Exam CISSP All Questions
Question 152

A user's credential for an application is stored in a relational database. Which control protects the confidentiality of the credential while it is stored?

    Correct Answer: A

    Using a salted cryptographic hash of the password protects the confidentiality of the credential while it is stored in a relational database. A cryptographic hash is a one-way function: given the hash, recovering the original password is computationally infeasible, so the stored row never contains anything from which the plaintext can be recovered, and the application needs no secret to verify a login (it hashes the submitted password with the stored salt and compares the result). Salting mixes a random, per-credential value into the hash, so two users with the same password still produce different hash values, and an attacker cannot use precomputed tables (rainbow tables) or crack every account with a single pass. In practice a deliberately slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2) is used so that brute-forcing weak passwords from a stolen table is also expensive. Encrypting the entire database with a key embedded in the application, as the other option proposes, leaves the credentials reversible: whoever obtains the application (its binary, configuration or memory) together with the database can decrypt every password. Therefore the preferred method for protecting the confidentiality of stored credentials is a salted cryptographic hash.
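The mechanism the explanation above describes, as an added example that is not part of the original page: a random salt per credential, a one-way derivation, and a verification step that never needs the plaintext back and uses no stored key. The page does not name an algorithm, so PBKDF2-HMAC-SHA256 from Python's standard library is assumed here (bcrypt, scrypt or Argon2 are equally valid; a plain salted SHA-256 stops rainbow tables but is fast enough to brute-force weak passwords, which is why an iterated, deliberately slow hash is used). An in-memory SQLite table stands in for the relational database, and the usernames, passwords, table name and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Added example (not from the original page). PBKDF2-HMAC-SHA256 is an
# assumption: the page only says "salted cryptographic hash"; bcrypt, scrypt
# or Argon2 are equally valid choices. The iteration count follows OWASP's
# current PBKDF2-SHA256 guidance and is tuned per deployment.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a one-way hash of `password` under a fresh random salt.

    Returns a self-describing record, algorithm$iterations$salt_hex$hash_hex,
    so the verifier can re-run the same derivation without any secret key.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-credential salt defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the candidate password and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_hex, hash_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Verified for unknown usernames so a missing account costs the same time as
# a wrong password (constructed value, computed once at import).
DUMMY_HASH = hash_password("not-a-real-password", salt=bytes(SALT_BYTES))


def open_user_store() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the relational database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only the salted hash; the plaintext never reaches the table."""
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 (username, hash_password(password)))


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look up the stored record and verify; no key or plaintext is needed."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # equalise timing, then reject
        return False
    return verify_password(password, row[0])


def demo() -> dict:
    """Two users with the same password get different rows; only the right
    password verifies; a dump of the table contains no recoverable credential."""
    conn = open_user_store()
    shared = "correct horse battery staple"  # constructed sample password
    register(conn, "alice", shared)
    register(conn, "bob", shared)
    rows = dict(conn.execute("SELECT username, password_hash FROM users"))
    return {
        "hashes_differ": rows["alice"] != rows["bob"],
        "alice_ok": authenticate(conn, "alice", shared),
        "alice_wrong": authenticate(conn, "alice", shared.upper()),
        "unknown_user": authenticate(conn, "mallory", shared),
        "alice_row": rows["alice"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two users registering the same password end up with different rows because each gets its own salt; authentication re-derives the hash from the submitted password and compares it in constant time. Nothing in the table or the application can turn a row back into the password, which is the property an embedded database-encryption key cannot give: whoever obtains that key together with the data recovers every credential at once.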

Discussion
izaman2022 (Option: A)

It's absurd that D is listed as the correct answer, when the second part of the answer says "embed an encryption key in the application."

Az900500

Very absurd, and even surprising that it's the selected answer by ExamTopics.

JAckThePip (Option: A)

Answer is A "Hashes cannot be used to discover the contents of the original message, or any of its other characteristics, but can be used to determine whether the message has changed. In this way, hashes provide confidentiality, but not integrity." https://www.sciencedirect.com/topics/computer-science/hash-function

DMOD

Determining whether a message has changed is the goal of integrity. This is why hashing provides integrity only. P.S.: Even scientists make mistakes ;-)

MShaaban (Option: A)

I see people saying hash is for integrity, which is correct. But at the same time it's a one-way process: you can't extract the password from the hash. I see A and D as valid. I wonder if the exam would have such similar answers. I would be doomed.

DMOD (Option: D)

D is the right one. Credentials comprise a user ID AND an authentication token (password). This is why answer A is wrong, as it covers only the password part. Second, the question was what provides confidentiality to the credentials. Hashing does not provide confidentiality; it provides integrity only.

DeepCyber

Agreed! They are talking about the credential and not only the password. Also, they are looking for protection while the password is stored in the database. Salt helps to ensure an attacker can't crack it, but we also need to protect the hashed password to ensure it never reaches the hands of an attacker. Answer should be D.

eboehm (Option: A)

It's disturbing the number of people pursuing a security certification who think D is the correct answer. Would you really embed, aka hard-code, the encryption key inside the application software? You might as well hard-code the password too!

Bach1968 (Option: D)

Option D, encrypting the entire database and embedding an encryption key in the application, can indeed be an effective control to protect the confidentiality of the credential while stored. By encrypting the entire database, including the stored credentials, unauthorized access to the database would not reveal the plaintext passwords. The encryption key, which is embedded in the application, is required to decrypt the database and access the stored credentials. This provides an additional layer of protection against unauthorized access to the sensitive information. Encrypting the database ensures that even if an attacker gains access to the stored data, they would not be able to read the credentials without the encryption key. It adds an extra level of security beyond just hashing and salting the passwords. Therefore, option D, encrypting the entire database and embedding an encryption key in the application, is a valid control to protect the confidentiality of the credential while stored in a relational database.

Dee83 (Option: D)

D is the right answer to me. Encrypting the entire database and embedding an encryption key in the application protects the confidentiality of the user's credentials while they are stored in the relational database. This means that even if an attacker gains access to the database, they will not be able to read the user's credentials, as they will be in an encrypted form.

somkiatr (Option: A)

A, definitely. Reference: https://www.techtarget.com/searchsecurity/definition/salt

Dtony66 (Option: A)

A is the answer. Are these really correct answers from the CISSP exam? Why would you embed an encryption key in the application?

splash2357 (Option: A)

Going with A. Hashed passwords are not reversible (or extremely hard to reverse) back to the original form (with strong hashing algorithms). Encryption does provide an extra layer of protection; however, ciphertexts can be reverted back to their original form with a decryption key. In case both the key and the DB records are leaked, the DB records would be leaked in cleartext. An example of such an incident is the Adobe breach in 2013: https://www.csoonline.com/article/540070/network-security-adobe-confirms-stolen-passwords-were-encrypted-not-hashed.html

Rifandy (Option: D)

How come the given answer is D? What if the size of the DB is large; then it needs to be encrypted entirely?

629f731 (Option: A)

A is correct because option "D" proposes to encrypt the entire database and embed an encryption key in the application. While this measure provides a level of protection, it is not best suited to protect the confidentiality of specific user credentials in the database. Using a single encryption key for the entire database and embedding it in your application can compromise security if that key is compromised or accessed.

homeysl (Option: D)

D. It says relational DB. You encrypt the table or DB.

HughJassole (Option: D)

D sounds wrong but A is hashing, which provides integrity only: "Integrity ensures that data is maintained and that no unauthorized changes have been made to the data. One example of this is signature hashing, such as an MD5 or SHA256 checksum." D talks about encryption, which is confidentiality.

Tygrond87 (Option: B)

Option C is the correct answer because it addresses the access control aspect of the question. By allowing only the application to have access to the password field in order to verify user authentication, it ensures that only authorized entities can access the credential. Access controls are a critical security control to prevent unauthorized access to sensitive information.

jackdryan

A is correct

Cg007 (Option: A)

A. What is password salting? Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them. Salting prevents hackers who breach an enterprise environment from reverse-engineering passwords and stealing them from the database.

meelaan (Option: A)

No need to encrypt entire DB