CSE 4380 Chapter 3
If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. Which type of attack is this? A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
H.) Electronic monitoring
Match the assurance level with the description: Level 1 ______, Level 2 ______, Level 3 ______, Level 4 ______. A.) Very high confidence B.) Little confidence C.) Some confidence D.) High confidence
Level 1: B, Level 2: C, Level 3: D, Level 4: A
What are some token-based authentications? A.) Memory cards, smart cards, electronic ID cards B.) Passwords, hashes, encrypted files C.) Passwords, ciphers, hashes D.) Fingerprints, retinas, facial recognition
A.) Memory cards, smart cards, electronic ID cards
A password, a personal identification number (PIN), or answers to a prearranged set of questions are examples of which of the following? A.) Something the individual knows B.) Something the individual possesses C.) Something the individual is (static biometrics) D.) Something the individual does (dynamic biometrics)
A.) Something the individual knows
What are some countermeasures to a specific account attack? A.) Account lockout B.) Long passwords with special characters C.) Double hashing the password file D.) Encrypting the password file
A.) Account lockout
What are some countermeasures to workstation hijacking? A.) Automatically log the user out after inactivity B.) Physical lock on a desk C.) Secure password hashing D.) Keycard
A.) Automatically log the user out after inactivity
An applicant applies to a ______ (RA) to become a subscriber of a credential service provider (CSP). A.) Registration authority B.) Certificate authority C.) Security authority D.) Systems authority
A.) Registration authority
In this model, the ______ is a trusted entity that establishes and vouches for the identity of an applicant to a CSP. A.) Registration authority B.) Certificate authority C.) Security authority D.) Systems authority
A.) Registration authority
The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways: A.) System authorization, privileges, discretionary access control B.) System authorization, privileges, multi-level access control C.) Local authorization, privileges, multi-level access control D.) Network authorization, privileges, multi-level access control
A.) System authorization, privileges, discretionary access control
What are some countermeasures to password guessing against a single user? A.) Training in and enforcement of password policies B.) Training and termination of employees C.) Training of employees and prosecution of hackers D.) Updating password policies and training
A.) Training in and enforcement of password policies
Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords. This is an example of which password technique? A.) User education B.) Computer-generated password C.) Reactive password checking D.) Complex password policy
A.) User education
The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. What type of attack is this? A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
A.) Offline dictionary attack
A widely used line of defense against intruders is the _____ system. A.) Password B.) Encryption C.) Digital envelope D.) Authentication system
A.) Password
What are some countermeasures to a dictionary attack? A.) Prevent unauthorized access to the file, intrusion detection, rapid reissuance of password if compromised B.) Prevent unauthorized access to the file, intrusion detection, account lockout C.) Encrypt the password file, intrusion detection, rapid reissuance of password if compromised D.) Encrypt the password file, intrusion detection, account lockout
A.) Prevent unauthorized access to the file, intrusion detection, rapid reissuance of password if compromised
In older implementations, this value is related to the time at which the password is assigned to the user. Newer implementations use a pseudorandom or random number. A.) Salt B.) Double hash function C.) One-way hash function D.) Encrypted hash
A.) Salt
What are some countermeasures against exploiting user mistakes? A.) User training, intrusion detection, simple password with secondary authentication B.) User training, intrusion detection, more difficult password with secondary authentication C.) User auditing, intrusion detection, simple password with secondary authentication D.) User training, password hashing, simple password with secondary authentication
A.) User training, intrusion detection, simple password with secondary authentication
Salting a hash serves three purposes: A.) Prevents duplicate passwords, increases the difficulty of DDoS attacks, makes it nearly impossible to find whether the password has been used on multiple systems B.) Prevents attacker access, increases the difficulty of dictionary attacks, makes it nearly impossible to find whether the password has been used on multiple systems C.) Prevents duplicate passwords, increases the difficulty of dictionary attacks, makes it nearly impossible to find whether the password has been used on multiple systems D.) Prevents duplicate passwords, increases the difficulty of dictionary attacks, reduces the use of password vaults
C.) Prevents duplicate passwords, increases the difficulty of dictionary attacks, makes it nearly impossible to find whether the password has been used on multiple systems
A _______ strategy is one in which the system periodically runs its own password cracker to find guessable passwords. A.) User education B.) Computer-generated password C.) Reactive password checking D.) Complex password policy
C.) Reactive password checking. The system cancels any passwords that are guessed and notifies the user.
