Computer Security Chapter 3: User Authentication
48 Questions

Questions and Answers

What is the primary purpose of password selection strategies?

  • To eliminate guessable passwords (correct)
  • To encourage the use of common dictionary words
  • To increase the number of characters in passwords
  • To make passwords easier to remember

Which of the following is NOT a technique used for password selection strategies?

  • Computer-generated passwords
  • User education
  • Social engineering tactics (correct)
  • Complex password policy

What is the minimum character requirement for a complex password policy?

  • 10 characters
  • 16 characters (correct)
  • 8 characters
  • 12 characters

Which component is involved in a personal identification number (PIN) in user authentication?

    Password authenticated connection establishment

    In user authentication schemes, what does 'enrollment' create?

    An association between a user and their biometric characteristics

    What type of attack exploits the characteristics of an algorithm to deduce a specific plaintext or key?

    Cryptanalytic attack

    What is the universal technique for providing confidentiality for transmitted or stored data called?

    Symmetric encryption

    What must a secure password contain according to the complex password policy?

    At least one uppercase letter and a symbol

    What is one of the main reasons for using a salt in password hashing?

    To increase the complexity of offline dictionary attacks

    What does the process of multifactor authentication involve?

    Exchanging an authentication protocol with multiple factors sequentially

    Which type of attack involves waiting for a logged-in workstation to be unattended?

    Workstation hijacking

    What is one requirement for recipients of the work mentioned?

    They are expected to abide by certain restrictions.

    Which aspect is included in the scope of computer security?

    Control of access to computer systems.

    What is a common vulnerability associated with user mistakes regarding passwords?

    Writing down difficult-to-remember passwords

    What is the purpose of an attack tree in the context of security?

    To identify potential attack vectors, such as in internet banking.

    In the context of password vulnerabilities, what is a popular password attack?

    Using a known password across various user IDs

    Which of the following represents a consequence of a security threat?

    Data breaches leading to unauthorized access.

    What is one consequence of the vulnerability of electronic monitoring?

    Password transmissions can be intercepted over networks

    What does the 'Defense in Depth' concept emphasize?

    Multiple layers of security controls.

    Which of the following best describes an offline dictionary attack?

    Comparing system password hashes with a list of common passwords

    Which of the following is a type of threat to computer and network assets?

    Malicious software programs.

    Which scenario illustrates the exploitation of multiple password use vulnerability?

    Using the same password across different network devices

    Which statement accurately describes a primary objective of computer security?

    Ensure the integrity and confidentiality of data.

    What are security requirements primarily based on?

    Government standards and frameworks.

    What does RBAC stand for?

    Role-Based Access Control

    Which model often uses an access control matrix to represent permissions?

    Role-Based Access Control (RBAC)

    Which of the following is NOT a common RBAC model aspect?

    Role termination

    What is the main focus of Identity, Credential, and Access Management (ICAM)?

    Overseeing user identities and their rights

    How are functions typically associated with roles in a banking context?

    Roles define which functions can be performed based on job need

    What does ABAC primarily rely on for decision-making?

    Attributes of users, resources, and environment

    Which figure typically represents the hierarchy of roles in RBAC?

    Role Hierarchy Figure

    What is a key benefit of using an access control list (ACL)?

    Granular control over individual resources

    What does the variable K represent in symmetric encryption?

    The key used for encryption and decryption

    In symmetric encryption, what is the role of the encryption algorithm?

    To produce cypher text from plain text using a key

    Which of the following is a popular symmetric encryption algorithm?

    DES

    What is a Message Authentication Code (MAC) used for in symmetric encryption?

    To provide a means of verifying the integrity of a message

    What is the output of the decryption algorithm in symmetric encryption?

    The original plain text before encryption

    Which symmetric encryption standard is generally considered more secure than DES?

    AES

    What happens if the integrity of a copyrighted work is compromised?

    Its educational purpose is diminished

    Which of the following describes the process of symmetric encryption?

    The same key is used for both encryption and decryption.

    What is the purpose of a digital signature in the context of message transmission?

    To confirm the identity of the sender

    Which hash function is mentioned as an example for generating a hash value in the digital signature process?

    SHA-512

    What does Alice do after receiving a signed message from Bob?

    She verifies the signature using Bob's public key

    What major issue does public-key encryption face when distributing public keys?

    The process of sharing public keys lacks verification

    What does the Certification Authority (CA) do with the unsigned certificate it receives?

    It creates a signature for the certificate

    Which statement accurately describes the role of a digital signature?

    It signals that the message has not been altered

    Which step is NOT part of the process of obtaining a public-key certificate?

