Which of the following authentication methods support mutual authentication? Each correct answer represents a complete solution. Choose two.
Answer(s): A,D
Mutual authentication is a process in which a client and a server are each required to prove their identity to the other before any application function is performed. The identities can be verified through a trusted third party using shared secrets, as in the case of Kerberos v5, or through certificates on both sides, as in EAP-TLS. Of the listed methods, MS-CHAP v2 and EAP-TLS support mutual authentication (MS-CHAP v2 adds an authenticator response that the client checks; EAP-TLS performs a TLS handshake in which both peers present certificates).
Which of the following keys is derived from a preshared key and Extensible Authentication Protocol (EAP)?
Answer(s): D
The Pairwise Master Key (PMK) is the highest-order key in the 802.11i key hierarchy. In personal (PSK) mode it is derived directly from the preshared key (PBKDF2 over the passphrase and SSID); in enterprise mode it is exported from an EAP method such as EAP-TLS. It is never used on the air directly; it is a cryptographic key from which the lower-level keys are derived.

Answer option B is incorrect. The Group Temporal Key (GTK) is a random value generated by the authenticator (the access point) and distributed to the stations. It is used to protect broadcast/multicast MAC protocol data units and is derived from the Group Master Key (GMK), not from the PSK or EAP.

Answer option A is incorrect. The Pairwise Transient Key (PTK) is a 64-byte (512-bit) key when TKIP is the pairwise cipher (48 bytes for CCMP, which has no Michael MIC keys). It comprises:
16 bytes of EAPOL-Key Confirmation Key (KCK): used to compute the MIC on WPA EAPOL-Key messages in the 4-way handshake.
16 bytes of EAPOL-Key Encryption Key (KEK): used by the AP to encrypt additional data sent to the client in the 'Key Data' field (for example the GTK).
16 bytes of Temporal Key (TK): used to encrypt/decrypt unicast data packets.
8 bytes of Michael MIC Authenticator Tx Key (TKIP only): used to compute the MIC on unicast data packets transmitted by the AP.
8 bytes of Michael MIC Authenticator Rx Key (TKIP only): used to compute the MIC on unicast data packets transmitted by the station.
The PTK is derived from the PMK, the Authenticator address (AA), the Supplicant address (SPA), the Authenticator nonce (ANonce) and the Supplicant nonce (SNonce) using the 802.11i pseudo-random function (PRF). Because the nonces are fresh for every association, the PTK changes each time even though the PMK stays the same.

Answer option C is incorrect. A private key is the secret half of an asymmetric key pair used in public-key cryptography; it is not derived from a preshared key or from EAP.
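The derivation chain described in the explanation above, written out as an added example (it is not part of the ISSAP question bank): the PMK is computed from a passphrase and SSID with PBKDF2-HMAC-SHA1, the PTK is expanded from the PMK, both MAC addresses and both nonces with the 802.11i PRF, and the result is split into KCK, KEK, TK and (for TKIP) the two Michael MIC keys. The MAC addresses and nonces at the bottom are constructed sample values; the "password"/"IEEE" passphrase pair is the published 802.11i test vector. Only the Python standard library is used.

```python
"""802.11i key hierarchy: PSK -> PMK -> PTK -> {KCK, KEK, TK, [MIC Tx, MIC Rx]}.
Added example; assumes RSN/WPA2 semantics (HMAC-SHA1 based PRF, 4096-round PBKDF2)."""
import hashlib
import hmac

PMK_LEN = 32  # 256-bit Pairwise Master Key


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    (In enterprise mode the PMK is instead exported by the EAP method, e.g. EAP-TLS.)"""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: R = HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    until at least nbits have been produced, then truncate to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> bytes:
    """PTK = PRF-X(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(AN,SN)||Max(AN,SN)).
    X is 512 bits for TKIP (needs the Michael MIC keys) and 384 bits for CCMP."""
    nbits = 512 if cipher == "TKIP" else 384
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes) -> dict:
    """Carve the PTK into the keys listed in the explanation (offsets in bytes)."""
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if len(ptk) == 64:  # TKIP only
        keys["MIC_TX"] = ptk[48:56]  # MIC on unicast frames sent by the AP
        keys["MIC_RX"] = ptk[56:64]  # MIC on unicast frames sent by the station
    return keys


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """What the KCK is for: the MIC over an EAPOL-Key frame (key descriptor version 2,
    HMAC-SHA1 truncated to 128 bits, computed with the MIC field zeroed)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# Constructed sample inputs (not real captures).
AA = bytes.fromhex("001122334455")      # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")     # supplicant (station) MAC
ANONCE = bytes(range(32))               # 32-byte nonces from the 4-way handshake
SNONCE = bytes(range(32, 64))


def demo() -> dict:
    pmk = pmk_from_psk("password", "IEEE")  # published 802.11i test vector
    ptk = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE, cipher="TKIP")
    keys = split_ptk(ptk)
    keys["PMK"] = pmk
    return keys


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7s} {value.hex()}")
```

The min/max ordering of the addresses and nonces is what lets both sides compute the same PTK even though each only knows the order in which it saw the values; an implementation that concatenates AA||SPA directly would produce a PTK on one side that the other cannot verify in the handshake MIC.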
Which of the following schemes is used by the Kerberos authentication?
Answer(s): C
Kerberos authentication uses secret-key (symmetric) cryptography: the Key Distribution Center shares a long-term key with every user and service principal, and tickets and session keys are encrypted under those keys. Kerberos v5 is the authentication method used by Windows operating systems to authenticate users and network services. Windows 2000/2003 and XP clients and servers use Kerberos v5 as the default authentication method. Kerberos replaced NT LAN Manager (NTLM), which was less secure, as the default; NTLM remains only as a fallback. Kerberos uses mutual authentication to verify both the identity of the user and that of the network service, and the process is transparent to users.

Note: Kerberos v5 is not supported on Windows XP Home clients or on any clients that are not members of an Active Directory domain.

Answer option A is incorrect. The core Kerberos protocol does not rely on public key cryptography (public-key initial authentication exists only as the PKINIT extension; the ticket exchange itself is symmetric).

Answer option B is incorrect. A time-synchronized one-time password (OTP) is usually associated with a piece of hardware called a token: each user is given a personal token that generates a one-time password. Inside the token is an accurate clock that has been synchronized with the clock on the authentication server. On these OTP systems time is an essential input to the password algorithm, since each new password is generated from the current time (alone or together with a secret key) rather than from the previous password. The token may be a proprietary hardware device, or a mobile phone or similar device running proprietary, freeware or open-source software.

Answer option D is incorrect. OPIE is the initialism of "One-time Passwords In Everything". OPIE is a mature, Unix-like login and password package installed on the server and the client which makes untrusted networks safer against password-sniffing packet analysers such as dsniff and reduces the value of shoulder surfing, because the same password is never used twice after OPIE is installed; this defeats replay of a captured password. OPIE implements a one-time password (OTP) scheme based on S/Key, which requires a secret passphrase (not echoed) to generate the password for the current session.
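The time-synchronized OTP scheme described under answer option B, as an added example (not part of the question bank): the token and the server both compute HMAC(secret, floor(now / 30 s)) and truncate it to a short decimal code, which is the RFC 4226/6238 HOTP/TOTP construction that most software tokens use. The server side also shows the two checks a practitioner needs: a small clock-skew window, and rejection of a code from a time step that has already been used, so a sniffed code cannot be replayed. The secret "12345678901234567890" is the published RFC test-vector key; the server state and timestamps are constructed.

```python
"""Time-synchronized one-time passwords (HOTP/TOTP, RFC 4226 / RFC 6238).
Added example using only the Python standard library."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP: the counter is the number of whole time steps since the Unix epoch,
    so a token only needs a synchronized clock and the shared secret."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server side. Accepts codes within +/-window steps of its own clock and
    remembers the last accepted step so the same code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1  # highest time step for which a code was accepted

    def verify(self, candidate: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if step <= self.last_step:
                continue  # already consumed: replay or older than an accepted code
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector key (do not reuse)
    now = int(time.time())
    print("token shows:", totp(secret, now))
    print("server accepts:", TotpVerifier(secret).verify(totp(secret, now), now))
```

The window must stay small (one step either side is typical); widening it to absorb badly synchronized clocks multiplies the number of codes an attacker can guess per attempt, which is why real deployments also rate-limit failures and resynchronize the token's offset rather than accept codes from far in the past.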
You are advising a school district on disaster recovery plans. In case a disaster affects the main IT centers for the district they will need to be able to work from an alternate location. However, budget is an issue.Which of the following is most appropriate for this client?
Answer(s): B
A cold site provides office space and, in some cases, basic equipment. However, you will need to bring in systems and restore your data before it can be used, which is a much less expensive solution than a hot site. Answer option D is incorrect. A hot site has equipment installed, configured and ready to use. This makes disaster recovery much faster, but it is also far more expensive, and a school district can afford to be down for several hours before resuming IT operations, so the less expensive option is more appropriate. Answer option A is incorrect. A warm site sits between a hot and a cold site: it has some equipment and connectivity ready. However, it is still significantly more expensive than a cold site and is not necessary for this scenario. Answer option C is incorrect. "Off site" is not a recognized category of alternate recovery site.
Terry commented on May 24, 2023: I can practice for exam.
Rahul Kumar commented on August 31, 2023: need certification.