CITC 2374 Chapter 6


We need to create a three-factor authentication system. The system already uses a USB device that is unlocked with the user's fingerprint. Which of the following can we add to implement three separate factors?

A PIN entered via a built-in PIN pad

Bob lives at home during the summer. His little brother, Tom, is fascinated by computers and with everything his big brother does. Tom loves to watch Bob log in to his summer job's remote site and do things. Tom often goes into Bob's room and looks through his things. Given this, which authentication technique—by itself—resists the risk of Tom masquerading as Bob?

A memorized, hard-to-guess password

Which of the following most effectively resists a trial-and-error guessing attack? All sizes are in terms of decimal digits.

A passive authentication token with a 9-digit base secret

What does authentication do?

Associates an individual with an identity

Kevin wants to attack Bob's computing resources. He is motivated at the "stealth" level. Which of the following attacks might Bob face? Select all that apply.

Borrow Bob's one-time password token
Search for written copies of Bob's passwords

Short Answer: The average attack space estimates the number of guesses required before success is

Likely

The phrases below describe types of authentication factors. Match the type of authentication factor with its description.

Memorized information like a password - Something you know
A biometric measurement - [don't know]
An object containing a base secret, like the magnetic stripe on a cash card - [don't know]

We are trying to protect a household computer. We have implemented password-based authentication to protect sensitive data. Which levels of attacker motivation can this authentication typically protect against in this situation? Select all that apply.

No motivation
Scant motivation
Stealth motivation

There are three types of tokens; which of the following is not a correct type?

Offensive tokens

Which of the following authentication techniques are vulnerable to sniffing attacks that replay the sniffed credential? Select all that apply.

Passwords
Passive tokens
Biometric readers

In a password system, the total number of possible passwords is called the:

Search space

Are base secrets the same as credentials?

Some base secrets are also credentials, while others are not.

Here is a list of features of various authentication tokens. Indicate all that are true for one-time password tokens.

Some tokens use a built-in clock to generate nonces.
Some tokens use a built-in counter to generate nonces.
The authentication credential and the base secret are always identical.

The following are fundamental strategies for authenticating people on computer systems,

Something you make

An attack that blocks access to a system by other users is called:

Denial of service

True or False? Average attack space measures the time until success is certain.

False

True or False? Biometrics are a favored form of authentication, as they are immune to sniffing attacks.

False

True or False? Biometrics have a fault tolerance of 0.

False

True or False? Entropy refers to the strength of a password system.

False

True or False? Offline attacks are easily detected.

False

True or False? Passive tokens are favored, as they are immune to sniffing attacks.

False

True or False? SHA-1024 is the latest hash algorithm.

False

True or False? True randomness is easily achieved with the random function of an application like Excel.

False

True or False? USB tokens are weak because if the public key becomes lost or stolen, the private key can be derived from it.

False

True or False? When selecting a password, random collections of letters contain far less entropy than written words.

False

True or False? When you are biased in selecting a password, you choose your password from the entire search space.

False

Two-factor authentication is using two passwords.

False

Your fingerprint is a "something you have" factor.

False

The phrases below describe types of tokens. Match the type of token with its description.

Transmits credentials that vary according to an unpredictable challenge from the computer - [don't know]
Transmits different credentials based on an internal clock or counter - [don't know]
Transmits the same credential every time - [don't know]

Section 6.1.2 describes doorknob-rattling attacks. This is most similar to which of the following attacks?

Trial and error

True or False? Authentication associates an individual with an identity.

True

In a password system, increasing the work factor results in which of the following? Select all that apply.

Increases the length of the password
Increases the size of the character set from which users choose passwords

True or False? Credit reports are a treasured target among identity thieves.

True

True or False? Dictionary attacks differ from trial and error attacks because dictionary attacks focus on likely passwords.

True

True or False? Keyloggers can be hardware or software based.

True

True or False? Low-hanging fruit refers to the easiest targets in an attack.

True

True or False? The one-way hash is a cryptographic function.

True

True or False? When an attacker is attacking a password system, the average attack space estimates the number of guesses required before success is likely.

True

True or False? When the fault tolerance goes up, so do the false positives.

True

An authentication system that requires the user to provide two different passwords and a fingerprint scan is an example of:

Two-factor authentication

We need to create a three-factor authentication system. The system already requires the user's fingerprint and memorized password. Which of the following can we add to implement three separate factors?

[don't know]

Biometric scanners are often connected by [ BLANK ]; this poses a security risk, as sniffed credentials can be fed down this line.

BLANK = [don't know]

