CISSP PRACTICE QUESTIONS – 20210112

A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism?
A. A password transmitted in clear text
B. A timestamp encrypted by the hash of the password
C. A nonce from the IdP encrypted by the subject’s private key
D. An attribute sent over TLS/SSL that uniquely identifies the subject

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. An attribute sent over TLS/SSL that uniquely identifies the subject.

An attribute or attribute value of the client cannot authenticate the client to the IdP. A username or employee ID is an identifier, not a secret: it names the subject but proves nothing about who is presenting it, and TLS only protects the value in transit without binding it to the sender. For example, a user submitting a username and employee ID is identified, not authenticated, by the IdP.

  • A password transmitted in clear text is vulnerable to eavesdropping, but it can still authenticate clients because the IdP can verify it against the stored password hash; PAP is a typical example.
  • A timestamp encrypted by the hash of the password requires both the client and the IdP to share the secret: the IdP derives the same key from the stored password hash, decrypts the timestamp and checks that it is recent, which also limits replay. Kerberos pre-authentication (PA-ENC-TIMESTAMP) is a typical example.
  • A nonce from the IdP encrypted by the subject’s private key uses challenge/response together with asymmetric cryptography. The nonce from the IdP is the challenge. If the client encrypts the nonce with its private key as the response (in practice, a digital signature over the nonce), only the paired public key can decrypt or verify it, so the IdP must already hold a trusted binding between that public key and the subject, such as a certificate or a pre-registered key.
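As an added example that is not part of the original post, the Python sketch below plays the IdP side for all four options: it accepts a clear-text password, an encrypted timestamp and a signed nonce from a client that holds the secret, rejects a wrong secret and a stale (replayed) timestamp, and shows that an identifying attribute is accepted no matter who presents it. All names, keys and records are hypothetical; textbook RSA with small fixed primes and an HMAC-derived keystream stand in for real signature and cipher algorithms.

```python
"""Toy identity provider illustrating options A to D from the question.

Added example, not code from the original post. Everything here is hypothetical:
textbook RSA with small fixed primes stands in for a real signature scheme and an
HMAC-derived keystream for the symmetric cipher (Kerberos uses AES). Not production crypto.
"""
import hashlib
import hmac
import os
import secrets
import time


def password_key(password: str, salt: bytes) -> bytes:
    """Salted, stretched password hash; the IdP stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Option A: password in clear text. Exposed on the wire, but the IdP can still
# verify it against the stored hash, so it does authenticate.
def verify_cleartext_password(salt: bytes, stored_key: bytes, presented: str) -> bool:
    return hmac.compare_digest(stored_key, password_key(presented, salt))


# Option B: timestamp encrypted under a key derived from the password hash.
def encrypt_timestamp(key: bytes, ts: int) -> bytes:
    """Toy authenticated encryption: XOR with an HMAC keystream, then an HMAC tag."""
    iv = os.urandom(16)
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(ts.to_bytes(8, "big"), stream))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def verify_encrypted_timestamp(key: bytes, blob: bytes, now: int, skew: int = 300) -> bool:
    iv, ct, tag = blob[:16], blob[16:24], blob[24:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # wrong key: the client does not possess the shared secret
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    ts = int.from_bytes(bytes(a ^ b for a, b in zip(ct, stream)), "big")
    return abs(now - ts) <= skew  # freshness check bounds replay of a captured blob


# Option C: nonce from the IdP signed with the subject's private key.
def rsa_keypair(p: int = 1_000_000_007, q: int = 998_244_353, e: int = 65537):
    """Textbook RSA with fixed tiny primes (hypothetical key, illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def sign_nonce(private_key, nonce: bytes) -> int:
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n, d, n)


def verify_nonce_signature(public_key, nonce: bytes, sig: int) -> bool:
    """Only the paired public key, pre-registered with the IdP, verifies the response."""
    n, e = public_key
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


# Option D: an identifying attribute sent over TLS. The channel hides it in transit,
# but the IdP can only check that the value matches its record; anyone who knows
# the value passes, so this identifies the subject without authenticating it.
def verify_attribute(directory: dict, username: str, employee_id: str) -> bool:
    return directory.get(username) == employee_id


def demo() -> dict:
    """Run each mechanism for the genuine subject and for an impostor."""
    salt = os.urandom(16)
    key = password_key("correct horse", salt)  # constructed sample password
    wrong_key = password_key("battery staple", salt)  # impostor's guess
    pub, priv = rsa_keypair()
    now = int(time.time())
    nonce = secrets.token_bytes(16)  # the IdP's challenge
    directory = {"alice": "E-10042"}  # constructed sample record
    return {
        "A_password": verify_cleartext_password(salt, key, "correct horse"),
        "A_wrong_password": verify_cleartext_password(salt, key, "battery staple"),
        "B_timestamp": verify_encrypted_timestamp(key, encrypt_timestamp(key, now), now),
        "B_wrong_key": verify_encrypted_timestamp(key, encrypt_timestamp(wrong_key, now), now),
        "B_replay_stale": verify_encrypted_timestamp(key, encrypt_timestamp(key, now - 3600), now),
        "C_signed_nonce": verify_nonce_signature(pub, nonce, sign_nonce(priv, nonce)),
        "C_wrong_nonce": verify_nonce_signature(pub, b"other-challenge", sign_nonce(priv, nonce)),
        # The impostor learned alice's employee ID and presents exactly the same bytes.
        "D_attribute_alice": verify_attribute(directory, "alice", "E-10042"),
        "D_attribute_impostor": verify_attribute(directory, "alice", "E-10042"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'accepted' if ok else 'rejected'}")
```

The D case is the point of the question: `verify_attribute` has no input that distinguishes the real subject from an impostor, so the IdP cannot reject anyone who has learned the attribute. In a real deployment the nonce response would be a padded signature (RSA-PSS, ECDSA or similar) over the challenge, and the IdP would check it against a public key bound to the subject by a certificate or prior registration.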

Authentication

Authentication is the process of “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.” (FIPS 200)

  • A credential binds the subject’s identity to the authenticator, which contains the secret. A subject is authenticated by proving possession and control of the authenticator, by presenting the credential, or even by directly submitting the secret.
  • Identity is “the set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.” (NIST SP 800-161)

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