    Encrypting the public key with a password

    What is true about the confidentiality of a message sent with a digital signature?

    The digital signature protects against alteration but not eavesdropping

    Study Notes

    Computer Security: Principles and Practice

    • Chapter 3: User Authentication covers methods for verifying user identities.
    • Four authentication methods are based on what the individual knows, possesses, is, or does.
      • Something the individual knows: Passwords, PINs, and answers to prearranged questions.
      • Something the individual possesses: Tokens like smartcards, electronic keycards, and physical keys.
      • Something the individual is (static biometrics): Fingerprint, retina, and face recognition.
      • Something the individual does (dynamic biometrics): Voice pattern, handwriting, and typing rhythm.
    • Multifactor Authentication: Involves multiple factors, like something the user knows and something the user possesses. If the first factor fails, the protocol stops; if it passes, control moves on to the second authentication factor.
    • Password Vulnerabilities:
      • Offline dictionary attack: Attackers obtain a password file and compare against common passwords.
      • Specific account attack: The attacker targets a specific account and guesses passwords until the right one is found.
      • Popular password attack: Uses commonly used passwords against a wide range of usernames.
      • Workstation hijacking: The attacker waits until a logged-in workstation is unattended.
      • Exploiting user mistakes: Users write passwords down, making them easily accessible.
      • Exploiting multiple password use: Multiple devices with repeated passwords.
      • Electronic Monitoring: Password transmission across a network.
    • Salt: Used in password hashing so that identical passwords do not produce identical hashes, which makes offline dictionary attacks harder.
    • Password Authentication Process:
      • Loading a new password: A salt is combined with the password and run through a slow hash function; the salt and resulting hash are then stored in the password file.
      • Verifying a password: The input password is combined with the stored salt for that user and run through the same slow hash function. The resulting hash code is compared with the hash code in the password file.
    • Password Selection Strategies: Techniques to create memorable but hard-to-guess passwords.
      • User education: Explain good password practices to users.
      • Computer-generated passwords: Use computer tools to create secure passwords.
      • Reactive password checking: Alert users to bad passwords and prompt them to change them.
      • Complex password policy: Specify requirements (min length, character types, avoiding dictionary words) for passwords.
    • Types of Cards Used as Tokens: Different types of token cards.
      • Embossed: Raised characters on the card front (old credit cards).
      • Magnetic stripe: Magnetic bar on back.
      • Memory: Electronic memory inside.
      • Smart contact: Electronic memory and processor inside.
      • Contactless: Radio antennae embedded inside.
    • Smart Card/Reader Exchange: Protocol exchange for a smartcard.
    • eID Card Functions and Data: Specific functions and data for electronic ID cards.
    • User Authentication with eID: Steps of authentication with eID.
    • Cost versus Accuracy of Biometric Characteristics: Hand, signature, face, retina, finger, and iris in terms of cost and accuracy.
    • A Generic Biometric System: Enrollment, verification, and identification processes in a biometric system.
    • Symmetric Encryption Definitions:
      • Symmetric Encryption: The universal technique for providing confidentiality of transmitted or stored data using a single key.
      • Cryptanalytic attacks: Attacks exploiting the characteristics of the encryption algorithm.
      • Brute-force attacks: Attempting to deduce the key by trying all possible combinations.
      • Block cipher: Processes the input blocks of a fixed size.
      • Stream cipher: Processes the input elements continuously.
      • Back-end appliance: Hardware between servers and storage systems that encrypts and decrypts data.
      • Key size: The length of the encryption key (e.g., increasing to 128 bits, 256 bits for greater security).
      • Key pair: A pair of keys for encryption and decryption.
Chapter 4: Access Control

