Deck 23: Internet Authentication Applications

CMP, defined in RFC 2510, is designed to be a flexible protocol ableto accommodate a variety of technical, operational, and business models.

An obvious security risk is that of impersonation.

The principal objective for developing a PKI is to enable secure,convenient, and efficient acquisition of private keys.

The ticket-granting ticket is encrypted with a secret key known only tothe AS and the TGS.

The ticket-granting ticket is not reusable.

Update is not required when the certificate lifetime expires or as aresult of certificate revocation.

Kerberos does not support interrealm authentication.

Initialization begins the process of enrolling in a PKI.

Because serial numbers are unique within a CA, the serial number issufficient to identify the certificate.

The authentication server shares a unique secret key with each server.

Kerberos is designed to counter only one specific threat to the securityof a client/server dialogue.

The overall scheme of Kerberos is that of a trusted third-partyauthentication service.

Federated identity management makes use of a number of standardsthat provide the building blocks for secure identity information exchange across different domains or heterogeneous systems.

X.509 provides a format for use in revoking a key before it expires.

The _________ is an optional bit string field used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.

The focus of _________ is defining an identity for each user, associating attributes with the identity, and enforcing a means by which a user can verify identity.

_______ systems are automated methods of verifying or recognizing identity on the basis of some physiological or behavioral characteristic.

An alternative to each server being required to confirm identities of clients who request service is to use an _______ that knows the passwords of all users and stores them in a centralized database.

______ is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.

In a generic identity management architecture a ________ is an identity holder.

A software utility initially developed at MIT and available both in the public domain and in commercially supported versions, ________ is the defacto standard for remote authentication.

The certification _________ is the issuer of certificates and certificate revocation lists.

________ allows end entities to restore their encryption/decryption key pair from an authorized key backup facility.

A full-service Kerberos environment consisting of a Kerberos server that has the user ID and password of all participating users in its database and shares a secret key with each server, all users and servers being registered with the Kerberos server, is referred to as a Kerberos ______.

________ is a set of SOAP extensions for implementing message integrity and confidentiality in Web services.

The ticket contains the user's ID, the server's ID, a __________, a lifetime after which the ticket is invalid, and a copy of the same session key sent in the outer message to the client.

In a generic identity management architecture _______ are entities that obtain and employ data maintained and provided by identity and attribute providers, often to support authorization decisions and to collect audit information.

_______ is an XML-based language for the exchange of security information between online business partners.

In Kerberos, the ___________ decrypts the ticket and authenticator, verifies the request, and creates ticket for requested server.