The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer
passwords.
The company currently stores passwords as SHA hashes. Which of the following can the CTO implement
requiring the LEAST change to existing systems?
A. Smart cards
B. TOTP
C. Key stretching
D. Asymmetric keys
Answer: C

Explanation:
C: In cryptography, key stretching refers to techniques used to make a possibly weak key, typically a
password or passphrase, more secure against a brute force attack by increasing the time it takes to test
each possible key. Passwords or passphrases created by humans are often short or predictable enough to
allow password cracking; a plain SHA hash of such a password does little to stop it, because SHA-1 and
SHA-256 are designed to be fast and an attacker with GPU hardware can test billions of candidates per
second against an unsalted digest. Key stretching functions such as PBKDF2, bcrypt and scrypt feed the
input through a deliberately slow, iterated function with a per-user salt and a tunable work factor, so
every guess costs the attacker thousands of times more work. Because a key stretching function accepts
any input, the company does not need the cleartext passwords to adopt it: the existing SHA hashes can be
wrapped in place (stored value = PBKDF2(existing hash, salt)) or upgraded at each user's next successful
login. No new hardware, no user enrollment and no change to the login protocol is required; only the
server-side storage and verification code changes. This is the option requiring the least change to
existing systems.

Incorrect Answers:
A: Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic
with an embedded microchip. The second is a USB token. Either contains a built-in processor and has the
ability to securely store and process information. A "contact" smart card communicates with a PC using a
smart card reader whereas a "contactless" card sends encrypted information via radio waves to the PC.
Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail
decryption and remote access authentication. However, smart cards are programmable and can contain
programs and data for many different applications; for example, smart cards may be used to store
medical histories for use in emergencies, to make electronic cash payments or to verify the identity of a
customer to an e-retailer. Microsoft provides two device-independent APIs to insulate application
developers from differences between current and future implementations: CryptoAPI and the Win32 SCard
APIs. The Cryptography API contains functions that allow applications to encrypt or digitally sign data
while protecting the user's private key; all cryptographic operations are performed by independent
modules known as cryptographic service providers (CSPs), which are grouped into types (for example, CSPs
in the PROV_DSS provider type support DSS signatures and MD5 and SHA hashing). A smart card is an
authentication factor (something you have); it does not change how the stored customer passwords are
hashed, and deploying it to customers would require issuing cards or tokens, installing readers, enrolling
every user and changing the authentication flow. It is far from the least change. Therefore this answer is
incorrect.
B: A time-based one-time password (TOTP) is a temporary code, generated by an algorithm, for use in
authenticating access to computer systems. The algorithm that generates each password uses the current
time of day as one of its inputs, so each code is only valid for a short window. Time-based one-time
passwords are commonly used for two-factor authentication and have seen growing adoption by cloud
application providers. In two-factor authentication scenarios, a user must enter a traditional, static
password and a TOTP to gain access. TOTP adds a second factor on top of the static password; it does
nothing to improve how that static password is stored, and it requires enrolling every customer with a
shared secret and changing the login flow. Therefore this answer is incorrect.
D: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred
to as the public key and the private key. The sender uses the public key to encrypt a message, and the
receiver uses the private key to decrypt the message; what one key does, the other one undoes.
Asymmetric keys are not used to further secure hashed passwords: encrypting the hash store with a public
key only helps if the private key is kept off the authentication server, yet that server must be able to
verify logins, so the key would have to be available to it and to any attacker who compromises it.
Therefore this answer is incorrect.

References:
https://msdn.microsoft.com/en-us/library/ms953432.aspx
http://searchconsumerization.techtarget.com/definition/time-based-one-time-password-TOTP
http://en.wikipedia.org/wiki/Key_stretching
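The "wrap the existing hash" migration described for answer C, as an added example that is not part of the original question or explanation. It assumes a hypothetical legacy store of unsalted SHA-256 hex digests keyed by username (constructed sample data), and uses PBKDF2-HMAC-SHA256 from the Python standard library as the key stretching function; the iteration count is an assumed work factor, tuned in practice to the server's capacity.

```python
import hashlib
import hmac
import os

# Constructed sample data: the legacy store maps a username to an unsalted
# SHA-256 hex digest of the password, as the question describes (hypothetical).
LEGACY_STORE = {
    "alice": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Assumed work factor. Raise it until a verify() takes as long as the
# login path can tolerate; the attacker pays the same cost per guess.
ITERATIONS = 200_000


def legacy_sha256(password: str) -> str:
    """The existing (weak) scheme: one fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def stretch(legacy_hex: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key-stretch the legacy digest itself with a per-user salt.

    Because the input is the stored hash rather than the cleartext password,
    every record can be upgraded offline, without waiting for users to log in.
    """
    return hashlib.pbkdf2_hmac("sha256", legacy_hex.encode("ascii"), salt, iterations)


def upgrade_record(legacy_hex: str) -> dict:
    """Produce the new stored record: random salt, work factor, derived key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "dk": stretch(legacy_hex, salt)}


def migrate(store: dict) -> dict:
    """One-shot migration of the whole legacy store; no user interaction needed."""
    return {user: upgrade_record(h) for user, h in store.items()}


def verify(record: dict, password: str) -> bool:
    """New login check: recompute legacy hash, stretch it, compare in constant time."""
    candidate = stretch(legacy_sha256(password), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["dk"])


if __name__ == "__main__":
    new_store = migrate(LEGACY_STORE)
    print("good password:", verify(new_store["alice"], "correct horse battery staple"))
    print("bad password: ", verify(new_store["alice"], "wrong"))
```

The only code path that changes is the server-side verification: the client still submits the same static password, so no enrollment, hardware or protocol change is needed. Two per-user records for the same password now differ because of the salt, and each guess against the store costs the attacker the full PBKDF2 iteration count instead of a single SHA-256.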