1) Passwords, challenge-response, OTP, biometric and server authentication systems
1. In most server authentication systems, you will find that only the server authenticates to the client (usually a web browser) through a certificate, and it is rare to find an instance of client authentication using a certificate. Why is this the case?
2. We see that an entity may have many attributes, but only a subset of those attributes is used as its identity in a given context. We also see that different contexts require different identities (a Student ID number such as a G# at a university, a driver's license number at the MVA/DMV, etc.). Would life not be simpler if a person had the same identity in all contexts? What is the fundamental need for having different identities in different contexts?
3. The authenticator output in some instances may differ from the authenticator secret. Can you think of an example of a situation where this occurs? As a counterexample, you know that if a PASSWORD or PIN is the authenticator, then the authenticator secret is the same as the authenticator output (the value transmitted from the claimant or subscriber to the verifier). Also, can you think of a situation where the authenticator secret is never revealed or transmitted, and only possession and control of the secret is demonstrated by the subscriber to the verifier?
4. Can you name a large-scale, real-world identity federation? When you log into some websites (say Site 1), the site asks you to get authenticated using Facebook or Google. In this scheme, identify who plays the role of the Identity Provider and who plays the role of the Relying Party (or Service Provider). The key to any identity federation is trust. How do you think trust gets established in the scenario just mentioned?
5. In an identity federation, the RP has to make an access control decision based purely on the information contained in the assertion. What additional means are available to the RP to obtain more information (attributes) about the subscriber?
6. You have a good idea of how a digital certificate can be used for authentication. In addition, you must be aware that in an enterprise, all the information needed to authenticate you to various corporate applications is stored in a directory such as Active Directory (AD). Can you discuss how certificate-based authentication is linked to the information in a directory?
7. We looked at various credential objects in a PIV card. Take two objects: one a certificate object and the other a biometric object. Identify the authenticators (type, name) they contain and briefly describe how they are used in multi-factor authentication mechanisms.
8. You may have heard about a class of security software called "Identity and Access Management (IAM)". Please identify all the features that a typical IAM product has. In your opinion, which feature is the most critical, and why? (It is enough to list the features; there is no need to describe each feature in detail, except for the justification you provide for the most critical feature.)
9. Consider the building blocks of two popular access control models: the Role-based Access Control model (RBAC) and the Attribute-based Access Control model (ABAC). Some people feel that ABAC is a superset of RBAC. Is this conclusion justified? ABAC also depends heavily on the accuracy and availability of the attributes associated with the subject, object and environment in order to be an effective access control deployment. From your knowledge of IT infrastructure in an enterprise, can you identify the sources for each of these three classes of attributes (what are the authoritative repositories for these attributes, and how are they retrieved)?