Effective CISSP Questions

Your company implements a website and sells products online. A frequent customer is logging into the system. Which of the following authentication schemes is least likely to be implemented to validate the username and password against the directory that encrypts and stores all customers' passwords? (Wentz QOTD)
A. Claim-based
B. Cleartext-based
C. Ciphertext-based
D. Checksum-based

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Claim-based.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Identity and Access Management

A typical authentication process involves three steps:

  1. A subject professes its identity to an identity provider (IdP).
  2. The IdP validates the username and password against a directory.
  3. The IdP issues a token if the subject is validated.

Claim-based (or assertion-based) authentication implies your website accepts tokens from an external identity provider (IdP) instead of authenticating username and password against the directory on the server. Claims or assertions are typically packaged in a token signed by the issuer, the IdP. Your website as a client relies on the claims issued by the IdP.

Cleartext-based authentication is common. The username and password can be submitted in an HTML form or through the HTTP Basic authentication scheme. Even though the password itself is not encrypted, it is commonly protected by a TLS/SSL session.

Some JavaScript libraries can encrypt the password on the client and post the ciphertext to the backend server, although this is unnecessary when TLS/SSL is used.

The HTTP Digest scheme implements challenge and response. "A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI." (RFC 2617)
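The checksum described in that quotation, computed on both sides of the exchange, as an added example that is not part of the original post. The server only needs HA1 = MD5(username:realm:password) from its directory, not the password itself; the "Mufasa" values are the worked example from RFC 2617 section 3.5, and every other name and value below is constructed.

```python
import hashlib
import secrets
from typing import Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # A1 = username:realm:password. This hash is what a Digest-capable
    # server keeps in its directory instead of the cleartext password.
    return _md5(f"{username}:{realm}:{password}")


def expected_response(h_a1: str, method: str, uri: str, nonce: str,
                      qop: Optional[str] = None, nc: str = "",
                      cnonce: str = "") -> str:
    # A2 = method:uri binds the checksum to the request being made.
    h_a2 = _md5(f"{method}:{uri}")
    if qop is None:
        # Original (RFC 2069-style) form: MD5(HA1:nonce:HA2)
        return _md5(f"{h_a1}:{nonce}:{h_a2}")
    # RFC 2617 form with qop: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return _md5(f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")


def client_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: str = "", cnonce: str = "") -> str:
    # Client side: knows the password, derives HA1 and the response.
    return expected_response(ha1(username, realm, password), method, uri,
                             nonce, qop, nc, cnonce)


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  response: str, qop: Optional[str] = None,
                  nc: str = "", cnonce: str = "") -> bool:
    # Server side: recompute from the stored HA1 and the nonce it issued,
    # then compare in constant time. A response replayed under a
    # different nonce or for a different URI will not match.
    expected = expected_response(stored_ha1, method, uri, nonce,
                                 qop, nc, cnonce)
    return secrets.compare_digest(expected, response)
```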


Your company has built a website that sells products online. A frequent customer is logging in to the system. Which of the following authentication schemes is least likely to validate the username and password against a directory that stores all customers' passwords in encrypted form? (Wentz QOTD)
A. Claim-based
B. Cleartext-based
C. Ciphertext-based
D. Checksum-based
