M3: User authentication, IAM - C.3 & C.5 Flashcards
What is the main purpose of user authentication?
To verify an asserted identity using supporting evidence.
What is the difference between authentication and identification?
Authentication verifies an asserted identity, while identification finds an identity from available information.
Why are passwords still widely used despite their weaknesses?
They are simple, easy to learn, free, and require no extra hardware.
What is a pre-computed dictionary attack?
An attack where an attacker uses a pre-made list of hashed passwords to find matches in a stolen password file.
How does storing password hashes improve security?
It prevents direct exposure of passwords if the password file is stolen.
What is password salting?
Adding a random value to a password before hashing to make dictionary attacks harder.
What is iterated hashing (password stretching)?
Hashing a password multiple times to slow down offline guessing attacks.
What is a pepper in password security?
A secret salt not stored with the password, used to further slow down attacks.
What are the disadvantages of passwords?
They can be hard to remember, vulnerable to various attacks, and require frequent changes.
What is an online password guessing attack?
An attack where guesses are sent to the legitimate server to find the correct password.
What is an offline password guessing attack?
An attack where the attacker uses a stolen password hash file to guess passwords without contacting the server.
What is a one-time password (OTP)?
A password that is valid for only one use, improving security against replay attacks.
How do SIM swap attacks work?
Attackers trick a mobile provider into transferring a victim’s number to a new SIM card to intercept OTPs.
What are secret questions used for?
To recover access to accounts when passwords are forgotten.
Why are secret questions considered weak for security?
Answers are often easy to guess or find out, making them less secure than passwords.
What was the main security concern with early time-sharing systems?
Preventing one process from writing into another’s memory.
What is a descriptor register used for in memory protection?
It constrains the addresses a process can access.
What does the privileged bit do?
It allows only the supervisor code to load the descriptor register.
Why is finer-grained memory control desirable?
To allow separate read, write, and execute permissions for different memory regions.
What is a memory segment in the context of access permissions?
A contiguous block of words representing a logical unit of information.
What is the role of a User ID (UID) in operating systems?
It identifies the principal accountable for a process and grants access privileges.
What is the reference monitor concept?
A model ensuring all access requests are validated against a list of authorized types of reference.
What is an access matrix?
A model that defines authorized access permissions for each subject-object pair in a system.
What are the three requirements for a reference validation mechanism?
It must be:
* tamper-proof,
* always invoked,
* verifiable.
What is a capability list (C-list)?
A list detailing all access privileges a subject holds.
What is an access control list (ACL)?
A list specifying permitted access modes on an object by different subjects.
What does the setuid bit do for executable files?
It allows a process to run with the file owner’s privileges.
What is the difference between real UID and effective UID?
Real UID denotes the process owner, while effective UID determines access privileges.
What are the LAT bits for directory permissions?
Permissions for directories:
* List
* Alter
* Traverse
What is the purpose of the setgid bit for directory files?
It allows files created within the directory to inherit the directory’s group ID.