You are implementing a wireless network. Which of the following is least likely to be entailed for a subject to authenticate to the access point (AP)?
A. A memorable preshared key
B. The subject’s public key
C. The subject’s private key
D. The subject’s session key
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The subject’s session key.
A session key is used to protect traffic (confidentiality and integrity) after a session has been established, that is, after authentication has completed. It is a product of successful authentication rather than an input to it: in WPA2, for example, the pairwise transient key is derived in the 4-way handshake only after the client has proven knowledge of the preshared key (or completed 802.1X/EAP). So the subject’s session key is least likely to be entailed for a subject to authenticate to the access point (AP).
- In communication, a session refers to the period of the conversation between two parties. Messages transmitted in a session can be encrypted using the session key, “a single-use symmetric key used for encrypting all messages in one communication session.” (Wikipedia)
- In the context of TLS, “session keys” broadly refers to the traffic keys derived during the handshake: TLS 1.3 derives them from the handshake and master secrets with HKDF (RFC 8446), and earlier versions derive the working keys from the master secret with the TLS PRF.
TLS 1.2 and earlier derive from the master secret a client and server write key for encryption and a client and server MAC key for the record message authentication code (MAC); TLS 1.3 uses AEAD ciphers, so a single traffic key per direction provides both. The “client MAC key” and “server MAC key” used to ensure the origin and integrity of each record are session keys too, even though they are called “MAC” keys. In TLS terms, then, a session key can serve both encryption and authentication, but it authenticates data within the session; the peer’s identity is authenticated by the handshake (certificates or a PSK) before any traffic key exists.
A preshared key (PSK) is a shared secret configured on both sides in advance and commonly used for authentication. In WPA2-Personal (WPA2-PSK), the memorable passphrase is stretched with PBKDF2 into the pairwise master key, and the AP allows only wireless clients that prove knowledge of that key in the 4-way handshake to connect.
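The passphrase-to-PSK mapping and the AP’s check of it, as an added example (not code from the original post). It follows IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes); PTK = PRF-384 over the two MAC addresses and nonces; the client proves it holds the PMK by placing MIC = HMAC-SHA1(KCK, EAPOL frame)[:16] on handshake message 2 (AES/CCMP). The MAC addresses, nonces and EAPOL payload are constructed sample data; the passphrase/SSID pair is the standard’s own test vector.

```python
"""Added example (not code from the original post): how a memorable WPA2-Personal
passphrase becomes the preshared key an AP checks, and how the AP checks it.
The derivations follow IEEE 802.11i:
  PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))
  MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16]   (AES/CCMP)
The MAC addresses, nonces and EAPOL payload below are constructed sample data."""
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping (802.11i Annex H.4). The result is the 256-bit PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key for CCMP (48 bytes): KCK (16) | KEK (16) | TK (16).
    min/max ordering makes both sides derive the same PTK regardless of role."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for WPA2/AES (key descriptor version 2): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# Constructed sample values standing in for a real association.
SSID = "IEEE"
AP_PASSPHRASE = "password"            # what the AP was configured with
AA = bytes.fromhex("020000000001")    # authenticator (AP) MAC address, constructed
SPA = bytes.fromhex("020000000002")   # supplicant (client) MAC address, constructed
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
MSG2_BODY = b"EAPOL-Key message 2 with its 16-byte MIC field zeroed (constructed)"


def client_message2(passphrase: str) -> bytes:
    """Supplicant side: derive PMK and PTK from its passphrase, MIC message 2 with the KCK."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], MSG2_BODY)


def ap_accepts(mic_from_client: bytes) -> bool:
    """Authenticator side: recompute the MIC from its own PMK. A match proves the client
    holds the same PSK, although the PSK itself was never sent over the air."""
    ptk = wpa2_ptk(wpa2_pmk(AP_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(ptk[:16], MSG2_BODY), mic_from_client)


if __name__ == "__main__":
    print("PMK:", wpa2_pmk(AP_PASSPHRASE, SSID).hex())
    print("correct passphrase accepted:", ap_accepts(client_message2("password")))
    print("wrong passphrase accepted:  ", ap_accepts(client_message2("passw0rd")))
```

The security point the code makes concrete: the AP never learns anything a client sends except the MIC, so knowledge of the PSK is what authenticates; conversely, anyone who captures the handshake can run `wpa2_pmk` over a dictionary offline, which is why the 4096 PBKDF2 iterations and a non-memorable passphrase matter.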
A public key is typically enclosed in a digital certificate signed and issued by a certificate authority (CA). In a well-established public key infrastructure (PKI), certificates can be used for authentication of both the client and the server, e.g., EAP-TLS (RFC 5216) in WPA2-Enterprise.
Even though a well-established PKI verifies the subject with its public key, the subject produces the proof with its private key, and some proprietary authentication solutions use the private key directly to realize what they call a “zero-knowledge proof.”
The public and private keys of an asymmetric key pair are always used together as a tandem. A subject can use its private key to demonstrate that it possesses or controls the secret without ever presenting the secret itself, the private key in this case. Strictly speaking, this challenge-response is a proof of possession; the label “zero-knowledge proof” is applied to it loosely in vendor literature, since a cryptographic zero-knowledge proof has a more demanding definition.
- The authentication server sends a challenge (e.g., a random nonce) to the subject; the subject signs the challenge with its private key (textbook RSA describes this as “encrypting with the private key”) and sends the result back. (PS. CHAP uses a shared secret instead and returns the hash MD5(ID||secret||challenge) as the response; RFC 1994.)
- The authentication server verifies the response with the subject’s public key against the original challenge (in textbook RSA terms, it decrypts the response and compares it with the challenge value). If they match, the server can conclude that the subject controls the private key and is genuine. EAP-TLS performs this step with the TLS CertificateVerify message, in which the client signs the handshake transcript, which includes the server’s random value.
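The two exchanges described above, as an added example (not code from the original post): the CHAP shared-secret response from RFC 1994, and a signature over the challenge that proves possession of a private key. The RSA is textbook (no padding) over two Mersenne primes so it runs with the standard library only; it is a teaching toy for the protocol flow, not a usable signature scheme. All identifiers, secrets and challenges are constructed sample values.

```python
"""Added example (not code from the original post): the challenge-response
described above, in two flavours.
 1. CHAP (RFC 1994), a shared-secret variant: response = MD5(ID || secret || challenge).
 2. Proof of possession of a private key: the subject signs the challenge, the
    server verifies with the public key. The RSA here is textbook (no padding) with
    two Mersenne primes so it runs with the standard library only; it is a teaching
    toy for the protocol flow, not a usable signature scheme.
All identifiers, secrets and challenges are constructed sample values."""
import hashlib
import hmac
import os


# --- 1. CHAP ---------------------------------------------------------------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: hash the one-byte Identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute with the stored secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


# --- 2. Signature over the challenge (toy RSA) -----------------------------
P = 2**31 - 1                      # Mersenne primes; a real key uses a ~2048-bit modulus
Q = 2**61 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def _digest_mod_n(challenge: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign_challenge(challenge: bytes, d: int = D, n: int = N) -> int:
    """Subject side: 'encrypt' the hashed challenge with the private exponent.
    The private key never leaves the subject; only the signature is sent."""
    return pow(_digest_mod_n(challenge, n), d, n)


def verify_challenge(challenge: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Server side: 'decrypt' with the public exponent and compare to the challenge hash."""
    return pow(signature, e, n) == _digest_mod_n(challenge, n)


def run_exchange(subject_secret: bytes, stored_secret: bytes) -> tuple:
    """One CHAP round and one signature round, each with a fresh random challenge
    so that a recorded response cannot be replayed. Returns (chap_ok, signature_ok)."""
    chap_id = 0x2A
    challenge = os.urandom(16)
    chap_ok = chap_verify(chap_id, stored_secret, challenge,
                          chap_response(chap_id, subject_secret, challenge))
    nonce = os.urandom(32)
    sig_ok = verify_challenge(nonce, sign_challenge(nonce))
    return chap_ok, sig_ok


if __name__ == "__main__":
    print(run_exchange(b"correct horse", b"correct horse"))   # (True, True)
    print(run_exchange(b"wrong secret", b"correct horse"))    # (False, True)
```

Note the asymmetry the example exposes: the CHAP authenticator must store the shared secret in a recoverable form to recompute the MD5, whereas the signature verifier stores only the public key, so a compromised server in the second scheme yields nothing that impersonates the subject.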
- Session key
- What Is a Session Key? | Session Keys and TLS Handshakes
- Zero-knowledge proof
- An Overview of Cryptography
- The EAP-TLS Authentication Protocol (RFC 5216)
- The Transport Layer Security (TLS) Protocol Version 1.3 (RFC 8446)
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.