Читаем CISSP Practice полностью

The CSP is responsible for maintaining the revocation status of credentials and destroying the credential at the end of its life. For example, public key certificates are revoked using certificate revocation lists (CRLs) after the certificates are distributed. The verifier and the CSP may or may not belong to the same entity.

The CSP is responsible for mitigating threats to tokens and credentials and managing their operations. Examples of threats include disclosure, tampering, unavailability, unauthorized renewal or reissuance, delayed revocation or destruction of credentials, and token use after decommissioning.

The other three choices are incorrect because the (i) subscriber is a party who has received a credential or token from a CSP, (ii) relying party is an entity that relies upon the subscriber’s credentials or verifier’s assertion of an identity, and (iii) registration authority (RA) is a trusted entity that establishes and vouches for the identity of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).

8. Which of the following is used in the unique identification of employees and contractors?

a. Personal identity verification card token

b. Passwords

c. PKI certificates

d. Biometrics

8. a. It is suggested that a personal identity verification (PIV) card token is used in the unique identification of employees and contractors. The PIV is a physical artifact (e.g., identity card or smart card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, or digitized fingerprint).

The other three choices are used in user authenticator management, not in user identifier management. Examples of user authenticators include passwords, tokens, cryptographic keys, personal identification numbers (PINs), biometrics, public key infrastructure (PKI) certificates, and key cards. Examples of user identifiers include internal users, external users, contractors, guests, PIV cards, passwords, tokens, and biometrics.

9. In electronic authentication, which of the following produces an authenticator used in the authentication process?

a. Encrypted key and password

b. Token and cryptographic key

c. Public key and verifier

d. Private key and claimant

9. b. The token may be a piece of hardware that contains a cryptographic key that produces the authenticator used in the authentication process to authenticate the claimant. The key is protected by encrypting it with a password.

The other three choices cannot produce an authenticator. A public key is the public part of an asymmetric key pair typically used to verify signatures or encrypt data. A verifier is an entity that verifies a claimant’s identity. A private key is the secret part of an asymmetric key pair typically used to digitally sign or decrypt data. A claimant is a party whose identity is to be verified using an authentication protocol.

10. In electronic authentication, shared secrets are based on which of the following?

1. Asymmetric keys

2. Symmetric keys

3. Passwords

4. Public key pairs

a. 1 only

b. 1 or 4

c. 2 or 3

d. 3 or 4

10. c. Shared secrets are based on either symmetric keys or passwords. The asymmetric keys are used in public key pairs. In a protocol sense, all shared secrets are similar and can be used in similar authentication protocols.

11. For electronic authentication, which of the following is not an example of assertions?

a. Cookies

b. Security assertions markup language

c. X.509 certificates

d. Kerberos tickets

11. c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may be digitally signed objects, or they may be obtained from a trusted source by a secure protocol. X.509 certificates are examples of electronic credentials, not assertions. Cookies, security assertions markup language (SAML), and Kerberos tickets are examples of assertions.

12. In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is trusted?

a. Signed credentials are stored as signed data.

b. Unsigned credentials are stored as unsigned data.