Cryptography and Authentication Quiz

Questions and Answers

What distinguishes authentication from authorization?

Authentication checks if a user is permitted access to certain data.

Authorization verifies the identity of a user.

Authorization processes user credentials for access.

Authentication ascertains a user's identity while authorization determines access rights. (correct)

Which cryptographic primitive is used to ensure the integrity of a message?

Hash (correct)

Symmetric keys

Digital signature

MAC

In the context of HTTP authentication, which method does NOT provide a way of proving identity?

OAuth2 (correct)

JSON Web Token (JWT)

HMAC authentication

HTTP Basic

What role does a digital signature play in cryptographic security?

It ensures integrity while providing non-repudiation.

Which type of key is used in MAC (Message Authentication Code) for ensuring authenticity?

Symmetric keys

What is the purpose of multi-factor authentication?

To enhance security by requiring multiple forms of verification.

How does token authentication differ from traditional username/password methods?

It allows for stateless session management.

Which of the following statements about HTTP Digest authentication is accurate?

It enhances security by hashing the credentials.

What are the three components of a JWS?

Header, Payload, Signature

What is the correct structure of a JWS?

header.payload.signature

Which character is used in base64url encoding instead of '+'.

What is true about padding in base64url?

Padding is optional.

How many alphanumeric characters are used in base64url encoding?

62

What is the purpose of using base64url encoding?

To make binary data URL safe.

Which punctuation mark is unreserved and can be used as a separator in base64url?

.

Which of the following is NOT true regarding the base64url character set?

• is included as a valid character.

What does the server respond with when it requires authentication using HTTP Basic?

401 Unauthorized

What is sent in the Authorization header for HTTP Basic authentication?

User and password encoded in base64

What is a primary vulnerability of HTTP Basic authentication when used without SSL/TLS?

Unencrypted transmission of user credentials

What is the main mechanism behind HTTP Digest authentication?

Challenge-response mechanism

What does HA1 represent in the context of HTTP Digest authentication?

MD5 hash of username, realm, and password

Which of the following is NOT a feature of HTTP Digest authentication?

User credentials sent as plain text

What is a limitation of HTTP Digest authentication?

It does not prevent security downgrading

What does HMAC stand for in the context of authentication?

Hash-based Message Authentication Code

What is the purpose of including the body in HMAC authentication?

To ensure data integrity and prevent data tampering

In token authentication, what does the client need to do before receiving a token?

Authenticate using a secret/password

What format does a JSON Web Token (JWT) represent?

A set of claims as a JSON object

How can a client renew a token in token authentication?

Using a refresh token

What does JSON Web Signature (JWS) secure?

Content secured with digital signatures or MACs

What is included in the Authorization header when using a Bearer token?

The access token

What is the role of the hashing algorithm in HMAC authentication?

To generate a fixed-size hash for data verification

Which of the following best describes a characteristic of token authentication?

Tokens can be revoked if necessary

What is the primary purpose of JSON Web Encryption (JWE)?

To encrypt data end-to-end

Which role is NOT part of the OAuth2 framework?

Service provider

What does the Client Credentials Grant imply?

The client acts as the resource owner.

What is a consequence of not using a JWT for authorization?

The Resource Server must look up token details.

Which of the OAuth2 grant types is specifically for server applications?

Authorization Code Grant

Which statement accurately reflects the role of JSON Web Key (JWK)?

It provides a JSON representation of a cryptographic web key.

What is a primary feature of OAuth2's authorization process?

It enables resource access on behalf of a resource owner.

What is a notable aspect of using a JWT for authorization?

It reduces server load for token verification.

What type of application typically utilizes the Implicit Grant in OAuth2?

Client applications using JavaScript

Which of the following statements about multi-factor authentication is true?

It enhances security by requiring multiple forms of identification.

What is the primary purpose of the WebAuthn API?

To authenticate using public key cryptography.

What does OpenID Connect provide when used with OAuth 2.0?

Single-sign-on capabilities.

Which of the following is a characteristic feature of the Universal 2nd Factor (U2F)?

