- INFA 610 Midterm Exam (2018 version)
1. List and briefly describe the principal physical characteristics used for biometric identification.
2. What is multi-factor authentication? Why does it provide better protection?
3. What techniques can be used to minimize password cracking?
4. What are the categories of access controls? Define each category.
5. How many keys are required for two people to communicate via a symmetric cipher?
6. What is a public-key certificate? What is the need for public-key certificates?
7. What is the difference between a private key and a secret key?
8. Define the two types of symmetric key cryptography.
9. What are the key features of the RSA algorithm?
10. Why are public-key algorithms usually used just to establish a symmetrically encrypted communications channel?
1. The leadership at Dan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Dan’s best choice?
2. Which objects and subjects have a label in a MAC model?
3. Jeff and Tony would like to begin communicating using a symmetric cryptosystem, but they have no prearranged secret and are not able to meet in person to exchange keys. What algorithm can they use to securely exchange the secret key?
4. Under the Common Criteria, what element describes the security requirements for a product?
5. Which one of the following is not one of the basic requirements for a cryptographic hash function?
6. Samantha recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Samantha create?
7. Laura builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Laura using?
8. David is implementing an access control system for her organization and builds the following array:
9. Which of the following is used only to encrypt data in transit over a network and cannot be used to encrypt data at rest?
10. What access control scheme labels subjects and objects, and allows subjects to access objects when the labels match?
1. Why was it necessary to move beyond DES? Why has it been necessary to move beyond 3DES? Describe the encryption standard used to replace 3DES.
2. As a part of a formal risk assessment of the external server in a small Web design company, you have identified the asset “integrity of the organization’s Web server” and the threat “hacking and defacement of the Web server.” Suggest reasonable values for the items in the risk table for this asset and threat, and provide justifications for your choices.
3. A relatively new authentication proposal is the Secure Quick Reliable Login (SQRL). It is described at https://www.grc.com/sqrl/sqrl.htm. Briefly summarize how SQRL works and indicate how it fits into the categories of types of user authentication. Provide the benefits and identify any possible security issues with SQRL.
4. What is the purpose of evaluating an IT product against a trusted computing evaluation standard?
5. What properties must a hash function have to be useful for message authentication?
6. What are the features of the NIST RBAC standards?
7. Describe three types of password attacks. For each type of attack, provide an example of an authentication technique that can minimize or reduce the likelihood of the attack being successful.
8. What are the challenges of biometrics?
9. Provide a comparison of access control lists (ACL) and capability lists.
10. How is an Internet proxy server related to the Clark-Wilson Security Model?