A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism?
A. A password transmitted in clear text
B. A timestamp encrypted by the hash of the password
C. A nonce from the IdP encrypted by the subject’s private key
D. An attribute sent over TLS/SSL that uniquely identifies the subject
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. An attribute sent over TLS/SSL that uniquely identifies the subject.
An attribute or attribute value of the client can’t authenticate the client to the IdP. For example, a user submitting a username and an employee ID won’t be authenticated by the IdP.
- A password transmitted in clear text is vulnerable, but it can still authenticate clients; PAP (Password Authentication Protocol) is a typical example.
- A timestamp encrypted by the hash of the password requires the client and the IdP to share a secret, which the IdP uses to decrypt the timestamp and verify the identity.
- A nonce from the IdP encrypted by the subject’s private key utilizes challenge/response and asymmetric cryptography. The nonce from the IdP is the challenge. If the client encrypts the nonce with its private key as the response, only the paired public key can decrypt it, which proves the client’s possession of the private key.
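As an added illustration that is not part of the original post, the Python below models options B and D with constructed names and values: the IdP can verify a timestamp proof only if the presenter holds the password-derived key, whereas an employee ID can be presented by anyone who knows it. The keyed MAC over the timestamp stands in for the encryption described in option B.

```python
import hashlib
import hmac

# Constructed sample data (not from the original post).
PASSWORD = "correct horse battery staple"       # shared secret known to client and IdP
DIRECTORY = {"alice": "E-1234"}                 # IdP's record: username -> employee ID
MAX_SKEW = 300                                  # seconds of timestamp drift the IdP accepts

def password_key(password: str) -> bytes:
    """Option B: the key is the hash of the password, as the question states."""
    return hashlib.sha256(password.encode()).digest()

def client_timestamp_proof(key: bytes, now: int) -> tuple:
    """Client side of option B. A keyed MAC over the timestamp stands in for
    encrypting it; either way the proof cannot be produced without the key."""
    tag = hmac.new(key, str(now).encode(), hashlib.sha256).hexdigest()
    return now, tag

def idp_verify_timestamp(key: bytes, ts: int, tag: str, now: int) -> bool:
    """IdP side of option B: reject stale timestamps (replay), then check the MAC."""
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = hmac.new(key, str(ts).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def idp_check_attribute(username: str, employee_id: str) -> bool:
    """Option D: the IdP can only confirm the attribute matches its record.
    The value is not a secret, so this identifies the subject but proves nothing
    about who is presenting it."""
    return DIRECTORY.get(username) == employee_id

def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Compare how a legitimate client and an impostor fare under B and D."""
    real_key = password_key(PASSWORD)
    impostor_key = password_key("guessed-password")      # impostor lacks the secret
    ts, tag = client_timestamp_proof(real_key, now)
    bad_ts, bad_tag = client_timestamp_proof(impostor_key, now)
    return {
        "B_legit": idp_verify_timestamp(real_key, ts, tag, now),
        "B_impostor": idp_verify_timestamp(real_key, bad_ts, bad_tag, now),
        "B_replay": idp_verify_timestamp(real_key, ts, tag, now + 3600),
        # The impostor knows Alice's employee ID (it is not secret) and passes.
        "D_legit": idp_check_attribute("alice", "E-1234"),
        "D_impostor": idp_check_attribute("alice", "E-1234"),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:12s} -> {'accepted' if ok else 'rejected'}")
```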
Authentication is the process of “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.” (FIPS 200)
- A credential binds the subject’s identity to the authenticator, which contains the secret. A subject is authenticated by proving possession and control of the authenticator, presenting the credential, or even directly submitting the secret.
- Identity is “the set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.” (NIST SP 800-161)
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
D. An attribute sent over TLS/SSL that uniquely identifies the subject