Reading CISSP Practice in full

17. c. Entropy in an information system is the measure of the disorder or randomness in the system. Passwords need high entropy because a low-entropy password is more likely to be recovered through brute-force attacks.

Salting is the inclusion of a random value in the password hashing process, which greatly decreases the likelihood of identical passwords producing the same hash. Larger salts effectively make the use of rainbow tables (lookup tables) by attackers infeasible, because a separate table would be needed for every possible salt value. Many operating systems implement salted password hashing mechanisms to reduce the effectiveness of password cracking.

Stretching, another technique to mitigate the use of rainbow tables, involves hashing each password and its salt thousands of times. More stretching makes building a rainbow table, and testing each individual guess, proportionally more time-consuming, which is bad for the attacker and good for the defending organization. Rainbow tables are lookup tables that contain precomputed password hashes. Therefore, passwords with high entropy, larger salts, and more stretching mitigate password guessing and cracking attempts by attackers.
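The following is an added example, not code from the book, that makes the three mitigations in answer 17 concrete. Plain SHA-256 stands in for an unsalted hash that a precomputed (rainbow) table can attack; PBKDF2-HMAC-SHA256 is used as one concrete stretching mechanism, with a per-record random salt. The password list, the secret values and the function names are constructed for the example. The 600,000 default iteration count follows OWASP's current PBKDF2-HMAC-SHA256 guidance; the demonstration calls use a smaller count only to run quickly.

```python
import hashlib
import hmac
import os

# Constructed toy password dictionary for illustration; not from the source text.
DICTIONARY = ["123456", "password", "letmein", "qwerty"]

# OWASP's current PBKDF2-HMAC-SHA256 guidance is 600,000 iterations; the demo
# and tests pass a smaller count only to keep them fast.
DEFAULT_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the kind of hash a rainbow table is built against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Stand-in for a rainbow table: precomputed hash -> password for a word list."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, digest_hex: str):
    """Offline attack: a single table lookup recovers any listed password instantly."""
    return table.get(digest_hex)


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted and stretched hash: PBKDF2 re-hashes password+salt `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Store a fresh random 16-byte salt alongside the hash; the salt is not secret."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": stretched_hash(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = stretched_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guess_online(words, record: dict):
    """Attacking a salted, stretched record: no precomputation helps, and every
    guess costs `iterations` hash operations. Returns (recovered password or
    None, number of PBKDF2 evaluations spent)."""
    cost = 0
    for w in words:
        cost += 1
        if verify(w, record):
            return w, cost
    return None, cost


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    print("unsalted hash found in table:", lookup(table, unsalted_hash("letmein")))
    rec = make_record("letmein", iterations=1000)
    print("salted hash found in table:", lookup(table, rec["hash"].hex()))
    print("online guessing against salted record:", guess_online(DICTIONARY, rec))
    print("two records for the same password differ:",
          rec["hash"] != make_record("letmein", iterations=1000)["hash"])
```

The salt defeats the table because the attacker would have to precompute a table per salt value; the iteration count then sets the price of each remaining online guess, so the two mechanisms address different attacks and are used together.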

18. In electronic authentication using tokens, the authenticator in the general case is a function of which of the following?

a. Token secret and salt or challenge

b. Token secret and seed or challenge

c. Token secret and nonce or challenge

d. Token secret and shim or challenge

18. c. The authenticator is generated through the use of a token. In the trivial case, the authenticator may be the token secret itself where the token is a password. In the general case, an authenticator is generated by performing a mathematical function using the token secret and one or more optional token input values such as a nonce or challenge.

A salt is a nonsecret value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker.

A seed is a starting value used to generate initialization vectors. A nonce is an identifier, a value, or a number used only once. Using a nonce as a challenge is a different requirement from using a random challenge, because a nonce need only be unique; it is not necessarily unpredictable (a counter is a valid nonce).

A shim is a layer of host-based intrusion detection and prevention code placed between existing layers of code on a host that intercepts data and analyzes it.
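As an added example (not from the book), the following shows answer 18's general case in code: the authenticator is a mathematical function of the token secret and a challenge, here HMAC-SHA256 chosen as that function. The relying party issues an unpredictable challenge and accepts each one only once, so a captured authenticator cannot be replayed. The token secret, class and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed token secret for illustration (not from the source); in practice it
# is provisioned into the token at issuance and never transmitted.
TOKEN_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def compute_authenticator(token_secret: bytes, challenge: bytes) -> bytes:
    """Token side: authenticator = f(token secret, challenge), with f = HMAC-SHA256.
    Only the keyed hash of the challenge goes over the wire, never the secret."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


class Verifier:
    """Relying-party side: issues a random challenge per attempt and consumes each
    challenge on first use, so a replayed authenticator is rejected."""

    def __init__(self, token_secret: bytes):
        self._secret = token_secret
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)   # unpredictable, and in practice also unique
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, authenticator: bytes) -> bool:
        if challenge not in self._outstanding:
            return False             # never issued, or already consumed (replay)
        self._outstanding.discard(challenge)
        expected = compute_authenticator(self._secret, challenge)
        return hmac.compare_digest(expected, authenticator)


def authenticate(verifier: Verifier, token_secret: bytes):
    """One complete exchange: challenge out, authenticator back, verifier's verdict."""
    challenge = verifier.new_challenge()
    authenticator = compute_authenticator(token_secret, challenge)
    return challenge, authenticator, verifier.check(challenge, authenticator)


if __name__ == "__main__":
    v = Verifier(TOKEN_SECRET)
    c, a, ok = authenticate(v, TOKEN_SECRET)
    print("genuine token accepted:", ok)
    print("replay of captured authenticator accepted:", v.check(c, a))
    print("token with wrong secret accepted:", authenticate(v, bytes(16))[2])
```

If the verifier used a predictable nonce (such as a counter) instead of a random challenge, uniqueness would still prevent replay, but an attacker who can query the token could obtain answers to future challenges in advance; that is the distinction the definition above draws between a nonce and a random challenge.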

19. In electronic authentication, using one token to gain access to a second token is called a:

a. Single-token, multifactor scheme

b. Single-token, single-factor scheme

c. Multitoken, multifactor scheme

d. Multistage authentication scheme

19. b. Using one token to gain access to a second token is considered a single token and a single factor scheme because all that is needed to gain access is the initial token. Therefore, when this scheme is used, the compound solution is only as strong as the token with the lowest assurance level. The other choices are incorrect because they are not applicable to the situation here.

20. As a part of centralized password management solutions, which of the following statements are true about password synchronization?

1. No centralized directory

2. No authentication server

3. Easier to implement than single sign-on technology

4. Less expensive than single sign-on technology

a. 1 and 3

b. 2 and 4

c. 3 and 4

d. 1, 2, 3, and 4

20. d. A password synchronization solution takes a password from a user and changes the passwords on other resources to be the same as that password. The user then authenticates directly to each resource using that password. There is no centralized directory and no authentication server performing authentication on behalf of the resources. The primary benefit of password synchronization is that it reduces the number of passwords that users need to remember; this may permit users to select stronger passwords and remember them more easily. Unlike single sign-on (SSO) technology, password synchronization does not reduce the number of times that users need to authenticate. Password synchronization solutions are typically easier and less expensive to implement than SSO technologies, but also less secure.

21. As a part of centralized password management solutions, password synchronization becomes a single point-of-failure due to which of the following?

a. It uses the same password for many resources.

b. It can enable an attacker to compromise a low-security resource to gain access to a high-security resource.

c. It uses the lowest common denominator approach to password strength.
