Effective CISSP Questions

A web server sends an authentication code to the user's mobile phone by SMS after validating the user's credentials. To reduce the web server's workload, the architect has the stateless web server send a cookie containing the authentication code, shifting validation of the code to the browser. To validate the authentication code entered by the user, which of the following is the best design to protect the authentication code in the cookie returned by the web server, in terms of the economy of mechanism principle? (Wentz QOTD)
A. Send the authentication code in plain text to boost performance and scalability
B. Encrypt the authentication code using a proprietary encryption algorithm designed by a security expert
C. Encrypt the authentication code using the Advanced Encryption Standard (AES)
D. Send the unencrypted hash of the authentication code

Kindly be reminded that the suggested answer is for your reference only. Whether you have the right or wrong answer doesn't matter; what really matters is your reasoning process and justifications.

My suggested answer is D. Send the unencrypted hash of the authentication code.

Wentz's book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial on information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

My justification is under development.
