Authentication, authorisation and accountability summary questions

Questions are randomized per student, and you will only receive correct/incorrect feedback for them. In Problem 1, each question has exactly one correct option.

In Problem 2, each student will get at least one correct option, usually more. Problem 2 is accepted when the score is 12 or higher, and points are shown with a yellow background. Unfortunately, Plussa gives “incorrect” feedback for partially correct answers. However, Problem 2 is considered passed if the score is 12 or more. From the score alone, you cannot directly infer whether an individual choice was correct or not. Points start accumulating only after more than half of the choices in the problem are correct.

Question 1

Non-repudiation means that

some action has taken place, there are traces of it, and on that basis the actor is known.

some action has demonstrably broken the system.

some action has demonstrably taken place.

some action is traceable.

Question 2

Tamper resistance of an event record means that

no new events can be written to it.

it is extremely difficult to modify.

it cannot be modified without being noticed.

it cannot disappear.

it has not been touched manually.

Question 3

Access management is

a yes-or-no decision in relation to what the security policy says about the availability of a resource.

the decision determined by the reference monitor for releasing a resource to some authenticated user.

a set of procedures that ensures the confidentiality, integrity, and availability of resources.

focused on deriving automatic access decisions from authentication requirements.

a subset concept of access control.

Question 4

A relying service trusts that

the identity provider does not violate the user’s privacy.

the identity provider does not make changes to its service.

the user has been identified based on attributes and the identity has been verified.

the attributes relating to the user are correct and the user has been identified sufficiently reliably.

Question 5

Identification cannot be based on

a passport.

biometrics.

passwords.

behaviour.

Question 6

Password security

is solely the user’s responsibility.

improves when a hash is stored instead of the password itself.

requires frequent changes and special characters.

improves by using the same password in many services.

Question 7

In biometric authentication

the authentication threshold is exceeded when a suitable number of observations has been made.

the user is authenticated if the feature vector is identical to the model.

the observation is compared with the features stored in the system.

false acceptances do not affect security.

Question 8

Authorisation

means granting access, e.g. to certain users for a certain resource.

is a right granted by access control and based e.g. on a password.

means that obligations have been fulfilled and access granted.

authenticates the user’s electronic identity.

Select the correct statements. You may select one or several options.

Question 1

Authentication requires identification.

Access control precedes authentication.

Authentication can be based on a shared secret.

In two‑factor authentication the user’s devices must meet security requirements.

The subjects presenting access requests to an information system are either users or devices.

Accountability aims at individually tracing the actions of entities.

Separation of duties means that we can distinguish which user performed which action.

Matrix‑based access control is weaker than role-based access control.

A case where the system owner determines its security policy can be seen as reverse access control.

Usage control can be thought of as concerning application-level workflows.

There exist revocation mechanisms for access rights.

Posting submission...