Page 1544 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

indicates a less accurate device.

14. A. A false rejection, sometimes called a false negative authentication or a Type I error, occurs when a valid subject (Sally in this example) is not authenticated. A Type II error (false acceptance, sometimes called a false positive authentication) occurs when an invalid subject is authenticated. Crossover errors and equal errors aren't valid terms related to biometrics. However, the crossover error rate (also called equal error rate) compares the false rejection rate to the false acceptance rate and provides an accuracy measurement for a biometric system.

15. C. The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not its primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

16. D. SAML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SAML.

17. B. The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server, and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn't its primary function.

18. B. Diameter is based on Remote Authentication Dial-in User Service (RADIUS), and it supports Mobile IP and Voice over IP (VoIP). Distributed access control systems such as a federated identity management system are not a specific protocol, and they don't necessarily provide authentication, authorization, and accounting. TACACS and TACACS+ are authentication, authorization, and accounting (AAA) protocols, but they are alternatives to RADIUS, not based on RADIUS.
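The biometric terms in answer 14 (false rejection / Type I error, false acceptance / Type II error, and the crossover or equal error rate) are easiest to see by sweeping a matcher's acceptance threshold over genuine and impostor attempts and finding the setting where FAR and FRR meet. The following Python is an added illustration, not code from the study guide; the two devices, their 0-100 similarity scores and the threshold sweep are constructed assumptions for the example.

```python
"""Crossover (equal) error rate from genuine and impostor match scores.

Added illustration for the biometric terms in answer 14; this is not code
from the study guide. All score lists are constructed sample data for two
hypothetical devices, and the 0-100 "similarity score" scale is an assumption.
"""
from typing import Mapping, Sequence, Tuple

# Constructed sample data: similarity scores (0-100) the matcher produced.
# "genuine" = the enrolled user presenting, "impostor" = someone else.
DEVICE_A = {
    "genuine": [72, 75, 78, 80, 83, 85, 88, 90, 92, 95],
    "impostor": [20, 30, 40, 50, 55, 60, 65, 70, 76, 82],
}
DEVICE_B = {  # wider overlap between the two populations -> less accurate device
    "genuine": [55, 60, 65, 70, 72, 78, 80, 85, 90, 95],
    "impostor": [30, 40, 50, 58, 62, 66, 71, 74, 79, 86],
}


def classify_attempt(legitimate: bool, accepted: bool) -> str:
    """Name the outcome of one authentication decision using the answer's terms."""
    if legitimate and not accepted:
        return "false rejection (Type I error)"
    if not legitimate and accepted:
        return "false acceptance (Type II error)"
    return "correct decision"


def error_rates(genuine: Sequence[int], impostor: Sequence[int],
                threshold: int) -> Tuple[float, float]:
    """FAR and FRR at one threshold; a score >= threshold is accepted.

    FAR = share of impostor attempts accepted (Type II errors).
    FRR = share of genuine attempts rejected (Type I errors).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds=range(0, 101)) -> Tuple[int, float]:
    """Sweep the threshold and return (threshold, CER).

    The crossover / equal error rate is the error rate at the sensitivity
    setting where FAR and FRR are equal (or closest to equal on a discrete
    sweep). A lower CER means a more accurate device.
    """
    best_t, best_gap, best_rate = None, float("inf"), None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:  # strict '<' keeps the first threshold with the smallest gap
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate


def more_accurate(devices: Mapping[str, Mapping[str, Sequence[int]]]) -> str:
    """Return the name of the device with the lowest CER."""
    return min(devices, key=lambda name: crossover_error_rate(**devices[name])[1])


if __name__ == "__main__":
    for name, scores in {"A": DEVICE_A, "B": DEVICE_B}.items():
        t, cer = crossover_error_rate(**scores)
        print(f"device {name}: FAR == FRR at threshold {t}, CER = {cer:.0%}")
    print("more accurate:", more_accurate({"A": DEVICE_A, "B": DEVICE_B}))
```

Raising the threshold lowers FAR and raises FRR, so the two curves cross exactly once; the sweep reports that crossing for each constructed device, and the device with the lower CER is the more accurate one, which is the comparison the preceding question about CER relies on.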