    • Basic Security Requirements (SP 800-171):
      • Security requirements for limiting system access, transaction types, CUI flow, separation of duties, least privilege, preventing execution of privileged functions, limiting unsuccessful login attempts, privacy notices, session locking and pattern-hiding, automated user session termination, remote access control, routing of remote access, and authorizing remote commands.
    • Access Control Context: Concepts used in determining permitted access to system resources.
      • Authentication: Verifying user or entity credentials.
      • Authorization: Granting access rights to a system entity for a specific purpose.
      • Audit: Evaluating adequacy of system controls through independent reviews.
    • Relationship among Access Control and Other Security Functions:
      • Diagram showing the interactions between security administrator, user, authentication function, access control function, and auditing.
    • Basic elements of access control:
      • Subject: Entity capable of accessing objects (e.g., user, process).
      • Object: System resource that can be accessed (e.g., file, directory).
      • Access right: Describes the way a subject can access an object (read, write, execute, delete, create, search).
      • Owner: Creator/originator of the resource.
      • Group: Set of users granted access to the resource.
      • World: The minimum level of access granted to all users within a system (users not covered by the owner or group categories).
    • Discretionary Access Control: Entities grant access to others.
    • Authorization Table for Files: Table representing different user/entity access permissions to specific files.
    • Extended Access Control Matrix: A more detailed access control table, showing who has access to which assets in a system.
    • Role-Based Access Control (RBAC): Access is based on user roles with predefined permissions and operations; notably, access decisions depend on the role rather than on the user's identity.
    • Scope of RBAC Models: RBAC0, RBAC1, RBAC2, and RBAC3, and their differences in role hierarchies and constraints.
    • Example of Role Hierarchy: Diagram illustrating a role hierarchy (Director -> Project Leads -> Engineering).
    • ABAC Scenario: A diagram illustrating an Attribute-Based Access Control (ABAC) system with its elements and their interactions.
    • ACL and ABAC Trust Relationships: Diagrams depicting the trust relationships involved in the implementation of Access Control Lists (ACLs) and Attribute-Based Access Control (ABAC).
    • Unnumbered Table 1: Table describing movie ratings and relevant age groups for access.
    • Identity, Credential, and Access Management (ICAM):
      • Comprehensive system for managing users, credentials, and access rights.
    • Identity Information Exchange Approaches:
      • Diagrams depicting the approaches involved, including identity service providers, attribute providers, trust relationships, and relying parties.
    • Table 4.5a – 4.5c: Functions and roles of banking staff, their assigned applications, and their access rights, including permissions with inheritance.
    • Example of Access Control Administration:
      • A diagram illustrating how access control administration might be organized within an organization.
    • VAX/VMS Access Modes:
      • Diagram demonstrating the different access modes in the VAX/VMS operating system.

Chapter 1: Overview

    • Essential Network and Computer Security Requirements: The CIA triad (confidentiality, integrity, and availability) is emphasized as a framework for protection.
    • Computer Security Terminology: Definitions like adversary, attack, countermeasure, risk, security policy, system resource, threat, and vulnerability.
    • Threat Consequences and Threat Actions: Classification of potential consequences and actions related to threats.
    • Scope of Computer Security: Emphasizing the boundaries of systems (data, process, users, access) that require security protections.
    • Computer and Network Assets: Types of assets (hardware, software, data, communication lines, networks) and examples of potential threats to each.
    • Security Requirements Table: Lists core security requirements for protecting systems, with emphasis on access control, awareness, accountability, certification, accreditation and security assessments, configuration management, contingency planning, identification and authentication, incident response, maintenance, media protection, physical and environmental protection, and security planning. Also includes a diagram of defense in depth contrasted with the attack surface.
    • Attack Tree: Example of an attack tree for internet banking authentication.

    Chapter 2: Cryptographic Tools

    • Simplified Model of Symmetric Encryption: A simplified diagram explaining how symmetric encryption works.
    • Symmetric Encryption: The example shows a schematic of a symmetric encryption system, featuring a sender and recipient sharing a secret key, an encryption algorithm, the output ciphertext, a decryption algorithm, and the resulting plaintext output.
    • Comparison of Popular Symmetric Algorithms: A table of size characteristics and key sizes.
    • Average Time Required for Exhaustive Key Search: A table illustrating the complexity of brute force attacks concerning encryption key length.
    • Types of Symmetric Encryption: Discusses techniques for encryption using key streams, including block cipher encryption and stream encryption.
    • Message Authentication Code (MAC): Diagram illustrating how message authentication codes work for verification by using an algorithm.
    • Cryptographic Hash Function: Illustrates how a hash function works to map variable length data to a fixed-length code.
    • Message Authentication Using a One-Way Hash Function: Methods depicting how to use a one-way hash function for verifying messages, with and without symmetric encryption.
    • Unnumbered Table 1: The table illustrates how the strength of a hash function depends on the length of the hash code generated. For an n-bit hash code, attack effort on the order of 2^n or 2^(n/2) operations is needed to defeat the different types of resistance.

    Chapter 4 (continued)

    • Public-Key Certificate Use: Describes how public-key certificates are used to manage public keys more securely, avoiding the weakness of unverified public-key distribution.
    • Digital Envelopes: Another important technique, used to protect the symmetric key that secures the confidentiality of a message.

    Description

    This quiz explores Chapter 3 of 'Computer Security: Principles and Practice', focusing on various user authentication methods. Discover how authentication relies on what users know, possess, are, or do, alongside the significance of multifactor authentication and password vulnerabilities. Test your understanding of these critical security concepts.