It interfaces with USB and NFC tokens.

How does OpenID differ from OpenID Connect?

OpenID Connect incorporates REST principles, whereas OpenID does not.

Which statement is correct regarding refresh tokens in the Implicit Grant type of OAuth2?

They are not used in the Implicit Grant.

What is an important benefit of using Single Sign-On (SSO)?

It streamlines the login process across various sites.

Study Notes

Web Authentication

• Web Authentication is the process of verifying a user's identity.
  • Authentication verifies who the user is.
  • Authorization defines what actions a user is permitted to take.
• Authentication vs Authorization
  • Authentication determines if the user is who they claim to be.
  • Authentication controls access based on rules and permissions.
• Cryptographic Primitives
  • Hashing is used for integrity, not authentication or non-repudiation.
  • MACs (Message Authentication Codes) provide integrity and authentication, using symmetric keys.
  • Digital signatures offer integrity, authentication, and non-repudiation, relying on asymmetric keys.

HTTP Basic Authentication

• Simplest method, but vulnerable to eavesdropping.
• Server responds with "401 Unauthorized" and requests authentication.
• Client includes a base64-encoded username and password in the header.
• Browser handles this method natively and does not provide customization options.
• Passwords are not encrypted in transit; use SSL/TLS to protect.

HTTP Digest Authentication

• More secure than HTTP Basic.
• Server provides a "nonce" (random value) and a challenge.
• Client computes a response digest based on the server's challenge, including the nonce.
• More complex than HTTP Basic, handled by most modern browsers.

HTTP Digest II

• Simplifies the digest calculation.
• HA1: derived from username, realm, and password using MD5 hash.
• HA2: derived from method and URI.
• Response is based on HA1, nonce, and HA2 (using MD5).
• Bit outdated due to being defined before HMAC.

HMAC Authentication

• Uses a secret key shared between client and server.
• Creates a message authentication code (digest) for the data.
• Allows checking for any data tampering in transit.
• Cryptographic hash algorithm, like SHA-256, is used; and data is encoded.

Token Authentication

• Represents a user's authenticated status.
• Client requests a token after authentication.
• Subsequent requests include the token.
• Can be short- or long-lived.
• Refresh tokens allow renewing a token.
• Revocability is often implemented.
• Authenticates via header field (e.g. "Bearer").

JSON Web Token (JWT)

• A set of claims (information about a user or object) encoded in a JSON payload within a specialized format (JWS or JWE).
• JWT comprises a header, payload, and signature/MAC.
• Simplifies authentication across applications/systems, as it only requires sending the user's token.

JSON Web Signature (JWS)

• Represents digitally signed content.
• Consists of a JOSE header, payload, and signature.
• Signatures provide content integrity and authenticity.
• Uses Base64Url encoding.

base64url Encoding

• Variant of Base64, using URL-safe characters.
• Replaces '+' and '/' with '-' and '_'.
• May omit padding ('=').

JWE, JWK

• JWE: JSON Web Encryption, comparable to JWS but encrypts the data.
• JWK: JSON Web Key, a JSON representation of cryptographic keys, for JWE.
• Enables end-to-end encryption, regardless of transport-layer security (TLS/SSL).

OAuth2 I & II

• Open standard for authorization (allowing one application to access resources for another user).
• Supports delegated access (one user allowing resources to be accessed by another party).
• Different grant types allow for varied use cases (e.g. client credentials, implicit).

Multi-factor Authentication

• Incorporates multiple authentication methods (e.g., something you know, are, or have) for enhanced security.

WebAuthn (Web Authentication)

• Browser API for public-key authentication.
• Leverages security devices like USB tokens or smart cards.

OpenID Connect

• Adds identity verification capabilities on top of OAuth 2.0.
• Enables single sign-on across multiple sites.
• Verifies the user's identity and provides profile information.

Description

Test your knowledge on key concepts of cryptography, focusing on authentication and authorization methods. This quiz covers various cryptographic primitives, digital signatures, and multi-factor authentication. Challenge yourself to understand the nuances between different authentication techniques and their applications.