CompTIA Security Plus Mock Test Q617

The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer passwords. The company currently stores passwords as SHA hashes. Which of the following can the CTO implement requiring the LEAST change to existing systems?

A. Smart cards
B. TOTP
C. Key stretching
D. Asymmetric keys


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic with an embedded microchip. The second is as a USB token. It contains a built in processor and has the ability to securely store and process information. A “contact” smart card communicates with a PC using a smart card reader whereas a “contactless” card sends encrypted information via radio waves to the PC.
Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail decryption and remote access authentication. However, smart cards are programmable and can contain programs and data for many different applications. For example smart cards may be used to store medical histories for use in emergencies, to make electronic cash payments or to verify the identity of a customer to an e-retailer.
Microsoft provides two device independent APIs to insulate application developers from differences between current and future implementations: CryptoAPI and Microsoft Win32® SCard APIs.
The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user’s sensitive private key data. All cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). There are many different cryptographic algorithms and even when implementing the same algorithm there are many choices to make about key sizes and padding for example. For this reason, CSPs are grouped into types, in which each supported CryptoAPI function, by default, performs in a way particular to that type. For example, CSPs in the PROV_DSS provider type support DSS Signatures and MD5 and SHA hashing.

Incorrect Answers:
B: A time-based one-time password (TOTP) is a temporary code, generated by an algorithm, for use in authenticating access to computer systems. The algorithm that generates each password uses the current time of day as one of its factors, ensuring that each password is unique. Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers. In two-factor authentication scenarios, a user must enter a traditional, static password and a TOTP to gain access. In this question, the company currently stores passwords as SHA hashes. This suggests that the passwords are not temporary passwords. Therefore this answer is incorrect.
C: In cryptography, key stretching refers to techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking. Key stretching makes such attacks more difficult. Key stretching is used to make passwords stronger. One method is to apply a hash to the password. In this question, the passwords are already hashed. Therefore this answer is incorrect.
D: Asymmetric algorithms use two keys to encrypt and decrypt data. These asymmetric keys are referred to as the public key and the private key. The sender uses the public key to encrypt a message, and the receiver uses the private key to decrypt the message; what one key does, the other one undoes. Asymmetric keys are not used to further secure hashed passwords. Therefore this answer is incorrect.

References:
https://msdn.microsoft.com/en-us/library/ms953432.aspx
http://searchconsumerization.techtarget.com/definition/time-based-one-time-password-TOTP
http://en.wikipedia.org/wiki/Key_stretching