Mutual authentication or bidirectional authentication refers to two parties involved in a transaction verifying each other. Which of the following is least likely to employ mutual authentication?
A. A client and server exchange their certificates issued by a trusted certificate authority
B. A web server sends its certificate to the user, who then signs in using his password
C. An 802.1X supplicant sends a user's credentials to the authenticator using EAP-MD5
D. An administrator connects to a remote server through the SSH default authentication
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. An 802.1X supplicant sends a user's credentials to the authenticator using EAP-MD5.
In a client/server setting, mutual authentication requires that the server authenticate to the client and the client to the server. Either side can do so with a certificate or with a username and password; other credentials, such as the pre-shared keys IKE can use, are also possible.
Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time, being a default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
Mutual authentication is of two types:
- Certificate based
- User name-password based
Source: Wikipedia
EAP Comparison
EAP-MD5 does not support mutual authentication by design. The authenticator (or the RADIUS server behind it) sends an MD5 challenge and checks the supplicant's response, but no message in the exchange proves the authenticator's identity to the supplicant, and the method derives no keying material. RFC 3748 lists it as not providing mutual authentication, which is why it is not used for WPA-Enterprise wireless and why option C is the scenario least likely to employ mutual authentication.
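The one-way nature of EAP-MD5 is easiest to see by running the exchange. The following is an added example for this post, not code from the original page or from any EAP implementation. It simulates the MD5-Challenge method of RFC 3748, which reuses the CHAP computation of RFC 1994 (Response = MD5(Identifier || Secret || Challenge)), with a supplicant, a legitimate authenticator, and a rogue authenticator that knows no passwords. The user name, password and candidate list are constructed for the demonstration.

```python
"""EAP-MD5 challenge/response simulated in pure Python (added example).

Layout follows RFC 3748 section 5.4 / RFC 1994:
    Response = MD5(Identifier || Secret || Challenge)
Only the supplicant ever computes a secret-dependent value, so only the
supplicant gets authenticated. Names and passwords below are constructed.
"""
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response: the single secret-dependent value in the exchange."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Supplicant:
    """802.1X supplicant: answers whatever MD5-Challenge it receives."""

    def __init__(self, identity: str, password: str):
        self.identity = identity
        self.password = password.encode()

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        # Nothing here depends on who issued the challenge, so the supplicant
        # has no way to tell a legitimate authenticator from a rogue one.
        return md5_challenge_response(identifier, self.password, challenge)


class Authenticator:
    """Authenticator / AAA server with a (constructed) user database."""

    def __init__(self, users: dict):
        self.users = users  # identity -> password

    def issue_challenge(self) -> tuple:
        # EAP-Request/MD5-Challenge: a fresh identifier and random challenge.
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, identity: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(identity)
        if secret is None:
            return False
        expected = md5_challenge_response(identifier, secret.encode(), challenge)
        return hmac.compare_digest(expected, response)


def run_eap_md5(supplicant: Supplicant, authenticator: Authenticator) -> dict:
    """One EAP-MD5 exchange; reports who ended up authenticated to whom."""
    identifier, challenge = authenticator.issue_challenge()   # Request/MD5-Challenge
    response = supplicant.respond(identifier, challenge)      # Response/MD5-Challenge
    accepted = authenticator.verify(supplicant.identity, identifier, challenge, response)
    return {
        "supplicant_authenticated_to_authenticator": accepted,  # EAP-Success/Failure
        # No message from the authenticator depended on a secret, so the
        # supplicant authenticated nobody. This is the missing half.
        "authenticator_authenticated_to_supplicant": False,
        "transcript": (identifier, challenge, response),
    }


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates) -> str:
    """What a rogue authenticator can do with the captured pair: test guesses
    offline (RFC 3748 notes that EAP-MD5 is vulnerable to dictionary attacks)."""
    for guess in candidates:
        if md5_challenge_response(identifier, guess.encode(), challenge) == response:
            return guess
    return ""


if __name__ == "__main__":
    alice = Supplicant("alice", "correct horse")
    print(run_eap_md5(alice, Authenticator({"alice": "correct horse"})))
    rogue_result = run_eap_md5(alice, Authenticator({}))       # rogue knows no passwords
    ident, chal, resp = rogue_result["transcript"]
    print("rogue recovered:", offline_guess(ident, chal, resp, ["hunter2", "correct horse"]))
```

Contrast this with a method such as EAP-TLS, where the server must present a certificate and sign the handshake before the supplicant sends anything that depends on its own credential; that signature is what gives the supplicant a basis to authenticate the network.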
EAP Use Cases
Certificate-based Mutual Authentication
Option A is certificate-based mutual authentication: the client and the server each present a certificate issued by a trusted certificate authority and prove possession of the corresponding private key. In TLS this is client-certificate authentication (commonly called mTLS); both sides need a certificate to complete the handshake.
Hybrid Mutual Authentication
In scenario B, the web server sends its certificate to the user, who then signs in with a password: the server authenticates to the client with its certificate (one-way TLS), while the client authenticates to the server with a username and password at the application layer. The two directions use different mechanisms, but each party still verifies the other.
SSH Default Authentication
When an SSH client connects to a server for the first time, the server presents its host public key during key exchange and proves possession of the matching private key by signing the exchange hash. The client has no prior record of that key, so it asks the user to confirm the fingerprint (trust on first use) and, if accepted, stores the key in known_hosts; on later connections the presented key is compared against the stored entry, and a mismatch is treated as a possible man-in-the-middle. This is how the SSH server authenticates to the client. The stored host key is used to verify the server's identity, not to encrypt the session; the session keys come from the Diffie-Hellman exchange. The client then authenticates to the server with a password or a public key (or an OpenSSH certificate). Both directions are part of the default SSH flow, so option D does employ mutual authentication.
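The server-authentication half of SSH lives in the client's known_hosts check. The code below is an added example for this post, not OpenSSH's code. It reproduces the two entry formats OpenSSH uses (a plain "host1,host2 keytype key" line, and the hashed "|1|salt|hash| keytype key" form written when HashKnownHosts is on, where the hash is HMAC-SHA1 keyed with the salt over the host name) and the three verdicts a client can reach: the key matches, the host is unknown (trust-on-first-use prompt), or the key differs from the stored one. Host names and key blobs are constructed placeholders, not real keys; the server's signature over the exchange hash, which proves it holds the private key, is outside this snippet.

```python
"""known_hosts lookup as an SSH client performs it (added example, not OpenSSH).

Host names and key blobs are constructed placeholders.
"""
import base64
import hashlib
import hmac
import os

KEY_OK, KEY_UNKNOWN, KEY_MISMATCH = "OK", "UNKNOWN", "MISMATCH"

# Constructed placeholder key blobs (real entries carry the base64 public key).
BASTION_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIBastionPlaceholderKeyAAAAAAAAAAAAAAAAAAA="
DB_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIDatabasePlaceholderKeyAAAAAAAAAAAAAAAAAA="
OTHER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIAttackerPlaceholderKeyAAAAAAAAAAAAAAAAAA="


def hashed_host_field(hostname: str, salt: bytes = b"") -> str:
    """Build the '|1|salt|hash|' field OpenSSH writes with HashKnownHosts yes."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """Match a host field against the name being connected to (plain or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return hostname in field.split(",")


def check_host_key(known_hosts: list, hostname: str, keytype: str, key_b64: str) -> str:
    """Return OK, UNKNOWN or MISMATCH for the key the server just presented."""
    seen_host = False
    for line in known_hosts:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, ktype, key = line.split()[:3]
        if ktype != keytype or not host_field_matches(field, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(key.encode(), key_b64.encode()):
            return KEY_OK
    # A stored key of this type for this host that differs is the MITM warning
    # ("REMOTE HOST IDENTIFICATION HAS CHANGED"); no entry at all is first contact.
    return KEY_MISMATCH if seen_host else KEY_UNKNOWN


def connect(known_hosts: list, hostname: str, keytype: str, key_b64: str,
            trust_first_use: bool = True) -> str:
    """Client decision. With TOFU, an unknown host's key is recorded for next time;
    a MISMATCH is never recorded and the real client refuses to continue."""
    verdict = check_host_key(known_hosts, hostname, keytype, key_b64)
    if verdict == KEY_UNKNOWN and trust_first_use:
        known_hosts.append("%s %s %s" % (hashed_host_field(hostname), keytype, key_b64))
    return verdict


# Constructed known_hosts file: one plain entry, one hashed entry.
CONSTRUCTED_KNOWN_HOSTS = [
    "# constructed sample, not a real known_hosts file",
    "bastion.example.com,192.0.2.10 ssh-ed25519 " + BASTION_KEY,
    hashed_host_field("10.0.0.5") + " ssh-ed25519 " + DB_KEY,
]

if __name__ == "__main__":
    kh = list(CONSTRUCTED_KNOWN_HOSTS)
    print(connect(kh, "bastion.example.com", "ssh-ed25519", BASTION_KEY))  # OK
    print(connect(kh, "bastion.example.com", "ssh-ed25519", OTHER_KEY))    # MISMATCH
    print(connect(kh, "new.example.com", "ssh-ed25519", OTHER_KEY))        # UNKNOWN, then stored
    print(connect(kh, "new.example.com", "ssh-ed25519", OTHER_KEY))        # OK
```

The UNKNOWN verdict is the weak point of trust on first use: whoever answers the first connection gets their key pinned. Pre-populating known_hosts (or using OpenSSH host certificates signed by a CA the client trusts) removes that window.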
Reference
- Mutual authentication
- User Name/Password-Based Mutual Authentication
- What are Your EAP Authentication Options?
- Wireless LAN Security with 802.1x, EAP-TLS, and PEAP
- TLS in the wild: An Internet-wide analysis of TLS-based protocols for electronic communication
- SMTP and Transport Layer Security (TLS) [Tutorial]
- 802.1X Overview and EAP Types
- SSL and SSH
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author's web site.
Mutual authentication or two-way authentication means that both parties in a transaction verify each other's identity. Which of the following is least likely to employ mutual authentication?
A. The client and server exchange certificates issued by a trusted certificate authority
B. A web server sends its certificate to the user, who then logs in with a password
C. An 802.1X supplicant sends the user's account name and password to the authenticator using EAP-MD5
D. An administrator connects to a remote server through SSH's default authentication