Review Questions

advertisement
Chapter 8
Review Questions
1. A wireless LAN requires that the _____ must be authenticated first.
a. supplicant
b. authenticator
c. authentication server
d. user
2. Each of the following make up the AAA elements in network security except
a. determining user need (analyzing)
b. controlling access to network resources (authentication)
c. enforcing security policies (authorization)
d. auditing usage (accounting)
3. Each of the following are categories of credentials that are used to verify
authentication except
a. something the user knows
b. something the user purchases
c. something the user is
d. something the user has
4. Each of the following human characteristics can be used for biometric
identification except
a. fingerprint
b. face
c. iris
d. weight
5. Asymmetric encryption uses _____ keys.
a. two
b. three
c. four
d. five
6. Digital signatures are electronic files that are used to uniquely identify users and
resources over networks. True or False?
7. Some organizations set up a subordinate server, called a registration authority
(RA), to handle some certification authority (CA) tasks such as processing
certificate requests and authenticating users. True or False?
8. The most common type of server used with IEEE 802.1x is a RADIUS server.
True or False?
9. A directory service is a database stored on the network itself and contains all the
information about users and network devices. True or False?
10. A disadvantage of the Lightweight Directory Access Protocol (LDAP) is that is
can only be used on Windows-based computers. True or False?
11. A(n) _____ uses local authentication with one or more RADIUS servers at each
site, yet the authentication database is replicated from one central site to each
local site. distributed autonomous site deployment
12. The _____ is an “envelope” that can carry many different kinds of exchange data
used for authentication, such as a challenge/response, one-time passwords, and
digital certificates. Extensible Authentication Protocol (EAP).
13. _____ is considered an acceptable protocol for use in a wired network but not for
a WLAN because outsiders can easily determine the identities of wireless devices
by sniffing packets and password hashes. Extended Authentication Protocol–
MD 5 (EAP-MD5)
14. _____ requires that the wireless device and RADIUS server to both prove their
identities to each other by using public key cryptography such as digital
certificates. EAP with Transport Layer Security (EAP-TLS)
15. Instead of issuing digital certificates to all users, _____ and PEAP use Windows
logins and passwords. EAP with Tunneled TLS (EAP-TTLS)
16. Explain how a pairwise master key is created in an access point and wireless
device in a WPA2 Enterprise security model network.
The master key (MK), from which all other keys are formed, is done by the
authentication server. An MK is sent from the authentication server (usually a
RADIUS server) to the authenticator (access point) as part of an acceptance packet.
The MK, which is tied to that specific authentication session, is encrypted within an
EAP packet. The access point forwards this packet directly to the wireless device
without seeing its contents. The device then generates its own PMK. The
authentication server creates the PMK for the authenticator and sends it that
information.
17. What are the three keys that make up the pairwise transient key (PTK)?
The PTK is itself divided into three keys. The first key is the key confirmation key
(KCK). The KCK is used by the EAP key exchanges to provided data origin
authenticity. The second key is the key encryption key (KEK). The KEK is used by
the EAP key exchanges to provide for confidentiality. The third key is the temporal
key, which is used by the data-confidentiality protocols.
18. What is the difference between group keys (GK) and master keys (MK)?
The MKs are used for access point to wireless device transmissions, or unicast
transmissions. When an AP sends the same packet to all wireless devices, known as
a broadcast, MKs are not used. Instead, group keys (GK) are used. The starting
point of the group key hierarchy is the group master key (GMK). The GMK is
simply a random number. A pseudorandom function uses the GMK, the
authenticator's MAC address and a nonce from the authenticator to create a group
temporal key (GTK). The GTK is the value that the wireless deivces uses to decrypt
broadcast messages from APs
19. Describe the four-way handshake.
The exchange of information for the MK is based on a four-way handshake. In the
first message, the authenticator sends the supplicant a random value called a nonce
(known as the ANonce). The supplicant then creates its nonce (the SNonce). At this
point the supplicant can now calculate the PTK (the authenticator has already
received its PTK from the RADIUS server). Next, the supplicant sends the SNonce
to the authenticator. The authenticator sends the supplicant the security
parameters that it is using when sending out in its beacons and probe responses
(multicast messages). Finally, an authentication packet is sent.
20. How does authorization differ from authentication?
Authorization is the process that determines whether the user has the authority to
carry out such tasks. Authorization is often defined as the process of enforcing
policies; that is, it determines what types or qualities of activities, resources, or
services a user is permitted. Authorization controls access per user after users
authenticate. Before users can be given access a computer and its data, they must in
some way prove that they are who they claim to be. That is, users must give proof
that they are “genuine” or authentic. This process of providing proof is known as
authentication.
Download