Like the Kerberos protocol, SESAME is also subject to which of the following?
Answer(s): B
SESAME is an authentication and access control protocol that also supports communication confidentiality and integrity. It provides public key based authentication alongside Kerberos-style authentication, which uses symmetric key cryptography. SESAME supports the Kerberos protocol and adds security extensions such as public key based authentication and an ECMA-style Privilege Attribute Service.
Users under SESAME can authenticate using either symmetric encryption, as in Kerberos, or public key authentication. When symmetric key authentication is used, as in Kerberos, SESAME is vulnerable to password guessing just as Kerberos is: the symmetric key is derived from the password the user typed when logging on to the system, so a simple password could be guessed or compromised. Even though Kerberos or SESAME may be in use, there is still a need for strong password discipline.
The basic mechanism in SESAME for strong authentication is as follows. The user sends a request for authentication to the Authentication Server as in Kerberos, except that SESAME uses public key cryptography for authentication: the client presents its digital certificate and the request is signed with a digital signature. The signature is communicated to the authentication server through the preauthentication fields. Upon receipt of this request, the authentication server verifies the certificate, then validates the signature, and if all is fine the AS issues a ticket granting ticket (TGT) as in Kerberos. This TGT is used to communicate with the Privilege Attribute Server (PAS) when access to a resource is needed. Users may authenticate using either a public key pair or a conventional (symmetric) key.
If public key cryptography is used, public key data is transported in preauthentication data fields to help establish identity. Kerberos uses tickets for authenticating subjects to objects; SESAME uses Privileged Attribute Certificates (PACs), which contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the trusted authentication server, which is referred to as the Privilege Attribute Server (PAS). The PAS holds a role similar to that of the KDC within Kerberos. After a user successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present to the resource he is trying to access.
http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 43.
RADIUS incorporates which of the following services?
Answer(s): D
A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. RADIUS authentication is based on the provision of simple username/password credentials. These credentials are encrypted by the client using a shared secret between the client and the RADIUS server.
OIG 2007, Page
RADIUS incorporates an authentication server and can make use of both dynamic and static passwords. Since it uses the PAP and CHAP protocols, it also includes static passwords. RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (Internet Engineering Task Force) document RFC 2138. The term "RADIUS" is an acronym that stands for Remote Authentication Dial In User Service.
The main advantage of using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access. Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry into the system, the user must both generate this one-time number and provide his or her user ID and password. Although protocols such as RADIUS cannot protect against theft of an authenticated session via some real-time attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active attacks.
RADIUS: Key Features and Benefits
Feature: RADIUS supports dynamic passwords and challenge/response passwords.
Benefit: Improved system security, because passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms.
Feature: RADIUS allows the user to have a single user ID and password for all computers in a network.
Benefit: Improved usability, because the user has to remember only one login combination.
Feature: RADIUS is able to prevent RADIUS users from logging in via login (or ftp); require them to log in via login (or ftp); require them to log in to a specific network access server (NAS); and control access by time of day.
Benefit: Provides very granular control over the types of logins allowed, on a per-user basis.
Feature: The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable.
Benefit: RADIUS gives the system administrator more flexibility in managing which users can log in from which hosts or devices.
Stratus Technology Product Brief, http://www.stratus.com/products/vos/openvos/radius.htm
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 44. Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46.
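The explanation above says the client "encrypts" the credentials with a shared secret. The following is an added illustration, not text or code from the prep guide or from any RADIUS implementation, of how the User-Password attribute is actually hidden in RFC 2138 (the algorithm is unchanged in its successor, RFC 2865): the password is XORed with an MD5 keystream derived from the shared secret and the per-request Request Authenticator. The password, secret and authenticator values in the demo are constructed for the example.

```python
import hashlib
import os


def _xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Client (NAS) side of the RFC 2138 User-Password attribute.

    The password is NUL-padded to a multiple of 16 octets and split into
    16-octet blocks p1, p2, ...  Each block is XORed with an MD5 digest:
        b1 = MD5(S + RA)    c1 = p1 XOR b1
        b2 = MD5(S + c1)    c2 = p2 XOR b2   (and so on)
    where S is the shared secret and RA the 16-octet Request Authenticator
    carried in the Access-Request header.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2138 limits the User-Password to 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = _xor_bytes(padded[i:i + 16], b)
        hidden += c
        prev = c                      # next digest is chained on the ciphertext block
    return bytes(hidden)


def recover_user_password(hidden: bytes, shared_secret: bytes,
                          request_authenticator: bytes) -> bytes:
    """Server side: rebuild the same keystream from the shared secret and the
    Request Authenticator, XOR the blocks back, and strip the NUL padding
    (so a password that itself ends in NUL octets is not round-trippable)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(shared_secret + prev).digest()
        plain += _xor_bytes(c, b)
        prev = c
    return bytes(plain).rstrip(b"\x00")


def demo() -> dict:
    # Constructed sample values; not taken from any real deployment.
    password = b"correct-horse-battery"        # 21 octets -> two 16-octet blocks on the wire
    secret = b"example-shared-secret"
    ra = os.urandom(16)                        # a fresh Request Authenticator for this request
    hidden = hide_user_password(password, secret, ra)
    return {
        "wire_len": len(hidden),
        "server_recovers": recover_user_password(hidden, secret, ra) == password,
        "wrong_secret_recovers": recover_user_password(hidden, b"guess", ra) == password,
        "hidden_equals_plain": hidden == password,
    }


if __name__ == "__main__":
    print(demo())
```

The protection is only as strong as the shared secret: anyone who can capture an Access-Request and knows (or guesses) the secret can run `recover_user_password` exactly as the server does, which is why the secret must be long and random and why RADIUS traffic is normally kept on a protected management network.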
Which of the following protects a password from eavesdroppers and supports the encryption of communication?
Answer(s): A
CHAP is a protocol that uses a three-way handshake. The server sends the client a challenge that includes a random value (a nonce) to thwart replay attacks. The client responds with the MD5 hash of the nonce and the password. Authentication is successful if the client's response is the one the server expected.
Page 450, OIG 2007. CHAP protects the password from eavesdroppers and supports the encryption of communication. KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.
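The three-way handshake described above, as an added example that is not part of the original explanation or of any PPP implementation. It follows the MD5 variant in RFC 1994, where the response is MD5 over the one-octet Identifier, the secret and the challenge (the text above abbreviates this to "the nonce and the password"), and shows why an eavesdropper who records a response gains nothing: the password never crosses the wire and each nonce is consumed after one use. The user name and secrets are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP response per RFC 1994: MD5(Identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server (authenticator) side: holds the shared secrets and the
    outstanding challenges; every challenge is usable exactly once."""

    def __init__(self, secrets: dict):
        self._secrets = secrets                  # name -> shared secret
        self._outstanding = {}                   # Identifier -> nonce
        self._next_id = 0

    def challenge(self):
        # Step 1: send a fresh random nonce tagged with a one-octet Identifier.
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        nonce = os.urandom(16)
        self._outstanding[ident] = nonce
        return ident, nonce

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        # Step 3: recompute the expected digest and compare in constant time.
        # pop() consumes the nonce, so a recorded response cannot be replayed.
        nonce = self._outstanding.pop(ident, None)
        secret = self._secrets.get(name)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, nonce), response)


class ChapPeer:
    """Client (peer) side: the secret itself never leaves this object."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def respond(self, ident: int, nonce: bytes):
        # Step 2: answer with a digest over the challenge, not with the password.
        return self.name, chap_response(ident, self._secret, nonce)


def run_handshakes() -> dict:
    # Constructed credentials for the example.
    auth = ChapAuthenticator({"alice": b"shared-secret-for-alice"})
    alice = ChapPeer("alice", b"shared-secret-for-alice")
    impostor = ChapPeer("alice", b"wrong-guess")

    ident, nonce = auth.challenge()
    name, resp = alice.respond(ident, nonce)
    genuine = auth.verify(ident, name, resp)

    # An eavesdropper who recorded (ident, resp) replays it: the nonce is spent.
    replay_same_challenge = auth.verify(ident, name, resp)

    # Replaying the recorded response against a fresh challenge fails as well.
    ident2, _nonce2 = auth.challenge()
    replay_new_challenge = auth.verify(ident2, name, resp)

    # A peer that does not know the secret cannot produce the expected digest.
    ident3, nonce3 = auth.challenge()
    wrong_secret = auth.verify(ident3, *impostor.respond(ident3, nonce3))

    return {"genuine": genuine, "replay_same_challenge": replay_same_challenge,
            "replay_new_challenge": replay_new_challenge, "wrong_secret": wrong_secret}


if __name__ == "__main__":
    print(run_handshakes())
```

Note that the server must hold the secret in a form it can feed to MD5, so CHAP trades wire-level protection of the password for a cleartext-equivalent secret store on the authenticator; that store, not the link, becomes the asset to protect.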
The Terminal Access Controller Access Control System (TACACS) employs which of the following?
For networked applications, the Terminal Access Controller Access Control System (TACACS) employs a user ID and a static password for network access.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.
Which of the following is most relevant to determining the maximum effective cost of access control?
The cost of access control must be commensurate with the value of the information that is being protected.
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
Share your comments for the ISC SSCP exam with other users:
a good source for exam preparation
nice questions
i need ielts general training audio guide questions
please make this content available
content is good
latest dumps please
aside from pdf the test engine software is helpful. the interface is user-friendly and intuitive, making it easy to navigate and find the questions.
questions and options are correct, but the answers are wrong sometimes. so please check twice or refer some other platform for the right answer
90% of questions were there but i failed the exam, i marked the answers as per the guide but looks like they are not accurate, if not i would have passed the exam given that i saw about 45 of 50 questions from the dump
answer to this question "what administrative safeguards should be implemented to protect the collected data while in use by manasa and her product management team? " it should be (c) for the following reasons: this administrative safeguard involves controlling access to collected data by ensuring that only individuals who need the data for their job responsibilities have access to it. this helps minimize the risk of unauthorized access and potential misuse of sensitive information. while other options such as (a) documenting data flows and (b) conducting a privacy impact assessment (pia) are important steps in data protection, implementing a "need to know" access policy directly addresses the issue of protecting data while in use by limiting access to those who require it for legitimate purposes. (d) is not directly related to safeguarding data during use; it focuses on data transfers and location.
password lockout being the correct answer for question 37 does not make sense. it should be geofencing.
for question 4, the right answer is: recover automatically from failures
question number 4's answer is 3, option c. i
very good questions
i am confused about the answers to the questions. are the answers correct?
very useful
need certification.
great exam prep
i require dump
good morning, could you please upload this exam again.
hi can you please upload the dumps for sap contingent module. thanks
good questions
looking forward to the real exam
good ones for exam preparation
this is a good experience
hi everyone
waiting for the dump. please upload.
upload cks exam questions
awesome training material
where is dump
q. 289 - the correct answer should be b not d, since the question asks for the most secure way to provide access to an s3 bucket (a single one), and by the principle of least privilege you should not be giving access to all buckets.
please i need if possible h12-831,
good collection of questions and solution for pl500 certification
i would like to appear the exam.