Getting Ready for Chapter 1 - Answers
1. Bell-LaPadula features:
D. All choices are correct
Explanation: MAC (Mandatory Access Control)
Division (B): Mandatory Protection The notion of a TCB that preserves the integrity of sensitivity labels and uses them to enforce a set of mandatory access control rules is a major requirement in this division. Systems in this division must carry the sensitivity labels with major data structures in the system.35
DAC, or Discretionary Access Control, is by definition optional. The reference to Bell-LaPadula derives from a white paper published in November 1973 by David Elliott Bell and L. J. LaPadula titled Secure Computer Systems: A Mathematical Model. This mathematical treatment is the basis for DoD Class B trusted computer systems.
2. Kerberos features:
A. Scalability for large environments
B. Authentication over untrustworthy networks
C. Asymmetric encryption
D. Creates three session keys
Explanation: Kerberos is an authentication system created by MIT to allow the exchange of private information over an untrusted network.36 Kerberos uses symmetric encryption, and the Authentication Server (AS) creates two temporary session keys.37
A. Uses a three-way handshake
B. Encrypts the process using RC4
C. Repeats the challenge at random intervals
D. Is stronger than Kerberos
Explanation: The Challenge-Handshake Authentication Protocol uses a three-way handshake that is repeated at random intervals.38 Generally speaking,39 Kerberos is more secure than CHAP. Note that both Kerberos40 and CHAP41 have known issues.
4. All SmartCards utilize:
B. SecureID Tokens
D. All choices are correct
Explanation: Basic smart cards have a limited storage capacity (around 16k). A Certificate Authority issues a certificate to the owner of the smart card, which is stored on the card itself. When authentication is required, the user presents the physical smart card (by placing it in a card reader) and supplies a PIN. The PIN unlocks the card and allows the certificates stored on it to be retrieved and checked for authenticity. A biometric reader for the owner's fingerprint is an option, not a requirement.42 Similarly, some smart cards involve the use of SecureID tokens, but this is also optional.
5. A SYN DoS attack operates by:
A. Sending repeated TCP SYNACK packets
B. Sending repeated UDP SYNACK packets
C. Sending repeated TCP SYN packets
D. Sending repeated UDP SYN packets
Explanation: Since TCP uses a 'virtual circuit', the circuit must be set up at the beginning of the conversation. UDP does not require a conversation setup, so neither UDP choice is correct. The SYN attack works by sending SYN requests, not by responding to them.43 This is a consequence of the protocol's design. A normal TCP circuit request involves a three-way handshake: the source system sends the initial SYN, the target system replies to that SYN with a SYNACK, and the source system then replies to the target with a final ACK. When the target system receives a SYN, it sends its SYNACK and keeps the request open for a fixed period, waiting for the final ACK. If the ACK is not received, the request stays open, consuming resources on the target system. If repeated SYNs are sent and never completed with ACKs, this can exhaust the target system's resources and leave it unable to accept additional network connections.
35. DoD 5200.28-STD
39. http://www.ecse.rpi.edu/Homepages/shivkuma/teaching/sp2001/ip2001-Lecture15
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.