Reading CISSP Practice in full

c. Signed credentials are stored as unsigned data.

d. Unsigned credentials are stored as signed data.

12. b. Electronic credentials are digitally signed objects, so their integrity can be verified by any party that holds the signer's public key, even when they are served from an untrusted store. Only when the directory or database server is itself trusted may credentials be stored as unsigned data.

13. In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is untrusted?

a. Self-authenticating

b. Authentication to the relying party

c. Authentication to the verifier

d. Authentication to the credential service provider

13. a. When electronic credentials are stored in a directory or database server, the directory or database may be an untrusted entity, because the data it supplies is self-authenticating: the credentials are signed objects whose integrity the verifier checks for itself. Alternatively, the directory or database server may be a trusted entity that authenticates itself to the relying party or verifier, but not to the CSP.

14. The correct flows and proper interactions between parties involved in electronic authentication include:

a. Applicant⇒Registration Authority⇒Subscriber⇒Claimant

b. Registration Authority⇒Applicant⇒Claimant⇒Subscriber

c. Subscriber⇒Applicant⇒Registration Authority⇒Claimant

d. Claimant⇒Subscriber⇒Registration Authority⇒Applicant

14. a. The correct flows and proper interactions between the various parties involved in electronic authentication include the following:

An individual applicant applies to a registration authority (RA) through a registration process to become a subscriber of a credential service provider (CSP)

The RA identity-proofs the applicant

On successful identity proofing, the RA sends the CSP a registration confirmation message

A secret token and a corresponding credential are established between the CSP and the new subscriber for use in subsequent authentication events

The party to be authenticated is called a claimant (subscriber) and the party verifying that identity is called a verifier

The other three choices are incorrect because they do not represent the correct flows and proper interactions.

15. In electronic authentication, which of the following represents the correct order of passing information about assertions?

a. Subscriber⇒Credential Service Provider⇒Registration Authority

b. Verifier⇒Claimant⇒Relying Party

c. Relying Party⇒Claimant⇒Registration Authority

d. Verifier⇒Credential Service Provider⇒Relying Party

15. b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber (i.e., the claimant). Assertions may be digitally signed objects, or they may be obtained from a trusted source by a secure protocol. When the verifier and the relying party are separate entities, the verifier conveys the result of the authentication protocol to the relying party, and the object it creates for that purpose is the assertion. The credential service provider and the registration authority are not part of the assertion process.
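The two mechanisms behind questions 12, 13 and 15 are the same one: a signed object whose integrity anyone holding the signer's public key can check, so the store it came from (question 13) and the channel it crossed (question 15) need not be trusted. The following is an added example written for this page, not code from the book or from any CSP product. It uses Ed25519 from Go's standard library; the Credential and Assertion field names, the hostnames, the fixed clock value and the tamper helper are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the object a CSP issues once registration succeeds: it binds
// the subscriber's identifier to the public half of the subscriber's token.
// Field names are assumptions made for this example, not a standard format.
type Credential struct {
	Subscriber string `json:"sub"`
	TokenPub   []byte `json:"token_pub"`
	Issuer     string `json:"iss"`
	NotAfter   int64  `json:"exp"` // Unix seconds
}

// Assertion is what the verifier hands to a relying party after a successful
// authentication protocol run with the claimant.
type Assertion struct {
	Subscriber string `json:"sub"`
	Verifier   string `json:"iss"`
	Audience   string `json:"aud"` // the relying party this assertion is meant for
	NotAfter   int64  `json:"exp"`
}

// Signed carries an object's JSON encoding plus an Ed25519 signature over it.
// Anyone with the signer's public key can check it, wherever it was stored.
type Signed struct {
	Payload   []byte
	Signature []byte
}

func newSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sign(priv ed25519.PrivateKey, v any) Signed {
	payload, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// verifyInto checks the signature first and only then decodes the payload.
func verifyInto(pub ed25519.PublicKey, s Signed, out any) error {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return errors.New("signature check failed: altered, or not issued by this signer")
	}
	return json.Unmarshal(s.Payload, out)
}

// tamper simulates an untrusted directory editing a credential it stores.
func tamper(s Signed, from, to string) Signed {
	return Signed{Payload: bytes.ReplaceAll(s.Payload, []byte(from), []byte(to)), Signature: s.Signature}
}

// checkCredential is what a verifier does with a credential fetched from a
// directory it does not trust: validity rests on the CSP's signature alone.
func checkCredential(cspPub ed25519.PublicKey, s Signed, now int64) (Credential, error) {
	var c Credential
	if err := verifyInto(cspPub, s, &c); err != nil {
		return Credential{}, err
	}
	if now > c.NotAfter {
		return Credential{}, errors.New("credential expired")
	}
	return c, nil
}

// checkAssertion is what a relying party does with an assertion from a
// separate verifier: signature, then intended audience, then lifetime.
func checkAssertion(verifierPub ed25519.PublicKey, s Signed, rp string, now int64) (Assertion, error) {
	var a Assertion
	if err := verifyInto(verifierPub, s, &a); err != nil {
		return Assertion{}, err
	}
	if a.Audience != rp {
		return Assertion{}, errors.New("assertion was issued for a different relying party")
	}
	if now > a.NotAfter {
		return Assertion{}, errors.New("assertion expired")
	}
	return a, nil
}

func main() {
	const now int64 = 1_700_000_000 // fixed clock, an assumption for the walkthrough
	cspPub, cspPriv := newSigner()
	verPub, verPriv := newSigner()
	tokenPub, _ := newSigner() // subscriber's token; its private half stays with the subscriber

	directory := map[string]Signed{} // stands in for an untrusted LDAP/database server
	directory["alice"] = sign(cspPriv, Credential{Subscriber: "alice", TokenPub: tokenPub, Issuer: "csp.example", NotAfter: now + 86400})

	_, err := checkCredential(cspPub, directory["alice"], now)
	fmt.Println("credential served by untrusted directory:", err)
	_, err = checkCredential(cspPub, tamper(directory["alice"], "alice", "mallory"), now)
	fmt.Println("credential after directory tampering:", err)

	asrt := sign(verPriv, Assertion{Subscriber: "alice", Verifier: "verifier.example", Audience: "rp.example", NotAfter: now + 300})
	_, err = checkAssertion(verPub, asrt, "rp.example", now)
	fmt.Println("assertion at the intended relying party:", err)
	_, err = checkAssertion(verPub, asrt, "other-rp.example", now)
	fmt.Println("assertion replayed at another relying party:", err)
}
```

The relying party never contacts the CSP or the RA (question 15's point): it needs only the verifier's public key, and the audience and expiry checks are what stop a valid assertion from being replayed elsewhere or later.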

16. From an access control viewpoint, which of the following are restricted access control models?

1. Identity-based access control policy

2. Attribute-based access control policy

3. Bell-LaPadula access control model

4. Domain type enforcement access control model

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

16. c. Both the Bell-LaPadula model and the domain type enforcement model are restricted access control models; they are employed in safety-critical systems, such as military and airline systems. In a restricted model, the access control policies are expressed only once by a trusted principal and are fixed for the life of the system. Identity-based and attribute-based access control policies are not restricted models: their access decisions are based on identities and attributes, respectively.

17. Regarding password guessing and cracking threats, which of the following can help mitigate such threats?

a. Passwords with low entropy, larger salts, and smaller stretching

b. Passwords with high entropy, smaller salts, and smaller stretching

c. Passwords with high entropy, larger salts, and larger stretching

d. Passwords with low entropy, smaller salts, and larger stretching
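Each of the three knobs in question 17 raises a guessing or cracking attacker's cost in a different way: entropy sets the size of the space to search, a random per-user salt makes precomputed tables useless and forces every user to be attacked separately, and stretching multiplies the cost of each guess. The following is an added example written for this page, not code from the book. PBKDF2-HMAC-SHA256 is written out with Go's standard library so the stretching loop is visible; the Record layout, the salt length, the sample passwords and the iteration counts in main are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math"
)

// entropyBits is the guessing entropy of a password chosen uniformly at
// random: `length` characters from an alphabet of `alphabetSize` symbols.
func entropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// crackWork estimates the PRF evaluations an attacker needs on average to
// find one password: half the keyspace, each guess costing `iterations`.
func crackWork(bits float64, iterations int) float64 {
	return math.Exp2(bits-1) * float64(iterations)
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// stretching is visible: every guess must repeat the inner loop `iterations` times.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)            // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Record is what is stored instead of the password (layout assumed for this example).
type Record struct {
	Salt       []byte
	Iterations int
	Hash       []byte
}

// hashPassword draws a fresh random salt per record, so two users with the
// same password get unrelated hashes and a precomputed table matches neither.
func hashPassword(password string, saltLen, iterations int) Record {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Record{Salt: salt, Iterations: iterations, Hash: pbkdf2SHA256([]byte(password), salt, iterations, 32)}
}

// verifyPassword recomputes with the stored salt and cost; the constant-time
// compare keeps the comparison from leaking how many bytes matched.
func verifyPassword(password string, r Record) bool {
	candidate := pbkdf2SHA256([]byte(password), r.Salt, r.Iterations, len(r.Hash))
	return subtle.ConstantTimeCompare(candidate, r.Hash) == 1
}

func main() {
	fmt.Printf("8 lowercase letters: %.1f bits; 12 printable ASCII: %.1f bits\n", entropyBits(26, 8), entropyBits(95, 12))
	fmt.Printf("average work for a 40-bit password at 1 vs 600000 iterations: %.3g vs %.3g HMAC calls\n",
		crackWork(40, 1), crackWork(40, 600000))
	a := hashPassword("correct horse battery", 16, 600000)
	b := hashPassword("correct horse battery", 16, 600000)
	fmt.Println("same password, different salts:", hex.EncodeToString(a.Hash[:8]), hex.EncodeToString(b.Hash[:8]))
	fmt.Println("verify right / wrong:", verifyPassword("correct horse battery", a), verifyPassword("Correct horse battery", a))
}
```

Stretching only multiplies the cost per guess, so it cannot rescue a low-entropy password; conversely, a high-entropy password gains little from stretching, which is why all three move together. The iteration count should be tuned to the hardware (OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000), and a memory-hard function such as scrypt or Argon2 raises the per-guess cost on GPUs and ASICs further than PBKDF2 can.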
