Sec+ Chp 6-10 Flashcards
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
How does a subject go about obtaining a certificate from a CA?
In most cases, the subject generates a key pair, then places the public key along with the subject information and the certificate type in a certificate signing request (CSR), signs the CSR with the corresponding private key (proving possession of it), and submits it to the CA. The private key stays with the subject and is never sent to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity period, signs it with the CA's private key, and transmits it to the subject.
What cryptographic information is stored in a digital certificate?
The subject's public key, the public key algorithm (RSA, ECDSA, and so on), and the signature algorithm (the hash and signing algorithm the issuer used). The certificate also stores the issuing CA's digital signature over the certificate contents; verifying that signature with the CA's public key is what establishes the chain of trust.
What does it mean if a certificate extension attribute is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate.
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) field, which can list several DNS names (and IP addresses). Modern clients match the requested host name against the SAN entries and ignore the common name (CN) when a SAN is present. A wildcard entry such as *.example.com matches any single subdomain label (www.example.com) but not multiple labels (a.b.example.com) and not the bare domain (example.com).
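The matching rule behind that flashcard, as an added example that is not part of the original page: a small checker that compares a requested host name against a certificate's SAN dNSName entries, honouring a wildcard only as the whole leftmost label and for exactly one label (the single-label rule of RFC 6125; partial wildcards such as w*.example.com are rejected here, which is what browsers do). The SAN list at the bottom is constructed sample data, not taken from any real certificate.

```python
# Added example: host-name matching against SAN dNSName entries.
# Constructed sample data; not code from the flashcards.

def hostname_matches_san(hostname, san_dns_names):
    """True if `hostname` matches one of the SAN dNSName entries.

    Rules applied (strict reading of RFC 6125 as mainstream browsers do):
      - comparison is case-insensitive and ignores a trailing dot;
      - a wildcard is only honoured as the entire leftmost label;
      - a wildcard matches exactly one label, never zero or several;
      - a wildcard directly under a public suffix ("*.com") is refused.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue                      # wildcard covers exactly one label
        if any("*" in p for p in pat[1:]) or (pat[0] != "*" and "*" in pat[0]):
            continue                      # only a whole-label leftmost wildcard
        if pat[0] == "*" and len(pat) < 3:
            continue                      # "*.com" is not an acceptable identifier
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


# Constructed SAN list for a hypothetical certificate (assumption, not real data).
SAMPLE_SAN = ["www.example.com", "api.example.com", "*.dev.example.com"]


def demo():
    """Return which of a few host names the sample SAN would cover."""
    hosts = ["www.example.com", "WWW.example.com.", "build.dev.example.com",
             "a.b.dev.example.com", "dev.example.com", "example.com"]
    return {h: hostname_matches_san(h, SAMPLE_SAN) for h in hosts}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:25s} {'match' if ok else 'NO MATCH'}")
```

The point a practitioner should take from it: *.dev.example.com covers build.dev.example.com, but neither a.b.dev.example.com nor dev.example.com itself, so a wildcard certificate is not a blanket replacement for listing every name you serve.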
What are the potential consequences if a company loses control of a private key?
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data without authorization. The key could also be used to impersonate a user or computer account, or to sign code or documents in the owner's name. The certificate should be revoked as soon as the loss is discovered.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer's backups with your company as a third party, so the data can still be recovered if the customer loses the key. The risk is that an insider at your company could use the escrowed key to decrypt the customer's backups. This risk can be mitigated by requiring M-of-N access to the escrow keys (for example, any 3 of 5 named custodians must cooperate to recover a key), which reduces the risk from a single rogue administrator.
What mechanism informs clients about suspended or revoked keys?
Either a published Certificate Revocation List (CRL), which the client downloads and checks against the certificate's serial number, or an Online Certificate Status Protocol (OCSP) responder, which the client queries for the status of a single certificate. With OCSP stapling, the server itself fetches a signed, time-stamped OCSP response and includes it in the TLS handshake, so the client does not have to contact the responder. Note that many clients treat an unreachable CRL or OCSP responder as a soft failure and proceed anyway.
What mechanism does HPKP implement?
HTTP Public Key Pinning (HPKP) lets a web server send a Public-Key-Pins HTTP header listing hashes of one or more public keys (its own, or a CA key in its chain) together with a max-age. The browser caches these pins and, on later HTTPS connections to that host, rejects any certificate chain that does not contain a pinned key, even if the chain is otherwise valid. This defends against certificates mis-issued by a compromised or rogue CA. HPKP applies only to HTTPS, not to code signing. It has since been deprecated and removed from mainstream browsers, because a lost key or a mistaken pin locks legitimate users out of the site for the pin lifetime; certificate transparency, and static key pinning built into client applications, are the usual replacements.
What type of certificate format can be used if you want to transfer your private key and certificate from one Windows host computer to another?
PKCS #12 / .PFX / .P12.
What type of operation is being performed by the following command?
openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem
This generates a new 2048-bit RSA key pair (-new -newkey rsa:2048), writes the private key to mykey.pem (-keyout) and writes a certificate signing request for the corresponding public key to my.csr (-out). The -nodes option means "no DES": the private key file is written unencrypted, without a passphrase, which is convenient for unattended servers but means the file itself must be protected by file system permissions. OpenSSL prompts for the subject fields (country, organization, common name, and so on) unless they are supplied with -subj; SAN entries must be added separately, for example with -addext.
What is the difference between authorization and authentication?
Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource; authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who they say they are. Authentication always comes first: a system cannot decide what an account may do until it knows who is using it.
What steps should be taken to enroll a new employee on a domain network?
Perform checks to confirm the user’s identity, issue authentication credentials securely, assign appropriate permissions/privileges to the account, and ensure accounting mechanisms to audit the user’s activity.
True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.
False—Three-factor authentication also includes a biometric-, behavioral-, or location-based element. The password and PIN elements are the same factor (something you know).
What methods can be used to implement location-based authentication?
You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
Why might a PIN be a particularly weak type of something you know authentication?
A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.
In what scenario would PAP be considered a secure authentication method?
PAP is a legacy protocol that cannot be considered secure on its own because it transmits the password as plaintext ASCII and has no cryptographic protection. The only way to use PAP safely is to ensure that the endpoints establish a secure tunnel first (using IPsec or TLS, for instance), so that the plaintext exchange is encrypted in transit.
True or false? In order to create a service ticket, Kerberos passes the user’s password to the target application server for authentication.
False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user’s account details (SID) to the target application for authorization (allocation of permissions), not authentication.
A user maintains a list of commonly used passwords in a file located deep within the computer’s directory structure. Is this secure password management?
No. This is security by obscurity. The file could probably be easily discovered using search tools.
Which property of a plaintext password is most effective at defeating a brute-force attack?
The length of the password, because each extra character multiplies the number of candidates a brute-force attack has to try. If the password has no complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the mechanism used to hash the password is faulty: LM hashes are the classic example, since they uppercase the password and split it into two 7-character halves that are hashed independently, so a 14-character password costs only about twice as much to crack as a 7-character one.
True or false? When implementing smart card logon, the user’s private key is stored on the smart card.
True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material. The private key is generated on the card and cannot be exported; the card performs the signing operation that proves possession of the key, typically only after the user has entered the card PIN.
You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?
A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface than a general-purpose server. It is designed to be tamper-evident and tamper-resistant, to mitigate insider threats, and keys generated inside it are never exposed in the clear outside the device. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.
Which network access control framework supports smart cards?
Local logon providers, such as Kerberos, support smart cards, but this is not network access control, as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocol (EAP) credentials but block any other type of network access. They act as a pass-thru for an authentication server, which stores and validates the credentials. Some EAP types (EAP-TLS, for example) support smart card or machine certificate authentication.
What is a RADIUS client?
A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-thru to an AAA server.
What is EAPoL?
A network access server that supports 802.1X port-based access control can enable a port but allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic on it. This allows the supplicant and the authentication server to perform the authentication process, with the network access server acting as a pass-thru, before the port is opened for ordinary traffic.
How does OTP protect against password guessing or sniffing attacks?
A one-time password mechanism generates a code that is valid only for a short period (typically a 30- or 60-second time step) or for a single use, after which it changes. A code captured by sniffing is therefore useless once the step has passed or the code has been consumed, and a guessed code must fall within the current window, so rate-limiting attempts still matters.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rates (the false acceptance rate, FAR, and the false rejection rate, FRR, and the crossover error rate where the two are equal, which is the usual single figure for comparing systems), throughput (how long each recognition takes), and whether users will accept the technology or reject it as too intrusive or threatening to privacy. Tightening the match threshold lowers FAR at the cost of a higher FRR, so the operating point is a business decision, not just a vendor figure.
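How those error rates are derived from matcher scores, as an added example that is not part of the original page: each comparison produces a similarity score, and a threshold decides acceptance, so FAR is the share of impostor comparisons scoring at or above the threshold and FRR the share of genuine comparisons scoring below it. The two score lists are constructed sample data for illustration, not measurements of any real product.

```python
# Added example: FAR, FRR and crossover error rate from matcher scores.
# Not code from the flashcards; GENUINE and IMPOSTOR are constructed data.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.72, 0.66, 0.60]   # same person
IMPOSTOR = [0.12, 0.20, 0.31, 0.38, 0.45, 0.52, 0.58, 0.63, 0.70, 0.74]  # other people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a match is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # genuine users refused
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold (among observed scores) where FAR and FRR are closest, and
    the error rate there (the crossover/equal error rate).

    A lower crossover rate means a better matcher; the operator then moves the
    threshold up from it for security (lower FAR) or down for convenience
    (lower FRR).
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, rate = best
    return t, rate


def trade_off_table(thresholds=(0.5, 0.6, 0.7, 0.8, 0.9)):
    """(threshold, FAR, FRR) rows showing the security/convenience trade-off."""
    return [(t, *error_rates(t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in trade_off_table():
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("crossover (threshold, rate):", crossover())
```

With this data the crossover sits at a threshold of 0.70 with 20% error either way; raising the threshold to 0.80 drives FAR to zero but turns away half the genuine attempts, which is the throughput and user-acceptance cost the flashcard refers to.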
How is a fingerprint reader typically implemented as hardware?
As a capacitive cell.
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris scans are simpler. The iris pattern can be captured by a camera from a comfortable distance, whereas a retinal scan needs the user to position the eye close to an infrared scanner that images the blood vessels at the back of the eye, which is slower and which many users find intrusive.
What two ways can biometric technologies be used other than for logon authentication?
For identification based on biometric features and in continuous authentication mechanisms.
You are consulting with a company about a new approach to authenticating users. You suggest there could be cost savings and better support for multifactor authentication (MFA) if your employees create accounts with a cloud provider. That allows the company’s staff to focus on authorizations and privilege management. What type of service is the cloud vendor performing?
The cloud vendor is acting as the identity provider.
What is the process of ensuring accounts are only created for valid users, only assigned the appropriate privileges, and that the account credentials are known only to the valid user?
Onboarding.
What is the policy that states users should be allocated the minimum sufficient permissions?
Least privilege.
What is a SOP?
A standard operating procedure (SOP) is a step-by-step listing of the actions that must be completed for any given task.
What type of organizational policies ensure that at least two people have oversight of a critical business process?
Shared authority (also called separation of duties or dual control), job rotation, and mandatory enforced vacation/holidays.