between authentication and identification?
Authentication verifies an asserted identity, while identification finds an identity from available information.
Why are passwords still widely used despite their weaknesses?
They are simple, easy to learn, free, and require no extra hardware.
What is a pre-computed dictionary attack?
An attack where an attacker uses a pre-made list of hashed passwords to find matches in a stolen password file.
How does storing password hashes improve security?
It prevents direct exposure of passwords if the password file is stolen.
What is password salting?
Adding a random value to a password before hashing to make dictionary attacks harder.
What is iterated hashing (password stretching)?
Hashing a password multiple times to slow down offline guessing attacks.
What is a pepper in password security?
A secret salt not stored with the password, used to further slow down attacks.
What are the disadvantages of passwords?
They can be hard to remember, vulnerable to various attacks, and require frequent changes.
What is an online password guessing attack?
An attack where guesses are sent to the legitimate server to find the correct password.
What is an offline password guessing attack?
An attack where the attacker uses a stolen password hash file to guess passwords without contacting the server.
What is a one-time password (OTP)?
A password that is valid for only one use, improving security against replay attacks.
How do SIM swap attacks work?
Attackers trick a mobile provider into transferring a victim’s number to a new SIM card to intercept OTPs.
What are secret questions used for?
To recover access to accounts when passwords are forgotten.
Why are secret questions considered weak for security?
Answers are often easy to guess or find out, making them less secure than passwords.
What was the main security concern with early time-sharing systems?
Preventing one process from writing into another’s memory.
What is a descriptor register used for in memory protection?
It constrains the addresses a process can access.
What does the privileged bit do?
It allows only the supervisor code to load the descriptor register.
Why is finer-grained memory control desirable?
To allow separate read, write, and execute permissions for different memory regions.
What is a memory segment in the context of access permissions?
A continuous block of words representing a logical unit of information.
What is the role of a User ID (UID) in operating systems?
It identifies the principal accountable for a process and grants access privileges.
What is the reference monitor concept?
A model ensuring all access requests are validated against a list of authorized types of reference.
What is an access matrix?
A model that defines authorized access permissions for each subject-object pair in a system.
What are the three requirements for a reference validation mechanism?
It must be:
* tamper-proof,
* always invoked,
* verifiable.
What is a capability list (C-list)?
A list detailing all access privileges a subject holds.
What is an access control list (ACL)?
A list specifying permitted access modes on an object by different subjects.
What does the setuid bit do for executable files?
It allows a process to run with the file owner’s privileges.
What is the difference between real UID and effective UID?
Real UID denotes the process owner, while effective UID determines access privileges.
What are the LAT bits for directory permissions?
Permissions for directories:
* List
* Alter
* Traverse
What is the purpose of the setgid bit for directory files?
It allows files created within the directory to inherit the directory’s group ID.