Showing posts with label Access Control and Identity Management.

Which one of the following defines APIs for devices such as smart cards that contain cryptographic information?

a. PKCS #11
b. PKCS #13
c. PKCS #4
d. PKCS #2
Answer: A

PKCS #11, the Cryptographic Token Interface Standard, defines an API named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography (ECC) standard. Both answers C and D are incorrect because PKCS #4 and PKCS #2 no longer exist and have been integrated into PKCS #1, the RSA Cryptography Standard.

Which is the best rule-based access control constraint to protect against unauthorized access when admins are off-duty?

a. Least privilege
b. Separation of duties
c. Account expiration
d. Time of day
Answer: D

Time-of-day rules prevent administrative access requests during off-hours when local admins and security professionals are not on duty. Answer A is incorrect because least privilege is a principle of assigning only those rights necessary to perform assigned tasks. Answer B is incorrect because separation of duties aids in identification of fraudulent or incorrect processes by ensuring that action and validation practices are performed separately. Answer C is incorrect because account expiration policies ensure that individual accounts do not remain active past their designated lifespan but do nothing to ensure protections are enabled during admin downtime.

Which type of authorization provides no mechanism for unique logon identification?

a. Anonymous
b. Kerberos
c. TACACS
d. TACACS+
Answer: A

During anonymous access, such as requests to a public FTP server, the unique identity of the requester is not determined and so cannot be used for personalized logon identification. Answers B, C, and D are incorrect because authorization services such as Kerberos, TACACS, and its replacement TACACS+ all verify access requests against a list of authorized credentials and so can log individual visits and identify access request logons.

Which of the following is not true regarding expiration dates of certificates?

a. Certificates may be issued for a week.
b. Certificates are issued only at yearly intervals.
c. Certificates may be issued for 20 years.
d. Certificates must always have an expiration date.
Answer: B

Digital certificates contain a field indicating the date until which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, C, and D are incorrect.

Which of the following is true of digital signatures? (Choose the two best answers.)

a. They are the same as a hash function.
b. They can be automatically time-stamped.
c. They allow the sender to repudiate that the message was sent.
d. They cannot be imitated by someone else.
Answer: D

Digital signatures offer several features and capabilities. This includes being able to ensure the sender cannot repudiate that he or she used the signature. In addition, nonrepudiation schemes are capable of offering time stamps for the digital signature. Answer A is incorrect because hashing algorithms are only used for integrity purposes and only confirm original content. Answer C is incorrect because a key feature of digital signatures is to provide for nonrepudiation.

To check the validity of a digital certificate, which one of the following would be used?

a. Corporate security policy
b. Certificate policy
c. Certificate revocation list
d. Expired domain names
Answer: C

A certificate revocation list (CRL) provides a detailed list of certificates that are no longer valid. A corporate security policy would not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy does not provide information on invalid issued certificates, either; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.