Objects that a user possesses for the purpose of user authentication are called _____. A.) Biometrics B.) Key cards C.) Tokens D.) Dynamic biometrics
C.) Tokens
Our goal, then, is to eliminate guessable passwords while allowing the user to select a password that is memorable. Four basic techniques are in use: A.) System administration, computer-generated passwords, reactive password checking, complex password policy B.) User education, user-generated passwords, reactive password checking, complex password policy C.) User education, computer-generated passwords, reactive password checking, complex password policy D.) User education, computer-generated passwords, proactive password checking, complex password policy
C.) User education, computer-generated passwords, reactive password checking, complex password policy
What are some countermeasures to a popular password attack? A.) Account lockout, encrypted password B.) Long passwords, account lockout C.) Double hashing password, account lockout D.) Prohibit common passwords, scan IP address for authentication
D.) Prohibit common passwords, scan IP address for authentication
The attacker targets a specific account and submits password guesses until the correct password is discovered. A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
B.) Specific account attack
In general, ________ schemes have a history of poor acceptance by users. A.) User education B.) Computer-generated password C.) Reactive password checking D.) Complex password policy
B.) Computer-generated password
One technique that is typically used is to store not the user's password but a ________ of the password. A.) Two-way hash function B.) One-way hash function C.) Encryption D.) Symmetric encryption
B.) One-way hash function
What are some possible approaches to proactive password checking? A.) Rule enforcement, password checker, password filter B.) Rule enforcement, password checker, Bloom filter C.) User training, password checker, Bloom filter D.) User training, password vault, Bloom filter
B.) Rule enforcement, password checker, Bloom filter
An __________ describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity. A.) Security access B.) Security level C.) Assurance level D.) Authentication level
C.) Assurance level
The party to be authenticated is called a claimant and the party verifying that identity is called a verifier. A.) User, authenticator B.) User, certificate authority C.) Claimant, verifier D.) Claimant, certificate authority
C.) Claimant, verifier
The process of verifying an identity claimed by or for a system entity. An authentication process consists of two steps: A.) Identification, password B.) Identification, user name C.) Identification, verification D.) Verification, password
C.) Identification, verification
A variation of the specific account attack that uses common passwords and tries them against a wide range of user IDs. A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
C.) Popular password attack
Recognition by fingerprint, retina, and face are examples of: A.) Something the individual knows B.) Something the individual possesses C.) Something the individual is (static biometrics) D.) Something the individual does (dynamic biometrics)
C.) Something the individual is (static biometrics)
Among the reasons for the persistent popularity of passwords are the following: A.) Server-side hardware, expensive smart cards, single sign-on, password managers B.) Client-side hardware, loss of smart cards, single sign-on, password managers C.) Client-side hardware, expensive smart cards, single sign-on, password managers D.) Client-side hardware, expensive smart cards, single sign-on, network congestion
C.) Client-side hardware, expensive smart cards, single sign-on, password managers
Depending on the details of the overall authentication system, the _______ issues some sort of electronic credential to the subscriber. A.) Security service provider B.) Registration service provider C.) Credential service provider D.) Systems service provider
C.) Credential service provider
In this approach the attacker generates a large dictionary of possible passwords. For each password, the attacker generates the hash values associated with each possible salt value. The result is a mammoth table of hash values known as a ________. A.) Hash code table B.) Rainbow table C.) Dictionary attack D.) Hashed dictionary attack
C.) Dictionary attack
What are some countermeasures against exploiting multiple password use? A.) Password generator B.) Password vault C.) Forbid similar passwords D.) Use of keycard
C.) Forbid similar passwords
The attacker waits until a logged-in workstation is unattended. What type of attack is this? A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
E.) Workstation hijacking
Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user. A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
G.) Exploiting multiple password use
_____ are those in which an adversary attempts to achieve user authentication without access to the remote host or to the intervening communications path. A.) Server attacks B.) Client attacks C.) Remote attacks D.) Distributed attacks
B.) Client attacks
Dealing with false positives and false negatives, user acceptance, cost, and convenience are some of the problems this form of authentication may have. A.) Passwords B.) Biometrics C.) Key tokens D.) Key cards
B.) Biometrics
What are some remote user authentication methods? A.) Memory cards, smart cards, electronic ID cards B.) Passwords, tokens, static and dynamic biometrics C.) Passwords, ciphers, hashes D.) Fingerprints, retinas, facial recognition
B.) Passwords, tokens, static and dynamic biometrics
Risk assessment in the silo of user authentication involves which three concepts? A.) Assurance level, potential impact, realized impact B.) Assurance level, potential impact, areas of risk C.) Areas of risk, potential impact, realized impact D.) Assurance level, areas of risk, realized impact
B.) Assurance level, potential impact, areas of risk
A _______ is a space-efficient probabilistic data structure that is used to test whether a password is a member of a set. A.) Rainbow table B.) Bloom filter C.) Dictionary D.) Distributed hash
B.) Bloom filter
____________ is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic. A.) Message overlay B.) Message authentication C.) Message envelope D.) Message encryption
B.) Message authentication
There are four general means of authenticating a user's identity, which can be used alone or in combination: A.) Something the individual knows, possesses, is, hears B.) Something the individual knows, possesses, is, does C.) Something the individual knows, possesses, is, sees D.) Something the individual knows, possesses, is, shows
B.) Something the individual knows, possesses, is, does. Knows: password; possesses: keycard; is: biometrics; does: dynamic biometrics such as voice pattern
Electronic keycards, smart cards, and physical keys are examples of: A.) Something the individual knows B.) Something the individual possesses C.) Something the individual is (static biometrics) D.) Something the individual does (dynamic biometrics)
B.) Something the individual possesses
The ______ is a data structure that authoritatively binds an identity and additional attributes to a token possessed by a subscriber, and can be verified when presented to the verifier in an authentication transaction. A.) Digital envelope B.) Authentication C.) Service D.) Credential
D.) Credential
What are some biometric-based authentications? A.) Memory cards, smart cards, electronic ID cards B.) Passwords, hashes, encrypted files C.) Passwords, ciphers, hashes D.) Fingerprints, retinas, facial recognition
D.) Fingerprints, retinas, facial recognition
______ is the means by which a user provides a claimed identity to the system. A.) Decryption B.) Encryption C.) Verification D.) Identification
D.) Identification
What countermeasures can be used against rainbow table attacks? A.) Longer password, larger hash length B.) Password vault, longer salt value C.) Non-common passwords and larger hash length D.) Longer salt value and larger hash length
D.) Longer salt value and larger hash length
Often, the hashed passwords are kept in a separate file from the user IDs, referred to as a _______. A.) Password archive B.) Password vault C.) Encrypted password file D.) Shadow password file
D.) Shadow password file
The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
D.) Password guessing against single user
Recognition by voice pattern, handwriting characteristics, and typing rhythm are examples of: A.) Something the individual knows B.) Something the individual possesses C.) Something the individual is (static biometrics) D.) Something the individual does (dynamic biometrics)
D.) Something the individual does (dynamic biometrics)
A user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it. A.) User education B.) Computer-generated password C.) Reactive password checking D.) Complex password policy
D.) Complex password policy
The password and salt serve as inputs to a hashing algorithm to produce a _______ hash code. A.) Packet size length B.) Bitwise length C.) Variable length D.) Fixed length
D.) Fixed length
Attackers are also frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. A.) Offline dictionary attack B.) Specific account attack C.) Popular password attack D.) Password guessing against single user E.) Workstation hijacking F.) Exploiting user mistakes G.) Exploiting multiple password use H.) Electronic monitoring
F.) Exploiting user mistakes
