Cryptography and Authentication Quiz
48 Questions


Questions and Answers

What distinguishes authentication from authorization?

  • Authentication checks if a user is permitted access to certain data.
  • Authorization verifies the identity of a user.
  • Authorization processes user credentials for access.
  • Authentication ascertains a user's identity while authorization determines access rights. (correct)

Which cryptographic primitive is used to ensure the integrity of a message?

  • Hash (correct)
  • Symmetric keys
  • Digital signature
  • MAC

In the context of HTTP authentication, which method does NOT provide a way of proving identity?

  • OAuth2 (correct)
  • JSON Web Token (JWT)
  • HMAC authentication
  • HTTP Basic

What role does a digital signature play in cryptographic security?

  • It ensures integrity while providing non-repudiation. (correct)

Which type of key is used in MAC (Message Authentication Code) for ensuring authenticity?

  • Symmetric keys (correct)

What is the purpose of multi-factor authentication?

  • To enhance security by requiring multiple forms of verification. (correct)

How does token authentication differ from traditional username/password methods?

  • It allows for stateless session management. (correct)

Which of the following statements about HTTP Digest authentication is accurate?

  • It enhances security by hashing the credentials. (correct)

What are the three components of a JWS?

  • Header, Payload, Signature (correct)

What is the correct structure of a JWS?

  • header.payload.signature (correct)

Which character is used in base64url encoding instead of '+'?

  • '-' (hyphen-minus) (correct)

What is true about padding in base64url?

  • Padding is optional. (correct)

How many alphanumeric characters are used in base64url encoding?

  • 62 (correct)

What is the purpose of using base64url encoding?

  • To make binary data URL safe. (correct)

Which punctuation mark is unreserved and can be used as a separator in base64url?

  • '.' (period) (correct)

Which of the following is NOT true regarding the base64url character set?

  • … is included as a valid character. (correct)

What does the server respond with when it requires authentication using HTTP Basic?

  • 401 Unauthorized (correct)

What is sent in the Authorization header for HTTP Basic authentication?

  • User and password encoded in base64 (correct)

What is a primary vulnerability of HTTP Basic authentication when used without SSL/TLS?

  • Unencrypted transmission of user credentials (correct)

What is the main mechanism behind HTTP Digest authentication?

  • Challenge-response mechanism (correct)

What does HA1 represent in the context of HTTP Digest authentication?

  • MD5 hash of username, realm, and password (correct)

Which of the following is NOT a feature of HTTP Digest authentication?

  • User credentials sent as plain text (correct)

What is a limitation of HTTP Digest authentication?

  • It does not prevent security downgrading (correct)

What does HMAC stand for in the context of authentication?

  • Hash-based Message Authentication Code (correct)

What is the purpose of including the body in HMAC authentication?

  • To ensure data integrity and prevent data tampering (correct)

In token authentication, what does the client need to do before receiving a token?

  • Authenticate using a secret/password (correct)

What format does a JSON Web Token (JWT) represent?

  • A set of claims as a JSON object (correct)

How can a client renew a token in token authentication?

  • Using a refresh token (correct)

What does JSON Web Signature (JWS) secure?

  • Content secured with digital signatures or MACs (correct)

What is included in the Authorization header when using a Bearer token?

  • The access token (correct)

What is the role of the hashing algorithm in HMAC authentication?

  • To generate a fixed-size hash for data verification (correct)

Which of the following best describes a characteristic of token authentication?

  • Tokens can be revoked if necessary (correct)

What is the primary purpose of JSON Web Encryption (JWE)?

  • To encrypt data end-to-end (correct)

Which role is NOT part of the OAuth2 framework?

  • Service provider (correct)

What does the Client Credentials Grant imply?

  • The client acts as the resource owner. (correct)

What is a consequence of not using a JWT for authorization?

  • The Resource Server must look up token details. (correct)

Which of the OAuth2 grant types is specifically for server applications?

  • Authorization Code Grant (correct)

Which statement accurately reflects the role of JSON Web Key (JWK)?

  • It provides a JSON representation of a cryptographic web key. (correct)

What is a primary feature of OAuth2's authorization process?

  • It enables resource access on behalf of a resource owner. (correct)

What is a notable aspect of using a JWT for authorization?

  • It reduces server load for token verification. (correct)

What type of application typically utilizes the Implicit Grant in OAuth2?

  • Client applications using JavaScript (correct)

Which of the following statements about multi-factor authentication is true?

  • It enhances security by requiring multiple forms of identification. (correct)

What is the primary purpose of the WebAuthn API?

  • To authenticate using public key cryptography. (correct)

What does OpenID Connect provide when used with OAuth 2.0?

  • Single-sign-on capabilities. (correct)

Which of the following is a characteristic feature of the Universal 2nd Factor (U2F)?

  • It interfaces with USB and NFC tokens. (correct)

How does OpenID differ from OpenID Connect?

  • OpenID Connect incorporates REST principles, whereas OpenID does not. (correct)

Which statement is correct regarding refresh tokens in the Implicit Grant type of OAuth2?

  • They are not used in the Implicit Grant. (correct)

What is an important benefit of using Single Sign-On (SSO)?

  • It streamlines the login process across various sites. (correct)

Flashcards

Authentication

The process of confirming a user's identity.

Authorization

A set of rules defining what actions a user is permitted to perform.

Hash

A cryptographic function that maps input of any length to a fixed-length output. On its own it provides integrity checking only: without a key it proves nothing about who produced the data.

Message Authentication Code (MAC)

A cryptographic technique used to verify data integrity and sender authenticity. A secret key shared by sender and receiver is used to generate a 'tag' that is appended to the data.

Non-repudiation

The property that a message can be proven to originate from its sender, so the sender cannot deny having sent it. Digital signatures (asymmetric keys) provide it; MACs do not, because both parties hold the same key.

HTTP Basic Authentication

The simplest HTTP authentication scheme: the client sends the username and password base64-encoded but not encrypted, so they are effectively in plain text.

HTTP Digest Authentication

An HTTP authentication scheme that sends a one-way hash computed from the password and a server nonce instead of the password itself.

HMAC (Hash-based Message Authentication Code)

A cryptographic primitive used for verifying both integrity and authenticity of data, relying on a shared secret key between the sender and receiver.

Authentication Token

A (typically short-lived) token issued by a server to a client after successful authentication, presented on subsequent requests so the client does not need to re-authenticate.

JSON Web Token (JWT)

A standard for representing claims (user information) as a JSON object that is digitally signed and/or encrypted. It facilitates secure communication between parties by ensuring authenticity and integrity.

Basic Authentication

A method where the client sends its user name and password in the Authorization request header. The credentials are only base64-encoded, so they travel in plain text unless TLS is used.

JSON Web Signature (JWS)

A mechanism for securing content using digital signatures or MACs, based on JSON data structures. It verifies the data's authenticity and integrity.

What is HTTP Basic Authentication?

HTTP Basic Authentication is the simplest authentication scheme. It sends the username and password base64-encoded, which is encoding rather than encryption, making it vulnerable to eavesdropping without TLS.

How does HTTP Digest Authentication improve security over Basic?

HTTP Digest Authentication is a more secure alternative to HTTP Basic. The password is never transmitted; the client sends a one-way hash derived from it, so an eavesdropper cannot simply read it off the wire.

What's a nonce in HTTP Digest Authentication?

HTTP Digest Authentication starts with the server generating a unique nonce (random value) for each challenge. The nonce is mixed into the hash the client computes over username, realm, password, method and URI, so the response is tied to that particular challenge.

How does HTTP Digest Authentication use challenge-response?

Unlike Basic, HTTP Digest Authentication uses a challenge-response mechanism. The server challenges with a nonce, the client sends the resulting hash (the response digest), and the server recomputes the expected value from its stored hash of the credentials (HA1) and compares.

What is a potential vulnerability with HTTP Digest Authentication?

While HTTP Digest Authentication is more secure than Basic, it can still be vulnerable to replay attacks: an attacker who intercepts an Authorization header can resend it if the server reuses nonces or does not track the nonce count (nc). Digest also does not cover the request body, so the body can be altered in transit.

What is HMAC (Keyed-Hash Message Authentication Code)?

HMAC stands for Keyed-Hash Message Authentication Code. It's a cryptographic technique used to verify both data integrity and sender authenticity by using a secret key.

How does HMAC work to verify data integrity and authenticity?

HMAC uses a secret key shared between the sender and receiver. This key is used to generate a tag that is appended to the data. The receiver then recomputes the tag using the same key and compares it to the one received, which confirms both data integrity and authenticity.

How does HMAC compare to HTTP Digest Authentication in terms of security?

HMAC authentication provides a significant improvement over HTTP Digest Authentication: the tag can cover the whole request (method, URI, headers and body), so tampering with any part is detected, and when the signed data includes a timestamp or nonce the server can reject replays. It also builds on a modern hash such as SHA-256 rather than MD5.

What are the components of a JWS?

A JWS consists of a header, payload, and signature, each encoded in base64url format.

What is base64url encoding?

A variant of base64 encoding which replaces '+' with '-' and '/' with '_'. Padding characters '=' are optional.

What is a JSON Web Signature (JWS)?

The JSON Web Signature (JWS) is a compact and URL-safe way to digitally sign (or MAC) and verify JSON content.

What is the purpose of the JWS header?

The header section (the JOSE header) contains metadata about the JWS, such as the algorithm ("alg") used for signing.

What is the purpose of the JWS payload?

The payload section holds the actual JSON data to be signed.

What is the purpose of the JWS signature?

The signature section ensures the integrity and authenticity of the JWS: it is a digital signature or MAC computed over the encoded header and payload, so any change to either is detected.

How are the components of a JWS separated?

JWS compact serialization uses the period '.' character as a separator between the header, payload, and signature.

What is the role of padding in JWS?

Standard base64 pads its output with '='. base64url makes the padding optional, and JWS (RFC 7515) omits it entirely, so a compact JWS never contains '='.

Implicit Grant

A type of OAuth2 grant historically used for clients running in a browser JavaScript environment: the user is redirected to the authorization server to consent to the application's access, and the access token is returned directly in the redirect. Current guidance (the OAuth 2.0 Security Best Current Practice) deprecates it in favour of the Authorization Code Grant with PKCE.

Multi-factor authentication

A security mechanism that requires users to provide multiple forms of authentication, such as a password and a one-time code from their phone, to access an account.

Web Authentication (WebAuthn)

A web standard that allows websites or applications to authenticate users with public-key credentials held by authenticators such as USB security keys or smart cards. It is a browser-based authentication mechanism.

Universal 2nd Factor (U2F)

A standard for multi-factor authentication (MFA) that uses USB and NFC tokens to provide a second factor of authentication.

OpenID Connect

An open standard built on top of OAuth 2.0 that enables websites and applications to verify the identity of users and obtain basic profile information.

Single Sign-On

A process that allows users to log in once and gain access to multiple applications or resources without re-authenticating.

What is a JWK?

JSON Web Key (JWK) is a JSON representation of a cryptographic key (public or private, symmetric or asymmetric), used to distribute the keys that verify a JWS or decrypt a JWE.

What is JWE?

JSON Web Encryption (JWE) is like JWS but for encrypting data. It enables end-to-end encryption for sensitive information, independently of transport-layer security.

What is OAuth2?

An open standard for authorization that lets a third-party application access resources on behalf of a resource owner, with the owner's consent and without the owner sharing their credentials.

Describe the Client Credentials Grant in OAuth2

In OAuth2, the Client Credentials Grant allows a client to request access to resources on its own behalf without involving an end-user. This grant type is commonly used in machine-to-machine communication where the client is also the resource owner.

How does OAuth2 authentication work without a JWT?

Without a JWT, the access token is an opaque reference: the Resource Server must query the authorization server (token introspection) for its scope, validity and other details.

How does OAuth2 authentication work with a JWT?

When the access token is a JWT, the client sends it in the Authorization header with the Bearer scheme and the Resource Server verifies the signature and claims locally, with no lookup. Any grant type can issue a JWT access token, not only the Client Credentials Grant.

List the four main grant types in OAuth2

OAuth2 (RFC 6749) defines four grant types: Authorization Code Grant, Implicit Grant, Resource Owner Password Credentials Grant, and Client Credentials Grant. Each grant type serves a specific purpose and involves different parties.

Study Notes

Web Authentication

  • Web Authentication is the process of verifying a user's identity for a web application.
  • Authentication vs Authorization
    • Authentication determines whether the user is who they claim to be.
    • Authorization determines what an authenticated user is permitted to do, based on rules and permissions.
  • Cryptographic Primitives
    • Hashing is used for integrity, not authentication or non-repudiation.
    • MACs (Message Authentication Codes) provide integrity and authentication, using symmetric keys.
    • Digital signatures offer integrity, authentication, and non-repudiation, relying on asymmetric keys.

HTTP Basic Authentication

  • Simplest method, but vulnerable to eavesdropping.
  • Server responds with "401 Unauthorized" and requests authentication.
  • Client includes a base64-encoded username and password in the header.
  • Browser handles this method natively and does not provide customization options.
  • Passwords are not encrypted in transit; use SSL/TLS to protect.

HTTP Digest Authentication

  • More secure than HTTP Basic.
  • Server provides a "nonce" (random value) and a challenge.
  • Client computes a response digest based on the server's challenge, including the nonce.
  • More complex than HTTP Basic, handled by most modern browsers.

HTTP Digest II

  • The digest calculation, simplified:
  • HA1 = MD5(username:realm:password).
  • HA2 = MD5(method:URI).
  • Response = MD5(HA1:nonce:HA2), or MD5(HA1:nonce:nc:cnonce:qop:HA2) when qop=auth is used; the nonce count (nc) and client nonce (cnonce) are what let the server detect replays.
  • Somewhat dated: it was defined before HMAC and uses MD5 by default (RFC 7616 added SHA-256).
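The two schemes above side by side, as an added example (not code from the page): the Basic header is decoded straight back to the password, whereas the Digest client only sends a response digest, and the server keeps HA1 rather than the password and rejects a replayed (nonce, nc) pair. The user name, password, realm and URI are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo credentials and request (assumptions, not from the page).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
REALM = "api@example.com"
METHOD = "GET"
URI = "/private/report"


def basic_header(username: str, password: str) -> str:
    """Client side of HTTP Basic: 'user:password' base64-encoded in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def basic_credentials(header: str) -> tuple:
    """Anyone who sees the header (e.g. without TLS) recovers the password:
    base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """Client side of HTTP Digest with qop=auth (RFC 7616):
       HA1 = MD5(username:realm:password)
       HA2 = MD5(method:uri)
       response = MD5(HA1:nonce:nc:cnonce:auth:HA2)
    The password never leaves the client; only the response digest is sent."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Server side of HTTP Digest. Stores HA1 instead of the password, issues a fresh
    nonce per challenge, and refuses a (nonce, nc) pair it has already accepted,
    which is what defeats replay of a captured Authorization header."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}
        self.issued_nonces = set()
        self.accepted = set()

    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        """Nonce for the WWW-Authenticate header of the 401 response."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.issued_nonces or (nonce, nc) in self.accepted:
            return False  # unknown nonce, or replay of an accepted request
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.accepted.add((nonce, nc))
        return True


if __name__ == "__main__":
    header = basic_header(USERNAME, PASSWORD)
    print(header, "->", basic_credentials(header))
    server = DigestServer(REALM)
    server.add_user(USERNAME, PASSWORD)
    nonce = server.challenge()
    resp = digest_response(USERNAME, PASSWORD, REALM, METHOD, URI, nonce, "00000001", "c1")
    print("first use:", server.verify(USERNAME, METHOD, URI, nonce, "00000001", "c1", resp))
    print("replayed:", server.verify(USERNAME, METHOD, URI, nonce, "00000001", "c1", resp))
```

A server that accepts any nonce it did not issue, or does not remember which nonce counts it has seen, loses the replay protection; that is the "nonce tracking" the Digest RFC leaves to the implementation.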

HMAC Authentication

  • Uses a secret key shared between client and server.
  • Creates a message authentication code (digest) for the data.
  • Allows checking for any data tampering in transit.
  • Built on a cryptographic hash such as SHA-256 (HMAC-SHA256); the resulting tag is encoded (hex or base64) and sent in a request header.
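An added example of HMAC request authentication as described above (not code from the page): the client signs method, path, timestamp, nonce and a hash of the body with the shared key; the server recomputes the tag, compares it in constant time, and uses the timestamp and nonce to reject stale or replayed requests. The header names, secret and skew window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret and skew tolerance (assumptions, not from the page).
# In practice each API client gets its own secret, issued out of band.
SECRET = b"shared-secret-for-client-42"
MAX_SKEW = 300  # seconds; requests whose timestamp is further off are rejected


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Everything the tag covers. Hashing the body detects payload tampering; binding
    method and path stops a tag being reused on another endpoint; timestamp and
    nonce give the verifier a replay window."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp=None, nonce=None) -> dict:
    """Client side: returns the headers to attach to the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(8)
    tag = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "Authorization": f"HMAC-SHA256 {tag}"}


class HmacVerifier:
    """Server side: recomputes the tag with the shared key and compares in constant time."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.seen_nonces = {}  # nonce -> time after which it can be forgotten

    def verify(self, method: str, path: str, headers: dict, body: bytes) -> bool:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            scheme, _, tag = headers["Authorization"].partition(" ")
        except (KeyError, ValueError):
            return False
        if scheme != "HMAC-SHA256":
            return False
        now = int(self.clock())
        if abs(now - ts) > MAX_SKEW:
            return False  # stale or far-future timestamp
        # Forget nonces outside the skew window, then refuse any nonce seen before.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        if nonce in self.seen_nonces:
            return False  # replay
        expected = hmac.new(self.secret, canonical_string(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # tampered request, or wrong key
        self.seen_nonces[nonce] = now + MAX_SKEW
        return True


if __name__ == "__main__":
    body = b'{"amount": 100, "to": "bob"}'
    headers = sign_request(SECRET, "POST", "/transfer", body)
    verifier = HmacVerifier(SECRET)
    print("genuine:", verifier.verify("POST", "/transfer", headers, body))
    print("tampered:", verifier.verify("POST", "/transfer", headers, b'{"amount": 9000, "to": "bob"}'))
    print("replay:", verifier.verify("POST", "/transfer", headers, body))
```

The nonce store only has to remember values for the skew window, since anything older is already rejected by the timestamp check; that keeps the replay cache bounded.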

Token Authentication

  • Represents a user's authenticated status.
  • Client requests a token after authentication.
  • Subsequent requests include the token.
  • Can be short- or long-lived.
  • Refresh tokens allow renewing a token.
  • Revocability is often implemented.
  • Authenticates via header field (e.g. "Bearer").

JSON Web Token (JWT)

  • A set of claims (information about a user or object) encoded in a JSON payload within a specialized format (JWS or JWE).
  • JWT comprises a header, payload, and signature/MAC.
  • Simplifies authentication across applications/systems, as it only requires sending the user's token.

JSON Web Signature (JWS)

  • Represents digitally signed content.
  • Consists of a JOSE header, payload, and signature.
  • Signatures provide content integrity and authenticity.
  • Uses Base64Url encoding.

base64url Encoding

  • Variant of Base64, using URL-safe characters.
  • Replaces '+' and '/' with '-' and '_'.
  • May omit padding ('=').
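An added example that ties the JWS and base64url sections together (not code from the page or from any JWT library): a compact HS256 JWS is built as header.payload.signature with unpadded base64url, and the verifier pins the algorithm, checks the MAC in constant time and enforces the exp claim. The key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key (assumption, not from the page). HS256 keys should hold
# at least 256 bits of randomness, e.g. secrets.token_bytes(32).
KEY = b"an-example-hmac-key-of-32-bytes!"


def b64url_encode(data: bytes) -> str:
    """base64url (RFC 4648 section 5): '+'->'-', '/'->'_', '=' padding dropped,
    which is the form JWS mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the optional padding so the standard decoder accepts it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON; the exact bytes matter because they are what gets signed.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Compact serialization: header.payload.signature, each base64url-encoded.
    The MAC is computed over the ASCII bytes of 'header.payload'."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def jws_verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Returns the claims or raises ValueError. The verifier pins the algorithm:
    the header's 'alg' is compared with what we expect, never used to select the
    verification method, so an 'alg: none' header cannot bypass the MAC."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def bearer_header(token: str) -> dict:
    """How the client presents the token on later requests."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    token = jws_sign_hs256({"sub": "alice", "exp": int(time.time()) + 600}, KEY)
    print(bearer_header(token))
    print(jws_verify_hs256(token, KEY))
```

Note that the payload is only encoded, not encrypted: anyone holding the token can read the claims, which is why secrets belong in a JWE rather than a JWS.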

JWE, JWK

  • JWE: JSON Web Encryption, comparable to JWS but encrypts the data.
  • JWK: JSON Web Key, a JSON representation of cryptographic keys, used by both JWS and JWE.
  • Enables end-to-end encryption, regardless of transport-layer security (TLS/SSL).

OAuth2 I & II

  • Open standard for authorization: lets an application access resources on behalf of a user (the resource owner).
  • Supports delegated access (a user allowing a third party to access their resources without handing over their credentials).
  • Different grant types allow for varied use cases (e.g. client credentials, implicit).

Multi-factor Authentication

  • Incorporates multiple authentication methods (e.g., something you know, are, or have) for enhanced security.

WebAuthn (Web Authentication)

  • Browser API for public-key authentication.
  • Leverages security devices like USB tokens or smart cards.

OpenID Connect

  • Adds identity verification capabilities on top of OAuth 2.0.
  • Enables single sign-on across multiple sites.
  • Verifies the user's identity and provides profile information.

Description

Test your knowledge on key concepts of cryptography, focusing on authentication and authorization methods. This quiz covers various cryptographic primitives, digital signatures, and multi-factor authentication. Challenge yourself to understand the nuances between different authentication techniques and their applications.
