CISSP PRACTICE QUESTIONS – 20200807

Effective CISSP Questions

You are developing an in-house application with an authentication requirement that user passwords shall not be transmitted on the network. Which of the following is the best solution for clients to authenticate to the server? (Source: Wentz QOTD)
A. Clients encrypt credentials using the server’s public key.
B. The server sends a nonce encrypted by the client’s public key.
C. Clients negotiate a dynamic key with the server through Diffie-Hellman.
D. The server sends a TGT encrypted by its secret key after receiving the client’s ID.


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The server sends a nonce encrypted by the client’s public key.

Zero-knowledge proof

In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.

Source: Wikipedia

Challenge–Response Authentication

In computer security, challenge–response authentication is a family of protocols in which one party presents a question (“challenge”) and another party must provide a valid answer (“response”) to be authenticated.

Source: Wikipedia

Public Key Authentication

The server sends a nonce encrypted with the client's public key as the challenge. If the client can decrypt it with its private key and return the nonce as the response, it proves possession of the private key and is authenticated, while neither the private key nor any password crosses the network. This is challenge–response authentication based on proof of possession, and it is often described as a zero-knowledge proof in the loose sense: the server learns only that the client holds the key. One caveat a practitioner should keep in mind: a client that decrypts whatever ciphertext it is handed and returns the plaintext is a decryption oracle, so the key pair must be dedicated to authentication and never reused to protect other data; deployed protocols such as SSH public-key authentication have the client sign a server-supplied challenge instead of decrypting one.
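The exchange described above, as an added example that is not code from the original post: the server encrypts a fresh random nonce with RSA-OAEP under the client's public key, the client decrypts it with its private key and sends the nonce back, and the server compares in constant time and consumes the nonce so that a captured response cannot be replayed. The client name "alice", the 2048-bit key size, the OAEP label and the impostor key pair are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// label binds the ciphertext to this purpose; OAEP decryption under any other label fails.
var label = []byte("auth-challenge-v1")

// Server holds each enrolled client's public key and the one outstanding nonce per client.
type Server struct {
	clients map[string]*rsa.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{clients: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers a client's public key out of band; no password is stored or ever sent.
func (s *Server) Enroll(id string, pub *rsa.PublicKey) { s.clients[id] = pub }

// Challenge draws a fresh 32-byte nonce and returns it encrypted with RSA-OAEP under the
// client's public key. Only the holder of the matching private key can recover it.
func (s *Server) Challenge(id string) ([]byte, error) {
	pub, ok := s.clients[id]
	if !ok {
		return nil, fmt.Errorf("unknown client %q", id)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, label)
	if err != nil {
		return nil, err
	}
	s.pending[id] = nonce // a newer challenge replaces any older one
	return ct, nil
}

// Verify compares the response with the outstanding nonce in constant time. The nonce is
// consumed whether or not the response is right, so a captured response cannot be replayed.
func (s *Server) Verify(id string, response []byte) bool {
	nonce, ok := s.pending[id]
	delete(s.pending, id)
	return ok && subtle.ConstantTimeCompare(nonce, response) == 1
}

// Respond is the client side: decrypt the challenge with the private key and send the
// nonce back. The private key itself never leaves the client.
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, challenge, label)
}

// Demo runs three cases: the enrolled client, a replay of its earlier response, and an
// impostor holding a different key pair. Both key pairs are generated only for the example.
func Demo() (legit, replay, impostor bool, err error) {
	clientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	srv := NewServer()
	srv.Enroll("alice", &clientKey.PublicKey)

	ch, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	resp, err := Respond(clientKey, ch)
	if err != nil {
		return
	}
	legit = srv.Verify("alice", resp)
	replay = srv.Verify("alice", resp) // same response again: nonce already consumed

	if ch, err = srv.Challenge("alice"); err != nil {
		return
	}
	// OAEP decryption under the wrong key fails outright, so the impostor has nothing to send.
	if resp, derr := Respond(impostorKey, ch); derr == nil {
		impostor = srv.Verify("alice", resp)
	}
	return
}

func main() {
	legit, replay, impostor, err := Demo()
	fmt.Printf("legit=%v replay=%v impostor=%v err=%v\n", legit, replay, impostor, err)
}
```

The client returns the decrypted nonce directly, exactly as the option describes. Because that turns the client into a decryption oracle for anything encrypted under its public key, a production design would either dedicate the key pair to this one purpose or have the client sign the nonce instead, as SSH does.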

Secret Key Authentication

Decrypting a server's message with a pre-shared secret key proves knowledge of that key and therefore authenticates the client as well. A keyed MAC works the same way: HMAC authenticates the origin of data by incorporating a secret key, so a client can answer a server's nonce with HMAC(key, nonce) and never send the key itself.

A TGT implies Kerberos, which does not send the user password to the AS at logon. The TGT itself, however, is encrypted with the secret key of the KDC's ticket-granting service (TGS), so the client cannot decrypt it; it only holds the ticket and presents it later. What authenticates the client is the other part of the AS reply: the TGS session key, encrypted with the client's long-term key, which is derived from the user's password. Only a client that knows the password can decrypt that part (and, with pre-authentication, encrypt the timestamp it sends in the AS request). Option D describes only the TGT, which the client cannot read, so on its own it does not show how the client proves who it is.
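A secret-key proof of the kind described in the two passages above, as an added example that is not from the original post and that models only the password-proving part of the Kerberos AS exchange (the TGT sealed under the TGS key is left out): the client sends just its ID, the AS answers with a session key and a challenge sealed with AES-256-GCM under the client's password-derived key, and the client proves it could open the reply by returning an HMAC over the challenge keyed with the session key. The principal name, password, salt and the keyed-hash key derivation are assumptions made for the example; real Kerberos enctypes derive the long-term key with a PBKDF2-based string-to-key function.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey stands in for Kerberos string-to-key (assumption: a keyed hash of the password;
// real enctypes use PBKDF2-based derivation). Its 32 bytes serve as an AES-256 key.
func deriveKey(password, salt string) []byte {
	mac := hmac.New(sha256.New, []byte(salt))
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

// aead builds AES-256-GCM; keys here are always 32 bytes, so failure is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prefixes a random nonce to the ciphertext; unseal rejects a wrong key or a modified message.
func seal(key, pt []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}
func unseal(key, msg []byte) ([]byte, error) {
	gcm := aead(key)
	if len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// AuthServer models the Kerberos AS: each principal's long-term key and the pending proof.
type AuthServer struct {
	keys, pending map[string][]byte
}

// Reply answers a request that carried only the client ID with a fresh session key and
// challenge sealed under the client's long-term key; the password itself is never on the wire.
func (as *AuthServer) Reply(id string) ([]byte, error) {
	k, ok := as.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown principal %q", id)
	}
	secret := make([]byte, 48) // 32-byte session key followed by a 16-byte challenge
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	as.pending[id] = secret
	return seal(k, secret), nil
}

// tag is the proof of possession: HMAC over the challenge, keyed with the session key.
func tag(secret []byte) []byte {
	mac := hmac.New(sha256.New, secret[:32])
	mac.Write(secret[32:])
	return mac.Sum(nil)
}

// Prove is the client side: derive the key locally, open the reply and return the tag.
func Prove(password, salt string, encPart []byte) ([]byte, error) {
	secret, err := unseal(deriveKey(password, salt), encPart)
	if err != nil || len(secret) != 48 {
		return nil, fmt.Errorf("cannot open AS reply: wrong password or tampered message")
	}
	return tag(secret), nil
}

// Verify checks the proof against the pending secret and consumes it, so it cannot be replayed.
func (as *AuthServer) Verify(id string, proof []byte) bool {
	secret, ok := as.pending[id]
	delete(as.pending, id)
	return ok && hmac.Equal(tag(secret), proof)
}

// Run enrolls one principal (constructed sample data) and runs the exchange with the password
// supplied; with a wrong password the client cannot even form a proof.
func Run(password string) (bool, error) {
	const id, realPw, salt = "alice", "correct horse battery staple", "EXAMPLE.COMalice"
	as := &AuthServer{map[string][]byte{id: deriveKey(realPw, salt)}, map[string][]byte{}}
	encPart, err := as.Reply(id)
	if err != nil {
		return false, err
	}
	proof, err := Prove(password, salt, encPart)
	return err == nil && as.Verify(id, proof), nil
}
```

Run("correct horse battery staple") returns true and Run("wrong password") returns false. One caveat the model makes visible: a reply sealed under the password-derived key is handed to anyone who names the principal, so an attacker can collect one and guess passwords against it offline. That is why Kerberos 5 requires pre-authentication, in which the client first proves it can encrypt a timestamp under its key before the AS issues the reply.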

Password Authentication

Password authentication means the user's password itself is sent, in plaintext or in ciphertext, to the authentication server, which compares it with what it has stored.

  • Encrypting credentials with the server's public key adds confidentiality only: the password is still transmitted on the network, just in encrypted form.
  • Negotiating a dynamic key with the server through Diffie-Hellman gives the client a secret key with which to encrypt the password, but the password still has to be transmitted on the network.

You are developing an in-house application with an authentication requirement that user passwords must not be transmitted on the network. Which of the following is the best solution for clients to authenticate to the server?
A. Clients encrypt credentials using the server's public key.
B. The server sends a nonce encrypted with the client's public key.
C. Clients negotiate a dynamic key with the server through Diffie-Hellman.
D. After receiving the client's ID, the server sends a TGT encrypted with its secret key.


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
