Effective CISSP Questions

You are implementing a wireless network. Which of the following is least likely to be entailed for a subject to authenticate to the access point (AP)?
A. A memorable preshared key
B. The subject’s public key
C. The subject’s private key
D. The subject’s session key

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The subject’s session key.

A session key is used to ensure confidentiality and integrity after a session has been established, i.e., after authentication has completed, if it is required at all. So the subject’s session key is least likely to be entailed for a subject to authenticate to the access point (AP).

Session Keys

  • In communication, a session refers to the period of the conversation between two parties. Messages transmitted in a session can be encrypted using the session key, “a single-use symmetric key used for encrypting all messages in one communication session.” (Wikipedia)
  • In the context of TLS, session keys can broadly refer to the various secrets derived from the master secret, from which can be derived a set of working keys. (RFC 8446)

TLS session keys are derived and used for encryption and for computing message authentication codes (MACs) after authentication. As the following diagram shows, the “client MAC key” and “server MAC key”, which ensure the origin of data, can be viewed as session keys even though they are called MAC keys. As a result, in TLS a session key can serve both encryption and authentication of data.
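To make the "session keys derived from a master secret" idea concrete, the following added example (not code from the original post) derives per-direction write keys, IVs and MAC keys from a master secret using HKDF-Expand (RFC 5869) and the HKDF-Expand-Label construction of RFC 8446, then uses one derived MAC key to protect a record. The labels "c ap traffic", "s ap traffic", "key" and "iv" are the real TLS 1.3 labels; the "mac" label, the 32-byte master secret, the transcript hash and the record contents are constructed for illustration (TLS 1.3 uses AEAD ciphers and has no separate MAC key; the separate MAC key mirrors the TLS 1.2-style diagram the post refers to).

```python
import hashlib
import hmac
import struct


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand as defined in RFC 5869, section 2.3."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label as defined in RFC 8446, section 7.1.

    HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    where label is "tls13 " + Label.
    """
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        struct.pack(">H", length)
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_session_keys(master_secret: bytes, transcript_hash: bytes) -> dict:
    """Derive a working key set for each direction from the master secret.

    Traffic secrets are bound to the handshake transcript (as in TLS 1.3), so a
    different handshake yields different session keys even for the same master secret.
    """
    traffic_secrets = {
        "client": hkdf_expand_label(master_secret, "c ap traffic", transcript_hash, 32),
        "server": hkdf_expand_label(master_secret, "s ap traffic", transcript_hash, 32),
    }
    keys = {}
    for side, ts in traffic_secrets.items():
        keys[f"{side}_write_key"] = hkdf_expand_label(ts, "key", b"", 16)
        keys[f"{side}_write_iv"] = hkdf_expand_label(ts, "iv", b"", 12)
        # "mac" is a constructed label: it illustrates the separate MAC key of the
        # TLS 1.2-style diagram; TLS 1.3 itself relies on AEAD and derives no MAC key.
        keys[f"{side}_mac_key"] = hkdf_expand_label(ts, "mac", b"", 32)
    return keys


def mac_record(mac_key: bytes, sequence_number: int, payload: bytes) -> bytes:
    """Authenticate one record; the sequence number defeats record replay/reordering."""
    return hmac.new(mac_key, struct.pack(">Q", sequence_number) + payload, "sha256").digest()


def verify_record(mac_key: bytes, sequence_number: int, payload: bytes, tag: bytes) -> bool:
    """Constant-time check of a record tag with the peer's MAC key."""
    return hmac.compare_digest(mac_record(mac_key, sequence_number, payload), tag)


if __name__ == "__main__":
    # Constructed sample values; a real master secret comes out of the key exchange.
    master_secret = hashlib.sha256(b"constructed master secret").digest()
    transcript_hash = hashlib.sha256(b"ClientHello...server Finished").digest()
    keys = derive_session_keys(master_secret, transcript_hash)
    for name, value in keys.items():
        print(f"{name:18} {value.hex()}")
    tag = mac_record(keys["client_mac_key"], 0, b"application data")
    print("server verifies client record:", verify_record(keys["client_mac_key"], 0, b"application data", tag))
```

The point for the exam question: every key above exists only after the handshake has produced a master secret, so none of them is what the subject presents in order to authenticate; they are what the subject uses once authentication has succeeded.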

Preshared Key

A preshared key is a preconfigured shared secret commonly used for authentication. An AP allows wireless clients that are configured with the correct preshared key to connect.

Public Key

A public key is typically enclosed in a digital certificate signed and issued by a certificate authority (CA). In a well-established public key infrastructure, a certificate can be used for authentication, e.g., EAP-TLS.

Private Key

Even though a well-established PKI can employ the public key for authentication, proprietary authentication solutions can use the private key to realize “zero-knowledge proof” for authentication.

The public and private keys of an asymmetric key pair are always used together, in tandem. A subject can use its private key to realize a “zero-knowledge proof,” an approach that demonstrates one party possesses or controls a secret, the private key in this case, by some means other than presenting the secret directly.

  • The authentication server commonly sends a challenge (e.g., a random value) to the subject; upon receiving it, the subject encrypts the challenge using its private key and sends the result back. (PS. CHAP uses MD5 to compute a hash value as the response, MD5(ID||secret||challenge).)
  • The authentication server then decrypts the response using the subject’s public key and compares the result with the original challenge value. If they match, the authentication server can conclude that the subject is genuine.
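The two challenge-response flows just described, as an added example that is not part of the original post: a CHAP-style exchange (RFC 1994) in which the response is MD5(ID || secret || challenge), and a private-key exchange in which the subject transforms the challenge with its private key and the server checks it with the subject’s public key. Both sides’ messages are shown. The RSA parameters (n = 3233, e = 17, d = 2753) are the well-known textbook toy values and are used only to make the “encrypt with private key, decrypt with public key” step visible; the user database and secrets are constructed. Real deployments use full-size keys with a padded signature scheme over a hashed challenge, and CHAP’s MD5 is retained here only because it is what the protocol specifies.

```python
import hashlib
import hmac
import secrets


# ---------- CHAP-style shared-secret challenge-response (RFC 1994) ----------

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge), as CHAP specifies."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh challenge per attempt and verifies the response."""

    def __init__(self, secrets_db: dict):
        self.db = secrets_db           # constructed: username -> shared secret
        self.pending = {}              # username -> (identifier, challenge)

    def challenge(self, username: str):
        """Message 1 (server -> subject): unpredictable challenge plus an identifier."""
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, response: bytes) -> bool:
        """Message 3 (server decision). A challenge is consumed on first use,
        so a captured response cannot be replayed against a later challenge."""
        if username not in self.pending or username not in self.db:
            return False
        identifier, challenge = self.pending.pop(username)
        expected = chap_response(identifier, self.db[username], challenge)
        return hmac.compare_digest(expected, response)


def run_chap_exchange(server: ChapAuthenticator, username: str, subject_secret: bytes) -> bool:
    """Full exchange: server challenges, subject answers (message 2), server verifies."""
    identifier, challenge = server.challenge(username)
    response = chap_response(identifier, subject_secret, challenge)
    return server.verify(username, response)


# ---------- Private-key challenge-response (toy textbook RSA, constructed) ----------

TOY_PUBLIC_KEY = (3233, 17)      # (n, e): n = 61 * 53
TOY_PRIVATE_KEY = (3233, 2753)   # (n, d): d = e^-1 mod phi(n), phi(n) = 3120


def private_key_transform(challenge: int, private_key) -> int:
    """Subject: 'encrypt' the challenge with the private key (raw RSA, toy sizes)."""
    n, d = private_key
    return pow(challenge, d, n)


def public_key_check(challenge: int, response: int, public_key) -> bool:
    """Server: 'decrypt' the response with the public key and compare to the challenge."""
    n, e = public_key
    return pow(response, e, n) == challenge


def run_private_key_exchange(public_key, private_key) -> bool:
    """Server picks a random challenge below n, subject answers, server checks."""
    n = public_key[0]
    challenge = secrets.randbelow(n - 2) + 2     # avoid the trivial values 0 and 1
    response = private_key_transform(challenge, private_key)
    return public_key_check(challenge, response, public_key)


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"constructed-shared-secret"})
    print("CHAP, correct secret:", run_chap_exchange(server, "alice", b"constructed-shared-secret"))
    print("CHAP, wrong secret:  ", run_chap_exchange(server, "alice", b"guess"))
    print("private key, genuine subject:", run_private_key_exchange(TOY_PUBLIC_KEY, TOY_PRIVATE_KEY))
    print("private key, wrong key:      ", run_private_key_exchange(TOY_PUBLIC_KEY, (3233, 1234)))
```

What the subject presents in both flows is evidence derived from a preshared secret or from its private key; the server needs only the same shared secret or the subject’s public key to check it. No session key is involved until after this step succeeds.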



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You are building a wireless network. Which of the following is least likely to be needed when a subject authenticates to the access point (AP)?
A. A memorable preshared key
B. The subject’s public key
C. The subject’s private key
D. The subject’s session key

