11. For electronic authentication, which of the following is not an example of assertions?

a. Cookies

b. Security assertions markup language

c. X.509 certificates

d. Kerberos tickets

11. c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may be digitally signed objects, or they may be obtained from a trusted source by a secure protocol. X.509 certificates are examples of electronic credentials, not assertions. Cookies, security assertions markup language (SAML), and Kerberos tickets are examples of assertions.

12. In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is trusted?

a. Signed credentials are stored as signed data.

b. Unsigned credentials are stored as unsigned data.

c. Signed credentials are stored as unsigned data.

d. Unsigned credentials are stored as signed data.

12. b. Electronic credentials are digitally signed objects, in which case their integrity is verified. When the directory or database server is trusted, unsigned credentials may be stored as unsigned data.

13. In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is untrusted?

a. Self-authenticating

b. Authentication to the relying party

c. Authentication to the verifier

d. Authentication to the credential service provider

13. a. When electronic credentials are stored in a directory or database server, the directory or database may be an untrusted entity because the data it supplies is self-authenticated. Alternatively, the directory or database server may be a trusted entity that authenticates itself to the relying party or verifier, but not to the CSP.

14. The correct flows and proper interactions between parties involved in electronic authentication include:

a. Applicant⇒Registration Authority⇒Subscriber⇒Claimant

b. Registration Authority⇒Applicant⇒Claimant⇒Subscriber

c. Subscriber⇒Applicant⇒Registration Authority⇒Claimant

d. Claimant⇒Subscriber⇒Registration Authority⇒Applicant

14. a. The correct flows and proper interactions between the various parties involved in electronic authentication include the following:

An individual applicant applies to a registration authority (RA) through a registration process to become a subscriber of a credential service provider (CSP)

The RA identity proofs that applicant

On successful identity proofing, the RA sends the CSP a registration confirmation message

A secret token and a corresponding credential are established between the CSP and the new subscriber for use in subsequent authentication events

The party to be authenticated is called a claimant (subscriber) and the party verifying that identity is called a verifier

The other three choices are incorrect because they do not represent the correct flows and proper interactions.

15. In electronic authentication, which of the following represents the correct order of passing information about assertions?

a. Subscriber⇒Credential Service Provider⇒Registration Authority

b. Verifier⇒Claimant⇒Relying Party

c. Relying Party⇒Claimant⇒Registration Authority

d. Verifier⇒Credential Service Provider⇒Relying Party

15. b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber (i.e., claimant). These assertions are used to pass information about the claimant from the verifier to a relying party. Assertions may be digitally signed objects or they may be obtained from a trusted source by a secure protocol. When the verifier and the relying parties are separate entities, the verifier conveys the result of the authentication protocol to the relying party. The object created by the verifier to convey the result of the authentication protocol is called an assertion. The credential service provider and the registration authority are not part of the assertion process.

16. From an access control viewpoint, which of the following are restricted access control models?

1. Identity-based access control policy

2. Attribute-based access control policy

3. Bell-LaPadula access control model

4. Domain type enforcement access control model

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

16. c. Both the Bell-LaPadula model and domain type enforcement model uses restricted access control models because they are employed in safety-critical systems, such as military and airline systems. In a restricted model, the access control policies are expressed only once by a trusted principal and fixed for the life of the system. The identity-based and attribute-based access control policies are not based on restricted access control models but based on identities and attributes respectively.

17. Regarding password guessing and cracking threats, which of the following can help mitigate such threats?

a. Passwords with low entropy, larger salts, and smaller stretching

b. Passwords with high entropy, smaller salts, and smaller stretching

c. Passwords with high entropy, larger salts, and larger stretching

d. Passwords with low entropy, smaller salts, and larger stretching

17. c. Entropy in an information system is the measure of the disorder or randomness in the system. Passwords need high entropy because low entropy is more likely to be recovered through brute force attacks.

Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. Larger salts effectively make the use of Rainbow Tables (lookup tables) by attackers infeasible. Many operating systems implement salted password hashing mechanisms to reduce the effectiveness of password cracking.

Stretching, which is another technique to mitigate the use of rainbow tables, involves hashing each password and its salt thousands of times. Larger stretching makes the creation of rainbow tables more time-consuming, which is not good for the attacker, but good for the attacked organization. Rainbow tables are lookup tables that contain precomputed password hashes. Therefore, passwords with high entropy, larger salts, and larger stretching can mitigate password guessing and cracking attempts by attackers.

18. In electronic authentication using tokens, the authenticator in the general case is a function of which of the following?

a. Token secret and salt or challenge

b. Token secret and seed or challenge

c. Token secret and nonce or challenge

d. Token secret and shim or challenge

18. c. The authenticator is generated through the use of a token. In the trivial case, the authenticator may be the token secret itself where the token is a password. In the general case, an authenticator is generated by performing a mathematical function using the token secret and one or more optional token input values such as a nonce or challenge.