CISSP Question #106: Real Exam Question with Answer & Explanation
The correct answer is C: Timed sessions and Secure Socket Layer (SSL).
Question
Which of the following BEST mitigates a replay attack against a system using identity federation and Security Assertion Markup Language (SAML) implementation?
Options
- A. Two-factor authentication
- B. Digital certificates and hardware tokens
- C. Timed sessions and Secure Socket Layer (SSL)
- D. Passwords with alpha-numeric and special characters
Explanation
A replay attack does not require the user's credentials: the attacker captures a valid assertion (for example from an unencrypted connection) and presents it to the service provider again as if it were fresh. Option C addresses both halves of the problem. Timed sessions, meaning short assertion validity windows expressed by the NotBefore and NotOnOrAfter attributes on Conditions and SubjectConfirmationData, limit a captured assertion's usefulness to minutes, and the SAML 2.0 Web Browser SSO profile additionally requires the service provider to reject any bearer assertion whose ID it has already accepted during that window. SSL (in current deployments TLS; the exam wording is older) encrypts the transport so the assertion is not exposed to capture in the first place. Together, the two controls make a captured assertion hard to obtain and short-lived if obtained.
Common mistakes.
- A. Two-factor authentication strengthens initial user authentication but does not prevent a captured SAML assertion from being replayed after successful authentication has already occurred.
- B. Digital certificates and hardware tokens verify identity at authentication time but do not prevent a valid, already-issued SAML assertion from being intercepted and replayed within its validity window.
- D. Strong password complexity policies protect against brute-force and credential-guessing attacks but have no effect on replay attacks, which exploit captured valid tokens rather than guessed credentials.
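To make the "timed sessions" half of the answer concrete, here is an added example (written for this page, not taken from the OASIS specification or any SAML library) of the service-provider checks that reject a replayed bearer assertion: the NotBefore/NotOnOrAfter window with a small clock-skew allowance, the Recipient and InResponseTo binding, and a cache of already-accepted assertion IDs. The assertion XML, the IdP and SP hostnames, the request ID `_req42` and the 60-second skew are all constructed for the example; XML signature verification and TLS are assumed to happen before this code runs.

```python
"""SP-side SAML 2.0 bearer-assertion replay checks (constructed example).

Assumes the XMLDSig signature over these exact bytes was already verified
and the assertion arrived over TLS; only the validity-window, binding and
one-time-use checks are shown here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production code

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: five-minute window, bearer confirmation
# bound to one AuthnRequest (_req42) and one SP endpoint (Recipient).
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""

SP_ACS_URL = "https://sp.example.test/acs"  # assumed SP endpoint


def parse_ts(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """IDs of assertions already accepted, kept until their NotOnOrAfter has
    passed; after that the time check rejects the assertion anyway, so the
    cache stays bounded."""

    def __init__(self):
        self._seen = {}  # assertion ID -> datetime after which it can be dropped

    def check_and_add(self, assertion_id, expires, now):
        self._seen = {i: t for i, t in self._seen.items() if t > now}  # prune
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate_assertion(xml_bytes, now, cache, expected_recipient,
                       outstanding_requests, skew=timedelta(seconds=60)):
    """Return (accepted, reason). `outstanding_requests` is the set of
    AuthnRequest IDs this SP issued and has not yet seen answered."""
    root = ET.fromstring(xml_bytes)
    assertion_id = root.get("ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None or assertion_id is None:
        return False, "missing Conditions or ID"
    not_before = parse_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    # Validity window, tolerating `skew` of clock difference with the IdP.
    if now + skew < not_before:
        return False, "not yet valid"
    if now - skew >= not_on_or_after:
        return False, "expired"
    scd = root.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData"
    scd_expiry = parse_ts(scd.get("NotOnOrAfter"))
    if now - skew >= scd_expiry:
        return False, "bearer confirmation expired"
    # Binding checks: the assertion must be meant for us and for a request we made.
    if scd.get("Recipient") != expected_recipient:
        return False, "wrong Recipient"
    if scd.get("InResponseTo") not in outstanding_requests:
        return False, "unsolicited or unknown InResponseTo"
    # One-time use: the same assertion ID is never accepted twice.
    if not cache.check_and_add(assertion_id, max(not_on_or_after, scd_expiry), now):
        return False, "replay: assertion ID already used"
    outstanding_requests.discard(scd.get("InResponseTo"))
    return True, "ok"


if __name__ == "__main__":
    cache, reqs = ReplayCache(), {"_req42"}
    t0 = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, t0, cache, SP_ACS_URL, reqs))
    print(validate_assertion(SAMPLE_ASSERTION, t0, cache, SP_ACS_URL, {"_req42"}))
```

Run stand-alone, the first call accepts the assertion and the second call, presenting the same bytes again, is rejected as a replay even though it is still inside the validity window. Note that the window check alone would accept the second presentation; it is the ID cache (or the consumed InResponseTo) that closes the gap the window leaves open, which is why the spec requires both.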
Concept tested. Mitigating SAML replay attacks with timed assertions and SSL
Reference. https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf