User Authentication

Question 1

Presenting an identifier to the security system

Answer 1

Identification step

Question 2

Presenting or generating authentication information that corroborates the binding between the entity and the identifier

Answer 2

Verification step

Question 3

What are the four means of authenticating user identity based on?

Answer 3

Something the individual knows
Something the individual possess (token)
Something the individual is (static biometrics)
Something the individual does (dynamic biometrics)

Question 4

What is an example of something the individual knows?

Answer 4

Password, PIN, answers to prearranged questions

Question 5

What is an example of something the individual possess?

Answer 5

Smartcard, electronic keycard, physical key

Question 6

What is an example of something the individual is (static biometrics)?

Answer 6

Fingerprint, retina, face

Question 7

What is an example of something the individual does (dynamic biometrics)?

Answer 7

Voice pattern, handwriting, typing rhythm

Question 8

What are password vulnerabilities?

Answer 8

Offline dictionary attack
Specific account attack 
Popular password attack
Password guessing against single user
Workstation hijacking
Exploiting user mistakes
Exploiting multiple password use
Electronic monitoring

Question 9

In the UNIX Hashed password scheme is the password saved on the machine?

Answer 9

no, only the user ID, salt value, and hash code.

Question 10

True or False

Unix Hashed Password adequate or inadequate?

Answer 10

Now regarded as inadequate, still often required for compatibility with existing account management software or multivendor environments.

Question 11

What are the improvements implementations for the Unix Hashed Password Scheme?

Answer 11

Much stronger hash/salt schemes available for Unix
Recommended has function is based on MD5
OpenBSD uses Blowfish block cipher based hash algorithm call Bcrypt

Question 12

What are examples of password cracking?

Answer 12

Dictionary attacks
Rainbow table attacks
John the ripper

Question 13

What are the differences in memory card and smart card

Answer 13

Memory cards
store but do not process data
Smart Card
Appearance of a credit card
Has an electronic interface 
Has an entire microprocessor
Processor
Memory 
I/O ports

Question 14

What does EEPROM stand for?

Answer 14

Electrically erasable programmable ROM

-Holds application data and programs on a smart card

Question 15

What are the two steps in an authetication process?

Answer 15

Identification step

Verification step

Question 16

Presenting an identifier to the security system

Answer 16

Identification step in the authentication process

Question 17

Presenting or generating authentication information that corroborates the binding between the entity and the identifier

Answer 17

Verification step in the authentication process

Question 18

_______ is the means by which a user provides a claimed identity to the system.

Answer 18

Identification

Question 19

_______ _____ ______ is the process of establishing confidence in user identities that are presented electronically to an information system.

Answer 19

Electronic user authentication

Question 20

An _______ _____ describes an organizations degree of certainty that a user has presented a credential that refers to his or her identity.

Answer 20

assurance level

Question 21

What are the four levels of assurance and there levels of confidence?

Answer 21

Level 1: little or no confidence
Level 2: Some confidence
Level 3: High confidence
Level 4: Very high confidence

Question 22

An authentication error could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Answer 22

Low Potential Impact

Question 23

An authentication error could be expected to have a serious adverse effect.

Answer 23

Moderate Potential Impact

Question 24

An authentication error coulee be expected to have a severe or catastrophic adverse effect.

Answer 24

High Potential Impact

Question 25

How does an ID provide security?

Answer 25

• It determines whether the user is authorized to gain access to a system.
• Determines the privileges accorded to the user.
• Is used in what is referred to as discretionary access control

Question 26

The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords.

Answer 26

Offline dictionary attack

Question 27

The attacker targets a specific account and submits password guesses until the correct password is discovered.

Answer 27

Specific account attack

Question 28

A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs.

Answer 28

Popular password attack

Question 29

The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password.

Answer 29

Password guessing against single user

Question 30

The attacker waits until a logged-in workstation is unattended.

Answer 30

Workstation hijacking

Question 31

If the systems assigns a password, then the user is more likely to write it down because it is difficult to remember. This situation creates the potential for an adversary to read the written password

Answer 31

Exploiting user mistakes

Question 32

Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user.

Answer 32

Exploiting multiple password use

Question 33

If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping.

Answer 33

Electronic monitoring

Question 34

What is the process of using a Hashed Password when loading a new password into the system.

Answer 34

1. The user selects or is assigned a password.
2. The password is combined with a fixed-length salt value.
3. The password and salt serve as inputs to a hashing algorithm to produce a fixed-length hash code.
4. The User ID, Salt value, and Hashed password are then stored in the password file.

Question 35

What is the process of using hashed passwords when logging onto a Unix system.

Answer 35

1. User provides their ID and password
2. The OS uses the ID to index into the password file and retrieve the plaintext salt and the encrypted password.
3. The salt and user-supplied password are used as input to the encryption routine.
4. If the result matches the stored value, the password is accepted.

Question 36

What are the three purposes that salt serves in hashed passwords.

Answer 36

1. It prevents duplicate passwords from being visible in the password file.
2. Increases the difficulty of offline dictionary attacks.
3. Impossible to find out whether a person with passwords on two or more systems has used the same password on all of them.

Question 37

What are the two threats to the UNIX password scheme?

Answer 37

1. A user can gain access on a machine using a guess account or by some other means and then run a password guessing program.
2. If an opponent is able to obtain a copy of the password file, then a cracker program can be run on another machine at leisure.

Question 38

To develop a large dictionary of possible passwords and to try each of these against the password file.

Answer 38

Password cracking

Question 39

An attacker generates a large dictionary of possible passwords. For each password, the attacker generates the hash values associated with each possible salt value. The result is a mammoth table of hash values known as a ______ ______.

Answer 39

rainbow table.

Question 40

Attacks that use a combination of brute-force and dictionary techniques have become common.

Answer 40

A notable example of this dual approach is John the Ripper, an open-source password cracker first developed in 1996 and still in use.

Question 41

What are the two improvements that password-cracking has endured to keep pace with strong password requirements.

Answer 41

1. The processing capacity available for passwords cracking has increased dramatically.
2. The use of sophisticated algorithms to generate potential passwords.

Question 42

The hashed passwords are kept in a separate file from the user IDs, referred to as a ______ ______ ____.

Answer 42

shadow password file

Question 43

What are the vulnerabilities in password file protection?

Answer 43

1. Many systems are susceptible to unanticipated break-ins
2. An accident of protection might render the password file readable.
3. Some users may have accounts on other machines in other protection domains, and use the same password
4. A lack of or weakness in physical security
5. Sniffing network traffic to find user IDs and passwords.

Question 44

What are the four password selection strategy techniques?

Answer 44

User education
Computer-generated passwords
Reactive password checking
Complex password policy

Question 45

Users being informed of the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.

Answer 45

User education

Question 46

A random number generator produces a random stream of characters used to construct the syllable and words.

Answer 46

Computer-generated passwords

Question 47

A strategy in which the system periodically runs its own password cracker to find guessable passwords.

Answer 47

Reactive password checking

Question 48

In this scheme, a user is allowed to select his or her own password. However, at the time of selection, thy system checks to see if the password is allowable and, if not, rejects it.

Answer 48

Complex password policy

or proactive password checker.

Question 49

True or False

A magnetic stripe can store only a simple security code, which can be read by an inexpensive card reader.

Answer 49

True

Question 50

Define the card type Embossed Feature and provide an example.

Answer 50

Passed characters only, on front; old credit card

Question 51

Define the card type Magnetic stripe Feature and provide an example.

Answer 51

Magnetic bar on back, characters on front; Bank card

Question 52

Define the card type Memory Feature and provide an example.

Answer 52

Electronic memory inside; Prepaid phone card

Question 53

Define the card type Smart Contact Contactless Feature and provide an example.

Answer 53

Electronic memory and processor inside, Electrical contacts exposed on surface, Radio antenna embedded inside; Biometric ID card

Question 54

What are the potential draw backs of using a memory card?

Answer 54

Requires special reader
Token loss
User dissatisfaction

Question 55

What are the three categories of authentication protocols used with smart tokens?

Answer 55

Static
Dynamic password generator
Challenge-response

Question 56

What human-readable data does an eID have printed on it? German card neuer Personalausweis

Answer 56

Personal data
Document number
Card access number (CAN)
Machine readable zone (MRZ)

Question 57

What is an eID?

Answer 57

Electronic Identity Card

Question 58

This function is reserved for government use and stores a digital representation of the cardholder’s identity.

Answer 58

ePass

Mandatory

Question 59

The ____ function stores an identity record that authorized service can access with cardholder permission.

Answer 59

eID

Activation Optional

Question 60

This optional function stores a private key and a certificate verifying the key; it is used for generating a digital signature.

Answer 60

eSign

Question 61

_______ ensures that the contactless RF chip in the eID card cannot be read without explicit access control.

Answer 61

Password Authenticated Connection Establishment (PACE)

Question 62

What are the physical characteristics used in biometric applications.

Answer 62

Facial characteristics 
Fingerprints 
Hand geometry 
Retinal pattern 
Iris 
Signature 
Voice

Question 63

What is biometric verification?

Answer 63

The user enters a PIN and also uses a biometric sensor.

Question 64

What is biometric identification?

Answer 64

The individual uses the biometric sensor but does not present any additional information.

Question 65

For a given biometric scheme, we can plot the false match versus false non match rate, called the ______ _______ _____.

Answer 65

operating characteristic curve

Question 66

A user first transmits his or her identity to the remote host. The host generates a random number r, often called a _____, and returns it to the user

Answer 66

Nonce

Question 67

What are attacks that remotely user authentication face?

Answer 67

Client attack 
Host attack 
Eavesdropping, theft, and copying
Replay
Trojan horse
Denial of service

Question 68

An adversary attempts to achieve user authentication without access to the remote host or to the intervening communications path. The adversary attempts to masquerade as a legitimate user.

Answer 68

Client attacks

Question 69

Attacks that are directed at the user file at the host where passwords, token passcodes, or biometric templates are stored.

Answer 69

Host attack

Question 70

Adversaries attempt to learn the password by observing the user, finding a written copy of the password.

Answer 70

Eavesdropping

Question 71

Attacks involve an adversary repeating a previously captured user response.

Answer 71

Replay

Question 72

An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric.

Answer 72

Trojan horse

Question 73

An attack that attempts to disable a user authentication service by flooding the service with numerous authentication attempts.

Answer 73

Denial-of-service